HowtoForge Forums > Linux Forums > Server Operation
#1
26th January 2009, 18:18
giganet (Senior Member)
How Would I Secure An SMTP Server Other Than Using SMTP Auth??

Hello Group...

As of December 28, 2008 the server I am going to ask questions about was configured to utilize Postfix mail server with SMTP-AUTH and TLS.

My question is what else would I do to stop spammers from utilizing my Email server?
I am not sure if my server is being impersonated or what??

My bandwidth provider Verizon Business's abuse team has sent me an Email abuse report stating that my server 65.197.209.3 giganetwireless.net is being used to transmit spam.

Below is the output after running 'tail -f /var/log/mail.log' (I have no Email address www-data@giganetwireless.net uid=33):
Code:
Jan 26 10:47:35 giganetwireless postfix/cleanup[31813]: C276535CDFB0: message-id=<20090126184735.C276535CDFB0@giganetwireless.net>
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: C3E4D35CE0FF: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/cleanup[31812]: C3E4D35CE0FF: message-id=<20090126184735.C3E4D35CE0FF@giganetwireless.net>
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: C4FC335CE100: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/cleanup[31811]: C4FC335CE100: message-id=<20090126184735.C4FC335CE100@giganetwireless.net>
Jan 26 10:47:35 giganetwireless postfix/smtp[8847]: certificate verification failed for suprilinx.com.br: num=18:self signed certificate
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: CEEF835CE101: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/cleanup[31815]: CEEF835CE101: message-id=<20090126184735.CEEF835CE101@giganetwireless.net>
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: D29C135CE102: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/cleanup[30245]: D29C135CE102: message-id=<20090126184735.D29C135CE102@giganetwireless.net>
Jan 26 10:47:35 giganetwireless postfix/smtp[32106]: certificate verification failed for mail.stillnet.com.br: num=18:self signed certificate
Jan 26 10:47:36 giganetwireless postfix/smtp[19151]: certificate verification failed for abelisauro.starbks.com.br: num=18:self signed certificate
Jan 26 10:47:36 giganetwireless postfix/smtp[25751]: D200B3595D0D: to=<andre4@sti.com.br>, relay=mx.br.inter.net[200.142.77.19]:25, conn_use=3, delay=1142, delays=0.03/1125/6.3/10, dsn=5.1.1, status=bounced (host mx.br.inter.net[200.142.77.19] said: 550 5.1.1 <andre4@sti.com.br>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Jan 26 10:47:36 giganetwireless postfix/smtp[32033]: ED207359DCB3: to=<andre1@super.com.br>, relay=mail3.netpar.com.br[200.103.225.17]:25, delay=1143, delays=0.03/1124/3.2/16, dsn=2.0.0, status=sent (250 Ok: queued as C3CC13C0062)
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: ED207359DCB3: removed
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 2D40D359572C: from=<>, size=6755, nrcpt=1 (queue active)
Jan 26 10:47:36 giganetwireless postfix/local[536]: 2D40D359572C: to=<www-data@giganetwireless.net>, relay=local, delay=169, delays=169/0/0/0.03, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 2D40D359572C: removed
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: D7F1C359583E: from=<www-data@giganetwireless.net>, size=4834, nrcpt=1 (queue active)
Jan 26 10:47:36 giganetwireless postfix/smtpd[5454]: 2A4E2359572C: client=slbnat3.br.inter.net[200.142.77.7]
Jan 26 10:47:36 giganetwireless postfix/smtp[17153]: 29EBD359DE02: to=<andre@sysnetway.com.br>, relay=none, delay=1139, delays=0.06/1138/0.97/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=sysnetway.com.br type=AAAA: Host found but no data record of requested type)
Jan 26 10:47:36 giganetwireless postfix/cleanup[30257]: 69B3F35CE104: message-id=<20090126184736.69B3F35CE104@giganetwireless.net>
Jan 26 10:47:36 giganetwireless postfix/bounce[25445]: 29EBD359DE02: sender non-delivery notification: 69B3F35CE104
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 29EBD359DE02: removed
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 0F6FB35CDD3A: from=<www-data@giganetwireless.net>, size=4827, nrcpt=1 (queue active)
Jan 26 10:47:36 giganetwireless postfix/cleanup[31810]: 2A4E2359572C: message-id=<20090126184733.9D7E7A3F25C@robusta.br.inter.net>
Jan 26 10:47:36 giganetwireless postfix/smtp[15411]: 4722B359DE07: to=<andre_carioca@starmedia.c>, relay=none, delay=1139, delays=0.15/1138/1/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=starmedia.c type=AAAA: Host not found)
Jan 26 10:47:36 giganetwireless postfix/cleanup[30284]: 805A1359DE02: message-id=<20090126184736.805A1359DE02@giganetwireless.net>
Jan 26 10:47:36 giganetwireless postfix/bounce[25445]: 4722B359DE07: sender non-delivery notification: 805A1359DE02
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 4722B359DE07: removed
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 83D21359DDC5: from=<www-data@giganetwireless.net>, size=4824, nrcpt=1 (queue active)
Jan 26 10:47:36 giganetwireless postfix/smtpd[1499]: connect from zeus.solar.com.br[200.199.212.49]
I have just created an Email account www-data@giganetwireless.net and in came thousands of "Undelivered Mail Returned to Sender" messages!
What does this mean when someone can utilize my server using www-data as the user name to send Spam?

What can I do to stop or at least control this from happening?
I just don't understand how an Email server that uses SMTP-AUTH can be used as a spammer network which tends to operate from South America??

Description of incident:
Code:
-From : From 3816469853.b414d312@bounces.spamcop.net Mon Jan 26 06:32:21 2009
Received : from omzesmtp03a.verizonbusiness.com (omzesmtp03a.verizonbusiness.com [199.249.25.201])    by pdcetmsdrs03.mcilink.com (8.11.7p3+Sun/8.11.7) with ESMTP id n0Q6WL912442    for <abuse@pdcetmsdrs03.mcilink.com>; Mon, 26 Jan 2009 06:32:21 GMT
Received : from omzesmtp03a.verizonbusiness.com ([127.0.0.1]) by firewall.verizonbusiness.com (Sun Java(tm) System Messaging Server 6.3-5.02 (built Oct 12 2007; 32bit)) with ESMTP id <0KE200727FHXCR00@firewall.verizonbusiness.com> for abuse@verizonbusiness.com; Mon, 26 Jan 2009 06:32:21 +0000 (GMT)
Received : from sc-smtp1-bulkmx.soma.ironport.com ([204.15.82.123]) by firewall.verizonbusiness.com (Sun Java(tm) System Messaging Server 6.3-5.02 (built Oct 12 2007; 32bit)) with ESMTP id <0KE20074EFHWCO00@firewall.verizonbusiness.com> for abuse@uu.net; Mon, 26 Jan 2009 06:32:21 +0000 (GMT)
Received : from sc-app9.spamcop.net ([204.15.82.88]) by sc-smtp-vip.soma.ironport.com with SMTP; Sun, 25 Jan 2009 22:32:20 -0800
Received : from [200.161.138.186] by spamcop.net    with HTTP; Mon, 26 Jan 2009 06:32:20 +0000 (GMT)
>From : ITM NETWORKS - Abuse <3816469853@reports.spamcop.net>
To : abuse@uu.net
Subject : [SpamCop (65.197.209.3) id:3816469853]
Precedence : list
Message-id : <rid_3816469853@msgid.spamcop.net>
Date : Sun, 25 Jan 2009 18:12:32 -0300
X-SpamCop-sourceip : 65.197.209.3
X-Mailer : http://www.spamcop.net/ v2

The header of the offensive Email:
Code:
Return-Path: <www-data@giganetwireless.net>
Received: from mail.giganetwireless.net [65.197.209.3] by winmail1mx.winserversecure.com with SMTP;
   Sun, 25 Jan 2009 18:12:32 -0300
Received: by giganetwireless.net (Postfix, from userid 33)
    id 8D03C359673E; Sun, 25 Jan 2009 10:16:12 -0800 (PST)
Date: Sun Jan 25 09:59:40 PST 2009
From: Caixa Economica Federal <cef@ns1.gov.br>
To: x
X-SmarterMail-Spam: SPF_None, Custom Header [user in Received:5;]
X-SmarterMail-TotalSpamWeight: 15
Thanking you in advance for your suggestions and time.

Best Regards

Last edited by giganet; 26th January 2009 at 20:30. Reason: Abuse Email Information
#2
27th January 2009, 18:48
falko (Super Moderator)

www-data is the user that your Apache web server runs under, so I guess you have a vulnerable contact form or web application that spammers abuse to send their spam.
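The diagnosis above (mail handed in locally by the web server's uid rather than through SMTP-AUTH) can be confirmed from mail.log itself; this added script is not code from the thread and carries its own sample lines, taken from the first post's excerpt plus one constructed authenticated-submission line.

```python
"""Postfix mail.log triage: which path is spam entering the queue on?

Added example for this thread, not code from the original post. It reads
mail.log lines and classifies every queue ID by entry path, so that local
submission by a system user (pickup: "uid=33 from=<www-data>", i.e. the web
server calling sendmail(1)) is counted separately from network submission
through smtpd, with or without SASL authentication.
"""
import re
from collections import Counter

# pickup(8) logs mail handed in locally via sendmail(1)/postdrop, with the
# submitting uid; that is the path the thread's www-data mail arrived on.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
# smtpd(8) logs mail received over the network; an authenticated session
# carries sasl_method=... and sasl_username=... on the same line.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)(?P<rest>.*)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
# Delivery agents (smtp, local, error) log the outcome per recipient.
STATUS_RE = re.compile(
    r"postfix/(?:smtp|local|error)\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>.*status=(?P<status>\w+)")


def triage(lines):
    """Summarise entry paths and delivery outcomes for an iterable of log lines."""
    entry = {}                 # queue id -> description of how it entered
    pickup_by_uid = Counter()  # local submissions per uid
    smtpd_by_auth = Counter()  # network submissions per SASL user / unauthenticated
    status = Counter()         # sent / bounced / deferred ...
    for line in lines:
        m = PICKUP_RE.search(line)
        if m:
            entry[m["qid"]] = "pickup uid=%s from=<%s>" % (m["uid"], m["sender"])
            pickup_by_uid[m["uid"]] += 1
            continue
        m = SMTPD_RE.search(line)
        if m:
            sasl = SASL_RE.search(m["rest"])
            user = sasl["user"].rstrip(",") if sasl else "unauthenticated"
            entry[m["qid"]] = "smtpd client=%s auth=%s" % (m["client"], user)
            smtpd_by_auth[user] += 1
            continue
        m = STATUS_RE.search(line)
        if m:
            status[m["status"]] += 1
    return {
        "pickup_by_uid": dict(pickup_by_uid),
        "smtpd_by_auth": dict(smtpd_by_auth),
        "status": dict(status),
        "entry": entry,
    }


def local_submitters(summary):
    """Return [(uid, count)] sorted by volume; the top entry is the uid to chase."""
    return sorted(summary["pickup_by_uid"].items(), key=lambda kv: -kv[1])


def report(summary):
    """Human-readable version of triage() output."""
    out = ["local submissions (pickup) per uid:"]
    out += ["  uid %s: %d" % kv for kv in local_submitters(summary)]
    out.append("network submissions (smtpd) per SASL user:")
    out += ["  %s: %d" % kv for kv in sorted(summary["smtpd_by_auth"].items())]
    out.append("delivery status counts: %s" % dict(sorted(summary["status"].items())))
    return "\n".join(out)


# Sample input: lines from the thread's mail.log excerpt, plus one constructed
# authenticated-submission line (queue id, client host and user are made up)
# to show how an SMTP-AUTH session is logged and counted.
SAMPLE_LOG = """\
Jan 26 10:47:35 giganetwireless postfix/cleanup[31813]: C276535CDFB0: message-id=<20090126184735.C276535CDFB0@giganetwireless.net>
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: C3E4D35CE0FF: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: C4FC335CE100: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: CEEF835CE101: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: D29C135CE102: uid=33 from=<www-data>
Jan 26 10:47:36 giganetwireless postfix/smtp[25751]: D200B3595D0D: to=<andre4@sti.com.br>, relay=mx.br.inter.net[200.142.77.19]:25, conn_use=3, delay=1142, delays=0.03/1125/6.3/10, dsn=5.1.1, status=bounced (host mx.br.inter.net[200.142.77.19] said: 550 5.1.1 <andre4@sti.com.br>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Jan 26 10:47:36 giganetwireless postfix/smtp[32033]: ED207359DCB3: to=<andre1@super.com.br>, relay=mail3.netpar.com.br[200.103.225.17]:25, delay=1143, delays=0.03/1124/3.2/16, dsn=2.0.0, status=sent (250 Ok: queued as C3CC13C0062)
Jan 26 10:47:36 giganetwireless postfix/local[536]: 2D40D359572C: to=<www-data@giganetwireless.net>, relay=local, delay=169, delays=169/0/0/0.03, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Jan 26 10:47:36 giganetwireless postfix/smtpd[5454]: 2A4E2359572C: client=slbnat3.br.inter.net[200.142.77.7]
Jan 26 10:47:36 giganetwireless postfix/smtp[17153]: 29EBD359DE02: to=<andre@sysnetway.com.br>, relay=none, delay=1139, delays=0.06/1138/0.97/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=sysnetway.com.br type=AAAA: Host found but no data record of requested type)
Jan 26 10:47:36 giganetwireless postfix/smtp[15411]: 4722B359DE07: to=<andre_carioca@starmedia.c>, relay=none, delay=1139, delays=0.15/1138/1/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=starmedia.c type=AAAA: Host not found)
Jan 26 10:47:36 giganetwireless postfix/smtpd[1499]: connect from zeus.solar.com.br[200.199.212.49]
Jan 26 10:48:01 giganetwireless postfix/smtpd[5460]: 0ABC0123DEF4: client=example-client.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.net
""".splitlines()

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

A uid 33 count that dwarfs the authenticated counts points at a script running under the web server, not at SMTP-AUTH; until that script is found, Postfix's authorized_submit_users (postconf(5), Postfix 2.2 and later) can deny sendmail(1) submission to that uid, which covers the pickup path seen here but not a script that speaks SMTP to localhost.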
#3
28th January 2009, 06:49
giganet (Senior Member)


Thank you Falko

Later yesterday I did find the reference to www-data in httpd.conf.

I don't have many applications on this domain so I will go through all of them until I find the problem.
#4
28th January 2009, 21:33
giganet (Senior Member)


I have scoured this domain for applications or form based communications that spammers could be using.

This domain giganetwireless.net has no web-site; its index redirects to my .com address.

Joomla was installed and I have removed it, thinking its contact form was being exploited.

I just can't seem to put my finger on what spammers are using to funnel spam through my server.

Can anyone help me get to the bottom of this??

Thanking you in advance for your help...

Best Regards
#5
29th January 2009, 18:16
falko (Super Moderator)


Now that you've removed Joomla, is your server still being abused?
#6
29th January 2009, 18:40
giganet (Senior Member)


Thank you Falko

After removing Joomla things changed somewhat, but I feel we are still being abused.

When I run 'netstat -tap' these are the average results:
Code:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:mysql                 *:*                     LISTEN     3684/mysqld
tcp        0      0 *:www                   *:*                     LISTEN     8961/apache2
tcp        0      0 *:54000                 *:*                     LISTEN     1192/sshd
tcp        0      0 *:81                    *:*                     LISTEN     18008/ispconfig_htt
tcp        0      0 *:ftp                   *:*                     LISTEN     6827/proftpd: (acce
tcp        0      0 65.197.209.15:domain    *:*                     LISTEN     22183/named
tcp        0      0 65.197.209.11:domain    *:*                     LISTEN     22183/named
tcp        0      0 65.197.209.9:domain     *:*                     LISTEN     22183/named
tcp        0      0 65.197.209.8:domain     *:*                     LISTEN     22183/named
tcp        0      0 65.197.209.7:domain     *:*                     LISTEN     22183/named
tcp        0      0 mail.webmail.gig:domain *:*                     LISTEN     22183/named
tcp        0      0 giganetwireless.:domain *:*                     LISTEN     22183/named
tcp        0      0 localhost.locald:domain *:*                     LISTEN     22183/named
tcp        0      0 mail.giganetwire:domain *:*                     LISTEN     29463/named
tcp        0      0 65.197.209.20:domain    *:*                     LISTEN     12001/named
tcp        0      0 65.197.209.19:domain    *:*                     LISTEN     12001/named
tcp        0      0 65.197.209.18:domain    *:*                     LISTEN     12001/named
tcp        0      0 65.197.209.17:domain    *:*                     LISTEN     12001/named
tcp        0      0 65.197.209.16:domain    *:*                     LISTEN     12001/named
tcp        0      0 65.197.209.14:domain    *:*                     LISTEN     12001/named
tcp        0      0 65.197.209.13:domain    *:*                     LISTEN     12001/named
tcp        0      0 65.197.209.12:domain    *:*                     LISTEN     12001/named
tcp        0      0 *:smtp                  *:*                     LISTEN     9644/master
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN     22183/named
tcp        0      0 *:https                 *:*                     LISTEN     8961/apache2
tcp        0      1 giganetwireless.n:46919 serverbr7.com:smtp      SYN_SENT   9718/smtp
tcp        0      1 giganetwireless.n:43865 horus5.uol.com.br:smtp  SYN_SENT   9715/smtp
tcp        0      1 giganetwireless.n:40587 chih30122037-01.ps:smtp SYN_SENT   9704/smtp
tcp        0      1 giganetwireless.n:35289 69.64.159.1:smtp        SYN_SENT   9714/smtp
tcp        0      1 giganetwireless.n:48613 www173.sedoparking:smtp SYN_SENT   9739/smtp
tcp        0      1 giganetwireless.n:35720 oecbr01i-mx.idc.br:smtp SYN_SENT   9702/smtp
tcp        0      0 giganetwireless.n:58059 ardent.xo.com:smtp      ESTABLISHED9671/smtp
tcp        0      1 giganetwireless.n:47379 radius.memlane.com:smtp SYN_SENT   9736/smtp
tcp        0      1 giganetwireless.n:59436 www.millenniumbcp.:smtp SYN_SENT   9735/smtp
tcp        0      1 giganetwireless.n:33829 64.20.60.99:smtp        SYN_SENT   9712/smtp
tcp        0      1 giganetwireless.n:59509 www.millenniumbcp.:smtp SYN_SENT   9681/smtp
tcp        0      1 giganetwireless.n:39152 195.210.91.40:smtp      SYN_SENT   9687/smtp
tcp        0      1 giganetwireless.n:45026 mta-v10.mail.vip.m:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:48598 www173.sedoparking:smtp SYN_SENT   9677/smtp
tcp        0      1 giganetwireless.n:38818 rootdc.ukzn.ac.za:smtp  SYN_SENT   9696/smtp
tcp        0      1 giganetwireless.n:52718 69.25.47.166:smtp       SYN_SENT   9684/smtp
tcp        0      0 giganetwireless.n:58052 ardent.xo.com:smtp      ESTABLISHED9678/smtp
tcp        0      1 giganetwireless.n:46819 smtp.astron.net.au:smtp SYN_SENT   9670/smtp
tcp        0      1 giganetwireless.n:48595 www173.sedoparking:smtp SYN_SENT   9662/smtp
tcp        0      0 giganetwireless.n:48806 correio.redeintegr:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:34340 www163.sedoparking:smtp SYN_SENT   9752/smtp
tcp        0      1 giganetwireless.n:50147 62-127-98-49.telen:smtp SYN_SENT   9724/smtp
tcp        0      1 giganetwireless.n:56061 ptr-216-8-179-26.p:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:50147 62-127-98-49.telen:smtp SYN_SENT   9724/smtp
tcp        0      1 giganetwireless.n:34339 webmail.infraero.c:smtp SYN_SENT   9750/smtp
tcp        0      1 giganetwireless.n:34147 209.10.134.188:smtp     SYN_SENT   9722/smtp
tcp        0      0 giganetwireless.n:57412 mta-v14.mail.vip.r:smtp ESTABLISHED9656/smtp
tcp        0      1 giganetwireless.n:53541 mail.vivo.net.br:smtp   SYN_SENT   9751/smtp
tcp        0      1 giganetwireless.n:35537 www.rdzarana.com:smtp   SYN_SENT   9698/smtp
tcp        0      1 giganetwireless.n:59892 amazonas.uol.com.b:smtp SYN_SENT   9710/smtp
tcp        0      1 giganetwireless.n:57950 mail.pmgi.com:smtp      SYN_SENT   9734/smtp
tcp        0      1 giganetwireless.n:40600 mx3.2send-svt.net:smtp  SYN_SENT   9723/smtp
tcp        0      1 giganetwireless.n:55895 ptr-216-8-179-26.p:smtp SYN_SENT   9693/smtp
tcp        0      1 giganetwireless.n:59128 localhost:smtp          SYN_SENT   -
tcp        0      1 giganetwireless.n:56207 exch-temp.perth.le:smtp SYN_SENT   9741/smtp
tcp        0      0 giganetwireless.n:50486 indefatigable.xo.c:smtp ESTABLISHED-
tcp        0      1 giganetwireless.n:38147 64.69.82.202:smtp       SYN_SENT   9679/smtp
tcp        0      1 giganetwireless.n:36536 www161.sedoparking:smtp SYN_SENT   9694/smtp
tcp        0      1 giganetwireless.n:41230 ca.af.3845.static.:smtp SYN_SENT   9666/smtp
tcp        0      0 giganetwireless.n:33105 mail.turboseg.com.:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:58762 64.20.35.155:smtp       SYN_SENT   9697/smtp
tcp        0      1 giganetwireless.n:51179 vip-vr20.tuk.traff:smtp SYN_SENT   9746/smtp
tcp        0      0 giganetwireless.n:38695 terra.grupoequipav:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:59513 207.46.31.61:smtp       SYN_SENT   -
tcp        0      0 giganetwireless.n:38695 terra.grupoequipav:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:60237 69-46-228-35.parke:smtp SYN_SENT   9688/smtp
tcp        0      1 giganetwireless.n:59445 207.46.31.61:smtp       SYN_SENT   9664/smtp
tcp        0      1 giganetwireless.n:59117 mta-v15.mail.vip.r:smtp SYN_SENT   9745/smtp
tcp        0      1 giganetwireless.n:40068 mailserver01.mailu:smtp SYN_SENT   9728/smtp
tcp        0      1 giganetwireless.n:35333 208.45.133.107:smtp     SYN_SENT   9703/smtp
tcp        0      1 giganetwireless.n:53227 66.150.161.44:smtp      SYN_SENT   9729/smtp
tcp        0      1 giganetwireless.n:57411 216.66.64.29:smtp       SYN_SENT   9743/smtp
tcp        0      0 giganetwireless.n:45229 lagosnet.com.br:smtp    TIME_WAIT  -
tcp        0      1 giganetwireless.n:45034 69-46-228-57.parke:smtp SYN_SENT   9682/smtp
tcp        0      1 giganetwireless.n:40084 66.246.235.42:smtp      SYN_SENT   9706/smtp
tcp        0      0 giganetwireless.n:42909 ns2.comnt.com.br:smtp   TIME_WAIT  -
tcp        0      1 giganetwireless.n:47543 www167.sedoparking:smtp SYN_SENT   9658/smtp
tcp        0      1 giganetwireless.n:54715 www175.sedoparking:smtp SYN_SENT   9747/smtp
tcp        0      1 giganetwireless.n:35300 69.64.159.1:smtp        SYN_SENT   9742/smtp
tcp        0      0 giganetwireless.n:57425 mta-v14.mail.vip.r:smtp ESTABLISHED-
tcp        0      1 giganetwireless.n:56217 89.104.215.152:smtp     SYN_SENT   9674/smtp
tcp        0      1 giganetwireless.n:41165 gaivota.ipen.br:smtp    SYN_SENT   9680/smtp
tcp        0      1 giganetwireless.n:47771 69.64.147.249:smtp      SYN_SENT   9683/smtp
tcp        0      1 giganetwireless.n:47771 69.64.147.249:smtp      SYN_SENT   9683/smtp
tcp        0      0 giganetwireless.n:50492 indefatigable.xo.c:smtp ESTABLISHED-
tcp        0      1 giganetwireless.n:51024 ns.nesteoil.com:smtp    SYN_SENT   9726/smtp
tcp        0      1 giganetwireless.n:59172 200.185.134.56:smtp     SYN_SENT   9733/smtp
tcp        0      1 giganetwireless.n:37017 uranio.alanet.com.:smtp SYN_SENT   9708/smtp
tcp        0      1 giganetwireless.n:49835 200-196-243-166.ti:smtp SYN_SENT   9673/smtp
tcp        0      1 giganetwireless.n:59485 207.46.31.61:smtp       SYN_SENT   -
tcp        0      1 giganetwireless.n:47836 campinas.unimedcam:smtp SYN_SENT   9740/smtp
tcp        0      1 giganetwireless.n:46124 windows5.digiweb.c:smtp SYN_SENT   9730/smtp
tcp        0      1 giganetwireless.n:59068 mta-v15.mail.vip.r:smtp SYN_SENT   9665/smtp
tcp        0      1 giganetwireless.n:50987 67.215.165.31:smtp      SYN_SENT   9709/smtp
tcp        0      1 giganetwireless.n:47827 63.240.17.163:smtp      SYN_SENT   9713/smtp
tcp        0      1 giganetwireless.n:47592 www167.sedoparking:smtp SYN_SENT   9676/smtp
tcp        0      1 giganetwireless.n:34410 148.240.4.32:smtp       SYN_SENT   9721/smtp
tcp        0      1 giganetwireless.n:56082 200.87.136.211:smtp     SYN_SENT   -
tcp        0      0 giganetwireless.n:60051 pinatubo.incor.usp:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:39856 201-016-217-007.st:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:53390 66.150.161.44:smtp      SYN_SENT   -
tcp        0      1 giganetwireless.n:36649 www161.sedoparking:smtp SYN_SENT   9659/smtp
tcp        0      1 giganetwireless.n:44262 mx1.2send-svt.net:smtp  SYN_SENT   -
tcp        0      1 giganetwireless.n:43023 wf.networksolution:smtp SYN_SENT   -
tcp        0      0 giganetwireless.n:45500 lagosnet.com.br:smtp    TIME_WAIT  -
tcp        0      1 giganetwireless.n:39788 smtp.mtmcampos.com:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:41906 horus6.uol.com.br:smtp  SYN_SENT   -
tcp        0      0 giganetwireless.n:57506 mail.redelago.com.:smtp TIME_WAIT  -
tcp        0      0 giganetwireless.n:48800 mx1.fmzmidiadigita:smtp TIME_WAIT  -
tcp        0    148 giganetwireless.n:54000 65.197.209.10:63695     ESTABLISHED7545/sshd: bender [
tcp        0      0 giganetwireless.n:48514 mta-v12.mail.vip.r:smtp ESTABLISHED9657/smtp
tcp        0    148 giganetwireless.n:54000 65.197.209.10:63695     ESTABLISHED7545/sshd: bender [
tcp        0      0 giganetwireless.n:48514 mta-v12.mail.vip.r:smtp ESTABLISHED9657/smtp
tcp        0      1 giganetwireless.n:59688 207.46.31.61:smtp       SYN_SENT   -
tcp        0      1 giganetwireless.n:59658 207.46.31.61:smtp       SYN_SENT   -
tcp        0      0 giganetwireless.n:53510 triumph.bcentralho:smtp ESTABLISHED-
tcp        0      1 giganetwireless.n:39789 mx01.mail.bellsout:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:59665 207.46.31.61:smtp       SYN_SENT   -
tcp        0      1 giganetwireless.n:43001 www.sbc.com:smtp        SYN_SENT   -
tcp        0      1 giganetwireless.n:51783 200-102-210-81.pae:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:51394 ws10170.us.odebrec:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:44273 andromeda.frontier:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:43824 maxmail2.websitedy:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:54877 www175.sedoparking:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:51394 ws10170.us.odebrec:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:44273 andromeda.frontier:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:43824 maxmail2.websitedy:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:54877 www175.sedoparking:smtp SYN_SENT   -
tcp        0      0 giganetwireless.n:51196 faplan.razaoinfo.c:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:59701 207.46.31.61:smtp       SYN_SENT   -
tcp        0      0 giganetwireless.n:56355 mx1.bcmg.com.br:smtp    TIME_WAIT  -
tcp        0      1 giganetwireless.n:59701 207.46.31.61:smtp       SYN_SENT   -
tcp        0      0 giganetwireless.n:56355 mx1.bcmg.com.br:smtp    TIME_WAIT  -
tcp        0      0 giganetwireless.n:45596 lagosnet.com.br:smtp    TIME_WAIT  -
tcp        0      0 giganetwireless.n:36663 icis.pcz.pl:smtp        TIME_WAIT  -
tcp        0      0 giganetwireless.n:34245 linux.acia.com.br:smtp  TIME_WAIT  -
tcp        0      0 giganetwireless.n:60051 pinatubo.incor.usp:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:39856 201-016-217-007.st:smtp SYN_SENT   -
tcp        0      0 giganetwireless.n:60051 pinatubo.incor.usp:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:39856 201-016-217-007.st:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:53390 66.150.161.44:smtp      SYN_SENT   -
tcp        0      0 giganetwireless.n:58193 ardent.xo.com:smtp      TIME_WAIT  -
tcp        0      0 giganetwireless.n:45593 lagosnet.com.br:smtp    TIME_WAIT  -
tcp        0      0 giganetwireless.n:51263 faplan.razaoinfo.c:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:44262 mx1.2send-svt.net:smtp  SYN_SENT   -
tcp        0      1 giganetwireless.n:43023 wf.networksolution:smtp SYN_SENT   -
tcp        0      1 giganetwireless.n:38516 rrcs-67-52-107-24.:smtp SYN_SENT   -
tcp        0     12 giganetwireless.n:42162 200.101.14.100:smtp     ESTABLISHED-
tcp        0      0 giganetwireless.n:35073 itans.servpro.com.:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:32945 64.20.60.106:smtp       SYN_SENT   -
tcp        0      0 giganetwireless.n:49653 hermes.digi.com.br:smtp TIME_WAIT  -
tcp        0      0 giganetwireless.n:35073 itans.servpro.com.:smtp TIME_WAIT  -
tcp        0      1 giganetwireless.n:32945 64.20.60.106:smtp       SYN_SENT   -
tcp        0      0 giganetwireless.n:49653 hermes.digi.com.br:smtp TIME_WAIT  -
tcp6       0      0 *:imaps                 *:*                     LISTEN     12060/couriertcpd
tcp6       0      0 *:pop3s                 *:*                     LISTEN     12103/couriertcpd
tcp6       0      0 *:32998                 *:*                     LISTEN     3900/sshd
tcp6       0      0 *:pop3                  *:*                     LISTEN     9303/couriertcpd
tcp6       0      0 *:imap2                 *:*                     LISTEN     11985/couriertcpd
tcp6       0      0 *:smtp                  *:*                     LISTEN     9644/master
tcp6       0      0 ip6-localhost:953       *:*                     LISTEN     22183/named

Likewise when I run 'tail -f /var/log/mail.log' on the mail.log I receive these results:
Code:
Jan 29 09:33:14 giganetwireless postfix/error[9814]: CF6A71C88A51: to=<anderson2@bahianet.com.br>, relay=none, delay=256266, delays=256133/133/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/error[9797]: CD936359EE02: to=<apaecedit@bahianet.com.br>, relay=none, delay=326292, delays=326160/132/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/error[9790]: CEB6235AF190: to=<angelojr3@bahianet.com.br>, relay=none, delay=255612, delays=255479/133/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: EC913359F395: from=<www-data@giganetwireless.net>, size=4771, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/error[9789]: EF3CC1C88D5F: to=<andrea@bahianet.com.br>, relay=none, delay=256256, delays=256256/0/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/error[9783]: C666735AF18F: to=<angelojr1@bahianet.com.br>, relay=none, delay=255612, delays=255479/133/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: DEB8B3594ACE: from=<www-data@giganetwireless.net>, size=4771, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/error[9782]: CD7551C8849E: to=<aducsal@bahianet.com.br>, relay=none, delay=326325, delays=326192/133/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/error[9785]: C3DE93595C1C: to=<anselo@bahianet.com.br>, relay=none, delay=255060, delays=254927/133/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: 0CDE535AE5DF: from=<www-data@giganetwireless.net>, size=4780, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: D40A61C8992A: from=<www-data@giganetwireless.net>, size=4759, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/error[9786]: C2D44359EA77: to=<aparicio@bahianet.com.br>, relay=none, delay=254711, delays=254578/132/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: EE7E435AF7E4: from=<www-data@giganetwireless.net>, size=4772, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/error[9784]: 3F07335CC025: to=<arcez@bahianet.com.br>, relay=none, delay=252848, delays=252715/133/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: D363A35AC46A: from=<www-data@giganetwireless.net>, size=4770, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/error[9796]: C6B0935CF9C1: to=<aras2@bahianet.com.br>, relay=none, delay=254361, delays=254228/133/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: EF98E35949E2: from=<www-data@giganetwireless.net>, size=4758, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/error[9815]: 2C309360D46C: to=<apalma@bahianet.com.br>, relay=none, delay=254711, delays=254579/133/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: D2EED3595AD8: from=<www-data@giganetwireless.net>, size=4767, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/error[9792]: 3C662360FD34: to=<aragao1@bahianet.com.br>, relay=none, delay=254367, delays=254234/133/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: 65B8A35ADAA4: from=<www-data@giganetwireless.net>, size=4774, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/error[9794]: CDD463595022: to=<anizio@bahianet.com.br>, relay=none, delay=255378, delays=255245/133/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/error[9817]: 3F61435CF302: to=<antoine@bahianet.com.br>, relay=none, delay=254982, delays=254849/132/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/error[9821]: 6355035AC951: to=<anjinho@bahianet.com.br>, relay=none, delay=255239, delays=255106/133/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to bahianet.com.br[204.16.2.40]: Connection refused)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: DF0951C8A8FE: from=<www-data@giganetwireless.net>, size=4764, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: 0C36B35964A7: from=<www-data@giganetwireless.net>, size=4762, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: D5839360F134: from=<www-data@giganetwireless.net>, size=4825, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: 6F90D1C8A560: from=<www-data@giganetwireless.net>, size=4777, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: D6CBF35AE7B2: from=<www-data@giganetwireless.net>, size=4770, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: 6BE4935AEBB8: from=<www-data@giganetwireless.net>, size=4768, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/smtp[9746]: 6411E35974DE: host ardent.xo.com[207.155.252.132] said: 451 <DMEJLDGJBOGJHGHAMNHIOEIOCLAA.elisete@ns.cma.net>: Recipient address rejected: Not primary MX for parent [0EO3Q2GLCR00] (in reply to RCPT TO command)
Jan 29 09:33:14 giganetwireless postfix/smtp[9713]: connect to enred.com[216.40.33.31]: Connection timed out (port 25)
Jan 29 09:33:14 giganetwireless postfix/smtp[9713]: 30AEC35940E5: to=<mbcolec@enred.com>, relay=none, delay=339126, delays=338991/104/31/0, dsn=4.4.1, status=deferred (connect to enred.com[216.40.33.31]: Connection timed out)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: 344DF359C8C4: from=<www-data@giganetwireless.net>, size=4770, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/smtp[9694]: connect to nis-portal.de[82.98.78.69]: Connection timed out (port 25)
Jan 29 09:33:14 giganetwireless postfix/smtp[9694]: 35983359EE90: to=<Donna@nis-portal.de>, relay=none, delay=335196, delays=335061/105/31/0, dsn=4.4.1, status=deferred (connect to nis-portal.de[82.98.78.69]: Connection timed out)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: E46D3359C370: from=<www-data@giganetwireless.net>, size=4769, nrcpt=1 (queue active)
Jan 29 09:33:14 giganetwireless postfix/smtp[9744]: 49A2035AE23E: to=<tiagoguimaraes@trafo.com.br>, relay=mail.trafo.com.br[200.248.51.132]:25, delay=273687, delays=273552/133/2/0, dsn=4.0.0, status=deferred (host mail.trafo.com.br[200.248.51.132] refused to talk to me: 421 mail.trafo.com.br has refused your connection as your mail server appears to be blacklisted)
Jan 29 09:33:14 giganetwireless postfix/qmgr[9648]: 2B83735ACA05: from=<www-data@giganetwireless.net>, size=4776, nrcpt=1 (queue active)
Jan 29 09:33:15 giganetwireless postfix/smtp[9741]: B8E313597085: to=<ylsuar@yahoo.com.sg>, relay=mx1.mail.sg1.yahoo.com[124.108.116.72]:25, delay=307734, delays=307599/134/1.3/0, dsn=4.7.1, status=deferred (host mx1.mail.sg1.yahoo.com[124.108.116.72] refused to talk to me: 421 4.7.1 [TS03] All messages from 65.197.209.3 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html)
Jan 29 09:33:15 giganetwireless postfix/qmgr[9648]: 68493359CFE9: from=<www-data@giganetwireless.net>, size=4771, nrcpt=1 (queue active)
Jan 29 09:33:15 giganetwireless postfix/smtp[9711]: connect to sec.secrel.com.br[200.194.96.34]: Connection timed out (port 25)
Jan 29 09:33:15 giganetwireless postfix/smtp[9711]: 3B26E360C63C: to=<anselaborses@sec.secrel.com.br>, relay=none, delay=255052, delays=254916/104/31/0, dsn=4.4.1, status=deferred (connect to sec.secrel.com.br[200.194.96.34]: Connection timed out)
Jan 29 09:33:15 giganetwireless postfix/qmgr[9648]: 42F9E1C8BD83: from=<www-data@giganetwireless.net>, size=4760, nrcpt=1 (queue active)
Jan 29 09:33:15 giganetwireless postfix/smtp[9703]: connect to elsitio.com[200.41.8.96]: Connection timed out (port 25)
Jan 29 09:33:15 giganetwireless postfix/smtp[9703]: 3CE7C35951F7: to=<andeman@elsitio.com>, relay=none, delay=256193, delays=256057/105/31/0, dsn=4.4.1, status=deferred (connect to elsitio.com[200.41.8.96]: Connection timed out)

Jeez my IP is poison to so many servers right now.
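The log excerpt above interleaves three Postfix record types that share a queue ID: pickup (which local uid handed the message to the sendmail binary), qmgr (the envelope sender) and smtp (the remote MX's verdict). The following script, added here as an example and not code from this thread, joins them by queue ID so that locally injected mail can be counted per uid next to the 421/blacklist refusals it produced; the log lines in it are constructed and the host names and addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Postfix log excerpt in this thread. Queue IDs,
# host names and addresses are made up; the record layout follows the original log.
SAMPLE_LOG = """\
Jan 29 09:33:14 host postfix/pickup[19050]: AAAA1A: uid=33 from=<www-data>
Jan 29 09:33:14 host postfix/qmgr[9648]: AAAA1A: from=<www-data@example.net>, size=4764, nrcpt=1 (queue active)
Jan 29 09:33:14 host postfix/pickup[19050]: BBBB2B: uid=33 from=<www-data>
Jan 29 09:33:14 host postfix/qmgr[9648]: BBBB2B: from=<www-data@example.net>, size=4770, nrcpt=1 (queue active)
Jan 29 09:33:14 host postfix/pickup[19050]: CCCC3C: uid=1000 from=<alice>
Jan 29 09:33:14 host postfix/qmgr[9648]: CCCC3C: from=<alice@example.net>, size=812, nrcpt=1 (queue active)
Jan 29 09:33:14 host postfix/smtp[9744]: AAAA1A: to=<x@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=273687, delays=273552/133/2/0, dsn=4.0.0, status=deferred (host mail.example.org[192.0.2.10] refused to talk to me: 421 mail.example.org has refused your connection as your mail server appears to be blacklisted)
Jan 29 09:33:15 host postfix/smtp[9741]: BBBB2B: to=<y@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=307734, delays=307599/134/1.3/0, dsn=4.7.1, status=deferred (host mx.example.com[192.0.2.20] refused to talk to me: 421 4.7.1 [TS03] All messages from 198.51.100.3 will be permanently deferred)
Jan 29 09:33:15 host postfix/smtp[9711]: CCCC3C: to=<z@example.edu>, relay=mx.example.edu[192.0.2.30]:25, delay=2, delays=1/0/1/0, dsn=2.0.0, status=sent (250 Ok)
"""

# pickup = local submitting uid, qmgr = envelope sender, smtp = remote verdict; joined on queue ID.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>.*status=(?P<status>\w+) \((?P<reason>.*)\)$")

def analyze(log_text):
    """Join the three record types by queue ID and summarise locally submitted mail."""
    uid_of, sender_of = {}, {}
    submitted_by_uid, deferred_by_uid, refusing_hosts = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            uid_of[m["qid"]] = int(m["uid"])
            submitted_by_uid[int(m["uid"])] += 1
            continue
        m = QMGR_RE.search(line)
        if m:
            sender_of[m["qid"]] = m["sender"]
            continue
        m = SMTP_RE.search(line)
        if not m or m["status"] != "deferred":
            continue
        if m["qid"] in uid_of:
            deferred_by_uid[uid_of[m["qid"]]] += 1
        reason = m["reason"]
        if "blacklist" in reason.lower() or " 421 " in reason:
            # "host NAME[IP] refused to talk to me: ..." -> NAME
            refusing_hosts[reason.split("host ", 1)[-1].split("[", 1)[0]] += 1
    # Which envelope senders each local uid used (ties uid 33 to www-data@... in the thread's case)
    senders_by_uid = {u: sorted({sender_of.get(q, "?") for q, qu in uid_of.items() if qu == u}) for u in submitted_by_uid}
    return {"submitted_by_uid": dict(submitted_by_uid), "deferred_by_uid": dict(deferred_by_uid),
            "refusing_hosts": dict(refusing_hosts), "senders_by_uid": senders_by_uid}
```

Run over a real /var/log/mail.log, a single local uid dominating submitted_by_uid while refusing_hosts grows is the signature of a web application on the box injecting mail.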
  #7  
Old 29th January 2009, 19:08
falko falko is offline
Super Moderator
 

Doesn't look good. Are there any other web applications/contact forms/etc. on your server?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #8  
Old 29th January 2009, 19:29
giganet giganet is offline
Senior Member
 

Thank you Falko

Aside from Joomla there are no other direct communication forms.

What exists on this server now is RoundCube, Cacti, & HelpCenter Live.

I just realized that HCL does have a PHP based contact form. Hmm, I will have to look over the application to see if I can disable the PHP based contact application without impacting HCL.

I am open to any additional ideas Falko.

Thank you for your time.

Best Regards
  #9  
Old 30th January 2009, 12:23
falko falko is offline
Super Moderator
 

Quote:
Originally Posted by giganet View Post
I just realized that HCL does have a PHP based contact form
That could be the reason.

Or maybe a weak Roundcube login...
  #10  
Old 2nd February 2009, 09:06
giganet giganet is offline
Senior Member
 

Thank you Falko

It appears that the vast majority of spam is appearing as though it has originated from 'www-data <at> giganetwireless <dot> net'.

I am wondering how would I best stop Email coming from that address at my server?

Also, would you feel that implementing How To Fight Spam Using Your Postfix Configuration in addition to Killing That Spam With Postgrey And Postfix would help in controlling this situation maybe?

Thanking you in advance for your help and support.

Best Regards
