• mail sent from my computer to my server


    • This topic has 26 replies, 9 voices, and was last updated 4 years ago.
    #2360000

    I am finding emails being sent from my Windows computer to my server from an unknown source. This is causing my server's firewall to block my IP and I cannot access my server. These emails are sent out every 5 minutes. I can whitelist my IP with the firewall but when my IP changes we are back to being blocked.

    Does anyone have any idea of what could be sending mail every 5 minutes to my server?

     

    • #2360007

      Is the email addressed to you? Maybe a clue as to what may be sending if you read the email. Do you have any programs set up to send automated email such as backup software, accounting software etc?

      If not something you have set up I would suggest a very in-depth virus/malware scan as you may be compromised and/or your network may be compromised. Check router etc.

      • #2360012

        The emails are to an email address I have used in the past but not recently. I have deleted the domain name from my server and changed the DNS at my registrar to stop direction to my server. I have flushed the DNS on my Windows computer and waited a few days for the DNS to clear from the internet servers. I can’t read the email because the only thing I have is a rejection in my server's mail log file showing it came from my computer IP. When I change my IP via my VPN the logs show the new IP every 5 minutes.

        I don’t think my server IP will get blacklisted because it is not coming from my server. It is coming from my Windows computer to my server. I have just now downloaded Malwarebytes and will run a check with that. I have Norton as a firewall/Virus program.

         

         

    • #2360008

      BTW I would NOT whitelist the IP until you get it solved. You may get your server IP blacklisted and a real pain to clean up.

    • #2360011

      Viewing the email source / headers will allow you to see exactly where the emails are coming from. It is possible the IP address is being spoofed, but your email server should be testing for that and dropping the email.
      What is the email server?

      cheers, Paul

    • #2360014

      Thank you Paul,

      I don’t have any headers. All I have is my server log saying it was blocked and my IP is blacklisted on my server so I cannot reach my server unless I whitelist my Windows computer's IP.

      • #2360019

        What email program are you using?
        Do you have the same problem if you access/login your email server directly from the Internet using your browser?
        Is your IP being blocked/blacklisted by other websites you access?

        I would start by running several different malware removal programs – Malwarebytes Free, SuperAntiSpyware Free, any other of your choice, as well as a complete scan with your main A/V program.

        Are you using a VPN?
        VPNs are used to hide IP addresses, and because of this, they get used for nefarious reasons. When that happens, the Internet community blacklists the IP. The blacklisted IPs are then blocked by firewalls and anti-spam software. If you are using a VPN, try this:

        To find out what your IP address is, use whatsmyipaddress.com and click on “My IP” at the top.
        Copy that IP address into these websites to see the status of your IP address:

        StopForumSpam.com      CleanTalk.org     IPVoid.com

        1 user thanked author for this post.
      • #2360026

        What specific program is doing the blacklisting on your server?

        Susan Bradley Patch Lady/Prudent patcher

    • #2360017

      If all of the emails are to the same address and at regular intervals I would start thinking some automated program on your machine might be the issue. As an example we have antivirus programs set to email us issues on multiple machines. One machine had an old setting in it and when the a/v expired started sending emails every 30 minutes or so.

      1 user thanked author for this post.
    • #2360055

      Thanks to you all. I didn’t expect such a quick outpouring of help.

      I have been trying to figure this out for a few days. What cyberSAR said last is what I am thinking. Some program on my Windows computer is trying to send an email every 5 minutes. I have checked all my other computers using the same wifi and the problem stops when I disconnect my Windows laptop from the internet. What I need help with is how to find what is sending the email. The email address it is sending to is one that I rarely have used and now I have disabled it as I previously described so that there is no DNS pointing to my server for that domain name. If I could just whitelist my ISP issued IP once that would do it but they change it and then I get blocked again and so on…. I need to find what is sending it on my Windows laptop and how it knows to go to my server.

       

      • #2360067

        Whitelisting the IP may be convenient but doesn’t solve the issue. Check task scheduler and look through settings for programs installed on your machine. Maybe set the old address back up so you can receive the emails and you may get a clue as to what is doing it. From your description it doesn’t sound like malware sending spam. You’re probably getting your IP blocked due to sending limits or possibly a bad password/setting failing logon to your server. You can also go through your startup list and disable programs to help narrow it down.

        1 user thanked author for this post.
    • #2360064

      Maybe help, maybe not –
      Take a stroll through the Task Scheduler forest? Is there something triggered every 5 minutes?

      1 user thanked author for this post.
    • #2360075

      I only do the whitelist so I can function until I find the fix.  If I don’t whitelist I can’t access my server.

      It appears that something is trying to log in to the IMAP mailserver and cannot authenticate because there is no mail account with that name. I can’t create the mail account because I don’t know what password was used. I need to find out what is sending the attempt to log in and stop it on my computer.  As suggested I have checked the task scheduler and the startup programs but no luck yet. (Thanks!)

      These are the entries I get every 5 minutes in my server maillog:

      Apr 23 16:17:01 echo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<r@bara.us>, method=PLAIN, rip=xx.xxx.xx.xx, lip=xx.xxx.xx.xx, session=<p/D/UKrAIOQYDlX1>
      Apr 23 16:22:01 echo dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<r@bara.us>, method=PLAIN, rip=xxx.xxx.xx.xxx, lip=xx.xxx.xx.xxx, session=<65niYqrA0OYYDlX1>

       

      Is there some way to see what is being sent out over the internet from my computer?  Some kind of terminal SSH command?
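Added example, not part of the original posts: a server-side check over dovecot `imap-login` auth-failure lines in the format quoted above, grouping failures per user and testing whether they arrive at a fixed interval (the signature of a scheduled client rather than password guessing). The sample log, user names, addresses, the `year` default and the tolerance are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed[^)]*\): user=<(?P<user>[^>]*)>, "
    r"method=\w+, rip=(?P<rip>[^,\s]+)")

def _line(ts, user, rip):
    # Builds one constructed log line in the same layout as the quoted maillog.
    return (f"Apr 23 {ts} echo dovecot: imap-login: Disconnected (auth failed, "
            f"1 attempts in 2 secs): user=<{user}>, method=PLAIN, rip={rip}, "
            f"lip=203.0.113.10, session=<constructed>")

# Constructed sample: one client on a 5-minute timer whose source IP changes,
# and one irregular burst against a different account.
SAMPLE_LOG = "\n".join([
    _line("16:12:01", "old@example.test", "198.51.100.7"),
    _line("16:13:10", "guess@example.test", "192.0.2.50"),
    _line("16:13:12", "guess@example.test", "192.0.2.50"),
    _line("16:13:13", "guess@example.test", "192.0.2.50"),
    _line("16:17:01", "old@example.test", "198.51.100.7"),
    _line("16:22:02", "old@example.test", "198.51.100.99"),
    _line("16:27:01", "old@example.test", "198.51.100.99"),
    _line("16:40:00", "guess@example.test", "192.0.2.50"),
])

def periodic_failures(log_text, year=2021, tolerance=10, min_events=3):
    """Group failures by user (not by IP, which may change) and test the spacing."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["user"]].append((ts, m["rip"]))
    report = {}
    for user, hits in events.items():
        if len(hits) < min_events:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mid = median(gaps)
        report[user] = {
            "attempts": len(hits),
            "interval_s": mid,
            "periodic": all(abs(g - mid) <= tolerance for g in gaps),
            "source_ips": sorted({ip for _, ip in hits}),
        }
    return report
```

A user reported as periodic with several source IPs matches the pattern in this thread: the same login name retried on a timer while the client's address changes.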

    • #2360080

      Wireshark may help you see what’s going on.  https://www.wireshark.org/

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
      • #2360105

        Thanks Susan,  I have downloaded and will try to figure out how to use it.

         

    • #2360082

      Could it not be that someone has inducted Roger’s computer into a botnet without asking first?

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #2360103

      Another needle in the grass.

      In a Command Prompt: RESMON -or –
      Task Manager > (tab) Performance > Resource Monitor

      In Resmon:
      In tab Overview, see the Network panel -or-
      Tab Network.

      Perhaps you can spot something that flits in and out periodically.

    • #2360108

      Thanks all. I will be working on all your suggestions and let you know if I get it solved. Laying off until tomorrow.

    • #2360210

      I can’t see any such complaints about Outlook in those search results.

      Just a sample

      • #2360221

        I presume you didn’t click on any of those search results to see what they’re actually talking about?

    • #2360240

      I do not use Outlook.  I use Thunderbird. I have shut down Thunderbird and still get the emails.

       

      The problem continues.   Still trying to figure out Wireshark

      1 user thanked author for this post.
    • #2360336

      In Wireshark you need to monitor outgoing IMAP connections, but you already know it’s the laptop so this is of little value.

      I would use Resource Monitor to see what apps are using network bandwidth.
      In RM, TCP Connections, there is a Remote Port column. Look in there for port 143, or the IP of your mail server. Port 143 is the default IMAP port.

      cheers, Paul

      1 user thanked author for this post.
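Added example, not part of the original posts: a scripted version of the Resource Monitor check described above, parsing `netstat -ano` output for connections whose remote port is an IMAP port and polling so that a connection lasting only a couple of seconds is still caught. The sample output, addresses and PIDs are constructed; port 993 (IMAP over TLS) is an addition to the port 143 named in the post.

```python
import subprocess
import time

IMAP_PORTS = {143, 993}  # 143 is from the post; 993 (IMAP over TLS) is added here

# Constructed sample of `netstat -ano -p tcp` output (addresses and PIDs invented).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     198.51.100.23:443      ESTABLISHED     5120
  TCP    192.168.1.20:50412     203.0.113.10:143       SYN_SENT        4321
  TCP    192.168.1.20:50413     203.0.113.10:143       TIME_WAIT       0
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING       900
"""

def imap_clients(netstat_text, ports=IMAP_PORTS):
    """Return (remote_addr, state, pid) for TCP rows whose remote port is IMAP."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # skips headers and UDP rows
        _, _local, remote, state, pid = parts
        port = remote.rsplit(":", 1)[-1]  # rsplit also copes with [ipv6]:port
        if port.isdigit() and int(port) in ports:
            found.append((remote, state, int(pid)))
    return found

def watch(interval=1.0):
    """Poll netstat on Windows; print each new owning process once."""
    seen = set()
    while True:
        out = subprocess.run(["netstat", "-ano", "-p", "tcp"],
                             capture_output=True, text=True).stdout
        for remote, state, pid in imap_clients(out):
            if pid and pid not in seen:  # PID 0 rows are already-closed sockets
                seen.add(pid)
                name = subprocess.run(
                    ["tasklist", "/FI", f"PID eq {pid}", "/FO", "CSV", "/NH"],
                    capture_output=True, text=True).stdout.strip()
                print(time.strftime("%H:%M:%S"), remote, state, name)
        time.sleep(interval)

if __name__ == "__main__":
    watch()
```

Left running for longer than one 5-minute cycle, the watcher prints the image name of whatever process opens the IMAP connection.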
    • #2361488

      Just wanted to let everyone know.  The problem is solved.  By the process of elimination I shut down one by one programs that I always have running and found that a calendar, database program I have used for years was trying to check mail every 5 minutes.  Why it suddenly started this I don’t know.  The program is Chaos Intellect.  It has a part that will do email but I never really used it.  I apparently tried it and put in an old email address years ago but never used it and never had a problem until a few weeks ago.

      Anyway thanks to all that tried to help.  I really appreciate it!

      Roger

      1 user thanked author for this post.
      • #2361496

        Glad you got it figured out. I remember using Chaos software many years ago. I remember it as being very useful. Not sure why we stopped using it.

        1 user thanked author for this post.
        • #2361665

          I have been using it for a long time. Never completely happy with it but seems to fit my needs for a PIM. If you have any suggestions for something else I’d appreciate it.

          Thanks for all the help.   Glad to finally get this problem solved.
