
Someone was able to hack my mail account



Please, if anyone knows how to stop this with postfix and amavisd-new, let me know!!!

I am clueless how someone outside $mynetworks was able to do it.

Here is the log:

Dec 10 15:14:35 mail dovecot: auth(default): new auth connection: pid=23648
Dec 10 15:14:37 mail dovecot: auth(default): new auth connection: pid=23649
Dec 10 15:14:37 mail postfix/smtpd[23649]: connect from 165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:38 mail postfix/smtpd[23649]: NOQUEUE: filter: RCPT from 165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]: <atienoalice kevinslair com>: Sender address triggers FILTER amavisfeed:[127.0.0.1]:10024; from=<atienoalice kevinslair com> to=<support kevinslair com> proto=ESMTP helo=<windowsb894c86>
Dec 10 15:14:39 mail postfix/smtpd[23649]: 985869EAA9: client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:40 mail postfix/cleanup[23653]: 985869EAA9: message-id=<001501ca79dd$cc8a4ef0$7f000001 windowsb894c86>
Dec 10 15:14:40 mail postfix/qmgr[2538]: 985869EAA9: from=<atienoalice kevinslair com>, size=917, nrcpt=1 (queue active)
Dec 10 15:14:40 mail postfix/smtpd[23649]: disconnect from 165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:41 mail dovecot: auth(default): new auth connection: pid=23658
Dec 10 15:14:41 mail postfix/smtpd[23658]: connect from localhost.localdomain[127.0.0.1]
Dec 10 15:14:41 mail postfix/smtpd[23658]: 3D8869EAAC: client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:41 mail postfix/cleanup[23653]: 3D8869EAAC: message-id=<001501ca79dd$cc8a4ef0$7f000001 windowsb894c86>
Dec 10 15:14:41 mail postfix/smtpd[23658]: disconnect from localhost.localdomain[127.0.0.1]
Dec 10 15:14:41 mail postfix/qmgr[2538]: 3D8869EAAC: from=<atienoalice kevinslair com>, size=2621, nrcpt=1 (queue active)
Dec 10 15:14:41 mail postfix/smtp[23654]: 985869EAA9: to=<support kevinslair com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.4, delays=2.1/0.02/0.01/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=22280-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3D8869EAAC)
Dec 10 15:14:41 mail postfix/qmgr[2538]: 985869EAA9: removed
Dec 10 15:14:41 mail spamd[2472]: spamd: connection from localhost.localdomain [127.0.0.1] at port 33537
Dec 10 15:14:41 mail spamd[2472]: spamd: setuid to kevin succeeded
Dec 10 15:14:41 mail spamd[2472]: spamd: processing message <001501ca79dd$cc8a4ef0$7f000001 windowsb894c86> for kevin:502
Dec 10 15:14:42 mail spamd[2472]: spamd: clean message (-98.2/5.0) for kevin:502 in 1.2 seconds, 2731 bytes.
Dec 10 15:14:42 mail spamd[2472]: spamd: result: . -98 - BAYES_50,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,STOX_REPLY_TYPE,USER_IN_WHITELIST scantime=1.2,size=2731,user=kevin,uid=502,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33537,mid=<001501ca79dd$cc8a4ef0$7f000001 windowsb894c86>,bayes=0.499810,autolearn=no
Dec 10 15:14:42 mail spamd[2460]: prefork: child states: II
Dec 10 15:14:43 mail postfix/local[23659]: 3D8869EAAC: to=<kevin kevinslair com>, orig_to=<support kevinslair com>, relay=local, delay=1.8, delays=0.47/0.01/0/1.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
Dec 10 15:14:43 mail postfix/qmgr[2538]: 3D8869EAAC: removed


The amavisd-new log just shows that it was passed. The IP address 88.26.49.165 is not in $mynetworks, and I am confused how it allowed it to send. I really don't want any more email going out of my server as spam. Also, I don't have a user with the atienoalice kevinslair com email address.



These are the message headers:

Start of headers --

From - Thu Dec 10 15:18:06 2009
X-Account-Key: account2
X-UIDL: 000070314a016525
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <atienoalice kevinslair com>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail.kevinslair.com
X-Spam-Level:
X-Spam-Status: No, score=-98.2 required=5.0 tests=BAYES_50,RCVD_IN_PBL,
RCVD_IN_SORBS_DUL,STOX_REPLY_TYPE,USER_IN_WHITELIST autolearn=no version=3.2.5
X-Original-To: support kevinslair com
Delivered-To: support kevinslair com
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mail.kevinslair.com (Postfix) with ESMTP id 3D8869EAAC
	for <support kevinslair com>; Thu, 10 Dec 2009 15:14:41 -0500 (EST)
X-Amavis-Modified: Mail body modified (using disclaimer) - mail.kevinslair.com
X-Virus-Scanned: amavisd-new at kevinslair.com
Received: from mail.kevinslair.com ([127.0.0.1])
	by localhost (mail.kevinslair.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id cMKr6GHgfe-F for <support kevinslair com>;
	Thu, 10 Dec 2009 15:14:40 -0500 (EST)
Received: from windowsb894c86 (165.Red-88-26-49.staticIP.rima-tde.net [88.26.49.165])
	by mail.kevinslair.com (Postfix) with ESMTP id 985869EAA9
	for <support kevinslair com>; Thu, 10 Dec 2009 15:14:38 -0500 (EST)
Message-ID: <001501ca79dd$cc8a4ef0$7f000001 windowsb894c86>
From: "Atieno Alice" <atienoalice kevinslair com>
To: <support kevinslair com>
Subject: First class male desire promotion, Heat up your intimating
Date: Thu, 10 Dec 2009 21:14:36 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	format=flowed;
	charset="koi8-r";
	reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-Spam: Not detected
X-Mras: Ok

Bring harmony in your night in-outs, Bone-on to be prolonged.

http://profiles.yahoo.com/blog/CKQKWB7FSAAT4LWZ7UQGKDUGUA

END of headers --

Please, someone help!!!!

Thanks,
Kevin


Mail Service Provided by:
Kevins Lair, Ent
mailto:kevin kevinslair com
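As an added example (not Kevin's code, and nothing from the postfix or amavisd-new projects), a small Python script that reads a postfix log the way a defender would read the one above: it ties the smtpd, qmgr and smtp/local entries together by queue ID, then reports for each message whether a local-domain envelope sender arrived from a client outside $mynetworks and whether the message was relayed off the server or only delivered locally. MYNETWORKS, LOCAL_DOMAINS and the "@" restored in the sample addresses (the list archive strips it) are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Assumptions (not from the post): the server's $mynetworks and its local domain.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"kevinslair.com"}

# Constructed sample: key lines from the post, one entry per line, "@" restored by assumption.
SAMPLE_LOG = """\
Dec 10 15:14:39 mail postfix/smtpd[23649]: 985869EAA9: client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:40 mail postfix/qmgr[2538]: 985869EAA9: from=<atienoalice@kevinslair.com>, size=917, nrcpt=1 (queue active)
Dec 10 15:14:41 mail postfix/smtp[23654]: 985869EAA9: to=<support@kevinslair.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3D8869EAAC)
Dec 10 15:14:41 mail postfix/smtpd[23658]: 3D8869EAAC: client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:41 mail postfix/qmgr[2538]: 3D8869EAAC: from=<atienoalice@kevinslair.com>, size=2621, nrcpt=1 (queue active)
Dec 10 15:14:43 mail postfix/local[23659]: 3D8869EAAC: to=<kevin@kevinslair.com>, orig_to=<support@kevinslair.com>, relay=local, delay=1.8, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
"""
QID = r"(?P<qid>[0-9A-F]+): "  # postfix queue ID that ties the entries of one message together
RX_CLIENT = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r"client=\S*\[(?P<ip>[\d.]+)\]")
RX_FROM = re.compile(r"postfix/qmgr\[\d+\]: " + QID + r"from=<(?P<addr>[^>]*)>")
RX_DELIV = re.compile(r"postfix/(?:smtp|local|virtual|lmtp)\[\d+\]: " + QID + r"to=<[^>]*>.*?relay=(?P<relay>[^,\s]+).*?status=(?P<status>\w+)")

def internal_hop(relay):
    # Local delivery, or a loopback hop such as the amavisd-new content filter on port 10024.
    m = re.search(r"\[([\d.]+)\]", relay)
    return relay in ("local", "virtual") or (m is not None and ip_address(m.group(1)).is_loopback)

def parse_log(text):
    """Group the smtpd client, qmgr sender and smtp/local delivery entries by queue ID."""
    msgs = defaultdict(lambda: {"client": None, "sender": "", "deliveries": []})
    for line in text.splitlines():
        if m := RX_CLIENT.search(line):
            msgs[m["qid"]]["client"] = m["ip"]
        elif m := RX_FROM.search(line):
            msgs[m["qid"]]["sender"] = m["addr"]
        elif m := RX_DELIV.search(line):
            msgs[m["qid"]]["deliveries"].append((m["relay"], m["status"]))
    return dict(msgs)

def assess(text):
    """Per queue ID: did an outside client use a local-domain sender, and did the mail leave the server?"""
    report = {}
    for qid, d in parse_log(text).items():
        domain = d["sender"].rpartition("@")[2].lower()
        outside = d["client"] is not None and not any(ip_address(d["client"]) in n for n in MYNETWORKS)
        report[qid] = {"client": d["client"],
                       "spoofed_local_sender": outside and domain in LOCAL_DOMAINS,
                       "relayed_out": any(st == "sent" and not internal_hop(r) for r, st in d["deliveries"])}
    return report
```

Running assess(SAMPLE_LOG) marks both queue IDs as a local-domain sender from an outside client with relayed_out False, since the only hops are the loopback content filter and relay=local; a message that is handed to an outside MX would come back with relayed_out True.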
