Koozali.org: home of the SME Server

Obsolete Releases => SME Server 8.x => Topic started by: crazybob on August 21, 2015, 06:17:11 PM

Title: email stops functioning [SOLVED]
Post by: crazybob on August 21, 2015, 06:17:11 PM
I am not sure where my problem is with my email, but it stops a couple of times a day. I have been uninstalling and re-installing qmail to get it running again.
I have Qmail queue management installed and when I look at the queue, I will see that there are 800 to 2000 messages in the remote queue.
Here are a couple of examples of the messages:
Code:
MESSAGE NUMBER 18301999
 --------------
Received: (qmail 24871 invoked by uid 453); 21 Aug 2015 13:13:02 -0000
Received: from cable-178-148-247-163.dynamic.sbb.rs (HELO srdpc.com) (178.148.247.163)
  (smtp-auth username jmorgan@rjm-design.com, mechanism plain)
  by srdpc.com (qpsmtpd/0.84) with (AES256-SHA encrypted) ESMTPSA; Fri, 21 Aug 2015 09:13:02 -0400
Subject: from:  Prayuansy Langsy
From: Prayuansy Langsy
Content-Type: multipart/alternative;
boundary=Apple-Mail-3FE75221-2AFD-6FAB-E476-D7C3C70443C0
X-Mailer: iPhone Mail (12D508)
Message-Id: <74397864347b$8f90063b$4312b115$@rjm-design.com>
Date: Thu, 21 Aug 2015 02:13:01 +0000
To: "Roger"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
X-Virus-Checked: Checked by ClamAV on srdpc.com


--Apple-Mail-3FE75221-2AFD-6FAB-E476-D7C3C70443C0
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit

Breaking news: http://gudangoxone.com/wait.php?Prayuansy_Langsy
 
Prayuansy Langsy

Sent from my iPhone   



--Apple-Mail-3FE75221-2AFD-6FAB-E476-D7C3C70443C0
Content-Type: text/html;
charset=utf-8
Content-Transfer-Encoding: 7bit

Breaking news: http://gudangoxone.com/wait.php?Prayuansy_Langsy

 

Prayuansy Langsy

Sent from my iPhone   



--Apple-Mail-3FE75221-2AFD-6FAB-E476-D7C3C70443C0--



 --------------
MESSAGE NUMBER 18302017
 --------------
Received: (qmail 24946 invoked by uid 453); 21 Aug 2015 13:13:15 -0000
Received: from cable-178-148-247-163.dynamic.sbb.rs (HELO srdpc.com) (178.148.247.163)
  (smtp-auth username jmorgan@rjm-design.com, mechanism plain)
  by srdpc.com (qpsmtpd/0.84) with (AES256-SHA encrypted) ESMTPSA; Fri, 21 Aug 2015 09:13:15 -0400
Subject: from:  Jeffrey Nadeau
From: Jeffrey Nadeau
Content-Type: multipart/alternative;
boundary=Apple-Mail-25D928D1-9FCB-D743-65E5-7C8E2A41F3AB
X-Mailer: iPhone Mail (12D508)
Message-Id: <7b6d111d9c80$c45f3d01$5fa8f27c$@rjm-design.com>
Date: Thu, 21 Aug 2015 02:13:09 +0000
To: "affinity ma" , "afrane" , "agentamyjolyns" , "atusz" , "bbauer" , "bergie11007" , "blm2" , "camerabird" , "camrabird" , "Careers" , "CBryntesen" , "cseidelman" , "dholzer" , "dominic00036" , "gvhanson" , "hmccool" , "jfroelke" , "job edxqb 2219909970" , "jobs" , "James"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
X-Virus-Checked: Checked by ClamAV on srdpc.com


--Apple-Mail-25D928D1-9FCB-D743-65E5-7C8E2A41F3AB
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi! http://pakundobet.it/here.php?Jeffrey_Nadeau

How are you?

Jeffrey Nadeau
Sent from my iPhone
--Apple-Mail-25D928D1-9FCB-D743-65E5-7C8E2A41F3AB
Content-Type: text/html;
charset=utf-8
Content-Transfer-Encoding: 7bit

Hi! http://pakundobet.it/here.php?Jeffrey_Nadeau


How are you?


Jeffrey Nadeau
Sent from my iPhone
--Apple-Mail-25D928D1-9FCB-D743-65E5-7C8E2A41F3AB--

rjm-design is a domain I have on my server, and jmorgan@rjm-design is a user.
He is at a remote location, and I have checked his computer for viruses and malware, and it came up clean.
 
srdpc.com is my main domain, and 134.215.197.162 is my static ip.

I am having the same issue with another domain on my server.
Have I been hacked, or is this a problem with spoofing?
Looking for a direction to go in to clear this up.
Thanks
Title: Re: email stops functioning
Post by: guest22 on August 21, 2015, 10:43:03 PM
Looks like someone is simply spamming you from Belgrade.
Title: Re: email stops functioning
Post by: mmccarn on August 22, 2015, 02:53:13 PM
According to mxtoolbox (http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a178.148.247.163&run=toolpage), the sending IP is listed by both spamhaus and sorbs.

You might consider adding 'zen.spamhaus.org' to your RBLList config.

(Of course, it's also possible that you're already using spamhaus, but the sending IP wasn't listed for a day or two after it started spamming...)
 
Title: Re: email stops functioning
Post by: Stefano on August 22, 2015, 04:04:15 PM
Maybe I'm wrong, but

Quote
(smtp-auth username jmorgan@rjm-design.com, mechanism plain)

AFAIK this line is saying that it's legitimate email.. user is authenticating..
am I wrong?
Title: Re: email stops functioning
Post by: crazybob on August 22, 2015, 05:01:02 PM
Yes, he is a legitimate user.

I am using zen.spamhaus.org in my RBLList.
Title: Re: email stops functioning
Post by: Stefano on August 22, 2015, 05:06:15 PM
Then change his password...
Title: Re: email stops functioning
Post by: crazybob on August 22, 2015, 05:06:55 PM
I will try that.
Title: Re: email stops functioning
Post by: Stefano on August 22, 2015, 06:40:51 PM
well, IIUC, you have a user account that is spamming via authenticated smtp..

I'm quite sure you MUST change his password ASAP
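
The diagnosis above rests on the `(smtp-auth username ...)` clause in the server's own Received header. As an added example (not part of the original posts), this Python script tallies authenticated submissions per account from a queue dump in the layout quoted in the first post; the function names, the sample dump, host names and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

AUTH_RE = re.compile(
    r"Received: from \S+ \(HELO [^)]*\) \((?P<ip>[0-9A-Fa-f.:]+)\)\s+"
    r"\(smtp-auth username (?P<user>[^,\s]+), mechanism [\w-]+\)")

def auth_submissions(dump):
    """Per smtp-auth username: queued message count and distinct client IPs."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set()})
    for chunk in re.split(r"^MESSAGE NUMBER \d+\s*$", dump, flags=re.M)[1:]:
        # Headers end at the first blank line; the body is sender-controlled.
        headers = chunk.lstrip("\n -").split("\n\n", 1)[0]
        # Trust only the topmost "Received: from" (stamped by our own server);
        # anything below it could have been supplied by the sender.
        top = re.search(r"^Received: from", headers, flags=re.M)
        m = AUTH_RE.match(headers, top.start()) if top else None
        if m:
            stats[m["user"]]["messages"] += 1
            stats[m["user"]]["ips"].add(m["ip"])
    return dict(stats)

def suspects(dump, min_messages=2):
    """Accounts with at least min_messages authenticated messages queued."""
    return sorted(u for u, s in auth_submissions(dump).items()
                  if s["messages"] >= min_messages)

def _msg(num, ip, user=None, body="hello"):
    """Build one constructed queue entry in the layout quoted in the thread."""
    auth = f"  (smtp-auth username {user}, mechanism plain)\n" if user else ""
    return (f"MESSAGE NUMBER {num}\n --------------\n"
            "Received: (qmail 1 invoked by uid 453); 21 Aug 2015 13:13:02 -0000\n"
            f"Received: from h.isp.example (HELO mail.example.com) ({ip})\n{auth}"
            "  by mail.example.com (qpsmtpd/0.84); Fri, 21 Aug 2015 09:13:02 -0400\n"
            f"Subject: test\n\n{body}\n --------------\n")

# Constructed sample: placeholder names, documentation-range addresses.
# The third message is unauthenticated and carries a forged header in its body.
FORGED = ("Received: from x.example (HELO x) (192.0.2.66)\n"
          "  (smtp-auth username bob@example.com, mechanism plain)")
SAMPLE_DUMP = (_msg(1001, "203.0.113.7", "alice@example.com")
               + _msg(1002, "198.51.100.9", "alice@example.com")
               + _msg(1003, "192.0.2.25", body=FORGED))

if __name__ == "__main__":
    for user, s in auth_submissions(SAMPLE_DUMP).items():
        print(user, s["messages"], sorted(s["ips"]))
```

An account that shows up with many queued messages, or from several unrelated client addresses, is the one whose password needs changing.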
Title: Re: email stops functioning
Post by: crazybob on August 22, 2015, 06:52:02 PM
Thank you all for a quick response.

I have changed passwords on two accounts that were showing to be the problem. I will watch how things progress.

Bob
Title: Re: email stops functioning [SOLVED]
Post by: crazybob on August 24, 2015, 06:08:43 PM
Changing the passwords seems to have fixed it. Thanks.