Author Topic: Problems with Mail Service  (Read 200 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Problems with Mail Service
« on: January 12, 2022, 01:58:25 PM »
HI all i`am having very strange problem with emails the Antivirus scan doesn`t find anything but the spam is still sending from server hostname:
even in php log there is nothing i have paid for cwp support but nothing happens
om=<depotentiate@hosting.iwillvisit.com>, size=33099, nrcpt=1 (queue active)
Jan 12 13:33:14 hosting postfix/qmgr[31494]: C5BADEE08CC: from=<haven@hosting.iwillvisit.com>, size=33376, nrcpt=1 (queue active)
Jan 12 13:33:14 hosting amavis[16402]: (16402-07) Passed CLEAN {RelayedOutbound}, MYNETS LOCAL [127.0.0.1]:44046 <haven@hosting.iwillvisit.com> -> <jokischregina@web.de>, Queue-ID: 6ED95EE08C3, Message-ID: <5d87a52d5d-43dc94a1@hosting.iwillvisit.com>, mail_id: eqFZR9vRV0tT, Hits: -1.887, size: 32885, queued_as: C5BADEE08CC, dkim_sd=default:hosting.iwillvisit.com, 1301 ms
how is this possible ?


Code: [Select]
message_arrival_time: Wed Jan 12 14:02:44 2022
create_time: Wed Jan 12 14:02:44 2022
named_attribute: log_ident=ABBFDEE005D
named_attribute: rewrite_context=local
sender: ecneeds@hosting.iwillvisit.com
named_attribute: encoding=7bit
named_attribute: log_client_name=unknown
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=45822
named_attribute: log_message_origin=unknown[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=127.0.0.1
named_attribute: client_port=45822
named_attribute: server_address=127.0.0.1
named_attribute: server_port=10025
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
warning_message_time: Wed Jan 12 18:02:44 2022
named_attribute: dsn_orig_rcpt=rfc822;machillm@aol.com
original_recipient: machillm@aol.com
recipient: machillm@aol.com
*** MESSAGE CONTENTS deferred/A/ABBFDEE005D ***
Received: from localhost (unknown [127.0.0.1])
        by hosting.iwillvisit.com (Postfix) with ESMTP id ABBFDEE005D
        for <machillm@aol.com>; Wed, 12 Jan 2022 14:02:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
        d=hosting.iwillvisit.com; s=default; t=1641996164;
        bh=Olr/JIIX4wcofClmfihfjUsEg2plgTKzUTYO8i/Gs3o=;
        h=To:List-Unsubscribe:Subject:From:Date;
        b=FD7Nfr74IHO/hXIhvWmKLf9SQcDapPhS74vIX3aGQt4qN/K+tMEv12o0Muc8l3kO5
         Nv9jc1bGzsgeKgRst0lP65Sb1QgA+bBnPIaMJE/dvnBGdBPOCmzCwahEZuVAUVc0x9
         abENqWQSUOSgecZIflaieHemSwaCg6szzxpEcTe4=
X-Virus-Scanned: amavisd-new at iwillvisit.com
Received: from hosting.iwillvisit.com ([127.0.0.1])
        by localhost (hosting.iwillvisit.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id qe3DWBVgErQg for <machillm@aol.com>;
        Wed, 12 Jan 2022 14:02:43 +0000 (UTC)
Received: from hosting.iwillvisit.com (localhost [127.0.0.1])
        by hosting.iwillvisit.com (Postfix) with ESMTP id EE89DEE00CB
        for <machillm@aol.com>; Wed, 12 Jan 2022 14:02:42 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
        d=hosting.iwillvisit.com; s=default; t=1641996163;
        bh=Olr/JIIX4wcofClmfihfjUsEg2plgTKzUTYO8i/Gs3o=;
        h=To:List-Unsubscribe:Subject:From:Date;
        b=VombcGlia+3HhNsTgINCBbkr/y6MAG2K6eXjiHS4Udq/nPhJBExIHxnCUaIFRnIus
         0ok8b9Ykq++UbfBE19FvcDSzZa91u+Ccv4I3PtKs6/w2p5OrZTa+TYK3UkidzumFAy
         yaq8ei0TDGbuYcN2H4ueIfaLnGCyTfv++8J6m2hw=
« Last Edit: January 12, 2022, 02:07:51 PM by dani521 »

Offline
***
Re: Problems with Mail Service
« Reply #1 on: January 12, 2022, 08:56:30 PM »
Check you logs by queue id, like:
Code: [Select]
# grep C5BADEE08CC /var/log/maillog
of

Code: [Select]
# grep ABBFDEE005D /var/log/maillog
...and post the results here.

Offline
*
Re: Problems with Mail Service
« Reply #2 on: January 13, 2022, 08:33:38 PM »
grep
Code: [Select]
[root@hosting ~]# grep 3E581EE07AD /var/log/maillog
Jan 13 18:30:25 hosting postfix/smtpd[11175]: 3E581EE07AD: client=unknown[127.0.0.1]
Jan 13 18:30:25 hosting postfix/cleanup[11098]: 3E581EE07AD: message-id=<af16e42a3d-5f16f@hosting.iwillvisit.com>
Jan 13 18:30:25 hosting opendkim[4889]: 3E581EE07AD: DKIM-Signature field added (s=default, d=hosting.iwillvisit.com)
Jan 13 18:30:25 hosting postfix/qmgr[4753]: 3E581EE07AD: from=<date@hosting.iwillvisit.com>, size=33443, nrcpt=1 (queue active)
Jan 13 18:30:25 hosting amavis[4844]: (04844-04) Passed CLEAN {RelayedOutbound}, MYNETS LOCAL [127.0.0.1]:45002 <date@hosting.iwillvisit.com> -> <jser128@aol.com>, Queue-ID: D7B1CEE07A9, Message-ID: <af16e42a3d-5f16f@hosting.iwillvisit.com>, mail_id: eBYb_ACSJKlp, Hits: -2.887, size: 32962, queued_as: 3E581EE07AD, dkim_sd=default:hosting.iwillvisit.com, 4438 ms
Jan 13 18:30:25 hosting postfix/smtp[11100]: D7B1CEE07A9: to=<jser128@aol.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.8, delays=0.3/0.03/0/4.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3E581EE07AD)
Jan 13 18:30:26 hosting postfix/smtp[11199]: 3E581EE07AD: host mx-aol.mail.gm0.yahoodns.net[67.195.204.75] said: 421 4.7.0 [TSS04] Messages from 78.142.2.53 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Jan 13 18:30:26 hosting postfix/smtp[11199]: 3E581EE07AD: lost connection with mx-aol.mail.gm0.yahoodns.net[67.195.204.75] while sending RCPT TO
Jan 13 18:30:27 hosting postfix/smtp[11199]: 3E581EE07AD: to=<jser128@aol.com>, relay=mx-aol.mail.gm0.yahoodns.net[98.136.96.93]:25, delay=2.6, delays=0.21/0.02/2.3/0.16, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.136.96.93] said: 421 4.7.0 [TSS04] Messages from 78.142.2.53 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Jan 13 18:37:29 hosting postfix/qmgr[4753]: 3E581EE07AD: from=<date@hosting.iwillvisit.com>, size=33443, nrcpt=1 (queue active)
Jan 13 18:37:31 hosting postfix/smtp[19578]: 3E581EE07AD: host mx-aol.mail.gm0.yahoodns.net[67.195.228.84] said: 421 4.7.0 [TSS04] Messages from 78.142.2.53 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Jan 13 18:37:31 hosting postfix/smtp[19578]: 3E581EE07AD: lost connection with mx-aol.mail.gm0.yahoodns.net[67.195.228.84] while sending RCPT TO
Jan 13 18:37:32 hosting postfix/smtp[19578]: 3E581EE07AD: to=<jser128@aol.com>, relay=mx-aol.mail.gm0.yahoodns.net[98.136.96.93]:25, delay=427, delays=424/0.02/2.7/0.15, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.136.96.93] said: 421 4.7.0 [TSS04] Messages from 78.142.2.53 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Jan 13 18:47:29 hosting postfix/qmgr[4753]: 3E581EE07AD: from=<date@hosting.iwillvisit.com>, size=33443, nrcpt=1 (queue active)
Jan 13 18:47:30 hosting postfix/smtp[31356]: 3E581EE07AD: host mx-aol.mail.gm0.yahoodns.net[67.195.204.80] said: 421 4.7.0 [TSS04] Messages from 78.142.2.53 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Jan 13 18:47:30 hosting postfix/smtp[31356]: 3E581EE07AD: lost connection with mx-aol.mail.gm0.yahoodns.net[67.195.204.80] while sending RCPT TO
Jan 13 18:47:32 hosting postfix/smtp[31356]: 3E581EE07AD: to=<jser128@aol.com>, relay=mx-aol.mail.gm0.yahoodns.net[67.195.228.86]:25, delay=1027, delays=1024/0.02/2.5/0.19, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[67.195.228.86] said: 421 4.7.0 [TSS04] Messages from 78.142.2.53 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Jan 13 19:07:29 hosting postfix/qmgr[4753]: 3E581EE07AD: from=<date@hosting.iwillvisit.com>, size=33443, nrcpt=1 (queue active)
Jan 13 19:07:31 hosting postfix/smtp[18139]: 3E581EE07AD: host mx-aol.mail.gm0.yahoodns.net[67.195.228.84] said: 421 4.7.0 [TSS04] Messages from 78.142.2.53 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Jan 13 19:07:31 hosting postfix/smtp[18139]: 3E581EE07AD: lost connection with mx-aol.mail.gm0.yahoodns.net[67.195.228.84] while sending RCPT TO
Jan 13 19:07:32 hosting postfix/smtp[18139]: 3E581EE07AD: to=<jser128@aol.com>, relay=mx-aol.mail.gm0.yahoodns.net[98.136.96.92]:25, delay=2227, delays=2224/0/2.7/0.15, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.136.96.92] said: 421 4.7.0 [TSS04] Messages from 78.142.2.53 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Jan 13 19:47:29 hosting postfix/qmgr[4753]: 3E581EE07AD: from=<date@hosting.iwillvisit.com>, size=33443, nrcpt=1 (queue active)
Jan 13 19:47:31 hosting postfix/smtp[28902]: 3E581EE07AD: host mx-aol.mail.gm0.yahoodns.net[67.195.204.75] said: 421 4.7.0 [TSS04] Messages from 78.142.2.53 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Jan 13 19:47:31 hosting postfix/smtp[28902]: 3E581EE07AD: lost connection with mx-aol.mail.gm0.yahoodns.net[67.195.204.75] while sending RCPT TO
Jan 13 19:47:32 hosting postfix/smtp[28902]: 3E581EE07AD: to=<jser128@aol.com>, relay=mx-aol.mail.gm0.yahoodns.net[98.136.96.92]:25, delay=4627, delays=4625/0.04/2.2/0.15, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.136.96.92] said: 421 4.7.0 [TSS04] Messages from 78.142.2.53 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
[root@hosting ~]#
Postcat
Code: [Select]
postcat: name_mask: all
postcat: inet_addr_local: configured 3 IPv4 addresses
postcat: inet_addr_local: configured 2 IPv6 addresses
regular_text: Received: from localhost (unknown [127.0.0.1])
regular_text:   by hosting.iwillvisit.com (Postfix) with ESMTP id 3E581EE07AD
regular_text:   for <jser128@aol.com>; Thu, 13 Jan 2022 18:30:25 +0000 (UTC)
pointer_record:           34189
regular_text: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
regular_text:   d=hosting.iwillvisit.com; s=default; t=1642098625;
regular_text:   bh=91IhoeJ10AVd6+dm+TrkpM+e6e2Q8C7TqDuUwCzF8/U=;
regular_text:   h=Date:Subject:To:From:List-Unsubscribe;
regular_text:   b=UfsZQo3a8y7VG+8kCwh403SddxUNZB0BYfxQxuv3H0XU4Lm1jWOiSD0LE/E4ZT8T3
regular_text:    KnkBRMGG3VGk7WFIilinfYWN7p9mGP6o6HGxrQqwPkFcN2TUGboDQglhAQvsclMfkW
regular_text:    TFGVCnDVLmzrx+/xI1VeSd8s+33yI0MX0xTvXuvI=
regular_text: X-Virus-Scanned: amavisd-new at iwillvisit.com
pointer_record:             933
regular_text: Received: from hosting.iwillvisit.com ([127.0.0.1])
regular_text:   by localhost (hosting.iwillvisit.com [127.0.0.1]) (amavisd-new, port 10024)
regular_text:   with ESMTP id eBYb_ACSJKlp for <jser128@aol.com>;
regular_text:   Thu, 13 Jan 2022 18:30:21 +0000 (UTC)
regular_text: Received: from hosting.iwillvisit.com (localhost [127.0.0.1])
regular_text:   by hosting.iwillvisit.com (Postfix) with ESMTP id D7B1CEE07A9
regular_text:   for <jser128@aol.com>; Thu, 13 Jan 2022 18:30:20 +0000 (UTC)
regular_text: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
regular_text:   d=hosting.iwillvisit.com; s=default; t=1642098620;
regular_text:   bh=91IhoeJ10AVd6+dm+TrkpM+e6e2Q8C7TqDuUwCzF8/U=;
regular_text:   h=Date:Subject:To:From:List-Unsubscribe;
regular_text:   b=TM8/xtTG0a4laq938pAYOnjmzG8PBR+vcMXp0DlNTh3XSvIymNTQY/79EiMIru1u/
regular_text:    aH4TKKV+qcgrhVuMn3XG8sAXVeUVvRO1bNIYz1sjFymlYX0dUUesP2np9zf5LFcqm/
regular_text:    QcO6UkDgmZUt4LLAEcNM51/53gH4UM8czfivO99U=
regular_text: Date: Thu, 13 Jan 2022 18:30:20 +0000 (UTC)
regular_text: MIME-Version: 1.0
regular_text: Subject: Your profile is looking great
regular_text: Lev-Diameter: E9F665C2D9727E9D
regular_text: X-LinkedIn-Class: EMAIL-DEFAULT
regular_text: Content-ID: html-body
regular_text: X-LinkedIn-Id: 6f8dba11c4916ad21447793977e
regular_text: Require-Recipient-Valid-Since: jser128@aol.com; Thu, 13 Jan 2022 18:30:20 +0000
regular_text: Content-Type: text/html; charset=UTF-8
regular_text: To: "jser128@aol.com" <jser128@aol.com>
regular_text: Content-Transfer-Encoding: base64
regular_text: Felony-Simulates: sniffle
regular_text: X-LinkedIn-fbl: 2bb5818967c8315a7c3ed39a5f7ef59ecdea4e9efcd9768be
regular_text: Feedback-ID: email_notification_single_search_appearance_0:linkedin
regular_text: Contemplate-Telescopes-Modifiable: 79a134b2747
regular_text: Retransmits-Widened-Revolting: b618d821526
regular_text: From: LinkedIn <date@hosting.iwillvisit.com>
regular_text: X-LinkedIn-Template: email_notification_single_search_appearance_0
regular_text: Message-ID: <af16e42a3d-5f16f@hosting.iwillvisit.com>
regular_text: Kilometer-Echelon: ddcda75b
regular_text: List-Unsubscribe: <https://www.linkedin.com/e/v2?e=458be95e9&t=lun&midToken=44b63959c57&ek=email_notification_single_search_appearance_0&li=7&m=unsub&ts=unsub&loid=5dc4e6ee81c879f16b1f15373726b19af>
pointer_record:               0
[root@hosting ~]#

Offline
*
Re: Problems with Mail Service
« Reply #3 on: January 15, 2022, 11:09:32 AM »
Antivirus scan doesn`t find anything but the spam is still sending from server hostname:

Can you elaborate on your question? Are you saying that you know that your server is sending spam and you want the antivirus to block it but it isnt doing it?

Offline
*
Re: Problems with Mail Service
« Reply #4 on: January 15, 2022, 05:27:14 PM »
Also, according to your first log, it seems like your server is being used as a relay (a big no no), and also that you are already being blocked by yahoo.... (uff..) Right now they are giving you error code 421 which means temporarily rejected. They will eventually issue a permanent 554 error code.
An IPv4 address is precious. You need to get to the bottom of this spam issue quickly otherwise it will be hard to get your IP's reputation clean again. No hosting provider will allow you to change your IP of the server, specially if they know that you have tainted it by getting it on the blacklist.

You are already on 4 blacklists...
https://www.blacklistmaster.com/check?t=78.142.2.53

My recommendation for saving your IP is to completely shutdown postfix so the server won't send any more mail. You can keep dovecot open so you have access to the mail accounts with roundcube. Then take your time to figure it out.
« Last Edit: January 15, 2022, 05:35:51 PM by iraqiboy90 »

Offline
***
Re: Problems with Mail Service
« Reply #5 on: January 15, 2022, 10:37:51 PM »
Isn't an open relay, as mxtoolbox.com is not reporting this.
(Check here: https://mxtoolbox.com/diagnostic.aspx)

You don't clarify the volume of E-mail messages being sent from your server, but it seems several messages are being sent.

If you don't recognize these messages being sent, then most likely some user has had their password compromised, and neither Antispam nor Antivirus will stop this. You need to find out who the user is, and change the password to a stronger password, and more than that, find out how it was compromised, and prevent it from being compromised again.
That's an art.
The art of managing an internet server.

So, you need to verify who the authenticating user is to make this submission. You can start by trying to identify on the server who has authenticated to perform this sending, with the following command:
Code: [Select]
# grep 'auth=1' /var/log/maillog

Try to discover a line just right before the first sending attempt.