Is the mail account compromised or is there any other chance?

The server was sending spam, and now it is my task to clean it up. So I did a few things which solved a problem, but this one is still open. It seems that the owner receives mails from himself. A forwarding from info@domain.A to mail@domain.B is in place. The mail header looks like the following:

From:   27 2021 <>
X-Account-Key:  account1
X-UIDL: UID2733-1620041375
X-Mozilla-Status:   0001
X-Mozilla-Status2:  00000000
X-Mozilla-Keys: 
Return-Path:    <info@domain.A>
X-Original-To:  mail@domain.B
Delivered-To:   mail@domain.B
Received:   from domain.A (domain.A [1.2.3.4]) by domain.B (Postfix) with ESMTPS id 5E1A72008B for <mail@domain.B>; Thu, 1 Jul 2021 22:34:40 +0200 (CEST)
Received:   by domain.A (Postfix, from userid 30) id 44B4138173D; Thu, 1 Jul 2021 22:34:40 +0200 (CEST)
X-Original-To:  info@domain.A
Delivered-To:   info@domain.A
Received:   from hp0.221.gvbni.club (hp0.221.gvbni.club [159.65.219.21]) by domain.A (Postfix) with ESMTPS id E8F7F380E19 for <info@domain.A>; Thu, 1 Jul 2021 22:34:39 +0200 (CEST)
From:   domain.A <info@domain.A>
To: info@domain.A
Subject:    Notice from domain.A 30th June 2021 Error Report #496511148735
Date:   1 Jul 2021 13:34:38 -0700
Message-ID: <20210701133438.4F3F959FAAE23414@domain.A>
MIME-Version:   1.0
Content-Type:   text/html
Content-Transfer-Encoding:  quoted-printable

Plesk with Postfix is in use, and the mail queue is empty. The owner of info@domain.A did not send the message. Of course, this is possible with a compromised mail account. Is there any other possibility why this can happen?

Thank you very much

PS: the log shows the following:

Jul  1 22:34:39 h2086526 postfix/smtpd[6949]: connect from hp0.221.gvbni.club[159.65.219.21]
Jul  1 22:34:39 h2086526 postfix/smtpd[6949]: E8F7F380E19: client=hp0.221.gvbni.club[159.65.219.21]
Jul  1 22:34:40 h2086526 postfix/cleanup[7201]: E8F7F380E19: message-id=<20210701133438.4F3F959FAAE23414@domain.A>
Jul  1 22:34:40 h2086526 check-quota[7204]: Starting the check-quota filter...
Jul  1 22:34:40 h2086526 /usr/lib/plesk-9.0/psa-pc-remote[672]: handlers_stderr: SKIP
Jul  1 22:34:40 h2086526 /usr/lib/plesk-9.0/psa-pc-remote[672]: SKIP during call 'check-quota' handler
Jul  1 22:34:40 h2086526 postfix/qmgr[28667]: E8F7F380E19: from=<info@domain.A>, size=3932, nrcpt=1 (queue active)
Jul  1 22:34:40 h2086526 postfix-local[7206]: postfix-local: from=info@domain.A, to=info@domain.A, dirname=/var/qmail/mailnames
Jul  1 22:34:40 h2086526 dk_check[7207]: Starting the dk_check filter...
Jul  1 22:34:40 h2086526 dk_check[7207]: DKIM verify result: DKIM Feed: No signature
Jul  1 22:34:40 h2086526 check-quota[7212]: Starting the check-quota filter...
Jul  1 22:34:40 h2086526 plesk sendmail[7211]: handlers_stderr: SKIP
Jul  1 22:34:40 h2086526 plesk sendmail[7211]: SKIP during call 'check-quota' handler
Jul  1 22:34:40 h2086526 postfix/pickup[4154]: 44B4138173D: uid=30 from=<info@domain.A>
Jul  1 22:34:40 h2086526 postfix/cleanup[7201]: 44B4138173D: message-id=<20210701133438.4F3F959FAAE23414@domain.A>
Jul  1 22:34:40 h2086526 postfix/qmgr[28667]: 44B4138173D: from=<info@domain.A>, size=4101, nrcpt=1 (queue active)
Jul  1 22:34:40 h2086526 postfix/pipe[7205]: E8F7F380E19: to=<info@domain.A>, relay=plesk_virtual, delay=0.45, delays=0.38/0/0/0.06, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Jul  1 22:34:40 h2086526 postfix/qmgr[28667]: E8F7F380E19: removed
Jul  1 22:34:40 h2086526 postfix/smtp[7217]: 44B4138173D: to=<mail@domain.B>, relay=domain.B[1.2.3.4]:25, delay=0.15, delays=0/0.01/0.06/0.08, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5E1A72008B)
Jul  1 22:34:40 h2086526 postfix/qmgr[28667]: 44B4138173D: removed
Jul  1 22:34:40 h2086526 postfix/smtpd[6949]: disconnect from hp0.221.gvbni.club[159.65.219.21]

PPS: A valid mail was sent from testmail@web.de to support@domain.A, forwarded to support@domain.B:

Jul  6 20:35:36 h2086526 postfix/smtpd[31806]: connect from mout.web.de[212.227.15.4]
Jul  6 20:35:36 h2086526 postfix/smtpd[31806]: 2BEA8380E17: client=mout.web.de[212.227.15.4]
Jul  6 20:35:36 h2086526 postfix/cleanup[31873]: 2BEA8380E17: message-id=<1269DDAE-17B0-466B-A309-67FA2688FD76@web.de>
Jul  6 20:35:36 h2086526 check-quota[31876]: Starting the check-quota filter...
Jul  6 20:35:36 h2086526 /usr/lib/plesk-9.0/psa-pc-remote[672]: handlers_stderr: SKIP
Jul  6 20:35:36 h2086526 /usr/lib/plesk-9.0/psa-pc-remote[672]: SKIP during call 'check-quota' handler
Jul  6 20:35:36 h2086526 postfix/qmgr[28667]: 2BEA8380E17: from=<testmail@web.de>, size=2775, nrcpt=1 (queue active)
Jul  6 20:35:36 h2086526 postfix-local[31878]: postfix-local: from=testmail@web.de, to=support@domain.A, dirname=/var/qmail/mailnames
Jul  6 20:35:36 h2086526 dk_check[31879]: Starting the dk_check filter...
Jul  6 20:35:36 h2086526 dk_check[31879]: DKIM verify result: Success
Jul  6 20:35:36 h2086526 postfix/smtpd[31806]: disconnect from mout.web.de[212.227.15.4]
Jul  6 20:35:36 h2086526 dovecot: service=lda, user=support@domain.A, ip=[]. msgid=<1269DDAE-17B0-466B-A309-67FA2688FD76@web.de>: saved mail to INBOX
Jul  6 20:35:36 h2086526 check-quota[31890]: Starting the check-quota filter...
Jul  6 20:35:36 h2086526 plesk sendmail[31889]: handlers_stderr: SKIP
Jul  6 20:35:36 h2086526 plesk sendmail[31889]: SKIP during call 'check-quota' handler
Jul  6 20:35:36 h2086526 postfix/pickup[29043]: 707C738173E: uid=30 from=<SRS0=RS5/=L6=web.de=testmail@domain.A>
Jul  6 20:35:36 h2086526 postfix/cleanup[31873]: 707C738173E: message-id=<1269DDAE-17B0-466B-A309-67FA2688FD76@web.de>
Jul  6 20:35:36 h2086526 postfix/qmgr[28667]: 707C738173E: from=<SRS0=RS5/=L6=web.de=testmail@domain.A>, size=3027, nrcpt=1 (queue active)
Jul  6 20:35:36 h2086526 postfix/pipe[31877]: 2BEA8380E17: to=<support@domain.A>, relay=plesk_virtual, delay=0.3, delays=0.15/0/0/0.15, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Jul  6 20:35:36 h2086526 postfix/qmgr[28667]: 2BEA8380E17: removed
Jul  6 20:35:36 h2086526 postfix/smtp[31895]: 707C738173E: to=<support@domain.B>, relay=domain.B[1.2.3.4]:25, delay=0.21, delays=0/0.01/0.09/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8E7C1201F7)
Jul  6 20:35:36 h2086526 postfix/qmgr[28667]: 707C738173E: removed
vidarlo: Is the sender really A's standard MX? Have you checked the logs on A? What do they show? A claims it's received from uid 30, have you checked which user this is in `/etc/passwd`?
Tobias H: A lot to do, I know... The user with id 30 is: `popuser:x:30:31:POP3 service user`. I added the logs in the first post.
vidarlo: Is what the logs show *normal*, e.g. what would be shown for a legitimate mail? And why would popuser send emails? What software is running as popuser on the system concerned?
Tobias H: Thank you very much, I added the logs in the first post.
Tobias H: It looks like the server 159.65.219.21 sends mails from a foreign domain, or do you have another idea?