Julian Matz asked:
Spam Problem

Hello!

I think someone is using my system to send mass spam e-mails.

My server logs look like this for the past day or two:

Apr  3 15:06:29 postfix/smtp[2549]: 168383693: to=<kjonested@aol.com>, relay=mailin-01.mx.aol.com[205.188.158.121], delay=141182, status=deferred (host mailin-01.mx.aol.com[205.188.158.121] said: 421-:  (CON:B1)  http://postmaster.info.aol.com/errors/421conb1.html 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr  3 15:08:56 postfix/smtp[4731]: 139EC398F: to=<bratzapattack@aol.com>, relay=mailin-04.mx.aol.com[64.12.138.89], delay=48233, status=deferred (host mailin-04.mx.aol.com[64.12.138.89] said: 421-:  (CON:B1)  http://postmaster.info.aol.com/errors/421conb1.html 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))

And there are hundreds if not thousands of these entries...

How can I find out where this is happening? What userid, etc.? My server has a number of virtual hosts, so I've found it difficult to pinpoint the problem. I've been able to identify one Perl script that was being abused to send spam and I've already disabled it, but it's still happening somewhere else from my server...

Thanks for your help! It would be greatly appreciated!

I have Debian Linux, Postfix and Procmail. My guess is that there's an unsafe PHP or Perl script being abused...
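One way to answer the "what userid" question from the logs alone is to correlate Postfix log lines on the queue ID: the pickup daemon logs the uid of every message handed in locally through sendmail(1), qmgr logs the envelope sender, and smtp logs the per-recipient result (the status=deferred lines quoted above). The script below is an added example for this thread, not code from the original post or from Postfix. Its sample log is constructed in the format of the lines quoted in the question; the pickup and qmgr lines, the uid values (33 is www-data on Debian, 1002 stands for a hypothetical shell user) and the host names are assumptions.

```python
"""Find which local uid / envelope sender is behind a burst of deferred mail
by correlating Postfix log lines on the queue ID.

Added example for this thread, not code from the original post or from
Postfix. The sample log below is constructed: it follows the format of the
lines quoted in the question (timestamp, postfix/<daemon>[pid]: <queue id>: ...),
and the pickup/qmgr lines, uid values and host names are assumptions.
"""
import re
from collections import Counter, defaultdict

# One regex for every Postfix line. The optional "\S+ " tolerates the syslog
# hostname that most installations put between the timestamp and "postfix/",
# which the lines in the question do not have.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?:\S+ )?"
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# pickup logs the uid of a message handed in through sendmail(1)/maildrop;
# qmgr logs the envelope sender; smtp logs the per-recipient delivery status.
UID_RE = re.compile(r"\buid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
FROM_RE = re.compile(r"^from=<(?P<from>[^>]*)>, size=\d+, nrcpt=\d+")
STATUS_RE = re.compile(r"\bstatus=(?P<status>\w+)")
TO_RE = re.compile(r"\bto=<(?P<to>[^>]*)>")

# Constructed sample: two messages submitted by uid 33 (www-data) that AOL
# deferred, and one legitimate message from a shell user that was delivered.
SAMPLE_LOG = """\
Apr  3 15:06:20 postfix/pickup[1201]: 168383693: uid=33 from=<www-data>
Apr  3 15:06:20 postfix/qmgr[1203]: 168383693: from=<www-data@host.example>, size=2311, nrcpt=1 (queue active)
Apr  3 15:06:29 postfix/smtp[2549]: 168383693: to=<kjonested@aol.com>, relay=mailin-01.mx.aol.com[205.188.158.121], delay=141182, status=deferred (host mailin-01.mx.aol.com[205.188.158.121] said: 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr  3 15:08:40 postfix/pickup[1201]: 139EC398F: uid=33 from=<www-data>
Apr  3 15:08:40 postfix/qmgr[1203]: 139EC398F: from=<www-data@host.example>, size=2290, nrcpt=1 (queue active)
Apr  3 15:08:56 postfix/smtp[4731]: 139EC398F: to=<bratzapattack@aol.com>, relay=mailin-04.mx.aol.com[64.12.138.89], delay=48233, status=deferred (host mailin-04.mx.aol.com[64.12.138.89] said: 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
Apr  3 15:09:02 postfix/pickup[1201]: 2A1C4B77E: uid=1002 from=<julian>
Apr  3 15:09:02 postfix/qmgr[1203]: 2A1C4B77E: from=<julian@host.example>, size=1820, nrcpt=1 (queue active)
Apr  3 15:09:03 postfix/smtp[4733]: 2A1C4B77E: to=<friend@example.net>, relay=mx.example.net[192.0.2.25], delay=1, status=sent (250 OK)
"""


def new_record():
    return {"uid": None, "from": None, "rcpts": [], "deferred": 0, "sent": 0, "bounced": 0}


def parse_log(text):
    """Group log lines by queue ID and pull out uid, sender, recipients and status counts."""
    msgs = defaultdict(new_record)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec, daemon, rest = msgs[m["qid"]], m["daemon"], m["rest"]
        if daemon == "pickup":
            u = UID_RE.search(rest)
            if u:
                rec["uid"] = int(u["uid"])
                rec["from"] = rec["from"] or u["from"]
        elif daemon == "qmgr":
            f = FROM_RE.match(rest)
            if f:
                rec["from"] = f["from"]  # envelope sender beats the bare pickup name
        elif daemon == "smtp":
            t = TO_RE.search(rest)
            if t:
                rec["rcpts"].append(t["to"])
            s = STATUS_RE.search(rest)
            if s and s["status"] in ("deferred", "sent", "bounced"):
                rec[s["status"]] += 1
    return dict(msgs)


def deferred_by_uid(msgs):
    """Messages with at least one deferred delivery, counted per submitting uid.
    Mail that came in over SMTP has no pickup line and lands under uid None."""
    counts = Counter()
    for rec in msgs.values():
        if rec["deferred"]:
            counts[rec["uid"]] += 1
    return dict(counts)


def suspicious_uids(msgs, threshold=2):
    """uids whose deferred-message count reaches the threshold."""
    return sorted((uid for uid, n in deferred_by_uid(msgs).items() if n >= threshold), key=str)


def recipient_domains(msgs):
    """Deliveries per recipient domain; a spam run clusters on a few big providers."""
    counts = Counter()
    for rec in msgs.values():
        for rcpt in rec["rcpts"]:
            counts[rcpt.rsplit("@", 1)[-1].lower()] += 1
    return dict(counts)


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for uid, n in sorted(deferred_by_uid(msgs).items(), key=lambda kv: -kv[1]):
        print(f"uid={uid}: {n} deferred message(s)")
    print("suspicious uids:", suspicious_uids(msgs))
    print("recipient domains:", recipient_domains(msgs))
```

On a live box, feed it the real log with parse_log(open("/var/log/mail.log").read()). A uid such as 33 points at the web server, i.e. a PHP or Perl script on one of the virtual hosts; a uid of a hosting customer points at that account; messages that show up under None never passed through pickup, so they arrived over SMTP (an open relay or a stolen password) rather than from a local script.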
ASKER CERTIFIED SOLUTION
Heem14:

(This solution is only available to members.)
Julian Matz (ASKER):

Hi Heem14,

That's brilliant!! I never even thought of that! Of course there were so many e-mails that the system could not cope, so they ended up in the queue. Too many e-mails were being bounced:
postfix/bounce[13350]: fatal: lock file defer 1DF8D35BC: Resource temporarily unavailable

postsuper deleted 1255 messages so I expect that should be the end of that :)

Thanks a lot for your help! I greatly appreciate it!

-Julian.
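Clearing the queue works, but a blanket postsuper -d ALL also removes legitimate mail that happens to be deferred for unrelated reasons. The script below is an added example for this thread, not code from the original post or from Postfix: it parses the listing that postqueue -p (or mailq) prints, groups queued messages by envelope sender so the abused account stands out, and emits that sender's queue IDs one per line, which is the form postsuper -d - reads on standard input. The queue listing is constructed; the senders and host names are assumptions.

```python
"""Triage the Postfix queue before deleting from it.

Added example for this thread, not code from the original post or from
Postfix. It parses the listing that `postqueue -p` (or `mailq`) prints,
groups queued messages by envelope sender, and emits one sender's queue IDs
one per line, which is the form `postsuper -d -` reads on standard input.
The listing below is constructed; senders and host names are assumptions.
"""
import re
from collections import defaultdict

# Entry line: queue ID, optional status flag (* = active, ! = on hold, none =
# deferred/incoming), size, arrival time, envelope sender. Recipient lines are
# indented; a deferral reason appears in parentheses on its own line.
ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)$"
)

# Constructed sample listing: two messages from the web server user (one of
# them active), one legitimate message from a shell user.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
168383693*    2311 Thu Apr  3 15:06:20  www-data@host.example
                                         kjonested@aol.com

139EC398F     2290 Thu Apr  3 15:08:40  www-data@host.example
(host mailin-04.mx.aol.com[64.12.138.89] said: 421 SERVICE NOT AVAILABLE (in reply to end of DATA command))
                                         bratzapattack@aol.com

2A1C4B77E     1820 Thu Apr  3 15:09:02  julian@host.example
                                         friend@example.net

-- 6 Kbytes in 3 Requests.
"""


def parse_mailq(text):
    """Return one dict per queued message: qid, flag, size, arrival, sender, recipients, reason."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue  # blank separators, the header row and the "-- N Kbytes" trailer
        m = ENTRY_RE.match(line)
        if m:
            cur = {"qid": m["qid"], "flag": m["flag"], "size": int(m["size"]),
                   "arrival": m["arrival"], "sender": m["sender"],
                   "recipients": [], "reason": None}
            entries.append(cur)
        elif cur is None:
            continue  # continuation line before any entry; nothing to attach it to
        elif line.startswith("("):
            cur["reason"] = line.strip()[1:-1]
        else:
            cur["recipients"].append(line.strip())
    return entries


def by_sender(entries):
    """Queue IDs grouped by envelope sender, so the noisy sender stands out."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["sender"]].append(e["qid"])
    return dict(groups)


def ids_to_delete(entries, sender, include_active=False):
    """Queue IDs of `sender`'s messages. Messages marked active ('*') are in the
    hands of a delivery agent right now; by default they are left for a second
    pass rather than deleted mid-delivery (a design choice, not a postsuper rule)."""
    return [e["qid"] for e in entries
            if e["sender"] == sender and (include_active or e["flag"] != "*")]


if __name__ == "__main__":
    entries = parse_mailq(SAMPLE_MAILQ)
    for sender, qids in sorted(by_sender(entries).items(), key=lambda kv: -len(kv[1])):
        print(f"{len(qids):5d}  {sender}")
    # Pipe this output into: postsuper -d -
    print("\n".join(ids_to_delete(entries, "www-data@host.example")))
```

Against a live queue, call parse_mailq on the output of postqueue -p and pipe the printed IDs into postsuper -d -. Note that Postfix queue IDs can be reused once a message leaves the queue, so the list should be generated and consumed in the same pass, not saved for later.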
xDamox:

Hi,

In the Postfix config file "main.cf" you can set which networks are allowed to send e-mails from your mail server. Here is a snippet from the main.cf file:

# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table

SOLUTION

(This solution is only available to members.)
Julian Matz (ASKER):

Hi xDamox,
Thank you for your input. I appreciate it, but I don't really understand how your suggestion would help in my situation...

Hi Cyclops3590,
Yes, you're right, it could very well happen again. I do give my hosting clients a lot of 'freedom' and flexibility, so it would just take one insecure script, so your input is very valuable also!! Thanks!

My master.cf line looks like this:
smtp      inet  n       -       -       -       -       smtpd

Just to be sure... this is what I should change it to?
smtp      inet  n       -       -       -       -       smtpd -v -v

-J.
SOLUTION

(This solution is only available to members.)