
Outbound spam seems to originate from mailscanner

Posted: 16 May 2020, 20:07
by rvencu
I have installed MailScanner FE and recently I started to notice outbound spam from one of the accounts.

Going to the logs, I found this:

grep 1ja0kz-0004qR-E2 /var/log/exim_mainlog
2020-05-16 20:37:53 1ja0kz-0004qR-E2 <= oriental@webtop.vra.ro U=oriental P=local S=1293 id=c223b0bbd40485862c2a0e1ce12259ce@orientalis.ro T="[Shared Post] Privacy Policy" for 1750380179@qq.com
2020-05-16 20:37:59 cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1ja0kz-0004qR-E2
2020-05-16 20:37:59 1ja0kz-0004qR-E2 Sender identification U=oriental D=orientalis.ro S=noreply@orientalis.ro
2020-05-16 20:37:59 1ja0kz-0004qR-E2 SMTP connection outbound 1589650679 1ja0kz-0004qR-E2 orientalis.ro 1750380179@qq.com
2020-05-16 20:38:03 1ja0kz-0004qR-E2 ** 1750380179@qq.com R=lookuphost T=remote_smtp H=mx3.qq.com [203.205.219.57] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after end of data: 550 Mailbox unavailable or access denied [MLq1b27YPAsqEXo9ximTXMe0MbNNInoPx+egkUQW+0FulhgKQ/CQJsz992TQrHIQVA== IP: 91.194.30.144].
2020-05-16 20:38:03 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1ja0kz-0004qR-E2
2020-05-16 20:38:03 1ja0l9-0004rg-9Y <= <> R=1ja0kz-0004qR-E2 U=mailnull P=local S=3203 T="Mail delivery failed: returning message to sender" for oriental@webtop.vra.ro
2020-05-16 20:38:03 1ja0kz-0004qR-E2 Completed

Where the source of the spam seems to be a local script, actually /var/spool/MailScanner/incoming

Did someone encounter this before?

Re: Outbound spam seems to originate from mailscanner

Posted: 16 May 2020, 21:22
by Sarah
That doesn't mean that MailScanner sent it; I believe that line is going to be there for every email that MailScanner processes. Exim may not be reporting the actual script used because it is a retry or a bounce message. You might want to search for other emails sent by that user to see if they contain different information, or check MailControl for the headers for more information.
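
One way to carry out the search suggested above, as an added example that is not part of the thread: the `cwd=` line exim writes when a submitting process starts carries no message ID, so a grep on the ID only shows the later MailScanner `-Mc` hand-off. The hypothetical function `submitters_for_user` pairs each local arrival (`<=` with `P=local`) for a user with the nearest preceding `cwd=` outside `/var/spool`, which is a heuristic on a busy server; all IDs, paths and addresses in the sample are constructed.

```bash
#!/usr/bin/env bash
# Constructed sample in exim_mainlog format (hypothetical IDs, paths, addresses).
sample_log() {
cat <<'EOF'
2020-05-16 20:37:50 cwd=/home/exampleuser/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2020-05-16 20:37:53 1exmpl-0000aa-01 <= exampleuser@host.example.com U=exampleuser P=local S=1293 T="constructed subject" for a@example.net
2020-05-16 20:37:59 cwd=/var/spool/MailScanner/incoming 5 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -Mc 1exmpl-0000aa-01
2020-05-16 20:38:03 cwd=/var/spool/exim 9 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -t -oem -oi -f <> -E1exmpl-0000aa-01
2020-05-16 20:38:03 1exmpl-0000aa-02 <= <> R=1exmpl-0000aa-01 U=mailnull P=local S=3203 T="Mail delivery failed: returning message to sender" for exampleuser@host.example.com
2020-05-16 20:40:10 cwd=/home/exampleuser/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2020-05-16 20:40:11 1exmpl-0000aa-03 <= exampleuser@host.example.com U=exampleuser P=local S=1301 T="constructed subject" for b@example.net
2020-05-16 20:41:00 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2020-05-16 20:41:01 1exmpl-0000aa-04 <= otheruser@host.example.com U=otheruser P=local S=900 T="constructed" for c@example.net
2020-05-16 20:42:00 cwd=/home/exampleuser/cron jobs 4 args: /usr/sbin/sendmail -t -i -fx
2020-05-16 20:42:01 1exmpl-0000aa-05 <= exampleuser@host.example.com U=exampleuser P=local S=700 T="constructed" for d@example.net
EOF
}

# Usage: submitters_for_user USER < exim_mainlog
# Prints "count<TAB>directory" for each working directory, busiest first.
submitters_for_user() {
  awk -v user="$1" '
    # Process-start line: keep the directory unless it is spool handling
    # (MailScanner re-queue, bounce generation), which every message gets.
    $3 ~ /^cwd=/ {
      rest = substr($0, index($0, "cwd=") + 4)
      if (match(rest, / [0-9]+ args:/)) {
        dir = substr(rest, 1, RSTART - 1)      # keeps paths with spaces
        if (dir !~ /^\/var\/spool\//) last = dir
      }
      next
    }
    # Arrival of a locally submitted (non-SMTP) message from the chosen user.
    $4 == "<=" && index($0, " U=" user " ") && index($0, " P=local ") {
      d = (last == "") ? "(unknown)" : last
      count[d]++
      last = ""                                # one submission per cwd line
    }
    END { for (d in count) printf "%d\t%s\n", count[d], d }
  ' | sort -rn
}

sample_log | submitters_for_user exampleuser
```

On the server from the post this would be run as `submitters_for_user oriental < /var/log/exim_mainlog`; a web directory at the top of the list points to the script worth inspecting.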

Re: Outbound spam seems to originate from mailscanner

Posted: 03 Jul 2020, 11:25
by paxosglyfadabeach
Thanks :)