
mail queue spam?

Jayson

Basic Pleskian
CentOS 6.3 with Panel 11.0.9 Update #15

Hello, I have been having spam appear in my queue originating from an external network without using an authenticated account, which I appear to be relaying.

subject "СТРОИТЕЛЬНАЯ ДЕЯТЕЛЬНОСТЬ"
sender, "=?windows-1251?B?wtGoIM4g0dLQzsjSxcvczc7JIMTF39LFy9zN?="

Checking it from the queue I see,
X-No-Relay: not in my network
X-No-Relay: not in my network
--snip--
Received: from Unknown (unknown [190.251.104.30])
--snip--

Why does it say received? I should not have allowed it as they are a non-authenticated user.

Checking Maillog I see repeated,
Oct 1 03:45:00 uber pop3d: LOGOUT, ip=[::ffff:200.91.77.46]
Oct 1 03:45:01 uber pop3d: Connection, ip=[::ffff:200.91.77.46]
Oct 1 03:45:01 uber pop3d: Connection, ip=[::ffff:200.91.77.46]
Oct 1 03:45:07 uber pop3d: IMAP connect from @ [::ffff:200.91.77.46]checkmailpasswd: FAILED: noah - short names not allowed from @ [::ffff:200.91.77.46]IMAP connect from @ [::ffff:200.91.77.46]checkmailpasswd: FAILED: nina - short names not allowed from @ [::ffff:200.91.77.46]ERR: LOGIN FAILED, ip=[::ffff:200.91.77.46]
Oct 1 03:45:07 uber pop3d: LOGIN FAILED, ip=[::ffff:200.91.77.46]
Oct 1 03:45:07 uber pop3d: LOGOUT, ip=[::ffff:200.91.77.46]
Oct 1 03:45:07 uber pop3d: LOGOUT, ip=[::ffff:200.91.77.46]
Oct 1 03:45:09 uber pop3d: Connection, ip=[::ffff:200.91.77.46]
Oct 1 03:45:09 uber pop3d: Connection, ip=[::ffff:200.91.77.46]
Oct 1 03:45:10 uber postfix/qmgr[7152]: 3B9FDEC206F: from=<[email protected]>, size=19340, nrcpt=20 (queue active)
Oct 1 03:45:10 uber postfix/qmgr[7152]: 21AD2EC21F1: from=<[email protected]>, size=60283, nrcpt=20 (queue active)
Oct 1 03:45:11 uber pop3d: IMAP connect from @ [::ffff:200.91.77.46]checkmailpasswd: FAILED: noah - short names not allowed from @ [::ffff:200.91.77.46]IMAP connect from @ [::ffff:200.91.77.46]checkmailpasswd: FAILED: nina - short names not allowed from @ [::ffff:200.91.77.46]
Aside from blocking the IP address, any ideas on how to prevent this?

Thank you,
 
Jayson, the information you've provided is far from complete, or at least usable. What evidence do you have that your server is relaying for an authenticated user? The two postfix entries don't give any hint on this. Try searching for "sasl_username" strings in maillog file, if you're suspecting a compromised account. And if this is indeed the problem, just log into Plesk and change the password for that account. But we need more relevant log entries and, if possible, the entire list of Received: headers.
Also, it's generally useful to get Postfix to display the "Authenticated sender:" information in the Received: header added by smtpd. See "smtpd_sasl_authenticated_header" parameter in postconf(5) manpage.
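One way to carry out the "sasl_username" search suggested above, added here as an example and not taken from the thread: this Python script parses constructed Postfix maillog lines (not the poster's logs), joins each smtpd `sasl_username` record to the `nrcpt` count that qmgr logs under the same queue id, and flags accounts that submit from several client IPs or to many recipients. The log layout matches stock Postfix logging; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not from the original post). Postfix smtpd
# logs sasl_username for every authenticated submission; qmgr logs the
# recipient count (nrcpt) under the same queue id, which lets us join them.
SAMPLE_MAILLOG = """\
Oct  1 03:45:08 uber postfix/smtpd[7101]: 3B9FDEC206F: client=unknown[190.251.104.30], sasl_method=LOGIN, sasl_username=customer@example.com
Oct  1 03:45:09 uber postfix/smtpd[7101]: 21AD2EC21F1: client=unknown[200.91.77.46], sasl_method=LOGIN, sasl_username=customer@example.com
Oct  1 03:45:09 uber postfix/smtpd[7103]: 5C2E1EC2210: client=office.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=staff@example.com
Oct  1 03:45:10 uber postfix/qmgr[7152]: 3B9FDEC206F: from=<customer@example.com>, size=19340, nrcpt=20 (queue active)
Oct  1 03:45:10 uber postfix/qmgr[7152]: 21AD2EC21F1: from=<customer@example.com>, size=60283, nrcpt=20 (queue active)
Oct  1 03:45:11 uber postfix/qmgr[7152]: 5C2E1EC2210: from=<staff@example.com>, size=2210, nrcpt=1 (queue active)
"""

SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S*?\[(?P<ip>[^\]]+)\],.*? sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def summarize_sasl_senders(log_text):
    """Return {sasl_username: {"messages": n, "recipients": n, "ips": set}}."""
    qid_owner = {}  # queue id -> authenticated account that submitted it
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set()})
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            user = m.group("user")
            qid_owner[m.group("qid")] = user
            stats[user]["messages"] += 1
            stats[user]["ips"].add(m.group("ip"))
            continue
        m = QMGR_RE.search(line)
        if m and m.group("qid") in qid_owner:
            stats[qid_owner[m.group("qid")]]["recipients"] += int(m.group("nrcpt"))
    return dict(stats)


def suspicious_accounts(stats, min_ips=2, min_recipients=20):
    """Accounts authenticating from several client IPs, or pushing bulk recipients (assumed thresholds)."""
    return sorted(u for u, s in stats.items()
                  if len(s["ips"]) >= min_ips or s["recipients"] >= min_recipients)


if __name__ == "__main__":
    stats = summarize_sasl_senders(SAMPLE_MAILLOG)
    for user in suspicious_accounts(stats):
        s = stats[user]
        print(f"{user}: {s['messages']} msgs, {s['recipients']} rcpts, from {sorted(s['ips'])}")
```

On a live server, feed it the output of `grep sasl_username /usr/local/psa/var/log/maillog` (path assumed) together with the matching qmgr lines; the flagged account is the one whose password to change in Plesk.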
 
Thank you for your help and I apologize for not providing more information. The server only has 120 domains, but there is a lot of mail activity and I was having problems understanding where it was coming from while parsing the log file. I did eventually trace it back to a customer email account. I changed their password and it appears to have fixed the problem. I'm googling smtpd_sasl_authenticated_header information and will be looking for any other flags that might help me when searching through maillog. I'm new to Postfix, but it's been working pretty good.
 