Chris Andrews
asked on
OPTIONS="-4" in /etc/sysconfig/named
I'm having some issues with spam overwhelming my server.
I contacted my hosting company. After looking over things, they sent me a message saying:
-------------
I set OPTIONS="-4" in /etc/sysconfig/named and restarted named service.
------------
and that they would be monitoring the logs.
What does setting OPTIONS="-4" in named do?
Chris
ASKER CERTIFIED SOLUTION
ASKER
(mysite.org) being where our domain name was.
So, two ways to lock down smtp relaying: by IP/subnet and SMTP AUTH. Are you doing one or both?
If by IP, a customer has to be infected. If by auth, then someone's credentials are compromised (and are probably also infected).
If you go through your maillog for yesterday, you should be able to see a pattern of who is sending a lot of email or who is sending from multiple foreign addresses.
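The maillog review suggested above, as an added example that is not part of the original thread: a small Python script that joins Postfix smtpd "client=" lines (which carry sasl_username for authenticated submissions) with the matching qmgr "from=" lines by queue ID, then totals messages, recipients and distinct client IPs per SASL account. An account submitting from several unrelated IPs, or pushing far more recipients than its peers, is the "compromised credentials" pattern described above. The log lines, queue IDs, hosts, IPs, usernames and the thresholds in suspicious_users() are all constructed for illustration; real logs also contain cleanup/smtp/local lines that this script simply ignores.

```python
"""Spot spam-sending SASL accounts in a Postfix maillog.

Added example, not code from the original thread. Parses only the
smtpd 'client=' and qmgr 'from=' line formats; everything else is skipped.
"""
import re
import sys
from collections import defaultdict

# Constructed sample log: queue IDs, hosts, IPs and usernames are made up.
SAMPLE_MAILLOG = """\
Jun  3 08:01:12 mail postfix/smtpd[2101]: 3A1F2C0011: client=dsl-pool.example.net[203.0.113.10], sasl_method=LOGIN, sasl_username=jane@mysite.org
Jun  3 08:01:12 mail postfix/qmgr[1980]: 3A1F2C0011: from=<jane@mysite.org>, size=2140, nrcpt=1 (queue active)
Jun  3 08:02:40 mail postfix/smtpd[2102]: 3A1F2C0012: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=jane@mysite.org
Jun  3 08:02:40 mail postfix/qmgr[1980]: 3A1F2C0012: from=<jane@mysite.org>, size=980, nrcpt=50 (queue active)
Jun  3 08:03:05 mail postfix/smtpd[2103]: 3A1F2C0013: client=unknown[198.51.100.8], sasl_method=PLAIN, sasl_username=jane@mysite.org
Jun  3 08:03:05 mail postfix/qmgr[1980]: 3A1F2C0013: from=<jane@mysite.org>, size=1010, nrcpt=50 (queue active)
Jun  3 08:03:50 mail postfix/smtpd[2104]: 3A1F2C0014: client=unknown[192.0.2.33], sasl_method=LOGIN, sasl_username=jane@mysite.org
Jun  3 08:03:50 mail postfix/qmgr[1980]: 3A1F2C0014: from=<jane@mysite.org>, size=1002, nrcpt=50 (queue active)
Jun  3 08:10:00 mail postfix/smtpd[2105]: 3A1F2C0015: client=office.mysite.org[203.0.113.20], sasl_method=LOGIN, sasl_username=bob@mysite.org
Jun  3 08:10:00 mail postfix/qmgr[1980]: 3A1F2C0015: from=<bob@mysite.org>, size=5400, nrcpt=2 (queue active)
Jun  3 08:11:30 mail postfix/smtpd[2106]: 3A1F2C0016: client=mx.partner.example[203.0.113.40]
Jun  3 08:11:30 mail postfix/qmgr[1980]: 3A1F2C0016: from=<news@partner.example>, size=8800, nrcpt=1 (queue active)
"""

# smtpd logs the connecting client and, for authenticated sessions, the SASL user.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?"
)
# qmgr logs the envelope sender and the recipient count for the same queue ID.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_maillog(text):
    """Return {queue_id: record} with client IP, SASL user, sender and nrcpt joined."""
    msgs = {}
    for line in text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            rec = msgs.setdefault(m["qid"], {})
            rec.update(ip=m["ip"], user=m["user"])  # user is None when unauthenticated
            continue
        m = QMGR_RE.search(line)
        if m:
            rec = msgs.setdefault(m["qid"], {})
            rec.update(sender=m["sender"], nrcpt=int(m["nrcpt"]))
    return msgs


def summarize_by_user(msgs):
    """Aggregate authenticated submissions per SASL username."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set()})
    for rec in msgs.values():
        user = rec.get("user")
        if not user:
            continue  # inbound or unauthenticated: not an abused-account candidate
        s = stats[user]
        s["messages"] += 1
        s["recipients"] += rec.get("nrcpt", 0)
        s["ips"].add(rec["ip"])
    return dict(stats)


def suspicious_users(stats, max_ips=2, max_recipients=100):
    """Flag accounts submitting from many distinct client IPs or to many recipients.

    The thresholds are illustrative assumptions; tune them to the site's normal load.
    """
    return sorted(
        u for u, s in stats.items()
        if len(s["ips"]) > max_ips or s["recipients"] > max_recipients
    )


if __name__ == "__main__":
    # Usage: python maillog_check.py [/var/log/maillog]; defaults to the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    stats = summarize_by_user(parse_maillog(text))
    for user, s in sorted(stats.items()):
        print(f"{user}: {s['messages']} msgs, {s['recipients']} rcpts, {len(s['ips'])} client IPs")
    print("suspicious:", suspicious_users(stats))
```

On the sample, jane@mysite.org is flagged: four submissions from four unrelated IPs and 151 recipients, while bob@mysite.org sends twice from the office address and the unauthenticated inbound message from partner.example is ignored. Keying on sasl_username rather than the From: address matters because a spammer with stolen credentials can put any sender they like in the envelope, which is also why a deleted account can still appear in the log until the open sessions that authenticated as it are gone.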
ASKER
SMTP AUTH.
I do have one particular user sending mail, but I deleted that user account from the server, and still it's showing in the log that she's sending... odd.
You need to stop Postfix, kill all the connections and restart it.
ASKER
Ok, I did restart postfix, even rebooted the server, would that have killed all the connections or could something have persisted, seems like that would have killed it.
The hosting company is running a maldet scan on it now...
ASKER
(and in the meantime, I'm setting up a new server)
I see compromised credentials get used to send spam on a regular basis. It doesn't mean that your server is compromised (unless your accounts have shell access -- that can be a game changer), it just means that a user has a compromised machine.
If Postfix is like Sendmail in that any existing connections get pushed to PID 1 on a restart, then that won't do any good. A reboot, on the other hand, will take care of any existing open channels.
ASKER
Ok, thank you. They don't have shell access, just email. I don't even host any websites on the server, we just use it for email.
So after the reboot, that should have killed all connections, if I understand you correctly.
I'll let them finish the scan and see what that does. I don't want to try another reboot while they are running the scan, and I'm setting up a VPS as a backup just in case they find something and I have to move users to another, hopefully leaving any issues behind.
Thank you, it has been great to have someone to staff this with a bit -
Chris
ASKER
Thank you for the original answer and ongoing help!
ASKER
Hmmm, I'm monitoring the logs and nothing has changed, but you suspected that :)
I'm getting thousands of what look like fake 'to' email addresses in maillog. My server passes all the 'relay check' tests I can find, so I don't think this is a relay issue... not positive though.
I don't know if these 'to' addresses have bcc addresses that are going to users on my server, or if one of my users has a virus on their desktop and is sending these out unknowingly. I don't know enough about reading these to understand, but it would appear we are sending these out.
Here's an example: