need some urgent help

So, my server seems to be sending a ton of spam:

Apr 21 22:28:07 wiggins postfix/smtp[26636]: BFF6CF2401: to=<tgonzalez@nefflorida.com>, relay=mail2.metbp.com[216.163.240.103]:25, delay=88504, delays=88473/0.33/31/0, dsn=4.0.0, status=deferred (host mail2.metbp.com[216.163.240.103] refused to talk to me: 450 Requested action not taken - The client IP was present in the following DNSBL: bl.spamcop.net)

Apr 21 22:28:07 wiggins postfix/smtp[26667]: connect to mindspring.net[209.86.62.44]:25: Connection timed out

Apr 21 22:28:07 wiggins postfix/smtp[26667]: 83C6CF263B: to=<terriphotography@mindspring.net>, relay=none, delay=47244, delays=47213/0.88/30/0, dsn=4.4.1, status=deferred (connect to mindspring.net[209.86.62.44]:25: Connection timed out)

Apr 21 22:28:08 wiggins postfix/smtp[26679]: connect to mail.homelite.com[64.213.55.3]:25: Connection timed out

Apr 21 22:28:08 wiggins postfix/smtp[26679]: 4A150F263F: to=<ennett@homelite.com>, relay=none, delay=47238, delays=47207/0.4/31/0, dsn=4.4.1, status=deferred (connect to mail.homelite.com[64.213.55.3]:25: Connection timed out)

Apr 21 22:28:08 wiggins postfix/smtp[26678]: connect to forgreer.com[82.98.86.167]:25: Connection timed out

Apr 21 22:28:08 wiggins postfix/smtp[26678]: D7732F2828: to=<ichriskof81@forgreer.com>, relay=none, delay=38436, delays=38404/1.3/30/0, dsn=4.4.1, status=deferred (connect to forgreer.com[82.98.86.167]:25: Connection timed out)

Apr 21 22:28:08 wiggins postfix/smtp[26290]: connect to netants.net[70.39.99.88]:25: No route to host

Apr 21 22:28:08 wiggins postfix/smtp[26290]: 88274F281D: to=<john@netants.net>, relay=none, delay=38458, delays=38427/1.2/30/0, dsn=4.4.1, status=deferred (connect to netants.net[70.39.99.88]:25: No route to host)

Apr 21 22:28:08 wiggins postfix/smtp[26694]: connect to mx3.pt.lu[195.46.255.249]:25: Connection timed out

Apr 21 22:28:08 wiggins postfix/smtp[26694]: 87C1FF2431: to=<steve77@pt.lu>, relay=none, delay=84754, delays=84722/1.2/31/0, dsn=4.4.1, status=deferred (connect to mx3.pt.lu[195.46.255.249]:25: Connection timed out)

Apr 21 22:28:09 wiggins postfix/smtp[26652]: connect to postoffice03.mail-hub.dodo.com.au[202.136.40.236]:25: Connection timed out

I have no idea how to stop this. Is anyone willing to help me out if I pay you?

I'm sure it's a simple config thing, but I don't know enough to be able to sort it out. As you can see, my linode is getting blacklisted by everyone.

10 Replies

Post the contents of your /etc/postfix/main.cf and your ip address

wiggins:/srv/www/wagorn.com/logs# cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = synthgear.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = synthgear.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
message_size_limit = 30720000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps

IP address is: 173.230.149.162

By the way, I watched my apache logs for some time, and don't really see anything that stuck out to me as a possible web script exploit. I also changed the password for the user (me) that seemed to be sending the email.

You don't have an open relay, which is good, and your postfix conf looks fine. Run this: grep sasl /var/log/mail.log and post the output (if any). That will show whether these are being sent remotely or locally; they look local from what you've posted so far.

Many thanks. Here's what it looks like, a whole ton of this (email obfuscated):

Apr 22 07:06:38 wiggins postfix/smtpd[9975]: E219BD2BC: client=unknown[92.47.76.39], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxxx

Apr 22 07:06:48 wiggins postfix/smtpd[9952]: 5CD25D2BE: client=unknown[151.16.147.99], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxx

Apr 22 07:06:51 wiggins postfix/smtpd[9966]: C9FE8D2BF: client=m90-131-123-167.cust.tele2.se[90.131.123.167], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxx

Apr 22 07:06:55 wiggins postfix/smtpd[10287]: 1C1DED2C0: client=unknown[112.134.219.100], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxxxxx

Since you have a host of different IP addresses connecting with the account paul@xxxx, it looks like that account's been compromised.

So do this

1) Reset the password for the user paul

2) Purge your mail queue (this will delete anything pending) using sudo postsuper -d ALL

3) See if it stops

4) Find out how they got the password for the account.
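The check suggested above, carried one step further as an added example (not code from anyone in this thread): it reads smtpd lines in the format pasted above, counts the distinct client IPs per sasl_username, and flags any account authenticating from more hosts than a threshold. The log lines, usernames and addresses below are constructed.

```shell
#!/bin/sh
# Added example: summarise Postfix smtpd SASL logins per sasl_username and
# count distinct client IPs, to spot one account being used from many
# unrelated hosts (the pattern in the thread). Sample lines are constructed
# in the same format Postfix logs; users and IPs are made up.
SAMPLE_LOG=$(cat <<'EOF'
Apr 22 07:06:38 wiggins postfix/smtpd[9975]: E219BD2BC: client=unknown[192.0.2.39], sasl_method=LOGIN, sasl_username=paul@example.com
Apr 22 07:06:48 wiggins postfix/smtpd[9952]: 5CD25D2BE: client=unknown[198.51.100.99], sasl_method=LOGIN, sasl_username=paul@example.com
Apr 22 07:06:51 wiggins postfix/smtpd[9966]: C9FE8D2BF: client=host.example.net[203.0.113.167], sasl_method=LOGIN, sasl_username=paul@example.com
Apr 22 07:06:55 wiggins postfix/smtpd[10287]: 1C1DED2C0: client=unknown[192.0.2.100], sasl_method=LOGIN, sasl_username=paul@example.com
Apr 22 07:07:02 wiggins postfix/smtpd[10290]: 2D2EFD2C1: client=laptop.example.org[198.51.100.5], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 22 07:09:10 wiggins postfix/smtpd[10301]: 3E3F0D2C2: client=laptop.example.org[198.51.100.5], sasl_method=PLAIN, sasl_username=alice@example.com
EOF
)

# sasl_ip_summary: read mail.log lines on stdin, print "user distinct_ip_count"
# sorted by user. Only lines carrying sasl_username= are considered.
sasl_ip_summary() {
    grep 'sasl_username=' \
    | sed -n 's/.*client=[^[]*\[\([^]]*\)\].*sasl_username=\([^ ,]*\).*/\2 \1/p' \
    | sort -u \
    | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' \
    | sort
}

# flag_accounts THRESHOLD: print usernames seen from more than THRESHOLD IPs.
flag_accounts() {
    sasl_ip_summary | awk -v t="$1" '$2 > t { print $1 }'
}

# On a live box replace the sample with: grep sasl /var/log/mail.log | sasl_ip_summary
printf '%s\n' "$SAMPLE_LOG" | sasl_ip_summary
printf '%s\n' "$SAMPLE_LOG" | flag_accounts 2
```

A legitimate user roaming between a phone and a home connection will show a handful of IPs; a dozen unrelated residential hosts within minutes, as in the pasted log, is the sign to act on.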

thanks - your help is very appreciated.

This is what I tried yesterday - I use postfix/mysql, so I did this:

update users set password=encrypt("xxxxxxxx") where email="paul@xxxxxxxxxx";

then deleted the queue

it didn't seem to help. I just tried it again, perhaps I did something wrong last time.

well, so far, so good. I will watch it carefully.

So, as far as how this password was compromised, there really aren't too many ways this can happen, are there?

It seems unlikely that this particular password could have been brute-forced, and I've never actually logged in with this account (it automatically forwards to another email address), so I cannot imagine how someone would have found the password out, as it never gets typed in.

Does this leave a compromised vps? yuk.

If you've never logged in with that account then that eliminates password sniffing.

That leaves you with things such as:

Brute force

Software bug in postfix/sasl (unlikely especially if your software's up to date)

Compromised database (someone reset the password)

Compromised vps (worst case)

You don't allow any web scripts on your server to connect to mysql as root do you? That would be a great way to get in.

I'm guessing you're using mysql to serve virtual domains?
