Inactive account (suspended) still sending lots of spam mails?

klasje

The user billing was inactive, but still a lot of mails have been sent via this user.
How is this possible?

I received the following warning from DirectAdmin: "Warning: 500 emails have just been sent by billing"
The billing account has just finished sending 500 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/billing.bytes file, it was found that the highest sender was [email protected], at 526 emails.

The top authenticated user was billing, at 526 emails.
This accounts for 105% of the emails. The higher the value, the more likely this is the source of the emails.
An authenticated username is the user and password value used at smtp time to authenticate with exim for delivery.

The top sending host was xx.xx.xx.xx, at 526 emails (105%).

The most common path that the messages were sent from is /, at 526 emails (105%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.
 
It's possible this kind of notice gets sent after the sending is already stopped / blocked. You can check /var/log/exim/mainlog and see at what time the last e-mail was actually sent from the account/mail address.
 
The mail queue thinks it's the billing user as well, but this user has been suspended for over a year now...
 
And you mean the entire user called billing is suspended, not just an email account.
 
Seeing that the e-mail address mentioned is [email protected], maybe there is something else going on. Maybe it's incoming mails being auto-replied to or something. In these cases you really find out more about what's going on by looking into the exim log or queue and looking at the e-mails that are being flagged here. See who is the sender, what is the message, who is the recipient etc. This mail by DA is mainly a flag being raised so you can investigate further.
 
I faced the same kind of issue. But, it was from my side. I didn't generate any emails and have no idea what could cause it?
 
Mail queue:

Mail headers:
1jvd7T-0004dZ-C6-H
mail 8 12
<>
1594803027 0
-received_time_usec .375456
-active_hostname server.domain.com
-ident mail
-received_protocol local
-aclm _uid 2
-1
-aclm _username 7
unknown
-body_linecount 159
-max_received_linelength 149
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1594803037
-localerror
XX
1
[email protected]

143P Received: from mail by server.domain.com with local (Exim 4.93.0.4)
id 1jvd7T-0004dZ-C6
for [email protected]; Wed, 15 Jul 2020 10:50:27 +0200
167 X-Failed-Recipients: [email protected],
[email protected],
[email protected],
[email protected],
[email protected],
[email protected]
029 Auto-Submitted: auto-replied
062F From: Mail Delivery System <[email protected]>
019T To: [email protected]
071 References: <[email protected]>
100 Content-Type: multipart/report; report-type=delivery-status; boundary=1594803027-eximdsn-1151830610
018 MIME-Version: 1.0
059 Subject: Mail delivery failed: returning message to sender
051I Message-Id: <[email protected]>
038 Date: Wed, 15 Jul 2020 10:50:27 +0200


Email body chunk


1jvd7T-0004dZ-C6-D
--1594803027-eximdsn-1151830610
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
host hotmail-com.olc.protection.outlook.com [104.47.66.33]
SMTP error from remote mail server after RCPT TO:<[email protected]>:
550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]
[email protected]
host hotmail-com.olc.protection.outlook.com [104.47.66.33]
SMTP error from remote mail server after RCPT TO:<[email protected]>:
550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]
[email protected]
host hotmail-com.olc.protection.outlook.com [104.47.66.33]
SMTP error from remote mail server after RCPT TO:<[email protected]>:
550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]
[email protected]
host hotmail-com.olc.protection.outlook.com [104.47.66.33]
SMTP error from remote mail server after RCPT TO:<[email protected]>:
550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]
[email protected]
host hotmail-com.olc.protection.outlook.com [104.47.66.33]
SMTP error from remote mail server after RCPT TO:<[email protected]>:
550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]
[email protected]
host hotmail-com.olc.protection.outlook.com [104.47.66.33]
SMTP error from remote mail server after RCPT TO:<[email protected]>:
550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302).

--1594803027-eximdsn-1151830610
Content-type: message/delivery-status

Reporting-MTA: dns; server.domain.com

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; hotmail-com.olc.protection.outlook.com
Diagnostic-Code: smtp; 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302).

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; hotmail-com.olc.protection.outlook.com
Diagnostic-Code: smtp; 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; hotmail-com.olc.protection.outlook.com
Diagnostic-Code: smtp; 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; hotmail-com.olc.protection.outlook.com
Diagnostic-Code: smtp; 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; hotmail-com.olc.protection.outlook.com
Diagnostic-Code: smtp; 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0
Remote-MTA: dns; hotmail-com.olc.protection.outlook.com
Diagnostic-Code: smtp; 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]

--1594803027-eximdsn-1151830610
Content-type: message/rfc822

Return-path: <[email protected]>
Received: from [89.36.217.82] (helo=node-fpx.pool-1-4.dynamic.totinternet.net)
by server.domain.com with esmtpa (Exim 4.93.0.4)
(envelope-from <[email protected]>)
id 1jvd7F-0004aV-AV; Wed, 15 Jul 2020 10:50:13 +0200
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: Re; How are you ?
To: Recipients <[email protected]>
From: "Julie Leach" <[email protected]>
Date: Wed, 15 Jul 2020 10:50:12 +0200
Reply-To: [email protected]
Message-ID: <[email protected]>
X-ACL-Warn: Adding Message-ID header because it is missing!

I am Julie Leach from Michigan, A 50-year


Logs

2020-07-15 10:50:27 Received from <> R=1jvd7F-0004aV-AV U=mail P=local S=8538 T="Mail delivery failed: returning message to sender"
2020-07-15 10:50:37 H=live-com.olc.protection.outlook.com [104.47.12.33] SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302).
2020-07-15 10:50:37 [email protected] F=<> R=lookuphost T=remote_smtp H=live-com.olc.protection.outlook.com [104.47.12.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302).
*** Frozen (delivery error message)


No clue where it would be auto-replying from or to.
 
It's not easy to read through all of this. But what I would find most interesting is the logs you pasted at the very end; that's how they are in /var/log/exim/mainlog. The 2 entries you pasted though are a reply from your server to [email protected]. And then the mailserver of outlook.com is replying to you that [email protected] is unavailable.

Try to look for IP 89.36.217.82 in /var/log/exim/mainlog e.g.

grep "89.36.217.82" /var/log/exim/mainlog
 
After reading all of that, I "think" the answer might be found in this:

Code:
grep "1jvd7F-0004aV-AV" /var/log/exim/mainlog
 
Hereby the output of your command:

[root@server ~]# grep "1jvd7F-0004aV-AV" /var/log/exim/mainlog
2020-07-15 10:50:13 1jvd7F-0004aV-AV <= [email protected] H=(node-fpx.pool-1-4.dynamic.totinternet.net) [89.36.217.82] P=esmtpa A=login:billing S=3898 T="Re; How are you ?" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2020-07-15 10:50:13 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jvd7F-0004aV-AV
2020-07-15 10:50:24 1jvd7F-0004aV-AV H=hotmail-com.olc.protection.outlook.com [104.47.59.161]: SMTP error from remote mail server after RCPT TO:<[email protected]>: 452 4.5.3 Recipients belong to multiple regions ATTR38 [DM6NAM12FT007.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:24 1jvd7F-0004aV-AV H=hotmail-com.olc.protection.outlook.com [104.47.59.161]: SMTP error from remote mail server after RCPT TO:<[email protected]>: 452 4.5.3 Recipients belong to multiple regions ATTR38 [DM6NAM12FT007.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:24 1jvd7F-0004aV-AV H=hotmail-com.olc.protection.outlook.com [104.47.59.161]: SMTP error from remote mail server after RCPT TO:<[email protected]>: 452 4.5.3 Recipients belong to multiple regions ATTR38 [DM6NAM12FT007.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:24 1jvd7F-0004aV-AV H=hotmail-com.olc.protection.outlook.com [104.47.59.161]: SMTP error from remote mail server after RCPT TO:<[email protected]>: 452 4.5.3 Recipients belong to multiple regions ATTR38 [DM6NAM12FT007.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:24 1jvd7F-0004aV-AV H=hotmail-com.olc.protection.outlook.com [104.47.59.161]: SMTP error from remote mail server after RCPT TO:<[email protected]>: 452 4.5.3 Recipients belong to multiple regions ATTR38 [DM6NAM12FT007.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:24 1jvd7F-0004aV-AV H=hotmail-com.olc.protection.outlook.com [104.47.59.161]: SMTP error from remote mail server after RCPT TO:<[email protected]>: 452 4.5.3 Recipients belong to multiple regions ATTR38 [DM6NAM12FT007.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:24 1jvd7F-0004aV-AV H=hotmail-com.olc.protection.outlook.com [104.47.59.161]: SMTP error from remote mail server after RCPT TO:<[email protected]>: 452 4.5.3 Recipients belong to multiple regions ATTR38 [DM6NAM12FT007.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:25 1jvd7F-0004aV-AV => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.41.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=86470576593550, Hostname=DM3NAM03HT189.eop-NAM03.prod.protection.outlook.com] 11085 bytes in 0.042, 256.489 KB/sec Queued mail for delivery"
2020-07-15 10:50:25 1jvd7F-0004aV-AV == [email protected] R=lookuphost T=remote_smtp defer (-44) H=hotmail-com.olc.protection.outlook.com [104.47.41.33]: SMTP error from remote mail server after RCPT TO:<[email protected]>: 452 4.5.3 Recipients belong to multiple regions ATTR38 [DM3NAM03FT023.eop-NAM03.prod.protection.outlook.com]
2020-07-15 10:50:25 1jvd7F-0004aV-AV -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.41.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=86470576593550, Hostname=DM3NAM03HT189.eop-NAM03.prod.protection.outlook.com] 11085 bytes in 0.042, 256.489 KB/sec Queued mail for delivery"
2020-07-15 10:50:25 1jvd7F-0004aV-AV -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.41.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=86470576593550, Hostname=DM3NAM03HT189.eop-NAM03.prod.protection.outlook.com] 11085 bytes in 0.042, 256.489 KB/sec Queued mail for delivery"
2020-07-15 10:50:27 1jvd7F-0004aV-AV => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.59.161] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=34213709516242, Hostname=DM6NAM12HT038.eop-nam12.prod.protection.outlook.com] 11623 bytes in 0.045, 251.025 KB/sec Queued mail for delivery"
2020-07-15 10:50:27 1jvd7F-0004aV-AV ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=hotmail-com.olc.protection.outlook.com [104.47.66.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302).
2020-07-15 10:50:27 1jvd7F-0004aV-AV ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=hotmail-com.olc.protection.outlook.com [104.47.66.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:27 1jvd7F-0004aV-AV -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.59.161] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=34213709516242, Hostname=DM6NAM12HT038.eop-nam12.prod.protection.outlook.com] 11623 bytes in 0.045, 251.025 KB/sec Queued mail for delivery"
2020-07-15 10:50:27 1jvd7F-0004aV-AV ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=hotmail-com.olc.protection.outlook.com [104.47.66.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:27 1jvd7F-0004aV-AV -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.59.161] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=34213709516242, Hostname=DM6NAM12HT038.eop-nam12.prod.protection.outlook.com] 11623 bytes in 0.045, 251.025 KB/sec Queued mail for delivery"
2020-07-15 10:50:27 1jvd7F-0004aV-AV -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.59.161] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=34213709516242, Hostname=DM6NAM12HT038.eop-nam12.prod.protection.outlook.com] 11623 bytes in 0.045, 251.025 KB/sec Queued mail for delivery"
2020-07-15 10:50:27 1jvd7F-0004aV-AV => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.66.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=34252364220537, Hostname=MW2NAM12HT066.eop-nam12.prod.protection.outlook.com] 10603 bytes in 0.159, 64.898 KB/sec Queued mail for delivery"
2020-07-15 10:50:27 1jvd7F-0004aV-AV ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=hotmail-com.olc.protection.outlook.com [104.47.66.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:27 1jvd7F-0004aV-AV ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=hotmail-com.olc.protection.outlook.com [104.47.66.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:27 1jvd7F-0004aV-AV -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.59.161] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=34213709516242, Hostname=DM6NAM12HT038.eop-nam12.prod.protection.outlook.com] 11623 bytes in 0.045, 251.025 KB/sec Queued mail for delivery"
2020-07-15 10:50:27 1jvd7F-0004aV-AV -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.59.161] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=34213709516242, Hostname=DM6NAM12HT038.eop-nam12.prod.protection.outlook.com] 11623 bytes in 0.045, 251.025 KB/sec Queued mail for delivery"
2020-07-15 10:50:27 1jvd7F-0004aV-AV -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.59.161] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=34213709516242, Hostname=DM6NAM12HT038.eop-nam12.prod.protection.outlook.com] 11623 bytes in 0.045, 251.025 KB/sec Queued mail for delivery"
2020-07-15 10:50:27 1jvd7F-0004aV-AV ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=hotmail-com.olc.protection.outlook.com [104.47.66.33] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [MW2NAM12FT006.eop-nam12.prod.protection.outlook.com]
2020-07-15 10:50:27 1jvd7F-0004aV-AV -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=4009 H=hotmail-com.olc.protection.outlook.com [104.47.59.161] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=34213709516242, Hostname=DM6NAM12HT038.eop-nam12.prod.protection.outlook.com] 11623 bytes in 0.045, 251.025 KB/sec Queued mail for delivery"
2020-07-15 10:50:27 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1jvd7F-0004aV-AV
2020-07-15 10:50:27 1jvd7T-0004dZ-C6 <= <> R=1jvd7F-0004aV-AV U=mail P=local S=8538 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2020-07-15 11:10:59 1jvd7F-0004aV-AV failed to expand condition "${perl{check_limits}}" for lookuphost router: You (billing) have reached your daily email limit of 500 emails
2020-07-15 11:10:59 1jvd7F-0004aV-AV ** [email protected] F=<[email protected]>: Unrouteable address
2020-07-15 11:10:59 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1jvd7F-0004aV-AV
2020-07-15 11:11:00 1jvdRL-00068e-Vm <= <> R=1jvd7F-0004aV-AV U=mail P=local S=5176 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2020-07-15 11:11:00 1jvd7F-0004aV-AV Completed
 
A=login:billing

Well that at least confirms how they're logging in. Not as any mail account, but as the DirectAdmin user account "billing" in this case. In the short term, change the password to the "billing" account like this:

Code:
passwd billing

Then clear your exim queue like this:

Code:
for i in $(exim -bp | awk '{print $3}'); do exim -Mrm $i; done

If the account "billing" has been suspended this whole time, then you have a solid bug report to submit to the DA devs. A suspended account, at least in your case, seems to fail to exclude it from authentication over SMTP ports.
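
Added example, not part of the original posts and not DirectAdmin code: the one-message grep above, generalized to tally every authenticated arrival (`<=` line carrying `A=`) in an Exim mainlog per login id and client IP, then list only the ids you pass in as suspended. The function names and the sample log lines are constructed for illustration; the suspended user list is assumed to be supplied by you.

```shell
#!/bin/sh
# Constructed sample of /var/log/exim/mainlog lines (documentation addresses).
sample_log() {
cat <<'EOF'
2020-07-15 10:50:13 1aaaaa-000001-AA <= spoof@example.net H=(dyn.example.org) [192.0.2.10] P=esmtpa A=login:billing S=3898 T="Re; How are you ?" from <spoof@example.net> for a@example.com b@example.com c@example.com
2020-07-15 10:50:40 1aaaaa-000002-AA <= spoof@example.net H=(dyn.example.org) [192.0.2.10] P=esmtpa A=login:billing S=3901 T="offer for you A=login:admin" from <spoof@example.net> for d@example.com e@example.com
2020-07-15 10:51:02 1aaaaa-000003-AA <= info@example.com H=(laptop) [198.51.100.7] P=esmtpsa A=plain:info@example.com S=1200 T="Invoice" from <info@example.com> for f@example.com
2020-07-15 10:50:27 1aaaaa-000004-AA <= <> R=1aaaaa-000001-AA U=mail P=local S=8538 T="Mail delivery failed: returning message to sender" from <> for spoof@example.net
2020-07-15 10:50:25 1aaaaa-000001-AA => a@example.com F=<spoof@example.net> R=lookuphost T=remote_smtp S=4009 H=mx.example.com [203.0.113.5] C="250 ok"
EOF
}

# auth_arrivals: mainlog on stdin -> "<msgs> <rcpts> <auth_id> <client_ip>",
# one row per (authenticated id, client IP), most recipients first.
# An auth_id without "@" is a DirectAdmin user account, not a mailbox.
auth_arrivals() {
    awk '
    $4 == "<=" {
        # The subject is sender-controlled: drop T="..." (tolerating
        # backslash-escaped quotes) so a "for" or "A=login:x" inside it
        # cannot be mistaken for a real log field.
        gsub(/ T="([^"\\]|\\.)*"/, "")
        auth = ""; ip = ""; rcpts = 0; in_for = 0
        for (i = 5; i <= NF; i++) {
            if (in_for) { rcpts++; continue }   # everything after "for" is a recipient
            if ($i ~ /^A=[^:]+:/) { auth = $i; sub(/^A=[^:]+:/, "", auth) }
            else if (ip == "" && $i ~ /^(H=)?\[[0-9a-fA-F.:]+\]/) {
                ip = $i; sub(/^(H=)?\[/, "", ip); sub(/\].*$/, "", ip)
            }
            else if ($i == "for") in_for = 1
        }
        if (auth == "") next      # bounces and local submissions carry no A=
        if (ip == "") ip = "-"
        key = auth " " ip
        msgs[key]++; total[key] += rcpts
    }
    END { for (k in msgs) print msgs[k], total[k], k }
    ' | sort -k2,2nr -k3,3
}

# suspended_logins USER...: same rows, restricted to the given login ids.
# Any output means a supposedly suspended account still passed SMTP AUTH.
suspended_logins() {
    users=" $* "
    auth_arrivals | while read -r msgs rcpts id ip; do
        case "$users" in
            *" $id "*) echo "$msgs $rcpts $id $ip" ;;
        esac
    done
}

# Stand-alone run on the constructed sample; on a server, feed the real log:
#   suspended_logins billing < /var/log/exim/mainlog
sample_log | suspended_logins billing
```
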

 
Well that at least confirms how they're logging in. Not as any mail account, but as the DirectAdmin user account "billing" in this case.

Which is why I asked in the beginning "And you mean the entire user called billing is suspended, not just an email account."

That was never answered. There is a reason why that question was asked.
 
The mail queue thinks it's the billing user as well, but this user has been suspended for over a year now...
I wonder why a suspended user account is even on the Server a year later? Shouldn't it have been terminated and deleted by now?
 
The entire hosting account was suspended. As far as I know you cannot suspend a mailbox.

So this is indeed a bug in DirectAdmin.

As you might have noticed from the name, the user is called billing, so this was my invoicing system ;-)
I do not delete it as I need to save old invoices for a few years before I can delete it.
 
When you suspend an account the mail is also suspended.

The virtual email for the domain should now be /etc/virtual/example.com_off
 
Well then there is a bug, as a spammer was still able to send spam mails.
This means he must have brute-forced the billing user's password, right?
 
It should be /etc/virtual/domain.com_off

billing should not be part of it.
 