postfix empty sender or www-data

Discussion in 'Installation/Configuration' started by dimitar, May 7, 2007.

  1. dimitar

    dimitar New Member

    Hi All,

    I have a problem on one of my servers running Debian sarge and ISPconfig 2.2.11. In the mail.log appears the following:

    May 7 06:32:58 serverhostname postfix/qmgr[17941]: 6F81D7804D3: from=<[email protected]>, size=1750, nrcpt=330 (queue active)
    May 7 06:32:58 serverhostname postfix/qmgr[17941]: 6F81D7804D3: to=<emailaddress>, relay=none, delay=58840, status=deferred (delivery temporarily suspended: connect to remotemailserver[xxx.xxx.xxx.xxx]: Connection timed out)

    and after that the "to=<emailaddress>, relay=none, delay=58840, status=deferred (delivery temporarily suspended: connect to mailserver[xxx.xxx.xxx.xxx]: Connection timed out)"
    repeats at least 100 times with different recipient email addresses...

    Sometimes the from=<[email protected]> appears as from=<> followed also by at least 100 of "to=<emailaddress>".

    The mailqueue gets a value of about 10000 emails for 24h...

    I understand that the IP is already blacklisted, but that's not the problem now; first I want to stop this spam attack.

    Any ideas?

    Regards
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This spam is sent through one of your contact forms. You will have to check the form and see if it is vulnerable to sending spam.

    To block an IP address on the server from sending spam or contacting your server in any way, execute this command:

    route add -host 123.123.123.123 reject

    (Don't forget to replace the IP in the command!)
     
  3. dimitar

    dimitar New Member

    Thanks for the quick reply,

    is there a way I can check through which form exactly that spam is being sent?

    Regards
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try to figure that out by viewing the content of the emails with the postcat command.
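
Added example, not part of the original thread: a shell function that picks out of mail.log the queue IDs worth inspecting with postcat, by correlating qmgr lines carrying a high `nrcpt` with the `uid=` that pickup logs for locally submitted mail. The function name, the threshold default and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list queued messages that qmgr logged with many recipients.
# Output per message: QUEUEID nrcpt=N from=<envelope sender> uid=<submitting uid or ->

# Constructed sample log (host, queue IDs and addresses are made up).
sample_log() {
cat <<'EOF'
May  7 06:30:01 host postfix/pickup[101]: A1B2C3D4E5: uid=33 from=<www-data>
May  7 06:30:01 host postfix/qmgr[102]: A1B2C3D4E5: from=<www-data@host.example>, size=1750, nrcpt=330 (queue active)
May  7 06:31:10 host postfix/qmgr[102]: F6E7D8C9B0: from=<>, size=2100, nrcpt=120 (queue active)
May  7 06:32:00 host postfix/qmgr[102]: 0123456789: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
May  7 06:40:01 host postfix/qmgr[102]: A1B2C3D4E5: from=<www-data@host.example>, size=1750, nrcpt=330 (queue active)
EOF
}

# Usage: suspect_queue_ids LOGFILE [MIN_RCPT]   (MIN_RCPT defaults to 50)
suspect_queue_ids() {
    awk -v min="${2:-50}" '
    # pickup logs mail handed in locally (sendmail binary, PHP mail()) with the caller uid
    $5 ~ /^postfix\/pickup\[/ {
        id = $6; sub(/:$/, "", id)
        for (i = 7; i <= NF; i++)
            if ($i ~ /^uid=/) uid[id] = substr($i, 5)
    }
    # qmgr logs envelope sender and recipient count each time a message becomes active
    $5 ~ /^postfix\/qmgr\[/ && /nrcpt=/ {
        id = $6; sub(/:$/, "", id)
        from = ""; n = 0
        for (i = 7; i <= NF; i++) {
            if ($i ~ /^from=/)  { from = $i; sub(/^from=</, "", from); sub(/>,?$/, "", from) }
            if ($i ~ /^nrcpt=/) n = substr($i, 7) + 0
        }
        # report each queue ID once, even if it was retried and logged again
        if (n >= min && !(id in seen)) {
            seen[id] = 1
            printf "%s nrcpt=%d from=<%s> uid=%s\n", id, n, from, ((id in uid) ? uid[id] : "-")
        }
    }' "$1"
}
```

Run it as `suspect_queue_ids /var/log/mail.log 100`, then pass a reported queue ID to `postcat -q` to read that message's headers and body. A `uid=-` means no pickup line was found for that ID in the file.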
     
  5. dimitar

    dimitar New Member

    OK thanks,

    I have "caught" the 2 sites which were sending spam and deleted the sites and the corresponding users.
    But I think this will not be the last such case, because there are many sites on the server. I think it would be a better idea if I could somehow restrict the number of emails sent per user and time, for example: user www-data can send 10 mails per 10 minutes or something like that, and if the limit is reached then a notification is sent to the admin... any ideas how this can be done?

    Regards
     
  6. dimitar

    dimitar New Member

    Hi

    I have found what I need - policyd (http://policyd.sourceforge.net/). It can do the desired thing for me: Sender Throttling (and many other things).

    The question is whether it can be set up to work with ISPConfig...
    I'll give it a try...

    Regards
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I think it should work with ISPConfig, but I've not tested it.
     
