Mac server infected with spam agent

Tags: agent, blacklist, email, malware, spam

We have huge trouble 🙁 .. Our Mac server is sending spam. Our IP is already blacklisted on about a dozen servers (checked with http://mxtoolbox.com/). We have other computers in the same network, including PCs. What I have already done and discovered:

  1. I found spam emails in the "Server Admin app"->Mail->Maintenance->Mail Queue (attached image).
  2. I managed to get one of those emails from the /var/spool/postfix/ folder. Here is the link – a simple HTML file (http://www.sendspace.com/file/wbyjov).
  3. I searched for malware with ClamXav on the server – with no luck.
  4. I re-checked the PC computers with antivirus – with no luck.

Also, the fact that these emails appear in "Mail Queue" means that the Mac OS server sends them by itself, right? Or is it possible that another computer in the same network sends them?

Thank you in advance for your answers!!!!

* Added two screenshots of server Logs: SMTP logs and IMAP logs *

* Added a screenshot of the Access logs. I know for sure that the "fitkit.medicine" account shouldn't be used at this time at all. Does it mean that some malware hacked several accounts on the server? *


Best Answer

Spam messages in the postfix message queue could mean a number of things:

  • Your mail server is acting as an open relay. An open relay means that your server is accepting messages from any client on the Internet, and relaying them onward. Open relays are quickly picked up by spammers and quickly blacklisted. To see if your mail server is acting as an open relay, you could use this site:

    http://www.unlocktheinbox.com/openrelaytest/

    For a discussion on OS X server and open relays, also see:

    https://discussions.apple.com/message/8036841#8036841

    Looking at the message from the postfix message queue, I see that the client address (the IP address of the SMTP client that submitted the email message for delivery) is in the 31.129.xxx.xxx IP range. If this IP range belongs to you, it's something within your network.

  • There is a machine within your network that's been compromised and is now acting as a botnet client for spam. In this case, you'll need to determine which PC it is that's sending all these messages, and shut that machine down. Because the IP address of the client is a public IP, I'm guessing this is not the case.

  • Someone has hacked an account on your mail server (if you require SMTP authentication) and is using that account to send messages. From the message you've attached, I see that the spam bot is using authentication (sasl_username=test, sasl_method=LOGIN). Is there a chance you have a "test" account with no password on this server? If so, set a password on it or disable the account.
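A way to put the answer's second and third checks into practice, as an added example that is not part of the original post and not code from OS X Server or Postfix: a short Python script that parses Postfix smtpd log lines (the same `client=` and `sasl_username=` fields the answer reads from the queued message), counts submissions per authenticated account and per client address, and flags accounts that are used from several addresses or at unusual volume, which is how a hijacked "test" account shows up in the SMTP log. The sample log lines, the host name `macserver`, the LAN range `192.168.1.0/24` and the thresholds are constructed assumptions; the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for the public 31.129.xxx.xxx client the answer mentions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Postfix smtpd "client=" line. Postfix appends the sasl_method / sasl_username
# fields only when the submitting client authenticated, so their absence marks
# an unauthenticated submission.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+))?"
)

# Assumption: the server's own LAN. Anything outside it is treated as external.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log, not the asker's real mail log. The NOQUEUE line is a
# rejected relay attempt and is deliberately not a "client=" line.
SAMPLE_LOG = """\
Mar  5 09:01:12 macserver postfix/smtpd[4021]: 7A1B2C3D4E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=test
Mar  5 09:01:13 macserver postfix/smtpd[4021]: 7A1B2C3D4F: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=test
Mar  5 09:01:15 macserver postfix/smtpd[4022]: 7A1B2C3D50: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=test
Mar  5 09:02:40 macserver postfix/smtpd[4023]: 7A1B2C3D51: client=alice-mac.local[192.168.1.20], sasl_method=PLAIN, sasl_username=alice
Mar  5 09:03:05 macserver postfix/smtpd[4024]: 7A1B2C3D52: client=unknown[198.51.100.9]
Mar  5 09:03:06 macserver postfix/smtpd[4024]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 Relay access denied
Mar  5 09:04:10 macserver postfix/smtpd[4025]: 7A1B2C3D53: client=unknown[203.0.113.46], sasl_method=LOGIN, sasl_username=test
"""


def is_lan(ip):
    """True when the client address falls inside one of the assumed LAN networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def parse_smtpd_lines(text):
    """Yield one dict (qid, host, ip, method, user) per smtpd 'client=' line.

    Lines that are not message submissions (rejects, disconnects, ...) are skipped.
    """
    for line in text.splitlines():
        match = SMTPD_RE.search(line)
        if match:
            yield match.groupdict()


def summarize(records):
    """Aggregate submissions per SASL account and per unauthenticated external client."""
    per_user = Counter()
    ips_per_user = defaultdict(set)
    unauth_external = Counter()
    for rec in records:
        if rec["user"]:
            per_user[rec["user"]] += 1
            ips_per_user[rec["user"]].add(rec["ip"])
        elif not is_lan(rec["ip"]):
            # Inbound mail for your own domains also arrives unauthenticated from
            # outside, so this count alone does not prove an open relay; the
            # relay test the answer links to is the check for that.
            unauth_external[rec["ip"]] += 1
    return {
        "per_user": per_user,
        "ips_per_user": {user: sorted(ips) for user, ips in ips_per_user.items()},
        "unauth_external": unauth_external,
    }


def suspicious_accounts(summary, max_msgs=2, max_ips=1):
    """Accounts that submitted more than max_msgs messages or came from more than max_ips clients.

    The thresholds are illustrative; on a real server set them from normal daily volume.
    """
    flagged = []
    for user, count in summary["per_user"].items():
        ips = summary["ips_per_user"][user]
        if count > max_msgs or len(ips) > max_ips:
            flagged.append((user, count, ips))
    return sorted(flagged)


if __name__ == "__main__":
    report = summarize(parse_smtpd_lines(SAMPLE_LOG))
    for user, count, ips in suspicious_accounts(report):
        print(f"account {user!r}: {count} submissions from {len(ips)} client(s): {', '.join(ips)}")
    for ip, count in report["unauth_external"].items():
        print(f"unauthenticated submissions from {ip}: {count}")
```

On a real OS X Server the same parser can be fed the SMTP log the question's screenshot came from (`/var/log/mail.log` on Postfix-based systems). An account that appears from several unrelated public addresses within minutes, as `test` does here, is the signature of a stolen or empty password; the fix is the one the answer gives, set a password or disable the account, and the log count afterwards confirms the submissions stopped.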
