Solved

Linux (centos) server overwhelmed by spam mail, what's going on here (logs)?

Posted on 2015-01-23
Last Modified: 2015-02-13
My server is receiving (sending?) tons of spam per minute. Server loads up around 40.

A lot of these are "to", does that mean my server is sending these out? I've tested using a number of tools and relaying is turned off.

What's going on?

Jan 23 16:51:59 jazz postfix/error[497]: 4720D14B9D8: to=<ratimcat@yahoo.com>, relay=none, delay=164045, delays=164045/0.01/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[495]: 4E8D772545: to=<sniper0704891@aol.com>, relay=none, delay=88986, delays=88986/0/0/0.07, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-04.mx.aol.com[152.163.0.68] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 16:51:59 jazz postfix/smtp[30666]: 48F9277531: host mx01.gmx.com[74.208.5.27] refused to talk to me: 554-gmx.net (mxgmxus003) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is black listed. 554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=198.211.97.170&c=bip
Jan 23 16:51:59 jazz postfix/error[493]: 401DE9A719: to=<derek.nieveen@yahoo.com>, relay=none, delay=132399, delays=132399/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[485]: 4D6E276B9E: to=<ply500cid@aol.com>, relay=none, delay=285847, delays=285847/0/0/0.07, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-04.mx.aol.com[152.163.0.68] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 16:51:59 jazz postfix/error[489]: 4D40476CE9: to=<rastamallam@yahoo.com>, relay=none, delay=285731, delays=285731/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[491]: 46D4022EA3: to=<hoangchuongvt@yahoo.com.vn>, relay=none, delay=2737, delays=2737/0/0/0.08, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-apac.mail.gm0.yahoodns.net[106.10.166.54] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[501]: 498B676B0B: to=<zainalibrahim81@yahoo.com>, relay=none, delay=285894, delays=285894/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.25] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[506]: 4F64B36735: to=<idkbutafake@hotmail.com>, relay=none, delay=101097, delays=101097/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[475]: 4CD4C14B8F9: to=<montels@msn.com>, relay=none, delay=164156, delays=164156/0.06/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx2.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[483]: 43E939779D: to=<andrine.roen@hotmail.com>, relay=none, delay=231174, delays=231174/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 442712B950: from=<catherine_mckay@(mysite).com>, size=731, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/error[499]: 4239B14B8E4: to=<piratasom@hotmail.com>, relay=none, delay=164164, delays=164164/0.06/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 4235399354: from=<freida_webster@(mysite).com>, size=725, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/error[477]: 442712B950: to=<narcis.fosso@yahoo.fr>, relay=none, delay=353182, delays=353182/0.01/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-eu.mail.am0.yahoodns.net[188.125.69.79] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/error[497]: 4235399354: to=<thiagomarqueswyenne@hotmail.com>, relay=none, delay=7876, delays=7876/0.01/0/0.02, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 459E09771F: from=<melba_hines@(mysite).com>, size=847, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 46BF733C2F: from=<willie_spence@(mysite).com>, size=787, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 440E72BF56: from=<leigh_robertson@(mysite).com>, size=728, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 48A9AB2B77: from=<lucile_wall@(mysite).com>, size=759, nrcpt=1 (queue active

Question by:St_Aug_Beach_Bum
17 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40566911
grep this smtpid 4720D14B9D8 in your mail log to see the "from"
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40566916
You need to lock down your relay settings. The easiest way to do this will be to install Webmin, and go from there. Once Webmin is installed, you can access it at http(s)://servername.com:10000 (last I checked. You should read the docs).
 
LVL 29

Accepted Solution

by:Jan Springer (earned 2000 total points)
ID: 40566924
that's not really the best solution.  the author should understand how the application works.

i'd recommend reading this article:

http://www.postfix.org/SMTPD_ACCESS_README.html

Author Comment

by:St_Aug_Beach_Bum
ID: 40567054
I do have virtualmin/webmin installed on the server, I'm not sure how to lock down relaying... though I do have it turned off, if that's what you mean. All the online tools I use to test mail relaying say it's locked down.

I grepped smtpid 4720D14B9D8 in the mail log and didn't find it. I'm refreshing the logs now (takes a while for me to get it since the server is overwhelmed). The number you indicated is different in each line... maybe a fresher one will work? I'll try.
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40567063
i use command line, it's faster.

and, it's possible that the smtpid i referenced has rotated to an older log file (maillog.1 or maillog.DATE).
 

Author Comment

by:St_Aug_Beach_Bum
ID: 40567095
Ok, here's the log with a recent smtpid grepped.

It's saying the 'from' is shelley_hicks@(mysite).com

But there is no such user on my site...

Jan 23 14:31:55 jazz postfix/smtp[8872]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 14:31:56 jazz postfix/smtp[8872]: 4BD142500A: to=<scd200@daum.net>, relay=mx3.hanmail.net[211.110.65.14]:25, delay=323572, delays=323570/0.03/1.8/0, dsn=4.4.5, status=deferred (host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 15:41:55 jazz postfix/qmgr[4416]: 4BD142500A: from=<shelley_hicks@(mysite).com>, size=730, nrcpt=1 (queue active)
Jan 23 15:41:55 jazz postfix/smtp[22681]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 15:41:56 jazz postfix/smtp[22681]: 4BD142500A: host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 15:41:56 jazz postfix/smtp[22681]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 15:41:57 jazz postfix/smtp[22681]: 4BD142500A: to=<scd200@daum.net>, relay=mx3.hanmail.net[211.110.65.14]:25, delay=327773, delays=327771/0.01/1.9/0, dsn=4.4.5, status=deferred (host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 16:51:57 jazz postfix/smtp[30641]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 16:51:58 jazz postfix/smtp[30641]: 4BD142500A: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 16:51:58 jazz postfix/smtp[30641]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 16:51:59 jazz postfix/smtp[30641]: 4BD142500A: to=<scd200@daum.net>, relay=mx1.hanmail.net[211.110.65.13]:25, delay=331975, delays=331973/0.01/1.8/0, dsn=4.4.5, status=deferred (host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 18:01:43 jazz postfix/smtp[8075]: 4BD142500A: host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 18:01:43 jazz postfix/smtp[8075]: 4BD142500A: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 18:01:44 jazz postfix/smtp[8075]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 18:01:44 jazz postfix/smtp[8075]: 4BD142500A: to=<scd200@daum.net>, relay=mx1.hanmail.net[211.110.65.13]:25, delay=336160, delays=336158/0.01/1.9/0, dsn=4.4.5, status=deferred (host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))
Jan 23 19:12:00 jazz postfix/qmgr[4416]: 4BD142500A: from=<shelley_hicks@(mysite).com>, size=730, nrcpt=1 (queue active)
Jan 23 19:12:01 jazz postfix/smtp[16064]: 4BD142500A: host mx2.hanmail.net[180.70.93.97] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 19:12:01 jazz postfix/smtp[16064]: 4BD142500A: host mx3.hanmail.net[211.110.65.14] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 19:12:02 jazz postfix/smtp[16064]: 4BD142500A: host mx1.hanmail.net[211.110.65.13] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT)
Jan 23 19:12:02 jazz postfix/smtp[16064]: 4BD142500A: to=<scd200@daum.net>, relay=mx4.hanmail.net[180.70.93.98]:25, delay=340378, delays=340376/0/1.8/0, dsn=4.4.5, status=deferred (host mx4.hanmail.net[180.70.93.98] refused to talk to me: 421 4.4.5 CCRT 198.211.97.170: Connection refused. Server is busy(RT))

 

Author Comment

by:St_Aug_Beach_Bum
ID: 40567100
So it's not like a hacked account on my server that someone is using (I have very few users, all family members).
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40567127
Is the originating IP one that is allowed to relay? That's the criterion i use. The "from" header could be forged and i usually ignore it.

i do use smtp auth (using sasl) and look at the username in the authid line to determine when/if accounts are compromised.
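An added example (my own code, not something posted in this thread) that does what the two comments above describe: it groups maillog lines by queue ID so a message's from=, to= and status are seen together, reports how each message entered the queue (an smtpd client= line with its sasl_username, or a pickup uid= line meaning local submission by a process on the box), and flags senders that are not in an assumed list of real mailboxes. The log lines and LOCAL_USERS are constructed, modelled on the formats in this thread.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not the poster's real log), modelled on the
# qmgr/error/smtp formats above plus the pickup and smtpd lines Postfix also writes.
SAMPLE_LOG = """\
Jan 23 16:51:58 jazz postfix/pickup[4410]: 442712B950: uid=48 from=<catherine_mckay@example.com>
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 442712B950: from=<catherine_mckay@example.com>, size=731, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/error[477]: 442712B950: to=<narcis.fosso@yahoo.fr>, relay=none, delay=353182, delays=353182/0.01/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-eu.mail.am0.yahoodns.net[188.125.69.79] while sending RCPT TO)
Jan 23 16:51:58 jazz postfix/pickup[4410]: 4235399354: uid=48 from=<freida_webster@example.com>
Jan 23 16:51:59 jazz postfix/qmgr[4416]: 4235399354: from=<freida_webster@example.com>, size=725, nrcpt=1 (queue active)
Jan 23 16:51:59 jazz postfix/error[497]: 4235399354: to=<thiagomarqueswyenne@hotmail.com>, relay=none, delay=7876, delays=7876/0.01/0/0.02, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 16:52:10 jazz postfix/smtpd[5120]: 7A1C29B1E2: client=home.example.net[203.0.113.7], sasl_method=LOGIN, sasl_username=mom@example.com
Jan 23 16:52:10 jazz postfix/qmgr[4416]: 7A1C29B1E2: from=<mom@example.com>, size=1420, nrcpt=1 (queue active)
Jan 23 16:52:11 jazz postfix/smtp[5130]: 7A1C29B1E2: to=<friend@example.org>, relay=mx.example.org[198.51.100.9]:25, delay=0.6, delays=0.3/0.01/0.2/0.1, dsn=2.0.0, status=sent (250 OK)
"""

# Assumed list of mailboxes that really exist on the server.
LOCAL_USERS = {"mom@example.com", "dad@example.com"}

# "<month> <day> <time> <host> postfix/<program>[pid]: <queue id>: <rest>"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
# key=value pairs; the optional <...> around addresses is stripped.
KV_RE = re.compile(r"(\w+)=<?([^,>\s]*)>?")


def correlate(log_text):
    """Merge every line that carries the same queue ID into one record."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs[m.group("qid")]
        rec.setdefault("programs", set()).add(m.group("prog"))
        for key, val in KV_RE.findall(m.group("rest")):
            rec.setdefault(key, val)  # keep the first value seen for each key
    return msgs


def classify(msgs, local_users):
    """Say how each message got into the queue and whether its sender is a real mailbox."""
    findings = {}
    for qid, rec in msgs.items():
        sender = rec.get("from", "")
        if "client" in rec:  # arrived over SMTP: smtpd logs the client and any SASL login
            origin = "smtpd from %s as %s" % (rec["client"], rec.get("sasl_username", "unauthenticated"))
        elif "uid" in rec:   # dropped into the maildrop locally, e.g. by a web script calling sendmail
            origin = "local submission by uid %s" % rec["uid"]
        else:
            origin = "origin line not in this log slice"
        findings[qid] = {"from": sender, "origin": origin,
                         "status": rec.get("status", "unknown"),
                         "sender_unknown": sender not in local_users}
    return findings


def sender_counts(msgs):
    """How many queued messages claim each sender; spam runs show many one-off names."""
    counts = defaultdict(int)
    for rec in msgs.values():
        counts[rec.get("from", "")] += 1
    return dict(counts)


if __name__ == "__main__":
    for qid, f in classify(correlate(SAMPLE_LOG), LOCAL_USERS).items():
        print(qid, "SUSPECT" if f["sender_unknown"] else "ok", f["from"], "|", f["origin"], "|", f["status"])
```

On a real system, feed it `/var/log/maillog` (and the rotated maillog.1 files Jan mentions) and look at the uid on pickup lines: a web server or CMS user submitting mail for hundreds of nonexistent senders points at a compromised script rather than an open relay.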
 

Author Comment

by:St_Aug_Beach_Bum
ID: 40567202
I'm sorry, some of that is greek to me. I don't see the originating ip here in the log.

This would definitely indicate that it's my server sending this stuff out though, correct?

Jan 23 19:59:40 jazz postfix/qmgr[4416]: ED396B34C7: from=<maryann_brooks@andrews.com>, size=964, nrcpt=1 (queue active)
Jan 23 19:59:40 jazz postfix/qmgr[4416]: E537F7737E: from=<dianna_sharpe@andrews.com>, size=743, nrcpt=1 (queue active)
Jan 23 19:59:40 jazz postfix/error[24430]: E1CB878C95: to=<jtraveler@ymail.com>, relay=none, delay=42998, delays=42998/0.01/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.138.112.32] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24419]: E61FD137865: to=<tmmc4321@aol.com>, relay=none, delay=251521, delays=251521/0.01/0/0.09, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-03.mx.aol.com[152.163.0.67] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 19:59:40 jazz postfix/error[24478]: EF17071298: to=<aliesmaesato25@yahoo.com>, relay=none, delay=182607, delays=182607/0/0/0.1, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24426]: E69A366D06: to=<tracywwwdot@yahoo.co.uk>, relay=none, delay=332143, delays=332143/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx-eu.mail.am0.yahoodns.net[188.125.69.79] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24423]: E211475775: to=<jsmith_f250@yahoo.com>, relay=none, delay=298021, delays=298021/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24425]: EAB566B36D: to=<silverman_dan@hotmail.com>, relay=none, delay=310399, delays=310399/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24495]: ED2E5137F9D: to=<soccermid11@hotmail.com>, relay=none, delay=21783, delays=21783/0/0/0.09, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/smtp[22367]: E81EDB8F3F: to=<derogatisleonardo@yahoo.com.ar>, relay=mta5.am0.yahoodns.net[66.196.118.37]:25, delay=134816, delays=134816/0.01/0.22/0.01, dsn=4.7.1, status=deferred (host mta5.am0.yahoodns.net[66.196.118.37] said: 421 4.7.1 [TS03] All messages from 198.211.97.170 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html (in reply to MAIL FROM command))
Jan 23 19:59:40 jazz postfix/error[24490]: ED8C67342F: to=<sistriza90@hotmail.com>, relay=none, delay=227803, delays=227803/0/0/0.08, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24414]: E221A2DDB1: to=<virilover@hotmail.com>, relay=none, delay=280844, delays=280844/0.01/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24489]: E56236769C: to=<nightrider3467@yahoo.com>, relay=none, delay=231774, delays=231774/0.01/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24497]: E69E314D67E: to=<abedin.mohsen@yahoo.com>, relay=none, delay=91520, delays=91520/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24493]: EB5D429EF7: to=<j_freak77@yahoo.com>, relay=none, delay=272469, delays=272469/0/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.38] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24413]: ECC0F14914C: to=<chrischris7777@aol.com>, relay=none, delay=407383, delays=407383/0/0/0.04, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-03.mx.aol.com[152.163.0.67] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Jan 23 19:59:40 jazz postfix/error[24475]: E959D318E3: to=<ciscolive@live.com>, relay=none, delay=147336, delays=147336/0/0/0.06, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[65.55.33.135] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/smtp[21665]: E5D1499C74: to=<jackfreeman@dr.com>, relay=mx00.gmx.com[74.208.5.4]:25, delay=17654, delays=17654/0.01/0.18/0, dsn=4.0.0, status=deferred (host mx00.gmx.com[74.208.5.4] refused to talk to me: 554-gmx.net (mxgmxus002) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is black listed. 554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=198.211.97.170&c=bip)
Jan 23 19:59:40 jazz postfix/error[24473]: E9EF3B3CF2: to=<armandoguaman123@hotmail.es>, relay=none, delay=96253, delays=96253/0/0/0.05, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[207.46.8.167] while sending RCPT TO)
Jan 23 19:59:40 jazz postfix/error[24432]: EAB677725B: to=<shiroike@hotmail.com>, relay=none, delay=88137, delays=88137/0.02/0/0.14, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx3.hotmail.com[65.55.37.120] while sending RCPT TO)

 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40567210
I do have virtualmin/webmin installed on the server, I'm not sure how to lock down relaying... though I do have it turned off, if that's what you mean. All the online tools I use to test mail relaying say it's locked down.

So it's not like a hacked account on my server that someone is using (I have very few users, all family members).

It sounds to me like one of your users has a virus or other type of malware that is doing this.
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40567211
I don't do postfix (i'm a sendmail gal).  can you get the headers from a message waiting to be delivered in the mail queue?

in sendmail, the IP attempting to send the message is shown in the logs and it's not clear in the postfix logs.
 

Author Comment

by:St_Aug_Beach_Bum
ID: 40567225
If I turn off my postfix server, that looks like it stopped mail going in/out for now until this can be figured out.

My server load has come down, but remains higher than normal... would that be just from all the incoming spam or bounced messages being refused?
 

Author Comment

by:St_Aug_Beach_Bum
ID: 40567232
Yeh, I remember my old server would say who the connection was from in the log... I'm checking on this..
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40567233
both most likely.
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40567235
I don't know much about Postfix, but it may help to have your users require a password when sending e-mail.
 
LVL 62

Expert Comment

by:gheist
ID: 40568594
first things first:
service postfix stop

Now try to find where this mail is received and how. The log snippets just show you distributing spam.