Author Topic: Spam from Clients Mail Account  (Read 1842 times)


Offline krky

  • Junior Member
  • *
  • Posts: 5
  • Karma: +0/-0
Spam from Clients Mail Account
« on: 2015-04-13, 10:34:54 »
My VPS is sending lots of spam from my client's mail account. These spam mails started 3 days ago and are still being sent, hundreds within an hour. I am using 6.5.0.f, and the spamdyke and virus-scan options are enabled under server mail settings.
My VPS provider blocked SMTP port (25).


You can see an example spam mail from the mail queue page:

Code:
--------------
MESSAGE NUMBER 919647
 --------------
Received: (qmail 17511 invoked from network); 13 Apr 2015 06:48:27 -0000
Received: from unknown (HELO ?192.168.1.2?) (clientname@clientsite.com.tr@95.153.84.247)
  by srv.myserver.net with ESMTPA; 13 Apr 2015 06:48:27 -0000
From: "clientname" <clientname@clientsite.com.tr>
Cc: bendict.hackl@gmail.com,sothy2006@hotmail.com,bwilliams2580@gmail.com,moises.barrera2010@gmail.com,slim_042@yahoo.com,remattson@comcast.net,j_mitrovski@hotmail.com
Date: Mon, 13 Apr 2015 08:47:04 +0400
MIME-Version: 1.0
Subject: hey big daddy!any chance u r interested in spankin naughty gurls? :)
Message-ID: <6D33F2AB81E6F33EFC756ADCD47C939C@PCPC>
Priority: normal
X-mailer: Pegasus Mail for Windows (4.70)
Content-type: text/html; charset=windows-1251
Content-transfer-encoding: 7BIT
Content-description: Mail message body

http://zooz.org/7hd<br>
Berliner in senior<br>
Ephrussis almost , References Family's 2010 Hase<br>
had 74th America Pontiac's

How can I stop these mails being sent from my VPS?

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
Re: Spam from Clients Mail Account
« Reply #1 on: 2015-04-13, 10:46:04 »
Did you update all components to the latest version with 'yum clean all; yum update -y'? If yes, try 'cat /var/log/maillog|grep PWD' and find out where most came from (based on the PWD value).
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline krky

  • Junior Member
  • *
  • Posts: 5
  • Karma: +0/-0
Re: Spam from Clients Mail Account
« Reply #2 on: 2015-04-13, 11:04:46 »
I installed Kloxo-MR yesterday and yes, all components are up to date.

I did what you said and the result:
Code:
[root@srv ~]# cat /var/log/maillog|grep PWD
Apr 12 21:33:41 stock root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/backgroundVaTj4R" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Apr 12 21:38:42 stock root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/backgroundvyTpv0" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Apr 12 21:39:29 stock root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/backgroundU0kXpU" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Apr 12 21:42:45 stock root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/backgrounduxOvAv" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Apr 12 21:45:35 stock root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/backgroundrKG3UY" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Apr 12 21:46:57 stock root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/backgroundM6UDMa" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Apr 12 21:48:33 stock root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/backgroundCUN2A2" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Apr 12 22:12:26 vps153619 root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/background6MXXoe" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Apr 13 03:18:19 vps153619 root: sendmail: CALLER="init" PWD="/" BAN="no"
Apr 13 03:18:19 vps153619 root: sendmail: CALLER="/usr/sbin/anacron -s" PWD="/var/spool/anacron" BAN="no"
Apr 13 08:08:36 vps153619 root: sendmail: CALLER="sh -c printf %b "Subject: [Fail2Ban] SSH: started on `uname -n`?Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`?From: Fail2Ban <fail2ban@example.com>?To: you@example.com\n?Hi,\n?The jail SSH has been started successfully.\n?Regards,\n?Fail2Ban" | /usr/sbin/sendmail -f fail2ban@example.com you@example.com" PWD="/" BAN="no"
Apr 13 08:14:11 vps153619 root: sendmail: CALLER="sh -c printf %b "Subject: [Fail2Ban] SSH: stopped on `uname -n`?Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`?From: Fail2Ban <fail2ban@example.com>?To: you@example.com\n?Hi,\n?The jail SSH has been stopped.\n?Regards,\n?Fail2Ban" | /usr/sbin/sendmail -f fail2ban@example.com you@example.com" PWD="/" BAN="no"
Apr 13 08:20:28 vps153619 root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/backgroundmiav68" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Apr 13 10:37:07 vps153619 root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/background6B2ykK" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"


Part of maillog:

Code:
Apr 13 11:10:27 vps153619 submission: tcpserver: end 12531 status 0
Apr 13 11:10:27 vps153619 submission: tcpserver: status: 0/100
Apr 13 11:10:28 vps153619 submission: tcpserver: status: 1/100
Apr 13 11:10:28 vps153619 submission: tcpserver: pid 12537 from 36.224.106.24
Apr 13 11:10:28 vps153619 submission: tcpserver: ok 12537 srv.myserver.net:151.80.119.207:587 :36.224.106.24::19954
Apr 13 11:10:28 vps153619 submission: 12537 > 220 myserver.net - Welcome to Qmail ESMTP?
Apr 13 11:10:28 vps153619 submission: 12537 < EHLO [169.254.44.12]?
Apr 13 11:10:28 vps153619 submission: 12537 > 250-myserver.net - Welcome to Qmail?
Apr 13 11:10:28 vps153619 submission: 12537 > 250-PIPELINING?
Apr 13 11:10:28 vps153619 submission: 12537 > 250-8BITMIME?
Apr 13 11:10:28 vps153619 submission: 12537 > 250-SIZE 20971520?
Apr 13 11:10:28 vps153619 submission: 12537 > 250 AUTH LOGIN PLAIN?
Apr 13 11:10:28 vps153619 submission: 12537 < AUTH LOGIN?
Apr 13 11:10:28 vps153619 submission: 12537 > 334 VXNlcm5hbWU6?
Apr 13 11:10:29 vps153619 submission: 12537 < ZGVib2x1a2Jhc2lAY2l0ZXhjby5jb20udHI=?
Apr 13 11:10:29 vps153619 submission: 12537 > 334 UGFzc3dvcmQ6?
Apr 13 11:10:29 vps153619 submission: 12537 < RGVjaXRleGNv?
Apr 13 11:10:29 vps153619 vpopmail[12540]: vchkpw-smtp: (PLAIN) login success clientname@clientsite.com.tr:36.224.106.24
Apr 13 11:10:29 vps153619 submission: 12537 > 235 ok, go ahead (#2.0.0)?
Apr 13 11:10:29 vps153619 submission: 12537 < MAIL FROM: <clientname@clientsite.com.tr>?
Apr 13 11:10:29 vps153619 submission: CHKUSER accepted sender: from <clientname@clientsite.com.tr:clientname@clientsite.com.tr:> remote <[169.254.44.12]:unknown:36.224.106.24> rcpt <> : sender accepted
Apr 13 11:10:29 vps153619 submission: 12537 > 250 ok?
Apr 13 11:10:30 vps153619 submission: 12537 < RCPT TO: <millin77@msn.com>?
Apr 13 11:10:30 vps153619 submission: CHKUSER relaying rcpt: from <clientname@clientsite.com.tr:clientname@clientsite.com.tr:> remote <[169.254.44.12]:unknown:36.224.106.24> rcpt <millin77@msn.com> : client allowed to relay
Apr 13 11:10:30 vps153619 submission: policy_check: local clientname@clientsite.com.tr -> remote millin77@msn.com (AUTHENTICATED SENDER)
Apr 13 11:10:30 vps153619 submission: policy_check: policy allows transmission
Apr 13 11:10:30 vps153619 submission: 12537 > 250 ok?
Apr 13 11:10:30 vps153619 submission: 12537 < RCPT TO: <nghia.tran130988@gmail.com>?
Apr 13 11:10:30 vps153619 submission: CHKUSER relaying rcpt: from <clientname@clientsite.com.tr:clientname@clientsite.com.tr:> remote <[169.254.44.12]:unknown:36.224.106.24> rcpt <nghia.tran130988@gmail.com> : client allowed to relay
Apr 13 11:10:30 vps153619 submission: policy_check: local clientname@clientsite.com.tr -> remote nghia.tran130988@gmail.com (AUTHENTICATED SENDER)
Apr 13 11:10:30 vps153619 submission: policy_check: policy allows transmission
Apr 13 11:10:30 vps153619 submission: 12537 > 250 ok?
Apr 13 11:10:31 vps153619 submission: 12537 < DATA?
Apr 13 11:10:31 vps153619 submission: 12537 > 354 go ahead?
Apr 13 11:10:31 vps153619 submission: 12537 < From: "clientname" <clientname@clientsite.com.tr>?
Apr 13 11:10:31 vps153619 submission: 12537 < Cc: millin77@msn.com,nghia.tran130988@gmail.com?
Apr 13 11:10:31 vps153619 submission: 12537 < Date: Mon, 13 Apr 2015 17:10:27 +0800?
Apr 13 11:10:31 vps153619 submission: 12537 < MIME-Version: 1.0?
Apr 13 11:10:31 vps153619 submission: 12537 < Subject: Hi honey, got a minute?I just found out my BF is cheating on me :( Gotta get back at him. +
Apr 13 11:10:31 vps153619 submission: 12537 < Come over, now!?
Apr 13 11:10:31 vps153619 submission: 12537 < Message-ID: <E17OTE5.5054282@clientsite.com.tr>?
Apr 13 11:10:31 vps153619 submission: 12537 < Priority: normal?
Apr 13 11:10:31 vps153619 submission: 12537 < X-mailer: Pegasus Mail for Windows (4.70)?
Apr 13 11:10:31 vps153619 submission: 12537 < Content-type: text/html; charset=windows-1251?
Apr 13 11:10:31 vps153619 submission: 12537 < Content-transfer-encoding: 7BIT?
Apr 13 11:10:31 vps153619 submission: 12537 < Content-description: Mail message body?
Apr 13 11:10:31 vps153619 submission: 12537 < ?
Apr 13 11:10:31 vps153619 submission: 12537 < http://olr+
Apr 13 11:10:31 vps153619 submission: 12537 < .me.uk/eid9<br>?
Apr 13 11:10:31 vps153619 submission: 12537 < States, (1901).jpg Pine,<br>?
Apr 13 11:10:31 vps153619 submission: 12537 < 17th 0?07??22??E Quy<br>?
Apr 13 11:10:31 vps153619 submission: 12537 < Jamie Malkin Harrigan, Haiti News?
Apr 13 11:10:31 vps153619 submission: 12537 < .?
Apr 13 11:10:31 vps153619 submission: 12537 < ?
Apr 13 11:10:31 vps153619 send: new msg 922844
Apr 13 11:10:31 vps153619 send: info msg 922844: bytes 825 from <clientname@clientsite.com.tr> qp 12542 uid 7791
Apr 13 11:10:31 vps153619 submission: 12537 > 250 ok 1428916231 qp 12542?
Apr 13 11:10:31 vps153619 submission: 12537 > 502 unimplemented (#5.5.1)?
Apr 13 11:10:31 vps153619 submission: 12537 < QUIT?
Apr 13 11:10:31 vps153619 submission: 12537 > 221 myserver.net - Welcome to Qmail?
Apr 13 11:10:31 vps153619 submission: 12537 > [EOF]
Apr 13 11:10:31 vps153619 submission: tcpserver: end 12537 status 0
Apr 13 11:10:31 vps153619 submission: tcpserver: status: 0/100
Apr 13 11:10:34 vps153619 send: delivery 512: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection

SMTP can't connect because the SMTP port is blocked by the VPS provider.
« Last Edit: 2015-04-13, 11:19:51 by krky »
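As an added example (not from this thread and not Kloxo-MR's own code), a small Python script that parses the two maillog line shapes quoted above: the sendmail wrapper's CALLER/PWD lines that MRatWork asked for, and vpopmail's "login success user:ip" lines, which in krky's log show the spam arriving through authenticated submission on port 587 rather than from a local script. Sample lines are constructed; the threshold values are assumptions.

```python
import re
from collections import Counter, defaultdict

# Line shape 1: Kloxo-MR's sendmail wrapper records the local caller and its cwd:
#   '... root: sendmail: CALLER="<cmd>" PWD="<dir>" BAN="no"'
WRAPPER_RE = re.compile(r'sendmail: CALLER="(?P<caller>.*?)" PWD="(?P<pwd>[^"]*)" BAN=')
# Line shape 2: vpopmail records every successful SMTP AUTH on the submission service:
#   '... vpopmail[pid]: vchkpw-smtp: (PLAIN) login success <user>:<ip>'
AUTH_RE = re.compile(r'vchkpw-smtp: \(\w+\) login success (?P<user>\S+?):(?P<ip>[\d.]+)')


def summarize_maillog(lines):
    """Split mail activity into its two paths: local sendmail callers (counted
    by working directory) and remote authenticated logins (per account: the
    number of logins and the set of source IPs)."""
    local = Counter()
    auth = defaultdict(lambda: {"logins": 0, "ips": set()})
    for line in lines:
        m = WRAPPER_RE.search(line)
        if m:
            local[m.group("pwd")] += 1
            continue
        m = AUTH_RE.search(line)
        if m:
            rec = auth[m.group("user")]
            rec["logins"] += 1
            rec["ips"].add(m.group("ip"))
    return local, auth


def flag_abused_accounts(auth, max_ips=3, max_logins=20):
    """An account authenticating from many distinct IPs, or far more often than
    a mail client would, is the signature of a stolen password used to relay.
    The thresholds are assumed values; tune them to the server's normal traffic."""
    return sorted(u for u, r in auth.items()
                  if len(r["ips"]) > max_ips or r["logins"] > max_logins)


# Constructed sample lines in the formats quoted in the thread (not the poster's real log).
SAMPLE = [
    'Apr 13 08:20:28 vps root: sendmail: CALLER="/opt/php52s/bin/php ../bin/common/background.php /tmp/bgX" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"',
    'Apr 13 08:21:00 vps root: sendmail: CALLER="/usr/sbin/anacron -s" PWD="/var/spool/anacron" BAN="no"',
] + [
    f'Apr 13 11:{i:02d}:29 vps vpopmail[1{i:02d}]: vchkpw-smtp: (PLAIN) login success clientname@clientsite.com.tr:198.51.100.{i}'
    for i in range(1, 6)
] + [
    'Apr 13 11:30:00 vps vpopmail[2000]: vchkpw-smtp: (PLAIN) login success other@clientsite.com.tr:192.0.2.10',
]

if __name__ == "__main__":
    local, auth = summarize_maillog(SAMPLE)
    print("local callers by PWD:", dict(local))
    print("accounts to lock and reset:", flag_abused_accounts(auth))
```

Run it against the real file with `summarize_maillog(open("/var/log/maillog"))`; the flagged accounts are the ones whose passwords need resetting and whose queued messages need purging.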
