This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Spam email complaint
#1
Spam email complaint
Hello, I have a droplet hosted on DigitalOcean and received a ticket with a complaint saying my server ip was blocked for sending spam email.

I justed checked the postfix logs and they are over 6 GB in size. 
I think someone exploited a flaw or some configuration error on the postfix server, because I changed all the email passwords to very secure ones and I still see spam emails being sent on the server.

Here are some parts of the logs:

Quote:Apr 30 10:49:09 zentora postfix/smtp[10637]: 9F7B2126826: to=<bobreisner@earthlink.net>, relay=mx1.earthlink.net[209.86.93.226]:25, delay=236801, delays=234764/2037/0.29/0.02, dsn=4.0.0, status=SOFTBOUNCE (host mx1.earthlink.net[209.86.93.226] said: 550 IP xx.xx.xx.xx is blocked by EarthLink. Go to earthlink.net/block for details. (in reply to MAIL FROM command))

Quote:Apr 30 10:48:49 zentora postfix/smtp[10286]: 93E7F12FB8C: to=<amandawg@ara.seed.net.tw>, relay=mx.seed.net.tw[139.175.54.239]:25, delay=214822, delays=212804/2016/1.4/0.45, dsn=4.0.0, status=SOFTBOUNCE (host mx.seed.net.tw[139.175.54.239] said: 550 unknown user (in reply to RCPT TO command))

Apr 30 10:48:49 zentora postfix/qmgr[3435]: 6B41513E98B: from=<sec@mydomain.com>, size=4895, nrcpt=1 (queue active)

Is there maybe a security bug built in Sentora? Is there a way I can secure my server to stop this spam complaints? If you need access to the server or the logs I can give you access.

Thank you
Reply
Thanks given by:
#2
RE: Spam email complaint
Seem you ip is now blacklisted.

Check if you have wordpress or such CMS that will likely have flaws that got the spam bot inside. Clean your server and then delist your ip and keep an eye over it.

M B
No support using PM (Auto adding to IGNORE list!), use the forum. 
How to ask
Freelance AWS Certified Architect & SysOps// DevOps

10$ free to start your VPS
Reply
Thanks given by:
#3
RE: Spam email complaint
(05-02-2017, 07:07 AM)Me.B Wrote: Seem you ip is now blacklisted.

Check if you have wordpress or such CMS that will likely have flaws that got the spam bot inside. Clean your server and then delist your ip and keep an eye over it.

M B

Thank you M B for your answer.

I have a custom cms built inside, I will clean the server and will let you know. 

Quick question, I can see all the emails are being sent from the same email address. I have deleted that email address but emails are still being sent using that email address... Maybe the server is compromised?
Reply
Thanks given by:
#4
RE: Spam email complaint
I have cleaned the server, and the spam email are still being sent.
I disabled the relay sending in postfix and as soon as I start the postfix service the emails start sending like crazy
Reply
Thanks given by:
#5
RE: Spam email complaint
Hi. Try updating your /etc/postfix/main.cf and comment out soft_bounce=yes (the Postfix default is no). I had the same "status=SOFTBOUNCE" in my logs for emails that should have otherwise failed (unknown email addresses, etc.) However these were being retried every 70 mins. After changing the above option I started getting the expected Undeliverable emails in the mailbox that sent the email. This was on a fresh Sentora install on a Centos 7 minimal image.
The soft_bounce=yes config appears to come from Sentora - a fresh Linode Centos 7 install has a different /etc/postfix/main.cf, installing Sentora seems to replace this (and understandably so, just not the soft_bounce value).
The references that ultimately helped me: http://postfix.1071664.n5.nabble.com/sta...d9035.html and the linked ref: http://www.postfix.org/postconf.5.html#soft_bounce
Reply
Thanks given by:


Possibly Related Threads…
Thread Author Replies Views Last Post
Email has suddenly stopped coming through rsthomas 4 4 ,638 10-12-2022, 09:29 PM
Last Post: rsthomas
can not send email - SMTP error on roundcube wolvepy 9 28 ,887 01-03-2020, 08:37 AM
Last Post: Telepuzik
Cannot reuse previously deleted email address rsthomas 16 36 ,946 09-04-2019, 07:58 PM
Last Post: prasanna8519

Forum Jump:


Users browsing this thread: 1 Guest(s)