29th March 2013, 11:08
arraken
problem seems to be solved for now

Ok, the problem seems to be fixed for now. I'll post a little summary of the problem and of what I did, as this may be interesting to other ISPConfig 3 users that also use the standard Postfix settings.

1. My mailserver sent masses of spam mails to seemingly random accounts (mostly @yahoo.com). My log was full of lines like this:
Code:
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<ho08132000@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<hot7495@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<hwahwa09091203@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<i5325@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
2. There were lots of logins from a mail account on my server, all from the same IP.

3. As a result of the many spam mails, Yahoo blocked the IP of my server.

What i did was the following:

1. Panicked and tried to find out what the hell was going on...
2. Tried some stuff that didn't work, most of which I can't remember in the correct order now...
3. What I think did the trick was that I changed the password of the account which I thought was compromised, and removed all mail from the queue (which was completely clogged up). Afterwards there were no more outgoing spam mails in my mail.log.

The hardest part was finding the compromised account, because the mail log was filling up so fast that it was hard to find useful information. If anyone has some info on how to identify a compromised account quickly, I would be glad to hear it.


I still see spam mail blocks in my mail log, but the spam comes from the outside now and gets blocked, if I interpret it correctly. Here's a short snippet:

Code:
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 0DBC22134107: from=<ellipsej7@verbatim.com>, size=2461, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 0EAAD213410A: from=<2B6FC5FB46@albrightins.com>, size=5221, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: F400621340DF: from=<fusilladejs@google.com>, size=1797, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: E426E2134109: from=<ramoni0838@adsensesurf.com>, size=2865, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7DB341FBE351: from=<F86E74B2E@acecars.net>, size=5396, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 79D781FBE34F: from=<27FD215@4-action.com>, size=5261, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7F4632134152: from=<mabelhliz634@maaslichtengeluid.com>, size=2694, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7929F21340AA: from=<nutmegkp4@8pdi.com>, size=2482, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: D6F7F1FBE353: from=<386C4DDC@akmar.info>, size=5178, nrcpt=1 (queue active)
which gets followed by:

Code:
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 1D1B7213410B: from=<rabbiesw62@megacs.com>, size=2489, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/pipe[330]: 647FA2138021: to=<smuglyaguirre@domainOnMyServer.at>, orig_to=<smuglyaguirre@vitak.at>, relay=maildrop, delay=8889, delays=8889/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/smuglyaguirre/337.0.server1.  )
Mar 29 08:58:36 server1 postfix/pipe[324]: A6F4B1FBE2A7: to=<evalyn.danby@domainOnMyServer.at>, orig_to=<evalyn.danby@vitak.at>, relay=maildrop, delay=42406, delays=42406/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/evalyn.danby/332.0.server1.  )
Mar 29 08:58:36 server1 postfix/pipe[315]: B38AF21340DE: to=<markus.novak@domainOnMyServer.at>, orig_to=<markus.novak@vitak.at>, relay=maildrop, delay=25730, delays=25730/0.03/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/markus.novak/339.0.server1.  )
Mar 29 08:58:36 server1 postfix/pipe[336]: BF10F213419A: to=<kontaktformular@domainOnMyServer.at>, orig_to=<kontaktformular@vitak.at>, relay=maildrop, delay=2384, delays=2384/0.03/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/kontaktformular/343.0.
So I guess that's all right?

Are there some best practices for preventing something like this in the future? It may be that another account gets compromised, and I don't want to go through this again.

PS: even though I didn't get replies here in the forum, I still got quick help via private messages - so thanks for that!
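The post above asks how to find the compromised account quickly when the log is flooding. The trick is that the envelope sender in the qmgr lines (from=<...>) is chosen by the spammer and is usually forged, while the sasl_username on the smtpd line that accepted the message is the real identity; the two lines share a queue ID, so join on that. The script below is an added example, not part of the original post and not ISPConfig or Postfix code. It assumes the standard Postfix log format with SASL authentication enabled (client=host[IP], sasl_method=..., sasl_username=... on smtpd lines; from=<...>, size=N, nrcpt=M on qmgr lines); the sample log lines, the account names and the documentation-range IPs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): rank SASL accounts by the
# number of envelope recipients they injected, by joining each smtpd
# login line to the qmgr line with the same queue ID. Also count logins
# per (account, client IP), the other half of the stolen-credential signature.
#
# Assumed log format (standard Postfix with SASL enabled):
#   ... postfix/smtpd[PID]: QUEUEID: client=host[IP], sasl_method=PLAIN, sasl_username=user@domain
#   ... postfix/qmgr[PID]:  QUEUEID: from=<sender>, size=N, nrcpt=M (queue active)

# Constructed sample log (made-up accounts, documentation IPs): one account
# injects three ~50-recipient messages from one IP with forged senders, one
# account behaves normally, and one message arrives unauthenticated from
# another MX (no sasl_username, so it must not be attributed to anyone).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 28 17:40:01 server1 postfix/smtpd[3001]: 1A2B3C4D5E: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 28 17:40:01 server1 postfix/qmgr[3936]: 1A2B3C4D5E: from=<ramoni0838@example.net>, size=2865, nrcpt=50 (queue active)
Mar 28 17:40:02 server1 postfix/smtpd[3001]: 2B3C4D5E6F: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 28 17:40:02 server1 postfix/qmgr[3936]: 2B3C4D5E6F: from=<nutmegkp4@example.org>, size=2482, nrcpt=50 (queue active)
Mar 28 17:40:03 server1 postfix/smtpd[3002]: 3C4D5E6F70: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 28 17:40:03 server1 postfix/qmgr[3936]: 3C4D5E6F70: from=<fusilladejs@example.com>, size=1797, nrcpt=49 (queue active)
Mar 28 17:41:10 server1 postfix/smtpd[3005]: 4D5E6F7081: client=home.example[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 28 17:41:10 server1 postfix/qmgr[3936]: 4D5E6F7081: from=<bob@example.com>, size=1200, nrcpt=1 (queue active)
Mar 28 17:42:00 server1 postfix/smtpd[3006]: 5E6F708192: client=mx.example.net[192.0.2.25]
Mar 28 17:42:00 server1 postfix/qmgr[3936]: 5E6F708192: from=<ellipsej7@example.net>, size=2461, nrcpt=1 (queue active)
EOF

# Sum envelope recipients per authenticated account, highest first.
# Field 6 of every line is "QUEUEID:", which is the join key.
recipients_per_auth_user() {
    awk '
      /postfix\/smtpd/ && /sasl_username=/ {
          qid = $6; sub(/:$/, "", qid)
          user = ""
          for (i = 1; i <= NF; i++)
              if ($i ~ /^sasl_username=/) { user = substr($i, 15); sub(/,$/, "", user) }
          owner[qid] = user
      }
      /postfix\/qmgr/ && /nrcpt=/ {
          qid = $6; sub(/:$/, "", qid)
          if (qid in owner) {
              n = 0
              for (i = 1; i <= NF; i++)
                  if ($i ~ /^nrcpt=/) { n = substr($i, 7) + 0 }
              rcpt[owner[qid]] += n
          }
      }
      END { for (u in rcpt) print rcpt[u], u }
    ' "$1" | sort -rn
}

# Count logins per (account, client IP), highest first. The IP is the part
# of field 7 ("client=host[IP],") between the brackets.
logins_per_account() {
    awk '
      /postfix\/smtpd/ && /sasl_username=/ {
          c = $7
          s = index(c, "["); e = index(c, "]")
          ip = substr(c, s + 1, e - s - 1)
          user = ""
          for (i = 1; i <= NF; i++)
              if ($i ~ /^sasl_username=/) { user = substr($i, 15); sub(/,$/, "", user) }
          count[user " " ip]++
      }
      END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Just the account name at the top of the recipient ranking.
top_suspect() {
    recipients_per_auth_user "$1" | head -n 1 | awk '{ print $2 }'
}

echo "recipients per authenticated account:"
recipients_per_auth_user "$SAMPLE_LOG"
echo "logins per account and client IP:"
logins_per_account "$SAMPLE_LOG"
echo "top suspect: $(top_suspect "$SAMPLE_LOG")"
```

On a real server, point the functions at the live log (for example `recipients_per_auth_user /var/log/mail.log`) rather than the constructed sample; the unauthenticated inbound message in the sample is deliberately left unattributed, which is why inbound spam like the second snippet in the post does not show up in the ranking.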