Problems with Email

I have mails in my Postfix queue. Not sure how it has happened, but there are many fake email addresses ending in one of my domain names, all going to various addresses at Yahoo. I cleared the queue, but in the interim:

I thought I had everything set up correctly in Postfix. I even did a Google "Sanity" MX check and was able to set up everything but DMARC (because I use Aweber).

Is there any way to fix this? MXToolbox says I need to set up a reverse PTR and that I have an SMTP Banner Mismatch. I believe I did this a while back also with reverse DNS in the Linode Admin panel (same thing?). I'm not sure what unraveled here, but it has me really worried.

Please help.

Notes: Ubuntu 12.04 LTS; the Nginx server is secured by fail2ban. I have the most powerful security plugins set up in WordPress. Most of the ports on the server are either filtered or unreachable. Server is passwordless SSH. Wondering if this is enough at this point.

10 Replies

P.S. I double-checked my server for an SPF record and it is indeed already set up like this:

v=spf1 +a +mx +ip4:[MYSERVERIP] +a:aweber.com +include:_spf.google.com ~all

There are two likely sources for these messages, neither of which has anything to do with your SPF record or anything else in DNS.

First is an insecure web form that generates e-mail. Check any WordPress plugins or other web applications you have running. Anything which allows the user to specify a destination e-mail address is a potential problem. This includes less-obvious things such as a plugin which lets users e-mail each other - if spammers can create an unverified account with someone else's e-mail address, they then have an avenue to spam that user.

Select one of the Yahoo destination e-mail addresses and look through your mail logs for the first occurrence of that address to see if the source is local. The following log examples show what this might look like (localhost will appear as 127.0.0.1 instead of ::1 if you don't have IPv6 set up):

# Local message submitted via sendmail command
Jun 19 03:51:13 linode postfix/pickup[9252]: 341F6119B: uid=0 from=<root>
Jun 19 03:51:13 linode postfix/cleanup[9992]: 341F6119B: message-id=<20150619075113.341F6119B@example.org>
Jun 19 03:51:13 linode postfix/qmgr[2281]: 341F6119B: from=<root@example.org>, size=617, nrcpt=1 (queue active)
Jun 19 03:51:13 linode postfix/cleanup[9992]: 39C41116B: message-id=<20150619075113.341F6119B@example.org>
Jun 19 03:51:13 linode postfix/qmgr[2281]: 39C41116B: from=<root@example.org>, size=742, nrcpt=6 (queue active)
Jun 19 03:51:13 linode postfix/local[9995]: 341F6119B: to=<root@example.org>, relay=local, delay=0.05, delays=0.02/0.02/0/0.01, dsn=2.0.0, status=sent (forwarded as 39C41116B)
Jun 19 03:51:13 linode postfix/qmgr[2281]: 341F6119B: removed

# Local message submitted via SMTP
Jun  7 09:22:11 linode postfix/smtpd[24385]: connect from localhost[::1]
Jun  7 09:22:11 linode postfix/smtpd[24385]: 9A8FEC57: client=localhost[::1]
Jun  7 09:22:11 linode postfix/cleanup[24409]: 9A8FEC57: message-id=<mailman.59.1433683330.2122.example@example.org>
Jun  7 09:22:11 linode postfix/qmgr[2300]: 9A8FEC57: from=<mailman-bounces@none.example.org>, size=10664, nrcpt=1 (queue active)
Jun  7 09:22:11 linode postfix/smtpd[24385]: disconnect from localhost[::1]
Jun  7 09:22:12 linode postfix/smtp[24407]: 9A8FEC57: to=<someoneelse@elsewhere.org>, relay=smtp.elsewhere.org[1.2.3.4]:25, delay=0.6, delays=0.04/0/0.49/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 23C8CA3EE)
Jun  7 09:22:12 linode postfix/qmgr[2300]: 9A8FEC57: removed

The second most likely source is that Postfix is improperly configured to relay messages. Supposedly MXToolbox checks for this, but it may not be foolproof. You can look in your logs for the first occurrence of a victim e-mail address and see if it's preceded by a connect message from a non-local source, such as this:

Jun  7 07:34:19 linode postfix/smtpd[23139]: connect from 5r4wv.sabbage.eu[64.74.161.39]
Jun  7 07:34:19 linode postfix/smtpd[23139]: 8B1C0C55: client=5r4wv.sabbage.eu[64.74.161.39]
Jun  7 07:34:19 linode postfix/cleanup[23140]: 8B1C0C55: message-id=<105018811725353010501214209112475250@5r4wv.sabbage.eu>
Jun  7 07:34:19 linode postfix/qmgr[2300]: 8B1C0C55: from=<onlineeducationtoday@sabbage.eu>, size=7530, nrcpt=1 (queue active)
Jun  7 07:34:19 linode postfix/local[23141]: 8B1C0C55: to=<example@example.org>, relay=local, delay=0.38, delays=0.21/0.02/0/0.16, dsn=2.0.0, status=sent (delivered to command: /usr/lib/mailman/mail/mailman post example)
Jun  7 07:34:19 linode postfix/qmgr[2300]: 8B1C0C55: removed
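The triage the reply above describes (find the first log line naming a victim address, then see whether the message was injected locally or accepted over SMTP from a remote client) can be scripted. The following is an added example, not code from the thread: it groups mail.log lines by queue ID and classifies each message's origin from the postfix/pickup (sendmail command) or postfix/smtpd (client=) line. The sample log lines are constructed for the example, modelled on the excerpts in this thread; the uid-to-account mapping assumes Debian/Ubuntu defaults (uid 0 = root, uid 33 = www-data) and the regex assumes Postfix's default short hexadecimal queue IDs.

```python
"""Triage Postfix mail.log lines: who injected each message and where it went.

Added example, not code from the original thread. Groups lines by queue ID,
records the injection path (pickup uid, or smtpd client address) and the
recipients, then answers "where did the first message to <victim> come from?".
"""
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Three queue IDs:
#   AAA111 - picked up from the sendmail command by uid 33 (the web server user)
#   BBB222 - submitted over SMTP from localhost
#   CCC333 - accepted over SMTP from a remote host and relayed outbound
SAMPLE_LOG = """\
Dec 16 16:26:38 mymail postfix/pickup[16692]: AAA111: uid=33 from=<marisa_foster@mydomain.com>
Dec 16 16:26:38 mymail postfix/cleanup[16801]: AAA111: message-id=<20151216162638.AAA111@mymail.myserver>
Dec 16 16:26:38 mymail postfix/qmgr[17107]: AAA111: from=<marisa_foster@mydomain.com>, size=710, nrcpt=1 (queue active)
Dec 16 16:26:38 mymail postfix/error[11189]: AAA111: to=<tanyamathur1@yahoo.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended)
Dec 16 16:27:01 mymail postfix/smtpd[24385]: connect from localhost[::1]
Dec 16 16:27:01 mymail postfix/smtpd[24385]: BBB222: client=localhost[::1]
Dec 16 16:27:01 mymail postfix/qmgr[17107]: BBB222: from=<mailman-bounces@mydomain.com>, size=10664, nrcpt=1 (queue active)
Dec 16 16:27:02 mymail postfix/smtp[24407]: BBB222: to=<someone@elsewhere.org>, relay=smtp.elsewhere.org[192.0.2.10]:25, delay=0.6, delays=0.04/0/0.49/0.07, dsn=2.0.0, status=sent (250 Ok)
Dec 16 16:28:10 mymail postfix/smtpd[23139]: connect from unknown[198.51.100.7]
Dec 16 16:28:10 mymail postfix/smtpd[23139]: CCC333: client=unknown[198.51.100.7]
Dec 16 16:28:10 mymail postfix/qmgr[17107]: CCC333: from=<offers@example.net>, size=7530, nrcpt=1 (queue active)
Dec 16 16:28:11 mymail postfix/smtp[23141]: CCC333: to=<victim@yahoo.com>, relay=mta7.am0.yahoodns.net[203.0.113.5]:25, delay=0.38, dsn=2.0.0, status=sent (250 Ok)
"""

# Only lines carrying a queue ID matter; "connect from"/"disconnect from"
# lines have none and are skipped. Assumes default short hex queue IDs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<proc>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+)")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
TO_RE = re.compile(r"to=<(?P<rcpt>[^>]+)>")
LOCAL_IPS = {"127.0.0.1", "::1"}
KNOWN_UIDS = {0: "root", 33: "www-data"}   # Debian/Ubuntu defaults (assumption)


def parse_log(text):
    """Return {queue_id: {"origin", "uid", "client_ip", "rcpts"}} in log order."""
    msgs = defaultdict(lambda: {"origin": "unknown", "uid": None,
                                "client_ip": None, "rcpts": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, proc, rest = msgs[m["qid"]], m["proc"], m["rest"]
        if proc == "pickup":                       # local sendmail submission
            rec["uid"] = int(PICKUP_RE.search(rest)["uid"])
            rec["origin"] = "local-sendmail"
        elif proc == "smtpd":                      # SMTP submission
            c = CLIENT_RE.search(rest)
            if c:
                rec["client_ip"] = c["ip"]
                rec["origin"] = "local-smtp" if c["ip"] in LOCAL_IPS else "remote-smtp"
        t = TO_RE.search(rest)                     # delivery attempt lines
        if t:
            rec["rcpts"].append(t["rcpt"])
    return dict(msgs)


def first_occurrence(text, rcpt):
    """(queue_id, origin) of the first message addressed to rcpt, or None."""
    for qid, rec in parse_log(text).items():
        if rcpt in rec["rcpts"]:
            return qid, rec["origin"]
    return None


def describe(rec):
    """One-line reading of a parsed record, pointing at where to look next."""
    if rec["origin"] == "local-sendmail":
        who = KNOWN_UIDS.get(rec["uid"], f"uid {rec['uid']}")
        return f"injected locally via sendmail by {who}: inspect web apps/cron on this host"
    if rec["origin"] == "local-smtp":
        return "submitted over SMTP from localhost: a local daemon or script"
    if rec["origin"] == "remote-smtp":
        return f"accepted over SMTP from {rec['client_ip']}: check relay restrictions"
    return "origin not present in this log excerpt"


if __name__ == "__main__":
    for qid, rec in parse_log(SAMPLE_LOG).items():
        print(qid, rec["rcpts"], "->", describe(rec))
```

Run it over /var/log/mail.log (and the rotated copies) rather than the sample. A run of pickup lines with uid=33 means the web server account handed each message to the sendmail command, which on a WordPress host points at PHP code, not at Postfix; PHP can be made to name the script by setting mail.add_x_header = On (adds an X-PHP-Originating-Script header) and mail.log in php.ini.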

Hello and thank you so much for responding to my post.

Sadly I did not keep any copies of the mails that were in the queue. After learning that 100,000 emails were bouncing around in my queue, I freaked out and deleted them all before I could do any sort of forensics. I did try to restore a backup to my server to see if I could find it that way, but the incident occurred between backups.

I will take a look at any and all plugins to see if any are at risk. I know I did have issues with files being uploaded to the Wordfence cache folder and other folders. I think I cleaned it up OK (that incident I wasn't able to find a cause for either). One of them was a "proxy.php" file, which may have been used for locally relaying emails as you mentioned. Certainly the domain in question has been under attack for the last few days, so I'm going to take a closer look at the WordPress files.

And if this incident happens again (hopefully it won't), I know what to look for.

Thanks again for your help.

If your server has been compromised, nuke it from orbit: it's the only way to be sure. Then start with a fresh install, configure your web services, and restore your databases.

(BTW, my log example for relaying is not 100% exactly what you'd see - in this case, the destination was a local address.)
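The earlier reply's second candidate source, Postfix "improperly configured to relay", can be checked from the configuration itself instead of relying on an external probe. The following is an added example, not code from the thread or from Postfix: it parses main.cf text and flags a mynetworks range that trusts far more than loopback and private space, and restriction lists that never reach reject_unauth_destination or defer_unauth_destination. Assumptions: the two configs are constructed; the Postfix 2.9 shipped with Ubuntu 12.04 controls relaying through smtpd_recipient_restrictions (default "permit_mynetworks, reject_unauth_destination"), and Postfix 2.10+ adds smtpd_relay_restrictions, which is checked as well when present.

```python
"""Flag Postfix main.cf settings that let anyone relay through the server.

Added example, not code from the original thread. A restriction list ends
with an implicit permit, so a list that never rejects/defers unauthorized
destinations, or that puts a bare "permit" before that guard, relays for
everyone; a wide mynetworks does the same through permit_mynetworks.
"""
import ipaddress
import re

RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
PRIVATE_RANGES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed configs: the weak one trusts the whole internet and ends its
# restriction list with a bare "permit"; the safe one is the corrected form.
WEAK_MAIN_CF = """\
myhostname = mail.example.org
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    permit
"""

SAFE_MAIN_CF = """\
myhostname = mail.example.org
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
"""


def parse_main_cf(text):
    """Minimal main.cf parser: 'key = value', with indented continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()      # continuation of previous value
        elif "=" in raw:
            key, val = (s.strip() for s in raw.split("=", 1))
            params[key] = val
    return params


def _split_list(value):
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


def _is_wide(net):
    """True for ranges far beyond loopback and RFC 1918/ULA space, e.g. 0.0.0.0/0."""
    if net.is_loopback:
        return False
    if any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES):
        return False
    return net.num_addresses > 65536


def relay_findings(text):
    """Return a list of problems; an empty list means no relay weakness was found."""
    cf = parse_main_cf(text)
    problems = []

    # 1. permit_mynetworks relays for every address in mynetworks.
    for tok in _split_list(cf.get("mynetworks", "127.0.0.0/8")):
        try:   # Postfix writes IPv6 as [addr]/len; strip the brackets
            net = ipaddress.ip_network(tok.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue   # hostnames or lookup tables: not evaluated here
        if _is_wide(net):
            problems.append(f"mynetworks contains wide range {tok}")

    # 2. Each relevant restriction list must contain a relay guard, with no
    #    unconditional "permit" ahead of it (Postfix 2.9 default assumed).
    lists = {"smtpd_recipient_restrictions": cf.get(
        "smtpd_recipient_restrictions", "permit_mynetworks, reject_unauth_destination")}
    if "smtpd_relay_restrictions" in cf:
        lists["smtpd_relay_restrictions"] = cf["smtpd_relay_restrictions"]

    guarded = False
    for name, value in lists.items():
        rules = _split_list(value)
        guard_pos = [i for i, r in enumerate(rules) if r in RELAY_GUARDS]
        if not guard_pos:
            problems.append(f"{name}: no reject/defer_unauth_destination (list ends in implicit permit)")
        elif "permit" in rules[:guard_pos[0]]:
            problems.append(f"{name}: unconditional 'permit' precedes the relay guard")
        else:
            guarded = True
    if not guarded:
        problems.append("no restriction list rejects unauthorized relay destinations")
    return problems


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("safe", SAFE_MAIN_CF)):
        print(label, relay_findings(cfg) or ["OK"])
```

Feed it the output of postconf -n rather than a hand-edited main.cf so that values set through postconf are included; the parser accepts that one-setting-per-line format as well.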

It happened again… I think I'm in over my head. I've done everything I could do.

Here is the mail log. I'm at the point where I'll just shut down my server after all these years. I have no idea how to fix this, and starting from scratch is not really an option. I set up the server using a script and info from VPSBible.com. That site is pretty much halfway workable (long story; it went through changes and left some of its original users in the dark). I learned to shore things up pretty much. At some point I was using OSSEC, but later I got sick of the emails it sent.

Dec 16 16:26:38 mymail postfix/cleanup[16801]: 244D12411C: message-id=<20151216162638.244D12411C@mymail.myserver>
Dec 16 16:26:38 mymail postfix/qmgr[17107]: 244D12411C: from=<marisa_foster@mydomain.com>, size=710, nrcpt=1 (queue active)
Dec 16 16:26:38 mymail postfix/error[11189]: 244D12411C: to=<tanyamathur1@yahoo.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.33] while sending RCPT TO)
Dec 16 16:26:38 mymail postfix/pickup[16692]: 27AF52411D: uid=33 from=<marisa_foster@mydomain.com>
Dec 16 16:26:38 mymail postfix/cleanup[16801]: 27AF52411D: message-id=<20151216162638.27AF52411D@mymail.myserver>
Dec 16 16:26:38 mymail postfix/qmgr[17107]: 27AF52411D: from=<marisa_foster@mydomain.com>, size=710, nrcpt=1 (queue active)
Dec 16 16:26:38 mymail postfix/error[11192]: 27AF52411D: to=<tanyamathur6@yahoo.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.33] while sending RCPT TO)
Dec 16 16:26:38 mymail postfix/pickup[16692]: 2B00E2411E: uid=33 from=<marisa_foster@mydomain.com>
Dec 16 16:26:38 mymail postfix/cleanup[16801]: 2B00E2411E: message-id=<20151216162638.2B00E2411E@mymail.myserver>
Dec 16 16:26:38 mymail postfix/qmgr[17107]: 2B00E2411E: from=<marisa_foster@mydomain.com>, size=711, nrcpt=1 (queue active)
Dec 16 16:26:38 mymail postfix/pickup[16692]: 2E0C12411F: uid=33 from=<marisa_foster@mydomain.com>
Dec 16 16:26:38 mymail postfix/cleanup[16801]: 2E0C12411F: message-id=<20151216162638.2E0C12411F@mymail.myserver>
Dec 16 16:26:38 mymail postfix/qmgr[17107]: 2E0C12411F: from=<marisa_foster@mydomain.com>, size=710, nrcpt=1 (queue active)
Dec 16 16:26:38 mymail postfix/error[11212]: 2E0C12411F: to=<tanyamayer32@yahoo.com>, relay=none, delay=0.02, delays=0.01/0/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.33] while sending RCPT TO)
Dec 16 16:26:38 mymail postfix/pickup[16692]: 33D2B24120: uid=33 from=<marisa_foster@mydomain.com>
Dec 16 16:26:38 mymail postfix/cleanup[16801]: 33D2B24120: message-id=<20151216162638.33D2B24120@mymail.myserver>
Dec 16 16:26:38 mymail postfix/qmgr[17107]: 33D2B24120: from=<marisa_foster@mydomain.com>, size=708, nrcpt=1 (queue active)

Here is one with more detail:

Dec 16 16:34:40 mail postfix/smtp[18468]: 20110B2FE5: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 554 5.7.1 CCRX 173.255.237.18: Connection refused. Your IP address is blocked(anti-spam). If you need, please contact hanmailcs@daumcorp.com.
Dec 16 16:34:40 mail postfix/smtp[18525]: 687C1B3278: to=<shome41@bigpond.com>, relay=extmail.bigpond.com[61.9.189.122]:25, delay=934, delays=933/0.23/0.93/0, dsn=4.0.0, status=deferred (host extmail.bigpond.com[61.9.189.122] refused to talk to me: 554 nschwcmgw04p BigPond Inbound IB104b. Connection refused. 173.255.237.18 is listed on the Exploits Block List (XBL). Please visit http://www.spamhaus.org/xbl/ for more information.)
Dec 16 16:34:40 mail postfix/smtp[18495]: 3824A240FC: to=<security@myserver.com>, relay=ALT1.ASPMX.L.GOOGLE.com[64.233.190.26]:25, delay=542, delays=541/0.31/0.99/0.34, dsn=4.2.1, status=deferred (host ALT1.ASPMX.L.GOOGLE.com[64.233.190.26] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 https://support.google.com/mail/answer/6592 r85si6370981vke.56 - gsmtp (in reply to RCPT TO command))
Dec 16 16:34:40 mail postfix/smtp[18510]: BCD60B3319: host mx.vgs.untd.com[64.136.52.37] refused to talk to me: 550 IP 173.255.237.18 in zen.spamhaus.org : Access Denied, please see www.spamhaus.org
Dec 16 16:34:40 mail postfix/smtp[18509]: B2440B2C43: to=<security@myserver.com>, relay=ALT1.ASPMX.L.GOOGLE.com[64.233.190.26]:25, delay=1169, delays=1167/0.34/0.9/0.31, dsn=4.2.1, status=deferred (host ALT1.ASPMX.L.GOOGLE.com[64.233.190.26] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 https://support.google.com/mail/answer/6592 p21si6372161vke.80 - gsmtp (in reply to RCPT TO command))
Dec 16 16:34:40 mail postfix/smtp[18473]: EFC79B332E: to=<sydpat22@yahoo.com.au>, relay=mta7.am0.yahoodns.net[98.136.217.202]:25, delay=585, delays=583/0.13/0.94/0.07, dsn=4.7.0, status=deferred (host mta7.am0.yahoodns.net[98.136.217.202] said: 421 4.7.0 [TS01] Messages from 173.255.237.18 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
Dec 16 16:34:40 mail postfix/smtp[18493]: E1446B3340: to=<simba38@bigpond.com>, relay=extmail.bigpond.com[61.9.189.122]:25, delay=911, delays=909/0.22/0.92/0, dsn=4.0.0, status=deferred (host extmail.bigpond.com[61.9.189.122] refused to talk to me: 554 nschwcmgw04p BigPond Inbound IB104b. Connection refused. 173.255.237.18 is listed on the Exploits Block List (XBL). Please visit http://www.spamhaus.org/xbl/ for more information.)
Dec 16 16:34:40 mail postfix/smtp[18459]: 8B251B3192: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi211 cox 173.255.237.18 blocked. Error Code: IPBL0001 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.
Dec 16 16:34:40 mail postfix/smtp[18476]: DE73E2414F: to=<tengjw@singnet.com.sg>, relay=mx-fuse-1.singnet.com.sg[202.40.249.79]:25, delay=428, delays=426/0.15/1.1/0, dsn=4.0.0, status=deferred (host mx-fuse-1.singnet.com.sg[202.40.249.79] refused to talk to me: 520 Blacklisted)
Dec 16 16:34:40 mail postfix/smtp[18483]: 74D60B3289: to=<shome@libpac.com>, relay=alt1.aspmx.l.google.com[64.233.190.26]:25, delay=934, delays=933/0.33/0.88/0.29, dsn=4.2.1, status=deferred (host alt1.aspmx.l.google.com[64.233.190.26] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 https://support.google.com/mail/answer/6592 7si6372954vkj.74 - gsmtp (in reply to RCPT TO command))
Dec 16 16:34:40 mail postfix/smtp[18479]: 7228824186: to=<torun.tysse.landsvik@nordea.com>, relay=cluster4a.eu.messagelabs.com[85.158.139.103]:25, delay=354, delays=353/0.33/1.1/0.1, dsn=4.0.0, status=deferred (host cluster4a.eu.messagelabs.com[85.158.139.103] said: 421 Service Temporarily Unavailable (in reply to RCPT TO command))
Dec 16 16:34:40 mail postfix/smtp[18512]: 1F2FFB325F: to=<security@myserver.com>, relay=ALT1.ASPMX.L.GOOGLE.com[64.233.190.26]:25, delay=938, delays=936/0.35/0.98/0.37, dsn=4.2.1, status=deferred (host ALT1.ASPMX.L.GOOGLE.com[64.233.190.26] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 https://support.google.com/mail/answer/6592 195si6353668vkg.117 - gsmtp (in reply to RCPT TO command))
Dec 16 16:34:40 mail postfix/smtp[18457]: CAE74B331B: to=<sydowprop@telkomsa.net>, relay=mx2.telkomsa.net[196.25.211.172]:25, delay=585, delays=583/0.3/1.5/0, dsn=4.0.0, status=deferred (host mx2.telkomsa.net[196.25.211.172] refused to talk to me: 554-as5.telkomsa.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Dec 16 16:34:40 mail postfix/smtp[18468]: 20110B2FE5: to=<sbgshin@daum.net>, relay=mx2.hanmail.net[180.70.93.97]:25, delay=1023, delays=1021/0.2/2/0, dsn=4.7.1, status=deferred (host mx2.hanmail.net[180.70.93.97] refused to talk to me: 554 5.7.1 CCRX 173.255.237.18: Connection refused. Your IP address is blocked(anti-spam). If you need, please contact hanmailcs@daumcorp.com.)
Dec 16 16:34:40 mail postfix/smtp[18507]: B9238B2D4E: to=<sanpietro9@vodafone.it>, relay=mx.vodafone.arubamail.it[62.149.178.10]:25, delay=1141, delays=1139/0.33/1.7/0, dsn=4.0.0, status=deferred (host mx.vodafone.arubamail.it[62.149.178.10] refused to talk to me: 554 mxcmd02.vf.aruba.it bizsmtp uGaf1r0040QWJit01 Connection refused from 173.255.237.18. See http://www.spamhaus.org/query/bl?ip=173.255.237.18 for more information.)
Dec 16 16:34:40 mail postfix/smtp[18494]: 3D125241A3: to=<torus@comcast.net>, relay=mx1.comcast.net[96.114.157.80]:25, delay=330, delays=328/0.3/1.9/0, dsn=4.0.0, status=deferred (host mx1.comcast.net[96.114.157.80] refused to talk to me: 554 resimta-po-20v.sys.comcast.net comcast 173.255.237.18 found on one or more DNSBLs, see http://postmaster.comcast.net/smtp-error-codes.php#BL000001)
Dec 16 16:34:41 mail postfix/smtp[18510]: BCD60B3319: to=<shomeraz@juno.com>, relay=mx.dca.untd.com[64.136.44.37]:25, delay=920, delays=917/0.36/2.2/0, dsn=4.0.0, status=deferred (host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 IP 173.255.237.18 in zen.spamhaus.org : Access Denied, please see www.spamhaus.org )
Dec 16 16:34:41 mail postfix/smtp[18459]: 8B251B3192: to=<shaut@cox.net>, relay=mx.west.cox.net[68.6.19.3]:25, delay=978, delays=976/0.31/2.3/0, dsn=4.0.0, status=deferred (host mx.west.cox.net[

I found obfuscated code pasted repeatedly in /wp-includes/js/tinymce/plugins in the WordPress installation. Not sure if this is an internal hack or an external one.

Wordfence and other such plugins did nothing to stop the repeated POST requests from various IPs.

I'm looking at getting my WordPress installs professionally hosted at this point.

It was a week ago that I ripped apart that website... deleted the database and everything, only for this to happen. Hackers win.

It's been 4? years... a good run for a very amateur webmistress, but I'm no match for morons who spend 24/7 trying to find ways to spam people and such. And in general I don't have much business running a server unless I'm professionally trained. So I'm out!

Thanks to you and everyone on this forum for your help.

Yeah, an insecure WordPress installation can certainly cause this. A hosted service is a good idea if you can't keep on top of it yourself. Good luck!

Thanks! Good Luck to you too! Happy Holidays!
