Archive for the ‘Qmail’ Category

To check the number of messages in the queue:

[root@vs-boa ~]# /var/qmail/bin/qmail-qstat
messages in queue: 1970
messages in queue but not yet preprocessed: 0

To list the queued messages:

[root@vs-boa ~]# /var/qmail/bin/qmail-qread

6 Apr 2016 01:21:35 GMT #103844 2808 <>
remote sperrung@mastercard.de
6 Apr 2016 01:23:33 GMT #104718 2642 <>
remote support@mastercard.de
6 Apr 2016 01:22:56 GMT #104442 2788 <>
remote support@mastercard.de
6 Apr 2016 01:16:09 GMT #102004 2823 <>
remote sperrung@mastercard.de
6 Apr 2016 01:20:13 GMT #103522 2814 <>
remote sperrung@mastercard.de
6 Apr 2016 01:17:21 GMT #102418 2794 <>
remote support@mastercard.de
6 Apr 2016 01:18:54 GMT #102924 2798 <>
remote support@mastercard.de
6 Apr 2016 01:13:36 GMT #101084 2826 <>
remote info@mastercard.de
6 Apr 2016 01:26:41 GMT #103430 2787 <>
remote support@mastercard.de
6 Apr 2016 01:19:31 GMT #103246 2866 <>
remote support@mastercard.de

Here the number starting with # is the message ID.

[root@vs-boa ~]# find /var/qmail/queue -iname 102418
/var/qmail/queue/info/22/102418
/var/qmail/queue/mess/22/102418
/var/qmail/queue/remote/22/102418

The file /var/qmail/queue/mess/22/102418 contains the queued message itself (headers and body); the info/ and remote/ entries hold its envelope sender and remote recipients.

[root@vs-boa ~]# cat /var/qmail/queue/mess/22/102418
Received: (qmail 16833 invoked for bounce); 6 Apr 2016 01:17:21 -0000
Date: 6 Apr 2016 01:17:21 -0000
From: MAILER-DAEMON@*************
To: support@mastercard.de
Subject: failure notice

Hi. This is the qmail-send program at*************.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<cornelia.buser@web.de>:
User and password not set, continuing without authentication.
212.227.17.8 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 212.227.17.8.

--- Below this line is a copy of the message.

Return-Path: <support@mastercard.de>
Received: (qmail 16824 invoked by uid 0); 6 Apr 2016 01:17:21 -0000
Received: from unknown (HELO localhost.localdomain) (charity@************@XXXX.)
by ************* with ESMTPA; 6 Apr 2016 01:17:21 -0000
Date: Wed, 6 Apr 2016 11:25:10 +0200
Return-Path: <support@mastercard.de>
To: cornelia.buser@web.de
From: MasterCard <support@mastercard.de>
Subject: Phishing-Attacke auf Ihrer MasterCard festgestellt!
Message-ID: <695b595d28e3accca7f498e1d8537870@localhost.localdomain>
X-Priority: 3
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)

=================

This means an email was sent from support@mastercard.de to cornelia.buser@web.de. As the recipient address does not exist, delivery failed and the bounce came back to support@mastercard.de. Neither web.de nor mastercard.de belongs to our server. As already noted, the local account charity@************ (visible in the Received: header of the bounced copy, authenticated via ESMTPA) was used to send the spam from XX.XX.XX.XX. To confirm this, we check the logs.
------------------

Find the spammer

------------------

[root@vs-boa log]# cd /var/log
[root@vs-boa log]# grep -irl XX.XX.XX.XX .
./messages
./kloxo/smtp.log
./kloxo/maillog-7

CHKUSER relaying rcpt: from <support@mastercard.de:charity@************:> remote rcpt <danieldb@XXXX.net> : client allowed to relay
CHKUSER relaying rcpt: from <support@mastercard.de:charity@************:> remote rcpt <Daniel_Polsfuhs@XXXX.de> : client allowed to relay
CHKUSER relaying rcpt: from <support@mastercard.de:charity@************:> remote rcpt <orbb2@XXXX..com> : client allowed to relay
CHKUSER relaying rcpt: from <support@mastercard.de:charity@************:> remote rcpt <raithel9@XXXX..com> : client allowed to relay

[root@vs-boa log]# grep XX.XX.XX.XX kloxo/maillog-7

Apr 6 02:28:28 vs-boa vpopmail[15940]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:28 vs-boa vpopmail[15947]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:29 vs-boa vpopmail[15959]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:29 vs-boa vpopmail[15966]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:30 vs-boa vpopmail[15979]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:30 vs-boa vpopmail[15987]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:31 vs-boa vpopmail[15999]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:32 vs-boa vpopmail[16006]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:32 vs-boa vpopmail[16015]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
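As an added example (not from the original post), a small POSIX shell/awk script that turns the two log formats above into counts: successful SMTP-AUTH logins per account and source IP from the vpopmail maillog, and relay permissions per authenticated user from the CHKUSER lines in smtp.log. The sample log lines, account names and IPs are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample lines in the vpopmail (maillog) and CHKUSER (smtp.log) formats shown above.
# Account names and IPs are placeholders, not values from the original page.
SAMPLE_MAILLOG='Apr  6 02:28:28 vs-boa vpopmail[15940]: vchkpw-smtp: (PLAIN) login success charity@example.test: 198.51.100.7
Apr  6 02:28:28 vs-boa vpopmail[15947]: vchkpw-smtp: (PLAIN) login success charity@example.test: 198.51.100.7
Apr  6 02:28:29 vs-boa vpopmail[15959]: vchkpw-smtp: (PLAIN) login success charity@example.test: 198.51.100.7
Apr  6 02:28:29 vs-boa vpopmail[15966]: vchkpw-smtp: (PLAIN) login success charity@example.test: 198.51.100.7
Apr  6 02:28:30 vs-boa vpopmail[15979]: vchkpw-smtp: (PLAIN) login success charity@example.test: 198.51.100.7
Apr  6 02:31:02 vs-boa vpopmail[16101]: vchkpw-smtp: (PLAIN) login success alice@example.test: 203.0.113.9
Apr  6 02:35:40 vs-boa vpopmail[16150]: vchkpw-smtp: password fail (pass: x) charity@example.test: 192.0.2.44'
SAMPLE_SMTPLOG='CHKUSER relaying rcpt: from <support@example.org:charity@example.test:> remote rcpt <u1@example.net> : client allowed to relay
CHKUSER relaying rcpt: from <support@example.org:charity@example.test:> remote rcpt <u2@example.net> : client allowed to relay
CHKUSER relaying rcpt: from <support@example.org:charity@example.test:> remote rcpt <u3@example.net> : client allowed to relay
CHKUSER relaying rcpt: from <bob@example.test:bob@example.test:> remote rcpt <u4@example.net> : client allowed to relay'

# auth_bursts THRESHOLD   (maillog lines on stdin)
# Prints "count account ip" for each (account, source IP) pair with at least THRESHOLD
# successful SMTP-AUTH logins, busiest first. One account authenticating several times a
# second from a single IP is the pattern the grep above uncovered.
auth_bursts() {
    awk -v thr="$1" '
        / vchkpw-smtp: .* login success / {
            acct = $(NF-1); sub(/:$/, "", acct)   # "login success <acct>: <ip>"
            n[acct " " $NF]++
        }
        END { for (k in n) if (n[k] >= thr) print n[k], k }' | sort -rn
}

# relay_counts THRESHOLD   (smtp.log lines on stdin)
# Counts relay permissions per authenticated user. CHKUSER logs "from <envelope:authuser:>",
# so the authenticated account is the second colon-separated field inside the brackets.
relay_counts() {
    awk -v thr="$1" '
        /CHKUSER relaying rcpt:/ && /client allowed to relay/ && match($0, /from <[^>]*>/) {
            split(substr($0, RSTART + 6, RLENGTH - 7), f, ":")
            n[f[2]]++
        }
        END { for (k in n) if (n[k] >= thr) print n[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE_MAILLOG" | auth_bursts 3    # 5 charity@example.test 198.51.100.7
printf '%s\n' "$SAMPLE_SMTPLOG" | relay_counts 2   # 3 charity@example.test
```

On a live box, replace the samples with `auth_bursts 20 < /var/log/kloxo/maillog` and `relay_counts 100 < /var/log/kloxo/smtp.log` and tune the thresholds to normal traffic.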

Fix

This means the password of the email account charity@************ was compromised (it became known to a third party) and the account was used to send out spam via the IP XX.XX.XX.XX. To stop this, change the password and block this IP.

=======================================================================================

Delete the mails from queue

To delete the spam, first filter the queue for the matching messages and then remove them.

egrep -ir "support@mastercard.de" /var/qmail/queue/mess
/var/qmail/queue/mess/17/105656:To: support@mastercard.de
/var/qmail/queue/mess/17/105656:Return-Path: <support@mastercard.de>
/var/qmail/queue/mess/17/105656:Return-Path: <support@mastercard.de>
/var/qmail/queue/mess/17/105656:From: MasterCard <support@mastercard.de>
/var/qmail/queue/mess/17/101125:To: support@mastercard.de
/var/qmail/queue/mess/17/101125:Return-Path: <support@mastercard.de>

egrep -ir "support@mastercard.de|www.sascho54@yahoo.de|Unser Sicherheitsteam hat Ihre Kreditkarte gesperrt" /var/qmail/queue/mess
/var/qmail/queue/mess/17/105656:To: support@mastercard.de
/var/qmail/queue/mess/17/105656:Return-Path: <support@mastercard.de>
/var/qmail/queue/mess/17/105656:Return-Path: <support@mastercard.de>
/var/qmail/queue/mess/17/105656:From: MasterCard <support@mastercard.de>
/var/qmail/queue/mess/17/100458:Subject: Unser Sicherheitsteam hat Ihre Kreditkarte gesperrt!
/var/qmail/queue/mess/17/101125:To: support@mastercard.de
/var/qmail/queue/mess/17/101125:Return-Path: <support@mastercard.de>

/usr/local/script/qmqtool -d -f "Unser Sicherheitsteam hat Ihre Kreditkarte gesperrt"

This deletes the matching spam messages. You can filter by email address as well.
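As an added example, not part of the original post: a read-only shell helper that does the egrep step above across the queue and resolves every hit to its message ID and its companion files in info/, local/ and remote/, so the list can be reviewed before it is handed to qmqtool -d. The miniature queue it is demonstrated on is constructed in a temporary directory; the pattern and addresses are placeholders.

```shell
#!/bin/sh
# queue_matches QUEUE_DIR PATTERN
# Lists every queued message whose mess/ file matches PATTERN (extended regex, case-insensitive)
# as "<id> <queue files>", covering info/, mess/, local/ and remote/. Read-only: nothing is removed.
queue_matches() {
    qdir=$1; pat=$2
    grep -rilE -- "$pat" "$qdir/mess" | while read -r f; do
        id=${f##*/}                           # message id = file name
        split=${f%/*}; split=${split##*/}     # hash split directory (e.g. 22)
        printf '%s' "$id"
        for sub in info mess local remote; do
            [ -f "$qdir/$sub/$split/$id" ] && printf ' %s/%s/%s' "$sub" "$split" "$id"
        done
        printf '\n'
    done | sort
}

# make_sample_queue DIR  -- constructed miniature of the qmail queue layout, for the demo only
# (the real queue is /var/qmail/queue; this one holds no real messages).
make_sample_queue() {
    d=$1
    for s in 17 22; do mkdir -p "$d/info/$s" "$d/mess/$s" "$d/local/$s" "$d/remote/$s"; done
    printf 'From: Example <support@example.org>\nSubject: Unser Sicherheitsteam hat Ihre Kreditkarte gesperrt!\n\nbody\n' > "$d/mess/22/102418"
    : > "$d/info/22/102418"; : > "$d/remote/22/102418"
    printf 'From: alice@example.test\nSubject: invoice\n\nlegitimate mail\n' > "$d/mess/22/102419"
    : > "$d/info/22/102419"; : > "$d/local/22/102419"
    printf 'From: Example <support@example.org>\nSubject: hello\n\nbody\n' > "$d/mess/17/100458"
    : > "$d/info/17/100458"; : > "$d/remote/17/100458"
}

# Demo run: first by the forged sender address, then by the phishing subject.
demo=$(mktemp -d)
make_sample_queue "$demo"
queue_matches "$demo" 'support@example.org'      # 100458 ... and 102418 ...
queue_matches "$demo" 'Kreditkarte gesperrt'     # 102418 only
rm -rf "$demo"
```

Run it as `queue_matches /var/qmail/queue 'pattern'` to get the same hit list the egrep above produces, one line per message; a legitimate message that merely mentions the address (like 102419 above, which does not match) stays out of the delete set.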
==================================================

That’s it 🙂