Spam Problem

Hello!

I think someone is using my system to send mass spam e-mails.

My server logs look like this for the past day or two:

Apr  3 15:06:29 postfix/smtp[2549]: 168383693: to=<kjonested@aol.com>, relay=mailin-01.mx.aol.com[205.188.158.121], delay=141182, status=deferred (host mailin-01.mx.aol.com[205.188.158.121] said: 421-:  (CON:B1)  http://postmaster.info.aol.com/errors/421conb1.html 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr  3 15:08:56 postfix/smtp[4731]: 139EC398F: to=<bratzapattack@aol.com>, relay=mailin-04.mx.aol.com[64.12.138.89], delay=48233, status=deferred (host mailin-04.mx.aol.com[64.12.138.89] said: 421-:  (CON:B1)  http://postmaster.info.aol.com/errors/421conb1.html 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))

And there are hundreds if not thousands of these entries...

How can I find out where this is happening? What userid etc. My server has a number of virtual hosts so I've found it difficult to pinpoint the problem. I've been able to identify one perl script that was being abused to send spam and I've already disabled it but it's still happening somewhere else from my server...

Thanks for your help! It would be greatly appreciated!

I have Debian Linux, Postfix and Procmail. My guess is that there's an unsafe php or perl script being abused...
Julian M. (Web Developer) Asked:
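An added example, not part of the original thread, that does what the question asks: Postfix's pickup lines record the uid of the local account that handed a message to sendmail(1), and the smtp lines record each delivery attempt, so joining the two on the queue ID attributes deferred mail to a system user such as the web server's. The log lines below are constructed; uids, user names, hosts and addresses are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix mail.log sample (not from the original thread).
# pickup lines carry the submitting uid; smtp lines carry the delivery
# status; the queue ID (the token after the daemon name) links them.
SAMPLE_LOG = """\
Apr  3 14:10:01 postfix/pickup[1201]: 168383693: uid=33 from=<www-data>
Apr  3 15:06:29 postfix/smtp[2549]: 168383693: to=<user1@example.net>, relay=mx.example.net[192.0.2.10], delay=141182, status=deferred (host mx.example.net[192.0.2.10] said: 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr  3 15:06:30 postfix/smtp[2549]: 168383693: to=<user4@example.net>, relay=mx.example.net[192.0.2.10], delay=141183, status=deferred (host mx.example.net[192.0.2.10] said: 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr  3 14:12:40 postfix/pickup[1201]: 139EC398F: uid=1005 from=<client5>
Apr  3 15:08:56 postfix/smtp[4731]: 139EC398F: to=<user2@example.net>, relay=mx.example.net[192.0.2.10], delay=48233, status=deferred (host mx.example.net[192.0.2.10] said: 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr  3 14:13:02 postfix/pickup[1201]: 2A7F0C1E: uid=33 from=<www-data>
Apr  3 15:09:10 postfix/smtp[4732]: 2A7F0C1E: to=<user3@example.org>, relay=mx.example.org[198.51.100.7], delay=3, status=sent (250 OK)
Apr  3 15:10:00 postfix/smtpd[5000]: connect from unknown[203.0.113.9]
Apr  3 15:11:00 postfix/smtp[4733]: 7B91D2AA: to=<user5@example.org>, relay=mx.example.org[198.51.100.7], delay=60, status=deferred (host mx.example.org[198.51.100.7] said: 421 try later (in reply to end of DATA command))
"""

LINE_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)")
PICKUP_RE = re.compile(r"uid=(\d+) from=<([^>]*)>")
STATUS_RE = re.compile(r"status=(\w+)")

def correlate(log_text):
    """Map each queue ID to its submitting (uid, sender) and its delivery statuses."""
    submitters = {}                # queue_id -> (uid, sender) from pickup
    statuses = defaultdict(list)   # queue_id -> [status, ...] from smtp
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue               # e.g. smtpd "connect from" lines have no queue ID
        daemon, qid, rest = m.groups()
        if daemon == "pickup":
            p = PICKUP_RE.search(rest)
            if p:
                submitters[qid] = (int(p.group(1)), p.group(2))
        elif daemon == "smtp":
            s = STATUS_RE.search(rest)
            if s:
                statuses[qid].append(s.group(1))
    return submitters, statuses

def deferred_by_uid(log_text):
    """Count deferred deliveries per (uid, sender); mail with no pickup line (arrived via SMTP) is (None, '?')."""
    submitters, statuses = correlate(log_text)
    counts = Counter()
    for qid, sts in statuses.items():
        uid, sender = submitters.get(qid, (None, "?"))
        counts[(uid, sender)] += sum(1 for st in sts if st == "deferred")
    return counts
```

Run it over the real /var/log/mail.log: the uid with the most deferred deliveries is the account to inspect, and uid 33 (www-data on Debian) points at a web script rather than a mail user.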

Heem14 Commented:
Delete all the mails from the queue to see if the messages are still stuck in there:

postsuper -d ALL

(note that ALL must be in capital letters)

Perhaps you indeed caught it with the perl script, but the existing mails are still stuck in the queue.

0

Julian M. (Web Developer, Author) Commented:
Hi Heem14,

That's brilliant!! I never even thought of that! Of course there were so many e-mails that the system could not cope so they ended up in the queue. Too many e-mails were being bounced:
postfix/bounce[13350]: fatal: lock file defer 1DF8D35BC: Resource temporarily unavailable


postsuper deleted 1255 messages so I expect that should be the end of that :)

Thanks a lot for your help! I greatly appreciate it!

-Julian.
0
xDamox Commented:
Hi,

In the postfix config file "main.cf" you can set what networks are allowed to send emails
from your mail server:


Here is a snip from the main.cf file:


# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table

0
Cyclops3590 Commented:
Personally I'd err on the side of caution and believe this would happen again.  I'd recommend turning on super verbose logging for about one week.

There should be an smtp inet line in the master.cf config file (usually the first uncommented line); at the end of that line add "-v -v" to the smtpd.
This will record pretty much everything happening involving smtp communication on the server.  So if this happens again you should be able to see exactly the email address the offender is using, the IP they are using, size of email, time span between attempts, etc.

Through this you should have a better understanding of how it is happening and what your next step should be.
0
Julian M. (Web Developer, Author) Commented:
Hi xDamox,
Thank you for your input. I appreciate it, but I don't really understand how your suggestion would help in my situation...


Hi Cyclops3590,
Yes, you're right, it could very well happen again. I do give my hosting clients a lot of 'freedom' and flexibility so it would just take one insecure script, so your input is very valuable also!! Thanks!

My master.cf line looks like this:
smtp      inet  n       -       -       -       -       smtpd

Just to be sure... this is what I should change it to?
smtp      inet  n       -       -       -       -       smtpd -v -v


-J.
0
Cyclops3590 Commented:
Yup, that is the line I was talking about.  However, you want to keep in mind that this will increase the amount being logged by a LOT!!!
So I would check the size of your mail log file before you make the switch and watch it carefully for the first day or two.  If it gets out of control too quickly then I'd turn it off.  We don't want to fill the partition holding your logs by accident or syslog will shut down and you'll have a bigger problem on your hands because you'll need to delete saved historical logs to free up some space to restart syslog.  I accidentally did that on my server because I forgot to shut it off after I was done needing it.
0