Julian Matz
asked on
Spam Problem
Hello!
I think someone is using my system to send mass spam e-mails.
My server logs look like this for the past day or two:
Apr 3 15:06:29 postfix/smtp[2549]: 168383693: to=<kjonested@aol.com>, relay=mailin-01.mx.aol.com[205.188.158.121], delay=141182, status=deferred (host mailin-01.mx.aol.com[205.188.158.121] said: 421-: (CON:B1) http://postmaster.info.aol.com/errors/421conb1.html 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr 3 15:08:56 postfix/smtp[4731]: 139EC398F: to=<bratzapattack@aol.com>, relay=mailin-04.mx.aol.com[64.12.138.89], delay=48233, status=deferred (host mailin-04.mx.aol.com[64.12.138.89] said: 421-: (CON:B1) http://postmaster.info.aol.com/errors/421conb1.html 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
And there are hundreds if not thousands of these entries...
How can I find out where this is happening? What userid etc. My server has a number of virtual hosts so I've found it difficult to pinpoint the problem. I've been able to identify one perl script that was being abused to send spam and I've already disabled it but it's still happening somewhere else from my server...
Thanks for your help! It would be greatly appreciated!
I have Debian Linux, Postfix and Procmail. My guess is that there's an unsafe php or perl script being abused...
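The question asks how to find which local user the deferred mail is coming from. Postfix records the submitting uid in its pickup log lines, and the queue id in those lines matches the queue id in the later smtp delivery lines, so the two can be joined. The following is an added example, not code from the thread: the two smtp lines are the ones from the question (with the extraction spacing in the IP addresses repaired), while the pickup lines, the uid values (33 is assumed to be the web server user, 1001 an ordinary shell user), the third message and the hostless log prefix are constructed for illustration.

```python
"""Join Postfix pickup lines (which carry the submitting uid) with smtp
delivery lines (which carry the delivery status) by queue id, then rank
local uids by how much of their mail is being deferred.
Added example; the log sample below is constructed except for the two
smtp lines taken from the question."""
import re
from collections import Counter, defaultdict

# Constructed sample log.  The pickup lines are invented (uid 33 is assumed
# to be the web server account); the first two smtp lines are from the question.
SAMPLE_LOG = """\
Apr 3 15:04:00 postfix/pickup[1201]: 168383693: uid=33 from=<www-data>
Apr 3 15:04:00 postfix/pickup[1201]: 139EC398F: uid=33 from=<www-data>
Apr 3 15:04:05 postfix/pickup[1201]: 7A1B2C3D4: uid=1001 from=<julian>
Apr 3 15:06:29 postfix/smtp[2549]: 168383693: to=<kjonested@aol.com>, relay=mailin-01.mx.aol.com[205.188.158.121], delay=141182, status=deferred (host mailin-01.mx.aol.com[205.188.158.121] said: 421-: (CON:B1) http://postmaster.info.aol.com/errors/421conb1.html 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr 3 15:08:56 postfix/smtp[4731]: 139EC398F: to=<bratzapattack@aol.com>, relay=mailin-04.mx.aol.com[64.12.138.89], delay=48233, status=deferred (host mailin-04.mx.aol.com[64.12.138.89] said: 421-: (CON:B1) http://postmaster.info.aol.com/errors/421conb1.html 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr 3 15:09:10 postfix/smtp[4732]: 7A1B2C3D4: to=<friend@example.net>, relay=mx.example.net[192.0.2.10], delay=2, status=sent (250 OK)
"""

# pickup logs "QUEUEID: uid=N from=<sender>" for mail submitted locally (sendmail/PHP mail()).
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
# smtp logs the delivery attempt for the same queue id.
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"relay=(?P<relay>\S+), delay=(?P<delay>[\d.]+), status=(?P<status>\w+)")


def correlate(log_text):
    """Return {uid: {'from': sender, 'total': n, 'deferred': n, 'relays': Counter}}.

    Deliveries whose pickup line is missing (mail that arrived via SMTP rather
    than local submission) are filed under uid None."""
    submitter = {}  # queue id -> (uid, envelope sender)
    stats = defaultdict(lambda: {"from": None, "total": 0, "deferred": 0, "relays": Counter()})
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            submitter[m["qid"]] = (int(m["uid"]), m["from"])
            continue
        m = SMTP_RE.search(line)
        if m:
            uid, sender = submitter.get(m["qid"], (None, None))
            s = stats[uid]
            s["from"] = sender
            s["total"] += 1
            if m["status"] == "deferred":
                s["deferred"] += 1
            # strip the "[ip]" suffix so all MXs of one domain group together
            s["relays"][m["relay"].split("[")[0]] += 1
    return dict(stats)


def suspicious_uids(stats, min_total=2, deferred_ratio=0.5):
    """Uids whose delivery volume is at least min_total and whose deferred
    share is at least deferred_ratio, most deferrals first."""
    hits = [uid for uid, s in stats.items()
            if uid is not None and s["total"] >= min_total
            and s["deferred"] / s["total"] >= deferred_ratio]
    return sorted(hits, key=lambda u: stats[u]["deferred"], reverse=True)


if __name__ == "__main__":
    stats = correlate(SAMPLE_LOG)
    for uid in suspicious_uids(stats):
        s = stats[uid]
        print(f"uid {uid} (from=<{s['from']}>): {s['deferred']}/{s['total']} deferred, "
              f"relays={dict(s['relays'])}")
```

On a real host the input would be /var/log/mail.log; a uid that belongs to the web server (rather than to a person) pointing at thousands of deferrals is the signal that a web script, not a mail user, is the source, which narrows the search to the virtual hosts that run as that uid.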
ASKER CERTIFIED SOLUTION
Hi,
In the postfix config file "main.cf" you can set what networks are allowed to send emails
from your mail server:
Here is a snip from the main.cf file:
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
SOLUTION
ASKER
Hi xDamox,
Thank you for your input. I appreciate it, but I don't really understand how your suggestion would help in my situation...
Hi Cyclops3590,
Yes, you're right, it could very well happen again. I do give my hosting clients a lot of 'freedom' and flexibility so it would just take one insecure script, so your input is very valuable also!! Thanks!
My master.cf line looks like this:
smtp inet n - - - - smtpd
Just to be sure... is this what I should change it to?
smtp inet n - - - - smtpd -v -v
-J.
SOLUTION
ASKER
That's brilliant!! I never even thought of that! Of course there were so many e-mails that the system could not cope so they ended up in the queue. Too many e-mails were being bounced:
postfix/bounce[13350]: fatal: lock file defer 1DF8D35BC: Resource temporarily unavailable
postsuper deleted 1255 messages so I expect that should be the end of that :)
Thanks a lot for your help! I greatly appreciate it!
-Julian.
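The final post deletes 1255 queued messages with postsuper. Before doing that it is worth knowing what is actually in the queue, because the listing from `postqueue -p` (or `mailq`) shows each message's envelope sender and deferral reason, so the spam can be removed by queue id while legitimate mail stays. The following is an added example, not code from the thread: it parses a listing in mailq's column format and groups it by sender. The listing itself is constructed for illustration (the aol.com relays and recipients echo the question; the senders, sizes and the third message are invented).

```python
"""Summarize a Postfix queue listing (output of `postqueue -p` / `mailq`)
by envelope sender and collect the queue ids of one sender, suitable for
feeding to `postsuper -d -` (which reads queue ids from stdin).
Added example; the listing below is constructed."""
import re
from collections import Counter

# Constructed sample in mailq's format.  A trailing "*" after a queue id
# marks a message in the active queue, "!" one that is on hold.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
168383693     2342 Thu Apr  3 15:06:29  www-data@example.com
          (host mailin-01.mx.aol.com[205.188.158.121] said: 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
                                         kjonested@aol.com

139EC398F     2311 Thu Apr  3 15:08:56  www-data@example.com
          (host mailin-04.mx.aol.com[64.12.138.89] said: 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
                                         bratzapattack@aol.com

7A1B2C3D4*    1802 Thu Apr  3 15:09:10  julian@example.com
                                         friend@example.net

-- 6 Kbytes in 3 Requests.
"""

# First line of each entry: queue id, optional state flag, size, arrival time, sender.
HEADER_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<when>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$")


def parse_mailq(text):
    """Return a list of entries: qid, active, size, sender, reason, recipients."""
    entries = []
    cur = None
    for line in text.splitlines():
        # column header and "-- N Kbytes in M Requests." trailer both start with "-"
        if line.startswith("-") or not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = {"qid": m["qid"], "active": m["flag"] == "*", "size": int(m["size"]),
                   "sender": m["sender"], "reason": None, "recipients": []}
            entries.append(cur)
        elif cur is not None:
            body = line.strip()
            if body.startswith("("):
                cur["reason"] = body.strip("()")  # last delivery error, if any
            else:
                cur["recipients"].append(body)
    return entries


def per_sender(entries):
    """How many queued messages each envelope sender has."""
    return Counter(e["sender"] for e in entries)


def queue_ids_for(entries, sender):
    """Queue ids of one sender, one per line for `postsuper -d -`."""
    return [e["qid"] for e in entries if e["sender"] == sender]


if __name__ == "__main__":
    entries = parse_mailq(SAMPLE_MAILQ)
    for sender, n in per_sender(entries).most_common():
        print(f"{n:6d}  {sender}")
    # e.g. print("\n".join(queue_ids_for(entries, "www-data@example.com")))
    # and pipe that into: postsuper -d -
```

A sender that dominates the queue and whose messages all carry the same deferral reason is the bulk to remove; deleting by queue id rather than with `postsuper -d ALL` keeps the handful of legitimate messages that were stuck behind the spam.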