Someone was able to hack my mail account

kevin kevin at kevinslair.com
Thu Dec 10 21:41:44 UTC 2009


Please, if anyone knows how to stop this with postfix and amavisd-new,
let me know!!!

I am clueless how someone outside $mynetworks was able to do it.

Here is the log:

Dec 10 15:14:35 mail dovecot: auth(default): new auth connection: pid=23648
Dec 10 15:14:37 mail dovecot: auth(default): new auth connection: pid=23649
Dec 10 15:14:37 mail postfix/smtpd[23649]: connect from 165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:38 mail postfix/smtpd[23649]: NOQUEUE: filter: RCPT from 165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]: <atienoalice at kevinslair.com>: Sender address triggers FILTER amavisfeed:[127.0.0.1]:10024; from=<atienoalice at kevinslair.com> to=<support at kevinslair.com> proto=ESMTP helo=<windowsb894c86>
Dec 10 15:14:39 mail postfix/smtpd[23649]: 985869EAA9: client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:40 mail postfix/cleanup[23653]: 985869EAA9: message-id=<001501ca79dd$cc8a4ef0$7f000001 at windowsb894c86>
Dec 10 15:14:40 mail postfix/qmgr[2538]: 985869EAA9: from=<atienoalice at kevinslair.com>, size=917, nrcpt=1 (queue active)
Dec 10 15:14:40 mail postfix/smtpd[23649]: disconnect from 165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:41 mail dovecot: auth(default): new auth connection: pid=23658
Dec 10 15:14:41 mail postfix/smtpd[23658]: connect from localhost.localdomain[127.0.0.1]
Dec 10 15:14:41 mail postfix/smtpd[23658]: 3D8869EAAC: client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:41 mail postfix/cleanup[23653]: 3D8869EAAC: message-id=<001501ca79dd$cc8a4ef0$7f000001 at windowsb894c86>
Dec 10 15:14:41 mail postfix/smtpd[23658]: disconnect from localhost.localdomain[127.0.0.1]
Dec 10 15:14:41 mail postfix/qmgr[2538]: 3D8869EAAC: from=<atienoalice at kevinslair.com>, size=2621, nrcpt=1 (queue active)
Dec 10 15:14:41 mail postfix/smtp[23654]: 985869EAA9: to=<support at kevinslair.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.4, delays=2.1/0.02/0.01/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=22280-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3D8869EAAC)
Dec 10 15:14:41 mail postfix/qmgr[2538]: 985869EAA9: removed
Dec 10 15:14:41 mail spamd[2472]: spamd: connection from localhost.localdomain [127.0.0.1] at port 33537
Dec 10 15:14:41 mail spamd[2472]: spamd: setuid to kevin succeeded
Dec 10 15:14:41 mail spamd[2472]: spamd: processing message <001501ca79dd$cc8a4ef0$7f000001 at windowsb894c86> for kevin:502
Dec 10 15:14:42 mail spamd[2472]: spamd: clean message (-98.2/5.0) for kevin:502 in 1.2 seconds, 2731 bytes.
Dec 10 15:14:42 mail spamd[2472]: spamd: result: . -98 - BAYES_50,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,STOX_REPLY_TYPE,USER_IN_WHITELIST scantime=1.2,size=2731,user=kevin,uid=502,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33537,mid=<001501ca79dd$cc8a4ef0$7f000001 at windowsb894c86>,bayes=0.499810,autolearn=no
Dec 10 15:14:42 mail spamd[2460]: prefork: child states: II
Dec 10 15:14:43 mail postfix/local[23659]: 3D8869EAAC: to=<kevin at kevinslair.com>, orig_to=<support at kevinslair.com>, relay=local, delay=1.8, delays=0.47/0.01/0/1.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
Dec 10 15:14:43 mail postfix/qmgr[2538]: 3D8869EAAC: removed


The amavisd-new log just shows that it was passed. The IP address 
88.26.49.165 is not in $mynetworks and I am confused how it allowed it 
to send. I really don't want any more email going out of my server as 
spam. Also, I don't have a user with the atienoalice at kevinslair.com email 
address.



This is the message headers:

Start of headers --

 From - Thu Dec 10 15:18:06 2009
X-Account-Key: account2
X-UIDL: 000070314a016525
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys: 

Return-Path: <atienoalice at kevinslair.com>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on 
mail.kevinslair.com
X-Spam-Level:
X-Spam-Status: No, score=-98.2 required=5.0 tests=BAYES_50,RCVD_IN_PBL,
	RCVD_IN_SORBS_DUL,STOX_REPLY_TYPE,USER_IN_WHITELIST autolearn=no 
version=3.2.5
X-Original-To: support at kevinslair.com
Delivered-To: support at kevinslair.com
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mail.kevinslair.com (Postfix) with ESMTP id 3D8869EAAC
	for <support at kevinslair.com>; Thu, 10 Dec 2009 15:14:41 -0500 (EST)
X-Amavis-Modified: Mail body modified (using disclaimer) - 
mail.kevinslair.com
X-Virus-Scanned: amavisd-new at kevinslair.com
Received: from mail.kevinslair.com ([127.0.0.1])
	by localhost (mail.kevinslair.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id cMKr6GHgfe-F for <support at kevinslair.com>;
	Thu, 10 Dec 2009 15:14:40 -0500 (EST)
Received: from windowsb894c86 (165.Red-88-26-49.staticIP.rima-tde.net 
[88.26.49.165])
	by mail.kevinslair.com (Postfix) with ESMTP id 985869EAA9
	for <support at kevinslair.com>; Thu, 10 Dec 2009 15:14:38 -0500 (EST)
Message-ID: <001501ca79dd$cc8a4ef0$7f000001 at windowsb894c86>
From: "Atieno Alice" <atienoalice at kevinslair.com>
To: <support at kevinslair.com>
Subject: First class male desire promotion, Heat up your intimating
Date: Thu, 10 Dec 2009 21:14:36 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	format=flowed;
	charset="koi8-r";
	reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-Spam: Not detected
X-Mras: Ok

Bring harmony in your night in-outs, Bone-on to be prolonged.

http://profiles.yahoo.com/blog/CKQKWB7FSAAT4LWZ7UQGKDUGUA

END of headers --

Please someone help !!!!

Thanks,
Kevin


Mail Service Provided by:
Kevins Lair, Ent
mailto:kevin at kevinslair.com

_________________________________________________________________________________

Think before you print.

This message and any attachments may contain information that is protected 
by law as privileged and confidential, and is transmitted for the sole use 
of the intended recipient(s). If you are not the intended recipient, you 
are hereby notified that any use, dissemination, copying or retention of 
this e-mail or the information contained herein is strictly prohibited. If 
you have received this e-mail in error, please immediately notify the 
sender by e-mail, and permanently delete this e-mail.


All outgoing e-mail is scanned for virus and potentially hazardous material

_________________________________________________________________________________
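Added example, not part of Kevin's post and not code from Postfix, amavisd-new or SpamAssassin: a Python script that applies the question in the post to Postfix log lines. The posted log already carries the two facts that matter: the client= line for 985869EAA9 has no sasl_username, and the envelope sender is in kevinslair.com although the TCP peer is outside $mynetworks. The script learns the TCP peer of each smtpd process from its "connect from" line, skips the re-injection hop (amavisd-new hands the message back on port 10025 from 127.0.0.1 but XFORWARDs the original client, which is why 3D8869EAAC also shows 88.26.49.165), and reports every queue ID whose envelope sender claims a local domain without SASL authentication and without a peer in $mynetworks. The sample log is constructed: it is modelled on the posted lines with "@" restored, plus two made-up messages for contrast (an authenticated submission from 203.0.113.7 and an ordinary inbound message from 198.51.100.9; those addresses and hostnames are assumptions).

```python
import ipaddress
import re

# Constructed sample log, modelled on the lines in the post above; the
# last two messages (203.0.113.7, 198.51.100.9) are invented for contrast.
SAMPLE_LOG = """\
Dec 10 15:14:37 mail postfix/smtpd[23649]: connect from 165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:39 mail postfix/smtpd[23649]: 985869EAA9: client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:40 mail postfix/qmgr[2538]: 985869EAA9: from=<atienoalice@kevinslair.com>, size=917, nrcpt=1 (queue active)
Dec 10 15:14:40 mail postfix/smtpd[23649]: disconnect from 165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:41 mail postfix/smtpd[23658]: connect from localhost.localdomain[127.0.0.1]
Dec 10 15:14:41 mail postfix/smtpd[23658]: 3D8869EAAC: client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:41 mail postfix/qmgr[2538]: 3D8869EAAC: from=<atienoalice@kevinslair.com>, size=2621, nrcpt=1 (queue active)
Dec 10 15:14:41 mail postfix/smtpd[23658]: disconnect from localhost.localdomain[127.0.0.1]
Dec 10 15:20:02 mail postfix/smtpd[23701]: connect from laptop.example.net[203.0.113.7]
Dec 10 15:20:03 mail postfix/smtpd[23701]: 1A2B3C4D5E: client=laptop.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=kevin
Dec 10 15:20:03 mail postfix/qmgr[2538]: 1A2B3C4D5E: from=<kevin@kevinslair.com>, size=1200, nrcpt=1 (queue active)
Dec 10 15:21:10 mail postfix/smtpd[23710]: connect from mx.example.org[198.51.100.9]
Dec 10 15:21:11 mail postfix/smtpd[23710]: 9F8E7D6C5B: client=mx.example.org[198.51.100.9]
Dec 10 15:21:11 mail postfix/qmgr[2538]: 9F8E7D6C5B: from=<friend@example.org>, size=3000, nrcpt=1 (queue active)
"""

# "]: connect from" deliberately excludes the "disconnect from" lines.
CONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: connect from \S+\[([0-9a-fA-F.:]+)\]")
CLIENT = re.compile(r"postfix/smtpd\[(\d+)\]: ([0-9A-F]+): client=\S+?\[([0-9a-fA-F.:]+)\](.*)")
SENDER = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")


def find_forged_local_senders(log_text, local_domains, mynetworks):
    """Return (queue_id, client_ip, sender) for each message whose envelope
    sender is in one of local_domains but that arrived neither from
    $mynetworks nor over an SASL-authenticated session."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    local = {d.lower() for d in local_domains}
    in_nets = lambda addr: any(addr in n for n in nets)

    peer_by_pid = {}   # smtpd pid -> IP of the TCP peer it is talking to
    first_hop = {}     # queue id -> (client IP, authenticated?)
    findings = []

    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            peer_by_pid[m.group(1)] = ipaddress.ip_address(m.group(2))
            continue

        m = CLIENT.search(line)
        if m:
            pid, qid, client, rest = m.groups()
            peer = peer_by_pid.get(pid)
            # Content-filter re-injection (amavisd-new -> port 10025) comes from
            # 127.0.0.1 but reports the XFORWARDed original client, so the same
            # external IP appears twice; judge the message at its real entry hop.
            if peer is not None and in_nets(peer):
                continue
            first_hop[qid] = (ipaddress.ip_address(client), "sasl_username=" in rest)
            continue

        m = SENDER.search(line)
        if m:
            qid, sender = m.groups()
            if qid not in first_hop:
                continue
            client, authed = first_hop[qid]
            domain = sender.rpartition("@")[2].lower()
            if domain in local and not authed and not in_nets(client):
                findings.append((qid, str(client), sender))

    return findings


if __name__ == "__main__":
    # $mynetworks values below are assumptions for the example.
    for qid, ip, sender in find_forged_local_senders(
        SAMPLE_LOG, {"kevinslair.com"}, ["127.0.0.0/8", "192.168.1.0/24"]
    ):
        print(f"{qid}: unauthenticated client {ip} claimed local sender {sender}")
```

What the script flags is not an open relay: support@kevinslair.com is a local domain, so Postfix accepts mail for it from any client, and only the envelope sender is forged. On the Postfix side the usual remedies are a check_sender_access table that rejects the local domain, listed in smtpd_sender_restrictions after permit_mynetworks and permit_sasl_authenticated, or reject_sender_login_mismatch together with smtpd_sender_login_maps. On the SpamAssassin side, the USER_IN_WHITELIST hit in the posted score is what a whitelist_from (or whitelist_from_rcvd) entry covering the local domain produces, and its -100 is what turned an otherwise spammy message (RCVD_IN_PBL, RCVD_IN_SORBS_DUL) into -98.2.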






More information about the fedora-list mailing list