Solved

Linux (centos) server overwhelmed by spam mail, what's going on here (logs)?

Posted on 2015-01-23
17 comments, 771 views
Last Modified: 2015-02-13
My server is receiving (sending?) tons of spam per minute. Server loads up around 40.

A lot of these are "to", does that mean my server is sending these out? I've tested using a number of tools and relaying is turned off.

What's going on?

Jan 23 16:51:59 jazz postfix/error[497]: 4720D14B9D8: to=<ratimcat@yahoo.com>, relay=none, delay=164045, delays=164045/0.01/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[495]: 4E8D772545: to=<sniper0704891@aol.com>, relay=none, delay=88986, delays=88986/0/0/0.07, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-04.mx.aol.com[152.163.0.68] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 16:51:59 jazz postfix/smtp[30666]: 48F9277531: host mx01.gmx.com[74.208.5.27] refused to talk to me: 554-gmx.net (mxgmxus003) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is black listed. 554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=198.211.97.170&c=bip
Jan 23 16:51:59 jazz postfix/error[493]: 401DE9A719: to=<derek.nieveen@yahoo.com>, relay=none, delay=132399, delays=132399/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[485]: 4D6E276B9E: to=<ply500cid@aol.com>, relay=none, delay=285847, delays=285847/0/0/0.07, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-04.mx.aol.com[152.163.0.68] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 16:51:59 jazz postfix/error[489]: 4D40476CE9: to=<rastamallam@yahoo.com>, relay=none, delay=285731, delays=285731/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[491]: 46D4022EA3: to=<hoangchuongvt@yahoo.com.vn>, relay=none, delay=2737, delays=2737/0/0/0.08, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-apac.mail.gm0.yahoodns.net[106.10.166.54] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[501]: 498B676B0B: to=<zainalibrahim81@yahoo.com>, relay=none, delay=285894, delays=285894/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[506]: 4F64B36735: to=<idkbutafake@hotmail.com>, relay=none, delay=101097, delays=101097/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[475]: 4CD4C14B8F9: to=<montels@msn.com>, relay=none, delay=164156, delays=164156/0.06/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx2.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[483]: 43E939779D: to=<andrine.roen@hotmail.com>, relay=none, delay=231174, delays=231174/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 442712B950: from=<catherine_mckay@(mysite).com>, size=731, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/error[499]: 4239B14B8E4: to=<piratasom@hotmail.com>, relay=none, delay=164164, delays=164164/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 4235399354: from=<freida_webster@(mysite).com>, size=725, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/error[477]: 442712B950: to=<narcis.fosso@yahoo.fr>, relay=none, delay=353182, delays=353182/0.01/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-eu.mail.am0.yahoodns.net[188.125.69.79] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[497]: 4235399354: to=<thiagomarqueswyenne@hotmail.com>, relay=none, delay=7876, delays=7876/0.01/0/0.02, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 459E09771F: from=<melba_hines@(mysite).com>, size=847, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 46BF733C2F: from=<willie_spence@(mysite).com>, size=787, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 440E72BF56: from=<leigh_robertson@(mysite).com>, size=728, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 48A9AB2B77: from=<lucile_wall@(mysite).com>, size=759, nrcpt=1 (queue active

Question by:St_Aug_Beach_Bum
17 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40566911
grep this smtpid 4720D14B9D8 in your mail log to see the "from"
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40566916
You need to lock down your relay settings. The easiest way to do this will be to install Webmin, and go from there. Once Webmin is installed, you can access it at http(s)://servername.com:10000 (last I checked. You should read the docs).
 
LVL 28

Accepted Solution

by: Jan Springer (earned 500 total points)
ID: 40566924
that's not really the best solution.  the author should understand how the application works.

i'd recommend reading this article:

http://www.postfix.org/SMTPD_ACCESS_README.html
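Jan's pointer to SMTPD_ACCESS_README is the right one: whether Postfix relays for a client comes down to `mynetworks` and the left-to-right order of `smtpd_recipient_restrictions` (plus `smtpd_relay_restrictions` on Postfix 2.10 and later). The script below is an added example, not code from this thread or from the Postfix project. It parses `postconf -n` style output and reports the settings that would make the server an open relay. The two embedded configurations are constructed: a weak one that trusts the whole Internet, and the hardened shape a small family server should be aiming for (loopback only in `mynetworks`, SMTP AUTH for everyone else). An empty report means the relay gate is sound, which is consistent with what the online relay testers told the poster; it says nothing about mail injected locally by a script or account on the box.

```python
import re
import sys

# Constructed 'postconf -n' style output, not from the original post or Postfix docs.
# WEAK_CONF trusts the whole Internet in mynetworks, so permit_mynetworks fires before
# reject_unauth_destination for every client: an open relay.
WEAK_CONF = """\
myhostname = jazz.example.com
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""

# HARDENED_CONF trusts only loopback; everyone else must authenticate (SASL) or be
# sending to a domain this server accepts mail for.
HARDENED_CONF = """\
myhostname = jazz.example.com
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

# Restrictions that stop a recipient outside our domains from being relayed.
RELAY_GATES = ('reject_unauth_destination', 'defer_unauth_destination', 'reject', 'defer')


def parse_postconf(text):
    """Turn 'name = value' lines (as printed by postconf -n) into a dict."""
    conf = {}
    for line in text.splitlines():
        if '=' in line and not line.lstrip().startswith('#'):
            name, value = line.split('=', 1)
            conf[name.strip()] = value.strip()
    return conf


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [v for v in re.split(r'[,\s]+', value) if v]


def audit_relay_policy(conf):
    """Return findings that would let arbitrary clients relay through this server.

    Postfix walks a restriction list left to right and stops at the first permit
    or reject, so anything that permits before the relay gate is decisive.
    Parameters absent from 'postconf -n' are at their (safe) defaults.
    """
    findings = []
    if 'mynetworks' in conf:
        for net in split_list(conf['mynetworks']):
            if net.endswith('/0'):  # 0.0.0.0/0 or [::]/0 matches every address
                findings.append('mynetworks trusts every address (%s)' % net)
    elif conf.get('mynetworks_style', 'subnet') != 'host':
        findings.append('mynetworks unset: mynetworks_style=%s trusts every host on the '
                        'local subnet' % conf.get('mynetworks_style', 'subnet'))

    # Postfix 2.10+ checks smtpd_relay_restrictions first; older releases (CentOS 6)
    # only have smtpd_recipient_restrictions, so audit whichever are present.
    present = [p for p in ('smtpd_relay_restrictions', 'smtpd_recipient_restrictions') if p in conf]
    any_gate = bare_permit = False
    for param in present:
        for rule in split_list(conf[param]):
            if rule in RELAY_GATES:
                any_gate = True
                break
            if rule == 'permit':
                bare_permit = True
                findings.append('%s: unconditional "permit" before any relay gate' % param)
                break
    if present and not any_gate and not bare_permit:
        findings.append('no reject_unauth_destination in the configured restrictions '
                        '(Postfix 2.10+ still falls back to the default smtpd_relay_restrictions; '
                        'older releases relay for everyone)')
    return findings


if __name__ == '__main__':
    # Usage on the server:  postconf -n | python audit_relay.py
    text = sys.stdin.read() if not sys.stdin.isatty() else WEAK_CONF
    for finding in audit_relay_policy(parse_postconf(text)) or ['relay gate looks sound']:
        print(finding)
```

Pipe the real `postconf -n` output into it on the server; with no input it audits the constructed weak configuration so the report format can be seen offline.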

Author Comment

by:St_Aug_Beach_Bum
ID: 40567054
I do have virtualmin/webmin installed on the server, I'm not sure how to lock down relaying... though I do have it turned off, if that's what you mean. All the online tools I use to test mail relaying say it's locked down.

I grepped smtpid 4720D14B9D8 in the mail log and didn't find it. I'm refreshing the logs now (takes a while for me to get it since the server is overwhelmed). The number you indicated is different in each line... maybe a fresher one will work? I'll try.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40567063
i use command line, it's faster.

and, it's possible that the smtpid i referenced has rotated to an older log file (maillog.1 or maillog.DATE).
 

Author Comment

by:St_Aug_Beach_Bum
ID: 40567095
Ok, here's the log with a recent smtpid grepped.

It's saying the 'from' is shelley_hicks@(mysite).com  

But there is no such user on my site...

Jan 23 14:31:55 jazz postfix/smtp[8872]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 14:31:56 jazz postfix/smtp[8872]: 4BD142500A: to=<scd200@daum.net>, relay=mx3.hanmail.net[211.110.65.14]:25, delay=323572, delays=323570/0.03/1.8/0, dsn=4.4.5, status=deferred (host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 15:41:55 jazz postfix/qmgr[4416]: 4BD142500A: from=<shelley_hicks@(mysite).com>, size=730, nrcpt=1 (queue active)
Jan 23 15:41:55 jazz postfix/smtp[22681]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 15:41:56 jazz postfix/smtp[22681]: 4BD142500A: host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 15:41:56 jazz postfix/smtp[22681]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 15:41:57 jazz postfix/smtp[22681]: 4BD142500A: to=<scd200@daum.net>, relay=mx3.hanmail.net[211.110.65.14]:25, delay=327773, delays=327771/0.01/1.9/0, dsn=4.4.5, status=deferred (host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 16:51:57 jazz postfix/smtp[30641]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 16:51:58 jazz postfix/smtp[30641]: 4BD142500A: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 16:51:58 jazz postfix/smtp[30641]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 16:51:59 jazz postfix/smtp[30641]: 4BD142500A: to=<scd200@daum.net>, relay=mx1.hanmail.net[211.110.65.13]:25, delay=331975, delays=331973/0.01/1.8/0, dsn=4.4.5, status=deferred (host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 18:01:43 jazz postfix/smtp[8075]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 18:01:43 jazz postfix/smtp[8075]: 4BD142500A: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 18:01:44 jazz postfix/smtp[8075]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 18:01:44 jazz postfix/smtp[8075]: 4BD142500A: to=<scd200@daum.net>, relay=mx1.hanmail.net[211.110.65.13]:25, delay=336160, delays=336158/0.01/1.9/0, dsn=4.4.5, status=deferred (host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 19:12:00 jazz postfix/qmgr[4416]: 4BD142500A: from=<shelley_hicks@(mysite).com>, size=730, nrcpt=1 (queue active)
Jan 23 19:12:01 jazz postfix/smtp[16064]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 19:12:01 jazz postfix/smtp[16064]: 4BD142500A: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 19:12:02 jazz postfix/smtp[16064]: 4BD142500A: host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 19:12:02 jazz postfix/smtp[16064]: 4BD142500A: to=<scd200@daum.net>, relay=mx4.hanmail.net[180.70.93.98]:25, delay=340378, delays=340376/0/1.8/0, dsn=4.4.5, status=deferred (host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))

 

Author Comment

by:St_Aug_Beach_Bum
ID: 40567100
So it's not like a hacked account on my server that someone is using (I have very few users, all family members).
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40567127
Is the originating IP one that is allowed to relay?  that's the criterion i use.  the "from" header could be forged and i usually ignore it.

i do use smtp auth (using sasl) and look at the username in the authid line to determine when/if accounts are compromised.
 

Author Comment

by:St_Aug_Beach_Bum
ID: 40567202
I'm sorry, some of that is Greek to me. I don't see the originating IP here in the log.

This would definitely indicate that it's my server sending this stuff out though, correct?

Jan 23 19:59:40 jazz postfix/qmgr[4416]: ED396B34C7: from=<maryann_brooks@andrews.com>, size=964, nrcpt=1 (queue active)
Jan 23 19:59:40 jazz postfix/qmgr[4416]: E537F7737E: from=<dianna_sharpe@andrews.com>, size=743, nrcpt=1 (queue active)
Jan 23 19:59:40 jazz postfix/error[24430]: E1CB878C95: to=<jtraveler@ymail.com>, relay=none, delay=42998, delays=42998/0.01/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.32] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24419]: E61FD137865: to=<tmmc4321@aol.com>, relay=none, delay=251521, delays=251521/0.01/0/0.09, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-03.mx.aol.com[152.163.0.67] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 19:59:40 jazz postfix/error[24478]: EF17071298: to=<aliesmaesato25@yahoo.com>, relay=none, delay=182607, delays=182607/0/0/0.1, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24426]: E69A366D06: to=<tracywwwdot@yahoo.co.uk>, relay=none, delay=332143, delays=332143/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-eu.mail.am0.yahoodns.net[188.125.69.79] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24423]: E211475775: to=<jsmith_f250@yahoo.com>, relay=none, delay=298021, delays=298021/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24425]: EAB566B36D: to=<silverman_dan@hotmail.com>, relay=none, delay=310399, delays=310399/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24495]: ED2E5137F9D: to=<soccermid11@hotmail.com>, relay=none, delay=21783, delays=21783/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/smtp[22367]: E81EDB8F3F: to=<derogatisleonardo@yahoo.com.ar>, relay=mta5.am0.yahoodns.net[66.196.118.37]:25, delay=134816, delays=134816/0.01/0.22/0.01, dsn=4.7.1, status=deferred (host mta5.am0.yahoodns.net[66.196.118.37] said: 421 4.7.1 [TS03] All messages from 198.211.97.170 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html (in reply to MAIL FROM command))
Jan 23 19:59:40 jazz postfix/error[24490]: ED8C67342F: to=<sistriza90@hotmail.com>, relay=none, delay=227803, delays=227803/0/0/0.08, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24414]: E221A2DDB1: to=<virilover@hotmail.com>, relay=none, delay=280844, delays=280844/0.01/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24489]: E56236769C: to=<nightrider3467@yahoo.com>, relay=none, delay=231774, delays=231774/0.01/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24497]: E69E314D67E: to=<abedin.mohsen@yahoo.com>, relay=none, delay=91520, delays=91520/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24493]: EB5D429EF7: to=<j_freak77@yahoo.com>, relay=none, delay=272469, delays=272469/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24413]: ECC0F14914C: to=<chrischris7777@aol.com>, relay=none, delay=407383, delays=407383/0/0/0.04, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-03.mx.aol.com[152.163.0.67] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 19:59:40 jazz postfix/error[24475]: E959D318E3: to=<ciscolive@live.com>, relay=none, delay=147336, delays=147336/0/0/0.06, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/smtp[21665]: E5D1499C74: to=<jackfreeman@dr.com>, relay=mx00.gmx.com[74.208.5.4]:25, delay=17654, delays=17654/0.01/0.18/0, dsn=4.0.0, status=deferred (host mx00.gmx.com[74.208.5.4] refused to talk to me: 554-gmx.net (mxgmxus002) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is black listed. 554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=198.211.97.170&c=bip)
Jan 23 19:59:40 jazz postfix/error[24473]: E9EF3B3CF2: to=<armandoguaman123@hotmail.es>, relay=none, delay=96253, delays=96253/0/0/0.05, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[207.46.8.167] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24432]: EAB677725B: to=<shiroike@hotmail.com>, relay=none, delay=88137, delays=88137/0.02/0/0.14, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)

 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40567210
> I do have virtualmin/webmin installed on the server, I'm not sure how to lock down relaying... though I do have it turned off, if that's what you mean. All the online tools I use to test mail relaying say it's locked down.

> So it's not like a hacked account on my server that someone is using (I have very few users, all family members).

It sounds to me like one of your users has a virus or other type of malware that is doing this.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40567211
I don't do postfix (i'm a sendmail gal).  can you get the headers from a message waiting to be delivered in the mail queue?

in sendmail, the IP attempting to send the message is shown in the logs and it's not clear in the postfix logs.
 

Author Comment

by:St_Aug_Beach_Bum
ID: 40567225
If I turn off my postfix server, that looks like it stopped mail going in/out for now until this can be figured out.

My server load has come down, but remains higher than normal... would that be just from all the incoming spam or bounced messages being refused?
 

Author Comment

by:St_Aug_Beach_Bum
ID: 40567232
Yeh, I remember my old server would say who the connection was from in the log... I'm checking on this..
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40567233
both most likely.
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40567235
I don't know much about Postfix, but it may help to have your users require a password when sending e-mail.
 
LVL 62

Expert Comment

by:gheist
ID: 40568594
first things first:
service postfix stop

Now try to find where this mail is received and how. The log snippets just show you distributing spam.
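The thread keeps circling the same two questions: where does each message enter the server (Jan's "originating IP", gheist's "where this mail is received and how"), and are the sender addresses real accounts (the poster's shelley_hicks@ finding). The snippets posted above are only the `qmgr` and delivery-agent lines; Postfix records the ingress on a separate, earlier line for the same queue ID: a `postfix/pickup` line with `uid=` when mail was submitted locally (a web script running as the web server user, for instance), or a `postfix/smtpd` line with `client=host[ip]`, plus `sasl_username=` when the client authenticated. The script below is an added example, not from the thread or from Postfix; it joins those lines by queue ID and reports messages per ingress path, delivery status, and senders in the local domain that do not match a known account. The embedded log lines are constructed, and `example.com` with accounts `alice` and `bob` stands in for the poster's domain and users.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines (not from the original post). Two messages were injected
# locally by uid 48 (the web server account on a stock CentOS), one came in over an
# authenticated SMTP session, and one arrived from a remote MX for local delivery.
SAMPLE_LOG = """\
Jan 23 19:59:40 jazz postfix/pickup[2345]: A1B2C3D4E5: uid=48 from=<apache>
Jan 23 19:59:40 jazz postfix/qmgr[4416]: A1B2C3D4E5: from=<maryann_brooks@example.com>, size=964, nrcpt=1 (queue active)
Jan 23 19:59:40 jazz postfix/error[24430]: A1B2C3D4E5: to=<victim1@example.net>, relay=none, delay=42998, delays=42998/0.01/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx.example.net[192.0.2.10] while sending RCPT TO)
Jan 23 19:59:41 jazz postfix/pickup[2345]: B2C3D4E5F6: uid=48 from=<apache>
Jan 23 19:59:41 jazz postfix/qmgr[4416]: B2C3D4E5F6: from=<dianna_sharpe@example.com>, size=743, nrcpt=1 (queue active)
Jan 23 19:59:41 jazz postfix/smtp[22367]: B2C3D4E5F6: to=<victim2@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=134816, delays=134816/0.01/0.22/0.01, dsn=4.7.1, status=deferred (host mx.example.org[192.0.2.20] said: 421 4.7.1 All messages from 198.51.100.7 will be permanently deferred (in reply to MAIL FROM command))
Jan 23 19:59:42 jazz postfix/smtpd[30001]: C3D4E5F6A7: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob
Jan 23 19:59:42 jazz postfix/qmgr[4416]: C3D4E5F6A7: from=<bob@example.com>, size=512, nrcpt=1 (queue active)
Jan 23 19:59:42 jazz postfix/smtp[30002]: C3D4E5F6A7: to=<friend@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
Jan 23 19:59:43 jazz postfix/smtpd[30003]: D4E5F6A7B8: client=mail.example.net[192.0.2.10]
Jan 23 19:59:43 jazz postfix/qmgr[4416]: D4E5F6A7B8: from=<friend@example.net>, size=900, nrcpt=1 (queue active)
Jan 23 19:59:43 jazz postfix/local[30004]: D4E5F6A7B8: to=<alice@example.com>, relay=local, delay=0.3, delays=0.1/0/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
"""

LINE_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: '
                     r'(?P<qid>[0-9A-F]+): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(<[^>]*>|[^,\s]+)')


def parse_log(text):
    """Group Postfix log lines by queue ID and record where each message entered.

    Returns {qid: {'origin': str|None, 'from': str|None, 'to': [...], 'status': [...]}}.
    """
    msgs = defaultdict(lambda: {'origin': None, 'from': None, 'to': [], 'status': []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'connect from', 'warning:' and NOQUEUE lines carry no queue ID
        prog, qid, rest = m.group('prog'), m.group('qid'), m.group('rest')
        kv = dict(KV_RE.findall(rest))
        rec = msgs[qid]
        if prog == 'pickup' and 'uid' in kv:
            # Submitted locally via sendmail(1)/the maildrop queue: uid names the
            # Unix account that injected it (uid 48 is apache on stock CentOS).
            rec['origin'] = 'local uid=%s (%s)' % (kv['uid'], kv.get('from', '').strip('<>'))
        elif prog == 'smtpd' and 'client' in kv:
            # Submitted over the network: client=host[ip]; sasl_username appears
            # only when the client authenticated, otherwise it is an anonymous peer.
            if 'sasl_username' in kv:
                rec['origin'] = 'smtp-auth user=%s via %s' % (kv['sasl_username'], kv['client'])
            else:
                rec['origin'] = 'network client %s (unauthenticated)' % kv['client']
        elif prog == 'qmgr' and 'from' in kv:
            rec['from'] = kv['from'].strip('<>')
        elif 'to' in kv and 'status' in kv:
            rec['to'].append(kv['to'].strip('<>'))
            rec['status'].append(kv['status'])
    return dict(msgs)


def summarize(msgs):
    """Count queued messages by ingress path, envelope sender and delivery status."""
    by_origin, by_sender, by_status = Counter(), Counter(), Counter()
    for rec in msgs.values():
        by_origin[rec['origin'] or 'unknown (ingress line not in this log slice)'] += 1
        if rec['from']:
            by_sender[rec['from']] += 1
        by_status.update(rec['status'])
    return by_origin, by_sender, by_status


def forged_local_senders(msgs, local_domains, known_users):
    """Envelope senders in one of our domains whose local part is not a real account.

    A stream of such addresses (shelley_hicks@, catherine_mckay@, ...) points at a
    script generating sender addresses rather than at one compromised mailbox.
    """
    forged = Counter()
    for rec in msgs.values():
        sender = rec['from']
        if not sender or '@' not in sender:
            continue
        user, domain = sender.rsplit('@', 1)
        if domain.lower() in local_domains and user.lower() not in known_users:
            forged[sender] += 1
    return forged


if __name__ == '__main__':
    # Usage on the server:  python maillog_origin.py /var/log/maillog
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    msgs = parse_log(text)
    by_origin, by_sender, by_status = summarize(msgs)
    print('messages by ingress path:')
    for origin, n in by_origin.most_common():
        print('  %5d  %s' % (n, origin))
    print('delivery status:', dict(by_status))
    print('top senders:', by_sender.most_common(5))
    print('forged local senders:', dict(forged_local_senders(msgs, {'example.com'}, {'alice', 'bob'})))
```

On a busy server the ingress lines for old queue IDs may already be in a rotated file (maillog.1 or maillog-DATE), so feed all of them. If the report shows the bulk of messages under a `local uid=48` style origin, the source is a process running as that account rather than the SMTP relay settings; an `smtp-auth user=` origin with a large count points at a stolen password for that account.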
