Spam Problem

Posted on 2006-04-03
Last Modified: 2012-06-21

I think someone is using my system to send mass spam e-mails.

My server logs look like this for the past day or two:

Apr  3 15:06:29 postfix/smtp[2549]: 168383693: to=<>,[], delay=141182, status=deferred (host[] said: 421-:  (CON:B1) 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr  3 15:08:56 postfix/smtp[4731]: 139EC398F: to=<>,[], delay=48233, status=deferred (host[] said: 421-:  (CON:B1) 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))

And there are hundreds if not thousands of these entries...

How can I find out where this is happening? What userid etc. My server has a number of virtual hosts so I've found it difficult to pinpoint the problem. I've been able to identify one perl script that was being abused to send spam and I've already disabled it but it's still happening somewhere else from my server...

Thanks for your help! It would be greatly appreciated!

I have Debian Linux, Postfix and Procmail. My guess is that there's an unsafe php or perl script being abused...
Question by:Julian Matz
    LVL 12

    Accepted Solution

    delete all the mails from the queue to see if the messages are still suck in there..

    postsuper -d ALL

    (note that ALL must be in captial letters)

    perhaps you indeed caught it with the perl script, but the existing mails are still stuck in the queue.

    LVL 21

    Author Comment

    by:Julian Matz
    Hi Heem14,

    That's brilliant!! I never even thought of that! Of course there were so many e-mails that the system could not cope so they ended up in the queue. Too many e-mails were being bounced:
    postfix/bounce[13350]: fatal: lock file defer 1DF8D35BC: Resource temporarily unavailable

    postsuper deleted 1255 messages so I expect that should be the end of that :)

    Thanks a lot for your help! I greatly appreciate it!

    LVL 16

    Expert Comment


    In the postfix config file "" you can set what networks are allowed to send emails
    from your mail server:

    Here is a snip from the file:

    # Specify "mynetworks_style = host" when Postfix should "trust"
    # only the local machine.
    #mynetworks_style = class
    #mynetworks_style = subnet
    #mynetworks_style = host

    # Alternatively, you can specify the mynetworks list by hand, in
    # which case Postfix ignores the mynetworks_style setting.
    # Specify an explicit list of network/netmask patterns, where the
    # mask specifies the number of bits in the network part of a host
    # address.
    # You can also specify the absolute pathname of a pattern file instead
    # of listing the patterns here. Specify type:table for table-based lookups
    # (the value on the table right-hand side is not used).
    #mynetworks =,
    #mynetworks = $config_directory/mynetworks
    #mynetworks = hash:/etc/postfix/network_table

    LVL 25

    Assisted Solution

    Personally I'd error on the side of caution and believe this would happen again.  I'd recommend turning on super verbose logging for about one week.

    There should be and smtp inet line in the config file (usually the first uncommented line) at the end of that line add "-v -v" to the smtpd
    This will record pretty much everything happening involving smtp communication on the server.  So if this happens again you should be able to see exactly the email address the offender is using, the IP they are using, size of email, time span between attempts, etc.

    Thru this you should have a better understanding of how it is happening and what your next step should be.
    LVL 21

    Author Comment

    by:Julian Matz
    Hi xDamox,
    Thank you for your input. I appreciate it, but I don't really understand how your suggestion would help in my situation...

    Hi Cyclops3590,
    Yes, you're right, it could very well happen again. I do give my hosting clients a lot of 'freedom' and flexibility so it would just take one insecure script, so your input is very valuable also!! Thanks!

    My line looks like this:
    smtp      inet  n       -       -       -       -       smtpd

    Just to be sure... This is what I should change it to: ?
    smtp      inet  n       -       -       -       -       smtpd -v -v

    LVL 25

    Assisted Solution

    yup that is the line I was talking about.  However, you want to keep in mind that this will increase the amount being logged by a LOT!!!
    So I would check the size of your mail log file before you make the switch and watch it carefully for the first day or two.  If it gets out of control too quickly then I'd turn it off.  We don't want to fill the partition holding your logs by accident or syslog will shut down and you'll have a bigger problem on your hands because you'll need to delete saved historical logs to free up some space to restart syslog.  I accidentally did that on my server because I forgot to shut it off after I was done needing it.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Why You Should Analyze Threat Actor TTPs

    After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

    How many times have you wanted to quickly do the same thing to a list but found yourself typing it again and again? I first figured out a small time saver with the up arrow to recall the last command but that can only get you so far if you have a bi…
    It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
    Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
    Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    9 Experts available now in Live!

    Get 1:1 Help Now