OPTIONS="-4" in /etc/sysconfig/named

Posted on 2013-06-26
Last Modified: 2013-06-26
I'm having some issues with spam overwhelming my server.

I contacted my hosting company. After looking over things, they sent me a message saying:

-------------
I set OPTIONS="-4" in /etc/sysconfig/named and restarted named service.
------------

and that they would be monitoring the logs.

What does setting OPTIONS="-4" in named do?

Chris
Question by:St_Aug_Beach_Bum
11 Comments
Accepted Solution

by:
Jan Springer earned 2000 total points
ID: 39278992
It tells named to run in IPv4 only (no IPv6).

And which doesn't have a darn thing to do with spam.

Are you running an MTA?
Author Comment

by:St_Aug_Beach_Bum
ID: 39279035
Yes, postfix.

Hmmm, I'm monitoring the logs and nothing has changed, but you suspected that :)

I'm getting thousands of what look like fake 'to' email addresses in maillog. My server passes all the 'relay check' tests I can find, so I don't think this is a relay issue... not positive though.

I don't know if these 'to' addresses have bcc addresses that are going to users on my server, or if one of my users has a virus on their desktop and is sending these out unknowingly. I don't know enough about reading these to understand - but it would appear we are sending these out.

Here's an example:

(my-ip-was-here) 26 17:51:59 julia postfix/smtp[11660]: 2E38C8C09D: host mx00.gmx.net[213.165.67.114] refused to talk to me: 421-gmx.net (mxgmx006) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=216.119.158.65
(my-ip-was-here) 26 17:51:59 julia postfix/smtp[11486]: 1D21866B04: host mta5.am0.yahoodns.net[66.196.118.36] refused to talk to me: 421 4.7.0 [TS01] Messages from 216.119.158.65 temporarily deferred - 4.16.55.1; see http://postmaster.yahoo.com/errors/421-ts01.html
(my-ip-was-here) 26 17:51:59 julia postfix/error[11571]: 2D5F5D4A69: to=<carlosmay17@yahoo.com>, relay=none, delay=118080, delays=118080/0.05/0/0.04, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.138.112.37] refused to talk to me: 421 4.7.0 [TS01] Messages from 216.119.158.65 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
(my-ip-was-here) 26 17:51:59 julia postfix/qmgr[11330]: 40C7416F5C5: from=<>, size=4164, nrcpt=1 (queue active)
(my-ip-was-here) 26 17:51:59 julia postfix/error[11571]: 2D5F5D4A69: to=<okinyisikinisamuel@yahoo.com>, relay=none, delay=118080, delays=118080/0.05/0/0.08, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.138.112.37] refused to talk to me: 421 4.7.0 [TS01] Messages from 216.119.158.65 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
(my-ip-was-here) 26 17:51:59 julia postfix/qmgr[11330]: 9B4C51FEF8C: removed
(my-ip-was-here) 26 17:51:59 julia postfix/error[11571]: 2D5F5D4A69: to=<t.bean252@yahoo.com>, relay=none, delay=118080, delays=118080/0.05/0/0.1, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.138.112.37] refused to talk to me: 421 4.7.0 [TS01] Messages from 216.119.158.65 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
(my-ip-was-here) 26 17:51:59 julia postfix/error[11529]: 1347776C2B: to=<geauxk@yahoo.com>, relay=none, delay=132611, delays=132610/0.11/0/0.05, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.138.112.37] refused to talk to me: 421 4.7.0 [TS01] Messages from 216.119.158.65 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
(my-ip-was-here) 26 17:51:59 julia postfix/qmgr[11330]: 1518D379BD: from=<tami@mysite.org>, size=685, nrcpt=9 (queue active)
(my-ip-was-here) 26 17:51:59 julia postfix/qmgr[11330]: 259C1110392: from=<tami@mysite.org>, size=805, nrcpt=4 (queue active)
(my-ip-was-here) 26 17:51:59 julia postfix/error[11570]: 2E47A8714B: to=<blake.cuny@yahoo.com>, relay=none, delay=129357, delays=129356/0.07/0/1.2, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.138.112.37] refused to talk to me: 421 4.7.0 [TS01] Messages from 216.119.158.65 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
(my-ip-was-here) 26 17:51:59 julia postfix/error[11570]: 2E47A8714B: to=<k8steveog0817@yahoo.com>, relay=none, delay=129357, delays=129356/0.07/0/1.2, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta5.am0.yahoodns.net[98.138.112.37] refused to talk to me: 421 4.7.0 [TS01] Messages from 216.119.158.65 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
(my-ip-was-here) 26 17:51:59 julia postfix/error[11392]: 40C7416F5C5: to=<piju@mysite.org>, relay=none, delay=8020, delays=8020/0.14/0/0.05, dsn=5.0.0, status=bounced (User unknown in virtual alias table)
(my-ip-was-here) 26 17:51:59 julia postfix/qmgr[11330]: 1F25FB3D50: from=<myvet@mysite.org>, size=660, nrcpt=9 (queue active)
(my-ip-was-here) 26 17:51:59 julia postfix/smtp[11486]: 1D21866B04: host mta5.am0.yahoodns.net[63.250.192.45] refused to talk to me: 421 4.7.0 [TS01] Messages from 216.119.158.65 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html


Author Comment

by:St_Aug_Beach_Bum
ID: 39279038
(mysite.org) being where our domain name was.

Expert Comment

by:Jan Springer
ID: 39279074
So, two ways to lock down smtp relaying:  by IP/subnet and SMTP AUTH.  Are you doing one or both?

If by IP, a customer has to be infected.  If by auth, then someone's credentials are compromised (and are probably also infected).

If you go through your maillog for yesterday, you should be able to see a pattern of who is sending a lot of email or who is sending from multiple foreign addresses.
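One way to do the maillog pass Jan describes, as an added example that is not part of this thread: tally recipients per authenticated sender and note how many distinct client IPs each account authenticated from. The qmgr lines follow the shape of the ones posted above; the smtpd SASL lines, IPs and thresholds are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog excerpt (not from the original post). The qmgr lines
# mirror the shape of the posted ones; the smtpd lines are the SASL authentication
# records Postfix writes when a client submits mail. IPs are documentation ranges.
SAMPLE_LOG = """\
Jun 26 17:50:01 julia postfix/smtpd[11200]: 1518D379BD: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=tami@mysite.org
Jun 26 17:50:02 julia postfix/qmgr[11330]: 1518D379BD: from=<tami@mysite.org>, size=685, nrcpt=9 (queue active)
Jun 26 17:50:10 julia postfix/smtpd[11201]: 259C1110392: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=tami@mysite.org
Jun 26 17:50:11 julia postfix/qmgr[11330]: 259C1110392: from=<tami@mysite.org>, size=805, nrcpt=4 (queue active)
Jun 26 17:50:30 julia postfix/smtpd[11202]: 1F25FB3D50: client=unknown[192.0.2.9], sasl_method=LOGIN, sasl_username=tami@mysite.org
Jun 26 17:50:31 julia postfix/qmgr[11330]: 1F25FB3D50: from=<tami@mysite.org>, size=660, nrcpt=9 (queue active)
Jun 26 17:51:00 julia postfix/smtpd[11203]: 9B4C51FEF8C: client=office.example[203.0.113.20], sasl_method=LOGIN, sasl_username=myvet@mysite.org
Jun 26 17:51:01 julia postfix/qmgr[11330]: 9B4C51FEF8C: from=<myvet@mysite.org>, size=2048, nrcpt=1 (queue active)
Jun 26 17:51:59 julia postfix/qmgr[11330]: 40C7416F5C5: from=<>, size=4164, nrcpt=1 (queue active)
"""

# smtpd line: queue id, client IP in brackets, and the SASL user that authenticated
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)")
# qmgr line: queue id, envelope sender and recipient count for that message
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def summarize(log_text):
    """Return (recipients per SASL user, set of client IPs per SASL user)."""
    qid_user = {}            # queue id -> authenticated user that injected it
    ips = defaultdict(set)   # user -> client IPs seen authenticating
    rcpts = Counter()        # user -> total recipients queued
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            qid_user[m["qid"]] = m["user"]
            ips[m["user"]].add(m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m:
            # Attribute recipients to whoever authenticated this queue id; mail with no
            # SASL record (bounces, from=<>, local submission) is counted separately.
            user = qid_user.get(m["qid"], "(unauthenticated)")
            rcpts[user] += int(m["nrcpt"])
    return rcpts, ips

def suspicious_users(log_text, max_rcpts=20, max_ips=2):
    """Accounts that sent to more recipients, or from more IPs, than the (assumed) thresholds."""
    rcpts, ips = summarize(log_text)
    return sorted(u for u in rcpts if u != "(unauthenticated)"
                  and (rcpts[u] > max_rcpts or len(ips[u]) > max_ips))
```

On a real box, feed it `/var/log/maillog` for the day in question and tune the thresholds to normal volume; an account authenticating from many unrelated IPs is the usual sign of stolen credentials rather than a compromised server.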

Author Comment

by:St_Aug_Beach_Bum
ID: 39279315
SMTP AUTH.

I do have one particular user sending mail - but I deleted that user account from the server, and still it's showing in the log that she's sending........  odd.

Expert Comment

by:Jan Springer
ID: 39279360
You need to stop Postfix, kill all the connections and restart it.

Author Comment

by:St_Aug_Beach_Bum
ID: 39279384
Ok, I did restart postfix and even rebooted the server. Would that have killed all the connections, or could something have persisted? It seems like that would have killed it.

The hosting company is running a maldet scan on it now...

Author Comment

by:St_Aug_Beach_Bum
ID: 39279395
(and in the meantime, I'm setting up a new server)

Expert Comment

by:Jan Springer
ID: 39279422
I see compromised credentials get used to send spam on a regular basis.  It doesn't mean that your server is compromised (unless your accounts have shell access -- that can be a game changer), it just means that a user has a compromised machine.

If Postfix is like Sendmail in that any existing connections get pushed to PID 1 on a restart, then that won't do any good.  A reboot, on the other hand, will take care of any existing open channels.

Author Comment

by:St_Aug_Beach_Bum
ID: 39279463
Ok, thank you. They don't have shell access, just email. I don't even host any websites on the server, we just use it for email.

So after the reboot, that should have killed all connections, if I understand you correctly.

I'll let them finish the scan and see what that does, I don't want to try another reboot while they are running the scan, and I'm setting up a vps as a backup just in case they find something and I have to move users to another - hopefully leaving any issues behind.

Thank you, it has been great to have someone to staff this with a bit -

Chris

Author Closing Comment

by:St_Aug_Beach_Bum
ID: 39279465
Thank you for the original answer and ongoing help!