Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: davidS on December 30, 2015, 04:35:03 PM
-
Hello everyone :-?
Every day I get about 200 spam mails in the queue from the domain name "ontop-seo.com", which is no longer on my server, and the user of this host, "seo@ontopseo.com", is also no longer on my server.
Where does it come from? And how to resolve it?
26354505 (1, 1/26354505)
Return-path: JUNIEHILL@ontop-seo.com
From: JUNIE HILL 'JUNIEHILL@ontop-seo.com'
To: "rachel 31192 1835" 'rachel.31192.1835@swiftoilandgashouston.aplitrak.com', "michael l sewell" 'michael.l.sewell@ExxonMobil.com', "hr department2010" 'hr.department2010@yahoo.com', "mtoups" 'mtoups@swiftoilandgas.com', "darren harkness" 'darren.harkness@exxonmobil.com', "vacation" 'vacation@beachvillavip.com', "AConnolly" 'AConnolly@fircroft.com', "damita palmer" 'damita.palmer@fluor.com', "joe w sage" 'joe.w.sage@exxonmobil.com', "telinahill" 'telinahill@gmail.com', "marlin" 'marlin@luxuryres.com', "bbrodbeck" 'bbrodbeck@lifetimefitness.com', "lori" 'lori@corporateconnection.net', "greenhilljr" 'greenhilljr@gmail.com', "coolbreezesa" 'coolbreezesa@sbcglobal.net', "daniel villereal" 'daniel.villereal@RNDC-USA.com', "joestexasangel" 'joestexasangel@gmail.com', "jaime" 'jaime@lacasarealtygroup.com', "Jason Gibbons" 'Jason_Gibbons@sterlinghoteldallas.com', "fr reed" 'fr_reed@msn.com'
Subject: re:
Date: Tue, 30 Dec 2015 01:44:39 +0000
Size: 2740 bytes
inside the mail...
MESSAGE NUMBER 26354505
--------------
Received: (qmail 2771 invoked by uid 453); 30 Dec 2015 12:44:57 -0000
Received: from Unknown (HELO ori-comp.com) (42.119.69.105)
(smtp-auth username seo@ontop-seo.com, mechanism plain)
by ori-comp.com (qpsmtpd/0.84) with (AES256-GCM-SHA384 encrypted) ESMTPSA; Wed, 30 Dec 2015 14:44:57 +0200
Date: Tue, 30 Dec 2015 01:44:39 +0000
From: JUNIE HILL
To: "rachel 31192 1835" , "michael l sewell" , "hr department2010" , "mtoups" , "darren harkness" , "vacation" , "AConnolly" , "damita palmer" , "joe w sage" , "telinahill" , "marlin" , "bbrodbeck" , "lori" , "greenhilljr" , "coolbreezesa" , "daniel villereal" , "joestexasangel" , "jaime" , "Jason Gibbons" , "fr reed"
Message-ID: <8f0eb6ed7a8f$077840c3$ffdd9817$@ontop-seo.com>
Subject: re:
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_028D_D00279A9.7C3D604C"
X-Virus-Checked: Checked by ClamAV on ori-comp.com
-
> And how to resolve it?
Change the password of user 'seo', or lock the account.
-
Hi, and thank you.
The user "seo" and the domain "ontop-seo.com" are no longer hosted on my server. I deleted them two weeks ago, and I also changed all of his DNS records to point to the GoDaddy host.
But I still get those mails :-?
-
> Hi, and thank you.
> The user "seo" and the domain "ontop-seo.com" are no longer hosted on my server. I deleted them two weeks ago, and I also changed all of his DNS records to point to the GoDaddy host.
> But I still get those mails :-?
Check you do not have a backup MX that still finds its way to your server. Spammers will often use the backup MX.
-
> Check you do not have a backup MX that still finds its way to your server. Spammers will often use the backup MX.
I have never defined a backup MX.
-
I would check the qpsmtpd log files and find out which IP address(es) this spam is coming from. Is it internal, from your LAN, or does it come from outside? If it's from outside, you must make sure that your setup doesn't allow relaying.
-
> I would check the qpsmtpd log files and find out which IP address(es) this spam is coming from. Is it internal, from your LAN, or does it come from outside? If it's from outside, you must make sure that your setup doesn't allow relaying.
Hi,
The mails are coming from an IP outside the network, and I have only one server on my network, without computers.
This is a test log from mxtoolbox:
Connecting to 82.166.61.136
220 secureserver.ori-comp.com ESMTP [2486 ms]
EHLO PWS3.mxtoolbox.com
250-ori-comp.com Hi pws3.mxtoolbox.com [64.20.227.134]
250-PIPELINING
250-8BITMIME
250-SIZE 35000000
250 STARTTLS [781 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 <supertool@mxtoolbox.com>, sender OK - how exciting to get mail from you! [1000 ms]
RCPT TO:<test@example.com>
550 relaying denied test@example.com [797 ms]
PWS3v2 8174ms
No relaying, and qpsmtpd shows:
db configuration show qpsmtpd
qpsmtpd=service
Authentication=enabled
BadCountries=
Bcc=disabled
BccMode=cc
BccUser=maillog
DNSBL=enabled
GeoIP=enabled
LogLevel=6
MaxScannerSize=30000000
RBLList=bl.spamcop.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org
RHSBL=enabled
RelayRequiresAuth=enabled
SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
TlsBeforeAuth=1
access=public
qplogsumm=disabled
status=enabled
-
From your first post:
Received: from Unknown (HELO ori-comp.com) (42.119.69.105)
(smtp-auth username seo@ontop-seo.com, mechanism plain)
Follow Charlie's advice.
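
The Received header quoted above records an SMTP AUTH login as seo@ontop-seo.com from an outside address, which an unauthenticated relay test does not exercise. As an added example (not part of the original thread), this Python script tallies authenticated submissions per user and client IP from raw message headers; the regex assumes only the qpsmtpd header layout shown in the first post, and the second sample message is constructed.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the Received block from the first post, plus one constructed
# message from a LAN client that did not authenticate.
SAMPLE_QUEUE = [
    """Received: (qmail 2771 invoked by uid 453); 30 Dec 2015 12:44:57 -0000
Received: from Unknown (HELO ori-comp.com) (42.119.69.105)
 (smtp-auth username seo@ontop-seo.com, mechanism plain)
 by ori-comp.com (qpsmtpd/0.84) with (AES256-GCM-SHA384 encrypted) ESMTPSA; Wed, 30 Dec 2015 14:44:57 +0200
Subject: re:
""",
    """Received: from pc1 (HELO pc1.example.lan) (192.168.1.20)
 by ori-comp.com (qpsmtpd/0.84) with ESMTP; Wed, 30 Dec 2015 14:50:00 +0200
Subject: constructed local message
""",
]

# Assumption: layout taken from the header shown on this page. The smtp-auth
# clause is optional and may sit on a folded continuation line.
RECEIVED_RE = re.compile(
    r"^Received: from \S+ \(HELO [^)]*\) \((?P<ip>[0-9a-fA-F.:]+)\)"
    r"(?:\s+\(smtp-auth username (?P<user>[^,\s]+), mechanism (?P<mech>\w+)\))?",
    re.MULTILINE,
)


def auth_submissions(raw_message):
    """Yield (client_ip, auth_user, mechanism) for each hop that used SMTP AUTH."""
    for m in RECEIVED_RE.finditer(raw_message):
        if m.group("user"):
            yield m.group("ip"), m.group("user"), m.group("mech")


def summarize(messages):
    """Count authenticated submissions per (user, ip), non-private client IPs only."""
    counts = Counter()
    for raw in messages:
        for ip, user, _mech in auth_submissions(raw):
            if not ipaddress.ip_address(ip).is_private:
                counts[(user, ip)] += 1
    return counts


if __name__ == "__main__":
    for (user, ip), n in summarize(SAMPLE_QUEUE).most_common():
        print(f"{n:5d}  auth-user={user}  client-ip={ip}")
```

Any user name that appears in this tally is an account the server still accepts credentials for, so it is the one to lock or give a new password.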