  #1  
Old 24th January 2008, 06:41
friday friday is offline
Member
 
Join Date: Oct 2006
Posts: 31
Thanks: 4
Thanked 0 Times in 0 Posts
Something fishy going on

Using mailgraph, I noticed a huge amount of outbound emails leaving a client's server, and an even larger number of emails being bounced. Many of these outgoing emails leave a log of:

Jan 24 00:40:49 mail postfix/qmgr[19462]: E56095D173A: from=<>, size=17458, nrcpt=1 (queue active)
Jan 24 00:40:49 mail postfix/qmgr[19462]: EA3D15D1BF7: from=<>, size=6695, nrcpt=1 (queue active)
Jan 24 00:40:49 mail postfix/qmgr[19462]: E1CE45D1CAD: from=<>, size=6699, nrcpt=1 (queue active)
Jan 24 00:40:49 mail postfix/qmgr[19462]: EB1095D1C74: from=<>, size=6937, nrcpt=1 (queue active)
Jan 24 00:40:49 mail postfix/qmgr[19462]: EFF5B5D14C4: from=<>, size=16613, nrcpt=1 (queue active)
Jan 24 00:40:49 mail postfix/qmgr[19462]: E86C25D1CA8: from=<>, size=6937, nrcpt=1 (queue active)
Jan 24 00:40:49 mail postfix/qmgr[19462]: EAE665D1697: from=<>, size=6641, nrcpt=1 (queue active)

There are hundreds of logs like this. I've got this funny feeling this isn't a good thing. Any ideas?

Edit: I ran a postsuper command to clear out a queue, and some 2300 odd messages were deleted. I have a feeling that a simple account may have been compromised, such as creating a user named abuse. There was also an info account, and I've changed the password.

I noticed most of the above outbound emails happened at 1AM, and lasted until 2AM.

Last edited by friday; 24th January 2008 at 07:11.
  #2  
Old 24th January 2008, 08:07
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,461
Thanks: 813
Thanked 5,240 Times in 4,108 Posts

Quote:
Jan 24 00:40:49 mail postfix/qmgr[19462]: E56095D173A: from=<>, size=17458, nrcpt=1 (queue active)
These are bounce messages.

The behaviour that you describe might be caused by a compromised account, or another possibility is that it's a spam attack. Someone is sending spam emails from another server (not yours) but uses a sender email address of a domain that is hosted on your server. All undeliverable messages are now going to your server, and if one of the addresses does not exist on your server, it sends a bounce message back.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
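Both posts above turn on the same observation: a burst of `from=<>` entries in the Postfix qmgr log (the null sender marks a bounce or other delivery status notification). The script below is an added example, not code from the thread or from ISPConfig; it parses qmgr "queue active" lines, counts null-sender messages per hour alongside normal mail, and flags hours where bounces exceed a threshold, which is how the 1AM-2AM burst friday describes would show up. The first two sample lines are copied from post #1; the remaining lines, the queue IDs and addresses in them, and the threshold value are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log. The first two lines are from the thread; the rest
# (queue IDs, addresses, times) are made up to show a bounce burst at 01:xx.
SAMPLE_LOG = """\
Jan 24 00:40:49 mail postfix/qmgr[19462]: E56095D173A: from=<>, size=17458, nrcpt=1 (queue active)
Jan 24 00:40:49 mail postfix/qmgr[19462]: EA3D15D1BF7: from=<>, size=6695, nrcpt=1 (queue active)
Jan 24 00:41:02 mail postfix/qmgr[19462]: 1234567890A: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jan 24 01:05:10 mail postfix/qmgr[19462]: AAAA1111BBB: from=<>, size=6937, nrcpt=1 (queue active)
Jan 24 01:05:11 mail postfix/qmgr[19462]: AAAA1111BBC: from=<>, size=6937, nrcpt=1 (queue active)
Jan 24 01:05:12 mail postfix/qmgr[19462]: AAAA1111BBD: from=<>, size=6937, nrcpt=1 (queue active)
Jan 24 01:06:00 mail postfix/qmgr[19462]: AAAA1111BBE: from=<>, size=6641, nrcpt=1 (queue active)
Jan 24 09:15:00 mail postfix/qmgr[19462]: CCCC2222DDD: from=<bob@example.com>, size=1024, nrcpt=2 (queue active)
Jan 24 09:15:30 mail postfix/qmgr[19462]: CCCC2222DDE: from=<>, size=3000, nrcpt=1 (queue active)
"""

# Matches the syslog-style qmgr line format shown in the thread:
# "<Mon> <day> <HH:MM:SS> <host> postfix/qmgr[pid]: <QUEUEID>: from=<sender>, size=N, nrcpt=N (queue active)"
QMGR_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hour>\d\d):(?P<min>\d\d):(?P<sec>\d\d)"
    r"\s+\S+\s+postfix/qmgr\[\d+\]:\s+(?P<qid>[0-9A-F]+):\s+"
    r"from=<(?P<sender>[^>]*)>,\s+size=(?P<size>\d+),\s+nrcpt=(?P<nrcpt>\d+)\s+\(queue active\)"
)


def parse_qmgr_line(line):
    """Return a dict for a qmgr 'queue active' line, or None if it is some other line.

    An empty sender (from=<>) is the null envelope sender that Postfix uses for
    bounces and other delivery status notifications.
    """
    m = QMGR_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "hour": f"{d['month']} {int(d['day']):2d} {d['hour']}",  # e.g. "Jan 24 01"
        "qid": d["qid"],
        "sender": d["sender"],
        "size": int(d["size"]),
        "nrcpt": int(d["nrcpt"]),
        "is_bounce": d["sender"] == "",
    }


def count_by_hour(log_text):
    """Count null-sender ('bounce') and normal ('other') queue activations per hour."""
    counts = defaultdict(lambda: {"bounce": 0, "other": 0})
    for line in log_text.splitlines():
        rec = parse_qmgr_line(line)
        if rec is None:
            continue  # not a qmgr queue-active line; skip
        counts[rec["hour"]]["bounce" if rec["is_bounce"] else "other"] += 1
    return dict(counts)


def flag_bounce_bursts(log_text, threshold=100):
    """Return (hour, bounce_count) pairs where bounces reach the threshold.

    The default threshold is an assumed value; tune it to the server's normal
    bounce volume, which is usually a small fraction of outbound mail.
    """
    return sorted(
        (hour, c["bounce"])
        for hour, c in count_by_hour(log_text).items()
        if c["bounce"] >= threshold
    )


if __name__ == "__main__":
    # To run against a real log, replace SAMPLE_LOG with the file contents.
    for hour, n in flag_bounce_bursts(SAMPLE_LOG, threshold=3):
        print(f"{hour}: {n} null-sender messages entered the active queue")
```

A `from=<>` line on its own is not proof of backscatter, since a server legitimately generates a few bounces for its own users' mail; what matters is the ratio to normal traffic and the recipient addresses of the bounces, which appear in the matching `postfix/smtp` delivery lines. If the bounces are going to addresses in domains the server does not host, Till's second explanation fits: the server accepted mail for recipients that do not exist and then bounced it to a forged sender. The remedy in that case is to reject unknown recipients during the SMTP session rather than after acceptance, which Postfix does for local domains by default through its recipient validation.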
  #3  
Old 25th January 2008, 06:00
friday friday is offline
Member
 
Join Date: Oct 2006
Posts: 31
Thanks: 4
Thanked 0 Times in 0 Posts

Thanks Till, your reply is always appreciated.

Well, the simple, easy-to-figure-out accounts have been either deleted or modified, and with the queue cleared out, the problem seems to have been solved. Judging by last night's logs, we only sent out a handful, and not the thousands we were doing previously.