In the last 1-2 weeks, I've suddenly started getting a ton of emails from MAILER-DAEMON for emails sent to random people that I did not send. I'm not sure how to stop this. My email has not been compromised, and I'm afraid that with all these emails carrying my server's name, it'll get blacklisted. Any ideas on how to stop this? Here's the latest one from this morning. (My server is crossflame.com)

----------------------------------------------------------------------------
This is the mail system at host mail.crossflame.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

<>: Host or domain name not found. Name service error for name=nbctv33.com type=A: Host not found

<>: host aln-mailrelay.att.net[12.102.252.75] said: 521-23.226.227.202 blocked by sbc:blacklist.mailrelay.att.net. 521 DNSRBL: Blocked for abuse. See -removed-link- (in reply to MAIL FROM command)

<>: host mx1.emailsrvr.com[173.203.2.36] said: 550 5.7.1 <>: Relay access denied. (in reply to RCPT TO command)

Reporting-MTA: dns; mail.crossflame.com
X-Postfix-Queue-ID: D5F89E600FD
X-Postfix-Sender: rfc822; justin[at]crossflame.com
Arrival-Date: Fri, 21 Feb 2014 03:51:59 -0500 (EST)

Final-Recipient: rfc822;
Action: failed
Status: 4.4.4
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error for name=nbctv33.com type=A: Host not found

Final-Recipient: rfc822;
Action: failed
Status: 4.0.0
Remote-MTA: dns; aln-mailrelay.att.net
Diagnostic-Code: smtp; 521-23.226.227.202 blocked by sbc:blacklist.mailrelay.att.net. 521 DNSRBL: Blocked for abuse. See removed-link

Final-Recipient: rfc822;
Action: failed
Status: 4.7.1
Remote-MTA: dns; mx1.emailsrvr.com
Diagnostic-Code: smtp; 550 5.7.1 <>: Relay access denied.

Subject: ***SPAM*** Ashley Williford
From: Ashley Williford
To: randy, ray sutley, recrewtr, reginald j saddler, Jen L Repovsch, resumes, resumes, rjones, ronald taylor, ross3875, RST, Cliff Russell, rwoods, Nicola Saub, sbrewer, scheduling, scott thompson, scott thompson, scott thompson, sdpaster
Date: 2014-02-27 02:51
removed-spam-link
----------------------------------------------------------------------------
Well, do you perhaps host anything with mail-sending capabilities on your server? Something that might have been compromised? And you need to look at the mail headers - that will show the route taken, and you can see if it at any time originated from your mail server. (Although all that can be faked, few spammers actually bother to hide everything.)
I don't have anything on my server (VPS) that sends emails out. I had it hosted with another host for around 4 years, and about 3-4 months ago I moved it to another host (ramnode). This is the source of one of the MAILER-DAEMON emails. I can't get the source of the spam email; it wasn't sent from my email (it's not in the sent folder).
There are a few reasons you could be seeing this:

- compromised email password
- compromised desktop
- compromised web application

It appears your server may already be getting a 521 error from ATT due to the spam, so you will want to get this stopped. The only clue I see in your post is that the email injection point appears to be:

Received: from mycomputer (unknown [115.241.98.204]) by mail.crossflame.com (Postfix) with ESMTPA id ECBD7E600AC;

You would need to check the logs for this IP and email ID to see how the email is flowing into the system and then stop it. Once you have it cleaned up, see http://www.rackaid.com/blog/att-blacklist-removal/ for details on how to get off ATT's blacklist.
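The log check suggested above, as an added example that is not part of the thread: it joins Postfix smtpd lines (client IP and SASL login of an ESMTPA session) with the matching qmgr line (recipient count) by queue ID, then flags submissions from IPs the owner never sends from or with an unusual recipient fan-out. The log lines are constructed to mirror the Received: header quoted in the post; the trusted IP 203.0.113.7 and the recipient threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed Postfix maillog sample (not from the original thread). The first two
# sessions mirror the "with ESMTPA id ECBD7E600AC" Received: header quoted above;
# 203.0.113.7 is a documentation address standing in for the owner's own workstation.
SAMPLE_LOG = """\
Feb 21 03:51:59 mail postfix/smtpd[2201]: ECBD7E600AC: client=unknown[115.241.98.204], sasl_method=LOGIN, sasl_username=justin@crossflame.com
Feb 21 03:51:59 mail postfix/qmgr[1010]: ECBD7E600AC: from=<justin@crossflame.com>, size=4120, nrcpt=20 (queue active)
Feb 21 03:52:03 mail postfix/smtpd[2203]: D5F89E600FD: client=unknown[115.241.98.204], sasl_method=LOGIN, sasl_username=justin@crossflame.com
Feb 21 03:52:03 mail postfix/qmgr[1010]: D5F89E600FD: from=<justin@crossflame.com>, size=4098, nrcpt=20 (queue active)
Feb 21 08:15:10 mail postfix/smtpd[2310]: 1A2B3C4D5E6: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=justin@crossflame.com
Feb 21 08:15:10 mail postfix/qmgr[1010]: 1A2B3C4D5E6: from=<justin@crossflame.com>, size=812, nrcpt=1 (queue active)
"""

# smtpd logs the client IP and SASL user of an authenticated (ESMTPA) session;
# qmgr logs the envelope sender and recipient count under the same queue ID.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[0-9.]+)\]"
                      r".*sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>,"
                     r" size=\d+, nrcpt=(?P<nrcpt>\d+)")

def authenticated_submissions(log_text):
    """Join smtpd and qmgr lines by queue ID; returns {qid: {ip, user, sender, nrcpt}}."""
    subs = {}
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            subs[m["qid"]] = {"ip": m["ip"], "user": m["user"], "sender": None, "nrcpt": 0}
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in subs:
            subs[m["qid"]]["sender"] = m["sender"]
            subs[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    return subs

def flag_submissions(subs, trusted_ips, max_nrcpt):
    """Queue IDs submitted from an IP the owner does not use, or fanning out to too many recipients."""
    return sorted(q for q, s in subs.items()
                  if s["ip"] not in trusted_ips or s["nrcpt"] > max_nrcpt)

def per_client_totals(subs):
    """(ip, user) -> [messages, recipients], to see which login is doing the sending."""
    totals = defaultdict(lambda: [0, 0])
    for s in subs.values():
        totals[(s["ip"], s["user"])][0] += 1
        totals[(s["ip"], s["user"])][1] += s["nrcpt"]
    return dict(totals)

if __name__ == "__main__":
    subs = authenticated_submissions(SAMPLE_LOG)
    for qid in flag_submissions(subs, trusted_ips={"203.0.113.7"}, max_nrcpt=10):
        s = subs[qid]
        print(f"{qid}: {s['user']} from {s['ip']} -> {s['nrcpt']} recipients")
```

A login that keeps submitting after a password change points away from a leaked password and toward the host the mail is injected from, which is what the later posts in this thread end up checking.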
OK, I'll run a scan from home. I changed my password again just now (at work), so I'll see if that stops it. Actually, I'm wondering if it could be my phone with the virus. I've never scanned my phone, and I'm not having any issues with any other accounts I log into like my bank, PayPal, or email accounts on other servers... but I don't access those on my phone.
Well - the IP is an Indian IP, and both the previous and next in the sequence have been tagged by Project Honey Pot - http://www.projecthoneypot.org/ip_115.241.99.120 - so I think it's fair to say that you've been hijacked by _something_ - it might be your server that's compromised. This most likely has nothing to do with an email program - this is sending from the server's IP address (the bounced mails coming back are directed to your server's mail server) - so unless you're sending mail directly from the server via some login, it probably won't be your client that's compromised. Also, if you have more than one email assigned, you'd assume that the problem would be on all accounts. Of course, scan your systems, but also make sure you lock down the server properly - and make sure to run a scan on that as well.
For compromised accounts, there are two methods I usually see when I do spam investigation work.

1. Compromised password. This is simple -- your password is compromised. Changing the password fixes this.

2. Piggybacking. Some malware will piggyback on an existing SMTP connection. So even if it does not have your password, it will attempt to inject emails. This is more of a problem with POP-before-SMTP type authentication, but I still see this tactic.
There's only one other email on my server and I had the owner of it check it, and it does not have any of these emails on it.
Just noticed something while looking around in ZPanel on my server... I'm hoping I didn't miss a basic thing, but...

SMTP Auth method: tls
SMTP Pass:
SMTP Port: 25
SMTP Server: mail.crossflame.com
SMTP User:
Use AUTH: true
Use SMTP: true

Looking at that, did I mess up and leave the default SMTP credentials on? (I'm assuming if it's blank, it's using defaults?) I'm not sending any emails from that server right now; should I turn SMTP off to stop the spam emails until I figure out and stop these emails? I can't log in to my VPS right now to check logs or other settings; I only have the tools on my home computer.
Just checked the maillog on the server and the emails were still being sent after I changed the password at work. I've just shut off SMTP to see if that stops them until I find the issue. If it still doesn't stop it, I'm getting the data I need off the server and re-imaging it.