We recently started to get tons of spam through our server:
I have changed all email passwords for the domain flamingoblinds.co.uk and banned the IP address trying to connect to IMAP, but it looks like it's still able to do it.
If I understand you correctly, the qscand user isn't the one logging in; that's the user the mailserver's antivirus system uses. So if you didn't change the passwords for the mailuser then they may still be logging in as that user.
As for blacklisting the IP, that's done via the kernel's firewalling system. What are your firewall rules?
According to the dumps in qmhandle he is logging in using info@flamingoblinds.co.uk?!?! There is no such mailuser, it's just an alias to a different user and I have changed all the passwords for that domain.
iptables rules here (long list, .cn, .br and .mx blocked):
I'm not seeing what I expect to see from your /usr/psa/var/log/maillog.
Assuming this user is sending via SMTP, there should be a "connect" entry and/or a "login" entry before any "from" entries. I'm not seeing either in your log extract.
Authenticated SMTP logs can also be found in /var/log/secure depending on your config.
Is romani-online your server? If not, then the header might be faked. The whole thing may be generated by a php or perl script. I'm also baffled as to why the bad guy is using a real domain on your server as the "from" address. I've not seen this done before (though I'm not saying it doesn't happen -- just saying I've not seen it done personally). Normally they use any old address.
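The check the reply above describes (an SMTP "login" entry should precede a "from" entry if the spammer is really authenticating, otherwise the mail is probably being injected locally by a script) can be scripted against maillog. The following is an added example, not code from anyone in this thread. It assumes two line shapes modelled on qmail/Plesk-style logging (an `smtp_auth: ... logged in from IP` line and a `qmail: ... info msg N: bytes B from <addr> qp Q uid U` line) and that the SMTP daemon queues mail under one known uid (the `smtpd_uid` parameter; 2020 is used below only as an assumed default). The sample log lines are constructed for the example. Adjust the two regexes to whatever your own maillog actually prints.

```python
import re
from collections import defaultdict

# Assumed line shapes (hypothetical, modelled on qmail/Plesk-style maillog output).
#   ... smtp_auth: SMTP user info@example.com : logged in from 203.0.113.5
#   ... qmail: 1700000000.123456 info msg 4242: bytes 1234 from <info@example.com> qp 5678 uid 2020
LOGIN_RE = re.compile(
    r"smtp_auth: SMTP user (?P<user>\S+) : logged in from (?P<ip>[\d.]+)"
)
FROM_RE = re.compile(
    r"qmail: (?P<ts>[\d.]+) info msg (?P<msg>\d+): bytes \d+ "
    r"from <(?P<sender>[^>]*)> qp \d+ uid (?P<uid>\d+)"
)


def classify_messages(lines, smtpd_uid=2020):
    """Return one record per queued message saying how it got into the queue.

    smtpd_uid is the uid the SMTP daemon queues mail as (assumed 2020 here;
    check /etc/passwd on the real box). A 'from' line with any other uid was
    queued by a local process, e.g. a PHP script calling sendmail, so no SMTP
    login will ever precede it. A 'from' line with the smtpd uid and no
    earlier SMTP AUTH for that sender is unauthenticated SMTP (open relay or
    spoofed envelope sender).
    """
    logins = defaultdict(list)  # sender address -> IPs that authenticated as it so far
    results = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            logins[m.group("user")].append(m.group("ip"))
            continue
        m = FROM_RE.search(line)
        if not m:
            continue  # "new msg", delivery lines, etc. are not needed here
        sender, uid = m.group("sender"), int(m.group("uid"))
        if uid != smtpd_uid:
            origin = "local-injection"
        elif logins.get(sender):
            origin = "smtp-authenticated"
        else:
            origin = "smtp-no-login"
        results.append({
            "msg": int(m.group("msg")),
            "sender": sender,
            "uid": uid,
            "origin": origin,
            "auth_ips": sorted(set(logins.get(sender, []))),
        })
    return results


# Constructed sample log (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 host smtp_auth: SMTP user info@flamingoblinds.co.uk : logged in from 198.51.100.7
Mar  3 10:00:02 host qmail: 1204538402.123456 new msg 4242
Mar  3 10:00:02 host qmail: 1204538402.234567 info msg 4242: bytes 2310 from <info@flamingoblinds.co.uk> qp 5678 uid 2020
Mar  3 10:05:10 host qmail: 1204538710.111111 info msg 4243: bytes 1800 from <info@flamingoblinds.co.uk> qp 5690 uid 48
Mar  3 10:07:33 host qmail: 1204538853.222222 info msg 4244: bytes 900 from <sales@example.net> qp 5701 uid 2020
"""


if __name__ == "__main__":
    for rec in classify_messages(SAMPLE_LOG.splitlines(), smtpd_uid=2020):
        print(f"msg {rec['msg']}: {rec['origin']} sender={rec['sender']} "
              f"uid={rec['uid']} auth_ips={rec['auth_ips']}")
```

In the sample, message 4242 follows an SMTP AUTH as the same address and is queued by the SMTP daemon, so it is the "authenticated user" case where changing the mailbox password and blocking the IP actually helps. Message 4243 carries a different uid (48, the usual web-server uid on Red Hat style systems) and so was handed to the queue by a local process: that is the "php or perl script" case, where no amount of password changing will stop it and you need to find the script. Message 4244 came through the daemon with no login at all. The login table is cumulative over the whole file because this log shape carries no session id, so treat the "authenticated" label as a lead to confirm against /var/log/secure rather than proof.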