Is the mail account compromised or is there any other chance?

The server was sending spam, and now it is my task to clean it up. So I did a few things which solved one problem, but this one is still open. It seems that the owner receives mails from himself. A forwarding from [email protected] to [email protected] is in place. The mail header looks like the following:

From:   27 2021 <>
X-Account-Key:  account1
X-UIDL: UID2733-1620041375
X-Mozilla-Status:   0001
X-Mozilla-Status2:  00000000
X-Mozilla-Keys: 
Return-Path:    <[email protected]>
X-Original-To:  [email protected]
Delivered-To:   [email protected]
Received:   from domain.A (domain.A [1.2.3.4]) by domain.B (Postfix) with ESMTPS id 5E1A72008B for <[email protected]>; Thu, 1 Jul 2021 22:34:40 +0200 (CEST)
Received:   by domain.A (Postfix, from userid 30) id 44B4138173D; Thu, 1 Jul 2021 22:34:40 +0200 (CEST)
X-Original-To:  [email protected]
Delivered-To:   [email protected]
Received:   from hp0.221.gvbni.club (hp0.221.gvbni.club [159.65.219.21]) by domain.A (Postfix) with ESMTPS id E8F7F380E19 for <[email protected]>; Thu, 1 Jul 2021 22:34:39 +0200 (CEST)
From:   domain.A <[email protected]>
To: [email protected]
Subject:    Notice from domain.A 30th June 2021 Error Report #496511148735
Date:   1 Jul 2021 13:34:38 -0700
Message-ID: <[email protected]>
MIME-Version:   1.0
Content-Type:   text/html
Content-Transfer-Encoding:  quoted-printable

Plesk with Postfix is in use, and the mail queue is empty. The owner of [email protected] did not send the message. Of course, this is possible with a compromised mail account. Is there any other possible explanation for why this can happen?

Thank you very much

PS: the log shows the following:

Jul  1 22:34:39 h2086526 postfix/smtpd[6949]: connect from hp0.221.gvbni.club[159.65.219.21]
Jul  1 22:34:39 h2086526 postfix/smtpd[6949]: E8F7F380E19: client=hp0.221.gvbni.club[159.65.219.21]
Jul  1 22:34:40 h2086526 postfix/cleanup[7201]: E8F7F380E19: message-id=<[email protected]>
Jul  1 22:34:40 h2086526 check-quota[7204]: Starting the check-quota filter...
Jul  1 22:34:40 h2086526 /usr/lib/plesk-9.0/psa-pc-remote[672]: handlers_stderr: SKIP
Jul  1 22:34:40 h2086526 /usr/lib/plesk-9.0/psa-pc-remote[672]: SKIP during call 'check-quota' handler
Jul  1 22:34:40 h2086526 postfix/qmgr[28667]: E8F7F380E19: from=<[email protected]>, size=3932, nrcpt=1 (queue active)
Jul  1 22:34:40 h2086526 postfix-local[7206]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Jul  1 22:34:40 h2086526 dk_check[7207]: Starting the dk_check filter...
Jul  1 22:34:40 h2086526 dk_check[7207]: DKIM verify result: DKIM Feed: No signature
Jul  1 22:34:40 h2086526 check-quota[7212]: Starting the check-quota filter...
Jul  1 22:34:40 h2086526 plesk sendmail[7211]: handlers_stderr: SKIP
Jul  1 22:34:40 h2086526 plesk sendmail[7211]: SKIP during call 'check-quota' handler
Jul  1 22:34:40 h2086526 postfix/pickup[4154]: 44B4138173D: uid=30 from=<[email protected]>
Jul  1 22:34:40 h2086526 postfix/cleanup[7201]: 44B4138173D: message-id=<[email protected]>
Jul  1 22:34:40 h2086526 postfix/qmgr[28667]: 44B4138173D: from=<[email protected]>, size=4101, nrcpt=1 (queue active)
Jul  1 22:34:40 h2086526 postfix/pipe[7205]: E8F7F380E19: to=<[email protected]>, relay=plesk_virtual, delay=0.45, delays=0.38/0/0/0.06, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Jul  1 22:34:40 h2086526 postfix/qmgr[28667]: E8F7F380E19: removed
Jul  1 22:34:40 h2086526 postfix/smtp[7217]: 44B4138173D: to=<[email protected]>, relay=domain.B[1.2.3.4]:25, delay=0.15, delays=0/0.01/0.06/0.08, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5E1A72008B)
Jul  1 22:34:40 h2086526 postfix/qmgr[28667]: 44B4138173D: removed
Jul  1 22:34:40 h2086526 postfix/smtpd[6949]: disconnect from hp0.221.gvbni.club[159.65.219.21]

PPS: A valid mail was sent from [email protected] to [email protected], forwarded to [email protected]:

Jul  6 20:35:36 h2086526 postfix/smtpd[31806]: connect from mout.web.de[212.227.15.4]
Jul  6 20:35:36 h2086526 postfix/smtpd[31806]: 2BEA8380E17: client=mout.web.de[212.227.15.4]
Jul  6 20:35:36 h2086526 postfix/cleanup[31873]: 2BEA8380E17: message-id=<[email protected]>
Jul  6 20:35:36 h2086526 check-quota[31876]: Starting the check-quota filter...
Jul  6 20:35:36 h2086526 /usr/lib/plesk-9.0/psa-pc-remote[672]: handlers_stderr: SKIP
Jul  6 20:35:36 h2086526 /usr/lib/plesk-9.0/psa-pc-remote[672]: SKIP during call 'check-quota' handler
Jul  6 20:35:36 h2086526 postfix/qmgr[28667]: 2BEA8380E17: from=<[email protected]>, size=2775, nrcpt=1 (queue active)
Jul  6 20:35:36 h2086526 postfix-local[31878]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Jul  6 20:35:36 h2086526 dk_check[31879]: Starting the dk_check filter...
Jul  6 20:35:36 h2086526 dk_check[31879]: DKIM verify result: Success
Jul  6 20:35:36 h2086526 postfix/smtpd[31806]: disconnect from mout.web.de[212.227.15.4]
Jul  6 20:35:36 h2086526 dovecot: service=lda, [email protected], ip=[]. msgid=<[email protected]>: saved mail to INBOX
Jul  6 20:35:36 h2086526 check-quota[31890]: Starting the check-quota filter...
Jul  6 20:35:36 h2086526 plesk sendmail[31889]: handlers_stderr: SKIP
Jul  6 20:35:36 h2086526 plesk sendmail[31889]: SKIP during call 'check-quota' handler
Jul  6 20:35:36 h2086526 postfix/pickup[29043]: 707C738173E: uid=30 from=<SRS0=RS5/[email protected]>
Jul  6 20:35:36 h2086526 postfix/cleanup[31873]: 707C738173E: message-id=<[email protected]>
Jul  6 20:35:36 h2086526 postfix/qmgr[28667]: 707C738173E: from=<SRS0=RS5/[email protected]>, size=3027, nrcpt=1 (queue active)
Jul  6 20:35:36 h2086526 postfix/pipe[31877]: 2BEA8380E17: to=<[email protected]>, relay=plesk_virtual, delay=0.3, delays=0.15/0/0/0.15, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Jul  6 20:35:36 h2086526 postfix/qmgr[28667]: 2BEA8380E17: removed
Jul  6 20:35:36 h2086526 postfix/smtp[31895]: 707C738173E: to=<[email protected]>, relay=domain.B[1.2.3.4]:25, delay=0.21, delays=0/0.01/0.09/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8E7C1201F7)
Jul  6 20:35:36 h2086526 postfix/qmgr[28667]: 707C738173E: removed
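The Received: chain in the question can be checked mechanically. The following is an added example (not from the question, Plesk or Postfix): it walks the Received: headers from oldest to newest, finds the first hop that reached one of our own hosts from a foreign host, and reports whether the From: address nonetheless claims one of our domains. The header sample, the owner@domain.A mailbox and the host list are constructed to mirror the question's hop structure.

```python
# Added example: trace a message's Received: chain to find its entry point into
# our mail hosts. Domains, mailbox and the SAMPLE headers are constructed.
import email
import email.utils
import re

SAMPLE = """\
Return-Path: <owner@domain.A>
Received: from domain.A (domain.A [1.2.3.4]) by domain.B (Postfix)
 with ESMTPS id 5E1A72008B for <owner@domain.B>; Thu, 1 Jul 2021 22:34:40 +0200
Received: by domain.A (Postfix, from userid 30) id 44B4138173D; Thu, 1 Jul 2021 22:34:40 +0200
Received: from hp0.221.gvbni.club (hp0.221.gvbni.club [159.65.219.21])
 by domain.A (Postfix) with ESMTPS id E8F7F380E19 for <owner@domain.A>; Thu, 1 Jul 2021 22:34:39 +0200
From: domain.A <owner@domain.A>
To: owner@domain.A
Subject: Notice from domain.A 30th June 2021 Error Report #496511148735
"""

# "from HOST (REVERSE-DNS [IP]) by HOST"; folded continuation lines are whitespace.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]+)\s*\[([^\]]+)\]\)\s+by\s+(\S+)", re.S)
BY_RE = re.compile(r"by\s+(\S+)")


def hops(raw):
    """Received: headers are prepended, so reverse them for chronological order.
    Each hop is (from_host, from_ip, by_host); a local submission has no sender."""
    msg = email.message_from_string(raw)
    out = []
    for rcvd in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(rcvd)
        if m:
            out.append((m.group(1), m.group(3), m.group(4)))
        else:  # e.g. "by domain.A (Postfix, from userid 30)": picked up locally
            by = BY_RE.search(rcvd)
            out.append((None, None, by.group(1) if by else None))
    return out


def assess(raw, our_hosts):
    """First hop that reached one of our hosts from a foreign host, plus whether
    the From: address claims one of our own domains despite that origin."""
    ours = {h.lower() for h in our_hosts}
    from_addr = email.utils.parseaddr(email.message_from_string(raw).get("From", ""))[1]
    entry = next(((h, ip) for h, ip, by in hops(raw)
                  if h and by and by.lower() in ours and h.lower() not in ours), None)
    return {
        "entry_host": entry[0] if entry else None,
        "entry_ip": entry[1] if entry else None,
        "from": from_addr,
        "from_claims_our_domain": entry is not None and from_addr.rsplit("@", 1)[-1].lower() in ours,
    }
```

For the question's message this reports the entry host hp0.221.gvbni.club (159.65.219.21) with a From: in our own domain; the subsequent "userid 30" hop is only the local forwarding re-injecting it towards domain.B.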
vidarlo: Is the sender really A's standard MX? Have you checked the logs on A? What do they show? A claims it's received from uid 30; have you checked which user this is in `/etc/passwd`?

Tobias H: A lot to do, I know... User with id 30 is `popuser:x:30:31:POP3 service user`. I added the logs in the first post.

vidarlo: Is what the logs show *normal*, i.e. what would be shown for a legitimate mail? And why would popuser send emails? What software is running as popuser on the system concerned?

Tobias H: Thank you very much, I added the logs in the first post.

Tobias H: It looks like the server 159.65.219.21 sends mails from a foreign domain, or do you have another idea?