HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation

#1 - 20th June 2007, 13:18 - Jorem (Senior Member)
Sendmail / php spam problem

I think there is a leak in one of the mailforms on the server. Last night the server sent around 500.000 spam emails from my server using sendmail and I think the mail() function from php.

Every time I shut down sendmail it stops. As soon as I activate Sendmail again the load rises and spam mails are sent from the server.

How can I find out which script is the one with the leak?

I use CentOS 4.4 with ISPConfig and this is a part of the maillog:

Jun 20 13:09:43 joremserver postfix/smtp[12908]: connect to f.mx.mail.yahoo.com[209.191.88.247]: read timeout (port 25)
Jun 20 13:09:45 joremserver postfix/smtp[12639]: connect to f.mx.mail.yahoo.com[68.142.202.247]: read timeout (port 25)
Jun 20 13:09:46 joremserver postfix/smtp[12639]: connect to b.mx.mail.yahoo.com[66.196.97.250]: server refused to talk to me: 421 Message from (85.92.128.10) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (port 25)
Jun 20 13:09:46 joremserver postfix/smtp[12639]: connect to e.mx.mail.yahoo.com[216.39.53.1]: server refused to talk to me: 421 Message from (85.92.128.10) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (port 25)
Jun 20 13:09:46 joremserver postfix/smtp[12639]: connect to g.mx.mail.yahoo.com[209.191.88.239]: server refused to talk to me: 421 Message from (85.92.128.10) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (port 25)
Jun 20 13:09:49 joremserver postfix/smtpd[15563]: connect from omr-d24.mx.aol.com[205.188.249.68]
Jun 20 13:09:51 joremserver postfix/smtpd[15563]: 0753D1000006: client=omr-d24.mx.aol.com[205.188.249.68]
Jun 20 13:09:51 joremserver postfix/cleanup[17166]: 0753D1000006: message-id=<200706201109.l5KB9eIE008475@omr-d24.mx.aol.com>
Jun 20 13:10:04 joremserver postfix/smtp[12908]: connect to b.mx.mail.yahoo.com[66.196.97.250]: server refused to talk to me: 421 Message from (85.92.128.10) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (port 25)
Jun 20 13:10:04 joremserver postfix/smtp[12760]: connect to d.mx.mail.yahoo.com[216.39.53.2]: read timeout (port 25)
Jun 20 13:10:05 joremserver postfix/smtp[12760]: E54BD1000047: to=<johnwayneluver_03@yahoo.com>, relay=g.mx.mail.yahoo.com[206.190.53.191], delay=332, status=sent (250 ok dirdel)
Jun 20 13:10:05 joremserver postfix/qmgr[7586]: warning: qmgr_active_done_3_generic: remove E54BD1000047 from active: No such file or directory
Jun 20 13:10:07 joremserver postfix/smtp[12639]: 7C7AC100005E: to=<oseojeahere@yahoo.com>, relay=c.mx.mail.yahoo.com[68.142.237.182], delay=662, status=deferred (host c.mx.mail.yahoo.com[68.142.237.182] said: 421 Message temporarily deferred - 4.16.51. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html (in reply to end of DATA command))
Jun 20 13:10:07 joremserver postfix/qmgr[7586]: warning: qmgr_active_corrupt: save corrupt file queue active id 7C7AC100005E: No such file or directory

Thanks for your help.
#2 - 20th June 2007, 15:29 - Jorem (Senior Member)

Is there maybe some kind of mail filtering for sendmail before the email is sent?

All the spam mails are then deleted before they are sent. Sounds great, but is this possible?
#3 - 20th June 2007, 15:40 - Hans (Moderator)

You mention Sendmail, but I guess you're using Postfix as your MTA.
You can check your Postfix queue with:

mailq

and release or delete the queued messages with the postsuper command:

postsuper -r *QUEUE ID* (for releasing one)
postsuper -r ALL (for releasing ALL)
postsuper -d *QUEUE ID* (for deleting one)
postsuper -d ALL (for deleting ALL)

You must try to find the insecure webform and make it more secure!
Probably the messages are sent by using the user www-data (on Debian).
If you are using suPHP, it is easier to locate the form, as the php-scripts are executed by the administrator user/group of the website.
Hans
MrHostman | Master in managed hosting

Last edited by Hans; 20th June 2007 at 15:52.

#4 - 20th June 2007, 15:54 - Jorem (Senior Member)

Thanks for the help Hans,

I did the commands yesterday and the queue is empty now. I also thought that Postfix did the email. But when I shut down sendmail no mail is sent anymore and the server load goes down. The moment I start sendmail, it takes about 5 minutes and the load goes up again.

That's why I thought it had something to do with sendmail.

I use CentOS and in the maillogs I can't see where they are sent from. On another forum I read about the X-Tracker for the mailheaders. That worked great on Debian, but not on CentOS. With the php patch every mail header has the info of the user and script it is sent from.

Now it is going to be a never ending search I'm afraid (looking for a needle in a haystack, as we say). Or is there also such a script for CentOS maybe? I found: http://www.webhostgear.com/232.html
But I did not get it to work.
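Hans's advice to locate the insecure form and Jorem's search for a header patch that records the sending script both come down to the same defensive trick: wrap the sendmail binary that PHP's mail() calls and log who invoked it. The wrapper below is an added example, not code from the thread, from ISPConfig or from the webhostgear page; it assumes the real binary has been renamed to /usr/sbin/sendmail.real and logs to /var/log/phpmail.log (both hypothetical paths).

```shell
#!/bin/sh
# Added example (not from the thread): a logging wrapper in front of the real
# sendmail binary. PHP's mail() runs the configured sendmail_path, so pointing
# that at this wrapper records, for every call, the calling user, the working
# directory (PHP chdir()s into the script's directory, so this is the leaking
# script's folder) and the script path when the SAPI exports it (CGI/suPHP do;
# mod_php usually does not), then hands the message on unchanged.
# Assumed paths: real binary /usr/sbin/sendmail.real, log /var/log/phpmail.log.

REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.real}"
MAIL_LOG="${MAIL_LOG:-/var/log/phpmail.log}"

# Build one log line from what the caller's environment tells us.
# $1 = user, $2 = working directory, $3 = script path (may be empty), $4 = args
build_log_line() {
    script="${3:-unknown}"
    printf '%s uid=%s cwd=%s script=%s args=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "$2" "$script" "$4"
}

# Act as the wrapper only when installed under a sendmail name (for example
# /usr/sbin/sendmail.wrapper); under any other name only the function above
# is defined, so the file can be sourced and checked without sending mail.
case "$(basename "$0")" in
    sendmail|sendmail.wrapper)
        build_log_line "$(id -un)" "$PWD" "${SCRIPT_FILENAME:-$SCRIPT_NAME}" "$*" \
            >> "$MAIL_LOG"
        exec "$REAL_SENDMAIL" "$@"
        ;;
esac
```

After renaming the real binary, set sendmail_path = "/usr/sbin/sendmail.wrapper -t -i" in php.ini and restart Apache; the cwd column then points at the vhost directory whose form is being abused, and the log volume itself shows when the abuse starts.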