I woke up this morning to 10000 emails in my one account. I am deleting them as fast as possible but they keep pouring in. Can anyone tell me what to do to resolve this issue. I also changed the password on the account just in case it got stolen.
Assuming that you are serving your domain’s DNS with MiaB there is not a lot that you can do sadly. Someone is sending spam pretending to be from you. The returned email notifications are likely a result of the system working as intended by the recipient’s email system blocking the messages. Of course, you are still going to receive the back scatter. 
If you are using external DNS then you need to be sure that your DKIM, DMARC, SPF, etc. records are active.
Unfortunately, there is no way to stop bad actors.
You have reviewed the headers to be absolutely certain that your system was not compromised, right?
There are so many messages am not sure where to start. I have over 10000 of these messages right now and am not sure what to do to keep the box from getting over run.
I did not put in DKIM, DMSRC, SPF records in my DNS but that has not been a problem for a year? I am not serving my domain dns from MIAB. It is served via another dns provider. I can go add those but am not familiar with those settings in DNS…
Is there anything I can do to stop this?,
Is there a command to tell my miab server to stop trying to send these as they also come back that they will be retried until 2 days have passed…
This is the mail system at host box.fullmoonmanor.net.
I’m sorry to have to inform you that your message could not
be delivered to one or more recipients. It’s attached below.
I have seen others suggest to delete that email account. It will stop the incoming flood of messages. I do not know from personal experience if that is a good or a bad idea.
You can always add the email account back in a few days. Deleting the account in the admin area will not remove the emails from the system. That needs to be done manually, so it is safe to delete the account and not worry about lost previous emails.
YOU DEFINITELY want to add those records to your External DNS provider’s zone file. The records you need are all found in the System>External DNS section of the admin area. Although at this point it is probably too late to be effective against this round of spam. You may also want to send an abuse report against the spammers provider.
They are sending the messages with me listed as the sender. I thought mailinabox would not allow mail or accept mail to be sent with my account as the from without authenticating during the send?
I will delete the account as you suggest as well.
2 ways …
Anyone can say that they are anyone and send email using another email server. This is called spoofing. The method of fighting them is through the DNS records that you have not enabled.
Properly configured email servers do not allow mail relaying – sending mail from your box claiming to be from someone else. The method of fighting this is by requiring authentication to send email - which MiaB does.
Did you look at the headers of the emails to determine if they compromised your MiaB or if they are simply forging your return address?
I am not sure how to tell this-I am in no way a mail expert. I have pasted one of them below if it helps:
This is the mail system at host box.fullmoonmanor.net. I’m sorry to have to inform you that your message could not be delivered to one or more recipients. It’s attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system <turris11@virgilio.it>: host smtp-in.virgilio.it[213.209.1.130] said: 550 Invalid Recipient <turris11@virgilio.it> [smtp-37.iol.local; VIR_520] (in reply to RCPT TO command)
Reporting-MTA: dns; box.fullmoonmanor.net X-Postfix-Queue-ID: 029CF69231 X-Postfix-Sender: rfc822; tony@dahbura.com Arrival-Date: Wed, 26 Dec 2018 08:42:53 -0500 (EST) Final-Recipient: rfc822; turris11@virgilio.it Original-Recipient: rfc822;turris11@virgilio.it Action: failed Status: 5.0.0 Remote-MTA: dns; smtp-in.virgilio.it Diagnostic-Code: smtp; 550 Invalid Recipient <turris11@virgilio.it> [smtp-37.iol.local; VIR_520]
that make you prepared to become her #1.eml
Subject:
that make you prepared to become her #1
From:
“CANADIAN PHARMACY” <tony@dahbura.com>
Date:
12/26/18, 8:42 AM
To:
bazzawilson11@hotmail.com, djfarm11@gmail.com, bbevan11@excite.com, mhartwill11@comcast.net, pharma11@chemixjp.co.jp, turris11@virgilio.it, djelida11@hotmail.com
Good sexual life is a foundation of happy relationship and ever-lasting marriage. One out five marriages fails due to husband’s bad sexual performance. Don’t be the one to fail, fight your Erectile Dysfunction right now by using one of the new and safe cures. Get your help right now and purchase yourself a cure that will bring you back on a track to your joy and happiness. Additionally, we present you a bonus 75% rebate on all our treatments if you apply your exclusive coupon: x8qelu7r during checkout process. Happy shopping! -http://vamasilks.com/wp-content/plugins/woocommerce/includes/api/o_falcated_instructress.html
I am also getting a ton of these:
This is the mail system at host box.fullmoonmanor.net. #################################################################### # THIS IS A WARNING ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. # #################################################################### Your message could not be delivered for more than 3 hour(s). It will be retried until it is 2 day(s) old. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system <bowes0433@aol.com>: delivery temporarily suspended: lost connection with mx-aol.mail.gm0.yahoodns.net[98.137.157.43] while sending RCPT TO
Reporting-MTA: dns; box.fullmoonmanor.net X-Postfix-Queue-ID: E70166BB80 X-Postfix-Sender: rfc822; tony@dahbura.com Arrival-Date: Wed, 26 Dec 2018 10:45:24 -0500 (EST) Final-Recipient: rfc822; bowes0433@aol.com Original-Recipient: rfc822;bowes0433@aol.com Action: delayed Status: 4.4.2 Diagnostic-Code: X-Postfix; delivery temporarily suspended: lost connection with mx-aol.mail.gm0.yahoodns.net[98.137.157.43] while sending RCPT TO Will-Retry-Until: Fri, 28 Dec 2018 10:45:24 -0500 (EST)
Return-Path: <tony@dahbura.com> Received: from authenticated-user (box.fullmoonmanor.net [34.239.193.170]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by box.fullmoonmanor.net (Postfix) with ESMTPSA id E70166BB80; Wed, 26 Dec 2018 10:45:24 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dahbura.com; s=mail; t=1545839134; bh=vMyLkFC9bfhxv9PdliL9NRZMf63869IpqUmjRca0SeQ=; h=Date:Subject:From:To:Cc:From; b=Abj5AWSOxkffPd5i9SVWVwArEWKT6RGuApkVaHMO2rf0C617K087rRM09QZXrJGGH sxxpQSRYE7yjGWpAk3emze3JILat/x+PfSqliLcBRCvHD80DU/rQjAbGDsHsZQl2Hf InV4l/V5lN4D5rzuhn7baf1kjF/4za2YiyfOPx2gtYh/JPQ5SlWiutw9R6RoxNUgTw UMFgYM3OafR2v2OCr7GuSLpN8IOV//t/1oU3e7IaKHW12nAHcX7aZ7TH36w/CVUqkF EDSfVfh7r9SsbOBuqpCN6ZZy9JDdBYVbpcBDKY6V9JwRhW61+hb2Ko17Ah9X+52Tjl XLse5LwPHfZeA== Date: Wed, 26 Dec 2018 16:45:33 +0100 Subject: ONLINE STORE WEBSITE - that denote an opportunity new 70% From: “CANADIAN PHARMACY” <tony@dahbura.com> To: takanori432@gmail.com Cc: nan_433@hotmail.com, amadoreynald433@gmail.com, jcaskey433@gmail.com, ekirchner433@comcast.net, bowes0433@aol.com, jreesela433@gmail.com, mdwatkinsb433@sbcglobal.net Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Message-ID: <vutpdtf-8lmqhf-11@dahbura.com>
This can be almost completely mitigated with proper DKIM, SPF, and DMARC DNS records. Assuming MIAB is the one hosting those, then this should not be happening. Though unfortunately not all SMTP servers check for those so it’s hit or miss.
Yea - AOL and Yahoo servers mentioned in the same email? Someone is definitely trying to spoof your stuff. I would confirm all users are secure and that no one else has access to your system.
I setup the DKIM, SPF, and DMARC records in my external dns provider.
I reset all passwords on the accounts.
I am now getting a lot of Delayed Mail (still being retried). Is this message coming from an upstream server and not my MIAB? I guess these will just timeout over time and this will all subside?
BTW thanks for the rapid assistance on this as I am still trying to figure out what I woke up to this am.
According to the message you copied in a previous post, it is coming from AOL / Yahoo. (Are you relaying through Yahoo??
I hope not. Not sure what I would have done to relay through them? I only have my MIAB server. Do you have some ideas that I can look into and how to stop it if it is doing it?
If you didn’t manually set up relaying then it’s not doing it. It’s not a default feature.
That said, if someone is spoofing email, just make sure you have a proper SPF and DKIM record: https://mxtoolbox.com/spf.aspx
The records are there and came back with check marks. Not sure what else to do. The messages keep coming in and now I cannot mail anyone at Google.com. Sent an email to their postmaster but not sure what else to do?
Still getting messages that say Undelivered Mail Returned to Sender. The actual message being returned has today’s date… is there something else to check that could still be allowing these to send?
It takes time to rebuild a trust reputation with an ESP after a domain/smtp server has sent spam. Also you are on AWS, it has a really low trust rating with many ESPs,
As the bounce messages state, email will be retried until it is 2 days old … so for 2 days from when the spam happened expect these emails to continue.
Two things of note here.
1 You’ve posted your email address when you posted the mail info. One thing I always recommend is masking at least the local part (when I’m doing diagnostics I prefer the domain to be visible mind you)
Spammers have web bots crawling public forums looking for email addresses. So by posting your full address you’re inviting a whole heap of misery on yourself.
- If you are running a mail server, you owe it to yourself to learn how email works and how best to secure it. My advice is start small and learn a little at a time. While MIAB is designed to make running an email server easy, understanding some of the core concepts can be extremely beneficial to you when things go wrong.
3, There’s been some bad advice given here and part of it is down to the confusing nature of some of the Non Delivery Reports. Lets have a look at the AOL one in particular.
First thing to note is that AOL and Yahoo emails have merged. (And no I didn’t know this until today).
Evidence of this can be found first of all by doing a DIG to determine AOL’s mail exchangers.
C:\Users\timdu>dig mx aol.com
; <<>> DiG 9.10.6-P1 <<>> mx aol.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35920
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;aol.com. IN MX
;; ANSWER SECTION:
aol.com. 26 IN MX 10 mx-aol.mail.gm0.yahoodns.net.
;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Dec 29 03:49:46 GMT Standard Time 2018
;; MSG SIZE rcvd: 80
Straight away we can see the server name quoted as the one that lost connection in the NDR.
Further discussion of the merger can be found on the web with a quick search.
(Note: there are also some more disturbing consequences of this merger but I’d rather stay on point.)
So the first thing I see is that the NDR was a result of box.fullmoonmanor.net losing contact with mx-aol.mail.gm0.yahoodns.net. during an attempt to send mail. This can happen as a result of graylisting or a server fault at AOL’s end (however I suspect it’s a deliberate anti spam feature that attempts to tie up an email server believed to be serving spam).
Because of the way email works, if a connection can’t be made your server keeps trying to deliver the mail until either.
- The mail exchanger accepts delivery.
- The retry queue on your mail server expires, at which point a final NDR is sent notifying the sender of this.
The email is quite clearly spam but lets have a look at the headers.
It doesn’t help that the CR/LF pairs are missing so I’m going to repost the headers to make them clearer.
Return-Path: <****@dahbura.com>
Received: from authenticated-user (box.fullmoonmanor.net [34.239.193.170])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested)
by box.fullmoonmanor.net (Postfix) with ESMTPSA id E70166BB80;
Wed, 26 Dec 2018 10:45:24 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dahbura.com; s=mail; t=1545839134;
bh=vMyLkFC9bfhxv9PdliL9NRZMf63869IpqUmjRca0SeQ=; h=Date:Subject:From:To:Cc:From;
b=Abj5AWSOxkffPd5i9SVWVwArEWKT6RGuApkVaHMO2rf0C617K087rRM09QZXrJGGH
sxxpQSRYE7yjGWpAk3emze3JILat/x +PfSqliLcBRCvHD80DU/rQjAbGDsHsZQl2Hf
InV4l/V5lN4D5rzuhn7baf1kjF/4za2YiyfOPx2gtYh/JPQ5SlWiutw9R6RoxNUgTw
UMFgYM3OafR2v2OCr7GuSLpN8IOV//t/1oU3e7IaKHW12nAHcX7aZ7TH36w/CVUqkF
EDSfVfh7r9SsbOBuqpCN6ZZy9JDdBYVbpcBDKY6V9JwRhW61+hb2Ko17Ah9X+52Tjl
XLse5LwPHfZeA==
Date: Wed, 26 Dec 2018 16:45:33 +0100
Subject: ONLINE STORE WEBSITE - that denote an opportunity new 70%
From: “CANADIAN PHARMACY” <****@dahbura.com> To: takanori432@gmail.com
Cc: nan_433@hotmail.com, amadoreynald433@gmail.com, jcaskey433@gmail.com,
ekirchner433@comcast.net, bowes0433@aol.com, jreesela433@gmail.com,
mdwatkinsb433@sbcglobal.net
Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8
Message-ID: <vutpdtf-8lmqhf-11@dahbura.com>
First thing to note is that the ONLY Received: header in the mail is from your box. There are no other servers in the mix. It makes it a bit confusing that the box domain and the email domain is different but a quick dig for the a record for dahbura.com. comes up with the same IP address as the servers.
C:\Users\timdu>dig a dahbura.com
; <<>> DiG 9.10.6-P1 <<>> a dahbura.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14916
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dahbura.com. IN A
;; ANSWER SECTION:
dahbura.com. 299 IN A 34.239.193.170
;; Query time: 43 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Dec 29 04:09:44 GMT Standard Time 2018
;; MSG SIZE rcvd: 56
The DKIM header in the mail is also what I expect to see added by an MIAB server.
From the above - I conclude that this is NOT SPOOFING. The dahbura.com email address has been compromised and your server is being used to send out spam.
You need to change the password for the account in the first instance. And you also need to make sure that you’ve taken the necessary steps to lock down your server such as setting up SSH keys and removing password logins to your VPS.
Tim
TL:DR version - you’ve been hacked.
1 Like
I wanted to post this as a separate request to everyone in this thread.
Please take care NOT to jump to conclusions, I’ve been guilty of this myself on occasion, most notably when I said Virgin Media wasn’t blocking someone’s connection to an email host when they were (although in my defence the user involved had failed to post up some information I’d asked for previously), and it was done inadvertantly by use of diverting DNS to a proxy on Virgin’s web safe system
It’s important to gather evidence but more importantly to review the evidence carefully. I’d be the last one to tell someone they’ve been hacked when they haven’t, but conversely telling someone that spammers are spoofing an email address when the evidence suggests a hacked email server instead is equally unhelpful.
The merger of AOL and Yahoo may well have confused things here, but the headers on the outbound mail speak for themselves.
Tim
Thanks for the explanation. My initial investigation during the event was determined to be that the email account had been compromised. Problem was the amount of mail coming and going was in such high numbers troubleshooting became overwhelming. Thanks again for the great input and advice.