Help swamped

Discussion in 'Installation/Configuration' started by cougarmaster, Nov 23, 2009.

  1. cougarmaster

    cougarmaster New Member

    Please help, I have no idea how to stop others from trying to use my mail server to spam. I have closed open relay, so no problem there. But /var/spool/postfix/active is getting flooded like there is no tomorrow, and I try to delete them but they still keep coming!

    Please advise

    ispconfig 2.2.33
     
  2. martinfst

    martinfst ISPConfig Developer ISPConfig Developer

    First, check if there is a website on your server being abused to send emails. Any CMS installed? Your mail log files may give you an indication of where the spam flood is generated on your server.

    It would help if you paste around 10-15 lines of your mail.log file here.
     
  3. cougarmaster

    cougarmaster New Member

    Ok

    I have no websites, only email. I will paste the mail log here.

    Nov 23 20:38:43 ispconfig1 postfix/qmgr[2166]: 26B891AB6B8: from=<>, size=5194, nrcpt=1 (queue active)
    Nov 23 20:38:43 ispconfig1 postfix/smtp[9384]: 9408F1A2653: to=<[email protected]>, relay=none, delay=18200, delays=18194/5.5/0.02/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=yahoo.coom type=AAAA: Host not found)
    Nov 23 20:38:43 ispconfig1 postfix/smtp[9281]: 12DA2437875: host mailin-01.mx.aol.com[205.188.159.57] refused to talk to me: 554 (RLY:B1) http://postmaster.info.aol.com/errors/554rlyb1.html
    Nov 23 20:38:43 ispconfig1 postfix/qmgr[2166]: 269F2436771: from=<[email protected]>, size=1833, nrcpt=50 (queue active)
    Nov 23 20:38:43 ispconfig1 postfix/error[9239]: EAC754366BE: to=<[email protected]>, relay=none, delay=37287, delays=37285/0.04/0/2.2, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with b.mx.mail.yahoo.com[66.196.82.7] while receiving the initial server greeting)
    Nov 23 20:38:43 ispconfig1 postfix/error[9370]: 24AAD1A20CB: to=<[email protected]>, relay=none, delay=18864, delays=18863/0.1/0/0.46, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.222.197] refused to talk to me: 554 (RLY:B1) http://postmaster.info.aol.com/errors/554rlyb1.html)
    Nov 23 20:38:43 ispconfig1 postfix/error[9222]: 24C2B437A54: to=<[email protected]>, relay=none, delay=29775, delays=29775/0.21/0/0.27, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.222.197] refused to talk to me: 554 (RLY:B1) http://postmaster.info.aol.com/errors/554rlyb1.html)
    Nov 23 20:38:43 ispconfig1 postfix/error[9380]: 2ED154366D8: to=<[email protected]>, relay=none, delay=325, delays=325/0.05/0/0.02, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with b.mx.mail.yahoo.com[66.196.82.7] while receiving the initial server greeting)
    Nov 23 20:38:43 ispconfig1 postfix/qmgr[2166]: 2E170437815: from=<>, size=5325, nrcpt=1 (queue active)
     
  4. Hans

    Hans Moderator ISPConfig Developer

    If you use suphp, you can also execute the command "top".
    Then you have an indication from which infected website spam is sent.
    If you use php as a module, the infected website is more difficult to find.

    Do you have a mail user named "ispconfig1" created?
    Probably the website of that user is infected, because of a vulnerable script.
     
    Last edited: Nov 23, 2009
  5. cougarmaster

    cougarmaster New Member

    No website

    I have no website atm, only email. Also, this is what I see in the log; what does it mean?

    Nov 23 20:45:34 ispconfig1 postfix/smtpd[9169]: lost connection after AUTH from dhcp1862.myzipnet.com[41.202.18.62]
    Nov 23 20:45:34 ispconfig1 postfix/smtpd[9169]: disconnect from dhcp1862.myzipnet.com[41.202.18.62]
    Nov 23 20:45:51 ispconfig1 postfix/smtpd[9155]: warning: 200.80.187.186: hostname 186.187.80.200.dynamic.telmex.net.ar verification failed: Name or service not known
    Nov 23 20:45:51 ispconfig1 postfix/smtpd[9155]: connect from unknown[200.80.187.186]
    Nov 23 20:45:53 ispconfig1 postfix/smtpd[9155]: NOQUEUE: reject: RCPT from unknown[200.80.187.186]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<186.187.80.200.dynamic.telmex.net.ar>
    Nov 23 20:45:53 ispconfig1 postfix/smtpd[9155]: disconnect from unknown[200.80.187.186]
    Nov 23 20:45:56 ispconfig1 postfix/smtpd[9169]: connect from unknown[89.123.58.252]
    Nov 23 20:45:59 ispconfig1 postfix/smtpd[9155]: connect from dhcp1862.myzipnet.com[41.202.18.62]
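    The mail.log excerpts in posts 3 and 5 above are the kind of input a quick tally script can make sense of. The following is an added example, not code from any post in this thread or from ISPConfig: it parses Postfix qmgr "queue active" lines and smtpd client events, then flags clients that repeatedly drop the connection during AUTH and envelope senders with a high recipient fan-out. The sample lines are constructed (documentation IP ranges, example.com addresses) and modelled on the entries quoted here.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the entries quoted in this thread (not real hosts).
SAMPLE_LOG = """\
Nov 23 20:38:43 ispconfig1 postfix/qmgr[2166]: 269F2436771: from=<user@example.com>, size=1833, nrcpt=50 (queue active)
Nov 23 20:38:43 ispconfig1 postfix/qmgr[2166]: 2E170437815: from=<>, size=5325, nrcpt=1 (queue active)
Nov 23 20:45:34 ispconfig1 postfix/smtpd[9169]: lost connection after AUTH from dhcp1.example.net[203.0.113.62]
Nov 23 20:45:34 ispconfig1 postfix/smtpd[9169]: disconnect from dhcp1.example.net[203.0.113.62]
Nov 23 20:45:51 ispconfig1 postfix/smtpd[9155]: connect from unknown[198.51.100.186]
Nov 23 20:45:53 ispconfig1 postfix/smtpd[9155]: NOQUEUE: reject: RCPT from unknown[198.51.100.186]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.com> to=<nobody@example.org> proto=ESMTP helo=<h>
Nov 23 20:45:59 ispconfig1 postfix/smtpd[9155]: connect from dhcp1.example.net[203.0.113.62]
Nov 23 20:46:03 ispconfig1 postfix/smtpd[9155]: lost connection after AUTH from dhcp1.example.net[203.0.113.62]
"""

# qmgr "queue active" entries: queue id, envelope sender, size, recipient count
QMGR = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=(\d+), nrcpt=(\d+)")
# smtpd client events; anchoring on "]: " keeps "disconnect from" from matching
SMTPD = re.compile(
    r"postfix/smtpd\[\d+\]: (connect from|lost connection after AUTH from|"
    r"NOQUEUE: reject: RCPT from) (\S+?)\[([\d.]+)\]")

def summarize(log_text):
    """Tally the log into per-sender recipient counts and per-client events."""
    s = {"active_queue": 0, "rcpt_by_sender": Counter(), "connects": Counter(),
         "auth_failures": Counter(), "rejects": Counter()}
    for line in log_text.splitlines():
        m = QMGR.search(line)
        if m:
            s["active_queue"] += 1
            # an empty sender is a bounce/notification; count it under "<>"
            s["rcpt_by_sender"][m.group(2) or "<>"] += int(m.group(4))
            continue
        m = SMTPD.search(line)
        if not m:
            continue
        event, ip = m.group(1), m.group(3)
        if event.startswith("connect"):
            s["connects"][ip] += 1
        elif event.startswith("lost"):
            s["auth_failures"][ip] += 1  # client dropped during SASL AUTH
        else:
            s["rejects"][ip] += 1        # RCPT refused at smtpd
    return s

def suspects(s, auth_limit=2, rcpt_limit=20):
    """Findings worth a closer look: repeated AUTH drops and high-fanout senders."""
    out = [f"{ip}: {n} dropped AUTH attempts" for ip, n in s["auth_failures"].items() if n >= auth_limit]
    out += [f"{snd}: {n} recipients queued" for snd, n in s["rcpt_by_sender"].items() if n >= rcpt_limit]
    return out
```

    Run it as `suspects(summarize(open("/var/log/mail.log").read()))` to get the same two kinds of findings on a real log; the thresholds are arbitrary defaults to tune per server.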
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Is your server hosted in a datacenter or do you host it at home on a DSL or cable line?
     
  7. cougarmaster

    cougarmaster New Member

    The company

    I host in the company on a 4mb/4mb DSL line, using pfSense as the firewall. I only VPN in to the network to access the web config pages or SSH.
     
