Spam being sent again from an email account

Vipul.K · April 15, 2023, 7:09am

SYSTEM INFORMATION
OS type and version	Ubuntu 20.04
Virtualmin version	7.5

I seem to have gotten into a similar situation to this from last year - Spam being sent from an email account - Virtualmin - Virtualmin Community

I disabled the server, changed the email password, restarted apache and postfix but the spam is not stopping. The only thing I can do to stop it is to stop postfix itself. Checkout some of the maillog

Apr 15 11:36:53 primary dovecot: imap-login: Login: user=<sales@tooneywheels.in>, method=PLAIN, rip=185.30.176.169, lip=139.162.61.248, mpid=2378171, TLS, session=<FN2pw1n5wJG5HrCp>
Apr 15 11:36:53 primary postfix/smtp[2378114]: 5295384843: to=<cheyne156@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25, delay=21562, delays=21553/4.1/4.1/0.26, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Apr 15 11:36:53 primary postfix/smtp[2378114]: 5295384843: to=<mattdave1@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25, delay=21562, delays=21553/4.1/4.1/0.26, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Apr 15 11:36:54 primary postfix/smtp[2378124]: 5577C834E4: to=<niguy@videotron.ca>, relay=mx.videotron.ca[24.201.245.37]:25, delay=536, delays=527/0.11/2.2/6.4, dsn=4.1.0, status=deferred (host mx.videotron.ca[24.201.245.37] said: 452 4.1.0 nZ3epdvBA0Aa7nZ3fp19q9 service temporarily unavailable AUP#EML-041 (in reply to MAIL FROM command))
Apr 15 11:36:54 primary postfix/smtp[2378165]: A0D7B8241E: to=<acy2731@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25, delay=29807, delays=29798/4.1/4.5/0.32, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Apr 15 11:36:54 primary postfix/smtp[2378159]: B7AF984B48: to=<liam.madison@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25, delay=17167, delays=17158/4.8/3.9/0.25, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Apr 15 11:36:54 primary postfix/smtp[2378155]: 1581484A84: host mta7.am0.yahoodns.net[67.195.228.94] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 11:36:54 primary postfix/smtp[2378155]: 1581484A84: lost connection with mta7.am0.yahoodns.net[67.195.228.94] while sending RCPT TO
Apr 15 11:36:54 primary postfix/smtp[2378116]: F2B7084860: host mta6.am0.yahoodns.net[67.195.228.111] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 11:36:54 primary postfix/smtp[2378116]: F2B7084860: lost connection with mta6.am0.yahoodns.net[67.195.228.111] while sending RCPT TO
Apr 15 11:36:54 primary postfix/smtp[2378115]: F375C84982: host mta5.am0.yahoodns.net[67.195.204.79] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 11:36:54 primary postfix/smtp[2378115]: F375C84982: lost connection with mta5.am0.yahoodns.net[67.195.204.79] while sending RCPT TO
Apr 15 11:36:54 primary postfix/smtp[2378156]: 5B0C8837BB: to=<john_smit@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25, delay=27950, delays=27941/4.6/4.4/0.26, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Apr 15 11:36:54 primary postfix/smtp[2378122]: 5AC3E837B9: to=<nialldfitzpatrick@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25, delay=27950, delays=27941/4.7/4.3/0.24, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Apr 15 11:36:54 primary postfix/smtp[2378118]: 602EC82521: host mta6.am0.yahoodns.net[67.195.228.110] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 11:36:54 primary postfix/smtp[2378118]: 602EC82521: lost connection with mta6.am0.yahoodns.net[67.195.228.110] while sending RCPT TO
Apr 15 11:36:54 primary postfix/smtp[2378149]: 2F37D8341F: host mta7.am0.yahoodns.net[67.195.204.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 11:36:54 primary postfix/smtp[2378149]: 2F37D8341F: lost connection with mta7.am0.yahoodns.net[67.195.204.73] while sending RCPT TO
Apr 15 11:36:54 primary postfix/smtp[2378138]: 5AC6E837BA: to=<gmanfife@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25, delay=27951, delays=27941/4.7/4.4/0.34, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Apr 15 11:36:54 primary postfix/smtp[2378144]: 619A984857: host mta6.am0.yahoodns.net[98.136.96.91] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 11:36:54 primary postfix/smtp[2378150]: 1DB1084B12: host mta7.am0.yahoodns.net[67.195.204.77] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 11:36:54 primary postfix/smtp[2378150]: 1DB1084B12: lost connection with mta7.am0.yahoodns.net[67.195.204.77] while sending RCPT TO
Apr 15 11:36:54 primary postfix/smtp[2378144]: 619A984857: lost connection with mta6.am0.yahoodns.net[98.136.96.91] while sending RCPT TO
Apr 15 11:36:54 primary postfix/smtp[2378153]: 58D6283365: to=<smurfy_uk_81@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.74]:25, delay=30306, delays=30296/4.6/4.6/0.33, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.74] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Apr 15 11:36:54 primary postfix/smtp[2378119]: 533B882519: to=<kafimd@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.72.73]:25, delay=32126, delays=32116/4.1/5.1/0.32, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
Apr 15 11:36:54 primary postfix/smtp[2378152]: 0F0B783641: host mta6.am0.yahoodns.net[67.195.204.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 11:36:54 primary postfix/smtp[2378152]: 0F0B783641: lost connection with mta6.am0.yahoodns.net[67.195.204.73] while sending RCPT TO

I’m curious about the login this time. Does that session part mean that the user is logged in via their session? Is this a case of session hijacking?

stefan1959 · April 15, 2023, 7:50am

the IP that is connecting, do you know it, maybe disable the email address until sorted. Bit weird you change password and the still able to login.

Vipul.K · April 15, 2023, 7:59am

No, roundcube is not enabled

stefan1959 · April 15, 2023, 8:00am

Sorry, roundcude rip address would be local ip. like 127.0.0.1

another possibility is if its your email address, you computer is sending it.

Vipul.K · April 15, 2023, 9:01am

Well, its not my email, its the website owner’s and I talked to them and they say they don’t use it. I deleted the email but here’s the kicker, the emails are still being added to the queue. How is this possible?

Here are some recent logs after deleting the email

Apr 15 14:24:47 primary postfix/smtpd[2408479]: warning: hostname exzell.poppopprision.com does not resolve to address 141.98.11.93: Name or service not known
Apr 15 14:24:47 primary postfix/smtpd[2408479]: connect from unknown[141.98.11.93]
Apr 15 14:24:51 primary postfix/smtpd[2408479]: warning: unknown[141.98.11.93]: SASL LOGIN authentication failed: authentication failure
Apr 15 14:24:51 primary postfix/smtpd[2408479]: disconnect from unknown[141.98.11.93] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 15 14:25:08 primary postfix/smtpd[2407914]: connect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116]
Apr 15 14:25:09 primary postfix/smtp[2408526]: connect to mx02.bis7.eu.blackberry.com[178.239.87.3]:25: Connection timed out
Apr 15 14:25:09 primary postfix/smtpd[2407914]: 726CE8216C: client=ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116], sasl_method=LOGIN, sasl_username=sales@tooneywheels.in
Apr 15 14:25:10 primary postfix/cleanup[2408591]: 726CE8216C: message-id=<57AD9539CA1937FBD8221AA2710DD833@tooneywheels.in>
Apr 15 14:25:10 primary postfix/qmgr[2394646]: 726CE8216C: from=<sales@tooneywheels.in>, size=3657, nrcpt=3 (queue active)
Apr 15 14:25:10 primary postfix/smtpd[2407914]: disconnect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116] ehlo=1 auth=1 mail=1 rcpt=3 data=1 quit=1 commands=8
Apr 15 14:25:10 primary postfix/smtpd[2407915]: connect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116]
Apr 15 14:25:10 primary postfix/smtpd[2407914]: connect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116]
Apr 15 14:25:10 primary postfix/smtpd[2408592]: connect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116]
Apr 15 14:25:12 primary postfix/smtp[2408540]: 726CE8216C: to=<tonylayton@hotmail.co.uk>, relay=eur.olc.protection.outlook.com[104.47.18.97]:25, delay=2.9, delays=1.2/0/1.5/0.16, dsn=5.7.1, status=bounced (host eur.olc.protection.outlook.com[104.47.18.97] said: 550 5.7.1 Unfortunately, messages from [139.162.61.248] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [AM6EUR05FT064.eop-eur05.prod.protection.outlook.com 2023-04-15T08:55:12.030Z 08DB3D8B18F099BB] (in reply to MAIL FROM command))
Apr 15 14:25:12 primary postfix/smtp[2408540]: 726CE8216C: lost connection with eur.olc.protection.outlook.com[104.47.18.97] while sending RCPT TO
Apr 15 14:25:12 primary postfix/smtp[2408530]: 726CE8216C: to=<kevbuzza@live.co.uk>, relay=eur.olc.protection.outlook.com[104.47.17.161]:25, delay=3, delays=1.2/0/1.6/0.17, dsn=5.7.1, status=bounced (host eur.olc.protection.outlook.com[104.47.17.161] said: 550 5.7.1 Unfortunately, messages from [139.162.61.248] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [VI1EUR05FT011.eop-eur05.prod.protection.outlook.com 2023-04-15T08:55:12.152Z 08DB3D40C4C2A7D3] (in reply to MAIL FROM command))
Apr 15 14:25:12 primary postfix/smtp[2408530]: 726CE8216C: lost connection with eur.olc.protection.outlook.com[104.47.17.161] while sending RCPT TO
Apr 15 14:25:12 primary postfix/smtp[2408529]: 726CE8216C: to=<ottawa_dirtsquirrels@live.ca>, relay=nam.olc.protection.outlook.com[104.47.55.161]:25, delay=3.4, delays=1.2/0/2/0.23, dsn=5.7.1, status=bounced (host nam.olc.protection.outlook.com[104.47.55.161] said: 550 5.7.1 Unfortunately, messages from [139.162.61.248] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [BN8NAM12FT060.eop-nam12.prod.protection.outlook.com 2023-04-15T08:55:12.582Z 08DB3D80F81DCE3F] (in reply to MAIL FROM command))
Apr 15 14:25:12 primary postfix/smtp[2408529]: 726CE8216C: lost connection with nam.olc.protection.outlook.com[104.47.55.161] while sending RCPT TO
Apr 15 14:25:12 primary postfix/cleanup[2408591]: ACEA6822F1: message-id=<20230415085512.ACEA6822F1@primary.gs-server-2.com>
Apr 15 14:25:12 primary postfix/qmgr[2394646]: ACEA6822F1: from=<>, size=9251, nrcpt=1 (queue active)
Apr 15 14:25:12 primary postfix/bounce[2408594]: 726CE8216C: sender non-delivery notification: ACEA6822F1
Apr 15 14:25:12 primary postfix/qmgr[2394646]: 726CE8216C: removed
Apr 15 14:25:12 primary postfix/error[2408595]: ACEA6822F1: to=<sales@tooneywheels.in>, relay=none, delay=0.01, delays=0/0/0/0, dsn=5.1.1, status=bounced (User unknown in virtual alias table)
Apr 15 14:25:12 primary postfix/qmgr[2394646]: ACEA6822F1: removed
Apr 15 14:25:13 primary postfix/smtpd[2407914]: 114288216C: client=ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116], sasl_method=LOGIN, sasl_username=sales@tooneywheels.in
Apr 15 14:25:13 primary postfix/smtpd[2408592]: 13772822EF: client=ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116], sasl_method=LOGIN, sasl_username=sales@tooneywheels.in
Apr 15 14:25:13 primary postfix/smtpd[2407915]: 1698B822F1: client=ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116], sasl_method=LOGIN, sasl_username=sales@tooneywheels.in
Apr 15 14:25:14 primary postfix/cleanup[2408591]: 114288216C: message-id=<5CA69E32C1123CF0D32911A97A42A548@tooneywheels.in>
Apr 15 14:25:14 primary postfix/cleanup[2408596]: 13772822EF: message-id=<12E8D07C8F5C72BE9D675FE7342D616B@tooneywheels.in>
Apr 15 14:25:14 primary postfix/qmgr[2394646]: 114288216C: from=<sales@tooneywheels.in>, size=3557, nrcpt=3 (queue active)
Apr 15 14:25:14 primary postfix/cleanup[2408597]: 1698B822F1: message-id=<6B91A905F6250BC7E41E269E4D5EF647@tooneywheels.in>
Apr 15 14:25:14 primary postfix/qmgr[2394646]: 13772822EF: from=<sales@tooneywheels.in>, size=3572, nrcpt=3 (queue active)
Apr 15 14:25:14 primary postfix/qmgr[2394646]: 1698B822F1: from=<sales@tooneywheels.in>, size=3585, nrcpt=3 (queue active)
Apr 15 14:25:14 primary postfix/smtpd[2407914]: disconnect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116] ehlo=2 starttls=1 auth=1 mail=1 rcpt=3 data=1 quit=1 commands=10
Apr 15 14:25:14 primary postfix/smtpd[2408592]: disconnect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116] ehlo=2 starttls=1 auth=1 mail=1 rcpt=3 data=1 quit=1 commands=10
Apr 15 14:25:14 primary postfix/smtpd[2407915]: disconnect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116] ehlo=2 starttls=1 auth=1 mail=1 rcpt=3 data=1 quit=1 commands=10
Apr 15 14:25:15 primary postfix/smtpd[2407914]: connect from ec2-35-89-81-116.us-west-2.compute.amazonaws.com[35.89.81.116]
Apr 15 14:25:15 primary postfix/smtp[2408534]: 13772822EF: to=<ewabrzoz08@gmail.com>, relay=gmail-smtp-in.l.google.com[2404:6800:4003:c01::1b]:25, delay=2.6, delays=1.2/0/0.65/0.72, dsn=2.0.0, status=sent (250 2.0.0 OK  1681548915 132-20020a63028a000000b00502f0d2abc5si6871696pgc.725 - gsmtp)
Apr 15 14:25:15 primary postfix/smtp[2408527]: 114288216C: to=<leila-du-17@live.fr>, relay=eur.olc.protection.outlook.com[104.47.17.161]:25, delay=2.6, delays=1.2/0/1.2/0.18, dsn=5.7.1, status=bounced (host eur.olc.protection.outlook.com[104.47.17.161] said: 550 5.7.1 Unfortunately, messages from [139.162.61.248] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [VI1EUR05FT007.eop-eur05.prod.protection.outlook.com 2023-04-15T08:55:15.412Z 08DB3C627808F3E1] (in reply to MAIL FROM command))
Apr 15 14:25:15 primary postfix/smtp[2408527]: 114288216C: lost connection with eur.olc.protection.outlook.com[104.47.17.161] while sending RCPT TO
Apr 15 14:25:15 primary postfix/smtp[2408491]: 114288216C: to=<oliver.bernard@hotmail.ca>, relay=hotmail-com.olc.protection.outlook.com[104.47.30.97]:25, delay=2.8, delays=1.2/0/1.4/0.17, dsn=5.7.1, status=bounced (host hotmail-com.olc.protection.outlook.com[104.47.30.97] said: 550 5.7.1 Unfortunately, messages from [139.162.61.248] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [VI1EUR03FT034.eop-EUR03.prod.protection.outlook.com 2023-04-15T08:55:15.611Z 08DB3C94A563ADE4] (in reply to MAIL FROM command))
Apr 15 14:25:15 primary postfix/smtp[2408491]: 114288216C: lost connection with hotmail-com.olc.protection.outlook.com[104.47.30.97] while sending RCPT TO
Apr 15 14:25:15 primary postfix/smtp[2408531]: 1698B822F1: host mta5.am0.yahoodns.net[67.195.228.110] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 14:25:15 primary postfix/smtp[2408531]: 1698B822F1: lost connection with mta5.am0.yahoodns.net[67.195.228.110] while sending RCPT TO
Apr 15 14:25:15 primary postfix/smtp[2408489]: 114288216C: host mta5.am0.yahoodns.net[98.136.96.75] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 14:25:15 primary postfix/smtp[2408489]: 114288216C: lost connection with mta5.am0.yahoodns.net[98.136.96.75] while sending RCPT TO
Apr 15 14:25:15 primary postfix/smtp[2408533]: 13772822EF: host mta7.am0.yahoodns.net[98.136.96.74] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 14:25:15 primary postfix/smtp[2408533]: 13772822EF: lost connection with mta7.am0.yahoodns.net[98.136.96.74] while sending RCPT TO
Apr 15 14:25:15 primary postfix/smtp[2408538]: 1698B822F1: host mta6.am0.yahoodns.net[67.195.228.110] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 14:25:15 primary postfix/smtp[2408538]: 1698B822F1: lost connection with mta6.am0.yahoodns.net[67.195.228.110] while sending RCPT TO
Apr 15 14:25:16 primary postfix/smtp[2408528]: 13772822EF: host mx-eu.mail.am0.yahoodns.net[188.125.72.73] said: 421 4.7.0 [TSS04] Messages from 139.162.61.248 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
Apr 15 14:25:16 primary postfix/smtp[2408528]: 13772822EF: lost connection with mx-eu.mail.am0.yahoodns.net[188.125.72.73] while sending RCPT TO

This is making no sense to me.

stefan1959 · April 15, 2023, 9:22am

delete the queue, receiving servers are blocking so best to clear.

Vipul.K · April 15, 2023, 9:23am

I’ve been doing that. These are new, they are still showing up

stefan1959 · April 15, 2023, 9:34am

I’m at a loss if the still queuing. Any forms or insecure software on the website?

Vipul.K · April 15, 2023, 10:17am

I’m checking that. Meanwhile, does this help?

Vipul.K · April 15, 2023, 10:42am

I disabled every server in virtualmin and still getting mails added to queue

Is it not possible to know who requested the mail to be sent, the php file or user, anything that can narrow down?

stefan1959 · April 15, 2023, 11:12am

In you log file are you still seeing this? That the login sending the mail and that IP is in the header you posted.

Vipul.K · April 15, 2023, 11:18am

Yes. The IP keeps changing slightly though. One recent entry is

Apr 15 16:43:40 primary postfix/smtpd[2439029]: DD7C782225: client=ec2-35-87-94-65.us-west-2.compute.amazonaws.com[35.87.94.65], sasl_method=LOGIN, sasl_username=sales@tooneywheels.in

stefan1959 · April 15, 2023, 11:19am

Login should fail if you have disabled the account.

Vipul.K · April 15, 2023, 11:32am

I have completely deleted the email account and disabled the server.

I’ve checked that my server is not an open relay.

One thing might have fixed the issue. I added smtpd_sender_restrictions = reject_unknown_sender_domain to postfix/main.cf. Haven’t had more in the queue in the last 20 mins. Fingers crossed.

Edit: Nope, nevermind, they were taking a break apparently.

Vipul.K · April 15, 2023, 11:47am

If anyone wants to take this up as a job, we can talk about it.

stefan1959 · April 15, 2023, 12:03pm

Check webmin users and groups. I can’t understand how there can be a login.

Vipul.K · April 15, 2023, 12:22pm

What am I to check exactly?

stefan1959 · April 15, 2023, 12:30pm

Well that where all the users on the system are. Check that user isn’t in there.

Vipul.K · April 15, 2023, 1:10pm

No its not. And the spam has stopped again since last hour. Will see how it goes through the night, it started at 1 am last night (local time)

RJM_Web_Design · April 15, 2023, 2:51pm

I would pore over the Apache logs. This smells to me like someone exploiting a vulnerable Web form.

Richard