1

Topic: Undelivered Mail Returned to Sender - spam?

hello,

I am all of a sudden getting a lot of "undelivered mail returned to sender" emails in my inbox. I believe something is trying to relay mail using my server.

It looks like the emails are being generated from my server to a lot of random email addresses, and the remote relay hosts either don't exist or deny the mail.

I looked on the forums and found someone stating to change smtpd_sender_login_maps to:

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf, proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf

However, it hasn't helped. Maybe something with my local_recipient_maps?

Currently it's set to: local_recipient_maps = $alias_maps $virtual_alias_maps $virtual_mailbox_maps


==== Required information ====
- iRedMail version (check /etc/iredmail-release):
host1 ~ # cat /etc/iredmail-release
0.9.0
- Linux/BSD distribution name and version:
host1 ~ # cat /etc/redhat-release
CentOS release 6.6 (Final)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
mysql
- Web server (Apache or Nginx):
Apache
====


Logs:

Aug  4 05:34:38 host1 postfix/cleanup[5690]: 08F32207F4: message-id=<ba33e58028b8$1138461f$9cc09bbe$@sullung.com>
Aug  4 05:34:38 host1 postfix/smtp[5921]: 70B98206F6: to=<hr@sentoria.com.my>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=2, delay=17, delays=13/3/0/0.81, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CA9E320801)
Aug  4 05:34:38 host1 postfix/qmgr[1424]: 08F32207F4: from=<jlim@sullung.com>, size=2606, nrcpt=1 (queue active)
Aug  4 05:34:38 host1 amavis[5884]: (05884-05-3) Passed CLEAN {RelayedInternal}, MYUSERS LOCAL [78.187.39.46]:61328 [78.187.39.46] <jlim@sullung.com> -> <hr@westports.com.my>, Message-ID: <ba33e58028b8$1138461f$9cc09bbe$@sullung.com>, mail_id: 34lrZ6KIjDmg, Hits: 3.907, size: 1920, queued_as: 08F32207F4, 601 ms
Aug  4 05:34:38 host1 postfix/smtp[5698]: 70B98206F6: to=<hr@westports.com.my>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=3, delay=17, delays=13/3.2/0/0.61, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 08F32207F4)
Aug  4 05:34:38 host1 postfix/smtpd[5754]: 63B04207FF: client=host1.gooksu.com[127.0.0.1]
Aug  4 05:34:38 host1 postfix/cleanup[5730]: 63B04207FF: message-id=<ba33e58028b8$1138461f$9cc09bbe$@sullung.com>
Aug  4 05:34:38 host1 postfix/qmgr[1424]: 63B04207FF: from=<jlim@sullung.com>, size=2600, nrcpt=1 (queue active)
Aug  4 05:34:38 host1 amavis[5886]: (05886-05-4) Passed CLEAN {RelayedInternal}, MYUSERS LOCAL [78.187.39.46]:61328 [78.187.39.46] <jlim@sullung.com> -> <hr@yinson.com.my>, Message-ID: <ba33e58028b8$1138461f$9cc09bbe$@sullung.com>, mail_id: SZY66W5DKuR2, Hits: 3.907, size: 1920, queued_as: 63B04207FF, 675 ms
Aug  4 05:34:38 host1 postfix/smtp[5696]: 70B98206F6: to=<hr@yinson.com.my>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=4, delay=18, delays=13/3.5/0/0.69, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 63B04207FF)
Aug  4 05:34:38 host1 postfix/smtp[6009]: 39AB1207F1: to=<hr@mentor-facilities.com.my>, relay=ASPMX.L.GOOGLE.COM[173.194.74.26]:25, delay=1.4, delays=0.01/0.03/1.1/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1438684478 g89si1284520iod.173 - gsmtp)
Aug  4 05:34:38 host1 postfix/qmgr[1424]: 39AB1207F1: removed
Aug  4 05:34:39 host1 postfix/smtp[5734]: certificate verification failed for mail.cougarshipyard.com[219.94.50.81]:25: untrusted issuer /C=IN/ST=Gujarat/L=Ahmedabad/O=Elitecore/OU=Cyberoam Certificate Authority/CN=Cyberoam SSL CA_C16213508165/emailAddress=support@elitecore.com
Aug  4 05:34:39 host1 postfix/smtp[6010]: certificate verification failed for mail.myeg.com.my[103.240.177.90]:25: untrusted issuer /O=WatchGuard_Technologies/OU=Fireware/CN=Fireware HTTPS Proxy (SN 80B700233B8EC 2010-12-30 13:08:40 GMT) CA
Aug  4 05:34:39 host1 postfix/smtp[5975]: certificate verification failed for mail.mymillenniumjobs.com[210.48.155.34]:25: self-signed certificate
Aug  4 05:34:40 host1 postfix/smtp[5823]: 29E59207EC: to=<humanr@iwk.com.my>, relay=mars.iwk.com.my[58.27.17.165]:25, delay=4.4, delays=0.01/0/2.8/1.6, dsn=2.0.0, status=sent (250 2.0.0 t74AYcKU010908 Message accepted for delivery)
Aug  4 05:34:40 host1 postfix/qmgr[1424]: 29E59207EC: removed
Aug  4 05:34:40 host1 postfix/smtp[5991]: server certificate verification failed for mail.oceancare.com.my[202.75.55.169]:25: certificate has expired
Aug  4 05:34:40 host1 postfix/smtp[5975]: 34748207F3: to=<huitze@mymillenniumjobs.com>, relay=mail.mymillenniumjobs.com[210.48.155.34]:25, delay=4.7, delays=0.01/0.03/4/0.69, dsn=2.0.0, status=sent (250 Mail queued for delivery)
Aug  4 05:34:40 host1 postfix/qmgr[1424]: 34748207F3: removed
Aug  4 05:34:41 host1 postfix/smtp[5734]: C5468207E6: to=<hrm@ajangshipping.com>, relay=mail.cougarshipyard.com[219.94.50.81]:25, delay=5.7, delays=0.01/0/4.1/1.6, dsn=2.0.0, status=sent (250 Data Dropped)
Aug  4 05:34:41 host1 postfix/qmgr[1424]: C5468207E6: removed
Aug  4 05:34:41 host1 postfix/smtp[5732]: 08F32207F4: to=<hr@westports.com.my>, relay=mail.westports.com.my[203.115.228.16]:25, delay=3.6, delays=0.08/0.01/2.4/1.1, dsn=2.0.0, status=sent (250 ok:  Message 4431149 accepted)


2

Re: Undelivered Mail Returned to Sender - spam?

I have solved many similar issues for customers. The most likely cause is that some mail user has a weak password which was cracked by a spammer, and the spammer then sends spam with this account (with proper SMTP authentication).

Here's the suggested procedure to solve this issue:

*) Keep monitoring the Postfix log file and find out which (local) user sent out the most (spam) emails. You should pay close attention to the Postfix log lines containing 'sasl_username='.
*) Reset its password to a strong one. At this point, the issue is solved.
*) Make sure your Postfix setting 'smtpd_sender_restrictions' (or 'smtpd_recipient_restrictions') contains the rule 'reject_sender_login_mismatch'.

We also offer paid support ($39) to help you out if you want (ssh access with root privilege is required).
http://www.iredmail.org/support.html
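As an added example (not code from this post or from iRedMail), here is a small Python script for the log-sifting step above: it reads Postfix smtpd lines, counts authenticated submissions per 'sasl_username=' and the distinct client IPs per account, and lists the busiest accounts as password-reset candidates. The log lines below are constructed samples in the standard Postfix smtpd format, with example.com addresses and documentation IP ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the original post). An authenticated
# submission is logged by postfix/smtpd on the "client=" line with sasl_username=.
SAMPLE_LOG = """\
Aug  4 05:34:38 host1 postfix/smtpd[5754]: 63B04207FF: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=jlim@example.com
Aug  4 05:34:39 host1 postfix/smtpd[5755]: 63B04207F0: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=jlim@example.com
Aug  4 05:34:40 host1 postfix/smtpd[5756]: 63B04207F1: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=jlim@example.com
Aug  4 05:35:01 host1 postfix/smtpd[5757]: 63B04207F2: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Aug  4 05:35:02 host1 postfix/smtpd[5758]: 63B04207F3: client=host1.example.com[127.0.0.1]
Aug  4 05:35:03 host1 postfix/qmgr[1424]: 63B04207F3: from=<jlim@example.com>, size=2600, nrcpt=1 (queue active)
"""

# Matches only smtpd "client=" lines that carry a SASL login; re-injected
# (amavis, 127.0.0.1) and unauthenticated connections are ignored.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+?)\[(?P<ip>[^\]]+)\],"
    r".*sasl_username=(?P<user>\S+)"
)

def count_sasl_senders(log_text):
    """Return {sasl_username: (message_count, set_of_client_ips)}."""
    msgs = Counter()
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if not m:
            continue  # not an authenticated submission line
        msgs[m["user"]] += 1
        ips[m["user"]].add(m["ip"])
    return {u: (n, ips[u]) for u, n in msgs.items()}

def suspicious_accounts(log_text, min_messages=2):
    """Accounts at or above the threshold, busiest first: (user, messages, distinct IPs)."""
    stats = count_sasl_senders(log_text)
    return sorted(((u, n, len(ip)) for u, (n, ip) in stats.items() if n >= min_messages),
                  key=lambda t: -t[1])

if __name__ == "__main__":
    for user, n, n_ips in suspicious_accounts(SAMPLE_LOG):
        print(f"{user}: {n} messages from {n_ips} client IP(s)")
```

On a live system feed it the contents of the Postfix log (on CentOS typically /var/log/maillog) and raise min_messages to fit your normal per-user volume; a single account submitting far above its usual rate, or from many unrelated IPs, is the one whose password needs resetting.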

3

Re: Undelivered Mail Returned to Sender - spam?

Thank you!! I think that did the trick!! Not getting any more returned mails!!

ZhangHuangbin wrote:

I have solved many similar issues for customers. The most likely cause is that some mail user has a weak password which was cracked by a spammer, and the spammer then sends spam with this account (with proper SMTP authentication).

Here's the suggested procedure to solve this issue:

*) Keep monitoring the Postfix log file and find out which (local) user sent out the most (spam) emails. You should pay close attention to the Postfix log lines containing 'sasl_username='.
*) Reset its password to a strong one. At this point, the issue is solved.
*) Make sure your Postfix setting 'smtpd_sender_restrictions' (or 'smtpd_recipient_restrictions') contains the rule 'reject_sender_login_mismatch'.

We also offer paid support ($39) to help you out if you want (ssh access with root privilege is required).
http://www.iredmail.org/support.html