Outbound spam seems to originate from mailscanner

rvencu
Junior Member
Posts: 1
Joined: 16 May 2020, 20:03

Outbound spam seems to originate from mailscanner

Post by rvencu »

I have installed MailScanner FE, and recently I started to notice outbound spam from one of the accounts.

Going to the logs, I found this:

grep 1ja0kz-0004qR-E2 /var/log/exim_mainlog
2020-05-16 20:37:53 1ja0kz-0004qR-E2 <= oriental@webtop.vra.ro U=oriental P=local S=1293 id=c223b0bbd40485862c2a0e1ce12259ce@orientalis.ro T="[Shared Post] Privacy Policy" for 1750380179@qq.com
2020-05-16 20:37:59 cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1ja0kz-0004qR-E2
2020-05-16 20:37:59 1ja0kz-0004qR-E2 Sender identification U=oriental D=orientalis.ro S=noreply@orientalis.ro
2020-05-16 20:37:59 1ja0kz-0004qR-E2 SMTP connection outbound 1589650679 1ja0kz-0004qR-E2 orientalis.ro 1750380179@qq.com
2020-05-16 20:38:03 1ja0kz-0004qR-E2 ** 1750380179@qq.com R=lookuphost T=remote_smtp H=mx3.qq.com [203.205.219.57] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after end of data: 550 Mailbox unavailable or access denied [MLq1b27YPAsqEXo9ximTXMe0MbNNInoPx+egkUQW+0FulhgKQ/CQJsz992TQrHIQVA== IP: 91.194.30.144].
2020-05-16 20:38:03 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1ja0kz-0004qR-E2
2020-05-16 20:38:03 1ja0l9-0004rg-9Y <= <> R=1ja0kz-0004qR-E2 U=mailnull P=local S=3203 T="Mail delivery failed: returning message to sender" for oriental@webtop.vra.ro
2020-05-16 20:38:03 1ja0kz-0004qR-E2 Completed

The source of the spam seems to be a local script, actually /var/spool/MailScanner/incoming.

Has anyone encountered this before?
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Re: Outbound spam seems to originate from mailscanner

Post by Sarah »

That doesn't mean that MailScanner sent it; I believe that line is going to be there for every email that MailScanner processes. Exim may not be reporting the actual script used because it is a retry or a bounce message. You might want to search for other emails sent by that user to see if they contain different information, or check MailControl for the headers for more information.
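
One way to run the search suggested above, as an added example that is not part of the thread and not MailScanner or Exim code: it lists the messages a local account handed to Exim (the `<=` lines with `U=` and `P=local`) and labels the `cwd=` lines that name a message id by what the Exim invocation was doing, since `-Mc` is a delivery run on an already queued message and `-E` marks a locally generated bounce. The function names are hypothetical, and the sample input is copied from the log in the first post.

```python
import re

# Log lines copied from the first post (the remote delivery failure line is left out).
SAMPLE = '''\
2020-05-16 20:37:53 1ja0kz-0004qR-E2 <= oriental@webtop.vra.ro U=oriental P=local S=1293 id=c223b0bbd40485862c2a0e1ce12259ce@orientalis.ro T="[Shared Post] Privacy Policy" for 1750380179@qq.com
2020-05-16 20:37:59 cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1ja0kz-0004qR-E2
2020-05-16 20:38:03 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1ja0kz-0004qR-E2
2020-05-16 20:38:03 1ja0l9-0004rg-9Y <= <> R=1ja0kz-0004qR-E2 U=mailnull P=local S=3203 T="Mail delivery failed: returning message to sender" for oriental@webtop.vra.ro
'''.splitlines()

# Message ids in this log have the 6-6-2 form; other Exim versions may differ.
MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
ARRIVAL = re.compile(rf"^\S+ \S+ ({MSGID}) <= (\S+) (.*)$")
CWD = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (.*)$")
# Exim re-invokes itself with these options for messages it already holds.
ROLES = [(rf"-Mc ({MSGID})", "delivery of queued message"),
         (rf"-E({MSGID})", "bounce generation")]

def summarize(lines):
    """Map message id -> arrival fields and the exim invocations that name it."""
    msgs = {}
    for line in lines:
        if m := ARRIVAL.match(line):
            msgid, sender, rest = m.groups()
            f = dict(re.findall(r'\b([UPT])=("[^"]*"|\S+)', rest))
            entry = msgs.setdefault(msgid, {"invocations": []})
            entry.update(sender=sender, user=f.get("U"), proto=f.get("P"),
                         subject=f.get("T", "").strip('"'))
        elif m := CWD.match(line):
            cwd, args = m.groups()
            for pattern, role in ROLES:
                if hit := re.search(pattern, args):
                    msgs.setdefault(hit.group(1), {"invocations": []})
                    msgs[hit.group(1)]["invocations"].append((cwd, role))
    return msgs

def submitted_by(lines, user):
    """Ids of messages a local account handed to Exim (U=<user>, P=local)."""
    return [i for i, m in summarize(lines).items()
            if m.get("user") == user and m.get("proto") == "local"]

if __name__ == "__main__":
    for msgid in submitted_by(SAMPLE, "oriental"):
        print(msgid, summarize(SAMPLE)[msgid])
```

On a live server, pass the lines of /var/log/exim_mainlog instead of `SAMPLE` and compare the subjects and recipients of every message the account submitted.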
paxosglyfadabeach
Junior Member
Posts: 1
Joined: 03 Jul 2020, 11:21

Re: Outbound spam seems to originate from mailscanner

Post by paxosglyfadabeach »

Thanks :)