And why is this happening? They are going to restrict my service again; in the morning they had me without service.
First, you should identify what those mails are. If they are spam, maybe some of your sites have been hacked, maybe someone is using a valid user because of a weak password, etc.
Is there any way to identify that?
Viewing the mails in queue you can see the headers and body and you will see if they are sent to random users on other domains.
Use exim -bp to show message-ids.
Use exim -Mvh <message-id> to view the headers.
Use exim -Mvb <message-id> to view the body.
Use exim -Mvl <message-id> to view the log.
Checking the Exim (/var/log/exim4/mainlog) and Dovecot (/var/log/dovecot.log) logs could help to identify it too.
Also, if you think you have been hacked or are sending mails without control, stop Exim’s service.
apart from [email protected] with exim -bp others appear like this:
7h 4.6K 1tKhVp-004NZ3-0C [email protected]
[email protected]
7h 4.6K 1tKhVp-004NZ4-2a [email protected]
[email protected]
7h 4.6K 1tKhWr-004NaU-2t [email protected]
[email protected]
7h 4.6K 1tKhY4-004Ncz-1z [email protected]
[email protected]
7h 4.6K 1tKhZ2-004Nga-0B [email protected]
[email protected]
Check the mails (headers and body) sent using the sandra1 user and, if they are spam, change sandra1’s password immediately.
exim -Mvh [email protected]?
And if I suspend the service, will the delivery stop?
You must use the message id, example:
exim4 -Mvh 1tKhVp-004NZ3-0C
exim -Mvh [email protected]
exim: malformed message id [email protected] after -Mvh option
root@servpc:~# exim4 -Mvh 1tKhVp-004NZ3-0C
1tKhVp-004NZ3-0C-H
Debian-exim 109 116
[email protected]
1733765137 0
-received_time_usec .062872
-received_time_complete 1733765137.413436
--helo_name mtqj
-host_address [102.130.232.20]:37768
-host_auth dovecot_login
-host_auth_pubname LOGIN
-interface_address [45.79.196.36]:465
-active_hostname 45-79-196-36.ip.linodeusercontent.com
-received_protocol esmtpsa
-aclc _msg_limit 3
200
-body_linecount 204
-max_received_linelength 82
--auth_id [email protected]
-host_lookup_failed
-spam_bar --
-spam_score -2.9
-spam_score_int -28
-tls_cipher TLS1.2:ECDHE_SECP256R1__RSA_SHA512__AES_128_GCM:128
-tls_resumption B
-tls_ver TLS1.2
XX
1
[email protected]
253P Received: from [102.130.232.20] (helo=mtqj)
by servpc.cl with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.96)
(envelope-from [email protected])
id 1tKhVp-004NZ3-0C
for [email protected];
Mon, 09 Dec 2024 14:25:37 -0300
062I Message-ID: [email protected]
048F From: Your Generics Outlet [email protected]
023T To: [email protected]
041 Subject: Limited-time ED pill discounts.
037 Date: Mon, 9 Dec 2024 09:25:55 -0800
018 MIME-Version: 1.0
083 Content-Type: multipart/alternative; boundary="03a9fee13cf8d66d4ee45cf702e0a1f7b5"
root@servpc:~#
That’s spam; change sandra1’s password and remove all the mails from the queue:
exim -bp | grep [email protected] | awk '{print $3}' | xargs -I {} exim -Mrm {}
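The header check done by hand in this thread (reading host_auth, auth_id and host_address in one message's spool header) can be run over the whole queue to see which account and client IP submitted the mail. This is an added example, not part of any post in the thread; the function names, addresses and message ids in the sample are constructed.

```shell
#!/bin/sh
# Added example: who submitted the queued mail? Reads `exim -Mvh` dumps.

# auth_summary: stdin = one or more concatenated `exim -Mvh` dumps.
# Prints "count auth_id client_ip" per distinct pair, busiest first.
# Messages with no auth_id (e.g. submitted locally by a web script)
# are reported as "- local".
auth_summary() {
    awk '
        function tally() {
            if (seen) n[(id == "" ? "-" : id) " " (ip == "" ? "local" : ip)]++
            seen = 0; id = ""; ip = ""
        }
        # Each dump starts with the spool file name: <message-id>-H
        /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+-H$/ { tally(); seen = 1; next }
        # The variable name may carry a doubled dash (--auth_id).
        $1 == "-auth_id" || $1 == "--auth_id" { id = $2 }
        $1 == "-host_address" || $1 == "--host_address" {
            ip = $2
            sub(/^\[/, "", ip)          # "[192.0.2.10]:40000" -> "192.0.2.10"
            sub(/\]:[0-9]+$/, "", ip)
        }
        END { tally(); for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample: two authenticated submissions and one local one.
sample_dumps() {
    cat <<'EOF'
1tKx00-000001-0A-H
Debian-exim 109 116
-host_address [192.0.2.10]:40000
-host_auth dovecot_login
-received_protocol esmtpsa
--auth_id user1@example.test
1tKx00-000002-0A-H
Debian-exim 109 116
-host_address [192.0.2.10]:40001
--auth_id user1@example.test
1tKx00-000003-0A-H
www-data 33 33
-ident www-data
-received_protocol local
EOF
}

# Live use (as root): feed every queued message's header dump to the summary.
#   exim -bp | awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ {print $3}' \
#     | while read -r id; do exim -Mvh "$id"; done | auth_summary
sample_dumps | auth_summary
```

A single account and remote IP dominating the output points to a compromised mailbox password; a large "- local" count points to a script on the server instead.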
Done, delete the queue and change the password for the mail sandra1
And would it also be advisable to suspend the service for them?
Now, keep checking the queue
I checked [email protected] and [email protected] and the queue is empty
It seems that the shipment has been stopped. Thank you again for your cooperation and goodwill, for those of us who know less. Thank you very much.