Spam Email Server Account Hijacked
Hello everyone,
I've been having a lot of trouble with one particular email server. I've posted a couple of questions but nobody has answered me, so I went and re-installed the whole server, changing its static IP and adding an Airport Extreme in between so that the server only does DNS, Open Directory, File Sharing and Email.
Everything had been going well until one user started receiving email notifications about returned mail messages.
I've tried several things:
- Removed the non-SSL website so I only left the Webmail on 443
- Changed to more secure passwords
- Locked the account after 10 bad passwords (the user gets blocked every couple of hours)
- Deactivated the POP protocol as nobody is using it, we are only using
- Tried blocking some Russian IPs because I noticed that all the emails have a Reply-To in the domain ngs.ru, but from the logs it looks like it's going through locally.
My user has only Macs and iOS products, so even though it's a mixed environment I don't think there could be malware doing this.
I don't know what else I can do. I really want to avoid the server getting blacklisted, and I've been looking for help, so I would really appreciate it if someone could provide me some guidance.
Here's the postconf -n:
server:~ administrator$ sudo postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, ecogenia.ca, server.ecogenia.ca, localhost.localdomain, $mydomain
mydomain = ecogenia.ca
mydomain_fallback = localhost
mynetworks = 127.0.0.0/8,192.168.1.0/24,207.115.108.190
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject cidr:/etc/postfix/smtpdreject.cidr permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.chain.pem
smtpd_tls_cert_file = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users
These are some of the logs I've been seeing:
Dec 4 04:06:51 server postfix/smtpd[19291]: NOQUEUE: reject: RCPT from unknown[95.65.176.14]: 554 5.7.1 Service unavailable; Client host [95.65.176.14] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=95.65.176.14; from=<reports@rapidfax.com> to=<gcrasnier@ecogenia.ca> proto=ESMTP helo=<[95.65.176.14]>
Dec 4 04:08:54 server postfix/smtp[19353]: 7897321698B: to=<guycrasnier@server.ecogenia.ca>, orig_to=<gcrasnier@ecogenia.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=21, delays=10/0/0/10, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17722-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as F0C1121699B)
Dec 4 05:08:14 server postfix/smtp[21213]: 43A6E216C47: to=<guycrasnier@server.ecogenia.ca>, orig_to=<gcrasnier@ecogenia.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=11/0.02/0/5.8, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17722-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A6914216C55)
Dec 4 05:16:28 server postfix/smtp[21479]: 6A7D8216CB8: to=<guycrasnier@server.ecogenia.ca>, orig_to=<gcrasnier@ecogenia.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=11/0.02/0.01/5.6, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17723-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B435E216CC4)
Here is an example of the returned emails, which the user never sent:
From: "Mail Delivery System" <MAILER-DAEMON@orange.fr>
Subject: Undelivered Mail Returned to Sender
Date: 3 December, 2012 1:08:42 PM EST
We are sorry to inform you that your message could not
be delivered to one or more of its recipients.
This is an automatic message generated by the server mwinf5d38.orange.fr.
Please do not reply to it.
This is the mail system at host mwinf5d38.orange.fr.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients.
The mail system
< titulk@mail.ru>: host mail.ru[94.100.176.20] said: 550
spam message discarded. Please visit http://mail.ru/notspam/abuse?c=dK3Cqtwc2M_u_NHfPpZdr5kaLTUE1R6jDAAAAPoyAAATz4o6 or report details to abuse@corp.mail.ru. Error code: AAC2AD74CFD81CDCDFD1FCEEAF5D963E352D1A99A31ED504. ID: 0000000C000032FA3A8ACF13.
From: Вера Краснова <gcrasnier@ecogenia.ca>
Subject: Year-end credit for everyone, hurry and submit your loan application in December.
Date: 3 December, 2012 12:59:23 PM EST
To: Дина <diandpaul@ntlworld.com>
Reply-To: Вера Краснова <spencer1986placek@ngs.ru>
Good day. In the fourth quarter of 2012 you expressed interest in our credit programmes. We inform you that your application has been approved by the security services of several banks, and we ask you to fill in the loan application on the site http://renessanscapital.ru/
--
Regards, Вера Краснова
tel. +7 (913) 574-24-76
skype: credit.skype
ICQ: 6573118
Attention! To unsubscribe from this mailing you need to submit a loan application once on the page http://renessanscapital.ru/ after which no more letters will be sent to your e-mail.
I'd really appreciate anyone's help.
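The config above lists permit_sasl_authenticated first in smtpd_recipient_restrictions, so anyone who knows the user's password can relay through the server from anywhere; the place to confirm that is the "client=..., sasl_username=..." line Postfix smtpd logs for each authenticated submission. The script below is an added example (not from the post) that parses such lines and flags accounts authenticating from several addresses outside the page's mynetworks ranges; the log lines in it are constructed, with documentation-range IPs.

```python
import re
from collections import defaultdict

# Constructed sample lines in the standard Postfix smtpd SASL log format
# (same "Dec  4 ... server postfix/smtpd[pid]:" shape as the logs on this page).
SAMPLE_LOG = """\
Dec  4 03:58:01 server postfix/smtpd[19101]: 1A2B3C4D5E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=gcrasnier
Dec  4 04:02:17 server postfix/smtpd[19102]: 2B3C4D5E6F: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=gcrasnier
Dec  4 04:05:40 server postfix/smtpd[19103]: 3C4D5E6F70: client=unknown[203.0.113.99], sasl_method=LOGIN, sasl_username=gcrasnier
Dec  4 04:06:51 server postfix/smtpd[19291]: NOQUEUE: reject: RCPT from unknown[95.65.176.14]: 554 5.7.1 Service unavailable
Dec  4 04:09:12 server postfix/smtpd[19104]: 4D5E6F7081: client=macbook.local[192.168.1.20], sasl_method=PLAIN, sasl_username=jdoe
Dec  4 04:11:03 server postfix/smtpd[19105]: 5E6F708192: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=jdoe
"""

# One authenticated submission per line: queue id, client host, IP, SASL user.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?, sasl_username=(?P<user>[^,\s]+)"
)

def sasl_logins(lines):
    """Yield (queue_id, client_ip, sasl_username) for every authenticated submission."""
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            yield m.group("qid"), m.group("ip"), m.group("user")

def suspicious_accounts(lines, trusted_prefixes=("127.", "192.168.1."), max_ips=2):
    """Map user -> sorted list of untrusted source IPs, for users that authenticated
    from more than max_ips distinct addresses outside the trusted ranges.
    The defaults mirror the page's mynetworks (127.0.0.0/8 and 192.168.1.0/24);
    the threshold is an assumption, tune it for the site's real client population."""
    ips_by_user = defaultdict(set)
    for _qid, ip, user in sasl_logins(lines):
        if not ip.startswith(trusted_prefixes):
            ips_by_user[user].add(ip)
    return {u: sorted(s) for u, s in ips_by_user.items() if len(s) > max_ips}

if __name__ == "__main__":
    # On the real box: sudo grep sasl_username /var/log/mail.log | python3 this_script.py
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for user, ips in suspicious_accounts(source).items():
        print(f"{user}: authenticated from {len(ips)} external addresses: {', '.join(ips)}")
```

An account that shows up this way with addresses its owner could not have used is the one to disable and re-credential, regardless of which devices the owner has.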