ashwanijain
asked on
Postfix Compromised ?
HI
I found that my mail server has been listed with due to some issue. According to them my mail server is sending out emails with a blank "from" address. If I check my server logs, I find the following relevant logs. Does it mean my server has been compromised, or is it some other issue?
Mar 30 04:11:32 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 04:11:32 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=60107, delays=60107/0.04/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 05:18:26 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 05:18:26 mail postfix/smtp[21181]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=64121, delays=64121/0.28/0.14/0, dsn=4.4.1, status=deferred (connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 06:25:11 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 06:25:12 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=68126, delays=68126/0.14/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 07:31:56 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 07:31:56 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=72131, delays=72131/0.03/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 08:38:37 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 08:38:37 mail postfix/smtp[26449]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=76132, delays=76132/0/0.04/0, dsn=4.4.1, status=deferred (connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 09:45:18 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 09:45:18 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=80133, delays=80133/0.05/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 10:52:17 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Thanks
Ashwani Jain
ASKER
HI
These emails seem to be generated from my own mail server with the to address "spamblocker-challenge@bounce.earthlink.net".
Please post the email header.
ASKER
Please suggest how to get the email header?
If you use sendmail, it should be in /var/spool/mqueue.
ASKER
HI
I am using Postfix, and these logs are from yesterday's log; these mails do not exist in mailq as of now.
ASKER CERTIFIED SOLUTION
Go to the mail queue, check for "93DFA29D7DA" and move it somewhere else for further diagnosis.
You need to get the full mail (header portion) to see where the mail is coming from (source IP).
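As an added example (not code from the thread), the following Python script does what the question's logs and the accepted answer together call for: it parses Postfix qmgr/smtp log lines like the ones posted, groups them by queue ID, flags messages whose envelope sender is the null address from=<> (the sender that bounces and other automatic notifications are required to use) and are still deferred, and returns the standard postsuper/postcat commands to hold and read such a message. The sample log is constructed: the first message mirrors the one in the question, the second (queue ID, addresses, relay) is made up to show a normal delivery.

```python
import re
from collections import defaultdict

# Constructed sample: the asker's deferred null-sender message plus one normal
# delivery (queue ID, addresses and relay for the second message are made up).
SAMPLE_LOG = """\
Mar 30 04:11:32 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 04:11:32 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=60107, delays=60107/0.04/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 05:18:26 mail postfix/smtp[21181]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=64121, delays=64121/0.28/0.14/0, dsn=4.4.1, status=deferred (connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 05:20:00 mail postfix/qmgr[18169]: 1A2B3C4D5E6: from=<alice@example.com>, size=1200, nrcpt=1 (queue active)
Mar 30 05:20:01 mail postfix/smtp[21182]: 1A2B3C4D5E6: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# qmgr logs the envelope sender once per queue ID; from=<> is the null sender
# that bounces and other automatic notifications must use (RFC 5321).
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")
# Delivery attempts (qmgr, smtp, local, ...) carry recipient, DSN code and status.
DELIVERY = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>.*?"
                      r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$")

def summarize(log_text):
    """Group log lines by queue ID: sender, recipient, attempt count, last status."""
    msgs = defaultdict(lambda: {"sender": None, "null_sender": False, "attempts": 0,
                                "rcpt": None, "last_status": None, "last_dsn": None, "reason": None})
    for line in log_text.splitlines():
        if m := QMGR_FROM.search(line):
            rec = msgs[m["qid"]]
            rec["sender"], rec["null_sender"] = m["sender"], m["sender"] == ""
        elif m := DELIVERY.search(line):
            rec = msgs[m["qid"]]
            rec["attempts"] += 1
            rec.update(rcpt=m["rcpt"], last_status=m["status"], last_dsn=m["dsn"], reason=m["reason"])
    return dict(msgs)

def deferred_bounces(summary):
    """Null-sender messages still deferred: many of these, all failing, is backscatter seen from the log side."""
    return sorted(q for q, r in summary.items() if r["null_sender"] and r["last_status"] == "deferred")

def inspect_commands(qid):
    """Standard Postfix commands (returned, not run): hold the message, then print its queue file with headers."""
    return [f"postsuper -h {qid}", f"postcat -q {qid}"]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for qid in deferred_bounces(s):
        r = s[qid]
        print(f"{qid}: null sender, {r['attempts']} attempts to {r['rcpt']}, dsn {r['last_dsn']}: {r['reason']}")
        print("  inspect with:", " && ".join(inspect_commands(qid)))
```

Run it against the real mail log with `summarize(open("/var/log/mail.log").read())`; a message that has already aged out of the queue, as the asker's had, can only be traced from the log, so the commands apply to the next one that appears.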