Hi all,
In the last week or so I've had two big spam runs being sent from my proxmox mail gateway - the logs all are like this:
Received: from [xx.xx.xx.xx] (port=42320 helo=pmg.l**********) by mailgate.******** with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.97.1) (envelope-from <support@christadelphiansatbath.org.uk>) id 1s2Yr7-0000000067c-1TW7 for varindermander1@gmail.com; Thu, 02 May 2024 17:00:21 +0100
Received: from pmg.*******k (localhost.localdomain [127.0.0.1]) by pmg.******** (Proxmox) with ESMTP id 679951823F6 for <varindermander1@gmail.com>; Thu, 2 May 2024 17:00:21 +0100 (BST)
To: varindermander1@gmail.com
Subject: Review Account
*details intentionally obscured!
PMG *only* has SMTP exposed to the internet - no ssh or login-capable interfaces.
So, unless the headers have been rewritten without me being able to detect it (those logs are from the SMTP module on my firewall - since disabled), I haven't got a clue how it's happening. It's obviously not coming from another VM on the network (otherwise there would be more entries in the headers).
Any ideas? The appliance is up to date as far as updates are concerned, and there are no other users logged into it (the only other people in the house are my wife and various cats and dogs, and none of them have the technical knowledge to do it, especially the dogs!). chkrootkit shows no rootkits present (not that that's hugely reliable against modern rootkits).
I really hope I don't have to migrate away from PMG as it's taken quite a bit of change for me to put it in (my firewall is quite old and what I'm moving to doesn't have an SMTP proxy so putting in PMG was my first step on that project).
Cheers,
Phil.
PS: Whatever is doing it is bypassing the Tracking Centre - none of the spam emails appear in there
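As an added example (not part of Phil's post and not PMG code), the following Python script walks a message's Received chain oldest-first and reports the hop at which the mail entered the gateway, which is the question the quoted headers raise: the bottom hop comes from localhost.localdomain [127.0.0.1] into the Proxmox postfix, not from a remote client. The header values below are constructed placeholders modelled on the quoted logs (example.org/example.net names, documentation IP ranges); the two message ids are the ones quoted in the post.

```python
import ipaddress
import re

# Constructed sample modelled on the headers quoted in the post; addresses and
# hostnames are placeholders, not the poster's real data.
SAMPLE_HEADERS = """\
Received: from [203.0.113.5] (port=42320 helo=pmg.example.org)
\tby mailgate.example.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
\t(Exim 4.97.1) (envelope-from <sender@example.net>) id 1s2Yr7-0000000067c-1TW7
\tfor recipient@example.com; Thu, 02 May 2024 17:00:21 +0100
Received: from pmg.example.org (localhost.localdomain [127.0.0.1])
\tby pmg.example.org (Proxmox) with ESMTP id 679951823F6
\tfor <recipient@example.com>; Thu, 2 May 2024 17:00:21 +0100 (BST)
To: recipient@example.com
Subject: Review Account
"""

# "from <name> (<comment>) ... by <name>"; the comment usually carries rDNS and [ip]
HOP_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> list[str]:
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_hops(raw: str) -> list[dict]:
    """Return the Received hops oldest-first; hops[0] is where the mail entered."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.match(line.split(":", 1)[1].strip())
        if not m:
            continue
        name, comment, by = m.group(1), m.group(2) or "", m.group(3)
        ip = IP_RE.search(name) or IP_RE.search(comment)
        hops.append({"from": name, "ip": ip.group(1) if ip else None, "by": by})
    hops.reverse()  # each MTA prepends its header, so the last one is the oldest
    return hops


def origin_is_local(raw: str) -> bool:
    """True when the earliest hop was submitted from a loopback address, i.e. the
    message was handed to the gateway by a process on the gateway host itself
    (or looped back to it) rather than by a remote SMTP client."""
    hops = received_hops(raw)
    if not hops or hops[0]["ip"] is None:
        return False
    return ipaddress.ip_address(hops[0]["ip"]).is_loopback
```

On the constructed sample the first hop is 127.0.0.1 into pmg.example.org, so `origin_is_local` returns True; a message accepted from a remote client on the SMTP port would show that client's address in the bottom hop instead.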