Bugged by spam, cannot find source in user files

ericovk

Verified User
Joined
Apr 17, 2012
Messages
228
Location
Rotterdam, Netherlands
For a couple of hours I have been bugged by spam that is being sent with a domain name from one of the DA accounts. The e-mail addresses of the sender are all non-existent. Even if I suspend the account, or even if I suspend all accounts on the server, the spam is still being sent.
I can't seem to stop it and the log files don't make sense to me. I have looked for the source, but I cannot find it.

I updated exim.conf and exim.pl (#VERSION=16) a couple of weeks ago. exim.pl has 775 permissions.

I have set the log selector to these variables:

log_selector = \
+delivery_size \
+sender_on_delivery \
+received_recipients \
+received_sender \
+smtp_confirmation \
+subject \
+smtp_incomplete_transaction \
+arguments \
+connection_reject \
+address_rewrite \
+all_parents \
-dnslist_defer \
-host_lookup_failed \
-queue_run \
-rejected_header \
-retry_defer \
-skip_delivery

An example mail from the mailqueue:

Code:
This message was created automatically by mail delivery software.


A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:


 [email protected]
   Unrouteable address
 [email protected]
   Unrouteable address
 [email protected]
   Unrouteable address
 [email protected]
   Unrouteable address
 [email protected]
   Unrouteable address
 [email protected]
   Unrouteable address
 [email protected]
   Unrouteable address
 [email protected]
   Unrouteable address
 [email protected]
   Unrouteable address
 [email protected]
   Unrouteable address


------ This is a copy of the message, including all the headers. ------


Return-path: <puvdxscu@<user domain name>>
Received: from rdns-06.meudns06.biz ([177.11.49.185] helo=WIN-S0SNCDLEFIV)
    by <server domain name> with esmtp (Exim 4.76)
    (envelope-from <puvdxscu@<user domain name>>)
    id 1XrTyj-0004iw-E2; Thu, 20 Nov 2014 16:49:06 +0100
From: "Gabriela" <puvdxscu@<user domain name>>
Subject: Re: Tentou tudo e nada? =?ISO-8859-1?Q?Conhe=E7a?= o Produto Que
Acaba com a Queda de Cabelo
To: [email protected]
Content-Type: text/html
Date: Thu, 20 Nov 2014 13:48:55 -0200


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><meta content="text/html; charset=ISO-8859-1" http-equiv="content-type"><title>FimdaQuedadeCabelo</title></head><BODY>
<P>Olá!</P>
<P>Você sofre com problemas capilares como queda de cabelo,caspas,crescimento 
lento, cabelos danificados ou outros problemas?</P>
<P>O Globo Repórter mostra o que nossos produtos podem fazer por você...</P>
<P>Conheça nosso Shampoo e Loção Antiqueda/Anticaspa!</P>
<P>Acesse nosso site agora e veja a reportagem.</P>
<P>Trabalhamos com o PagSeguro, oferecendo total seguranca para sua compra.</P>
<P>Temos entrega (postagem) imediata.</P>
<P>Últimos dias da PROMOÇÃO RELÂMPAGO - encomende logo seu kit!</P>
<P>Acesse nosso site aqui:</P>
<P><A href="http://www.fimquedadecabelo.net"><FONT 
size=5>http://www.fimquedadecabelo.net</FONT></A></P>
<P> </P>
<P> </P>
<P>Bjs,</P>
<P>Gabriela</P>
<P> </P>
<P>Respeitamos sua privacidade.<BR>Caso não queira mais receber nossos 
informativos, envie email para:<BR><A href="mailto:[email protected]">[email protected]</A> 
e no ASSUNTO coloque "REMOVER".<BR></P>


</BODY></html>



But this doesn't give me any good logs in /var/log/exim/mainlog

A small mainlog tail:
Code:
2014-11-20 17:01:30 1XrUAk-0005Ta-4M ** [email protected] F=<jjcego@<user domain name>>: Unrouteable address
2014-11-20 17:01:30 1XrUAk-0005Ta-4M failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:30 1XrUAk-0005Ta-4M ** [email protected] F=<jjcego@<user domain name>>: Unrouteable address
2014-11-20 17:01:30 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1XrUAk-0005Ta-4M
2014-11-20 17:01:30 1XrUAk-0005Ty-Mc <= <> R=1XrUAk-0005Ta-4M U=mail P=local S=3211 T="Mail delivery failed: returning message to sender" from <> for jjcego@<user domain name>
2014-11-20 17:01:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XrUAk-0005Ty-Mc
2014-11-20 17:01:30 1XrUAk-0005Ta-4M Completed
2014-11-20 17:01:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XrUAk-0005Tv-HR
2014-11-20 17:01:30 1XrUAk-0005Tv-HR User 0 set for local_delivery transport is on the never_users list
2014-11-20 17:01:30 1XrUAk-0005Tv-HR == root@<server domain> R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
2014-11-20 17:01:30 1XrUAk-0005Tv-HR ** root@<server domain>: retry timeout exceeded
2014-11-20 17:01:30 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1XrUAk-0005Tv-HR
2014-11-20 17:01:30 1XrUAk-0005Ty-Mc => overige <jjcego@<user domain name>> F=<> R=virtual_user T=virtual_localdelivery S=3306
2014-11-20 17:01:30 1XrUAk-0005Ty-Mc Completed
2014-11-20 17:01:31 1XrUAk-0005U3-WB <= <> R=1XrUAk-0005Tv-HR U=mail P=local S=1392 T="Mail delivery failed: returning message to sender" from <> for root@<server domain>
2014-11-20 17:01:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XrUAk-0005U3-WB
2014-11-20 17:01:31 1XrUAk-0005U3-WB User 0 set for local_delivery transport is on the never_users list
2014-11-20 17:01:31 1XrUAk-0005U3-WB == root@<server domain> R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
2014-11-20 17:01:31 1XrUAk-0005U3-WB ** root@<server domain>: retry timeout exceeded
2014-11-20 17:01:31 1XrUAk-0005U3-WB root@<server domain>: error ignored
2014-11-20 17:01:31 1XrUAk-0005Tv-HR Completed
2014-11-20 17:01:31 1XrUAk-0005U3-WB Completed
2014-11-20 17:01:32 1XrUAm-0005Tp-0l <= slh1e3c@<user domain name> H=rdns-06.meudns06.biz (WIN-S0SNCDLEFIV) [177.11.49.185] P=esmtp S=1690 T="Re: Aumente seu Pênis em até\n 10cm Naturalmente! Método Comprovado." from <slh1e3c@<user domain name>> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2014-11-20 17:01:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XrUAm-0005Tp-0l
2014-11-20 17:01:32 1XrUAm-0005Tp-0l failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:32 1XrUAm-0005Tp-0l ** [email protected] F=<slh1e3c@<user domain name>>: Unrouteable address
2014-11-20 17:01:32 1XrUAm-0005Tp-0l failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:32 1XrUAm-0005Tp-0l ** [email protected] F=<slh1e3c@<user domain name>>: Unrouteable address
2014-11-20 17:01:32 1XrUAm-0005Tp-0l failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:32 1XrUAm-0005Tp-0l ** [email protected] F=<slh1e3c@<user domain name>>: Unrouteable address
2014-11-20 17:01:32 1XrUAm-0005Tp-0l failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:32 1XrUAm-0005Tp-0l ** [email protected] F=<slh1e3c@<user domain name>>: Unrouteable address
2014-11-20 17:01:32 1XrUAm-0005Tp-0l failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:32 1XrUAm-0005Tp-0l ** [email protected] F=<slh1e3c@<user domain name>>: Unrouteable address
2014-11-20 17:01:32 1XrUAm-0005Tp-0l failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:32 1XrUAm-0005Tp-0l ** [email protected] F=<slh1e3c@<user domain name>>: Unrouteable address
2014-11-20 17:01:32 1XrUAm-0005Tp-0l failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:32 1XrUAm-0005Tp-0l ** [email protected] F=<slh1e3c@<user domain name>>: Unrouteable address
2014-11-20 17:01:32 1XrUAm-0005Tp-0l failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:32 1XrUAm-0005Tp-0l ** [email protected] F=<slh1e3c@<user domain name>>: Unrouteable address
2014-11-20 17:01:32 1XrUAm-0005Tp-0l failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:32 1XrUAm-0005Tp-0l ** [email protected] F=<slh1e3c@<user domain name>>: Unrouteable address
2014-11-20 17:01:32 1XrUAm-0005Tp-0l failed to expand condition "${perl{check_limits}}" for lookuphost router: You (<DA account name>) have reached your daily email limit of 200 emails


2014-11-20 17:01:32 1XrUAm-0005Tp-0l ** [email protected] F=<slh1e3c@<user domain name>>: Unrouteable address
2014-11-20 17:01:32 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1XrUAm-0005Tp-0l
2014-11-20 17:01:32 1XrUAm-0005U6-Je <= <> R=1XrUAm-0005Tp-0l U=mail P=local S=3202 T="Mail delivery failed: returning message to sender" from <> for slh1e3c@<user domain name>
2014-11-20 17:01:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XrUAm-0005U6-Je
2014-11-20 17:01:32 1XrUAm-0005Tp-0l Completed
2014-11-20 17:01:32 1XrUAm-0005U6-Je => overige <slh1e3c@<user domain name>> F=<> R=virtual_user T=virtual_localdelivery S=3298
2014-11-20 17:01:32 1XrUAm-0005U6-Je Completed

Mails are being frozen in the mailqueue, because I have set the mail limit at 200 mails.

Did I miss an important setting in exim.conf? I don't know how to continue searching for the spam script. It has to be somewhere :mad:

Edit: I found an IP address that could possibly be the spammer:

2014:11:20-10:27:01: Warning: 200 emails have just been sent by <DA user>. Sender fzp9qew@<domain name> sent 10. authenticated_id=<normal emailaddress> sent 1. host=177.11.49.185 (spammer) sent 199. 201 emails came from /

I am a little worried about "201 emails came from /" What could this be?
 
Okay, first this:
2014:11:20-10:27:01: Warning: 200 emails have just been sent by <DA user>. Sender fzp9qew@<domain name> sent 10. authenticated_id=<normal emailaddress> sent 1.
Seems to me that it's authenticated mail because of the "authenticated_id=" statement. Change this user's passwords for his email accounts, but don't give him the new passwords until he has cleaned up his PC from malware (ADWCleaner + Malwarebytes, or have him contact a security forum like bleepingcomputer.com to help him).

Next there is this line:
I am a little worried about "201 emails came from /" What could this be?
Those are the local delivery defer mails which are sent by root, but can't be sent because root is on the never_users list. As you can see in your log:
2014-11-20 17:01:31 1XrUAk-0005U3-WB User 0 set for local_delivery transport is on the never_users list
2014-11-20 17:01:31 1XrUAk-0005U3-WB == root@<server domain> R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
I do want to know about these mails, so I changed my /etc/aliases and set root to an existing email account. So I don't think you have to worry about that one.
 
It seems possible to connect to the server through telnet without authentication. How can this be possible? I updated exim.conf and exim.pl. Did I configure something the wrong way in the firewall or exim.conf?
Code:
telnet mail.serverdomain.com 25
 
Because port 25 is the port used for server-to-server communication, and auth can't be forced on that port.

You may need to make users connect to port 587 so that they are required to authenticate.

Regards
 
Sorry, I mean I can send email through telnet. Other servers give a "550 authentication required" message. I guess I have configured something the wrong way?
 
If you have popb4smtp then you wouldn't be prompted for a password if you have already checked for email using pop3.
 
Who is the recipient of the e-mail? You should be able to telnet in and send an e-mail to one of your users, that's normal.
 
Both toml and Protected are correct. You don't need to authenticate if your IP# is temporarily authenticated by popb4smtp, or if you're sending email to someone on your server. You only need authentication if you're trying to relay to some other server through smtp.

Jeff
 
The spammer is using different email addresses to send email from, like: [email protected] [email protected] etc. The catchall mailbox is being used by this user, so I can't just disable it.
Deleting Catchall shouldn't have anything to do with spam; it's the same as a forward; it's not a login, so there's no password for it. Removing it won't stop people from spamming.

You need to find out how they're getting authentication on your server. You can do that by checking your logs.

But first:

Twice in your last post you wrote senders @domain.com. Are all the spam emails coming from the same domain? Or are you using domain.com to represent multiple domains?

If they're all sending from the same domain then you should check that domain name in /etc/virtual/whitelist_domains and you must remove it if it's there. Any sender at any domain listed in /etc/virtual/whitelist_domains can relay email through your server. Ideally I'd remove the capability to whitelist domains. I haven't because it's sometimes necessary for emergency whitelisting while you figure out a better solution.

But it's recommended you don't allow it.

Another alternative is to use an SMTP relay and let them manage your outgoing spam but you may consider that as too expensive. One which comes to mind: mailchannels.com.

Jeff
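One way to do the log check Jeff describes, as an added example that is not part of the thread or of DirectAdmin's own tooling: it parses Exim mainlog "<=" (message received) lines and attributes each message to its entry point, an authenticated login (A=...), a remote host IP (H=... [ip]) or a local submitter (U=...), the same breakdown the DA limit warning in the first post gives per sender and host. The sample log lines, hosts and IPs below are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in Exim 4 mainlog format (not lines from the original post); hosts and IPs are placeholders.
SAMPLE_MAINLOG = """\
2014-11-20 17:01:32 1XrUAm-0005Tp-0l <= slh1e3c@example.net H=rdns-06.example.biz (WIN-HOST) [198.51.100.9] P=esmtp S=1690 T="Re: promo" from <slh1e3c@example.net> for a@x.org b@x.org c@x.org
2014-11-20 17:02:10 1XrUBM-0005Ua-1q <= fzp9qew@example.net H=rdns-06.example.biz (WIN-HOST) [198.51.100.9] P=esmtp S=1702 T="Re: promo" from <fzp9qew@example.net> for d@x.org
2014-11-20 17:03:44 1XrUCt-0005Ub-2b <= info@example.net H=(client) [203.0.113.7] P=esmtpa A=login:info@example.net S=2410 T="Invoice" from <info@example.net> for e@y.org
2014-11-20 17:04:01 1XrUDa-0005Uc-3c <= www-data@srv.example U=www-data P=local S=980 T="Contact form" from <www-data@srv.example> for f@z.org
"""
# A "<=" line carries the envelope sender, then either a remote host (H=name (helo) [ip]) or a local
# submitter (U=user), the protocol, an optional authenticator id (A=...) and the size; recipients follow " for ".
RECEIVED_RE = re.compile(
    r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)"
    r"(?: H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\])?"
    r"(?: U=(?P<user>\S+))? P=(?P<proto>\S+)(?: A=(?P<auth>\S+))? S=(?P<size>\d+)"
)

def parse_received(line):
    """Return a dict for a '<=' line, or None for any other log line."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["recipients"] = line.rsplit(" for ", 1)[1].split() if " for " in line else []
    return rec

def source_of(rec):
    """Classify where a message entered: authenticated login, remote host, or local user."""
    if rec["auth"]:
        return "auth:" + rec["auth"]
    if rec["ip"]:
        return "host:" + rec["ip"]
    return "local:" + (rec["user"] or "?")

def summarize(log_text):
    """Per entry point: (messages, recipients, distinct envelope senders); many random senders from one host is the thread's pattern."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for line in log_text.splitlines():
        rec = parse_received(line)
        if rec is None:
            continue
        s = stats[source_of(rec)]
        s["messages"] += 1
        s["recipients"] += len(rec["recipients"])
        s["senders"].add(rec["sender"])
    return {k: (v["messages"], v["recipients"], len(v["senders"])) for k, v in stats.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_MAINLOG))
```

Run it against /var/log/exim/mainlog instead of the sample; an entry point with a high recipient count and many distinct envelope senders is the one to suspend or re-password first.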
 
I'm glad it's resolved. Since you didn't specifically answer my questions I can't help figure it out, either.

Jeff
 
Deleting Catchall shouldn't have anything to do with spam; it's the same as a forward; it's not a login, so there's no password for it. Removing it won't stop people from spamming.
I have already deleted the catchall reference. Now I know I don't need to do so in the future.

You need to find out how they're getting authentication on your server. You can do that by checking your logs.
I checked my logs, but I can't seem to figure this out. As you can see in my mainlog (my first post), I can't see how the authentication is being done. I also checked exim log, but that's no different story. Would you recommend to check another log?

But first:

Twice in your last post you wrote senders @domain.com. Are all the spam emails coming from the same domain? Or are you using domain.com to represent multiple domains?

If they're all sending from the same domain then you should check that domain name in /etc/virtual/whitelist_domains and you must remove it if it's there. Any sender at any domain listed in /etc/virtual/whitelist_domains can relay email through your server. Ideally I'd remove the capability to whitelist domains. I haven't because it's sometimes necessary for emergency whitelisting while you figure out a better solution.

But it's recommended you don't allow it.
Thanks, I removed the domain from the whitelist_domains. Hope this helps. The spammer is sending in batches for like once in a week. So I have to check it out in the next couple of days.

Another alternative is to use an SMTP relay and let them manage your outgoing spam but you may consider that as too expensive. One which comes to mind: mailchannels.com.

Jeff
Thanks for letting me know this could be an option. I hope I can manage this with the default email solution. It is indeed a lot more expensive. Google Apps are also a good solution, but also very expensive.
 
I thought I had mentioned earlier the importance of not whitelisting addresses or domain names found on the server. That should resolve it.

Note that while using catchall shouldn't increase outgoing spam it will definitely increase incoming spam. I don't use them, and I don't think using them is a good idea.

Jeff
 