Messages appear to be sent from my server

robert....@gmail.com

Mar 14, 2017, 4:50:51 PM
I am getting a lot of these messages:

Mar 13 05:48:19 myserver sm-mta[1618]: v2CI05LI001071: to=<bri...@tribcore.com>, delay=00:48:14, xdelay=00:00:00, mailer=esmtp, pri=210000, relay=tribcore.com. [216.126.239.102], dsn=4.0.0, stat=Deferred: 421 tribcore.com out of connection slots
Mar 13 05:48:20 myserver sm-mta[1618]: v2CE0UUg015276: to=<sur...@addawap.com>, delay=04:47:50, xdelay=00:00:01, mailer=esmtp, pri=930000, relay=addawap.com. [216.126.239.100], dsn=4.0.0, stat=Deferred: 421 tribcore.com out of connection slots
Mar 13 05:48:20 myserver sm-mta[1618]: v2CAscbY013634: to=<cloa...@bariteh.com>, delay=07:53:42, xdelay=00:00:00, mailer=esmtp, pri=1470000, relay=bariteh.com. [216.126.239.98], dsn=4.0.0, stat=Deferred: 421 tribcore.com out of connection slots
Mar 13 05:48:21 myserver sm-mta[1618]: v2C7mcrx011891: to=<pay...@csxca.com>, delay=10:59:43, xdelay=00:00:01, mailer=esmtp, pri=2010000, relay=csxca.com. [216.126.239.77], dsn=4.0.0, stat=Deferred: 421 tribcore.com out of connection slots
Mar 13 05:48:22 myserver sm-mta[1618]: v2C2EWcX008858: to=<rhi...@giddychef.com>, delay=16:33:50, xdelay=00:00:01, mailer=esmtp, pri=3090000, relay=giddychef.com. [216.126.239.73], dsn=4.0.0, stat=Deferred: 421 tribcore.com out of connection slots

It appears that my server is trying to send these. They don't look like legitimate recipients. Where are these messages originating from? Is it possible that one of my user accounts has been compromised?

I'm using sendmail 8.14.9 64 bit, procmail 3.22-r10, gentoo linux.

J.O. Aho

Mar 14, 2017, 5:21:54 PM
Sure, that is possible, especially as there are the "out of connection slots" errors.

You should have a log row which shows when the user did authenticate; it
should look something like:

Mar 13 03:41:11 myserver sm-mta[1618]: AUTH=server, relay=example.net
[127.0.0.1], authid=username, mech=PLAIN, bits=0


--

//Aho

Robert S

Mar 15, 2017, 1:06:17 AM
On Wednesday, March 15, 2017 at 8:21:54 AM UTC+11, J.O. Aho wrote:
Thanks. All of the logins on my account look legitimate (I think my account is the offending one). I am getting a lot of "Postmaster notify: see transcript for details" messages in my inbox, for messages that I didn't send. I have changed my password and this has not stopped the issue. The logs suggest that the messages are being sent by a spammer to the non-existent user "admin" - at ad...@mydomain.com.au. My mail server is sending a "User unknown" bounce, and it isn't arriving back with the sender. How can I prevent the "Undeliverable mail" messages being sent to me? Here is a relevant log entry (my server name has been altered):

Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: from=<inc...@ekominek.com>, size=16936, class=0, nrcpts=1, msgid=<EUnz7af_JRtrQ8WPKrSo1zJh3F9WWLWz6FKkZWG5ERg...@ekominek.co, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=[216.126.239.104]
Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter add: header: X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.4.3 (mydomain.com.au [192.168.0.40]); Mon, 13 Mar 2017 07:52:56 +1100 (AEDT)
Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter add: header: X-Virus-Scanned: clamav-milter 0.99 at myserver
Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter add: header: X-Virus-Status: Clean
Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter accept: message
Mar 13 07:52:56 myserver sm-mta[3312]: v2CKphnj003275: to=REJECT, ctladdr=<ad...@mydomain.com.au> (2/0), delay=00:00:04, mailer=local, pri=136936, dsn=5.1.1, stat=User unknown
Mar 13 07:52:56 myserver sm-mta[3312]: v2CKphnj003275: v2CKqunj003312: DSN: User unknown
Mar 13 07:57:56 myserver sm-mta[3312]: v2CKqunj003312: timeout waiting for input from ekominek.com. during client greeting
Mar 13 07:57:56 myserver sm-mta[3312]: v2CKqunj003312: to=<inc...@ekominek.com>, delay=00:05:00, xdelay=00:05:00, mailer=esmtp, pri=30000, relay=ekominek.com. [216.126.239.104], dsn=4.0.0, stat=Deferred: Connection timed out with ekominek.com.

J.O. Aho

Mar 15, 2017, 2:56:52 AM
On 03/15/17 06:06, Robert S wrote:

> Thanks. All of the logins on my account look legitimate (I think my account is the offending one).
> I am getting a lot of "Postmaster notify: see transcript for details" messages in my inbox,
> for messages that I didn't send.

That is the "evidence" that someone uses the mailserver to send spam.


> I have changed my password and this has not stopped the issue.

There are usually two things: the spammer sends a lot of spam in a short
timespan and it will take a while before your system has managed to
handle the mail; they tend to end up in queues to be resent and you will
get notifications that there are issues sending, ending with a mail that
it failed to send the mail.
The other thing is that just changing the password isn't enough; you
need to do a: /etc/init.d/saslauthd restart
so that the logged-in session will for sure die.


> The logs suggest that the messages are being sent by a spammer to the non-existent user "admin" - at ad...@mydomain.com.au.
> My mail server is sending a "User unknown" bounce, and it isn't arriving back with the sender.
> How can I prevent the "Undeliverable mail" messages being sent to me? Here is a relevant log entry (my server name has been altered):
>
> Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: from=<inc...@ekominek.com>, size=16936, class=0, nrcpts=1, msgid=<EUnz7af_JRtrQ8WPKrSo1zJh3F9WWLWz6FKkZWG5ERg...@ekominek.co, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=[216.126.239.104]
> Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter add: header: X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.4.3 (mydomain.com.au [192.168.0.40]); Mon, 13 Mar 2017 07:52:56 +1100 (AEDT)
> Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter add: header: X-Virus-Scanned: clamav-milter 0.99 at myserver
> Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter add: header: X-Virus-Status: Clean
> Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter accept: message
> Mar 13 07:52:56 myserver sm-mta[3312]: v2CKphnj003275: to=REJECT, ctladdr=<ad...@mydomain.com.au> (2/0), delay=00:00:04, mailer=local, pri=136936, dsn=5.1.1, stat=User unknown
> Mar 13 07:52:56 myserver sm-mta[3312]: v2CKphnj003275: v2CKqunj003312: DSN: User unknown
> Mar 13 07:57:56 myserver sm-mta[3312]: v2CKqunj003312: timeout waiting for input from ekominek.com. during client greeting
> Mar 13 07:57:56 myserver sm-mta[3312]: v2CKqunj003312: to=<inc...@ekominek.com>, delay=00:05:00, xdelay=00:05:00, mailer=esmtp, pri=30000, relay=ekominek.com. [216.126.239.104], dsn=4.0.0, stat=Deferred: Connection timed out with ekominek.com.
>

This I don't think is part of your original problem; this is just an
attempt to spam you.


--

//Aho

Robert S

Mar 15, 2017, 8:03:54 AM
> There are usually two things, the spammer sends a lot of spam in a short
> timespan and it will take a while before your system has managed to
> handle the mail, they tend to end up in queues to be resent and you will
> get notification that there are issues to send and ends with a mail that
> it failed to send the mail.
> The other thing is that just changing the password isn't enough, you
> need to do a: /etc/init.d/saslauthd restart
> so that the logged in session will for sure die.
>
>
> This I don't think is part of your original problem, this just an
> attempt to spam you.
>
>

Assuming that my account hasn't been compromised - is there some way that I can stop my system from sending these "Returned mail" messages?

I am getting some "User unknown" messages sent to my email address - I assume that these spams are being sent from non-existent user accounts.

Thanks for the useful answers to my questions.

Claus Aßmann

Mar 15, 2017, 8:43:20 AM
On 03/14/17 21:50, robert....@gmail.com wrote:
[somehow my news server doesn't have this posting and others from you, only replies]
> I am getting a lot of these messages:

> Mar 13 05:48:19 myserver sm-mta[1618]: v2CI05LI001071: to=<bri...@tribcore.com>,
> delay=00:48:14, xdelay=00:00:00, mailer=esmtp, pri=210000, relay=tribcore.com.

fgrep v2CI05LI001071 $MAILLOG | head

Whatever file $MAILLOG is on your system -- and you might have to
look into previous versions to find the original submission.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

J.O. Aho

Mar 16, 2017, 2:03:15 AM
You could use procmail or sieve rules (if you have this enabled in
dovecot) to move the mail somewhere else, such as /dev/null, but then you
will not know when this happens again or when a legitimate mail gets into
trouble.

I do recommend moving those mails to a junk mail folder.

--

//Aho

Mike Scott

Mar 16, 2017, 8:05:23 AM
On 15/03/17 05:06, Robert S wrote:
....
>
> Thanks. All of the logins on my account look legitimate (I think my account is the offending one). I am getting a lot of "Postmaster notify: see transcript for details" messages in my inbox, for messages that I didn't send. I have changed my password and this has not stopped the issue. The logs suggest that the messages are being sent by a spammer to the non-existent user "admin" - at ad...@mydomain.com.au. My mail server is sending a "User unknown" bounce, and it isn't arriving back with the sender. How can I prevent the "Undeliverable mail" messages being sent to me? Here is a relevant log entry (my server name has been altered):
>
> Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: from=<inc...@ekominek.com>, size=16936, class=0, nrcpts=1, msgid=<EUnz7af_JRtrQ8WPKrSo1zJh3F9WWLWz6FKkZWG5ERg...@ekominek.co, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=[216.126.239.104]
> Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter add: header: X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.4.3 (mydomain.com.au [192.168.0.40]); Mon, 13 Mar 2017 07:52:56 +1100 (AEDT)
> Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter add: header: X-Virus-Scanned: clamav-milter 0.99 at myserver
> Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter add: header: X-Virus-Status: Clean
> Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: Milter accept: message
> Mar 13 07:52:56 myserver sm-mta[3312]: v2CKphnj003275: to=REJECT, ctladdr=<ad...@mydomain.com.au> (2/0), delay=00:00:04, mailer=local, pri=136936, dsn=5.1.1, stat=User unknown
> Mar 13 07:52:56 myserver sm-mta[3312]: v2CKphnj003275: v2CKqunj003312: DSN: User unknown
> Mar 13 07:57:56 myserver sm-mta[3312]: v2CKqunj003312: timeout waiting for input from ekominek.com. during client greeting
> Mar 13 07:57:56 myserver sm-mta[3312]: v2CKqunj003312: to=<inc...@ekominek.com>, delay=00:05:00, xdelay=00:05:00, mailer=esmtp, pri=30000, relay=ekominek.com. [216.126.239.104], dsn=4.0.0, stat=Deferred: Connection timed out with ekominek.com.
>

Maybe someone would check my reading of this, which is that your server
has accepted for delivery an email from 'incubus' to 'admin'. It then,
after accepting the mail, finds 'admin' does not exist, so the mail
cannot be delivered and it generates a failure message - delivery of
which (unsurprisingly) fails, and leaves you with a problematic queued
message.

If this is correct, I'd suggest your server is misconfigured -
recipients should be checked, and undeliverable mail rejected, during
the original smtp transaction, not later. This way you never actually
have anything queued that cannot in principle be delivered.

Is my analysis correct?


--
Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
Harlow Essex
"The only way is Brexit" -- anon.
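As an added example (not code from any poster in this thread): a small POSIX shell triage that generalizes Claus's fgrep on the queue ID and Mike's reading of the bounce chain. It collects every log line for one queue ID, follows the "parent: child: DSN:" link that sendmail logs when it generates a bounce, and classifies the origin of each deferred message as an authenticated submission (the AUTH=server line with its authid, as J.O. Aho described), a bounce this server generated for some other message, or an unauthenticated inbound relay. The sample log is constructed: the queue ID v2CGfBxx001601, the account name robert, the hosts and addresses are made up; the backscatter pair reuses the queue IDs from Robert's own log lines. Function names and the output format are this example's choices, not sendmail's.

```sh
#!/bin/sh
# Added example (not from the thread): trace a sendmail queue ID through the mail
# log and classify how each deferred message entered the system.
set -eu

# Every line sendmail logs for one message carries its queue ID right after the
# PID, so matching ": <qid>: " collects the whole transaction.
qid_lines() {   # qid_lines LOGFILE QID
    grep -F ": $2: " "$1" || true
}

# A bounce (DSN) is a new message with its own queue ID, logged once as
# "<parent qid>: <child qid>: DSN: <reason>". Follow that link to the child.
dsn_child() {   # dsn_child LOGFILE QID -> child queue ID, or empty
    qid_lines "$1" "$2" | sed -n "s/.*: $2: \([A-Za-z0-9]*\): DSN: .*/\1/p" | head -n 1
}

# Classify the origin of one queue ID:
#   auth:<authid>    submitted over an authenticated session: inspect that account
#   bounce-of:<qid>  a DSN this server generated for another message (backscatter when
#                    the original came from outside, was accepted, then failed locally)
#   inbound:<relay>  accepted from a remote relay without authentication
origin() {      # origin LOGFILE QID
    log=$1; qid=$2
    authid=$(qid_lines "$log" "$qid" | sed -n 's/.*AUTH=server,.*authid=\([^,]*\),.*/\1/p' | head -n 1)
    if [ -n "$authid" ]; then echo "auth:$authid"; return; fi
    parent=$(grep -F ": $qid: DSN: " "$log" | sed -n 's/.*: \([A-Za-z0-9]*\): '"$qid"': DSN: .*/\1/p' | head -n 1)
    if [ -n "$parent" ]; then echo "bounce-of:$parent"; return; fi
    relay=$(qid_lines "$log" "$qid" | sed -n 's/.* from=<.*relay=\(.*\)$/\1/p' | head -n 1)
    echo "inbound:${relay:-unknown}"
}

# One line per deferred message: "<qid> <origin>". This is the question the first
# post asks: who handed the server the mail that is now stuck in the queue?
deferred_origins() {   # deferred_origins LOGFILE
    grep 'stat=Deferred' "$1" | sed -n 's/.*]: \([A-Za-z0-9]*\): to=.*/\1/p' | sort -u |
    while read -r q; do echo "$q $(origin "$1" "$q")"; done
}

# Constructed sample log (not a real capture): one authenticated submission that is
# now deferred, and one inbound message accepted for a bad recipient that spawned a
# deferred bounce.
write_sample_log() {   # write_sample_log FILE
    cat > "$1" <<'EOF'
Mar 13 03:41:11 myserver sm-mta[1601]: v2CGfBxx001601: AUTH=server, relay=host.example.net [198.51.100.7], authid=robert, mech=PLAIN, bits=0
Mar 13 03:41:11 myserver sm-mta[1601]: v2CGfBxx001601: from=<robert@mydomain.example>, size=2048, class=0, nrcpts=1, msgid=<a1@mydomain.example>, proto=ESMTP, daemon=MSA, relay=host.example.net [198.51.100.7]
Mar 13 05:48:19 myserver sm-mta[1618]: v2CGfBxx001601: to=<victim@example.org>, delay=02:07:08, xdelay=00:00:00, mailer=esmtp, pri=210000, relay=example.org. [203.0.113.25], dsn=4.0.0, stat=Deferred: 421 example.org out of connection slots
Mar 13 07:52:56 myserver sm-mta[3275]: v2CKphnj003275: from=<sender@example.com>, size=16936, class=0, nrcpts=1, msgid=<b2@example.com>, proto=ESMTP, daemon=MTA, relay=[203.0.113.104]
Mar 13 07:52:56 myserver sm-mta[3312]: v2CKphnj003275: to=REJECT, ctladdr=<admin@mydomain.example> (2/0), delay=00:00:04, mailer=local, pri=136936, dsn=5.1.1, stat=User unknown
Mar 13 07:52:56 myserver sm-mta[3312]: v2CKphnj003275: v2CKqunj003312: DSN: User unknown
Mar 13 07:52:56 myserver sm-mta[3312]: v2CKqunj003312: from=<>, size=3000, class=0, nrcpts=1, proto=internal, daemon=MTA, relay=myserver
Mar 13 07:57:56 myserver sm-mta[3312]: v2CKqunj003312: to=<sender@example.com>, delay=00:05:00, xdelay=00:05:00, mailer=esmtp, pri=30000, relay=example.com. [203.0.113.104], dsn=4.0.0, stat=Deferred: Connection timed out with example.com.
EOF
}

demo() {   # stand-alone run: triage every deferred message in the constructed log
    f=$(mktemp)
    write_sample_log "$f"
    deferred_origins "$f"
    rm -f "$f"
}
demo
```

On a real system replace the constructed file with the mail log (and its rotated predecessors, as Claus notes: the original submission may be in an older file than the deferred retries). An "auth:" result points at the account to reset and, as J.O. Aho says, at the saslauthd session to kill; a "bounce-of:" result whose parent is "inbound:" is the accept-then-bounce case Mike describes, which is a configuration problem rather than a compromised account.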

Claus Aßmann

Mar 16, 2017, 8:44:01 AM
Robert S wrote:

> Mar 13 07:52:56 myserver sm-mta[3312]: v2CKphnj003275: to=REJECT,

What did you configure to get that "REJECT" here?
Some virtuser entry?
Check your maps/config and then compare your setup with the docs.

robert....@gmail.com

Mar 17, 2017, 5:47:32 PM
>
> What did you configure to get that "REJECT" here?
> Some virtuser entry?
> Check your maps/config and then compare your setup with the docs.
>
> Maybe someone would check my reading of this, which is that your server
> has accepted for delivery an email from 'incubus' to 'admin'. It then,
> after accepting the mail, finds 'admin' does not exist, so the mail
> cannot be delivered and it generates a failure message - delivery of
> which (unsurprisingly) fails, and leaves you with a problematic queued
> message.
>
> If this is correct, I'd suggest your server is misconfigured -
> recipients should be checked, and undeliverable mail rejected, during
> the original smtp transaction, not later. This way you never actually
> have anything queued that cannot in principle be delivered.
>
> Is my analysis correct?
>

Hi Mike/Claus.

Your analysis is correct. I've just had a look at my configs. It turns out that I *do* have an "admin" user - I set it up because I have an "admin" account on windows machines on my network. My /etc/mail/aliases contains the following line, so that mail doesn't get sent to that account:

admin REJECT

If I remove this line, the message ends up in /var/spool/mail and does not get delivered by procmail - not what I'm wanting.

I can't find a lot of detailed documentation. What is the magic keyword that I need to use in place of "REJECT"? I assume that this will fix the problem.

Claus Aßmann

Mar 17, 2017, 9:34:04 PM
wrote:


> I set it up because I have an "admin" account on windows machines on my network. My /etc/mail/aliases contains
> the following line, so that mail doesn't get sent to that account:

> admin REJECT

Which part of the documentation caused you to enter that entry in
aliases?

> I can't find a lot of detailed documentation.

Did you try cf/README?

access_db Turns on the access database feature.
...
blacklist_recipients
Turns on the ability to block incoming mail for certain
recipient usernames, hostnames, or addresses.
etc.
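An added example of the fix Claus points at in cf/README, written as the shell steps an administrator would run; it is not configuration from the thread or from the sendmail distribution. Instead of an aliases entry whose right-hand side is the nonexistent local user "REJECT" (which makes sendmail accept the message and only fail it at local delivery, so a bounce goes to a sender address that is probably forged), the recipient is refused with a 550 during the SMTP transaction via FEATURE(`access_db') and FEATURE(`blacklist_recipients'). Assumptions: the mail configuration lives under /etc/mail (override with MAILDIR), the access map is the hash map cf/README defaults to, and the command that rebuilds sendmail.cf from sendmail.mc is left as a placeholder because it differs per distribution. The function names are this example's.

```sh
#!/bin/sh
# Added example (not the thread's own configuration): refuse mail for a local user at
# RCPT time with access_db + blacklist_recipients, and spot the aliases mistake that
# causes accept-then-bounce backscatter.
set -eu

MAILDIR=${MAILDIR:-/etc/mail}   # assumption: Gentoo-style /etc/mail layout

# m4 features sendmail.mc needs (add them once, before the MAILER() lines).
mc_features() {
    cat <<'EOF'
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
EOF
}

# Append an access entry that answers RCPT TO:<user@...> with 550, unless it is already
# there. "To:admin@" matches local user admin at every local domain; a fully qualified
# "To:admin@mydomain.com.au" would limit the block to that one domain (cf/README).
add_recipient_reject() {   # add_recipient_reject ACCESSFILE LOCALUSER
    access=$1; user=$2
    if grep -q "^To:$user@[[:space:]]" "$access" 2>/dev/null; then
        return 0                       # already present: keep the source file idempotent
    fi
    printf 'To:%s@\tREJECT\n' "$user" >> "$access"
}

# Lint: aliases whose target is the literal word REJECT. That is the entry from the thread;
# sendmail treats REJECT as a local user, accepts the message, then fails delivery and
# queues a bounce to the (usually forged) envelope sender.
aliases_reject_entries() {   # aliases_reject_entries ALIASESFILE -> offending lines
    grep -E '^[^#:[:space:]]+:?[[:space:]]*REJECT[[:space:]]*$' "$1" 2>/dev/null || true
}

# Rebuild the access map; only does anything where sendmail's makemap is installed.
apply() {
    if ! command -v makemap >/dev/null 2>&1; then
        echo "makemap not found; nothing rebuilt" >&2; return 0
    fi
    makemap hash "$MAILDIR/access" < "$MAILDIR/access"
    # Then regenerate sendmail.cf from sendmail.mc with the distribution's command
    # (placeholder: e.g. make -C "$MAILDIR") and restart sendmail so it reads both.
}

# Stand-alone run: print the mc lines and lint the live aliases file (read-only).
mc_features
aliases_reject_entries "${ALIASES:-$MAILDIR/aliases}"
```

After rebuilding and restarting, verify the change from the client side: open an SMTP session to the server and issue RCPT TO for the blocked address; the answer should now be a 550 at that step rather than 250 followed by a bounce minutes later. The deferred "Returned mail" entries from the first post then stop appearing for that recipient, because nothing undeliverable is ever queued.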

robert....@gmail.com

Mar 18, 2017, 9:57:51 PM
> access_db Turns on the access database feature.
> ...
> blacklist_recipients
> Turns on the ability to block incoming mail for certain
> recipient usernames, hostnames, or addresses.

Thanks :) That has fixed it.