Outbound spam seems to originate from mailscanner
Posted: 16 May 2020, 20:07
I have installed MailScanner FE and recently I started to notice outbound spam from one of the accounts
Going to the logs I found this:
grep 1ja0kz-0004qR-E2 /var/log/exim_mainlog
2020-05-16 20:37:53 1ja0kz-0004qR-E2 <= oriental@webtop.vra.ro U=oriental P=local S=1293 id=c223b0bbd40485862c2a0e1ce12259ce@orientalis.ro T="[Shared Post] Privacy Policy" for 1750380179@qq.com
2020-05-16 20:37:59 cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1ja0kz-0004qR-E2
2020-05-16 20:37:59 1ja0kz-0004qR-E2 Sender identification U=oriental D=orientalis.ro S=noreply@orientalis.ro
2020-05-16 20:37:59 1ja0kz-0004qR-E2 SMTP connection outbound 1589650679 1ja0kz-0004qR-E2 orientalis.ro 1750380179@qq.com
2020-05-16 20:38:03 1ja0kz-0004qR-E2 ** 1750380179@qq.com R=lookuphost T=remote_smtp H=mx3.qq.com [203.205.219.57] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after end of data: 550 Mailbox unavailable or access denied [MLq1b27YPAsqEXo9ximTXMe0MbNNInoPx+egkUQW+0FulhgKQ/CQJsz992TQrHIQVA== IP: 91.194.30.144].
2020-05-16 20:38:03 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1ja0kz-0004qR-E2
2020-05-16 20:38:03 1ja0l9-0004rg-9Y <= <> R=1ja0kz-0004qR-E2 U=mailnull P=local S=3203 T="Mail delivery failed: returning message to sender" for oriental@webtop.vra.ro
2020-05-16 20:38:03 1ja0kz-0004qR-E2 Completed
Where the source of the spam seems to be a local script, actually /var/spool/MailScanner/incoming
Did someone encounter this before?
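As an added example (not code from the original post), here is a small Python parser for exim_mainlog excerpts like the one above: it reads the `<=` arrival record, which carries the account (U=) and protocol (P=) a message was injected with, and records the later `cwd=... -Mc` line as what it is in exim, the delivery invocation for an already-queued message, so the MailScanner incoming directory appears as delivery context rather than as the message's origin. The allow-list of accounts expected to submit mail locally is an assumption; the sample lines are copied (and trimmed) from the post.

```python
import re

# Sample constructed from the exim_mainlog lines quoted in the post (550 reply trimmed).
SAMPLE_LOG = """\
2020-05-16 20:37:53 1ja0kz-0004qR-E2 <= oriental@webtop.vra.ro U=oriental P=local S=1293 id=c223b0bbd40485862c2a0e1ce12259ce@orientalis.ro T="[Shared Post] Privacy Policy" for 1750380179@qq.com
2020-05-16 20:37:59 cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1ja0kz-0004qR-E2
2020-05-16 20:37:59 1ja0kz-0004qR-E2 Sender identification U=oriental D=orientalis.ro S=noreply@orientalis.ro
2020-05-16 20:38:03 1ja0kz-0004qR-E2 ** 1750380179@qq.com R=lookuphost T=remote_smtp H=mx3.qq.com [203.205.219.57]: SMTP error from remote mail server after end of data: 550 Mailbox unavailable or access denied
2020-05-16 20:38:03 1ja0l9-0004rg-9Y <= <> R=1ja0kz-0004qR-E2 U=mailnull P=local S=3203 T="Mail delivery failed: returning message to sender" for oriental@webtop.vra.ro
2020-05-16 20:38:03 1ja0kz-0004qR-E2 Completed
"""

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
# "<=" marks a message entering the queue; U= is the submitting account, P= the protocol.
ARRIVAL_RE = re.compile(rf"^(?P<ts>\S+ \S+) (?P<id>{MSGID}) <= (?P<sender>\S+) (?P<rest>.*)$")
FIELD_RE = re.compile(r'(?:^|\s)([A-Z])=("[^"]*"|\S+)')
# "exim -Mc <id>" is a delivery process for an already-queued message; cwd is the caller's directory.
DELIVERY_RE = re.compile(rf"cwd=(?P<cwd>\S+) \d+ args: \S*exim .*-Mc (?P<id>{MSGID})")

# Assumed allow-list of accounts expected to inject mail locally (bounces, daemons); tune per host.
SYSTEM_USERS = {"root", "mailnull", "exim"}


def parse_arrivals(log_text):
    """Return {msgid: details} describing how each message entered the queue."""
    msgs = {}
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
            msgs[m.group("id")] = {
                "sender": m.group("sender"),
                "user": fields.get("U"),
                "protocol": fields.get("P"),
                "subject": fields.get("T"),
                "delivery_cwd": None,
            }
            continue
        d = DELIVERY_RE.search(line)
        if d and d.group("id") in msgs:
            msgs[d.group("id")]["delivery_cwd"] = d.group("cwd")
    return msgs


def suspicious_local_submissions(msgs):
    """IDs injected with P=local by a non-system account: the origin is a process
    running as that user, not the directory shown on the -Mc delivery line."""
    return [mid for mid, m in msgs.items()
            if m["protocol"] == "local" and m["user"] not in SYSTEM_USERS]
```

Run it over a real `grep '<=' /var/log/exim_mainlog` slice to get the list of accounts whose local submissions deserve a look at their cron jobs and web scripts.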