3

So I'm operating an Ubuntu VPS that uses Postfix for sending outgoing mail. I have several email addresses attached to the domain that is hosted on the VPS; one of them is, say, user@domain.com. The owner of this email address has two personal computers and no more, and they've up until now been using Thunderbird to access the email address.

A couple of days ago the inbox for user@domain.com started getting slammed with hundreds and hundreds of bouncebacks an hour. The owner of user@domain.com deleted her Thunderbird entries for those email accounts yesterday, to no avail.

Both computers were shut down last night, but the address was still receiving bouncebacks. Initially I thought that, because neither computer that had had the account on was turned on, this could be bounceback spam. On closer inspection of the emails, however, I can see some of them contain lines like:

    <firstnamelsurname@bellsouth.net>: delivery temporarily suspended: host
    gateway-f1.isp.att.net[204.127.217.16] refused to talk to me:
    550-XX.XX.XX.XX blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error -
    Blocked for abuse. See http://att.net/blocks

Where XX.XX.XX.XX is the IP address of our VPS. This makes me think that something is wrong with the Postfix server (as well, most likely, as an infection on the computers). A full clamscan produced the following:

    /var/qmail/mailnames/DOMAIN.COM/USER/Maildir/.Spam/cur/1366042516.M831269P7021V0000000000000025I0000000003C08ED0.VPS-DOMAIN.COM,S=152011:2,: Email.Trojan-432 FOUND
    /usr/share/MailScanner/MailScanner/MessageBatch.pm: Eicar-Test-Signature-1 FOUND

Any ideas how I can track down the issue/solve the problem?

Thanks.

Braiam

2 Answers

8

"Bounce" emails are sometimes part of a spam attack, though I doubt this is the case in your instance.

    550-XX.XX.XX.XX blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse.

This leads me to believe that your server IP has made a blacklist, particularly one with att.net. I would check your domain on mxtoolbox.com and check that you're not running an open relay and that you're not blacklisted.

If you are on a dedicated IP, you're going to have to resolve this with AT&T / BellSouth. If you're using a dynamic IP on a residential account, it will be a bit stickier to resolve, as most ISPs have a low threshold of support for users running servers on non-business accounts, and provisioning usually means that you could be getting blocked because one of your neighbors is/was part of a spam botnet and the shared IP got blocked.

With any email system sending and receiving to the public-at-large, I would be running a virus filter like clamav.

douggro
0

What is installed on the VPS besides Postfix? What systems and/or users are allowed to send mail through your VPS?

You can check the Postfix log to see what and/or who is sending mail through Postfix.

    cat /var/log/mail.log

What I have experienced a lot in these situations is that a customer has a virus that abuses his Outlook, which uses our mail server to send mail. It could be that one user is sending spam through his/her account.
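Reading the whole log is hard when it is being filled at hundreds of messages an hour. As an added example, not part of the answer above, the following script summarizes a Postfix mail.log three ways: messages per SASL-authenticated account (with how many distinct client IPs used it), messages injected locally through the pickup service (on Debian/Ubuntu uid 33 is www-data, so a high count there points at a web script rather than a mail client), and deferred or bounced deliveries per remote relay. The embedded log lines are constructed to follow Postfix's log format; the accounts, client IPs and queue IDs are invented.

```shell
#!/bin/sh
# Added example (not from the thread): summarize a Postfix mail.log to find
# who is actually submitting the mail that is bouncing.
# Usage: sh mail_log_triage.sh /var/log/mail.log   (no argument: run on the sample)

# Write a small constructed mail.log to the given path so the script runs offline.
write_sample_log() {
    cat >"$1" <<'EOF'
Apr 15 13:01:22 vps postfix/smtpd[7021]: 4F2A1B0C3D: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=user@domain.com
Apr 15 13:01:22 vps postfix/qmgr[1102]: 4F2A1B0C3D: from=<user@domain.com>, size=2315, nrcpt=1 (queue active)
Apr 15 13:01:23 vps postfix/smtp[7030]: 4F2A1B0C3D: to=<someone@bellsouth.net>, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=1.2, dsn=4.0.0, status=deferred (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550 Error - Blocked for abuse. See http://att.net/blocks)
Apr 15 13:01:25 vps postfix/smtpd[7021]: 5A1B2C3D4E: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=user@domain.com
Apr 15 13:01:27 vps postfix/smtpd[7022]: 6B2C3D4E5F: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=user@domain.com
Apr 15 13:01:28 vps postfix/smtp[7031]: 6B2C3D4E5F: to=<other@bellsouth.net>, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=0.9, dsn=4.0.0, status=deferred (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550 Error - Blocked for abuse. See http://att.net/blocks)
Apr 15 13:01:30 vps postfix/smtpd[7021]: 7C3D4E5F60: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=user@domain.com
Apr 15 13:01:33 vps postfix/smtpd[7023]: 8D4E5F6071: client=unknown[192.0.2.9], sasl_method=LOGIN, sasl_username=user@domain.com
Apr 15 13:02:01 vps postfix/smtpd[7024]: 9E5F607182: client=home.example.net[192.0.2.50], sasl_method=PLAIN, sasl_username=alice@domain.com
Apr 15 13:02:02 vps postfix/smtp[7032]: 9E5F607182: to=<friend@example.org>, relay=mx.example.org[192.0.2.200]:25, delay=0.8, dsn=2.0.0, status=sent (250 OK)
Apr 15 13:02:10 vps postfix/pickup[1101]: AF60718293: uid=33 from=<www-data>
Apr 15 13:02:11 vps postfix/pickup[1101]: B071829304: uid=33 from=<www-data>
Apr 15 13:02:40 vps postfix/pickup[1101]: C182930415: uid=1000 from=<bob>
EOF
}

# Messages per SASL-authenticated account, plus the number of distinct client
# IPs that used the account. One mailbox submitting from many unrelated IPs is
# the signature of a stolen password rather than an infected desktop.
top_sasl_senders() {
    awk '
        /sasl_username=/ {
            user = $0; sub(/.*sasl_username=/, "", user); sub(/[ ,].*/, "", user)
            ip = $0; sub(/.*client=[^[]*\[/, "", ip); sub(/\].*/, "", ip)
            n[user]++
            if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
        }
        END { for (u in n) printf "%6d msgs %3d client IPs  %s\n", n[u], ips[u], u }
    ' "$1" | sort -rn
}

# Messages injected locally via sendmail(1), logged by the pickup service with
# the submitting uid. Web server uids here mean a script on the box is sending.
local_submitters() {
    awk '
        /postfix\/pickup/ && /uid=/ {
            uid = $0; sub(/.*uid=/, "", uid); sub(/ .*/, "", uid)
            from = $0; sub(/.*from=</, "", from); sub(/>.*/, "", from)
            n[uid " from=<" from ">"]++
        }
        END { for (k in n) printf "%6d msgs  uid=%s\n", n[k], k }
    ' "$1" | sort -rn
}

# Deferred or bounced deliveries per remote relay, i.e. who is refusing us.
relay_failures() {
    awk '
        /status=(deferred|bounced)/ {
            relay = $0; sub(/.*relay=/, "", relay); sub(/[,:].*/, "", relay)
            n[relay]++
        }
        END { for (r in n) printf "%6d  %s\n", n[r], r }
    ' "$1" | sort -rn
}

if [ $# -gt 0 ]; then
    LOG=$1; CLEANUP=
else
    LOG=$(mktemp); CLEANUP=$LOG
    write_sample_log "$LOG"
fi
echo "== messages per authenticated (SASL) account"; top_sasl_senders "$LOG"
echo "== messages injected locally via pickup (uid 33 = www-data on Debian/Ubuntu)"; local_submitters "$LOG"
echo "== deferred/bounced deliveries per remote relay"; relay_failures "$LOG"
if [ -n "$CLEANUP" ]; then rm -f "$CLEANUP"; fi
```

On a real server, run it against /var/log/mail.log and the rotated mail.log.1 from before the problem started; the account or uid whose count jumped is the one to lock, and the client IPs on its lines tell you whether the submissions came from the owner's two computers or from elsewhere.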