Topic: Weird Spam Problem
==== Required information ====
- iRedMail version: 0.8.4 / 1.6.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 6.4
- Related log if you're reporting an issue: maillog
I believe one of my customers' PCs has been compromised (one or multiple machines have a trojan), and spammers have their credentials for my server.
My server has been sending a lot of email -- from addresses / domains that aren't hosted by my server. For example, the dashboard shows top senders as -- "firstname.lastname@example.org". Many emails going out don't even have a 'From'.
So there's a couple of issues here.
1. The Pro Panel doesn't show whose credentials are being used to send emails. Right now -- I don't know whose password to reset / account to disable to prevent the spamming. The Pro Panel just shows who the email is FROM -- even though it's not a valid account on my server.
2. How can I configure the server to reject emails without a 'FROM' address -- and to only allow From addresses from valid domains and users that I host?
Here's an excerpt from my maillog:
Jul 1 20:19:32 pcrmail amavis: (28249-05) Passed SPAM, MYNETS LOCAL [10.1.1.1] [126.96.36.199] <email@example.com> -> <firstname.lastname@example.org>, Message-ID: <ZSSLIPAQRVNCRPDYPUNXDU@yahoo.com>, mail_id: 0b8S0Uo8m1eI, Hits: 11.033, size: 3000, queued_as: 6E88B52A05, 160 ms
Jul 1 20:19:32 pcrmail postfix/error: 5C6874B2B8: to=<email@example.com>, relay=none, delay=411489, delays=411488/0.73/0/0.01, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx-tw.mail.gm0.yahoodns.net[188.8.131.52] refused to talk to me: 421 4.7.0 [TS01] Messages from 184.108.40.206 temporarily deferred due to user complaints - 220.127.116.11; see http://postmaster.yahoo.com/421-ts01.html)
Attached is an image of my pro panel -- showing top senders as accounts I don't even host (and obviously fake).
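On issue 2: Postfix can enforce that an authenticated login only uses envelope sender addresses it owns, via `smtpd_sender_login_maps` plus `reject_sender_login_mismatch`, and `reject_unknown_sender_domain` refuses senders in domains that do not resolve. The empty envelope sender (`<>`) needs care: port 25 must keep accepting it because every bounce uses it, so refusing it belongs only on the submission port. The fragment below is an added example, not from the post or from iRedMail's own config; it assumes iRedMail's MySQL sender-login table is at `/etc/postfix/mysql/sender_login_maps.cf` (check your installation) and that the submission service in master.cf is the one your users submit through.

```conf
# --- /etc/postfix/main.cf ---------------------------------------------------
# Assumed path of iRedMail's MySQL lookup table mapping each hosted address
# (and alias) to the login allowed to use it as MAIL FROM.
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

# Order matters: the login check must come BEFORE permit_mynetworks, otherwise a
# client inside $mynetworks (the MYNETS case in the amavis log) skips it entirely.
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_sender_login_mismatch,
    permit_mynetworks,
    permit_sasl_authenticated

# --- /etc/postfix/master.cf (extend the existing submission entry) ----------
# Only authenticated clients reach this port, so MAIL FROM <> can be refused here
# without breaking bounce delivery on port 25. master.cf -o values take no
# whitespace, hence the commas.
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_sender_login_mismatch,check_sender_access,hash:/etc/postfix/submission_sender_access,permit

# --- /etc/postfix/submission_sender_access -----------------------------------
# The null sender is looked up under the key "<>" (smtpd_null_access_lookup_key).
# Afterwards: postmap hash:/etc/postfix/submission_sender_access && postfix reload
<>      REJECT Empty envelope sender is not accepted on the submission port
```

Two caveats. First, `reject_sender_login_mismatch` only helps for sessions that authenticate or that use a hosted address; a machine that sits inside `$mynetworks` and relays with a foreign sender without logging in is still accepted by `permit_mynetworks`, and the fix for that is to take the LAN out of `$mynetworks` so those clients must authenticate like everyone else. Second, users who legitimately send as an alias need that alias listed for their login in the sender-login table, or their mail will start bouncing with a "Sender address rejected: not owned by user" error.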
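On issue 1: the panel only shows the envelope sender, but Postfix itself records the login that injected each message. For every message, `postfix/smtpd` logs a `client=...` line that carries `sasl_username=` when the session authenticated, and `postfix/qmgr` logs `from=<...>` under the same queue ID, so joining the two on the queue ID gives the account whose password needs resetting. The script below is an added example (not from the post, the Pro Panel or iRedMail); the maillog lines, the IP addresses and the hosted domain `hosted.example` are constructed for the example, and the two queue IDs are the ones from the excerpt above.

```python
"""Correlate Postfix maillog lines by queue ID so that each outgoing message is tied
to the SASL login (or unauthenticated client) that injected it, rather than to the
envelope sender the spammer chose."""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the original post), in Postfix's syslog format.
# The two queue IDs are the ones that appear in the post's maillog excerpt.
SAMPLE_MAILLOG = """\
Jul  1 20:19:30 pcrmail postfix/smtpd[28001]: 6E88B52A05: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=bob@hosted.example
Jul  1 20:19:30 pcrmail postfix/qmgr[2055]: 6E88B52A05: from=<random@yahoo.com>, size=3000, nrcpt=1 (queue active)
Jul  1 20:19:31 pcrmail postfix/smtpd[28002]: 5C6874B2B8: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=bob@hosted.example
Jul  1 20:19:31 pcrmail postfix/qmgr[2055]: 5C6874B2B8: from=<>, size=2900, nrcpt=1 (queue active)
Jul  1 20:19:35 pcrmail postfix/smtpd[28003]: 1A2B3C4D5E: client=workstation.lan[10.1.1.1]
Jul  1 20:19:35 pcrmail postfix/qmgr[2055]: 1A2B3C4D5E: from=<other@yahoo.com>, size=3100, nrcpt=1 (queue active)
Jul  1 20:20:01 pcrmail postfix/smtpd[28004]: 7F8E9D0C1B: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@hosted.example
Jul  1 20:20:01 pcrmail postfix/qmgr[2055]: 7F8E9D0C1B: from=<alice@hosted.example>, size=1200, nrcpt=1 (queue active)
"""

# Domains this server hosts (assumption made for the example).
HOSTED_DOMAINS = {"hosted.example"}

SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def correlate(lines):
    """Join smtpd (client, login) and qmgr (envelope sender) records on the queue ID."""
    msgs = defaultdict(dict)
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            sasl = SASL_RE.search(line)
            msgs[m["qid"]]["client"] = m["client"]
            msgs[m["qid"]]["user"] = sasl["user"] if sasl else None  # None: no SASL login
            continue
        m = QMGR_RE.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]  # "" is the null sender <>
    return dict(msgs)


def suspicious(msgs, hosted_domains):
    """Messages whose envelope sender is empty or outside a hosted domain, grouped by
    the login that injected them (or NO-AUTH:<client> when the session never logged in).
    The login is the account whose password to reset; the sender is only what the
    spammer typed into MAIL FROM."""
    report = defaultdict(Counter)
    for info in msgs.values():
        sender = info.get("sender")
        if sender is None:
            continue  # no qmgr line yet (still in the incoming queue, or log truncated)
        domain = sender.rpartition("@")[2]
        if sender == "" or domain not in hosted_domains:
            who = info.get("user") or "NO-AUTH:" + info.get("client", "?")
            report[who][sender or "<>"] += 1
    return {who: dict(counts) for who, counts in report.items()}


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MAILLOG.splitlines()
    for who, senders in suspicious(correlate(src), HOSTED_DOMAINS).items():
        print(who, senders)
```

Run it against the real file with `python3 whois_sending.py /var/log/maillog`. On the sample it reports `bob@hosted.example` as the login behind both the yahoo.com sender and the empty sender, and a `NO-AUTH:` entry for the internal client that never authenticated. That second case matters here: the amavis line in the excerpt is tagged `MYNETS`, which means the client (10.1.1.1) matched `$mynetworks`, and a machine inside `$mynetworks` can relay without ever presenting a password, so no account reset will stop it.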