
Thread: Massive amount of emails sending from my email server

  1. #1
    Join Date: Jun 2011 | Posts: 32 | Rep Power: 4

    Massive amount of emails sending from my email server

    Hi all,

    From the maillog / zimbra log, we found that many messages are being sent from our email servers with "from=<>", and I have checked that our server is not an open relay server with MXtools (attachments: Error01.jpg, E02.jpg).

    We didn't make any changes on the email server recently, except that we have renewed our cert (we do it every year).

    Our email version is Release 6.0.10_GA_2692.RHEL5_64_20101215170845 CentOS5_64 FOSS edition.


    Apr 3 05:23:31 ms1 postfix/qmgr[27061]: 933BCA970E15: from=<>, size=7172, nrcpt=1 (queue active)
    Apr 3 05:23:31 ms1 postfix/smtp[19409]: C60B09D70CFF: to=<muhasebe@bayras.com>, relay=mail.bayras.com[188.124.7.10]:25, delay=18415, delays=34/18376/3.1/1.3, dsn=2.0.0, status=sent (250 OK id=1UN8dn-0005fz-VA)
    Apr 3 05:23:31 ms1 postfix/qmgr[27061]: DFF79A970E1A: from=<apuyol@live.com>, size=2836, nrcpt=50 (queue active)
    Apr 3 05:23:31 ms1 postfix/smtp[24829]: 05CEFA170997: to=<samuelrs2009@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.141.26]:25, conn_use=2, delay=20412, delays=20/20187/0.17/204, dsn=5.2.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.141.26] said: 550 5.2.1 The email account that you tried to reach is disabled. yf1si3299079pbc.343 - gsmtp (in reply to RCPT TO command))
    Apr 3 05:23:31 ms1 postfix/smtp[13389]: C60B09D70CFF: to=<muharremy@otokoc.com.tr>, relay=mx2.aspmsg.net[81.8.6.50]:25, delay=18414, delays=34/18378/2.4/0, dsn=4.0.0, status=deferred (host mx2.aspmsg.net[81.8.6.50] refused to talk to me: 554-mx01.aspmsg.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
    Apr 3 05:23:31 ms1 postfix/smtp[10002]: C60B09D70CFF: to=<muhasabe@adanaorganize.org.tr>, relay=aspmx.l.google.com[74.125.25.26]:25, delay=18415, delays=34/18376/0.45/4.5, dsn=5.1.1, status=bounced (host aspmx.l.google.com[74.125.25.26] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 'This Gmail user does not exist...' - Gmail Help ih3si3385767pbc.112 - gsmtp (in reply to RCPT TO command))
    Apr 3 05:23:31 ms1 postfix/error[21449]: 3D08299813C9: to=<rkclaxton@yahoo.com>, relay=none, delay=82664, delays=82644/17/0/3.4, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta6.am0.yahoodns.net[98.138.112.38] refused to talk to me: 421 4.7.0 [TS01] Messages from 113.28.my_ip.my_ip temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    Apr 3 05:23:31 ms1 postfix/smtp[6999]: C1AEE9992CEC: to=<slsmit04@syr.edu>, relay=mx3.syr.edu[128.230.18.71]:25, delay=62949, delays=44672/18276/1.7/0, dsn=4.0.0, status=deferred (host mx3.syr.edu[128.230.18.71] refused to talk to me: 554 mx3.syr.edu ESMTP not accepting messages)

  2. #2
    Join Date: May 2007 | Location: Indonesia | Posts: 149 | Rep Power: 8

    Hi,

    Quote Originally Posted by Solt:
    Hi all,

    From the maillog / zimbra log, we found that many messages are being sent from our email servers with "from=<>", and I have checked that our server is not an open relay server with MXtools.

    We didn't make any changes on the email server recently, except that we have renewed our cert (we do it every year).

    Our email version is Release 6.0.10_GA_2692.RHEL5_64_20101215170845 CentOS5_64 FOSS edition.


    Apr 3 05:23:31 ms1 postfix/qmgr[27061]: 933BCA970E15: from=<>, size=7172, nrcpt=1 (queue active)
    Apr 3 05:23:31 ms1 postfix/smtp[19409]: C60B09D70CFF: to=<muhasebe@bayras.com>, relay=mail.bayras.com[188.124.7.10]:25, delay=18415, delays=34/18376/3.1/1.3, dsn=2.0.0, status=sent (250 OK id=1UN8dn-0005fz-VA)
    Apr 3 05:23:31 ms1 postfix/qmgr[27061]: DFF79A970E1A: from=<apuyol@live.com>, size=2836, nrcpt=50 (queue active)
    Apr 3 05:23:31 ms1 postfix/smtp[24829]: 05CEFA170997: to=<samuelrs2009@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.141.26]:25, conn_use=2, delay=20412, delays=20/20187/0.17/204, dsn=5.2.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.141.26] said: 550 5.2.1 The email account that you tried to reach is disabled. yf1si3299079pbc.343 - gsmtp (in reply to RCPT TO command))

    --
    Mail from <> means that it came as mailer daemon, and is usually an indication of a compromised account due to a weak password combination. Search your log (or run the following command with root permission:
    Code:
    su - zimbra -c "mailq"
    ) to see which account sends massive emails. After finding it, simply lock or close it temporarily, change its password to a strong combination and then remove all spam from the queue.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  3. #3
    Join Date: Jun 2011 | Posts: 32 | Rep Power: 4

    Thanks for replying, what does mailq do?

    Is there any command to check which mail ID was used in each email sent, from the log? I remember there is but I just couldn't recall it.

  4. #4
    Join Date: Jun 2011 | Posts: 32 | Rep Power: 4

    When I do cat maillog | grep "Message ID"..

    It has multiple results at different times, like it is retrying to send the same mail; is there any setting to block retrying on failure??

  5. #5
    Join Date: May 2007 | Location: Indonesia | Posts: 149 | Rep Power: 8

    Quote Originally Posted by Solt:
    Thanks for replying, what does mailq do?

    Is there any command to check which mail ID was used in each email sent, from the log? I remember there is but I just couldn't recall it.
    mailq is a Postfix command to check your mail queue. It will show sender, recipient, message ID, etc. that would be important to your investigation.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  6. #6
    Join Date: May 2007 | Location: Indonesia | Posts: 149 | Rep Power: 8

    Quote Originally Posted by Solt:
    When I do cat maillog | grep "Message ID"..

    It has multiple results at different times, like it is retrying to send the same mail; is there any setting to block retrying on failure??
    Maybe, but in my experience, most problems similar to yours came from what I told you in the reply above. Check it out with mailq and see whether its sender was also spoofed or not. If one sender sends hundreds/thousands, then this is a suspected compromised account.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.
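    One way to do what this reply suggests, summarising the queue by sender so that a single account (or a flood of MAILER-DAEMON bounces) with hundreds of entries stands out. This is an added example, not code from the thread or from Zimbra: it reads `mailq` / `postqueue -p` output on standard input, and the sample listing embedded in it is constructed, with made-up queue IDs and example.com/example.net addresses.

```shell
#!/bin/sh
# Added example, not part of the thread: count queued messages per sender
# from `mailq` / `postqueue -p` output read on stdin.

# Print "count sender", busiest sender first. Only the first line of each
# queue entry starts with the hex queue ID (optionally flagged '*' for
# active or '!' for hold), and its last field is the envelope sender;
# recipient lines, deferral reasons, the header and the trailing
# "-- N Kbytes in M Requests." summary do not match the pattern.
count_queue_senders() {
    awk '/^[0-9A-F]+[*!]?[ \t]/ { n[$NF]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed sample of `mailq` output (queue IDs and addresses are made up).
sample_queue() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E01*    3503 Wed Apr  3 16:36:04  MAILER-DAEMON
                                         someone@example.org

1A2B3C4D5E02*   12938 Wed Apr  3 10:13:57  MAILER-DAEMON
                                         other@example.net

1A2B3C4D5E03!    1100 Wed Apr  3 07:44:36  MAILER-DAEMON
                                         third@example.com

1A2B3C4D5E04     6079 Wed Apr  3 06:42:16  MAILER-DAEMON
(host mx.example.com[198.51.100.7] refused to talk to me: 554 rejected)
                                         fourth@example.com

1A2B3C4D5E05    15301 Wed Apr  3 11:34:55  test@example.com
                                         victim@example.net

-- 39 Kbytes in 5 Requests.
EOF
}

# Stand-alone run on the sample. On a Zimbra box the live equivalent is:
#   su - zimbra -c "mailq" | count_queue_senders
sample_queue | count_queue_senders
```

    On the sample this prints `4 MAILER-DAEMON` followed by `1 test@example.com`; a real listing that is mostly bounces, or mostly one authenticated user, points at the account to lock and re-password before clearing the queue.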

  7. #7
    Join Date: Jun 2011 | Posts: 32 | Rep Power: 4

    Thanks, will do.

    I did (cat maillog | grep "sasl_username") and found lots of them are sent by the "test" account, which I have just blocked and changed the password of, but unfortunately it doesn't seem to help.

    When I do mailq, it shows a lot of information (which I couldn't catch; it flushes the screen too fast).

  8. #8
    Join Date: May 2007 | Location: Indonesia | Posts: 149 | Rep Power: 8

    Hi,

    Quote Originally Posted by Solt:
    Thanks, will do.

    I did (cat maillog | grep "sasl_username") and found lots of them are sent by the "test" account, which I have just blocked and changed the password of, but unfortunately it doesn't seem to help.

    When I do mailq, it shows a lot of information (which I couldn't catch; it flushes the screen too fast).
    1. How about:
      Code:
      su - zimbra
      mailq | more
    2. Changing the password and locking/closing the account only prevents new spam messages. It doesn't remove queued messages.
    3. Use the following script to remove spam messages from the queue:

      Code:
      #!/usr/bin/perl -w
      #
      # pfdel - deletes messages containing the specified address from the
      # Postfix queue. Matches either sender or recipient address.
      #
      # Usage: pfdel <email_address>
      #

      use strict;
      use warnings;

      # Change these paths if necessary (Zimbra ships its own Postfix).
      my $LISTQ = "/opt/zimbra/postfix/sbin/postqueue -p";
      my $POSTSUPER = "/opt/zimbra/postfix/sbin/postsuper";

      my $email_addr = "";
      my $qid = "";
      my $euid = $>;    # effective user id; postsuper needs root

      if ( @ARGV != 1 ) {
          die "Usage: pfdel <email_address>\n";
      } else {
          $email_addr = $ARGV[0];
      }

      if ( $euid != 0 ) {
          die "You must be root to delete queue files.\n";
      }

      open(QUEUE, "$LISTQ |") ||
        die "Can't get pipe to $LISTQ: $!\n";

      my $entry = <QUEUE>;    # skip single header line
      $/ = "";                # paragraph mode: each queue entry spans
                              # multiple lines separated by a blank line
      while ( $entry = <QUEUE> ) {
          # \Q...\E quotes the address so '.' and '+' match literally.
          if ( $entry =~ / \Q$email_addr\E$/m ) {
              ($qid) = split(/\s+/, $entry, 2);
              $qid =~ s/[\*\!]//;    # strip the active (*) / hold (!) flag
              next unless ($qid);

              #
              # Execute postsuper -d with the queue id.
              # postsuper provides feedback when it deletes
              # messages. Let its output go through.
              #
              if ( system($POSTSUPER, "-d", $qid) != 0 ) {
                  # If postsuper has a problem, bail.
                  die "Error executing $POSTSUPER: error " .
                     "code " . ($? >> 8) . "\n";
              }
          }
      }
      close(QUEUE);

      if (! $qid ) {
          die "No messages with the address <$email_addr> " .
            "found in queue.\n";
      }

      exit 0;
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  9. #9
    Join Date: Jun 2011 | Posts: 32 | Rep Power: 4

    This is what is shown on mailq | more.. however they are not under my domain; I found some settings to block incoming mail but not sending from our domain, really sad.

    Still checking how to apply the script....


    6B4359980B5C* 3503 Wed Apr 3 16:36:04 MAILER-DAEMON
    un-nation2@un.org

    60238A971BE8* 12938 Wed Apr 3 10:13:57 MAILER-DAEMON
    apuyol@live.com

    CB20EA971791* 11400 Wed Apr 3 07:44:36 MAILER-DAEMON
    apuyol@live.com

    1AD5CA97140E* 6079 Wed Apr 3 06:42:16 MAILER-DAEMON
    apuyol@live.com

    63A0AA971F0F* 9613 Wed Apr 3 10:29:02 MAILER-DAEMON
    apuyol@live.com

    131899980DC2* 4013 Wed Apr 3 16:37:25 MAILER-DAEMON
    un-nation2@un.org

    617C2B9705AC* 15301 Wed Apr 3 11:34:55 MAILER-DAEMON
    apuyol@live.com

    65527A97028F* 18443 Wed Apr 3 04:12:35 MAILER-DAEMON
    apuyol@live.com

    C0482A972557* 10564 Wed Apr 3 11:23:32 MAILER-DAEMON
    apuyol@live.com

    41D109980D38* 3115 Wed Apr 3 16:37:12 MAILER-DAEMON
    un-nation2@un.org

    CA8C8A971FD5* 5320 Wed Apr 3 10:33:00 MAILER-DAEMON
    apuyol@live.com

    10AC2A1711EE* 16582 Wed Apr 3 04:01:01 MAILER-DAEMON
    apuyol@live.com

    810A6998099B* 5188 Wed Apr 3 14:29:32 MAILER-DAEMON
    apuyol@live.com

    145C5A9710EE* 10599 Wed Apr 3 05:58:12 MAILER-DAEMON
    apuyol@live.com

  10. #10
    Join Date: May 2007 | Location: Indonesia | Posts: 149 | Rep Power: 8

    Remove the queue by using the following command (with root permission):

    Code:
    pfdel MAILER-DAEMON
    If the spammer is spoofing the sender, you should investigate sasl_username in /var/log/zimbra.log or /opt/zimbra/log/audit.log and /opt/zimbra/log/mailbox.log and see which account has logged on and is sending many messages.

    You could also use postcat to see the details of spam messages, e.g.:

    Code:
    find /opt/zimbra/data | grep 617C2B9705AC
    /opt/zimbra/postfix/sbin/postcat /opt/zimbra/data/postfix/spool/deferred/6/617C2B9705AC
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.
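    An added example (not from the thread, and not a Zimbra tool) of the sasl_username investigation this reply describes: it reads Postfix smtpd log lines of the kind found in /var/log/zimbra.log on standard input and reports, per authenticated account, how many messages were submitted and from how many distinct client addresses, so a stolen credential being used from many places shows up rather than just a busy user. The log lines inside are constructed (test@example.com and RFC 5737 addresses), and `flag_accounts` with its threshold argument is a name chosen here.

```shell
#!/bin/sh
# Added example, not part of the thread: per-account submission summary
# from Postfix smtpd log lines (as written to /var/log/zimbra.log).

# Print "submissions distinct_client_ips account" for every sasl_username
# seen on stdin, most active account first.
submissions_by_account() {
    awk '
    /sasl_username=/ {
        user = $0
        sub(/.*sasl_username=/, "", user)   # keep the text after the key
        sub(/[, \t].*/, "", user)            # drop anything after the value

        ip = $0
        sub(/.*client=/, "", ip)             # host[addr] of the submitter
        sub(/,.*/, "", ip)
        b = index(ip, "["); e = index(ip, "]")
        ip = substr(ip, b + 1, e - b - 1)

        count[user]++
        if (!((user, ip) in seen)) {        # count each client IP once
            seen[user, ip] = 1
            ips[user]++
        }
    }
    END { for (u in count) print count[u], ips[u], u }' | sort -rn
}

# Print only accounts that submitted at least $1 messages: the ones to
# lock and re-password, as the replies above recommend.
flag_accounts() {
    submissions_by_account | awk -v limit="$1" '$1 >= limit { print $3 }'
}

# Constructed sample log (not real traffic); addresses are from RFC 5737.
sample_log() {
    cat <<'EOF'
Apr  3 05:20:11 ms1 postfix/smtpd[1001]: 1AAA00000001: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=test@example.com
Apr  3 05:20:13 ms1 postfix/smtpd[1002]: 1AAA00000002: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=test@example.com
Apr  3 05:20:15 ms1 postfix/smtpd[1003]: 1AAA00000003: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=test@example.com
Apr  3 05:20:20 ms1 postfix/smtpd[1004]: 1AAA00000004: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=test@example.com
Apr  3 05:21:02 ms1 postfix/smtpd[1005]: 1AAA00000005: client=ws12.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Apr  3 05:21:40 ms1 postfix/qmgr[27061]: 1AAA00000005: from=<alice@example.com>, size=2836, nrcpt=1 (queue active)
EOF
}

# Stand-alone run: summarise the sample, then flag accounts with >= 3 submissions.
# Live equivalent: grep sasl_username /var/log/zimbra.log | submissions_by_account
sample_log | submissions_by_account
sample_log | flag_accounts 3
```

    On the sample the summary is `4 3 test@example.com` and `1 1 alice@example.com`, and `flag_accounts 3` names only test@example.com. The distinct-IP column is the useful discriminator: one user sending a newsletter from the office looks like `200 1`, while a leaked password used by a botnet looks like `200 150`.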
