
block incoming SMTP, while only allowing outbound connection

Posted: Wed Mar 18, 2015 11:20 am
by 30874
Dear All,

I have received mail from Digital Ocean as below

-----
Please review the following abuse complaint and provide us with a resolution:

******************************
Spam email source IP address = 104.131.30.90

Abuse contact for 104.131.0.0 - 104.131.255.255 is [email protected]

x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J
Authentication-Results: hotmail.com; spf=none (sender IP is 104.131.30.90) smtp.mailfrom=[email protected]; dkim=none header.d=tamcotec.com; x-hmca=none header.id=[email protected]
X-SID-PRA: [email protected]
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 11chDOWqoTngJmlahZDJ8F4dZhiGbzTBtK0A50QhKiAKvPlfsbx393f7JqcYRaoW/Ote5BSas8ChwOUJOGl8gRKZes+t0Y4RgPj2dR0rB+SsJXMQXIA1YI6Tb07ph7IHqN3YbvwW2LL1AdWxDdhwMquTTV2fuerjIbpmS+4YYPqjw+5pmCB7DUA9SEjx4uoXYAywlsrSQR1zwO+7CVJjWj96wk8a4txx
Received: from localhost ([104.131.30.90]) by BAY004-MC5F36.hotmail.com with Microsoft SMTPSVC(7.5.7601.22751);
Tue, 17 Mar 2015 08:50:55 -0700
Date: Tue, 17 Mar 2015 11:50:55 +0000
MIME-Version: 1.0
Subject: Empowered
To: <x>
Content-Type: text/html; charset=UTF-8
Message-ID: <[email protected]>
Content-Transfer-Encoding: 7bit
From: Chuck <[email protected]>
Return-Path: [email protected]
X-OriginalArrivalTime: 17 Mar 2015 15:50:55.0475 (UTC) FILETIME=[276B5430:01D060CA]

<html>
<head>
<title>All the pieces were already in their spots</title>
</head> <body>
iPurchase
Exclusive eTabz Online
:) <div><a href="http://joystiqdeals.ru">http://joystiqdeals.ru</a></div>
<div> Breaking my defense he quickly strikes me that will teach her a lesson </div>
<div>
His wrapper of scarlet flannel if i can stop one heart from breaking
</div> </body>
</html>
******************************

Please note that generating multiple abuse complaints in a short period of time may lead to your account being suspended.
-----

and they need me to check your mailq and ensure that your mail server is properly permitted to only permit sending from your local server. You may also wish to block incoming SMTP, while only allowing outbound connections.

My question is: how do I check the SMTP config? I tried to see it in the panel but still can't see that detail.

I hope you can help for this.
Best regards,
Max
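Before touching the mail server it is worth confirming, from the headers in the complaint itself, that the message really originated from the reported droplet rather than from an outside sender forging the domain. The following is an added example and is not part of the thread or of VestaCP: it parses a header block modelled on the report quoted above (the redacted addresses are replaced with constructed example.com placeholders), finds the earliest Received hop, the HELO name the sending client presented, and the SPF/DKIM results, and compares the hop's IP with the IP named in the complaint. The function name triage_abuse_report and the placeholder addresses are assumptions of this example.

```python
import email
import re

# Constructed sample: the header block of the abuse report quoted in the thread,
# with the redacted addresses replaced by example.com placeholders.
REPORT_IP = "104.131.30.90"
SAMPLE_HEADERS = """\
Authentication-Results: hotmail.com; spf=none (sender IP is 104.131.30.90) smtp.mailfrom=chuck@example.com; dkim=none header.d=example.com; x-hmca=none header.id=chuck@example.com
Received: from localhost ([104.131.30.90]) by BAY004-MC5F36.hotmail.com with Microsoft SMTPSVC(7.5.7601.22751);
    Tue, 17 Mar 2015 08:50:55 -0700
Date: Tue, 17 Mar 2015 11:50:55 +0000
Subject: Empowered
From: Chuck <chuck@example.com>
Return-Path: chuck@example.com
Message-ID: <abc123@example.com>

(body omitted)
"""

# "from <helo name> ([ip]) by <receiving host>" as written by the receiving MTA.
RECEIVED_RE = re.compile(r'from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)')
AUTHRES_IP_RE = re.compile(r'sender IP is ([0-9.]+)')


def triage_abuse_report(raw_headers, complaint_ip):
    """Summarise where a reported message entered the mail system.

    Received headers are prepended by each hop, so the last one in the list
    is the earliest hop: the point where the message was handed to the first
    MTA outside the sender's control.
    """
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all('Received', []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({'helo': m.group(1), 'ip': m.group(2), 'by': m.group(3)})
    origin = hops[-1] if hops else None

    auth = msg.get('Authentication-Results', '')
    auth_ip = AUTHRES_IP_RE.search(auth)
    spf = re.search(r'spf=(\w+)', auth)
    dkim = re.search(r'dkim=(\w+)', auth)

    return {
        'origin_ip': origin['ip'] if origin else None,
        'origin_helo': origin['helo'] if origin else None,
        'received_by': origin['by'] if origin else None,
        # True when the earliest hop really is the IP the complaint names.
        'ip_matches_complaint': bool(origin) and origin['ip'] == complaint_ip,
        'auth_results_ip': auth_ip.group(1) if auth_ip else None,
        'spf': spf.group(1) if spf else None,
        'dkim': dkim.group(1) if dkim else None,
        # A HELO of "localhost" means a client on the sending machine itself
        # handed the message over, not a remote mail server.
        'helo_is_localhost': bool(origin) and origin['helo'].lower() == 'localhost',
    }


if __name__ == '__main__':
    for key, value in triage_abuse_report(SAMPLE_HEADERS, REPORT_IP).items():
        print(f'{key}: {value}')
```

When the earliest hop's IP equals the complaint IP and the HELO name is localhost, the message was generated on the server itself by a local process (a web script, or a process run by a compromised account) and handed to the local MTA, which points the investigation at the server's own mail log and its web applications rather than at someone spoofing the domain from elsewhere. spf=none and dkim=none mean the domain publishes no SPF record and the message carried no DKIM signature, so the receiving side had nothing to reject it on.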

Re: block incoming SMTP, while only allowing outbound connec

Posted: Wed Mar 18, 2015 2:10 pm
by skurudo
30874 wrote:My question is: how do I check the SMTP config? I tried to see it in the panel but still can't see that detail.
Max, if you want to check the config, then you need to look in /etc/exim4/exim4.conf.template (on Debian/Ubuntu).

You can see your mail queue in the shell with the command -> mailq

Then I think you may need to check your sites - update scripts and search for malware scripts.

Re: block incoming SMTP, while only allowing outbound connec

Posted: Thu Mar 19, 2015 4:42 am
by 30874
skurudo wrote:
30874 wrote:My question is: how do I check the SMTP config? I tried to see it in the panel but still can't see that detail.
Max, if you want to check the config, then you need to look in /etc/exim4/exim4.conf.template (on Debian/Ubuntu).

You can see your mail queue in the shell with the command -> mailq

Then I think you may need to check your sites - update scripts and search for malware scripts.
-----
The message from the mailq command.
--
postqueue: warning: Mail system is down -- accessing queue directly mail queue is emply.
--

What should I do next?

Re: block incoming SMTP, while only allowing outbound connec

Posted: Thu Mar 19, 2015 5:03 am
by 30874
skurudo wrote:
30874 wrote:My question is: how do I check the SMTP config? I tried to see it in the panel but still can't see that detail.
Max, if you want to check the config, then you need to look in /etc/exim4/exim4.conf.template (on Debian/Ubuntu).

You can see your mail queue in the shell with the command -> mailq

Then I think you may need to check your sites - update scripts and search for malware scripts.
----

Dear Vestacp.

I don't have exim4 within the etc folder. I have only /etc/exim/exim.conf. What's wrong with this?

Best regards,

Re: block incoming SMTP, while only allowing outbound connec

Posted: Thu Mar 19, 2015 5:36 am
by 30874
I have checked the log in var/log/exim/main.log. There are strange emails that I haven't created in Vestacp.
Those emails were sent out by an incorrect service, as in the details below.

-----

2015-03-19 00:36:02 1YYSBe-000161-4w <= [email protected] H=mout.perfora.net [74.208.4.196] P=esmtp S=19808 id=[email protected] <----------------------------It's mine>
2015-03-19 00:36:02 1YYSBe-000161-4w => 1baby <[email protected]> R=localuser T=local_delivery
2015-03-19 00:36:02 1YYSBe-000161-4w Completed -<--------Remark my server sent it.
2015-03-19 00:43:16 Start queue run: pid=4644
2015-03-19 00:43:18 1YXnVu-0000mu-Nt Message is frozen
2015-03-19 00:43:18 1YY9zR-0005C7-Mf Message is frozen
2015-03-19 00:43:18 1YY9zX-0005Gk-5c Message is frozen
2015-03-19 00:43:18 1YXnVz-0000rP-Sx Message is frozen
2015-03-19 00:43:18 End queue run: pid=4644
2015-03-19 00:45:13 1YYSKX-0001Gg-Av <= [email protected] H=mx0.innovanet.co.nz [67.23.24.250] P=esmtp S=62560 id=[email protected] <----------------------------It's mine>
2015-03-19 00:45:13 1YYSKX-0001Gg-Av => 1baby <[email protected]> R=localuser T=local_delivery
2015-03-19 00:45:13 1YYSKX-0001Gg-Av Completed -<--------Remark my server sent it.
2015-03-19 01:00:13 1YYSZ3-0001ZH-Eb <= [email protected] H=yjh.hostposter.com [69.65.41.83] P=esmtps X=UNKNOWN:AES256-GCM-SHA384:256 S=2524 id=[email protected] <----------------------------It's mine>
2015-03-19 01:00:13 1YYSZ3-0001ZH-Eb => 1baby <[email protected]> R=localuser T=local_delivery
2015-03-19 01:00:13 1YYSZ3-0001ZH-Eb Completed -<--------Remark my server sent it.


---

How can I block incoming SMTP, while only allowing outbound connections?
Best regards,
Max
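In exim's main log a `<=` line records a message arriving, a `=>` line a delivery, `H=` the host the message came from, `U=` the local user that submitted it, `A=` the SMTP authenticator used, and `T=` the transport that delivered it. The entries quoted above are messages that arrived from remote hosts and went out through `T=local_delivery` into a local mailbox, which is the shape of inbound mail; spam leaving a compromised server instead shows a `<=` line with no `H=` (or an `H=` from 127.0.0.1) followed by a `=>` line through `T=remote_smtp`. The following is an added example, not from the thread or from VestaCP, that classifies every completed message in a log excerpt along those lines and counts which local user submitted the outbound ones, which is where a compromised web script normally shows up. The sample log is constructed: the first message mirrors the pattern posted above with placeholder addresses, the other two are invented to show the outbound and relayed shapes, and the function names are this example's own.

```python
import re
from collections import Counter

# Exim message ids look like 1YYSBe-000161-4w (6-6-2 base62 groups).
MSGID = r'[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}'
LINE_RE = re.compile(r'^\S+ \S+ (' + MSGID + r') (<=|=>|Completed)(.*)$')
HOST_IP_RE = re.compile(r' H=.*?\[([^\]]+)\]')
LOOPBACK = {'127.0.0.1', '::1'}

# Constructed sample. Message 1 follows the pattern in the thread (arrived from a
# remote host, delivered to a local mailbox). Message 2 is what a local script
# sending spam looks like (U=apache, no H=, delivered by remote_smtp). Message 3
# is mail relayed for an authenticated SMTP client (H= plus A=).
SAMPLE_LOG = """\
2015-03-19 00:36:02 1YYSBe-000161-4w <= sender@example.net H=mout.perfora.net [74.208.4.196] P=esmtp S=19808 id=abc@example.net
2015-03-19 00:36:02 1YYSBe-000161-4w => 1baby <user@example.org> R=localuser T=local_delivery
2015-03-19 00:36:02 1YYSBe-000161-4w Completed
2015-03-19 00:43:16 Start queue run: pid=4644
2015-03-19 00:43:18 1YXnVu-0000mu-Nt Message is frozen
2015-03-19 00:43:18 End queue run: pid=4644
2015-03-19 00:40:10 1YYSFq-000ABC-Xy <= chuck@example.org U=apache P=local S=2048 id=xyz@example.org
2015-03-19 00:40:11 1YYSFq-000ABC-Xy => victim@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.10]
2015-03-19 00:40:11 1YYSFq-000ABC-Xy Completed
2015-03-19 00:41:00 1YYSGh-000DEF-Zz <= spammer@example.net H=(foo) [198.51.100.7] P=esmtpa A=dovecot_plain:user@example.org S=900 id=q@example.net
2015-03-19 00:41:01 1YYSGh-000DEF-Zz => target@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.10]
2015-03-19 00:41:01 1YYSGh-000DEF-Zz Completed
"""


def _arrived_from_remote(rest):
    """True when the arrival line carries an H= host that is not loopback."""
    m = HOST_IP_RE.search(rest)
    if not m:
        return False  # no H= at all: submitted locally (U=... P=local)
    return m.group(1) not in LOOPBACK


def classify_exim_log(text):
    """Return ({message_id: verdict}, Counter of local users submitting outbound mail).

    Verdicts: 'inbound', 'outbound-local-submission', 'relayed-authenticated',
    'relayed-unauthenticated', 'local'. Only messages that reached 'Completed'
    are classified; queue-run markers and frozen notices are skipped.
    """
    source = {}           # msgid -> (from_remote, local_user, authenticated)
    remote_delivery = set()
    verdicts = {}
    submitters = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msgid, kind, rest = m.groups()
        if kind == '<=':
            user = re.search(r' U=(\S+)', rest)
            source[msgid] = (_arrived_from_remote(rest),
                             user.group(1) if user else None,
                             ' A=' in rest)
        elif kind == '=>':
            if 'T=remote_smtp' in rest or ' H=' in rest:
                remote_delivery.add(msgid)
        elif kind == 'Completed' and msgid in source:
            from_remote, who, authed = source[msgid]
            to_remote = msgid in remote_delivery
            if from_remote and not to_remote:
                verdict = 'inbound'
            elif not from_remote and to_remote:
                verdict = 'outbound-local-submission'
                submitters[who or 'loopback-smtp-client'] += 1
            elif from_remote and to_remote:
                verdict = 'relayed-authenticated' if authed else 'relayed-unauthenticated'
            else:
                verdict = 'local'
            verdicts[msgid] = verdict
    return verdicts, submitters


if __name__ == '__main__':
    verdicts, submitters = classify_exim_log(SAMPLE_LOG)
    for msgid, verdict in verdicts.items():
        print(msgid, verdict)
    print('outbound submitters:', dict(submitters))
```

Run it against the real file with `classify_exim_log(open('/var/log/exim/main.log').read())` and look at the submitters counter: a web server user such as apache or a single site's user submitting hundreds of outbound messages identifies the account whose scripts need cleaning, while a large 'relayed-unauthenticated' count means the MTA is accepting relay from outside and the exim configuration, not a web script, is the problem.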

Re: block incoming SMTP, while only allowing outbound connec

Posted: Thu Mar 19, 2015 3:35 pm
by skurudo
30874 wrote: I don't have exim4 within the etc folder. I have only /etc/exim/exim.conf. What's wrong with this?
Nothing wrong; on different OSes the folders have slightly different locations, and you have CentOS, I think.

Re: block incoming SMTP, while only allowing outbound connec

Posted: Thu Mar 19, 2015 3:40 pm
by skurudo
30874 wrote: How can I block incoming SMTP, while only allowing outbound connections?
SMTP for outgoing mail, IMAP/POP3 for incoming.
Check the firewall and block.

Max, where is the mail not from your server?

Code:

postqueue: warning: Mail system is down -- accessing queue directly mail queue is emply.
Do you really use exim, or is it postfix?
mailq --help
Can you show the output?

Re: block incoming SMTP, while only allowing outbound connec

Posted: Fri Mar 20, 2015 4:16 am
by 30874
skurudo wrote:
30874 wrote: How can I block incoming SMTP, while only allowing outbound connections?
SMTP for outgoing mail, IMAP/POP3 for incoming.
Check the firewall and block.

Max, where is the mail not from your server?

Code:

postqueue: warning: Mail system is down -- accessing queue directly mail queue is emply.
Do you really use exim, or is it postfix?
mailq --help
Can you show the output?

The result is


mailq: invalid option -- '-'
mailq: invalid option -- '-'
mailq: fatal: usage: mailq [options]


or

mailq -help
postqueue: warning: Mail system is down -- accessing queue directly
Mail queue is empty


Please suggest.

Re: block incoming SMTP, while only allowing outbound connec

Posted: Fri Mar 20, 2015 4:23 am
by 30874
An admin from Digital Ocean suggested this, and I can't find a way to find where it comes from.

---
Hello

It's quite possible that your droplet was compromised and then used maliciously by a third party to conduct mailing operations.

It would be up to you and your system administrator to determine the source of the compromise and fix it.

Let us know if you have any other questions or feedback.

Best Regards
DigitalOcean Support
---

Please help for this.
Best regards,
Max

Re: block incoming SMTP, while only allowing outbound connec

Posted: Fri Mar 20, 2015 6:44 am
by skurudo
It's possible. Check your exim - service exim stop - and then - service exim start.
And change the passwords for the root and admin users.