Postfix Localhost Server Sending Spam to Itself

Tags: blacklist, dovecot, email, postfix, spam

I have an iRedMail server that runs Postfix and am trying to determine the source of its spam problem.

I have since changed the MX records on the domain for the address receiving spam and the good news is no spam is coming through to this second server. However, new spam messages keep appearing at the old server, despite the MX record change. How is that possible?

Here is a header from one of the spam emails:

Content-Type: multipart/alternative; boundary="6656864_13052705_6656864"
Mime-Version: 1.0
Return-Path: <Macys@yuijdd.stablecheck.party>
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: Debian amavisd-new at myserverdomain.com
Received: from localhost (localhost [127.0.0.1]) by myserverdomain.com (Postfix) with ESMTP id 293FD6B977 for <nick@emaildomain.com>; Tue, 12 Jan 2016 20:45:14 -0700 (MST)
Received: from myserverdomain.com ([127.0.0.1]) by localhost (myserverdomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G3TC68wvWWEK for <nick@emailaddress.com>; Tue, 12 Jan 2016 20:45:13 -0700 (MST)
Received: from yuijdd.stablecheck.party (unknown [46.166.133.21]) by myserverdomain.com (Postfix) with ESMTP id 480626B976 for <nick@emaildomain.com>; Tue, 12 Jan 2016 20:45:12 -0700 (MST)
Delivered-To: nick@emaildomain.com
Message-Id: <Lackadaisical.0300b221f33a2b213a8dc0ee683baadac.Obsecratorynick@emaildomain.com>
Re: Macy's is giving out a $50 voucher to start 2016

Does this appear to be coming from my own server? Or is it coming from this IP: 46.166.133.21? That IP is blacklisted on Spamhaus, which I have Postfix set to query.

Here is part of my /var/logs/mail.log file:

Jan 13 03:45:11 mailhost postfix/smtpd[4796]: connect from unknown[46.166.133.21]
Jan 13 03:45:12 mailhost postfix/smtpd[4796]: 480626B976: client=unknown[46.166.133.21]
Jan 13 03:45:12 mailhost postfix/cleanup[4806]: 480626B976: message-id=<Lackadaisical.0300b221f33a2b213a8dc0ee683baadac.Obsecratorynick@emaildomain.com>
Jan 13 03:45:13 mailhost postfix/qmgr[9274]: 480626B976: from=<Macys@yuijdd.stablecheck.party>, size=5484, nrcpt=1 (queue active)
Jan 13 03:45:13 mailhost postfix/smtpd[4796]: disconnect from unknown[46.166.133.21]
Jan 13 03:45:14 mailhost postfix/smtpd[4815]: connect from localhost[127.0.0.1]
Jan 13 03:45:14 mailhost postfix/smtpd[4815]: 293FD6B977: client=localhost[127.0.0.1]
Jan 13 03:45:14 mailhost postfix/cleanup[4806]: 293FD6B977: message-id=<Lackadaisical.0300b221f33a2b213a8dc0ee683baadac.Obsecratorynick@emaildomain.com>
Jan 13 03:45:14 mailhost postfix/qmgr[9274]: 293FD6B977: from=<Macys@yuijdd.stablecheck.party>, size=5943, nrcpt=1 (queue active)
Jan 13 03:45:14 mailhost postfix/smtpd[4815]: disconnect from localhost[127.0.0.1]
Jan 13 03:45:14 mailhost amavis[31884]: (31884-08) Passed CLEAN, LOCAL [46.166.133.21] [46.166.133.21] <Macys@yuijdd.stablecheck.party> -> <nick@emaildomain.com>, Message-ID: <Lackadaisical.0300b221f33a2b213a8dc0ee683baadac.Obsecratorynick@emaildomain.com>, mail_id: G3TC68wvWWEK, Hits: -0.546, size: 5482, queued_as: 293FD6B977, 568 ms
Jan 13 03:45:14 mailhost postfix/smtp[4812]: 480626B976: to=<nick@emaildomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2, delays=1.4/0.01/0.01/0.58, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 293FD6B977)
Jan 13 03:45:14 mailhost postfix/qmgr[9274]: 480626B976: removed
Jan 13 03:45:14 mailhost postfix/pipe[4816]: 293FD6B977: to=<nick@emaildomain.com>, relay=dovecot, delay=0.09, delays=0.01/0.01/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service)

I also thought there might be a PHP script somewhere sending this mail, so I installed and ran Linux Malware Detect, but it found nothing.

Thanks for your help!

EDIT: I have blacklist filtering on in main.cf

smtpd_recipient_restrictions =
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client b.barracudacentral.org,
        reject_invalid_hostname,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        check_policy_service inet:127.0.0.1:7777,
        check_policy_service inet:127.0.0.1:10031,
        reject_non_fqdn_sender,
        reject_non_fqdn_hostname,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        permit

Best Answer

This email came from outside your server, from the indicated IP address.

Postfix is configured to pass it to Amavis for virus scanning, and when that is complete, Amavis passes it back to Postfix for delivery.

This is why there are two localhost Received: lines. One is added by Amavis when it processes the message, and the other one when Postfix re-accepts it from Amavis for final delivery.
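To check this mechanically when triaging a header chain, here is an added Python example (not from the question, the answer, or iRedMail): it unfolds the headers, parses each Received: hop, marks loopback and private-address hops as the local Postfix/Amavis content-filter round trip, and returns the bottom-most external hop as the address the server actually accepted the message from. The header text is reconstructed from the question; the function names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample: the Received: chain from the question, top = most recent hop,
# folded onto continuation lines the way a real message would carry it.
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1]) by myserverdomain.com (Postfix)
    with ESMTP id 293FD6B977 for <nick@emaildomain.com>; Tue, 12 Jan 2016 20:45:14 -0700 (MST)
Received: from myserverdomain.com ([127.0.0.1]) by localhost (myserverdomain.com [127.0.0.1])
    (amavisd-new, port 10024) with ESMTP id G3TC68wvWWEK for <nick@emailaddress.com>; Tue, 12 Jan 2016 20:45:13 -0700 (MST)
Received: from yuijdd.stablecheck.party (unknown [46.166.133.21]) by myserverdomain.com (Postfix)
    with ESMTP id 480626B976 for <nick@emaildomain.com>; Tue, 12 Jan 2016 20:45:12 -0700 (MST)
Delivered-To: nick@emaildomain.com
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def unfold(raw):
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def is_internal(ip):
    """True for loopback/private hops, i.e. the content-filter loop, not a real sender."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private

def parse_hops(raw):
    """Return [(helo_name, ip_or_None, receiving_host, internal), ...] top-down."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.search(line) if line.lower().startswith("received:") else None
        if not m:
            continue
        ipm = IP_RE.search(m.group("info"))
        ip = ipm.group(1) if ipm else None
        hops.append((m.group("helo"), ip, m.group("by"), bool(ip) and is_internal(ip)))
    return hops

def originating_ip(raw):
    """Bottom-most (earliest) hop that is not a local relay: what our MTA accepted the mail from."""
    for _helo, ip, _by, internal in reversed(parse_hops(raw)):
        if ip and not internal:
            return ip
    return None
```

The queue IDs in the parsed hops (480626B976, then 293FD6B977) can be matched against the postfix/smtpd and amavis lines in mail.log to confirm the same loop on the log side.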
