
For about 2 weeks now I have been receiving, from time to time (about 2-3 times per week), emails like these:

[screenshot of the emails]

What do I have:

  1. A VPS (webserver) with WordPress, configured to send emails via SMTP thanks to the WP SMTP Mail plugin.
  2. A VPS used only as a mail server.

What did I do:

  1. Upgraded WordPress and all the plugins.
  2. Checked for unrecognized or recently edited files. Didn't find anything suspicious.
  3. Installed Wordfence Security to check for vulnerabilities and for legit files with injected code. Nothing found.
  4. Changed the email password in the webserver.

The problem is that even after this, somebody seems to be sending emails via my webserver.

Here is, for example, what happened today; it's always a similar story. A few emails are sent...

# journalctl -fn 1000 | grep sakura
Sep 30 07:30:57 mail01 postfix/cleanup[4143]: 61A7FF93: message-id=<vw5uL7UMIQ0H5Fb7o3KoZF7NMQ73saNBhiLITT5fmo@www12052uj.sakura.ne.jp>
Sep 30 07:30:58 mail01 postfix/smtpd[4159]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:37:43 mail01 postfix/smtpd[4435]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:37:46 mail01 postfix/smtpd[4435]: 6D68EC3A: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:37:47 mail01 postfix/cleanup[4473]: 6D68EC3A: message-id=<aIjPxjvWOUhSbINj0zB2rS9Sv92eW6Kh873VboODnA@www12052uj.sakura.ne.jp>
Sep 30 08:37:47 mail01 postfix/smtpd[4435]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:39:12 mail01 postfix/smtpd[4435]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:39:14 mail01 postfix/smtpd[4435]: C1BECC3A: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:39:15 mail01 postfix/cleanup[4473]: C1BECC3A: message-id=<CdRJerGkONpdwo23q8vV7e8lYtGhEcme3KTcSgjU4Y@www12052uj.sakura.ne.jp>
Sep 30 08:39:16 mail01 postfix/smtpd[4435]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:42:20 mail01 postfix/smtpd[4486]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:42:23 mail01 postfix/smtpd[4486]: 3EC9C348: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:42:23 mail01 postfix/cleanup[4492]: 3EC9C348: message-id=<jY8O1Wpu5kkGl8FKQQkYWJYiwqSsfsD36JLVlw1Jv4@www12052uj.sakura.ne.jp>
Sep 30 08:42:24 mail01 postfix/smtpd[4486]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:42:53 mail01 postfix/smtpd[4486]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:42:55 mail01 postfix/smtpd[4486]: 81B33348: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:42:56 mail01 postfix/cleanup[4492]: 81B33348: message-id=<SKh0c00J1etjgOT64POgThsKKXVyfeeDaHBt0bkMLdo@www12052uj.sakura.ne.jp>
Sep 30 08:42:56 mail01 postfix/smtpd[4486]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:43:21 mail01 postfix/smtpd[4486]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:43:23 mail01 postfix/smtpd[4486]: E19F3C3A: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:43:24 mail01 postfix/cleanup[4492]: E19F3C3A: message-id=<CXXxWtGwZ4Cwy2NlxVO0z4eA0UMdQJ80VcUvGvqF7Q@www12052uj.sakura.ne.jp>
Sep 30 08:43:25 mail01 postfix/smtpd[4486]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:43:31 mail01 postfix/smtpd[4486]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:43:34 mail01 postfix/smtpd[4486]: 65E1F348: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:43:35 mail01 postfix/cleanup[4492]: 65E1F348: message-id=<vvTRnzhRlIAChmDmRsamI7LQVfvxyt0r2WUtQYUTo@www12052uj.sakura.ne.jp>
Sep 30 08:43:35 mail01 postfix/smtpd[4486]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:43:57 mail01 postfix/smtpd[4486]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:44:00 mail01 postfix/smtpd[4486]: 0890F348: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:44:00 mail01 postfix/cleanup[4492]: 0890F348: message-id=<efxLLPUEQRMqMkLAOIbyCWaJtlAeereJwU2ormaKOK0@www12052uj.sakura.ne.jp>
Sep 30 08:44:01 mail01 postfix/smtpd[4486]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:44:10 mail01 postfix/smtpd[4486]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:44:12 mail01 postfix/smtpd[4486]: E8A37C3A: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:44:13 mail01 postfix/cleanup[4492]: E8A37C3A: message-id=<9fnMFTPEpAUW5C1PLHxlApaiucMQOO77dp8UwX9dxU@www12052uj.sakura.ne.jp>
Sep 30 08:44:14 mail01 postfix/smtpd[4486]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:44:24 mail01 postfix/smtpd[4486]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:44:27 mail01 postfix/smtpd[4486]: 6738FF8E: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:44:28 mail01 postfix/cleanup[4492]: 6738FF8E: message-id=<b2cORcvDG9xmALsT019zmYoUdqY90LJqlScDWwq7fIw@www12052uj.sakura.ne.jp>
Sep 30 08:44:28 mail01 postfix/smtpd[4486]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:44:36 mail01 postfix/smtpd[4486]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:44:38 mail01 postfix/smtpd[4486]: C49AB348: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:44:39 mail01 postfix/cleanup[4492]: C49AB348: message-id=<fWGmOWECMsY2AxCZpT6V31QHEi5mFQMrsK5JL4m3A@www12052uj.sakura.ne.jp>
Sep 30 08:44:40 mail01 postfix/smtpd[4486]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:18 mail01 postfix/smtpd[4713]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:18 mail01 postfix/smtpd[4704]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:18 mail01 postfix/smtpd[4711]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:18 mail01 postfix/smtpd[4714]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:18 mail01 postfix/smtpd[4719]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:18 mail01 postfix/smtpd[4721]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:19 mail01 postfix/smtpd[4712]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:19 mail01 postfix/smtpd[4726]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:20 mail01 postfix/smtpd[4728]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:20 mail01 postfix/smtpd[4730]: connect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:21 mail01 postfix/smtpd[4704]: 48848348: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4713]: 4C9F2F8E: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4711]: 50345F93: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4714]: 5426AF9E: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4719]: 5F474FA9: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4721]: 70B5AFAE: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4712]: 86EA2FB3: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:22 mail01 postfix/cleanup[4733]: 48848348: message-id=<3qLKINucOuWydZnpobH6S6Us5LBBzdPcO3zIz36Ml0@www12052uj.sakura.ne.jp>
Sep 30 08:56:22 mail01 postfix/cleanup[4734]: 4C9F2F8E: message-id=<0tDZPVlAs0LFISxgtHTiaJxaAVyZNHpKpsPAOjZAk@www12052uj.sakura.ne.jp>
Sep 30 08:56:22 mail01 postfix/cleanup[4735]: 50345F93: message-id=<PcTP3ElTKIRir9RANpc4aOMecWBdftLDTCUKNAiz4@www12052uj.sakura.ne.jp>
Sep 30 08:56:22 mail01 postfix/cleanup[4736]: 5426AF9E: message-id=<uTAOZeY806wbCI93o9uilV9pTPbGXoUmYBndlFXA@www12052uj.sakura.ne.jp>
Sep 30 08:56:22 mail01 postfix/cleanup[4740]: 5F474FA9: message-id=<RloSdki9xi4DXLa1YLVicDpIUSGbpIvAN0MhlmEng0@www12052uj.sakura.ne.jp>
Sep 30 08:56:22 mail01 postfix/cleanup[4743]: 70B5AFAE: message-id=<5c9I105B1hnLmMSYf4bTfjplDLbytoTED8PE9BbXY@www12052uj.sakura.ne.jp>
Sep 30 08:56:22 mail01 postfix/cleanup[4746]: 86EA2FB3: message-id=<SrKLsZchRS9rMrlGMxKlOkcJFRWDsHp2IIjGAtUT0FA@www12052uj.sakura.ne.jp>
Sep 30 08:56:22 mail01 postfix/smtpd[4726]: 4D8A7FB9: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:22 mail01 postfix/smtpd[4704]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:22 mail01 postfix/smtpd[4713]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:22 mail01 postfix/smtpd[4711]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:22 mail01 postfix/smtpd[4714]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:22 mail01 postfix/smtpd[4719]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:22 mail01 postfix/smtpd[4728]: ABDD3C3A: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:22 mail01 postfix/smtpd[4721]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:22 mail01 postfix/smtpd[4730]: BB156FC3: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:22 mail01 postfix/smtpd[4712]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:23 mail01 postfix/cleanup[4733]: 4D8A7FB9: message-id=<czLvyJDuOdTSsy9fICg4I1HzkUXGEXBuxIsSbHDNQc@www12052uj.sakura.ne.jp>
Sep 30 08:56:23 mail01 postfix/cleanup[4734]: ABDD3C3A: message-id=<iuqwelZVtDjFP5QzSw0dItIWjXq8iVnPQJq91ELgEZs@www12052uj.sakura.ne.jp>
Sep 30 08:56:23 mail01 postfix/cleanup[4735]: BB156FC3: message-id=<mLefBr3sNdwSmDWlNEE4tB7pcO2xFQ15olg3cLsJDo@www12052uj.sakura.ne.jp>
Sep 30 08:56:23 mail01 postfix/smtpd[4726]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:24 mail01 postfix/smtpd[4730]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]
Sep 30 08:56:24 mail01 postfix/smtpd[4728]: disconnect from www12052uj.sakura.ne.jp[133.242.204.66]

I also checked the webserver's nginx access/error logs, to see whether at that time there was some kind of access to "strange" files. Unfortunately, no luck.

Here you can see a specific mail:

# journalctl -fn 1000 | grep 48848348
Sep 30 08:56:21 mail01 postfix/smtpd[4704]: 48848348: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:22 mail01 postfix/cleanup[4733]: 48848348: message-id=<3qLKINucOuWydZnpobH6S6Us5LBBzdPcO3zIz36Ml0@www12052uj.sakura.ne.jp>
Sep 30 08:56:22 mail01 opendkim[477]: 48848348: DKIM-Signature field added (s=default, d=example.com)
Sep 30 08:56:22 mail01 postfix/qmgr[16502]: 48848348: from=<myemail@example.com>, size=11589, nrcpt=1 (queue active)
Sep 30 08:56:22 mail01 postfix/smtp[4748]: 48848348: to=<somebody'semail@hotmail.com>, relay=hotmail-com.olc.protection.outlook.com[104.47.125.33]:25, delay=1.8, delays=1.1/0.03/0.53/0.16, dsn=5.7.1, status=bounced (host hotmail-com.olc.protection.outlook.com[104.47.125.33] said: 550 5.7.1 Unfortunately, messages from [myserwerIP] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [SG2APC01FT004.eop-APC01.prod.protection.outlook.com] (in reply to MAIL FROM command))
Sep 30 08:56:22 mail01 postfix/smtp[4748]: 48848348: lost connection with hotmail-com.olc.protection.outlook.com[104.47.125.33] while sending RCPT TO
Sep 30 08:56:22 mail01 postfix/bounce[4752]: 48848348: sender non-delivery notification: CDC92FBE
Sep 30 08:56:22 mail01 postfix/qmgr[16502]: 48848348: removed

And this is the header of the email that bounced back into my Outlook:

Return-Path: <myemail@example.com>
Received: from www12052uj.sakura.ne.jp (www12052uj.sakura.ne.jp [133.242.204.66])
    (Authenticated sender: myemail@example.com)
    by my.post.server (Postfix) with ESMTPSA id 61A7FF93
    for <somebody'semail@hotmail.com>; Wed, 30 Sep 2020 07:30:57 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
    d=example.com; s=default; t=1601443858;
    bh=utfoNWMb99AFg4TWR+gOqliMry7aOaKuFBDaWQsfoqw=;
    h=Date:To:From:Subject;
    b=oTPGnF35jN21TclrQ8j3+cr+eR+ltiZ6jANJ2a4XJVcFFc7cCcup+Snip2tdBXA08
     tsZ4juS2+Nd15xaZAR3YZC9nyKc/1Vobw+prHFAohp5DOiLtJ2RNOJeoLPEuQGfyPg
     qohhzwvMobXsdFn4MgNFnJqmDvZazXyc5rdhMFXY=
Date: Wed, 30 Sep 2020 05:30:54 +0000
To: somebody'semail@hotmail.com
From: =?UTF-8?B?Qk5MX0dydXBwb19CbnBfUGFyaWJhcw==?= <myemail@example.com>
Subject: =?UTF-8?B?TmVzc3VuYSByaXNwb3N0YSBhbGxhIG5vc3RyYSByaWNoaWVzdGEgZGkgdmVyaWZpY2FyZQ==?=
Message-ID: <vw5uL7UMIQ0H5Fb7o3KoZF7NMQ73saNBhiLITT5fmo@www12052uj.sakura.ne.jp>
X-Mailer: PHPMailer 6.1.4 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Does anybody understand what is happening here? From my understanding, PHPMailer 6.1.4 suggests that mails are being sent with PHP mail() without logging in to my server. However, the line Sep 30 08:56:21 mail01 postfix/smtpd[4704]: 48848348: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com suggests to me that somebody is able to log in even though I changed the mail password.

Please help to troubleshoot and find the root cause of this problem, so that I can fix it.

Pikk
  • If I understand correctly, the WordPress and the mail server are on two separate servers, correct? So I guess the attacker directly used the mail server on port 25 without using the WordPress. You should use the local firewall of the mail server to only allow connections on port 25 from the IP of your WordPress server. – Sibwara Sep 30 '20 at 07:34
  • Yes, they are on 2 different machines and in 2 different countries. I can set iptables to only allow the webserver, Outlook, phones, etc. However, this can be a workaround. Secure, but still a workaround. It doesn't fix the fact that somebody is able to send emails from my webserver. They should not be able to do it. I even changed the password. – Pikk Sep 30 '20 at 07:37
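Added example (not part of the question or the comments): a small Python script that turns the `postfix/smtpd` lines above into the two facts a defender wants from this log before changing anything: which client IPs authenticated as the account, and whether the logins arrive in bursts. The sample lines are a subset of the log in the question plus one constructed login from a hypothetical WordPress host `wp.example.com[203.0.113.10]`; that host, its IP and the allowlist are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the postfix lines from the question, plus one login from a
# hypothetical WordPress host wp.example.com[203.0.113.10] that is NOT in the original log.
SAMPLE_LOG = """\
Sep 30 06:10:02 mail01 postfix/smtpd[4001]: connect from wp.example.com[203.0.113.10]
Sep 30 06:10:03 mail01 postfix/smtpd[4001]: 0A1B2C3D: client=wp.example.com[203.0.113.10], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 06:10:04 mail01 postfix/smtpd[4001]: disconnect from wp.example.com[203.0.113.10]
Sep 30 08:37:46 mail01 postfix/smtpd[4435]: 6D68EC3A: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:39:14 mail01 postfix/smtpd[4435]: C1BECC3A: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:42:23 mail01 postfix/smtpd[4486]: 3EC9C348: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4704]: 48848348: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4713]: 4C9F2F8E: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4711]: 50345F93: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4714]: 5426AF9E: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4719]: 5F474FA9: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4721]: 70B5AFAE: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:21 mail01 postfix/smtpd[4712]: 86EA2FB3: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:22 mail01 postfix/smtpd[4726]: 4D8A7FB9: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:22 mail01 postfix/smtpd[4728]: ABDD3C3A: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
Sep 30 08:56:22 mail01 postfix/smtpd[4730]: BB156FC3: client=www12052uj.sakura.ne.jp[133.242.204.66], sasl_method=LOGIN, sasl_username=myemail@example.com
"""

# Only the "client=... sasl_method=... sasl_username=..." line marks an authenticated session;
# connect/disconnect/cleanup lines carry no identity and are skipped.
SASL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hms>\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"postfix/smtpd\[\d+\]:\s+(?P<qid>[0-9A-F]+):\s+"
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\],\s+"
    r"sasl_method=(?P<method>\S+),\s+sasl_username=(?P<user>\S+)"
)


def parse_sasl_logins(text, year):
    """One record per authenticated SMTP session. Syslog timestamps carry no year, so the
    caller supplies it (the question's log is from 2020)."""
    logins = []
    for line in text.splitlines():
        m = SASL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        logins.append({"time": ts, "qid": m["qid"], "host": m["host"], "ip": m["ip"],
                       "method": m["method"], "user": m["user"]})
    return logins


def clients_by_user(logins):
    """Map each SASL username to {client ip: number of authenticated sessions}."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in logins:
        summary[e["user"]][e["ip"]] += 1
    return {user: dict(clients) for user, clients in summary.items()}


def unexpected_clients(logins, allowed_ips):
    """(user, ip, host) triples for sessions whose client is not on the allowlist of hosts that
    should ever submit mail for the account (here only the hypothetical WordPress server)."""
    seen = {(e["user"], e["ip"], e["host"]) for e in logins if e["ip"] not in allowed_ips}
    return sorted(seen)


def find_bursts(logins, window_seconds=10, threshold=5):
    """{ip: (count, window_start)} for client IPs with at least `threshold` logins inside any
    `window_seconds`-long window. Uses a sliding window over the sorted timestamps per IP."""
    by_ip = defaultdict(list)
    for e in logins:
        by_ip[e["ip"]].append(e["time"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = (0, None), 0
        for i, start in enumerate(times):
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            if j - i > best[0]:
                best = (j - i, start)
        if best[0] >= threshold:
            bursts[ip] = best
    return bursts


if __name__ == "__main__":
    logins = parse_sasl_logins(SAMPLE_LOG, year=2020)
    for user, clients in clients_by_user(logins).items():
        print(f"{user}: {clients}")
    for user, ip, host in unexpected_clients(logins, allowed_ips={"203.0.113.10"}):
        print(f"ALERT: {user} authenticated from unexpected client {host}[{ip}]")
    for ip, (count, start) in find_bursts(logins).items():
        print(f"ALERT: {count} logins from {ip} within 10s starting {start:%H:%M:%S}")
```

Feed it the output of the `journalctl ... | grep` command from the question instead of the embedded sample and the report separates the two hypotheses the question runs together: mail relayed through the web server would show the web server's own IP in the `client=` field, whereas a credential in use elsewhere shows up exactly as the log above does, as authenticated sessions from a foreign host, ten of them opened within two seconds. That per-client view is also what justifies the port-25 allowlist suggested in the comments, and it is the metric to keep watching after the credential on the web server side is rotated.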

0 Answers