Spam issue - lmtp(15774): Connect from local

[Kennybe]

For months now I'm struggling with a spam issue. Changing passwords don't work, there are no php scripts on the server ... This morning I changed the password, but not on the clients ... still spam ... don't find the issue.

I found several lines in the log file every time I got a mail that the limit was passed (I putted it on 30 per hour) ... I think ther is no authentication for sending the mails, it's local, but how do I find the source ?

Jun 2 12:52:01 nemesis dovecot: lmtp(15774): Connect from local
Jun 2 12:52:01 nemesis dovecot: lmtp([email protected])<15774><oOWUElGWmGKePQAAL2Bj9A>: msgid=<[email protected]>: saved mail to INBOX
Jun 2 12:52:01 nemesis dovecot: lmtp(15774): Disconnect from local: Logged out (state=READY)

 

[cPRex]

Hey there! That entry looks like it is from /var/log/maillog. Can you check the /var/log/exim_mainlog file around the same time to see if there is anything interesting there?

 

[Kennybe]

2022-06-02 12:51:44 SMTP connection from [165.227.206.111]:38100 (TCP/IP connection count = 3)
2022-06-02 12:51:44 no host name found for IP address 165.227.206.111
2022-06-02 12:51:46 H=(mail.asticom.com) [165.227.206.111]:38100 Warning: Sender rate 1.0 / 1h
2022-06-02 12:51:48 1nwiQe-00048B-6G <= [email protected] H=(mail.asticom.com) [165.227.206.111]:38100 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:[email protected] S=1175 id=[email protected] T="\357\273\277" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2022-06-02 12:51:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1nwiQe-00048B-6G
2022-06-02 12:51:48 1nwiQe-00048B-6G Sender identification U=asticom D=asticom.com S=[email protected]
2022-06-02 12:51:48 1nwiQe-00048B-6G SMTP connection outbound 1654167108 1nwiQe-00048B-6G xxx.com [email protected]
2022-06-02 12:51:48 1nwiQe-00048B-6G Sender identification U=asticom D=asticom.com S=[email protected]
2022-06-02 12:51:48 1nwiQe-00048B-6G SMTP connection outbound 1654167108 1nwiQe-00048B-6G xxx.com [email protected]
2022-06-02 12:51:48 1nwiQe-00048B-6G Sender identification U=asticom D=asticom.com S=[email protected]

and more lines like the last one ...

 

[cPRex]

Do any of those messages match up to the one you're looking for? I'm not going to recognize anything useful on my end, but the 12:51:48 timestamp line seems to be sending a group of messages at once.

 

[Kennybe]

It is the spammer ... each time when I receive a mail that the mail limit is exceeded, the same pattern occurs in mainlog and exim maillog.

Today I had 5 mails ...

 

[cPRex]

When the log shows "Connect from local" that would mean a webmail connection, or access to webmail through cPanel. I wonder if that user has malware on their local system that is contributing to password changes not working. It would be worth having any users with access to that cPanel account scan their local system for viruses or key loggers.

 

[Kennybe]

Strange ... I changed the password on an iOs device, Mac and a Windows PC from the army (I think the last one would be very strange if there was a keylogger).

Noticed two times that the Facebook account registered with the same email address is hacked ... (password recovery via mail).

Now scanning my two Macs on viruses and other stuff ...