Solved

Linux (centos) server overwhelmed by spam mail, what's going on here (logs)?

Posted on 2015-01-23
713 Views
Last Modified: 2015-02-13
My server is receiving (sending?) tons of spam per minute. Server load is up around 40.

A lot of these are "to", does that mean my server is sending these out? I've tested using a number of tools and relaying is turned off.

What's going on?

Jan 23 16:51:59 jazz postfix/error[497]: 4720D14B9D8: to=<ratimcat@yahoo.com>, relay=none, delay=164045, delays=164045/0.01/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[495]: 4E8D772545: to=<sniper0704891@aol.com>, relay=none, delay=88986, delays=88986/0/0/0.07, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-04.mx.aol.com[152.163.0.68] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 16:51:59 jazz postfix/smtp[30666]: 48F9277531: host mx01.gmx.com[74.208.5.27] refused to talk to me: 554-gmx.net (mxgmxus003) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is black listed. 554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=198.211.97.170&c=bip
Jan 23 16:51:59 jazz postfix/error[493]: 401DE9A719: to=<derek.nieveen@yahoo.com>, relay=none, delay=132399, delays=132399/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[485]: 4D6E276B9E: to=<ply500cid@aol.com>, relay=none, delay=285847, delays=285847/0/0/0.07, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-04.mx.aol.com[152.163.0.68] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 16:51:59 jazz postfix/error[489]: 4D40476CE9: to=<rastamallam@yahoo.com>, relay=none, delay=285731, delays=285731/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[491]: 46D4022EA3: to=<hoangchuongvt@yahoo.com.vn>, relay=none, delay=2737, delays=2737/0/0/0.08, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-apac.mail.gm0.yahoodns.net[106.10.166.54] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[501]: 498B676B0B: to=<zainalibrahim81@yahoo.com>, relay=none, delay=285894, delays=285894/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[506]: 4F64B36735: to=<idkbutafake@hotmail.com>, relay=none, delay=101097, delays=101097/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[475]: 4CD4C14B8F9: to=<montels@msn.com>, relay=none, delay=164156, delays=164156/0.06/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx2.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[483]: 43E939779D: to=<andrine.roen@hotmail.com>, relay=none, delay=231174, delays=231174/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 442712B950: from=<catherine_mckay@(mysite).com>, size=731, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/error[499]: 4239B14B8E4: to=<piratasom@hotmail.com>, relay=none, delay=164164, delays=164164/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 4235399354: from=<freida_webster@(mysite).com>, size=725, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/error[477]: 442712B950: to=<narcis.fosso@yahoo.fr>, relay=none, delay=353182, delays=353182/0.01/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-eu.mail.am0.yahoodns.net[188.125.69.79] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[497]: 4235399354: to=<thiagomarqueswyenne@hotmail.com>, relay=none, delay=7876, delays=7876/0.01/0/0.02, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 459E09771F: from=<melba_hines@(mysite).com>, size=847, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 46BF733C2F: from=<willie_spence@(mysite).com>, size=787, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 440E72BF56: from=<leigh_robertson@(mysite).com>, size=728, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 48A9AB2B77: from=<lucile_wall@(mysite).com>, size=759, nrcpt=1 (queue active

Question by:St_Aug_Beach_Bum
17 Comments
 
LVL 28

Expert Comment

by:Jan Springer
Grep this smtpid 4720D14B9D8 in your mail log to see the "from".
 
LVL 5

Expert Comment

by:R. Toby Richards
You need to lock down your relay settings. The easiest way to do this will be to install Webmin, and go from there. Once Webmin is installed, you can access it at http(s)://servername.com:10000 (last I checked. You should read the docs).
 
LVL 28

Accepted Solution

by: Jan Springer (earned 500 total points)
That's not really the best solution. The author should understand how the application works.

I'd recommend reading this article:

http://www.postfix.org/SMTPD_ACCESS_README.html
 

Author Comment

by:St_Aug_Beach_Bum
I do have virtualmin/webmin installed on the server, I'm not sure how to lock down relaying... though I do have it turned off, if that's what you mean. All the online tools I use to test mail relaying say it's locked down.

I grepped smtpid 4720D14B9D8 in the mail log and didn't find it. I'm refreshing the logs now (takes a while for me to get it since the server is overwhelmed). The number you indicated is different in each line... maybe a fresher one will work? I'll try.
 
LVL 28

Expert Comment

by:Jan Springer
I use the command line, it's faster.

And it's possible that the smtpid I referenced has rotated to an older log file (maillog.1 or maillog.DATE).
 

Author Comment

by:St_Aug_Beach_Bum
Ok, here's the log with a recent smtpid grepped.

It's saying the 'from' is shelley_hicks@(mysite).com  

But there is no such user on my site...

Jan 23 14:31:55 jazz postfix/smtp[8872]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 14:31:56 jazz postfix/smtp[8872]: 4BD142500A: to=<scd200@daum.net>, relay=mx3.hanmail.net[211.110.65.14]:25, delay=323572, delays=323570/0.03/1.8/0, dsn=4.4.5, status=deferred (host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 15:41:55 jazz postfix/qmgr[4416]: 4BD142500A: from=<shelley_hicks@(mysite).com>, size=730, nrcpt=1 (queue active)
Jan 23 15:41:55 jazz postfix/smtp[22681]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 15:41:56 jazz postfix/smtp[22681]: 4BD142500A: host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 15:41:56 jazz postfix/smtp[22681]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 15:41:57 jazz postfix/smtp[22681]: 4BD142500A: to=<scd200@daum.net>, relay=mx3.hanmail.net[211.110.65.14]:25, delay=327773, delays=327771/0.01/1.9/0, dsn=4.4.5, status=deferred (host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 16:51:57 jazz postfix/smtp[30641]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 16:51:58 jazz postfix/smtp[30641]: 4BD142500A: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 16:51:58 jazz postfix/smtp[30641]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 16:51:59 jazz postfix/smtp[30641]: 4BD142500A: to=<scd200@daum.net>, relay=mx1.hanmail.net[211.110.65.13]:25, delay=331975, delays=331973/0.01/1.8/0, dsn=4.4.5, status=deferred (host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 18:01:43 jazz postfix/smtp[8075]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 18:01:43 jazz postfix/smtp[8075]: 4BD142500A: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 18:01:44 jazz postfix/smtp[8075]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 18:01:44 jazz postfix/smtp[8075]: 4BD142500A: to=<scd200@daum.net>, relay=mx1.hanmail.net[211.110.65.13]:25, delay=336160, delays=336158/0.01/1.9/0, dsn=4.4.5, status=deferred (host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 19:12:00 jazz postfix/qmgr[4416]: 4BD142500A: from=<shelley_hicks@(mysite).com>, size=730, nrcpt=1 (queue active)
Jan 23 19:12:01 jazz postfix/smtp[16064]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 19:12:01 jazz postfix/smtp[16064]: 4BD142500A: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 19:12:02 jazz postfix/smtp[16064]: 4BD142500A: host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 19:12:02 jazz postfix/smtp[16064]: 4BD142500A: to=<scd200@daum.net>, relay=mx4.hanmail.net[180.70.93.98]:25, delay=340378, delays=340376/0/1.8/0, dsn=4.4.5, status=deferred (host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
 

Author Comment

by:St_Aug_Beach_Bum
So it's not like a hacked account on my server that someone is using (I have very few users, all family members).
 
LVL 28

Expert Comment

by:Jan Springer
Is the originating IP one that is allowed to relay? That's the criterion I use. The "from" header could be forged, and I usually ignore it.

I do use SMTP auth (using SASL) and look at the username in the authid line to determine when/if accounts are compromised.
 

Author Comment

by:St_Aug_Beach_Bum
I'm sorry, some of that is Greek to me. I don't see the originating IP here in the log.

This would definitely indicate that it's my server sending this stuff out though, correct?

Jan 23 19:59:40 jazz postfix/qmgr[4416]: ED396B34C7: from=<maryann_brooks@andrews.com>, size=964, nrcpt=1 (queue active)
Jan 23 19:59:40 jazz postfix/qmgr[4416]: E537F7737E: from=<dianna_sharpe@andrews.com>, size=743, nrcpt=1 (queue active)
Jan 23 19:59:40 jazz postfix/error[24430]: E1CB878C95: to=<jtraveler@ymail.com>, relay=none, delay=42998, delays=42998/0.01/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.32] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24419]: E61FD137865: to=<tmmc4321@aol.com>, relay=none, delay=251521, delays=251521/0.01/0/0.09, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-03.mx.aol.com[152.163.0.67] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 19:59:40 jazz postfix/error[24478]: EF17071298: to=<aliesmaesato25@yahoo.com>, relay=none, delay=182607, delays=182607/0/0/0.1, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24426]: E69A366D06: to=<tracywwwdot@yahoo.co.uk>, relay=none, delay=332143, delays=332143/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-eu.mail.am0.yahoodns.net[188.125.69.79] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24423]: E211475775: to=<jsmith_f250@yahoo.com>, relay=none, delay=298021, delays=298021/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24425]: EAB566B36D: to=<silverman_dan@hotmail.com>, relay=none, delay=310399, delays=310399/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24495]: ED2E5137F9D: to=<soccermid11@hotmail.com>, relay=none, delay=21783, delays=21783/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/smtp[22367]: E81EDB8F3F: to=<derogatisleonardo@yahoo.com.ar>, relay=mta5.am0.yahoodns.net[66.196.118.37]:25, delay=134816, delays=134816/0.01/0.22/0.01, dsn=4.7.1, status=deferred (host mta5.am0.yahoodns.net[66.196.118.37] said: 421 4.7.1 [TS03] All messages from 198.211.97.170 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html (in reply to MAIL FROM command))
Jan 23 19:59:40 jazz postfix/error[24490]: ED8C67342F: to=<sistriza90@hotmail.com>, relay=none, delay=227803, delays=227803/0/0/0.08, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24414]: E221A2DDB1: to=<virilover@hotmail.com>, relay=none, delay=280844, delays=280844/0.01/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24489]: E56236769C: to=<nightrider3467@yahoo.com>, relay=none, delay=231774, delays=231774/0.01/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24497]: E69E314D67E: to=<abedin.mohsen@yahoo.com>, relay=none, delay=91520, delays=91520/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24493]: EB5D429EF7: to=<j_freak77@yahoo.com>, relay=none, delay=272469, delays=272469/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24413]: ECC0F14914C: to=<chrischris7777@aol.com>, relay=none, delay=407383, delays=407383/0/0/0.04, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-03.mx.aol.com[152.163.0.67] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 19:59:40 jazz postfix/error[24475]: E959D318E3: to=<ciscolive@live.com>, relay=none, delay=147336, delays=147336/0/0/0.06, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/smtp[21665]: E5D1499C74: to=<jackfreeman@dr.com>, relay=mx00.gmx.com[74.208.5.4]:25, delay=17654, delays=17654/0.01/0.18/0, dsn=4.0.0, status=deferred (host mx00.gmx.com[74.208.5.4] refused to talk to me: 554-gmx.net (mxgmxus002) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is black listed. 554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=198.211.97.170&c=bip)
Jan 23 19:59:40 jazz postfix/error[24473]: E9EF3B3CF2: to=<armandoguaman123@hotmail.es>, relay=none, delay=96253, delays=96253/0/0/0.05, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[207.46.8.167] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24432]: EAB677725B: to=<shiroike@hotmail.com>, relay=none, delay=88137, delays=88137/0.02/0/0.14, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
 
LVL 5

Expert Comment

by:R. Toby Richards
I do have virtualmin/webmin installed on the server, I'm not sure how to lock down relaying... though I do have it turned off, if that's what you mean. All the online tools I use to test mail relaying say it's locked down.

So it's not like a hacked account on my server that someone is using (I have very few users, all family members).

It sounds to me like one of your users has a virus or other type of malware that is doing this.
 
LVL 28

Expert Comment

by:Jan Springer
I don't do Postfix (I'm a sendmail gal). Can you get the headers from a message waiting to be delivered in the mail queue?

In sendmail, the IP attempting to send the message is shown in the logs, and it's not clear in the Postfix logs.
 

Author Comment

by:St_Aug_Beach_Bum
If I turn off my Postfix server, that looks like it stops mail going in/out for now, until this can be figured out.

My server load has come down, but remains higher than normal... would that be just from all the incoming spam or bounced messages being refused?
 

Author Comment

by:St_Aug_Beach_Bum
Yeah, I remember my old server would say who the connection was from in the log... I'm checking on this...
 
LVL 28

Expert Comment

by:Jan Springer
Both, most likely.
 
LVL 5

Expert Comment

by:R. Toby Richards
I don't know much about Postfix, but it may help to have your users require a password when sending e-mail.
 
LVL 61

Expert Comment

by:gheist
First things first:
service postfix stop

Now try to find where this mail is received and how. The log snippets just show you distributing spam.
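An added example (not from anyone in this thread) of the correlation the experts describe: the qmgr/error lines quoted above only show queue ID, sender and recipient, while the origin of each message is on the pickup line (injected locally via the sendmail binary, e.g. by a web script) or the smtpd line (received over SMTP, with the client IP and any SASL username). The script below groups a Postfix maillog by queue ID and counts queued messages per origin; the sample log is constructed in the same format as the question's excerpts, and the uid/host/user values in it are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample maillog in the format the question shows (not the poster's data); the
# pickup and smtpd lines are the ones that record where a message entered the queue.
SAMPLE_LOG = """\
Jan 23 16:51:50 jazz postfix/pickup[4410]: 442712B950: uid=48 from=<catherine_mckay@example.com>
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 442712B950: from=<catherine_mckay@example.com>, size=731, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/error[477]: 442712B950: to=<narcis.fosso@yahoo.fr>, relay=none, delay=353182, delays=353182/0.01/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-eu.mail.am0.yahoodns.net[188.125.69.79] while sending RCPT TO)
Jan 23 16:52:01 jazz postfix/smtpd[4500]: 4235399354: client=host.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=dad
Jan 23 16:52:01 jazz postfix/qmgr[4416]: 4235399354: from=<dad@example.com>, size=725, nrcpt=1 (queue active)
Jan 23 16:52:02 jazz postfix/smtp[30666]: 4235399354: to=<friend@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
Jan 23 16:52:05 jazz postfix/pickup[4410]: 459E09771F: uid=48 from=<melba_hines@example.com>
Jan 23 16:52:05 jazz postfix/qmgr[4416]: 459E09771F: from=<melba_hines@example.com>, size=847, nrcpt=1 (queue active)
Jan 23 16:52:06 jazz postfix/error[489]: 459E09771F: to=<someone@hotmail.com>, relay=none, delay=1, delays=1/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:52:07 jazz postfix/qmgr[4416]: 4235399354: removed
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<daemon>\w+)\[\d+\]: "
                     r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")

def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def correlate_maillog(text):
    """Group lines by queue ID. origin is 'local uid N' when the message was injected
    through the sendmail binary (pickup), or the client host[IP] when it arrived over
    SMTP (smtpd); None means that line is not in the supplied text (e.g. rotated log)."""
    records = defaultdict(lambda: {"from": None, "to": [], "status": [],
                                   "origin": None, "sasl_username": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect lines carry no queue ID
        rec, daemon, rest = records[m["qid"]], m["daemon"], m["rest"]
        if daemon == "pickup":
            uid = _grab(r"uid=(\d+)", rest)
            rec["origin"] = "local uid " + uid if uid else rec["origin"]
        elif daemon == "smtpd":
            rec["origin"] = _grab(r"client=([^,\s]+)", rest) or rec["origin"]
            rec["sasl_username"] = _grab(r"sasl_username=(\S+)", rest) or rec["sasl_username"]
        elif daemon == "qmgr":
            rec["from"] = _grab(r"from=<([^>]*)>", rest) or rec["from"]  # "removed" lines keep it
        elif daemon in ("smtp", "error", "local", "virtual"):
            rcpt, status = _grab(r"to=<([^>]*)>", rest), _grab(r"status=(\w+)", rest)
            if rcpt and status:
                rec["to"].append(rcpt)
                rec["status"].append(status)
    return dict(records)

def origin_summary(records):
    """Count queued messages per origin: a pile-up on one local uid (48 is typically
    apache on CentOS) points at a script on the box, a pile-up on one SASL user at a
    stolen mailbox password."""
    counts = defaultdict(int)
    for rec in records.values():
        key = rec["origin"] or "unknown"
        if rec["sasl_username"]:
            key += " (sasl " + rec["sasl_username"] + ")"
        counts[key] += 1
    return dict(counts)
```

Run it over the whole maillog (including rotated files, since a queue ID's pickup/smtpd line may be days older than its latest deferral) and the origin that dominates the count is where to look next.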