ashwanijain (India) asked:

Postfix Compromised?

Hi

I found that my mail server has been listed with    due to some issue. According to them, my mail server is sending out emails with a blank "from" address. If I check my server logs, I find the following relevant logs. Does it mean my server has been compromised, or is it some other issue?

Mar 30 04:11:32 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 04:11:32 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=60107, delays=60107/0.04/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 05:18:26 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 05:18:26 mail postfix/smtp[21181]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=64121, delays=64121/0.28/0.14/0, dsn=4.4.1, status=deferred (connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 06:25:11 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 06:25:12 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=68126, delays=68126/0.14/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 07:31:56 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 07:31:56 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=72131, delays=72131/0.03/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 08:38:37 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 08:38:37 mail postfix/smtp[26449]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=76132, delays=76132/0/0.04/0, dsn=4.4.1, status=deferred (connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 09:45:18 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 09:45:18 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=80133, delays=80133/0.05/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 10:52:17 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)


Thanks
Ashwani Jain
wesly_chen (United States of America) replied:

It seems that those messages indicate only one mail stuck in the queue and being re-sent.
Go to the mail queue, check for "93DFA29D7DA" and move it somewhere else for further diagnosis.

You need to get the full mail (header portion) to see where the mail is coming from (source IP).
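A defender's first question with logs like the ones in the post is not "is from=<> bad?" (from=<> is the null envelope sender that every bounce, i.e. non-delivery notification, carries) but "how many distinct null-sender messages are there, and which original message did each one bounce from?". The following is an added example for this thread, not code from the original post: it groups Postfix log lines by queue ID, separates null-sender messages from ordinary mail, counts how often each was retried, and links a bounce to its original through the "sender non-delivery notification" line that Postfix's bounce daemon logs. The sample input is six of the lines quoted in the question plus one constructed postfix/bounce line for a hypothetical original queue ID 1A2B3C4D5E6.

```python
"""Triage Postfix mail-log lines for null-sender (from=<>) traffic.

Added example for this thread, not code from the original post.  It groups
the log by queue ID, separates bounces (null envelope sender) from ordinary
mail, counts retries per message, and links a bounce back to the message
that triggered it via Postfix's "sender non-delivery notification" line.
"""
import re
from collections import defaultdict

# Sample input: six of the lines quoted in the question, plus one constructed
# postfix/bounce line for a hypothetical original message 1A2B3C4D5E6 so the
# bounce-to-original link can be shown.  Real logs live in /var/log/maillog
# or /var/log/mail.log depending on the distribution.
SAMPLE_LOG = """\
Mar 29 11:29:45 mail postfix/bounce[19876]: 1A2B3C4D5E6: sender non-delivery notification: 93DFA29D7DA
Mar 30 04:11:32 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 04:11:32 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=60107, delays=60107/0.04/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 05:18:26 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 05:18:26 mail postfix/smtp[21181]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=64121, delays=64121/0.28/0.14/0, dsn=4.4.1, status=deferred (connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
Mar 30 06:25:11 mail postfix/qmgr[18169]: 93DFA29D7DA: from=<>, size=4899, nrcpt=1 (queue active)
Mar 30 06:25:12 mail postfix/qmgr[18169]: 93DFA29D7DA: to=<spamblocker-challenge@bounce.earthlink.net>, relay=none, delay=68126, delays=68126/0.14/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bounce.mail.pas.earthlink.net[207.217.120.71]: Connection refused)
"""

# "postfix/PROGRAM[pid]: QUEUEID: rest" is the shape of every per-message line.
LINE_RE = re.compile(r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
TO_RE = re.compile(r"^to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
                   r"status=(?P<status>\w+) \((?P<reason>.*)\)$")
BOUNCE_RE = re.compile(r"^sender (?:non-delivery|delivery status) notification: "
                       r"(?P<bounce_qid>[0-9A-Za-z]+)")


def parse_log(text):
    """Return {queue_id: record} built from Postfix mail-log lines."""
    records = defaultdict(lambda: {"sender": None, "size": None, "activations": 0,
                                   "deliveries": [], "bounce_of": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # connect/disconnect and other lines without a queue ID
        qid, rest = m.group("qid"), m.group("rest")
        if (f := FROM_RE.match(rest)):
            rec = records[qid]
            rec["sender"] = f.group("sender")  # "" is the null sender <>
            rec["size"] = int(f.group("size"))
            rec["activations"] += 1           # one per "(queue active)" line
        elif (t := TO_RE.match(rest)):
            records[qid]["deliveries"].append({
                "program": m.group("prog"), "recipient": t.group("rcpt"),
                "relay": t.group("relay"), "dsn": t.group("dsn"),
                "status": t.group("status"), "reason": t.group("reason"),
            })
        elif (b := BOUNCE_RE.match(rest)):
            # qid is the original message; the bounce has its own queue ID
            records[b.group("bounce_qid")]["bounce_of"] = qid
    return dict(records)


def summarize(records):
    """One row per queue ID, null-sender (bounce) messages listed first."""
    rows = []
    for qid, rec in records.items():
        deliveries = rec["deliveries"]
        rows.append({
            "queue_id": qid,
            "null_sender": rec["sender"] == "",
            "bounce_of": rec["bounce_of"],
            "activations": rec["activations"],
            "deferred": sum(1 for d in deliveries if d["status"] == "deferred"),
            "recipients": sorted({d["recipient"] for d in deliveries}),
            "last_reason": deliveries[-1]["reason"] if deliveries else None,
        })
    rows.sort(key=lambda r: (not r["null_sender"], r["queue_id"]))
    return rows


def assess(rows):
    """Tell one stuck bounce apart from a stream of distinct null-sender messages."""
    null_rows = [r for r in rows if r["null_sender"]]
    recipients = {rcpt for r in null_rows for rcpt in r["recipients"]}
    return {
        "null_sender_messages": len(null_rows),
        "distinct_recipients": len(recipients),
        "verdict": ("single bounce stuck in the queue" if len(null_rows) <= 1
                    else "multiple null-sender messages: inspect their originals"),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    rows = summarize(parse_log(text))
    for row in rows:
        print(row)
    print(assess(rows))
```

Run against the real log (`python3 triage.py /var/log/maillog`) the verdict distinguishes the situation wesly_chen describes, a single queue ID retried every hour or so, from an ongoing stream of distinct null-sender messages to many recipients, which is what a blocklist operator usually means by "sending with a blank from address". In either case the `bounce_of` field names the queue ID to grep for next, since that original message's own log lines record the client that submitted it.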
ashwanijain (asker):
Hi

These emails seem to be generated from my own mail server, with the to address "spamblocker-challenge@bounce.earthlink.net".

Reply:
Please post the email header.

ashwanijain (asker):
Please suggest how to get the email header?

Reply:
If you use sendmail, it should be in /var/spool/mqueue.

ashwanijain (asker):
Hi

I am using postfix and these logs are from yesterday's log; these mails do not exist in mailq as of now.
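Once the raw message is in hand, the header portion wesly_chen asks for is read from the Received headers, and for a bounce the interesting ones are not the bounce's own but those of the original message, which Postfix attaches as a message/rfc822 part. The following is an added example, not from this thread: it parses a bounce with Python's standard email module, lists every Received hop of the outer message and of the embedded original, and reports the earliest hop of the original, which is the client that handed the mail to the server. The sample bounce is constructed; the hostnames, queue IDs and the 203.0.113.45 client address are placeholders.

```python
"""Walk the Received chain of a bounce to find where the original came from.

Added example for this thread, not from the original post.  A bounce
(null-sender message) carries the message that caused it as a
message/rfc822 part; the Received headers of that embedded original,
read from the bottom up, show which host handed the mail to our server.
"""
import re
from email import message_from_string

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

# Constructed sample bounce.  Hostnames, queue IDs and the 203.0.113.45
# client address are placeholders; the shape (multipart/report with the
# original attached as message/rfc822) is what a Postfix bounce looks like.
SAMPLE_BOUNCE = """\
Received: by mail.example.net (Postfix)
  id 93DFA29D7DA; Thu, 29 Mar 2012 11:29:45 +0530 (IST)
From: MAILER-DAEMON@mail.example.net (Mail Delivery System)
To: spamblocker-challenge@bounce.earthlink.net
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mail.example.net.
--B1
Content-Type: message/rfc822

Received: from mail.example.net (localhost [127.0.0.1])
  by mail.example.net (Postfix) with ESMTP id 1A2B3C4D5E6
  for <user@example.net>; Thu, 29 Mar 2012 11:29:40 +0530 (IST)
Received: from unknown (HELO earthlink.net) ([203.0.113.45])
  by mail.example.net with SMTP; Thu, 29 Mar 2012 11:29:38 +0530 (IST)
From: spamblocker-challenge@bounce.earthlink.net
To: user@example.net
Subject: Please confirm your message

(original body)
--B1--
"""


def _hops(msg, scope):
    """Received headers of one message, newest first, with host and IP pulled out."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        host = FROM_RE.match(text)
        ip = IP_RE.search(text)
        hops.append({"scope": scope,
                     "from": host.group(1) if host else None,
                     "ip": ip.group(1) if ip else None,
                     "header": text})
    return hops


def received_chain(raw):
    """All Received hops: the bounce's own first, then those of any embedded original."""
    msg = message_from_string(raw)
    chain = _hops(msg, "outer")
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()[0]       # the attached original message
            chain.extend(_hops(inner, "embedded"))
    return chain


def origin(raw):
    """Earliest hop of the embedded original (or of the message itself).

    For a bounce this is the client that delivered the original to us, i.e. the
    source IP wesly_chen refers to; None if no Received header is present."""
    chain = received_chain(raw)
    hops = [h for h in chain if h["scope"] == "embedded"] or chain
    return hops[-1] if hops else None


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOUNCE
    for hop in received_chain(raw):
        print(hop["scope"], hop["from"], hop["ip"])
    print("origin:", origin(raw))
```

On Postfix the raw message comes from the queue rather than from sendmail's /var/spool/mqueue: `postqueue -p` lists queued messages with their queue IDs, `postcat -q 93DFA29D7DA` prints a queued message including its headers, and `postsuper -h 93DFA29D7DA` moves it to the hold queue so it stops being retried while it is examined. Once a message has left the queue, as in the asker's case, only the log lines keyed by its queue ID remain, so the next copy of such a bounce should be held and saved before it is delivered or expires.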
ASKER CERTIFIED SOLUTION
David Beveridge (Australia)