My inbox is full of "Undelivered Mail Returned to Sender" messages

Hello all,

This is very strange. I'm getting 100+ emails in my inbox saying

"Undelivered Mail Returned to Sender"

and I can see that

"/bin/clamscan -"

is taking too many resources.

I don't know what is happening.

My first guess would be that a computer on your network is infected or compromised and is sending forth ponderous amounts of spam into the ether, including some addressed to non-existent email addresses, and some that is rejected as spam.

You need to read the whole headers to find out the specific reasons, but they may be lies anyway. Many mail systems send out generic failure messages or “no such user” messages regardless of the actual reasons.

Another possibility is that your password has been compromised, and someone is sending out spam remotely using your credentials.

Your first step should be to change your password, just in case. Then peruse the mail log to get some idea of what's happening and where. You also should read the full headers on the bounced messages. Make SPF strict for a while (-all instead of ~all, to hard-fail mail from unauthorized IPs), and enable DMARC with a Quarantine policy.

The combination of the bounce messages and the clamscan activity makes it almost a certainty that outgoing spam is the issue. I'd act quickly before your server winds up on every blocklist in the world.

Richard

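Richard's advice to "peruse the mail log" is the step most people skip. As an added example (editor's code, not from the thread or from Virtualmin), the script below aggregates a Postfix log by SASL-authenticated account: how many messages each account submitted, how many recipients those messages carried (the nrcpt field on the qmgr line), which client IPs it logged in from, and how many deliveries came back status=bounced, which is what produces the "Undelivered Mail Returned to Sender" flood. A compromised mailbox typically shows up as one account with a recipient count far above its normal volume, logins from IPs the owner never uses, and a bounce count to match. The log lines, hostnames, IPs and flagging thresholds are constructed placeholders for the example.

```python
import re
from collections import defaultdict

# Constructed Postfix log excerpt (not from the original thread). The host,
# queue IDs, addresses, IPs and relays are placeholders chosen for the example.
SAMPLE_LOG = """\
Sep 16 17:00:38 svps postfix/smtpd[4101]: 6BB2010817E5: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=lakshan@mydomain.net
Sep 16 17:00:39 svps postfix/qmgr[1023]: 6BB2010817E5: from=<lakshan@mydomain.net>, size=4210, nrcpt=40 (queue active)
Sep 16 17:00:41 svps postfix/smtp[4150]: 6BB2010817E5: to=<nobody@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.3, delays=0.1/0/0.6/0.6, dsn=5.1.1, status=bounced (host mx.example.org[198.51.100.7] said: 550 5.1.1 User unknown)
Sep 16 17:00:41 svps postfix/smtp[4150]: 6BB2010817E5: to=<sales@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.4, delays=0.1/0/0.6/0.7, dsn=2.0.0, status=sent (250 2.0.0 OK)
Sep 16 17:02:10 svps postfix/smtpd[4101]: 7C1F210817F0: client=unknown[198.51.100.22], sasl_method=LOGIN, sasl_username=lakshan@mydomain.net
Sep 16 17:02:11 svps postfix/qmgr[1023]: 7C1F210817F0: from=<lakshan@mydomain.net>, size=4198, nrcpt=35 (queue active)
Sep 16 17:02:14 svps postfix/smtp[4151]: 7C1F210817F0: to=<old-user@example.net>, relay=mail.example.net[192.0.2.25]:25, delay=2.0, delays=0.2/0/1.0/0.8, dsn=5.1.1, status=bounced (host mail.example.net[192.0.2.25] said: 550 5.1.1 No such user)
Sep 16 17:05:02 svps postfix/smtpd[4102]: 8D0A310817A1: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=lakshan@mydomain.net
Sep 16 17:05:03 svps postfix/qmgr[1023]: 8D0A310817A1: from=<lakshan@mydomain.net>, size=4301, nrcpt=50 (queue active)
Sep 16 17:05:06 svps postfix/smtp[4150]: 8D0A310817A1: to=<ghost@example.com>, relay=aspmx.example.com[192.0.2.40]:25, delay=2.2, delays=0.1/0/1.1/1.0, dsn=5.7.1, status=bounced (host aspmx.example.com[192.0.2.40] said: 550 5.7.1 Message rejected as spam)
Sep 16 17:09:30 svps postfix/smtpd[4103]: 9E2B41081802: client=laptop.home[192.0.2.77], sasl_method=PLAIN, sasl_username=alice@mydomain.net
Sep 16 17:09:31 svps postfix/qmgr[1023]: 9E2B41081802: from=<alice@mydomain.net>, size=1520, nrcpt=1 (queue active)
Sep 16 17:09:33 svps postfix/smtp[4151]: 9E2B41081802: to=<bob@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Authenticated submission: ties a queue ID to the account that logged in and
# the client IP it logged in from.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=[^\[\s]+\[(?P<ip>[^\]]+)\],"
    r" sasl_method=\w+, sasl_username=(?P<user>\S+)")
# Queue manager line: carries the recipient count (nrcpt) for the message.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)")
# Delivery attempt: status=bounced is what generates the returned-mail notices.
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>, .*status=(?P<status>\w+)")


def parse_postfix_log(text):
    """Aggregate per-account statistics for SASL-authenticated submissions only."""
    owner = {}  # queue ID -> sasl_username that submitted it
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                 "client_ips": set(), "bounced": 0})
    for line in text.splitlines():
        m = SASL_RE.search(line)
        if m:
            user = m.group("user")
            owner[m.group("qid")] = user
            stats[user]["messages"] += 1
            stats[user]["client_ips"].add(m.group("ip"))
            continue
        m = QMGR_RE.search(line)
        if m and m.group("qid") in owner:
            stats[owner[m.group("qid")]]["recipients"] += int(m.group("n"))
            continue
        m = SMTP_RE.search(line)
        if m and m.group("qid") in owner and m.group("status") == "bounced":
            stats[owner[m.group("qid")]]["bounced"] += 1
    return dict(stats)


def flag_suspicious(stats, max_recipients=100, max_client_ips=1, max_bounces=2):
    """Return accounts whose sending pattern looks like a compromised mailbox.

    The thresholds are illustrative assumptions; tune them to the server's
    normal traffic. Exceeding any one of them (recipient volume, number of
    distinct client IPs, bounce count) is enough to flag the account.
    """
    flagged = []
    for user, s in stats.items():
        if (s["recipients"] > max_recipients
                or len(s["client_ips"]) > max_client_ips
                or s["bounced"] > max_bounces):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    stats = parse_postfix_log(SAMPLE_LOG)
    for user in flag_suspicious(stats):
        s = stats[user]
        print(f"{user}: {s['messages']} msgs, {s['recipients']} rcpts, "
              f"{s['bounced']} bounced, from {sorted(s['client_ips'])}")
```

Run it against the real file with `parse_postfix_log(open("/var/log/maillog").read())` (or `/var/log/mail.log` on Debian-based systems). The distinct-IP count is the most useful signal here: the poster later reports the affected accounts shared a password, and a credential-stuffed account tends to show logins from addresses the legitimate user has never used.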

Thank you for your reply,

I have done everything you said but I'm still getting those emails... I'm confused and I don't know what to do.

This issue happens only to 4 email addresses; the other emails are not getting anything.

Do the four addresses have anything in common (same domain, same password, checked from the same device, etc.)?

If this is in fact a response to a spam barrage through your server, you’ll likely be contacted by your host with a warning, or possibly even get your service suspended without a warning, depending on their policies. You may also wind up on blocklists – there are about a bazillion of them – if that’s the case.

You may want to start checking your server against blocklists frequently. https://mxtoolbox.com/blacklists.aspx and https://www.ultratools.com/tools/spamDBLookup are good places to start. They only check against a handful of lists, but they tend to be the more popular ones.

It’s also possible that the mail is spoofed, of course, in which case most likely nothing would happen because the mail wouldn’t be going through your server. Changing the TXT entry for SPF to -all will help reduce spoofed mails getting through, as will DMARC, but neither makes it impossible.

You should also run virus scans on your computer(s), again, just in case; and keep an eye on SpamAssassin and Clam resource usage.

Richard


Clamscan is not usable anymore. It is impossible for it to start fast enough.

You either need to turn off AV scanning or use clamdscan.

Edit: also note that Virtualmin does not offer to set up clamscan anymore; it is either off or uses clamdscan.

Yes, every email belongs to the same domain, and a few emails have been set up with the same password and logged in from the same devices.

I have temporarily disabled Postfix Mail just to keep resource usage low.

What if I clean install Virtualmin and recreate all email addresses with different passwords, will this help me?

Please can you tell me how to do that?

Thank you

I think reinstalling Virtualmin would be premature at this point. You don’t know for sure whether there’s a problem on your server itself.

It’s possible that someone grabbed the passwords from one of the numerous breaches over the past few years if you were using the same email / password combinations on one or more of the sites that were breached.

It’s also possible that your personal computer (or the computer(s) of the user(s) of the email addresses in question) is/are compromised with a keylogger or other malware that is grabbing the credentials.

In those cases, resetting the passwords of the accounts in question from a computer you know is not infected or compromised in any way would be a more measured next step. Or just disable the account in question while sorting things out. Reinstalling Virtualmin seems a bit of an extreme move that wouldn't even fix the problem if it's with a client computer.

You need the diagnosis before applying the cure.

Richard

Thank you so much @RJM_Web_Design, I will follow what you say and try to figure out what is going on. Currently I have disabled the infected accounts.

Now everything looks fine; I changed all the passwords. Now I have another issue: I enabled the "greylisting" feature and now I'm not receiving any emails, but I can send without any problem.

Greylisting is enabled, but it shows that it is not fully enabled.

I need to disable this feature; this is never going to work as expected. How can I disable it? I don't see any option to do that.


It should be in Virtualmin > Email Settings > Email Greylisting. I say “should be” because I have it disabled, and there’s an Enable button there. I’m assuming the opposite would also be true.

It may be that you have to fully enable it before disabling it. Since the mail’s not working anyway, I suppose it’s worth a try. Your call, though.

I’ve always found greylisting to be a pretty pointless feature that causes more problems than it’s worth. Others, however, swear by it. I guess it’s an inverse function of how effective one’s other anti-spam measures are.

Richard

Yes, the problem is that once I enable it, it says it is enabled, but when I refresh the panel it is still showing the same Enable button and no Disable button :(

Oh noooo, I'm starting to receive spam email again :(

Return-Path: <info@aciservice.na.it>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on svps.myserver.net
X-Spam-Level: **
X-Spam-Status: No, score=2.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,FROM_EXCESS_BASE64,HTML_MESSAGE,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,MISSING_MID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2 autolearn=no autolearn_force=no version=3.4.2
X-Original-To: lakshan@mydomain.net
Delivered-To: lakshan-mydomain.net@svps.myserver.net
Received: from smtpcmd10105.aruba.it (smtpcmd10105.aruba.it [62.149.156.105]) by mydomain.net (Postfix) with ESMTP id 6BB2010817E5 for <lakshan@mydomain.net>; Wed, 16 Sep 2020 17:00:38 -0500 (CDT)
Authentication-Results: mydomain.net; dkim=pass (2048-bit key; unprotected) header.d=aruba.it header.i=@aruba.it header.b="A3/VBus8"; dkim-atps=neutral
Received: from [47.53.90.142] ([47.53.90.142]) by smtpcmd10.ad.aruba.it with bizsmtp id Um0c2301b34Gq8n01m0dfY; Thu, 17 Sep 2020 00:00:37 +0200
Date: Thu, 17 Sep 2020 00:00:37 +0100
From: "東 憲太郎" <info@aciservice.na.it>
To: "椎野 真美" <lakshan@mydomain.net>
Subject: Re: 年始社長挨拶のお願い
MIME-Version: 1.0

Above are the headers of the email, and I have no idea what aruba.it and info@aciservice.na.it are.

Note: mydomain.net and myserver.net are not the actual names; I changed them for my privacy.
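The headers quoted above answer the poster's question if they are read in the right order, and the reading can be automated. As an added example (editor's code, not from the thread or from any of the tools mentioned), the script below unfolds the headers and pulls out the three things worth checking on a message like this: the domain the DKIM signature actually covers (aruba.it, the relay's own domain) versus the From: domain (aciservice.na.it), which is the alignment test DMARC adds on top of DKIM; the IP that handed the message to Postfix and the IP at the far end of the Received chain, read from the topmost and bottommost Received lines; and which of the SpamAssassin tests were DNS blocklist hits, since the SpamCop listing contributed to a score that still stayed under the 5.0 threshold. The `org_domain` approximation (last two labels, without the Public Suffix List) and the `BLOCKLIST_TESTS` subset are assumptions made for the example; the header text is the post's own, with its placeholder names.

```python
import re

# Headers quoted in the post above (same placeholder names), folded as they
# would appear in the raw message.
RAW_HEADERS = """\
Return-Path: <info@aciservice.na.it>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on svps.myserver.net
X-Spam-Level: **
X-Spam-Status: No, score=2.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
    DKIM_VALID,FROM_EXCESS_BASE64,HTML_MESSAGE,MIME_BOUND_DD_DIGITS,
    MIME_HTML_ONLY,MISSING_MID,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_NONE,
    RCVD_IN_MSPIKE_H2 autolearn=no autolearn_force=no version=3.4.2
X-Original-To: lakshan@mydomain.net
Delivered-To: lakshan-mydomain.net@svps.myserver.net
Received: from smtpcmd10105.aruba.it (smtpcmd10105.aruba.it [62.149.156.105])
    by mydomain.net (Postfix) with ESMTP id 6BB2010817E5
    for <lakshan@mydomain.net>; Wed, 16 Sep 2020 17:00:38 -0500 (CDT)
Authentication-Results: mydomain.net; dkim=pass (2048-bit key; unprotected)
    header.d=aruba.it header.i=@aruba.it header.b="A3/VBus8"; dkim-atps=neutral
Received: from [47.53.90.142] ([47.53.90.142]) by smtpcmd10.ad.aruba.it
    with bizsmtp id Um0c2301b34Gq8n01m0dfY; Thu, 17 Sep 2020 00:00:37 +0200
Date: Thu, 17 Sep 2020 00:00:37 +0100
From: "東 憲太郎" <info@aciservice.na.it>
To: "椎野 真美" <lakshan@mydomain.net>
Subject: Re: 年始社長挨拶のお願い
MIME-Version: 1.0
"""

RECEIVED_RE = re.compile(r"from (?P<host>\S+)\s+\((?P<comment>[^)]*)\)\s+by (?P<by>\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")
DKIM_RE = re.compile(r"dkim=(?P<result>\w+).*?header\.d=(?P<domain>[\w.-]+)")
SPAM_RE = re.compile(
    r"score=(?P<score>-?[\d.]+) required=(?P<required>-?[\d.]+) tests=(?P<tests>.+?) autolearn=")
# Assumed subset of SpamAssassin DNSBL rule names. RCVD_IN_DNSWL_* and
# RCVD_IN_MSPIKE_H* are allow-list/reputation tests, so they are left out.
BLOCKLIST_TESTS = {"RCVD_IN_BL_SPAMCOP_NET", "RCVD_IN_SBL", "RCVD_IN_XBL",
                   "RCVD_IN_PBL", "RCVD_IN_PSBL", "RCVD_IN_BRBL_LASTEXT"}


def parse_headers(raw):
    """Return [(name, value)] in message order, unfolding continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:        # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def get(headers, name):
    """All values for a header name (Received and similar repeat)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def org_domain(domain):
    """Rough organisational domain: last two labels. A real DMARC alignment
    check consults the Public Suffix List instead (assumption for the example)."""
    return ".".join(domain.lower().split(".")[-2:])


def analyse(raw):
    headers = parse_headers(raw)
    from_value = get(headers, "From")[0]
    m = re.search(r"<([^>]+)>", from_value)
    from_dom = (m.group(1) if m else from_value).split("@")[-1]
    dkim = [d.group("domain") for v in get(headers, "Authentication-Results")
            for d in DKIM_RE.finditer(v) if d.group("result") == "pass"]
    hops = []
    for v in get(headers, "Received"):       # first entry = hop closest to us
        r = RECEIVED_RE.search(v)
        if r:
            ip = IP_RE.search(r.group("comment"))
            hops.append({"host": r.group("host"), "by": r.group("by"),
                         "ip": ip.group(1) if ip else None})
    s = SPAM_RE.search(get(headers, "X-Spam-Status")[0])
    tests = [t.strip() for t in s.group("tests").split(",")]
    return {
        "from_domain": from_dom,
        "dkim_pass_domains": dkim,
        "dkim_aligned": any(org_domain(d) == org_domain(from_dom) for d in dkim),
        "handoff_ip": hops[0]["ip"] if hops else None,   # gave the mail to Postfix
        "origin_ip": hops[-1]["ip"] if hops else None,   # earliest hop recorded
        "score": float(s.group("score")),
        "required": float(s.group("required")),
        "blocklist_hits": [t for t in tests if t in BLOCKLIST_TESTS],
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

The DKIM pass is genuine but says only that aruba.it signed what it relayed; it does not vouch for aciservice.na.it, so a receiving-side DMARC check on the From: domain would not be satisfied by it. Note too that the only Received line you can trust is the one your own Postfix wrote; everything below it was supplied by the remote side.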

Maybe become a Spamcop reporter. It’s especially easy if you use Mailwasher Pro.

I’ve been a Spamcop reporter since there was such a thing. I think that once you file enough non-munged spam reports, the spammers put you on some kind of “don’t spam this guy because he reports you” list.

I’m guessing I’ve reported somewhere around a quarter million spam emails by now. Maybe more. I used to report dozens every day, but now it averages two or three most days.

Just an idea, mind you. If you must receive spam, you may as well put it to good use.

Richard


Thank you Richard for your support
