Thread: Massive amount of emails sending from my email server

  1. #1 Massive amount of emails sending from my email server

    Hi all,

    From maillog / zimbra log, we found that many messages are being sent from our email servers with "from=<>", and I have checked that our server is not an open relay server with MXtools (attachments: Error01.jpg, E02.jpg).

    We didn't make any changes on the email server recently, except that we renewed our cert (we do it every year).

    Our email version is Release 6.0.10_GA_2692.RHEL5_64_20101215170845 CentOS5_64 FOSS edition.


    Apr 3 05:23:31 ms1 postfix/qmgr[27061]: 933BCA970E15: from=<>, size=7172, nrcpt=1 (queue active)
    Apr 3 05:23:31 ms1 postfix/smtp[19409]: C60B09D70CFF: to=<muhasebe@bayras.com>, relay=mail.bayras.com[188.124.7.10]:25, delay=18415, delays=34/18376/3.1/1.3, dsn=2.0.0, status=sent (250 OK id=1UN8dn-0005fz-VA)
    Apr 3 05:23:31 ms1 postfix/qmgr[27061]: DFF79A970E1A: from=<apuyol@live.com>, size=2836, nrcpt=50 (queue active)
    Apr 3 05:23:31 ms1 postfix/smtp[24829]: 05CEFA170997: to=<samuelrs2009@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.141.26]:25, conn_use=2, delay=20412, delays=20/20187/0.17/204, dsn=5.2.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.141.26] said: 550 5.2.1 The email account that you tried to reach is disabled. yf1si3299079pbc.343 - gsmtp (in reply to RCPT TO command))
    Apr 3 05:23:31 ms1 postfix/smtp[13389]: C60B09D70CFF: to=<muharremy@otokoc.com.tr>, relay=mx2.aspmsg.net[81.8.6.50]:25, delay=18414, delays=34/18378/2.4/0, dsn=4.0.0, status=deferred (host mx2.aspmsg.net[81.8.6.50] refused to talk to me: 554-mx01.aspmsg.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
    Apr 3 05:23:31 ms1 postfix/smtp[10002]: C60B09D70CFF: to=<muhasabe@adanaorganize.org.tr>, relay=aspmx.l.google.com[74.125.25.26]:25, delay=18415, delays=34/18376/0.45/4.5, dsn=5.1.1, status=bounced (host aspmx.l.google.com[74.125.25.26] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 'This Gmail user does not exist...' - Gmail Help ih3si3385767pbc.112 - gsmtp (in reply to RCPT TO command))
    Apr 3 05:23:31 ms1 postfix/error[21449]: 3D08299813C9: to=<rkclaxton@yahoo.com>, relay=none, delay=82664, delays=82644/17/0/3.4, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta6.am0.yahoodns.net[98.138.112.38] refused to talk to me: 421 4.7.0 [TS01] Messages from 113.28.my_ip.my_ip temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    Apr 3 05:23:31 ms1 postfix/smtp[6999]: C1AEE9992CEC: to=<slsmit04@syr.edu>, relay=mx3.syr.edu[128.230.18.71]:25, delay=62949, delays=44672/18276/1.7/0, dsn=4.0.0, status=deferred (host mx3.syr.edu[128.230.18.71] refused to talk to me: 554 mx3.syr.edu ESMTP not accepting messages)

  2. #2

    Hi,

    Quote Originally Posted by Solt:
    Hi all,

    From maillog / zimbra log, we found that many messages are being sent from our email servers with "from=<>", and I have checked that our server is not an open relay server with MXtools.

    We didn't make any changes on the email server recently, except that we renewed our cert (we do it every year).

    Our email version is Release 6.0.10_GA_2692.RHEL5_64_20101215170845 CentOS5_64 FOSS edition.


    Apr 3 05:23:31 ms1 postfix/qmgr[27061]: 933BCA970E15: from=<>, size=7172, nrcpt=1 (queue active)
    Apr 3 05:23:31 ms1 postfix/smtp[19409]: C60B09D70CFF: to=<muhasebe@bayras.com>, relay=mail.bayras.com[188.124.7.10]:25, delay=18415, delays=34/18376/3.1/1.3, dsn=2.0.0, status=sent (250 OK id=1UN8dn-0005fz-VA)
    Apr 3 05:23:31 ms1 postfix/qmgr[27061]: DFF79A970E1A: from=<apuyol@live.com>, size=2836, nrcpt=50 (queue active)
    Apr 3 05:23:31 ms1 postfix/smtp[24829]: 05CEFA170997: to=<samuelrs2009@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.141.26]:25, conn_use=2, delay=20412, delays=20/20187/0.17/204, dsn=5.2.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.141.26] said: 550 5.2.1 The email account that you tried to reach is disabled. yf1si3299079pbc.343 - gsmtp (in reply to RCPT TO command))

    --
    Mail from <> means that it came from the mailer daemon, and is usually an indication of a compromised account due to a weak password combination. Search your log (or run the following command with root permission:
    Code:
    su - zimbra -c "mailq"
    ) to see which account sends massive emails. After finding it, simply lock or close it temporarily, change its password to a strong combination and then remove all the spam from the queue.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  3. #3

    Thanks for replying, what does mailq do?

    Is there any command to check, from the log, which mail ID was used for each email sent? I remember there is one but I just couldn't recall it.

  4. #4

    When I do cat maillog | grep "Message ID"...

    It has multiple results at different times, as if it is retrying to send the same mail. Is there any setting to block retry on failure?

  5. #5

    Quote Originally Posted by Solt:
    When I do cat maillog | grep "Message ID"...

    It has multiple results at different times, as if it is retrying to send the same mail. Is there any setting to block retry on failure?
    Maybe, but in my experience, most problems similar to yours came from what I told you in the reply above. Check it out with mailq and see whether its sender was also spoofed or not. If one sender sends hundreds/thousands, then this is a suspected compromised account.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  6. #6

    Thanks, will do.

    I did (cat maillog | grep "sasl_username") and found lots of them are sent by the "test" account, which I have just blocked and changed the password of, but unfortunately it doesn't seem to help.

    When I do mailq, it shows a lot of information (which I couldn't catch; it flushes the screen too fast).
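    As an added example (not from the thread), a small shell script that does what the grep in the post above does but aggregates the result: it counts authenticated submissions per sasl_username in a Postfix maillog and lists the client IPs that authenticated as a given user, so the abused account and the source addresses (the later suggestion in this thread of checking login sources) are visible at a glance. The log lines, host and IP addresses are constructed; point the functions at /var/log/maillog on a real server.

```shell
#!/bin/sh
# Constructed sample of postfix/smtpd authentication lines (hypothetical host and IPs).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Apr  3 05:20:01 ms1 postfix/smtpd[12345]: 1A2B3C4D5E6F: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=test
Apr  3 05:20:02 ms1 postfix/smtpd[12345]: 2A2B3C4D5E6F: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=test
Apr  3 05:20:03 ms1 postfix/smtpd[12346]: 3A2B3C4D5E6F: client=unknown[203.0.113.11], sasl_method=PLAIN, sasl_username=test
Apr  3 05:21:00 ms1 postfix/smtpd[12347]: 4A2B3C4D5E6F: client=office.example.com[198.51.100.5], sasl_method=PLAIN, sasl_username=alice
EOF

# Count authenticated submissions per SASL user, busiest first.
# Usage: sasl_counts /var/log/maillog
sasl_counts() {
  grep 'sasl_username=' "$1" \
    | sed 's/.*sasl_username=\([^ ,]*\).*/\1/' \
    | sort | uniq -c | sort -rn
}

# Distinct client IPs that authenticated as one user.
# Usage: client_ips_for /var/log/maillog test
client_ips_for() {
  grep "sasl_username=$2\$" "$1" \
    | sed 's/.*client=[^[]*\[\([^]]*\)].*/\1/' \
    | sort -u
}

echo "submissions per SASL user:"
sasl_counts "$LOG"
echo "client IPs that authenticated as 'test':"
client_ips_for "$LOG" test
```

    A user whose count dwarfs everyone else's, or whose logins come from addresses the user never works from, is the account to lock and re-password before flushing the queue.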

  7. #7

    Quote Originally Posted by Solt:
    Thanks for replying, what does mailq do?

    Is there any command to check, from the log, which mail ID was used for each email sent? I remember there is one but I just couldn't recall it.
    mailq is the Postfix command to check your mail queue. It will show sender, recipient, message ID, etc. that would be important to your investigation.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.

  8. #8

    Hi,

    You may want to look back at your mailbox.log for connections to this account from IPs in the ranges:

    74.115.0.0 - 74.115.7.255 (proxy/anon site that attacks start from - anchorfree.com)
    41.71.128.0 - 41.71.255.255 (Nigerian IPs that spam is sent from)
    41.138.184.0 - 41.138.191.255 " "

    If this is anything like our experience in the last few days, they are using direct SOAP calls to place the spam message in account signatures, then sending massive amounts of spam as a blank message using a script.

    Our solution was to identify all accounts affected & reset passwords, but also block all of the IP ranges at our firewall. I have not had any reply to my abuse reports to owners of the address blocks...
    Release 7.1.4_GA_2555.UBUNTU8_64 UBUNTU8_64 NETWORK edition, Patch 7.1.4_P1

  9. #9

    Hi swrightsls,
    Quote Originally Posted by swrightsls:
    Hi,

    You may want to look back at your mailbox.log for connections to this account from IPs in the ranges:

    74.115.0.0 - 74.115.7.255 (proxy/anon site that attacks start from - anchorfree.com)
    41.71.128.0 - 41.71.255.255 (Nigerian IPs that spam is sent from)
    41.138.184.0 - 41.138.191.255 " "

    If this is anything like our experience in the last few days, they are using direct SOAP calls to place the spam message in account signatures, then sending massive amounts of spam as a blank message using a script.

    Our solution was to identify all accounts affected & reset passwords, but also block all of the IP ranges at our firewall. I have not had any reply to my abuse reports to owners of the address blocks...
    Thank you for your tips. Noted, in case I deal with a similar issue.
    Best Regards
    ---
    Masim "Vavai" Sugianto
    Zimbra Tutorial
    Personal Blog [ID]

    Release 8.0.6_GA_5922.SLES11_64_20131203103702 SLES11_64 FOSS edition.
