
I'm stuck in here. I'm using ISPConfig on a Debian Wheezy Postfix mail server, and I have the following problem: I have multiple mailbox addresses on 14 domains. One of the addresses started 2 days ago to send a huge amount of spam e-mails and already got blacklisted by yahoo and gmail servers... I tried scanning with clamav, rkhunter, etc... nothing pops out. I tried blocking from ISPConfig POP3, SMTP and IMAP.... still sending. I tried changing the password.... the account is practically disabled now, and still is sending a huge amount of e-mails.... HEEEELP PLEAASE!

  • You should start by shutting down the outgoing mail server entirely. – ceejayoz Sep 29 '18 at 19:54
  • I presume this mailbox is being spoofed.... I already tried that.... nothing new under the sun but the problem is for the other 38 mailboxes that are functioning properly and friends that are using this server for their domains are not so glad about this situation.... I tried restarting the server, blocking that specific domain, blocking that specific e-mail address.... nothing works. And the Inbox is full of "Undelivered mail returned to sender".... checking the content, some mail was sent to a non-existent yahoo or gmail address, nothing in sent folder... sigh! – Alexandru Popa Sep 29 '18 at 20:26

1 Answer

In the router you should block the outgoing port 25 completely.

You think it's a mailbox that causes the mass spam, but most malware will start its own SMTP server and directly send its email(s), and will spoof the sender.

Please block the outgoing port 25 and try tcpview on all of the computers inside your LAN to see which one is the culprit.

If your router has a CLI, get the port 25 stats from there directly.

Good luck finding the infected computer, but blocking from the router is the first step for a recovery, and to get delisted from the RBLs afterwards.

yagmoth555
  • Now that's a little bit tricky. This e-mail address is accessed from another network with a laptop.... so I must block the SMTP outgoing port there first... I think his laptop must have some problems.... I don't think it's from my mail server.... – Alexandru Popa Sep 29 '18 at 21:50
  • And furthermore, this mailbox is the single one that sends mass e-mails..... like today it sent over 14000 e-mails.... now it's peace and quiet because I blacklisted that address... and I see that it's finally sleeping... But I presume that this huge amount of e-mails.... somehow are spoofed from that laptop :( – Alexandru Popa Sep 29 '18 at 21:55
  • To help for next time you can set up an SPF entry in your DNS that will tell which IPs can send as your domain, that way remote mail servers that receive the mail know that it's spoofed. (and you configure that remote computer to send via your server) – yagmoth555 Sep 29 '18 at 22:00
  • yagmoth555 that's really something I didn't think of until now. Thanks a lot. That SPF entry is indeed a great idea. – Alexandru Popa Sep 29 '18 at 23:52
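As an added example (not part of the thread or of Postfix/ISPConfig), here is how a receiving server uses the SPF record yagmoth555 recommends: the record lists the only hosts allowed to send as the domain, and a connection from any other IP (such as the infected laptop) gets a hard `fail`. The record and the IP addresses are constructed placeholders; only the offline-evaluable `ip4`/`ip6`/`all` mechanisms are implemented.

```python
import ipaddress

# Constructed SPF record for the affected domain: only the mail server's own
# IPv4 and IPv6 addresses (placeholders) may send; everyone else hard-fails.
EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.10 ip6:2001:db8::25 -all"

# SPF qualifier prefixes and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for a connection from sender_ip.

    Mechanisms are evaluated left to right; the first match wins. Only ip4,
    ip6 and all are handled here, since they need no DNS lookups. Any other
    mechanism or modifier (a, mx, include, redirect=) is reported as
    'permerror' instead of being guessed at.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"
    return "neutral"  # nothing matched and no 'all' term was present


if __name__ == "__main__":
    # The server itself passes; the spoofing laptop's home IP fails.
    for ip in ("203.0.113.10", "198.51.100.77", "2001:db8::25"):
        print(ip, "->", evaluate_spf(EXAMPLE_RECORD, ip))
```

A receiver that enforces `-all` can reject the spoofed message outright, so the bounces that filled the inbox never get generated.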