CentOS email logs and remote emails being sent

Hi.

I noticed that my dedi box had a full mail queue with spam emails all being sent from the same domain hosted internally on the server.

After changing all the email passwords for the domain I can now see failed login attempts from Russia, France and an IP found to be in Germany (the server is based in the United Kingdom), so I expect a proxy is involved.

This is from /usr/local/psa/var/log/maillog
This is a Ukrainian IP address:
Sep 23 03:55:42 server88-208-248-91 /var/qmail/bin/relaylock[2019]: /var/qmail/bin/relaylock: mail from 94.158.158.194:63128 (592329.soborka.net)
Sep 23 03:55:43 server88-208-248-91 /var/qmail/bin/relaylock[2020]: /var/qmail/bin/relaylock: mail from 94.158.158.194:63188 (host-94-158-158-194.soborka.net)
Sep 23 03:55:43 server88-208-248-91 smtp_auth: SMTP connect from 592329.soborka.net [94.158.158.194]
Sep 23 03:55:43 server88-208-248-91 smtp_auth: FAILED: casper - password incorrect from 592329.soborka.net [94.158.158.194]
Sep 23 03:55:43 server88-208-248-91 smtp_auth: SMTP connect from host-94-158-158-194.soborka.net [94.158.158.194]

and some others:

Sep 19 03:30:29 server88-208-248-91 smtp_auth: SMTP connect from 122-103-149-92.chiba.fdn.vectant.ne.jp [122.103.149.92]
Sep 19 03:30:29 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 122-103-149-92.chiba.fdn.vectant.ne.jp [122.103.149.92]
Sep 19 03:30:32 server88-208-248-91 smtp_auth: SMTP connect from 194.28.152.193.base-net.ru [194.28.152.193]
Sep 19 03:30:32 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 194.28.152.193.base-net.ru [194.28.152.193]
Sep 19 03:30:39 server88-208-248-91 smtp_auth: SMTP connect from unknown [92.47.35.36]
Sep 19 03:30:39 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from (null) [92.47.35.36]
Sep 19 03:30:42 server88-208-248-91 smtp_auth: SMTP connect from 109-162-28-179-stbn.broadband.kyivstar.net [109.162.28.179]
Sep 19 03:30:42 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from 109-162-28-179-stbn.broadband.kyivstar.net [109.162.28.179]

I can also see that a lot of emails are being sent to domains with spoofed from addresses.
e.g

This email was received to an internal email on the server:

subject: Your account might be compromised
From:	Barclays Bank PLC
Date:	04/29/2014 (05:29:39 AM UTC)
To:	Undisclosed Recipients
1 Attachment
application/x-zip-compressed	Barclays Bank - Form.zip (4 KB)	
Dear Customer,

We recently have determined that different computers have logged in your Barclays
account, and multiple password failures were present before the logons.

For your security we have temporary suspended your account.
Please download the document attached to this email and fill carefully.

If you do not restore your account by April 30, we will be forced to suspend
your account indefinitely, as it may have been used for fraudulent purposes.

Do not ignore this message is for your security.

We apologize for any inconvenience.

Thank you,
Barclays Bank PLC.


Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

and I then found its headers by checking: /var/qmail/mailnames/domain.com/email_account/Maildir/

Received: (qmail 21075 invoked from network); 23 Apr 2014 11:02:04 +0100
Received: from static.119.17.76.144.clients.your-server.de (HELO c1.cyber-empire.com) (144.76.17.119)
  by server88-208-248-91.live-servers.net with (DHE-RSA-AES256-GCM-SHA384 encrypted) SMTP; 23 Apr 2014 11:02:04 +0100
Received: from mail1.islamichelp.org.uk ([213.120.215.123] helo=User)
	by c1.cyber-empire.com with esmtpa (Exim 4.82)
	(envelope-from <support@buhpressa.ru>)
	id 1Wctzn-00022y-Rm; Wed, 23 Apr 2014 12:01:40 +0200
Reply-To: <Barclays@email.barclays.co.uk>
From: "Barclays Bank PLC"<Barclays@email.barclays.co.uk>
Subject: Your account might be compromised
Date: Wed, 23 Apr 2014 11:01:33 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_012B_01C2A9A6.140BBE10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <E1Wctzn-00022y-Rm@c1.cyber-empire.com>
Sender: support@buhpressa.ru

This is a multi-part message in MIME format.

------=_NextPart_000_012B_01C2A9A6.140BBE10
Content-Type: text/plain;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit

Dear Customer,

We recently have determined that different computers have logged in your Barclays
account, and multiple password failures were present before the logons.

For your security we have temporary suspended your account.
Please download the document attached to this email and fill carefully.

If you do not restore your account by April 24, we will be forced to suspend
your account indefinitely, as it may have been used for fraudulent purposes.

Do not ignore this message is for your security.

We apologize for any inconvenience.

Thank you,
Barclays Bank PLC.


Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

------=_NextPart_000_012B_01C2A9A6.140BBE10
Content-Type: application/x-zip-compressed;
	name="Barclays Bank - Form.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="Barclays Bank - Form.zip"

[encoded file removed]

------=_NextPart_000_012B_01C2A9A6.140BBE10--


So I can see from the header that the envelope-from is <support@buhpressa.ru> but it looks like it's from Barclays@email.barclays.co.uk

It's obvious that the email is trying to get the user to open the attachment, which is a .zip   :D

So how can I secure the server to stop these emails?
Thanks.
helpchrisplz asked:

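As an added example covering the two things the question is looking at (the smtp_auth failures in maillog, and the spoofed From: address versus the real envelope-from in the headers), here is a small Python script that is not part of the original post or of Plesk/qmail. It embeds the log lines and the headers quoted above as its sample input; the function names and the min_ips_per_user threshold are my own choices, not anything in Plesk.

```python
import re
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import parseaddr

# Sample input: the smtp_auth lines quoted in the question (Plesk/qmail maillog format).
MAILLOG = """\
Sep 23 03:55:43 server88-208-248-91 smtp_auth: SMTP connect from 592329.soborka.net [94.158.158.194]
Sep 23 03:55:43 server88-208-248-91 smtp_auth: FAILED: casper - password incorrect from 592329.soborka.net [94.158.158.194]
Sep 19 03:30:29 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 122-103-149-92.chiba.fdn.vectant.ne.jp [122.103.149.92]
Sep 19 03:30:32 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 194.28.152.193.base-net.ru [194.28.152.193]
Sep 19 03:30:39 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from (null) [92.47.35.36]
Sep 19 03:30:42 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from 109-162-28-179-stbn.broadband.kyivstar.net [109.162.28.179]
"""

# One "smtp_auth: FAILED" line -> timestamp, account, reverse-DNS host (may be "(null)"), IP.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smtp_auth: FAILED: (?P<user>\S+) "
    r"- password incorrect from (?P<host>\S+) \[(?P<ip>[\d.]+)\]$"
)


def parse_failed_logins(log_text):
    """Return one dict per failed SMTP AUTH line; connect/relaylock lines are ignored."""
    return [m.groupdict() for m in map(FAILED_RE.match, log_text.splitlines()) if m]


def summarize(events, min_ips_per_user=2):
    """Failures per source IP, plus accounts probed from at least min_ips_per_user
    distinct IPs (the distributed guessing pattern visible in the question's log)."""
    per_ip = Counter(e["ip"] for e in events)
    ips_per_user = defaultdict(set)
    for e in events:
        ips_per_user[e["user"]].add(e["ip"])
    spread = {u: sorted(ips) for u, ips in ips_per_user.items()
              if len(ips) >= min_ips_per_user}
    return per_ip, spread


# Sample input: the relevant headers of the phishing message quoted in the question.
SAMPLE_HEADERS = """\
Received: (qmail 21075 invoked from network); 23 Apr 2014 11:02:04 +0100
Received: from mail1.islamichelp.org.uk ([213.120.215.123] helo=User)
\tby c1.cyber-empire.com with esmtpa (Exim 4.82)
\t(envelope-from <support@buhpressa.ru>)
\tid 1Wctzn-00022y-Rm; Wed, 23 Apr 2014 12:01:40 +0200
Reply-To: <Barclays@email.barclays.co.uk>
From: "Barclays Bank PLC"<Barclays@email.barclays.co.uk>
Subject: Your account might be compromised
Sender: support@buhpressa.ru

"""

ENVELOPE_FROM_RE = re.compile(r"envelope-from <([^>]+)>")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def sender_mismatch(raw_message):
    """Compare the envelope sender (envelope-from in a Received: header, falling back
    to Sender:) with the From: header; a domain mismatch is the spoofing seen above."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope_from = ""
    for received in msg.get_all("Received", []):
        m = ENVELOPE_FROM_RE.search(received)
        if m:
            envelope_from = m.group(1)
            break
    if not envelope_from:
        envelope_from = parseaddr(msg.get("Sender", ""))[1]
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "mismatch": domain_of(header_from) != domain_of(envelope_from),
    }


if __name__ == "__main__":
    events = parse_failed_logins(MAILLOG)
    per_ip, spread = summarize(events)
    for ip, n in per_ip.most_common():
        print(f"{ip:16} {n} failed AUTH attempt(s)")
    for user, ips in spread.items():
        print(f"{user} probed from {len(ips)} IPs: {', '.join(ips)}")
    print(sender_mismatch(SAMPLE_HEADERS))
```

On the real box you would feed the whole file to parse_failed_logins(open("/usr/local/psa/var/log/maillog").read()) and look at both views: one IP with many failures is a plain brute force worth blocking, while one account hit from many IPs in a few seconds (drivers@ and elaine@ here) means that mailbox is being targeted and its password must be strong and fresh. The header check is a triage aid, not proof on its own: mailing lists legitimately rewrite the envelope sender, but a bank From: with a .ru envelope-from and a zip attachment is the phishing pattern the question shows.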
gheist commented:
Ask the person who compiled and installed qmail...

Move quickly to (CentOS default) Postfix. It has so many wits in its default configuration that it is quite hard to set up an open relay unintentionally or even intentionally.

helpchrisplz (Author) commented:
It's rented from a hosting company with preinstalled Plesk. I have asked the hosting company's tech support but they just say to look for PHP scripts that might be insecure.

I haven't got much server maintenance knowledge, so I should change to CentOS Postfix. How can I action that? Thx.
gheist commented:
Easy peasy - stop qmail and take 5 minutes to THINK.
Now install and start Postfix.
It will by default let mail out, so stay reading /var/log/messages until all your web forms are secure.
You have 4-5 days before mails bounce... So have a good read of the postfix.org site and enable mail reception if you want it.
gheist commented:
https:#a40234964
(my first line is the basic procedure of mail abuse handling)