mysterious outgoing email spam problem

#1 Tue, 12/16/2014 - 13:41
edwardsmarkf

I have a very mysterious spamming issue going on that I am clueless what to do about. I have my sendmail automatically set to BCC everything that comes off my server so I can monitor all outgoing email.

Below is an example, with full headers, of what I am seeing.

Here is what I altered for this posting:

MY-ADDRESS-AT-gmail.com - my Gmail address used to monitor outgoing
MY-DOMAIN-NAME-DOT-COM - my home server domain name
MY-OTHER-DOMAIN-NAME-DOT-COM - my application domain name
MY-SERVER-IP-NUMBER - my server IP number
VICTIM - people who somehow became involved with this outgoing email.

Email:

Delivered-To: MY-ADDRESS-AT-gmail.com
Received: by 10.140.255.194 with SMTP id a185csp248242qhd;
        Tue, 16 Dec 2014 09:44:33 -0800 (PST)
X-Received: by 10.224.89.70 with SMTP id d6mr16500910qam.76.1418751841906;
        Tue, 16 Dec 2014 09:44:01 -0800 (PST)
Return-Path: <MY-HOME-EMAIL-ADDRESS-DOT-COM>
Received: from MY-DOMAIN-NAME-DOT-COM (MY-OTHER-DOMAIN-NAME-DOT-COM. [MY-SERVER-IP-NUMBER])
        by mx.google.com with ESMTP id d35si1594085qgd.84.2014.12.16.09.44.01
        for <MY-ADDRESS-AT-gmail.com>;
        Tue, 16 Dec 2014 09:44:01 -0800 (PST)
Received-SPF: pass (google.com: domain of MY-DOMAIN-NAME-DOT-COM designates MY-SERVER-IP-NUMBER as      permitted sender) client-ip=MY-SERVER-IP-NUMBER;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of MY-DOMAIN-NAME-DOT-COM designates MY-SERVER-IP-NUMBER as permitted  sender) smtp.mail=MY-DOMAIN-NAME-DOT-COM
Date: Tue, 16 Dec 2014 09:44:01 -0800 (PST)
Message-ID: <54906f61.a61e8c0a.ba54.7204SMTPIN_ADDED_BROKEN@mx.google.com>
X-Google-Original-Message-ID: A91EF1B3C5A78D7A07F7D1D86BAC02AE@MY-DOMAIN-NAME-DOT-COM
Received: from WIN-0INGADLBBCN (201-222-133-121.baf.movistar.cl [201.222.133.121])
(Authenticated sender: mark)
by MY-DOMAIN-NAME-DOT-COM (Postfix) with ESMTPA id 59CE611D8F8;
Tue, 16 Dec 2014 12:43:15 -0500 (EST)
X-Mailer: MY-DOMAIN-NAME-DOT-COM
Subject: Fwd: 
From: <MY-DOMAIN-NAME-DOT-COM>
To: <tompaulrVICTIMoo.co.uk>, <toraVICTIMgsinet.net>, <toon_shVICTIMhotmail.co.th>, <tnhewVICTIMstny.rr.com>, <tony_liVICTIMhotmail.com>
 
http://zmey555.myfilehost.ru/_happy_december_#jbecary35357

I am running ClamAV, but don't see anything there. I thought that sendmail always included the calling program name, but we are not seeing which program is sending the email. My hosting company said they don't see any proof this came from my server, but since I am seeing an IP number I want to be absolutely sure.

All outgoing email is supposed to be going through sendmail.

I did cross-check an email address and found this in /var/log/maillog:

Dec 16 12:43:28 edwardsmarkf postfix/smtp[8058]: 59CE611D8F8: to=<tompaulrocVICTIMyahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=12, delays=9.1/0/0.37/2.7, dsn=4.0.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 451 mta1013.mail.ir2.yahoo.com Resources temporarily unavailable. Please try again later [#4.16.1]. (in reply to end of DATA command))

and I found this in mailq:

59CE611D8F8      553 Tue Dec 16 12:43:15  MY-HOME-EMAIL-ADDRESS
(host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 451 mta1153.mail.ir2.yahoo.com Resources temporarily unavailable. Please try again later [#4.16.1]. (in reply to end of DATA command))
                                         tompaulroVICTIMo.co.uk

As always, any help is appreciated.

Tue, 12/16/2014 - 13:56
edwardsmarkf

Out of pure desperation, I blocked port 25 in CSF, but any other suggestions are very welcome.

Tue, 12/16/2014 - 14:17
andreychek

Howdy,

Hmm, is this particular IP address/sender your home/work PC by chance?

Received: from WIN-0INGADLBBCN (201-222-133-121.baf.movistar.cl [201.222.133.121])

That is, the IP "201.222.133.121", and the PC name appears to be "WIN-0INGADLBBCN".

That IP appears to be based in the country of Chile.

So far as I can tell, the email headers suggest that's where the email is originating from.

-Eric
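As an added example (not code from the thread or its posters), the check Eric describes can be automated: walk the Received: chain to find the hop that your own MTA wrote, which records the connecting client and the authenticated SASL user, then use that queue ID and username to pull the matching Postfix smtpd lines and count how many distinct source IPs used each account. Only the Received: line added by a server you control is trustworthy; anything below it was supplied by the client and may be forged. The header sample is the redacted message from the first post with its folding whitespace restored; the log lines other than the one quoted in the thread are constructed, using documentation IP ranges, and the `client=host[ip], sasl_method=..., sasl_username=...` format is Postfix's standard smtpd log line.

```python
"""Locate the originating hop in a Received: chain and audit Postfix SASL logins.

Added example for this thread, not the posters' own code. Assumes RFC 5322
header folding (continuation lines start with whitespace) and Postfix's
smtpd log line "QUEUEID: client=host[ip], sasl_method=..., sasl_username=...".
"""
import re
from collections import defaultdict

# Constructed sample: the redacted headers from the first post, with the
# folding whitespace that the forum paste dropped put back.
SAMPLE_HEADERS = """\
Received: by 10.140.255.194 with SMTP id a185csp248242qhd;
        Tue, 16 Dec 2014 09:44:33 -0800 (PST)
Return-Path: <MY-HOME-EMAIL-ADDRESS-DOT-COM>
Received: from MY-DOMAIN-NAME-DOT-COM (MY-OTHER-DOMAIN-NAME-DOT-COM. [MY-SERVER-IP-NUMBER])
        by mx.google.com with ESMTP id d35si1594085qgd.84.2014.12.16.09.44.01
        for <MY-ADDRESS-AT-gmail.com>;
        Tue, 16 Dec 2014 09:44:01 -0800 (PST)
Received: from WIN-0INGADLBBCN (201-222-133-121.baf.movistar.cl [201.222.133.121])
        (Authenticated sender: mark)
        by MY-DOMAIN-NAME-DOT-COM (Postfix) with ESMTPA id 59CE611D8F8;
        Tue, 16 Dec 2014 12:43:15 -0500 (EST)
Subject: Fwd:
"""

# Constructed sample maillog: the smtpd line for 59CE611D8F8 is what the
# thread's headers imply; the later logins use documentation IPs (assumption).
SAMPLE_MAILLOG = """\
Dec 16 12:43:15 edwardsmarkf postfix/smtpd[8041]: 59CE611D8F8: client=201-222-133-121.baf.movistar.cl[201.222.133.121], sasl_method=LOGIN, sasl_username=mark
Dec 16 12:43:28 edwardsmarkf postfix/smtp[8058]: 59CE611D8F8: to=<tompaulrVICTIMyahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, dsn=4.0.0, status=deferred
Dec 16 12:44:02 edwardsmarkf postfix/smtpd[8041]: 7A1C211D8FB: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=mark
Dec 16 12:45:10 edwardsmarkf postfix/smtpd[8042]: 7B3D011D8FC: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=mark
Dec 16 13:01:44 edwardsmarkf postfix/smtpd[8043]: 8C4E111D900: client=host.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
"""

RECEIVED_RE = re.compile(
    r"^Received:\s*"
    r"(?:from\s+(?P<helo>\S+)"                                   # client HELO name
    r"(?:\s+\((?P<rdns>[^\s\[\)]+)?\s*\[(?P<ip>[^\]]+)\]\))?)?"  # (rdns [ip])
    r"(?:\s*\(Authenticated sender:\s*(?P<user>[^)]+)\))?"       # Postfix ESMTPA
    r".*?\bby\s+(?P<by>\S+)"                                     # MTA that wrote the line
    r".*?\bwith\s+(?P<proto>\S+)"
    r"(?:\s+id\s+(?P<qid>[^\s;]+))?",                            # that MTA's queue id
    re.I | re.S,
)
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\],"
    r" sasl_method=\S+, sasl_username=(?P<user>\S+)"
)


def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def received_hops(raw):
    """All Received: headers, newest first (each MTA prepends its own)."""
    return [m.groupdict() for m in map(RECEIVED_RE.match, unfold(raw)) if m]


def origin_hop(raw):
    """The bottom-most Received: header, i.e. the first hop the message took."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def trusted_origin(raw, our_mta):
    """First hop (from the top) that our own MTA recorded: it names the client
    that connected to us and the SASL user, and cannot have been forged by them."""
    for hop in received_hops(raw):
        if hop["by"] and hop["by"].rstrip(".").lower() == our_mta.lower():
            return hop
    return None


def lines_for_queue_id(log_lines, qid):
    """Every maillog line for one Postfix queue id (smtpd, cleanup, qmgr, smtp)."""
    return [line for line in log_lines if f" {qid}: " in line]


def sasl_logins(log_lines):
    """Map sasl_username -> set of client IPs that authenticated as that user."""
    by_user = defaultdict(set)
    for line in log_lines:
        m = SASL_RE.search(line)
        if m:
            by_user[m["user"]].add(m["ip"])
    return by_user


def suspicious_users(log_lines, max_ips=2):
    """Accounts used from more than max_ips distinct addresses: the usual
    signature of a stolen password being replayed from several hosts."""
    return sorted(u for u, ips in sasl_logins(log_lines).items() if len(ips) > max_ips)


if __name__ == "__main__":
    hop = trusted_origin(SAMPLE_HEADERS, "MY-DOMAIN-NAME-DOT-COM")
    print("injected by", hop["ip"], "as user", hop["user"], "queue id", hop["qid"])
    log = SAMPLE_MAILLOG.splitlines()
    for line in lines_for_queue_id(log, hop["qid"]):
        print("  ", line)
    print("accounts used from many IPs:", suspicious_users(log))
```

On a live system the same functions run over `/var/log/maillog` (or `journalctl -u postfix`), and a user that shows up from several residential IPs in different countries within minutes is the account to lock and re-password; blocking port 25 outbound stops the queue from draining but does not stop the client from authenticating on 587.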

Tue, 12/16/2014 - 14:27
edwardsmarkf

Update: it appears maybe (JUST MAYBE) one of the user accounts had a compromised password.
