Spam from own domain

dayfly (Verified User, joined Sep 9, 2016, 13 messages)
I am getting spam from my own domain; the MX records point to a different server.

In DirectAdmin I set the mail limit for that domain, and every day I get mails telling me it's spamming.
Could someone please tell me how to stop this? I can't find the problem.
 

This is from /etc/virtual/usage:


Code:
3503=type=email&[email protected]&method=outgoing&id=1bi8mJ-0005RU-B7&authenticated_id=&sender_host_address=14.186.225.252&log_time=1473377444&message_size=3503&local_part=user&domain= mydomain.nl&path=
3857=type=email&email=user@ mydomain.nl&method=outgoing&id=1bi8oF-0005Sa-9s&authenticated_id=&sender_host_address=189.166.179.59&log_time=1473377564&message_size=3857&local_part=user&domain= mydomain.nl&path=
 
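The /etc/virtual/usage entries above are one "size=query-string" record per message, so they can be read with an ordinary query-string parser. The script below is an added example (not DirectAdmin's own code): it groups outgoing entries by address and remote IP and picks out the ones that carry no authenticated_id and did not come from the server's own address. The field names are taken from the lines posted in the thread; the three sample entries and the set of addresses treated as "local" are constructed for the example.

```python
"""Parse DirectAdmin /etc/virtual/usage entries and group outgoing mail
by sender address and connecting IP.

Added example, not DirectAdmin's code.  Field names (type, email, method, id,
authenticated_id, sender_host_address, log_time, message_size, local_part,
domain, path) come from the log lines in the thread; sample data and the
LOCAL_ADDRESSES set are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample: two entries with an empty authenticated_id from remote
# IPs, one authenticated entry submitted from the server itself.
SAMPLE_USAGE = """\
3503=type=email&email=user@example.nl&method=outgoing&id=1bi8mJ-0005RU-B7&authenticated_id=&sender_host_address=203.0.113.10&log_time=1473377444&message_size=3503&local_part=user&domain=example.nl&path=
3857=type=email&email=user@example.nl&method=outgoing&id=1bi8oF-0005Sa-9s&authenticated_id=&sender_host_address=198.51.100.7&log_time=1473377564&message_size=3857&local_part=user&domain=example.nl&path=
1200=type=email&email=info@example.nl&method=outgoing&id=1bi8pA-0005Tb-1x&authenticated_id=info@example.nl&sender_host_address=127.0.0.1&log_time=1473377700&message_size=1200&local_part=info&domain=example.nl&path=
"""

# Assumption for this example: connections from these addresses are the
# server's own processes (web scripts, cron), everything else is a remote client.
LOCAL_ADDRESSES = {"127.0.0.1", "::1"}


def parse_usage_line(line):
    """Turn one '<size>=<key=value&...>' entry into a dict, or None for blanks."""
    line = line.strip()
    if not line:
        return None
    size, _, query = line.partition("=")
    # keep_blank_values so that 'authenticated_id=' and 'path=' survive as ''
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    fields["size"] = int(size)
    fields["when"] = datetime.fromtimestamp(int(fields["log_time"]), tz=timezone.utc)
    return fields


def suspicious_outgoing(text):
    """Outgoing entries that were neither authenticated nor sent from a local
    address, grouped by (sender address, connecting IP)."""
    groups = defaultdict(list)
    for raw in text.splitlines():
        entry = parse_usage_line(raw)
        if entry is None or entry.get("method") != "outgoing":
            continue
        if entry.get("authenticated_id") or entry.get("sender_host_address") in LOCAL_ADDRESSES:
            continue
        key = (f'{entry["local_part"]}@{entry["domain"]}', entry["sender_host_address"])
        groups[key].append(entry)
    return dict(groups)


if __name__ == "__main__":
    for (address, ip), entries in suspicious_outgoing(SAMPLE_USAGE).items():
        first = min(e["when"] for e in entries)
        print(f"{address:<22} from {ip:<16} {len(entries)} message(s), first {first:%Y-%m-%d %H:%M}Z")
```

Run it against the real file with `suspicious_outgoing(open("/etc/virtual/usage").read())`; the per-IP grouping is what makes it obvious whether one address is being used from many unrelated networks.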
Looks to me like somebody hacked or brute-forced the password of your email account,
since your /etc/virtual/usage log is saying some IPs from Vietnam and some other IP have authenticated.

Try first cleaning your machines with anti-malware tools like ADWCleaner (only download from the author's site or bleepingcomputer.com) and after that Malwarebytes from malwarebytes.org to be sure it's clean.
After that, change your email passwords.

Next to that, check your DNS settings, because it's already strange that SPF and DKIM are both failing for mail being sent from your own machine, as you can see from this part:
Authentication-Results: spf=fail (sender IP is 37.97.172.205)
smtp.mailfrom=mydomain.nl; mydomain.nl; dkim=fail (no key
for signature) header.d=mydomain.nl;mydomain.nl;
dmarc=fail action=none
header.from=mydomain.nl;mydomain.nl; dkim=fail (no key
for signature) header.d= mydomain.nl;
Received-SPF: Fail (protection.outlook.com: domain of mydomain.nl
does not designate 3x.9x.17x.xxx as permitted sender)
receiver=protection.outlook.com; client-ip=3x.9x.17x.xxx;
helo=srv1.myserver.nl;
 
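The Received-SPF line above says the receiving side looked up the sending domain's SPF record and found that the connecting IP is not a designated sender. As an added example (not code from the thread or from DirectAdmin), the following parses an Authentication-Results header into its spf/dkim/dmarc verdicts and evaluates the ip4, ip6, include and all terms of an SPF record against a client IP. The TXT table standing in for DNS, the domain names and the addresses are constructed; a, mx, exists and macros are left out, so this is a subset of RFC 7208, not a full checker.

```python
"""Read Authentication-Results verdicts and evaluate SPF ip4/ip6/include/all
terms offline.

Added example, not DirectAdmin's or the thread's code.  FAKE_TXT stands in for
DNS TXT lookups; the records, domains and IPs are constructed and are not the
real records of example.nl or spf.protection.outlook.com.
"""
import ipaddress
import re

FAKE_TXT = {
    "example.nl": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

# Constructed header in the same shape as the one quoted in the thread.
SAMPLE_AUTH_RESULTS = (
    "spf=fail (sender IP is 192.0.2.1) smtp.mailfrom=example.nl; "
    "dkim=fail (no key for signature) header.d=example.nl; "
    "dmarc=fail action=none header.from=example.nl"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_auth_results(header):
    """Map each authentication method named in the header to its verdict."""
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def check_spf(domain, client_ip, txt=FAKE_TXT, depth=0):
    """Evaluate a domain's SPF record for client_ip using the ip4, ip6,
    include and all mechanisms.  Returns pass/fail/softfail/neutral, 'none'
    when the domain has no SPF record, or 'permerror' on runaway recursion."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; keep recursion bounded
        return "permerror"
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term:  # modifiers such as redirect= or exp= are not handled here
            continue
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # membership is False when address family and network family differ
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(arg, client_ip, txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"mechanism {name!r} is out of scope for this example")
    return "neutral"  # record ended without a matching term


if __name__ == "__main__":
    print(parse_auth_results(SAMPLE_AUTH_RESULTS))
    for ip in ("203.0.113.5", "198.51.100.9", "2001:db8::1", "192.0.2.1"):
        print(f"{ip:<14} -> {check_spf('example.nl', ip)}")
```

For a real domain, replace FAKE_TXT with the TXT records returned by a resolver; the point of the offline table is that the evaluation logic can be exercised on a known record before trusting a tool's one-line verdict.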

Thanks

PCs are clean, scanned with several scanners including ADWCleaner.

The DirectAdmin user has a new password, plus all Exchange users have new passwords and clean, scanned PCs.

There are no mail accounts on the DirectAdmin server user account; MX records point to EOP (Office 365).

Hosting is a WordPress site with no exotic plugins and all up to date. I removed the site for several days and still get messages from DirectAdmin that the user account is spamming.

There is a contact form on the website which is often used; that's why I have set a limit on it, but it's reached every day. So when visitors use that contact form, mail never arrives because the limit is reached.

Completely lost in this one; reading for hours and checking settings I can't find it unfortunately, it's driving me crazy.
 
last reply gone?

Thanks,

Weird, my last reply is gone somehow? :confused:.. I reply again …

All computers are scanned also with ADWCleaner and are clean.

DirectAdmin password changed, running csf with brute-force blocking.

There are no email accounts on the DirectAdmin server for that account; MX records point to EOP Office 365.
All Exchange users have new passwords.

In DirectAdmin I set the mail limit for that account, but every day it's reached. There is a contact form on the website that visitors often use, but that's not working anymore because the mail limit is reached every time.
It's running a standard WordPress site with no exotic plugins and all up to date. I disabled the site for a few days and still get messages that it's spamming.

I have been reading the web for hours and tried everything I found, but nothing works; it keeps sending mail from that DirectAdmin account, driving me crazy.
 
Hmmz.... authenticated mail can't be sent from non-existing accounts. DA accounts always have 1 email account, which is the system account. Is it the system account that is being used?
The only thing I can see is that the login is done remotely to send the mail. So it looks as if it's not the server itself sending the mail.

Let me think... So you change passwords and it keeps spamming, or does it stop for some time (for example a couple of hours or several minutes) after the DirectAdmin account's password change?
Are you the only one who has access to that DA user account via DirectAdmin, or do others get notified by email about new passwords?

Did you also check that no other mail daemon is running, by using something like:
Code:
lsof -i :25
which should only show exim?
 

The story goes on.

The system account has a password that I changed weekly, and that's the only account on that account.
Sometimes it stops for a few weeks but it keeps spamming. I set the limit to 1 mail per day, so I often get notifications that the limit has been reached.

Code:
2017-01-09 07:13:03 1cQTCW-0004uB-Ib <= [email protected] H=187-254-97-1-cable.cybercable.net.mx [187.254.97.1] P=esmtp S=2150 id=003701d26a0d$0647113c$35e3f2bf@yrfvifmy T="Civilities" from <[email protected]> for [email protected]
2017-01-09 07:13:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cQTCW-0004uB-Ib
2017-01-09 07:13:04 1cQTCW-0004uB-Ib => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3064 H=domain-nl.mail.protection.outlook.com [213.199.154.42] X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=yes K C="250 2.6.0 <003701d26a0d$0647113c$35e3f2bf@yrfvifmy> [InternalId=13872744384924, Hostname=VE1EUR02HT123.eop-EUR02.prod.protection.outlook.com] 9651 bytes in 0.225, 41.813 KB/sec Queued mail for delivery"
2017-01-09 07:13:04 1cQTCW-0004uB-Ib Completed


Code:
4040=type=email&[email protected]&method=outgoing&id=1cQOwQ-0002Qw-QH&authenticated_id=&sender_host_address=113.166.93.83&log_time=1483926007&message_size=4040&local_part=usename&domain=domain.nl&path=
2150=type=email&[email protected]&method=outgoing&id=1cQTCW-0004uB-Ib&authenticated_id=&sender_host_address=187.254.97.1&log_time=1483942383&message_size=2150&local_part=info&domain=domain.nl&path=


Code:
lsof -i :25
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
exim 27078 mail 3u IPv4 67380864 0t0 TCP *:smtp (LISTEN)

csf mail settings set to:
SMTP_BLOCK = ON

There is no trace of those IPs in the HTTP logs.
 
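Exim's main log, as in the excerpt above, records an arrival line (`<=`) with the connecting host in H=, the protocol in P= and, when the session was SMTP-authenticated, an A=authenticator:id tag; each delivery line (`=>`) names one recipient, and "Completed" closes the message. The parser below is an added example (not Exim's, DirectAdmin's or the poster's code) that rebuilds one record per message id from such lines and lists the messages that arrived over SMTP from a non-local address without an A= tag, which is the distinction a mail admin wants when deciding whether a remote client logged in or the server simply accepted the message. The sample log lines, host names and addresses are constructed.

```python
"""Rebuild per-message records from Exim main log lines and flag remote,
unauthenticated SMTP submissions.

Added example, not Exim's, DirectAdmin's or the poster's code.  The sample
log, host names and IPs are constructed; LOCAL_ADDRESSES is an assumption
about which connections count as the server's own.
"""
import re
from collections import OrderedDict

SAMPLE_MAINLOG = """\
2017-01-09 07:13:03 1cQTCW-0004uB-Ib <= info@example.nl H=cable-host.example.net [198.51.100.23] P=esmtp S=2150 id=003701d26a0d$0647113c$35e3f2bf@yrfvifmy T="Civilities" from <info@example.nl> for user@example.nl
2017-01-09 07:13:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cQTCW-0004uB-Ib
2017-01-09 07:13:04 1cQTCW-0004uB-Ib => user@example.nl F=<info@example.nl> R=lookuphost T=remote_smtp S=3064 H=example-nl.mail.protection.outlook.com [203.0.113.42] X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=yes K C="250 2.6.0 Queued mail for delivery"
2017-01-09 07:13:04 1cQTCW-0004uB-Ib Completed
2017-01-09 08:02:11 1cQU0c-0005Aa-2k <= info@example.nl H=(laptop) [192.0.2.77] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=login:info@example.nl S=980 id=abc@laptop from <info@example.nl> for someone@example.org
2017-01-09 08:02:12 1cQU0c-0005Aa-2k => someone@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.99]
2017-01-09 08:02:12 1cQU0c-0005Aa-2k Completed
2017-01-09 08:10:00 1cQU8G-0005Bb-3m <= www-data@host.example.nl U=www-data P=local S=640 T="Contact form" from <www-data@host.example.nl> for info@example.nl
"""

LOCAL_ADDRESSES = {"127.0.0.1", "::1"}

# timestamp, 6-6-2 character message id, then the line's flag
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(?P<flag><=|=>|->|\*\*|==|Completed)(?: (?P<rest>.*))?$"
)
# H=hostname [ip], H=hostname (helo) [ip], H=(helo) [ip] or H=[ip]
HOST_RE = re.compile(r"\bH=(?:(?P<host>[^\s\[\(]+) )?(?:\([^)]*\) )?\[(?P<ip>[^\]]+)\]")


def _tag(rest, name):
    """Value of a space-separated NAME=value tag, or None when absent."""
    m = re.search(rf"(?:^| ){name}=(\S+)", rest)
    return m.group(1) if m else None


def parse_exim_mainlog(text):
    """One dict per message id, in first-seen order."""
    msgs = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # queue-runner and other non-message lines
            continue
        msg = msgs.setdefault(m["id"], {"id": m["id"], "recipients": [],
                                        "authenticated": None, "completed": False})
        rest = m["rest"] or ""
        if m["flag"] == "<=":
            sender, _, detail = rest.partition(" ")
            host = HOST_RE.search(detail)  # None for local (U=...) submissions
            msg.update(arrived=m["ts"], sender=sender,
                       remote_host=host["host"] if host else None,
                       remote_ip=host["ip"] if host else None,
                       protocol=_tag(detail, "P"),
                       authenticated=_tag(detail, "A"),
                       size=int(_tag(detail, "S") or 0))
        elif m["flag"] in ("=>", "->"):
            msg["recipients"].append(rest.split(" ", 1)[0])
        elif m["flag"] == "Completed":
            msg["completed"] = True
    return list(msgs.values())


def unauthenticated_remote_submissions(messages):
    """Messages that came in over SMTP from a non-local IP without an A= tag."""
    return [m for m in messages
            if m.get("remote_ip") and m["remote_ip"] not in LOCAL_ADDRESSES
            and not m["authenticated"]]


if __name__ == "__main__":
    for m in unauthenticated_remote_submissions(parse_exim_mainlog(SAMPLE_MAINLOG)):
        print(f'{m["arrived"]} {m["id"]} {m["sender"]} from {m["remote_ip"]} '
              f'P={m["protocol"]} -> {", ".join(m["recipients"])}')
```

Feed it the real file with `parse_exim_mainlog(open("/var/log/exim/mainlog").read())`. Three cases separate cleanly: a remote client that authenticated shows P=esmtpa/esmtpsa and an A= tag, a local script shows U= with no H= at all, and a remote host that merely connected and was accepted shows H= with neither.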
It's still authenticated mail for the user@ and [email protected] accounts according to the log.
So IMHO it seems they still know how to retrieve the passwords.

The only account for that domain in DirectAdmin is
[email protected]

[email protected]
[email protected]
are hosted by Exchange Office 365; very strange that the spam is coming from DirectAdmin.

It's nearly impossible they know the system password.
Changed weekly and it's very complicated.
CSF blocks if a user has 2 failed logins.
2-way authentication is on.
There are +/- 80 domains on that server and only 1 account, which has no email accounts except [email protected], keeps spamming.

How can they retrieve passwords for accounts that don't exist on DirectAdmin?

Even if they did hack the system@domain password, the accounts [email protected] and [email protected] are sending spam and not [email protected].
I am lost :confused:
 
You don't give the domain name and server IP, therefore DA support has to guess a lot! ;) (I'm pretty sure they don't like to do that)

You can though test yourself how the world is seeing your domain settings, DNS and MX; also you can test with mail-tester.com and other mail testers from different mail addresses, mail servers, mail clients and forms and so on.
Check all DNS and MX and more with tools such as here: http://mxtoolbox.com/

If you don't want to give the domain name and IP publicly here, you have to create a support ticket with DA support or someone else that is supporting DA (SMTALK and Alex for example).

While guessing and banging around somewhere, an account that could be hacked is urgent and not really a thing for trying and waiting for replies here in a partly user-answered support forum..
(Could also be wrong settings, but also a web app that is .... and Office 365 with all their troubles)

For the Dutch, also test www.internet.nl

Ask your/the hoster LCS (if that is not the spamming cause)

"It's nearly impossible they know the system password"
Wrong if the login (only username/password) is over an unsafe WiFi access, for only one example.
 
I checked all mail settings. I used to use DirectAdmin as a backup MX server but removed the MX as a test since the spam and the migration to EOP.
Exchange 2013 runs on an on-site server and all mail is scanned by EOP from Office 365.

server ip
domain that spams
willem se van poorten. nl ( to view remove the spaces)

Connection to DirectAdmin is over HTTPS and on a local network, no public WiFi network.

DirectAdmin is telling me it's sending spam, reading the logs.
The daily send limit in DirectAdmin is set to 1; users on that domain send +/- 50 mails a day with Exchange and never have sending problems, as it's handled by external servers.


4040=type=email&[email protected]&method=outgoing&id=1cQOwQ-0002Qw-QH&authenticated_id=&sender_host_address=113.166.93.83&log_time=1483926007&message_size=4040&local_part=usename&domain=domain.nl&path=
2150=type=email&[email protected]&method=outgoing&id=1cQTCW-0004uB-Ib&authenticated_id=&sender_host_address=187.254.97.1&log_time=1483942383&message_size=2150&local_part=info&domain=domain.nl&path=

The mail from that domain is not handled by the DirectAdmin server, as the MX records point to EOP from Office 365.
 
That IP is at LCS hosting NL, so ask them! (keep a backup of your log files for proof)

If you handled mail and MX before (as backup) on that DA server, then the email addresses are still also on the DA server?
Then the SMTP user/pass for that mail address and so on is probably the same as in Office 365, or not changed after ...

You can send mail over a DA server even if the MX records are not for that; if the MAIL ACCOUNT is/was there on that server, then all you have to do is use the server IP in the mail client (so not the domain name mail.).
And also you can still use the domain name mail.yourdaserverdomain.nl if using "own (copied and changed) DNS settings" for MX between the path to your DA server. (but then it is more a hacking.... kind of)

Basically the DA server "hostname" itself is the mail server, so if a mail account exists (there was one once, and so it may still be there since you used it as backup) (for whichever domain on the server), mail can be sent directly via the main part, namely the actual mail server (SMTP/POP etc., partly using either the server hostname or the server IP address).

A Microsoft Outlook Express client, I'd expect; someone still on the road with an old Windows, e.g. XP, or newer but not up to date? So either some of you / your client uses, or the spamming party uses https://www.cvedetails.com/vulnerab...Microsoft-Outlook-Express-6.00.2900.5512.html
 
I understand, but there are no old mail accounts on the DA server. Only the system account.

That's the problem: spam is being sent from accounts that don't exist on the DA server.

No physical mail accounts are necessary for an MX backup in DA; I created a file mx_domains in etc/virtual/ and added the domain and changed the exim.conf, nothing else.

If I go into DA and look under E-mail accounts I only see 1 mail account (system account) and that is the only account name I never saw spam from. :confused:
 
You also checked this, I hope, meaning you unchecked it ;)
https://help.directadmin.com/item.php?id=8
There should be an option for "Local Mail Server". Uncheck that option.
 
Yeah, you have to uncheck it, otherwise the DA server will keep handling the mail instead of the Exchange servers.

I'll contact support, maybe they can help me, and this weekend I will copy the current domain to a new user account and start fresh; maybe that helps.
I have been reading and searching for hours and can't find any solution.

To be continued
 