
I've hosted my own email for years now, and only recently have I started receiving failure notices that I have not sent. Below is an example of a header:

Hi. This is the qmail-send program at MYSERVER.co.uk.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<bao-01@msn.com>:
User and password not set, continuing without authentication.
65.55.92.184 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.92.184.

<karanisthegasman@hotmail.com>:
User and password not set, continuing without authentication.
65.55.92.168 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.92.168.

<x0laurensays@aim.com>:
User and password not set, continuing without authentication.
64.12.138.161 does not like recipient.
Remote host said: 550 5.1.1 <x0laurensays@aim.com>: Recipient address rejected: aim.com
Giving up on 64.12.138.161.

<shortstuff128@cs.com>:
User and password not set, continuing without authentication.
64.12.91.196 does not like recipient.
Remote host said: 550 5.1.1 <shortstuff128@cs.com>: Recipient address rejected: cs.com
Giving up on 64.12.91.196.

<zerin3@aol.com>:
User and password not set, continuing without authentication.
64.12.91.195 does not like recipient.
Remote host said: 550 5.1.1 <zerin3@aol.com>: Recipient address rejected: aol.com
Giving up on 64.12.91.195.

<apps+opee1eef@facebookmail.com>:
User and password not set, continuing without authentication.
<apps+opee1eef@facebookmail.com> 173.252.79.16 failed after I sent the message.
Remote host said: 554 5.7.1 POL-P8 http://postmaster.facebook.com/response_codes?ip=MYIP#pol-m Message refused

--- Below this line is a copy of the message.

Return-Path: <me@MYSERVER.co.uk>
Received: (qmail 31378 invoked by uid 0); 19 Feb 2014 17:27:42 -0000
Received: from 212.156.182.55.static.turktelekom.com.tr (HELO mycomputer) (me@MYSERVER.co.uk@212.156.182.55)
  by MYSERVER.co.uk with ESMTPA; 19 Feb 2014 17:27:41 -0000
From: "=?ISO-8859-1?Q?frostix28=40aol.com?=" <frostix28@aol.com>
To: "=?ISO-8859-1?Q?micayla12=40aol.com?=" <micayla12@aol.com>,
 "=?ISO-8859-1?Q?bao-01=40msn.com?=" <bao-01@msn.com>,
 "=?ISO-8859-1?Q?yourkissistorture=40yahoo.com?="
 <yourkissistorture@yahoo.com>,
 "=?ISO-8859-1?Q?karanisthegasman=40hotmail.com?="
 <karanisthegasman@hotmail.com>,
 "=?ISO-8859-1?Q?jman5510=40yahoo.com?=" <jman5510@yahoo.com>,
 "=?ISO-8859-1?Q?x0laurensays=40aim.com?=" <x0laurensays@aim.com>,
 "=?ISO-8859-1?Q?zerin3=40aol.com?=" <zerin3@aol.com>,
 "=?ISO-8859-1?Q?shortstuff128=40cs.com?=" <shortstuff128@cs.com>,
 "=?ISO-8859-1?Q?apps+opee1eef=40facebookmail.com?="
 <apps+opee1eef@facebookmail.com>,
 "=?ISO-8859-1?Q?registration=40ebay.com?=" <registration@ebay.com>,
 "=?ISO-8859-1?Q?frostix28=40aol.com?=" <frostix28@aol.com>
Subject: =?ISO-8859-1?Q?frostix28=40aol.com?=
Date: Tue, 19 Feb 2014 06:27:39 +0100
MIME-Version: 1.0
X-mailer: Microsoft Office Outlook, Build 11.0.5510
Reply-To: frostix28@aol.com
Content-type: Multipart/mixed; boundary="4A2C4E38_686FF402_boundary"
Content-Description: Multipart message

--4A2C4E38_686FF402_boundary
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text

=EF=BB=BF<html><head><meta http-equiv=3D"content-type" content: text/html;=
 charset=3DUTF-8></head><body><a href=
=3D"http://contactaviators.com/bx/hga.html">http://contactaviators.com/bx/hga.=
html</a></body></html>
--4A2C4E38_686FF402_boundary--

I've changed my server address to MYSERVER.co.uk in there and my IP to MYIP. The rest of the message remains unchanged.

From what I can see in the header, the email originated from 212.156.182.55 rather than my server, but then the message itself came back to my server.

Is this normal? I've checked for open relays etc. and all of the online scanners suggest the mail server is set up correctly.

Should I treat this as spam, or is this something worse?

Edit:

Since this started happening I've been keeping a closer eye on the log files.

One of the lines got me:

xinetd[892]: START: smtp pid=22325 from=205.201.134.23

That IP, when whois'ed, is for Mailchimp. I'm not sure why Mailchimp are connecting to me, but they seem to be (their connection only lasted 1 sec though, according to the logs).

exussum
  • The mail client I use is Thunderbird; I connect to mail.MYSERVER.co.uk, which has an A record for the IP. No relays are used, just the 1 server with only 1 MX record – exussum Feb 20 '14 at 09:30
  • mxtoolbox.com was used to check the mail server. All tests passed – exussum Feb 20 '14 at 09:32
  • I've not changed the setup since October 2011, and I do not recognize any emails on the list besides `registration@ebay.com`, but that's a generic one. The IP address which I think sent it was 212.156.182.55, which is in Turkey. My server is hosted in Manchester, UK – exussum Feb 20 '14 at 09:40
  • In that case, it suggests you're being used as a relay despite testing... what service did you use to test for it? http://www.mailradar.com/openrelay/ I assume the server is free of viruses etc. and it's not a script on the actual server sending it out? – Dave Feb 20 '14 at 09:42
  • "All tested completed! No relays accepted by remote host!" is the result of that. The server, as far as I'm aware, is, and no automatic emails are sent from that server – exussum Feb 20 '14 at 09:46
  • I wonder then if they're using an alias of some sort... They send from IP x.x.x.5 but use an alias to make it appear from you, so when it fails the return message goes to you, not the source. – Dave Feb 20 '14 at 09:47
  • And again, I assume the sender `frostix28@aol.com` isn't you? – Dave Feb 20 '14 at 10:00
  • That's correct, I've not seen/heard of that address before this email. `me@MYSERVER.co.uk` is my email address in the log above – exussum Feb 20 '14 at 10:03
  • The main reason I've changed the addresses is in case it was a real problem; I didn't want to advertise it being broken – exussum Feb 20 '14 at 10:05
  • What is the purpose of this mail server? Is it your own, or can anyone 'join' and use your services etc. (do you offer email hosting, for example)? – Dave Feb 20 '14 at 10:08
  • My own. There are roughly 20 users on there. Mail accounts can only be created by me – exussum Feb 20 '14 at 10:09
  • I'm struggling here. I have the same setup with my own mail server and have never experienced this... It is worrying in case the recipient does think it's your server sending the email (blacklisting)... Other than checking out Task Scheduler (to make sure there isn't something running you don't know about) and a full virus and malware scan, I'm out of ideas. – Dave Feb 20 '14 at 10:13
  • I've had the setup for years now. Yesterday I got 3 of these emails, all from separate IPs but with similar messages. I'll double check all cron jobs and make sure everything is updated. Thanks for your suggestions – exussum Feb 20 '14 at 10:16
  • How often are these occurring? – Dave Feb 20 '14 at 10:18
  • 3 in total, 8:18, 17:27, 17:28, all 19th Feb. None since – exussum Feb 20 '14 at 10:21
  • Is this a VPS or dedicated? – Dave Feb 20 '14 at 10:22
  • VPS running CentOS 6 – exussum Feb 20 '14 at 10:23
  • @DaveRook Just had 8 more now, all in the space of 2 minutes :( Any way to set up logging to log every mail sent? – exussum Feb 20 '14 at 14:28
  • I don't use the same mail server (I use hMailServer) but there *must* be a way to enable logging. Hopefully you'll see a pattern (to see if anything is sent from you, or if it's only being sent back to you)! – Dave Feb 21 '14 at 08:45
  • Please take extended discussion or troubleshooting to [chat]. – slhck Feb 21 '14 at 09:40

1 Answer


The cause of the spam emails being sent was the password being leaked/sniffed/guessed. A change of password stopped the spam emails being sent.

It seems, like with most security-related things, the user-chosen password is the weak point. I didn't even consider it until there was nothing left to try.

exussum
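The bounced copy in the question and the diagnosis in the answer describe the same event: the `Received: ... (me@MYSERVER.co.uk@212.156.182.55) by MYSERVER.co.uk with ESMTPA` line shows the message was accepted as an authenticated submission with the owner's credentials, from a Turkish address, with a message `Date` twelve hours off the server's stamp and the wrong weekday. An open-relay test cannot catch that. The script below is an added example (not the asker's code, not from the answer, not part of any qmail tool): it parses that qmail-smtpd AUTH-style `Received` line from a returned bounce copy and flags the indicators that point at a stolen password. It reconstructs the bounce headers from the question (names redacted as there, recipient list and body trimmed), adds a constructed benign submission for comparison, and assumes a trusted network range of `203.0.113.0/24` (a documentation range standing in for wherever the real users connect from).

```python
"""Flag authenticated (ESMTPA) submissions the account owner did not make.

Added example: parses the qmail-smtpd SMTP-AUTH style Received line from a
bounce's returned copy and reports indicators of a compromised password.
"""
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Shape of the Received line seen in the question (qmail-smtpd with the AUTH patch):
#   from <rdns> (HELO <helo>) (<authuser>@<ip>) by <server> with <proto>; <date>
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?:(?P<auth_user>[^@\s]+@[^@\s]+)@)?(?P<ip>[0-9a-fA-F.:]+)\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+);\s*(?P<date>.+)$"
)
DAYNAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MAX_DATE_SKEW_SECONDS = 3600  # assumption: an honest client's clock is within an hour of the server's

# Assumption (constructed): the address range the legitimate users submit from.
TRUSTED_NETWORKS = ["203.0.113.0/24"]

# Constructed from the bounce in the question; recipient list and body trimmed.
BOUNCED_COPY = """Return-Path: <me@MYSERVER.co.uk>
Received: (qmail 31378 invoked by uid 0); 19 Feb 2014 17:27:42 -0000
Received: from 212.156.182.55.static.turktelekom.com.tr (HELO mycomputer) (me@MYSERVER.co.uk@212.156.182.55)
  by MYSERVER.co.uk with ESMTPA; 19 Feb 2014 17:27:41 -0000
From: "frostix28@aol.com" <frostix28@aol.com>
To: <bao-01@msn.com>
Subject: frostix28@aol.com
Date: Tue, 19 Feb 2014 06:27:39 +0100
X-mailer: Microsoft Office Outlook, Build 11.0.5510

(body omitted)
"""

# Constructed: what a submission from the owner's own client on a trusted address looks like.
LEGIT_COPY = """Received: from laptop.example (HELO laptop.example) (me@MYSERVER.co.uk@203.0.113.7)
  by MYSERVER.co.uk with ESMTPA; 20 Feb 2014 09:30:00 -0000
From: <me@MYSERVER.co.uk>
To: <friend@example.org>
Subject: hello
Date: Thu, 20 Feb 2014 09:29:50 +0000

hi
"""


def _utc(dt):
    """parsedate_to_datetime returns a naive datetime for '-0000'; treat naive as UTC."""
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)


def parse_received(value):
    """Parse one (possibly folded) Received header; None if it is not the qmail AUTH shape."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    hop = m.groupdict()
    hop["stamp"] = _utc(parsedate_to_datetime(hop["date"]))
    return hop


def analyse(raw_message, trusted_networks):
    """Return the client-facing submission hop and the indicators it trips."""
    msg = message_from_string(raw_message)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    result = {"submission": None, "findings": [], "skew_seconds": None}
    if not hops:
        result["findings"].append("NO_QMAIL_RECEIVED_LINE")
        return result
    hop = hops[-1]  # lowest Received line is the earliest hop: the one facing the client
    result["submission"] = hop
    findings = result["findings"]
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    if hop["proto"].upper().startswith("ESMTPA"):  # SMTP AUTH was used: someone had the password
        if not any(ipaddress.ip_address(hop["ip"]) in n for n in nets):
            findings.append("AUTH_FROM_UNTRUSTED_IP")
    if "." not in hop["helo"]:
        findings.append("HELO_NOT_FQDN")  # weak indicator: many clients send a bare hostname
    date_hdr = msg.get("Date")
    if date_hdr:
        claimed = parsedate_to_datetime(date_hdr)
        result["skew_seconds"] = (hop["stamp"] - _utc(claimed)).total_seconds()
        if abs(result["skew_seconds"]) > MAX_DATE_SKEW_SECONDS:
            findings.append("DATE_SKEW")
        day = date_hdr.split(",")[0].strip()
        if "," in date_hdr and day in DAYNAMES and day != DAYNAMES[claimed.weekday()]:
            findings.append("DATE_WEEKDAY_MISMATCH")
    return result


if __name__ == "__main__":
    for label, raw in (("bounced copy", BOUNCED_COPY), ("legit", LEGIT_COPY)):
        r = analyse(raw, TRUSTED_NETWORKS)
        s = r["submission"]
        print(f"{label}: user={s['auth_user']} ip={s['ip']} helo={s['helo']} findings={r['findings']}")
```

On the bounced copy the script reports `AUTH_FROM_UNTRUSTED_IP` for the account `me@MYSERVER.co.uk`, which is the answer's finding in one line: the server was not an open relay (the mailradar test was right), it was simply doing what it is supposed to do for a client that presents valid credentials. Running it over every returned bounce, or better over the server's own SMTP AUTH log, also tells you which account to reset, which is the one thing the bounce itself does not say out loud.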