HowtoForge Forums > ISPConfig 2 > General

Old 21st April 2008, 23:12
dactor dactor is offline
Junior Member
 
Join Date: Jan 2008
Posts: 21
Thanks: 1
Thanked 0 Times in 0 Posts
Default too much spam traffic....provider threatning to close account if continue using ispco

Hello

I have an unmanaged VPS account with a provider. When I look into my mail.log I see too much traffic that is not related to my domains.

The following is an excerpt from my log:

Apr 21 15:34:34 li7-94 postfix/smtp[19001]: 0F22D1469B: to=<caleb.everettmv@nextrasgr.it>, relay=none, delay=103575, delays=103545/0.08/30/0, dsn=4.4.1, status=deferred (connect to nextrasgr.it[195.46.218.192]: Connection timed out)
Apr 21 15:34:34 li7-94 postfix/smtp[19004]: connect to unccvm.uncc.edu[152.15.40.22]: Connection timed out (port 25)
Apr 21 15:34:34 li7-94 postfix/smtp[19004]: C683F14661: to=<ali00dmh@unccvm.uncc.edu>, relay=none, delay=170726, delays=170696/0.09/30/0, dsn=4.4.1, status=deferred (connect to unccvm.uncc.edu[152.15.40.22]: Connection timed out)
Apr 21 15:34:34 li7-94 postfix/smtp[19002]: connect to wishthumbs.vg[72.20.110.8]: Connection timed out (port 25)
Apr 21 15:34:34 li7-94 postfix/smtp[19003]: connect to eumc.eu.int[193.154.180.197]: Connection timed out (port 25)
Apr 21 15:34:34 li7-94 postfix/smtp[19003]: 3A3E714679: to=<jo.goodey@eumc.eu.int>, relay=none, delay=172677, delays=172647/0.11/30/0, dsn=4.4.1, status=deferred (connect to eumc.eu.int[193.154.180.197]: Connection timed out)
Apr 21 15:35:04 li7-94 postfix/smtp[19002]: connect to wishthumbs.vg[208.87.149.250]: Connection timed out (port 25)
Apr 21 15:35:04 li7-94 postfix/smtp[19002]: 4556814665: to=<iraq@wishthumbs.vg>, relay=none, delay=172761, delays=172701/0.06/60/0, dsn=4.4.1, status=deferred (connect to wishthumbs.vg[208.87.149.250]: Connection timed out)
Apr 21 15:39:04 li7-94 postfix/qmgr[4400]: 3B43714654: from=<5fswdf34s@citigroup.com>, size=1433, nrcpt=1 (queue active)
Apr 21 15:39:04 li7-94 postfix/qmgr[4400]: 2E8BD146B5: from=<serv24@creval.it>, size=1679, nrcpt=1 (queue active)
Apr 21 15:39:04 li7-94 postfix/qmgr[4400]: 75491146BE: from=<serv24@creval.it>, size=1689, nrcpt=1 (queue active)
Apr 21 15:39:05 li7-94 postfix/smtp[19077]: connect to mail.tuttocitta.it[212.48.3.171]: Connection refused (port 25)
Apr 21 15:39:05 li7-94 postfix/smtp[19077]: 2E8BD146B5: to=<yachtclubferrara@tuttocitta.it>, relay=none, delay=105631, delays=105631/0.07/0.4/0, dsn=4.4.1, status=deferred (connect to mail.tuttocitta.it[212.48.3.171]: Connection refused)
Apr 21 15:39:08 li7-94 postfix/smtp[19079]: 75491146BE: to=<presidente@bandascecilialbavilla.it>, relay=none, delay=55140, delays=55137/0.06/3.8/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=bandascecilialbavilla.it type=MX: Host not found, try again)
Apr 21 15:39:35 li7-94 postfix/smtp[19078]: connect to neighborhoodexclusive.com[66.246.195.42]: Connection timed out (port 25)
Apr 21 15:39:35 li7-94 postfix/smtp[19078]: 3B43714654: to=<info@neighborhoodexclusive.com>, relay=none, delay=174929, delays=174899/0.08/30/0, dsn=4.4.1, status=deferred (connect to neighborhoodexclusive.com[66.246.195.42]: Connection timed out)
Apr 21 15:44:04 li7-94 postfix/qmgr[4400]: 6F31A146C3: from=<asec@creval.it>, size=1679, nrcpt=1 (queue active)
Apr 21 15:44:04 li7-94 postfix/qmgr[4400]: C6EE7146CC: from=<serv24@creval.it>, size=1671, nrcpt=1 (queue active)
Apr 21 15:44:04 li7-94 postfix/qmgr[4400]: BB520146D5: from=<serv24@creval.it>, size=1647, nrcpt=1 (queue active)
Apr 21 15:44:07 li7-94 postfix/smtp[19143]: C6EE7146CC: to=<spyroviaggi@spyroviaggi.it>, relay=none, delay=105564, delays=105560/0.07/3.2/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=spyroviaggi.it type=MX: Host not found, try again)
Apr 21 15:44:34 li7-94 postfix/smtp[19144]: connect to krak.it[82.98.86.162]: Connection timed out (port 25)
Apr 21 15:44:34 li7-94 postfix/smtp[19144]: BB520146D5: to=<quadri@krak.it>, relay=none, delay=105556, delays=105526/0.06/30/0, dsn=4.4.1, status=deferred (connect to krak.it[82.98.86.162]: Connection timed out)
Apr 21 15:44:34 li7-94 postfix/smtp[19142]: connect to almamegretta.com[66.246.195.42]: Connection timed out (port 25)
Apr 21 15:44:34 li7-94 postfix/smtp[19142]: 6F31A146C3: to=<d.rad@almamegretta.com>, relay=none, delay=48955, delays=48925/0.05/30/0, dsn=4.4.1, status=deferred (connect to almamegretta.com[66.246.195.42]: Connection timed out)
Apr 21 15:49:04 li7-94 postfix/qmgr[4400]: 095DE146DC: from=<serv24@creval.it>, size=1665, nrcpt=1 (queue active)
Apr 21 15:49:04 li7-94 postfix/qmgr[4400]: 31AD6146A1: from=<asec@creval.it>, size=1667, nrcpt=1 (queue active)

I tried to figure out what the problem is and why I am getting these hits, but with no luck. The provider has shut down the server a couple of times until I resolve this issue. I don't see how I can go about investigating this further. The only catch I found was that ClamAV is out of date and needed an update. I am also not sure if it is a SpamAssassin problem.

Are there daily administration and maintenance steps to do on ISPConfig?

Can someone help me please? I don't want to remove ISPConfig and want to solve the issues.

Ramis
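For triage of a mail.log excerpt like the one above, here is an added example (not code from the post or from ISPConfig): it parses the Postfix qmgr and smtp lines, lists envelope sender domains that are not local to the server (forged senders such as creval.it are typical of relayed spam or bounced spam), counts deferred deliveries per recipient domain, and reports how long the oldest message has been sitting in the queue. The sample lines are a shortened, constructed copy of the posted format, and LOCAL_DOMAINS is a hypothetical placeholder for the domains the server really hosts.

```python
import re
from collections import Counter

# Constructed sample in the format of the mail.log excerpt posted above (shortened).
SAMPLE_LOG = """\
Apr 21 15:34:34 li7-94 postfix/smtp[19001]: 0F22D1469B: to=<caleb.everettmv@nextrasgr.it>, relay=none, delay=103575, delays=103545/0.08/30/0, dsn=4.4.1, status=deferred (connect to nextrasgr.it[195.46.218.192]: Connection timed out)
Apr 21 15:39:04 li7-94 postfix/qmgr[4400]: 3B43714654: from=<5fswdf34s@citigroup.com>, size=1433, nrcpt=1 (queue active)
Apr 21 15:39:04 li7-94 postfix/qmgr[4400]: 2E8BD146B5: from=<serv24@creval.it>, size=1679, nrcpt=1 (queue active)
Apr 21 15:39:05 li7-94 postfix/smtp[19077]: 2E8BD146B5: to=<yachtclubferrara@tuttocitta.it>, relay=none, delay=105631, delays=105631/0.07/0.4/0, dsn=4.4.1, status=deferred (connect to mail.tuttocitta.it[212.48.3.171]: Connection refused)
Apr 21 15:39:35 li7-94 postfix/smtp[19078]: 3B43714654: to=<info@neighborhoodexclusive.com>, relay=none, delay=174929, delays=174899/0.08/30/0, dsn=4.4.1, status=deferred (connect to neighborhoodexclusive.com[66.246.195.42]: Connection timed out)
"""

# Domains this server is supposed to send mail for (hypothetical placeholder).
LOCAL_DOMAINS = {"example.org"}

# qmgr line: queue id plus envelope sender; smtp line: queue id, recipient, delay, status.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>"
                     r".*?delay=(?P<delay>\d+).*?status=(?P<status>\w+)")

def domain_of(addr):
    """Lower-cased domain part of an address, '' for a null sender."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(log_text, local_domains):
    senders = {}                  # queue id -> envelope sender
    foreign_senders = Counter()   # sender domains the server has no business using
    deferred = Counter()          # deferred deliveries per recipient domain
    oldest = 0                    # longest time (seconds) a message has been queued
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
            dom = domain_of(m["sender"])
            if dom and dom not in local_domains:
                foreign_senders[dom] += 1
            continue
        m = SMTP_RE.search(line)
        if m and m["status"] == "deferred":
            deferred[domain_of(m["rcpt"])] += 1
            oldest = max(oldest, int(m["delay"]))
    return {"foreign_senders": foreign_senders, "deferred": deferred,
            "oldest_days": oldest // 86400, "senders": senders}

if __name__ == "__main__":
    r = triage(SAMPLE_LOG, LOCAL_DOMAINS)
    print("forged/foreign sender domains:", dict(r["foreign_senders"]))
    print("deferred per recipient domain:", dict(r["deferred"]))
    print("oldest queued message: about", r["oldest_days"], "days")
```

Run it against the real /var/log/mail.log with the server's own domains in LOCAL_DOMAINS; a queue full of foreign sender domains and multi-day deferrals is the pattern the provider is complaining about.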
#2  21st April 2008, 23:16, till (Super Moderator)

Quote:
I don't want to remove ISPConfig and want to solve the issues.
This won't help you at all, as this is not an ISPConfig problem.

Your server is most likely an open relay, or someone uses a website or script which is hosted on your server to send spam mails. Please post the content of the main.cf file.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3  21st April 2008, 23:33, dactor (Junior Member)

This is main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = li7-XX.members.XXX.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = li7-XX.members.XXX.com,localhost.li7-XX.members.XXX.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names

I also have the old main.cf from before installing ISPConfig.
#4  22nd April 2008, 11:41, till (Super Moderator)

The main.cf is fine and your server is not an open relay. But you should check this with an open relay test too:

http://www.abuse.net/relay.html

Another possible source of the spam is a vulnerable mail form or a CMS system. You should check all mail forms and, if possible, update all CMS systems on your server to the latest versions.
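Till's reading of the posted main.cf (not an open relay) can be checked mechanically. This is an added example, not code from the thread or from ISPConfig: it parses a main.cf, confirms that smtpd_recipient_restrictions reaches reject_unauth_destination before any bare permit and that mynetworks does not trust the whole internet, and notes the relay path that remains, SASL-authenticated users and scripts on the box itself. The excerpt is constructed from the posted file; Postfix's compiled-in defaults are not modelled, so only parameters present in the file are considered.

```python
import re

# Constructed excerpt in the style of the main.cf posted above (not the whole file).
SAMPLE_MAIN_CF = """\
# Debian specific: Specifying a file name will cause the first
myhostname = li7-XX.members.XXX.com
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Minimal main.cf reader: 'key = value', '#' comments, indented continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last:          # continuation of the previous parameter
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params

def relay_findings(params):
    """Return (errors, notes). Any error means the server relays for anyone;
    parameters missing from the file count as unset (compiled defaults not modelled)."""
    errors, notes = [], []
    restr = [t for t in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if t]
    stop = next((i for i, t in enumerate(restr)
                 if t in ("reject_unauth_destination", "defer_unauth_destination")), None)
    if stop is None:
        errors.append("smtpd_recipient_restrictions never rejects unauthorised destinations")
    elif "permit" in restr[:stop]:
        errors.append("a bare 'permit' comes before reject_unauth_destination")
    for net in re.split(r"[,\s]+", params.get("mynetworks", "127.0.0.0/8")):
        if net.endswith("/0"):
            errors.append(f"mynetworks trusts the whole internet ({net})")
    if params.get("smtpd_sasl_auth_enable") == "yes" and "permit_sasl_authenticated" in restr:
        notes.append("SASL users may relay: a stolen mailbox password or a script on the "
                     "server still sends spam even though it is not an open relay")
    return errors, notes

if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    errs, notes = relay_findings(cfg)
    print("open relay:", bool(errs), errs, notes)
```

Point parse_main_cf at /etc/postfix/main.cf to run it on a live box; an empty error list agrees with Till, and the note is the reason the external relay test he links can pass while the queue still fills up.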
#5  22nd April 2008, 11:53, dactor (Junior Member)

Thanks a million, Till, for the verification.

I did check my mail queue system to find that it's full (as shown above), then I did:

postsuper -d ALL (to delete the whole mail queue)

Then I checked mailq:

/usr/bin/mailq

and found that things are back to normal (kinda). My mail log file has been reasonably active since yesterday's clearing of mailq.

This is weird though!!!!! Let's wait and see...
All times are GMT +2.