Hi all
Last week we had some problems with our DA server sending spam. The password of one of our email accounts was compromised, enabling some annoying Russian to send a lot of spam through our SMTP server. We found out, changed the password of the account, and noticed an instant drop in spam being sent and lots of authentication failures.
So far, so good 
For a few days things were okay, but now I get warning emails from the DA server: "Warning: 7318 emails have been sent yesterday by admin"
I don't think this is a spam issue; my best guess is that a lot of the spam messages that were sent a few days earlier by the compromised mail account are now bounced or rejected by servers and are delivered back to our server, only our server doesn't know the sender and the admin account is sending some warnings or bounces back to the other SMTP servers.
Is there any way I can find out what the problem is?
In my exim mainlog I see a lot of lines like these:
Code:
2014-05-22 10:08:02 1WnO2j-0004IT-SF ** [email protected] <[email protected]> F=<[email protected]>: Unrouteable address
2014-05-22 10:08:02 1WnO2j-0004IT-SF ** [email protected] <[email protected]> F=<[email protected]>: Unrouteable address
The admin.bytes file in /etc/virtual/usage contains lines like:
Code:
6225=type=email&[email protected]&method=outgoing&id=1WjwsF-0003ts-RS&[email protected]&sender_host_address=82.209.66.180&log_time=1400746710&message_size=6225&local_part=lydmila.malinovskay&domain=gmail.com&path=/usr/local/directadmin/custombuild
6245=type=email&[email protected]&method=outgoing&id=1WjwzN-0006j0-BL&[email protected]&sender_host_address=2.235.162.168&log_time=1400746743&message_size=6245&local_part=kolbassya&domain=beep.ru&path=/usr/local/directadmin/custombuild
6348=type=email&[email protected]&method=outgoing&id=1WkVTN-0001js-0L&[email protected]&sender_host_address=82.209.66.180&log_time=1400746744&message_size=6348&local_part=avtosklad.ru&domain=r01-service.ru&path=/usr/local/directadmin/custombuild
6188=type=email&[email protected]&method=outgoing&id=1Wk1P6-0006aW-Vm&[email protected]&sender_host_address=2.235.162.168&log_time=1400746767&message_size=6188&local_part=vtriamow&domain=dol.ru&path=/usr/local/directadmin/custombuild
6229=type=email&[email protected]&method=outgoing&id=1WkLr6-0003SF-MG&[email protected]&sender_host_address=2.235.162.168&log_time=1400746778&message_size=6229&local_part=litle&domain=kiss.ru&path=/usr/local/directadmin/custombuild
6259=type=email&[email protected]&method=outgoing&id=1Wk7c9-0000Nd-Pk&[email protected]&sender_host_address=2.235.162.168&log_time=1400746819&message_size=6259&local_part=rychik&domain=mail.ru&path=/usr/local/directadmin/custombuild
6382=type=email&[email protected]&method=outgoing&id=1WkPs9-0004eq-K7&[email protected]&sender_host_address=87.245.149.187&log_time=1400746823&message_size=6382&local_part=bkctbgahzeoowocoyvs&domain=ibbp.psn.ru&path=/usr/local/directadmin/custombuild
6255=type=email&[email protected]&method=outgoing&id=1WkFF9-00021d-M8&[email protected]&sender_host_address=82.209.66.180&log_time=1400746950&message_size=6255&local_part=azakaznikov&domain=texenergo.ru&path=/usr/local/directadmin/custombuild
6209=type=email&[email protected]&method=outgoing&id=1Wjm69-0007T9-MB&[email protected]&sender_host_address=82.209.66.180&log_time=1400746953&message_size=6209&local_part=lotosideal&domain=gmail.com&path=/usr/local/directadmin/custombuild
6175=type=email&[email protected]&method=outgoing&id=1WjmU9-0000Qs-H5&[email protected]&sender_host_address=82.209.66.180&log_time=1400746954&message_size=6175&local_part=yx4&domain=rebyata.hore.ru&path=/usr/local/directadmin/custombuild
2868=type=email&[email protected]&method=outgoing&id=1WjqE9-00067y-1h&[email protected]&sender_host_address=87.245.149.187&log_time=1400746957&message_size=2868&local_part=nazar1105&domain=gmail.com&path=/usr/local/directadmin/custombuild
6214=type=email&[email protected]&method=outgoing&id=1WkHI9-0002Qe-Rn&[email protected]&sender_host_address=82.209.66.180&log_time=1400746958&message_size=6214&local_part=info&domain=burser.ru&path=/usr/local/directadmin/custombuild
6378=type=email&[email protected]&method=outgoing&id=1WkVl9-0000dk-8F&[email protected]&sender_host_address=87.245.149.187&log_time=1400746962&message_size=6378&local_part=club94610465.1161299707&domain=club.mnogo.ru&path=/usr/local/directadmin/custombuild
6158=type=email&[email protected]&method=outgoing&id=1WjxlF-00018S-1r&[email protected]&sender_host_address=2.235.162.168&log_time=1400746965&message_size=6158&local_part=info&domain=gekomed.ru&path=/usr/local/directadmin/custombuild
6208=type=email&[email protected]&method=outgoing&id=1WkDP9-00016I-Hl&[email protected]&sender_host_address=87.245.149.187&log_time=1400746966&message_size=6208&local_part=nina_vasilchenko&domain=ivanovo.rgs.ru&path=/usr/local/directadmin/custombuild
6257=type=email&[email protected]&method=outgoing&id=1Wk969-0005mN-Gd&[email protected]&sender_host_address=2.235.162.168&log_time=1400746979&message_size=6257&local_part=atsauksmes&domain=unibanka.lv&path=/usr/local/directadmin/custombuild
3359=type=email&[email protected]&method=outgoing&id=1WkEI9-0000ZV-Ki&[email protected]&sender_host_address=93.63.238.62&log_time=1400746981&message_size=3359&local_part=0afalin&domain=mail.ru&path=/usr/local/directadmin/custombuild
6206=type=email&[email protected]&method=outgoing&id=1WkL59-0006s3-Jr&[email protected]&sender_host_address=87.245.149.187&log_time=1400746982&message_size=6206&local_part=maria&domain=kolod.udm.ru&path=/usr/local/directadmin/custombuild
6342=type=email&[email protected]&method=outgoing&id=1WkSd9-0000BT-5b&[email protected]&sender_host_address=2.235.162.168&log_time=1400746988&message_size=6342&local_part=angsk&domain=mail.ru&path=/usr/local/directadmin/custombuild
6379=type=email&[email protected]&method=outgoing&id=1WkW99-0003lc-FI&[email protected]&sender_host_address=87.245.149.187&log_time=1400746994&message_size=6379&local_part=omarov&domain=ifdk-insurance.ru&path=/usr/local/directadmin/custombuild
6422=type=email&[email protected]&method=outgoing&id=1WkUb9-0000E9-HF&[email protected]&sender_host_address=87.245.149.187&log_time=1400746994&message_size=6422&local_part=mostovayakv&domain=banksoyuz.ru&path=/usr/local/directadmin/custombuild
6267=type=email&[email protected]&method=outgoing&id=1Wk8o9-0007xh-52&[email protected]&sender_host_address=2.235.162.168&log_time=1400746996&message_size=6267&local_part=ialrex&domain=ipcmsk.dol.ru&path=/usr/local/directadmin/custombuild
[email protected]: this was the compromised email address.
Does anybody have any advice or comments on how to figure out what exactly is going on?
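As an added illustration (not code from the post, DirectAdmin or Exim), a small Python script that parses the two formats quoted above and tallies them: admin.bytes records per submitting IP and per authenticated/unauthenticated submission, and Exim mainlog "**" failures per envelope sender and reason. The sample records are constructed, and the key names `email` and `authenticated_id` are assumed, since the forum redacted the addresses in the quoted admin.bytes lines.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in the admin.bytes layout quoted in the post. The key
# names "email" and "authenticated_id" are assumed (the quoted lines are redacted).
SAMPLE_BYTES = """\
6225=type=email&email=victim%40example.com&method=outgoing&id=1WjwsF-0003ts-RS&authenticated_id=victim%40example.com&sender_host_address=192.0.2.10&log_time=1400746710&message_size=6225&local_part=alice&domain=example.net
6245=type=email&email=victim%40example.com&method=outgoing&id=1WjwzN-0006j0-BL&authenticated_id=victim%40example.com&sender_host_address=198.51.100.7&log_time=1400746743&message_size=6245&local_part=bob&domain=example.org
3359=type=email&email=victim%40example.com&method=outgoing&id=1WkEI9-0000ZV-Ki&authenticated_id=&sender_host_address=192.0.2.10&log_time=1400746981&message_size=3359&local_part=carol&domain=example.net
"""
# Constructed sample in the Exim mainlog layout quoted in the post.
SAMPLE_MAINLOG = """\
2014-05-22 10:08:02 1WnO2j-0004IT-SF ** alice@example.net <alice@example.net> F=<victim@example.com>: Unrouteable address
2014-05-22 10:08:03 1WnO2k-0004IU-TG ** bob@example.org <bob@example.org> F=<victim@example.com>: Unrouteable address
2014-05-22 10:09:00 1WnO3x-0004JA-AB ** dave@example.org F=<>: Unrouteable address
"""

def parse_bytes_line(line):
    """Decode one admin.bytes record: strip the leading '<size>=' prefix,
    then parse the remaining key=value pairs (blank values are kept)."""
    _, _, query = line.partition("=")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def summarise_bytes(text):
    """Tally records per submitting IP and per authenticated/unauthenticated.
    Many records from remote IPs with an authenticated id mean the account
    is still being abused; unauthenticated local records point at bounces."""
    by_ip, by_auth = Counter(), Counter()
    for line in filter(None, text.splitlines()):
        rec = parse_bytes_line(line)
        by_ip[rec.get("sender_host_address", "")] += 1
        by_auth["authenticated" if rec.get("authenticated_id") else "unauthenticated"] += 1
    return by_ip, by_auth

# Exim mainlog delivery failure: "<date> <time> <id> ** <recipient> ... F=<sender>: <reason>"
MAINLOG_RE = re.compile(r"^(\S+ \S+) (\S+) \*\* (\S+) .*?F=<([^>]*)>: (.*)$")

def summarise_mainlog(text):
    """Count '**' delivery failures per envelope sender and per reason, so the
    share attributable to the compromised account is visible at a glance."""
    per_sender, per_reason = Counter(), Counter()
    for m in filter(None, map(MAINLOG_RE.match, text.splitlines())):
        per_sender[m.group(4) or "<> (bounce)"] += 1
        per_reason[m.group(5)] += 1
    return per_sender, per_reason

if __name__ == "__main__":
    print(*summarise_bytes(SAMPLE_BYTES), sep="\n")
    print(*summarise_mainlog(SAMPLE_MAINLOG), sep="\n")
```

Run it against the real /etc/virtual/usage/admin.bytes and /var/log/exim/mainlog instead of the samples; a large count under "unauthenticated" with F=<> senders supports the bounce theory, while a large count from a few remote IPs with an authenticated id does not.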