I have a very mysterious spamming issue going on that I am clueless about what to do with. I have my sendmail automatically set to BCC everything that comes off my server so I can monitor all outgoing email.
Below is an example with full headers of what I am seeing.
Here is what I altered for this posting:
MY-ADDRESS-AT-gmail.com - my gmail address used to monitor outgoing
MY-DOMAIN-NAME-DOT-COM - my home server domain name
MY-OTHER-DOMAIN-NAME-DOT-COM - my application domain name
MY-SERVER-IP-NUMBER - my server IP number
VICTIM - people who somehow became involved with this outgoing email.
Email:
Delivered-To: MY-ADDRESS-AT-gmail.com
Received: by 10.140.255.194 with SMTP id a185csp248242qhd; Tue, 16 Dec 2014 09:44:33 -0800 (PST)
X-Received: by 10.224.89.70 with SMTP id d6mr16500910qam.76.1418751841906; Tue, 16 Dec 2014 09:44:01 -0800 (PST)
Return-Path: <MY-HOME-EMAIL-ADDRESS-DOT-COM>
Received: from MY-DOMAIN-NAME-DOT-COM (MY-OTHER-DOMAIN-NAME-DOT-COM. [MY-SERVER-IP-NUMBER]) by mx.google.com with ESMTP id d35si1594085qgd.84.2014.12.16.09.44.01 for <MY-ADDRESS-AT-gmail.com>; Tue, 16 Dec 2014 09:44:01 -0800 (PST)
Received-SPF: pass (google.com: domain of MY-DOMAIN-NAME-DOT-COM designates MY-SERVER-IP-NUMBER as permitted sender) client-ip=MY-SERVER-IP-NUMBER;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of MY-DOMAIN-NAME-DOT-COM designates MY-SERVER-IP-NUMBER as permitted sender) smtp.mail=MY-DOMAIN-NAME-DOT-COM
Date: Tue, 16 Dec 2014 09:44:01 -0800 (PST)
Message-ID: <54906f61.a61e8c0a.ba54.7204SMTPIN_ADDED_BROKEN@mx.google.com>
X-Google-Original-Message-ID: A91EF1B3C5A78D7A07F7D1D86BAC02AE@MY-DOMAIN-NAME-DOT-COM
Received: from WIN-0INGADLBBCN (201-222-133-121.baf.movistar.cl [201.222.133.121]) (Authenticated sender: mark) by MY-DOMAIN_NAME-DOT-COM (Postfix) with ESMTPA id 59CE611D8F8; Tue, 16 Dec 2014 12:43:15 -0500 (EST)
X-Mailer: MY-DOMAIN-NAME-DOT-COM
Subject: Fwd:
From: <MY-DOMAIN-NAME-DOT-COM>
To: <tompaulrVICTIMoo.co.uk>, <toraVICTOMgsinet.net>, <toon_shVICTIMhotmail.co.th>, <tnhewVICTIMstny.rr.com>, <tony_liVICTIMhotmail.com>

http://zmey555.myfilehost.ru/_happy_december_#jbecary35357
I am running ClamAV, but don't see anything there. I thought that sendmail always included the calling program name, but we are not seeing which program is sending the email. My hosting company said they don't see any proof this came from my server, but since I am seeing an IP number I want to be absolutely sure.
All outgoing email is supposed to be going through sendmail.
I did cross-check an email address and found this in the /var/log/maillog:
Dec 16 12:43:28 edwardsmarkf postfix/smtp[8058]: 59CE611D8F8: to=<tompaulrocVICTIMyahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=12, delays=9.1/0/0.37/2.7, dsn=4.0.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 451 mta1013.mail.ir2.yahoo.com Resources temporarily unavailable. Please try again later [#4.16.1]. (in reply to end of DATA command))
and I found this in mailq:
59CE611D8F8 553 Tue Dec 16 12:43:15 MY-HOME-EMAIL-ADDRESS (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 451 mta1153.mail.ir2.yahoo.com Resources temporarily unavailable. Please try again later [#4.16.1]. (in reply to end of DATA command)) tompaulroVICTIMo.co.uk
As always, any help is appreciated.
Out of pure desperation, I blocked port 25 in csf - but any other suggestions are very welcome.
Howdy,
Hmm, is this particular IP address/sender your home/work PC by chance?
Received: from WIN-0INGADLBBCN (201-222-133-121.baf.movistar.cl [201.222.133.121])
That is, the IP "201.222.133.121", and the PC name appears to be "WIN-0INGADLBBCN".
That IP appears to be based in the country of Chile.
So far as I can tell, the email headers suggest that's where the email is originating from.
-Eric
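The check Eric does by eye (walk the Received: chain, find the hop where the server accepted an authenticated submission, and see which client IP it came from) can be scripted so that every BCC copy is screened the same way. The script below is an added example, not code from the thread; the hostnames, IPs, the trusted-network list and the sample message are constructed placeholders, and the only value taken from the thread is the Postfix queue id, which is what you would grep for in /var/log/maillog.

```python
"""Walk the Received: chain of a raw message and flag authenticated
submissions whose client IP is outside the networks your own users
normally send from.  Added example; all hosts/IPs are constructed."""
import email
import ipaddress
import re

# Matches the common Postfix/Sendmail Received: shape:
#   from HELO (rdns [ip]) (Authenticated sender: USER) by HOST ... id QID
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s*)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r"(?:\s+\(Authenticated sender:\s*(?P<user>[^)]+)\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
QID_RE = re.compile(r"\bid\s+([^\s;]+)", re.IGNORECASE)


def parse_received(raw_message: str) -> list:
    """Return the Received: hops, newest first, as dicts.
    Hops without a 'from ... by ...' pair (e.g. the receiving
    provider's internal delivery lines) are skipped."""
    msg = email.message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(hdr)).strip()  # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue
        hop = m.groupdict()
        qid = QID_RE.search(flat)
        hop["queue_id"] = qid.group(1) if qid else None
        hops.append(hop)
    return hops


def suspicious_submissions(hops: list, trusted_networks: list) -> list:
    """Authenticated hops whose client IP lies outside every trusted
    network: the signature of a password being used from elsewhere."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for h in hops:
        if not h["user"] or not h["ip"]:
            continue
        addr = ipaddress.ip_address(h["ip"])
        if not any(addr in n for n in nets):
            flagged.append({"user": h["user"].strip(), "ip": h["ip"],
                            "helo": h["helo"], "queue_id": h["queue_id"]})
    return flagged


# Constructed sample modelled on the thread's headers (TEST-NET addresses).
SAMPLE = """\
Delivered-To: monitor@gmail.example
Received: by 10.140.255.194 with SMTP id a185csp248242qhd;
        Tue, 16 Dec 2014 09:44:33 -0800 (PST)
Received: from mail.example.com (mail.example.com. [192.0.2.10])
        by mx.google.example with ESMTP id d35si1594085qgd.84;
        Tue, 16 Dec 2014 09:44:01 -0800 (PST)
Received: from WIN-0INGADLBBCN (203-0-113-45.isp.example [203.0.113.45])
        (Authenticated sender: mark)
        by mail.example.com (Postfix) with ESMTPA id 59CE611D8F8;
        Tue, 16 Dec 2014 12:43:15 -0500 (EST)
Subject: Fwd:
From: <mark@example.com>
To: <someone@example.net>

http://placeholder.example/
"""

# Hypothetical: the office and home ranges the server's users send from.
TRUSTED = ["192.0.2.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    for f in suspicious_submissions(parse_received(SAMPLE), TRUSTED):
        print(f"user={f['user']} from {f['ip']} ({f['helo']}) "
              f"queue id {f['queue_id']} -> grep this id in /var/log/maillog")
```

The bottom-most matching hop is the one your own MTA wrote, so it is the only hop whose client IP you can trust; everything above it was added by later relays. A hit here says the credentials for that user were accepted from an unexpected network, which is the point at which to reset the password and pull the queue id out of the mail log to see what else that session submitted.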
Update: it appears maybe (JUST MAYBE) one of the user accounts had a compromised password.