{"id":2112,"date":"2022-08-30T15:22:09","date_gmt":"2022-08-30T15:22:09","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2014\/01\/02\/ubuntu-10-04-postfix-dovecot-ispconfig-3-send-spam-from-own-domain-to-random-users-collection-of-common-programming-errors\/"},"modified":"2022-08-30T15:22:09","modified_gmt":"2022-08-30T15:22:09","slug":"ubuntu-10-04-postfix-dovecot-ispconfig-3-send-spam-from-own-domain-to-random-users-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2022\/08\/30\/ubuntu-10-04-postfix-dovecot-ispconfig-3-send-spam-from-own-domain-to-random-users-collection-of-common-programming-errors\/","title":{"rendered":"Ubuntu 10.04 Postfix Dovecot ISPConfig 3 &#8211; send spam from own domain to random users-Collection of common programming errors"},"content":{"rendered":"<p>My Config: Ubuntu 10.04 Postfix 2.7.0 Dovecot 1.2.9 ISPConfig 3.0.4.2<\/p>\n<p>I&#8217;ve got the problem that an unknown \/ invalid user, e.g. dexter_rollins@xxxx&gt; sends mails to different emails.<\/p>\n<p>Every 5 &#8211; 7 min it&#8217;s sending 10 emails with random senders and recipients, but the senders&#8217; domain is managed by this server.<\/p>\n<p>If I stop Apache it stops. 
Is there a solution for how to find the error or misconfigured form, or is it possible to fix it with postfix?<\/p>\n<p>mail.log shows this:<\/p>\n<blockquote>\n<p>Jan 24 22:00:30 xxxx postfix\/qmgr[5489]: 342E47F580BA: from=, size=1826, nrcpt=1 (queue active) Jan 24 22:00:30 xxxx postfix\/qmgr[5489]: 3E9D77F58060: from=, size=1708, nrcpt=1 (queue active) Jan 24 22:00:30 xxxx postfix\/qmgr[5489]: B482A179F8854: from=, size=1863, nrcpt=1 (queue active) Jan 24 22:00:30 xxxx postfix\/qmgr[5489]: 198117F58090: from=, size=1801, nrcpt=1 (queue active) Jan 24 22:00:30 xxxx postfix\/qmgr[5489]: 580787F58091: from=, size=1810, nrcpt=1 (queue active)<\/p>\n<p>Jan 25 03:12:07 xxxx postfix\/qmgr[20249]: 4BF9F179F85DE: from=, size=4497, nrcpt=1 (queue active) Jan 25 03:12:07 xxxx postfix\/bounce[21727]: 60926179F85DF: sender non-delivery notification: 4BF9F179F85DE Jan 25 03:12:07 xxxx postfix\/qmgr[20249]: 60926179F85DF: removed Jan 25 03:12:07 xxxx postfix\/pipe[21681]: 4BF9F179F85DE: to=, relay=dovecot, delay=0.02, delays=0.01\/0\/0\/0.01, dsn=5.1.1, status=bounced (user unknown) Jan 25 03:12:07 v postfix\/qmgr[20249]: 4BF9F179F85DE: removed<\/p>\n<\/blockquote>\n<p>apache2ctl -t -D DUMP_MODULES<\/p>\n<blockquote>\n<p>Loaded Modules: core_module (static) log_config_module (static) logio_module (static) mpm_prefork_module (static) http_module (static) so_module (static) actions_module (shared) alias_module (shared) auth_basic_module (shared) auth_digest_module (shared) authn_file_module (shared) authz_default_module (shared) authz_groupfile_module (shared) authz_host_module (shared) authz_user_module (shared) autoindex_module (shared) cgi_module (shared) deflate_module (shared) dir_module (shared) env_module (shared) expires_module (shared) fcgid_module (shared) include_module (shared) mime_module (shared) negotiation_module (shared) php5_module (shared) reqtimeout_module (shared) rewrite_module (shared) setenvif_module (shared) ssl_module (shared) status_module (shared) 
suexec_module (shared) suphp_module (shared) unique_id_module (shared) Syntax OK<\/p>\n<\/blockquote>\n<p>httpd.conf is empty<\/p>\n<p>apache2.conf: apache2conf<\/p>\n<p>default vhost: default vhost<\/p>\n<p>\/etc\/apache2\/mods-available\/<\/p>\n<blockquote>\n<p>actions.load dav.load php5.load alias.load dav_lock.load proxy_ajp.load asis.load dbd.load proxy_balancer.load auth_basic.load deflate.load proxy_connect.load auth_digest.load dir.load proxy_ftp.load authn_alias.load disk_cache.load proxy_http.load authn_anon.load dump_io.load proxy.load authn_dbd.load env.load proxy_scgi.load authn_dbm.load expires.load reqtimeout.load authn_default.load ext_filter.load rewrite.load authn_file.load fcgid.load ruby.load authnz_ldap.load file_cache.load setenvif.load authz_dbm.load filter.load speling.load authz_default.load headers.load ssl.load authz_groupfile.load ident.load status.load authz_host.load imagemap.load substitute.load authz_owner.load include.load suexec.load authz_user.load info.load suphp.load autoindex.load ldap.load unique_id.load cache.load log_forensic.load userdir.load cern_meta.load mem_cache.load<\/p>\n<p>usertrack.load cgid.load mime.load version.load cgi.load mime_magic.load vhost_alias.load charset_lite.load mod-security.load dav_fs.load negotiation.load<\/p>\n<\/blockquote>\n<p>\/etc\/apache2\/mods-enabled<\/p>\n<blockquote>\n<p>actions.load cgi.load reqtimeout.load alias.load deflate.load rewrite.load auth_basic.load dir.load setenvif.load auth_digest.load env.load ssl.load authn_file.load expires.load status.load authz_default.load fcgid.load suexec.load authz_groupfile.load include.load suphp.load authz_host.load mime.load unique_id.load authz_user.load negotiation.load autoindex.load php5.load<\/p>\n<\/blockquote>\n<p>I&#8217;ve got this error message, too:<\/p>\n<blockquote>\n<p>Return-Path: X-Original-To: py.brancom@SPAMTRAP.INVALID Received: from www.mydomaim.de (mail.mydomain.de [xxx.xxx.xxx.xxx]) by mx.selfip.biz (Spamtrap) with ESMTP 
for py.brancom@SPAMTRAP.INVALID; Sat, 04 Feb 2012 00:52:21 +0100 (CET) Date: Sat, 4 Feb 2012 00:52:20 +0100 To: py.brancom@SPAMTRAP.INVALID From: &quot;Levitra Sales&quot; Subject: Hi, get 64% better prices, quod hand carpalin Message-ID: X-Priority: 3 <strong>X-Mailer: ZuckMail [version 1.00]<\/strong> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text\/plain; charset=&quot;UTF-8&quot;<\/p>\n<\/blockquote>\n<ol>\n<li>\n<p>If the behavior stops when Apache is stopped, then it&#8217;s likely that your Apache configuration allows for some sort of proxying, which is being abused by the spammer to send mail through your machine.<\/p>\n<p>Start with this: http:\/\/wiki.apache.org\/httpd\/ProxyAbuse<\/p>\n<p>Also, check your httpd log files, and look for suspicious entries, specifically ones that do not reference the URLs that you actually host.<\/p>\n<\/li>\n<li>\n<p>Check for suspicious or altered files in your virtualhost.<\/p>\n<p>Check for active suspicious processes (<code>ps aux<\/code>).<\/p>\n<p>Check httpd access.log entries with date\/time immediately before the postfix accepting mail for delivery notification.<\/p>\n<\/li>\n<\/ol>\n<p id=\"rop\"><small>Originally posted 2014-01-02 12:06:05. <\/small><\/p>","protected":false},"excerpt":{"rendered":"<p>My Config: Ubuntu 10.04 Postfix 2.7.0 Dovecot 1.2.9 ISPConfig 3.0.4.2 I&#8217;ve got the problem that an unknown \/ invalid user, e.g. dexter_rollins@xxxx&gt; sends mails to different emails. Every 5 &#8211; 7 min it&#8217;s sending 10 emails with random senders and recipients, but the senders&#8217; domain is managed by this server. If I stop Apache it stops. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2112","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/2112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=2112"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/2112\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=2112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=2112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=2112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}