Spam Email Server Account Hijacked

Hello everyone,
I've been having a lot of trouble with one particular email server. I've posted a couple of questions but nobody has answered me so I went and re-installed the whole server by changing its static IP and adding an Airport Extreme in between so that the server only does DNS, Open Directory, File Sharing and Email.
Everything has been going well until one user started receiving email notifications about mail returned messages.
I've tried several things:
- Removed the non-SSL website so I only left the Webmail on 443
- Changed to more secure passwords
- Lock the account after 10 bad passwords (the user gets blocked every couple of hours)
- Deactivate the POP protocol as nobody is using it, we are only using
- Tried blocking some Russian IPs because I noticed that all the emails are Reply To the domain ngs.ru but from the logs it looks like it's going through locally.
My user has only Macs and iOS products so even though it's a mixed environment I don't think there could be malware doing this.
I don't know what else I can do, I really want to avoid the server getting blacklisted and I've been looking for help so I would really appreciate if someone can provide me some guidance.
Here's the postconf -n:
server:~ administrator$ sudo postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, ecogenia.ca, server.ecogenia.ca, localhost.localdomain, $mydomain
mydomain = ecogenia.ca
mydomain_fallback = localhost
mynetworks = 127.0.0.0/8,192.168.1.0/24,207.115.108.190
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject cidr:/etc/postfix/smtpdreject.cidr permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks  reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.chain.pem
smtpd_tls_cert_file = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users
These are some of the logs I've been seeing:
Dec  4 04:06:51 server postfix/smtpd[19291]: NOQUEUE: reject: RCPT from unknown[95.65.176.14]: 554 5.7.1 Service unavailable; Client host [95.65.176.14] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=95.65.176.14; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[95.65.176.14]>
Dec  4 04:08:54 server postfix/smtp[19353]: 7897321698B: to=<[email protected]>, orig_to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=21, delays=10/0/0/10, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17722-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as F0C1121699B)
Dec  4 05:08:14 server postfix/smtp[21213]: 43A6E216C47: to=<[email protected]>, orig_to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=11/0.02/0/5.8, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17722-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A6914216C55)
Dec  4 05:16:28 server postfix/smtp[21479]: 6A7D8216CB8: to=<[email protected]>, orig_to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=11/0.02/0.01/5.6, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17723-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B435E216CC4)
Here is an example of the emails returned that the user has never sent:
From: "Mail Delivery System" <[email protected]>
Subject: Undelivered Mail Returned to Sender
Date: 3 December, 2012 1:08:42 PM EST
To: [email protected]
We are sorry to inform you that your message could not
be delivered to one or more of its recipients.
This is an automatic message generated by the server mwinf5d38.orange.fr.
Please do not reply to it. This is the mail system at host mwinf5d38.orange.fr.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients.
The mail system <[email protected]>: host mail.ru[94.100.176.20] said: 550
spam message discarded. Please visit http://mail.ru/notspam/abuse?c=dK3Cqtwc2M_u_NHfPpZdr5kaLTUE1R6jDAAAAPoyAAATz4o6 or report details to [email protected]. Error code: AAC2AD74CFD81CDCDFD1FCEEAF5D963E352D1A99A31ED504. ID: 0000000C000032FA3A8ACF13.
From: Вера Краснова <[email protected]>
Subject: A year-end loan for everyone, hurry and submit your loan application in December.
Date: 3 December, 2012 12:59:23 PM EST
To: Дина <[email protected]>
Reply-To: Вера Краснова <[email protected]>
Good day. In the fourth quarter of 2012 you showed interest in our credit programs; we inform you that your application has been approved by the security departments of several banks, and we ask you to fill out the loan application on the site http://renessanscapital.ru/
Regards, Вера Краснова
tel. +7 (913) 574-24-76
skype: credit.skype
ICQ: 6573118
Attention! To unsubscribe from this mailing you need to submit a loan application once on the page http://renessanscapital.ru/, after which no more letters will be sent to your e-mail.
I'll really appreciate anyone's help.
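The question above is whether the account is actually being used to send mail or only appears as a forged sender. With smtpd_sasl_auth_enable = yes and permit_sasl_authenticated at the front of smtpd_recipient_restrictions, a stolen password relays anywhere, and Postfix records every authenticated submission as a "client=... sasl_username=..." line. The following script is an added example, not code from the thread or from Postfix: it parses such lines and groups them by SASL account, flagging accounts that submitted from several addresses outside the mynetworks ranges listed in the postconf output. The four submission lines and the example.com addresses are constructed; the reject line is the one quoted above and is ignored because it carries no sasl_username.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the format Postfix smtpd uses when a client
# authenticates with SASL before submitting mail (one "client=" line per queue
# id). The first four lines are invented for this example; the last one is the
# reject line quoted in the thread, which has no sasl_username and is skipped.
SAMPLE_LOG = """\
Dec  4 03:59:10 server postfix/smtpd[19102]: 5A1C02168E1: client=unknown[95.65.176.14], sasl_method=LOGIN, sasl_username=user@example.com
Dec  4 04:01:33 server postfix/smtpd[19110]: 6B2D12168F2: client=unknown[95.65.176.22], sasl_method=LOGIN, sasl_username=user@example.com
Dec  4 04:03:47 server postfix/smtpd[19131]: 7C3E221690A: client=unknown[178.22.10.9], sasl_method=LOGIN, sasl_username=user@example.com
Dec  4 04:05:02 server postfix/smtpd[19150]: 8D4F3216911: client=unknown[192.168.1.23], sasl_method=PLAIN, sasl_username=admin@example.com
Dec  4 04:06:51 server postfix/smtpd[19291]: NOQUEUE: reject: RCPT from unknown[95.65.176.14]: 554 5.7.1 Service unavailable; Client host [95.65.176.14] blocked using zen.spamhaus.org; from=<spam@example.net> to=<user@example.com> proto=ESMTP helo=<[95.65.176.14]>
"""

# The networks the thread's postconf lists in mynetworks; a submission from
# any other address is counted as a "foreign" source.
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24", "207.115.108.190"]

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)


def parse_submissions(log_text):
    """Return one dict (ts, qid, host, ip, method, user) per authenticated submission."""
    return [m.groupdict() for m in map(AUTH_RE.match, log_text.splitlines()) if m]


def audit_accounts(submissions, trusted_nets=MYNETWORKS, max_foreign_ips=1):
    """Group submissions by SASL account and flag accounts that submitted from
    more than max_foreign_ips distinct addresses outside trusted_nets.

    Returns (per_user, suspicious): per_user maps each account to
    {"count", "ips", "foreign_ips"}; suspicious is a sorted list of accounts.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    per_user = defaultdict(lambda: {"count": 0, "ips": set(), "foreign_ips": set()})
    for s in submissions:
        rec = per_user[s["user"]]
        rec["count"] += 1
        rec["ips"].add(s["ip"])
        addr = ipaddress.ip_address(s["ip"])
        if not any(addr in net for net in nets):
            rec["foreign_ips"].add(s["ip"])
    suspicious = sorted(
        u for u, r in per_user.items() if len(r["foreign_ips"]) > max_foreign_ips
    )
    return dict(per_user), suspicious


if __name__ == "__main__":
    per_user, suspicious = audit_accounts(parse_submissions(SAMPLE_LOG))
    for user, rec in sorted(per_user.items()):
        print(f"{user}: {rec['count']} submissions from {sorted(rec['ips'])}")
    print("accounts to investigate:", suspicious)
```

If the real mail log contains no sasl_username line for the account around the time of the bounces, the server never accepted that mail and the bounce is backscatter from a forged From address; if it does, the password is in someone else's hands. The max_foreign_ips threshold is deliberately low for the sample; users who send from phones on mobile networks will legitimately show a handful of outside addresses, so tune it against a normal week of logs before alerting on it.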

I've been getting a lot of bounce backs from the same SMTP server as you to our email domain as well.
The offending server mwinf5d55.orange.fr is sending "backscatter" spam which should be simply dropped by them instead of bouncing back to the "FROM" address.
Because of this problem of bounced emails, I've tweaked our SPF (Sender Policy Framework) DNS TXT entry for our email domain to help receiving mailservers know what our legitimate OUTBOUND smtp mail servers actually are.  This should allow correctly configured email servers to drop any email from mwinf5d55.orange.fr because it is not a valid source of email for our domain.
(See http://www.openspf.org/SPF_Record_Syntax for some syntax)
Some details that I've dug up:
The SMTP server at orange.fr is accepting mail based on forged FROM: addresses which bounce back to you by the receiving target TO: address mailservers. 
Eg. From your email bounce back message:  host mail.ru[94.100.176.20] said: 550 spam message discarded.
I'm not sure if the spammer is using the mwinf5d55.orange.fr smtp server as an open relay or if it's using someone else's smtp username and password to send mail.
If you look at the email headers of the original bounced (spam) email that caused the backscatter it shows for example (from one of our bounces that I've received):
Received: from Unknown ([92.46.248.56])
by mwinf5d55 with ME
id 7XfA1l00l1Dkwus03XfJsw; Mon, 04 Mar 2013 20:39:43 +0100
X-ME-IP: 92.46.248.56
X-ME-Entity: ofr
When you look up the IP address source of that email it shows that it is coming from "JSC Kazakhtelecom, West Kazakhstan Affiliate".
http://en.utrace.de/whois/92.46.248.56
If you look up the original source email and find that it's from your original user's computer then you have a problem.  If it's from a compromised machine overseas that's sending forged spam on your user's behalf, then there's not too much you can do about it short of publishing a correct SPF record.
Hope that helps.
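The two checks the reply describes, reading the Received: chain of the bounced message to find the host that handed it to the bouncing server, and asking whether an SPF record for the forged domain would have authorised that host, can be put together in a few lines. The script below is an added example and is not code from the thread or from any SPF library: the header fragment is constructed from the Received: line quoted above, the example.com/example.org addresses are invented, and the SPF record is a hypothetical one that authorises only the server's public address from the postconf output. The evaluator handles only ip4:, ip6: and all mechanisms offline; a real receiving server would also resolve a, mx and include via DNS.

```python
import ipaddress
import re

# Constructed fragment modeled on the headers quoted in the reply: the bouncing
# server (orange.fr) added the top Received: line itself, so the address in
# that line is the host that handed it the message. Addresses are invented.
BOUNCED_HEADERS = """\
Received: from Unknown ([92.46.248.56])
\tby mwinf5d55 with ME
\tid 7XfA1l00l1Dkwus03XfJsw; Mon, 04 Mar 2013 20:39:43 +0100
X-ME-IP: 92.46.248.56
From: "Forged Sender" <user@example.com>
To: victim@example.org
Subject: sample
"""

# Hypothetical SPF record for the forged domain: only the server's public
# address from the thread's mynetworks may send; everything else hard-fails.
SPF_RECORD = "v=spf1 ip4:207.115.108.190 -all"

RECEIVED_IP_RE = re.compile(r"^Received: from .*?\[(?P<ip>[0-9.]+)\]", re.I)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def unfold_headers(raw):
    """Join continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_ips(raw):
    """IP addresses from Received: headers, most recent hop first."""
    return [m.group("ip") for m in map(RECEIVED_IP_RE.match, unfold_headers(raw)) if m]


def spf_result(record, sender_ip):
    """Evaluate the ip4:/ip6:/all mechanisms of a v=spf1 record offline.

    a, mx, include and exists need DNS and are skipped, so a "neutral" from
    this function means "not decided here", not "authorised".
    """
    addr = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # SPF default qualifier
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def classify_bounce(raw_headers, spf_record):
    """Return (origin_ip, spf_result) for the message quoted in a bounce."""
    ips = received_ips(raw_headers)
    if not ips:
        return (None, "none")
    return (ips[0], spf_result(spf_record, ips[0]))


if __name__ == "__main__":
    origin, verdict = classify_bounce(BOUNCED_HEADERS, SPF_RECORD)
    print(f"message reached the bouncing server from {origin}; SPF says {verdict}")
```

An origin address inside your own mynetworks with a pass verdict means the mail really left your server and the account or a host behind it needs attention; an outside origin that fails your published record is the forged-sender case, where the SPF record is what lets well-behaved receivers drop the message instead of bouncing it to you.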
