Server emitting phishing spam that tries to steal access credentials, probably because a user's account password was compromised.
The problem started around Thu, 28 Oct 2021 23:30 UTC and was still ongoing on Sun, 31 Oct 2021.
The compromised machine appears to be 18.104.22.168, but the spam is delivered through 22.214.171.124.
mx1.librem.one. 300 IN A 126.96.36.199 (source is .89)
smtp.librem.one. 300 IN A 188.8.131.52
Received: from mx1.librem.one (HELO mx1.librem.one) (184.108.40.206)
by x (x) with (AES256-SHA encrypted) ESMTPS; Fri, 29 Oct 2021 xx:xx:xx +0000
Received: from smtp.librem.one (unknown [220.127.116.11])
by mx1.librem.one (Postfix) with ESMTPS id x;
Fri, 29 Oct 2021 xx:xx:xx -0700 (PDT)
Content-Type: multipart/alternative; boundary="===============x=="
Subject: Your mailbox quota is almost full.
To: Recipients <firstname.lastname@example.org>
From: Mail System Administrator <email@example.com>
Date: Fri, 29 Oct 2021 xx:xx:xx +0000
Your mailbox quota is almost full. Do this now in order to prevent your account from being blocked.
Click <A href="https://tearbelt.com/Dox/ge/1/">Login Here</A> to reduce size automatically, so that all pending mails can be delivered to you. Dear User
Current size Maximum size
Thanks, Mail System Administrator This notification was sent to you Unsubscribe now.
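The two addresses in the report above were read off the Received: headers: the innermost hop (smtp.*, logged by Postfix as "unknown [ip]" because the connecting IP had no valid reverse DNS) is the machine that submitted the mail, and the outermost hop is the relay that handed it to the recipient's MX. The script below is an added example, not part of the original report, that automates that reading. It parses the headers of a constructed sample message whose host names, IPs (documentation ranges), queue id and timestamps are placeholders mirroring the shape of the sample above, returns the hops in the order the mail actually travelled, and flags the missing-rDNS hop and any clock skew between the stamps.

```python
"""Trace the relay path of a suspicious message from its Received: headers."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample mirroring the header shape in the report above.
# Host names, addresses, queue id and times are placeholders, not the real ones.
SAMPLE_MESSAGE = """\
Received: from mx1.mailhost.example (HELO mx1.mailhost.example) (203.0.113.10)
 by mx.recipient.example (mx.recipient.example) with (AES256-SHA encrypted) ESMTPS;
 Fri, 29 Oct 2021 06:10:00 +0000
Received: from smtp.mailhost.example (unknown [198.51.100.25])
 by mx1.mailhost.example (Postfix) with ESMTPS id 4HgKq3;
 Thu, 28 Oct 2021 23:09:58 -0700 (PDT)
Subject: Your mailbox quota is almost full.
From: Mail System Administrator <admin@mailhost.example>
To: Recipients <victim@recipient.example>

Your mailbox quota is almost full.
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?P<info>.*?)\s+by\s+(?P<by>\S+)",
                    re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_hop(value):
    """Parse one Received: value into a dict; None if it has no from/by clause."""
    value = re.sub(r"\s+", " ", value).strip()
    m = HOP_RE.search(value)
    if not m:
        return None
    ip_match = IPV4_RE.search(m.group("info"))
    # The timestamp follows the last ';', minus any trailing "(PDT)" comment.
    stamp = re.sub(r"\s*\([^)]*\)\s*$", "", value.rsplit(";", 1)[-1].strip())
    try:
        when = parsedate_to_datetime(stamp)
    except (TypeError, ValueError):
        when = None
    return {
        "from_host": m.group("from"),
        "by_host": m.group("by"),
        "ip": ip_match.group(1) if ip_match else None,
        # Postfix writes "unknown [ip]" when the connecting IP has no valid rDNS.
        "rdns_unknown": "unknown [" in m.group("info"),
        "when": when,
    }


def trace_hops(raw_message):
    """Return hops in chronological order (submitting host first).

    Each MTA prepends its own Received: header, so the header listed first in
    the message is the last hop; reversing gives the order the mail travelled.
    """
    msg = message_from_string(raw_message)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h is not None]


def summarize(raw_message):
    """Pick out the two addresses an abuse report needs: origin and delivering relay."""
    hops = trace_hops(raw_message)
    if not hops:
        return None
    first, last = hops[0], hops[-1]
    skew = None
    if first["when"] and last["when"] and first["when"].tzinfo and last["when"].tzinfo:
        skew = int((last["when"] - first["when"]).total_seconds())
    return {
        "origin_ip": first["ip"],            # machine that submitted the mail
        "origin_rdns_unknown": first["rdns_unknown"],
        "delivering_ip": last["ip"],         # relay that handed it to our MX
        "delivering_host": last["from_host"],
        "transit_seconds": skew,             # negative means a forged or skewed stamp
    }


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE_MESSAGE):
        print(f"{hop['from_host']} [{hop['ip']}] -> {hop['by_host']} at {hop['when']}")
    print(summarize(SAMPLE_MESSAGE))
```

Only the hop written by your own MX (the outermost one) is trustworthy; every inner header could have been forged by the sender, so treat the origin IP as a lead for the relay's operator to confirm against their own logs rather than as proof.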