Hello
For some days now, in my queue (Exim) I have been seeing a lot of emails from Google accounts to our accounts, but using names of one domain inside my server (returned emails). I mean:
Code:
#exim -Mvl 1VoYIi-000PnS-5L
2013-12-05 12:45:05 Received from <> R=1VoYIh-000PnE-TG U=mailnull P=local S=2881 T="Mail delivery failed: returning message to sender"
2013-12-05 12:45:09 SMTP error from remote mail server after RCPT TO:<[email protected]>: host aspmx.l.google.com [173.194.78.26]: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1 http://support.google.com/mail/bin/a...py?answer=6596 bo12si1008868wib.66 - gsmtp
2013-12-05 12:45:09 [email protected] R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host aspmx.l.google.com [173.194.78.26]: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1 http://support.google.com/mail/bin/a...py?answer=6596 bo12si1008868wib.66 - gsmtp
*** Frozen (delivery error message)
#exim -Mvb 1VoYIi-000PnS-5L
Return-path: <[email protected]>
Received: from cpe-c83a353d88c8.cpe.cableonda.net ([190.219.233.231]:26822)
by server with esmtp (Exim 4.82)
(envelope-from <[email protected]>)
id 1VoYIh-000PnE-TG
for [email protected]; Thu, 05 Dec 2013 12:45:04 +0000
Received: from apache by kdlqijaimrrgkdadi.bmatter.com with local (Exim 4.63)
(envelope-from <<[email protected]>>)
id 9M089L-KIWFUF-ML
for <[email protected]>; Thu, 5 Dec 2013 07:48:37 -0500
To: <dio[email protected]>
Subject: Job offer match, respond to apply
It seems that:
An account/website is infected and is sending emails with for <[email protected]>; afterwards the returned emails go back to the account. The queue is around 1000 in 1 hour.
I can't work out how to see it, because it's using user=mailnull, and I don't know which user it is using.
Any help?
Best Regards
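
Added example, not part of the original post: a Python sketch that reads the text `exim -Mvb` prints for a frozen bounce and reports how the returned original message entered this server, over SMTP from another host or by local submission from a named user. The sample text, host names, addresses and IPs are constructed placeholders, and the `Received:` layout is assumed to match the output shown above.

```python
import re
from collections import Counter

# Constructed sample: what `exim -Mvb <id>` prints for one frozen bounce,
# modelled on the output in the post. All hosts, addresses and IPs are placeholders.
SAMPLE_BOUNCE_BODY = """\
Return-path: <user@hosted-domain.example>
Received: from dsl-host.isp.example ([203.0.113.25]:26822)
\tby server with esmtp (Exim 4.82)
\t(envelope-from <user@hosted-domain.example>)
\tid 1AAAAA-000000-AA
\tfor nobody@remote.example; Thu, 05 Dec 2013 12:45:04 +0000
Received: from apache by forged.example with local (Exim 4.63)
\tid 1BBBBB-000000-BB
\tfor <nobody@remote.example>; Thu, 5 Dec 2013 07:48:37 -0500
To: <nobody@remote.example>
"""

# Assumed shape of a Received: line: "from HOST ([IP]:PORT) by HOST with PROTO".
HOP = re.compile(r"^Received: from (\S+)(?: \(\[([^\]]+)\](?::\d+)?\))? by (\S+) with (\S+)")

def received_hops(body):
    """Unfold continuation lines and parse every Received: header, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", body)
    hops = []
    for line in unfolded.splitlines():
        m = HOP.match(line)
        if m:
            hops.append(dict(zip(("from", "ip", "by", "proto"), m.groups())))
    return hops

def entry_point(body):
    """Classify how the original message reached this server."""
    # Only the topmost Received: header was written by this server; the ones
    # below it were supplied by the sender and cannot be trusted.
    hops = received_hops(body)
    if not hops:
        return ("unknown", None)
    top = hops[0]
    if top["proto"] == "local":
        return ("local", top["from"])            # local submission: "from" is the user
    return ("remote", top["ip"] or top["from"])  # accepted over SMTP from another host

def summarize(bodies):
    """Count entry points across many bounces to see what is feeding the queue."""
    return Counter(entry_point(b) for b in bodies)

if __name__ == "__main__":
    for (kind, source), n in summarize([SAMPLE_BOUNCE_BODY]).most_common():
        print(f"{n:5d}  {kind:7s} {source}")
```

Pass `summarize` the `exim -Mvb` output of each queued bounce; a count dominated by `remote` entries points at mail accepted from outside, while `local` entries name the submitting user.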