ispCP - Board - Support
[ help needed! ] my server is sending spam - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Support Area (/forum-30.html)
+--- Forum: Usage (/forum-34.html)
+--- Thread: [ help needed! ] my server is sending spam (/thread-10517.html)



[ help needed! ] my server is sending spam - Eminos - 04-24-2010 06:32 AM

Hi guys!

I'm having a major problem on my server (Debian Lenny, ispCP 1.0.3 default). I noticed that it was running really slow at times, and I checked the mail logs and found out a HUGE list of mails being sent.

I will try to show you some parts from the mail.log.

---

Code:
Apr 23 21:54:24 server1 postfix/smtp[9462]: connect to comcase.com[38.117.90.45]:25: Connection timed out
Apr 23 21:54:24 server1 postfix/smtp[9462]: 6C7BF1100802B: to=<rogeliopriojas@comcase.com>, relay=none, delay=246560, delays=246529/1/30/0, dsn=4.4.1, status=deferred (connect to comcase.com[38.117.90.45]:25: Connection timed out)
Apr 23 21:54:24 server1 postfix/smtp[9511]: connect to cerbernet.co.uk[216.8.179.23]:25: Connection timed out
Apr 23 21:54:24 server1 postfix/smtp[9511]: 67B613BA9AD2: to=<antony@cerbernet.co.uk>, relay=none, delay=197421, delays=197389/1.3/30/0, dsn=4.4.1, status=deferred (connect to cerbernet.co.uk[216.8.179.23]:25: Connection timed out)
Apr 23 21:54:24 server1 postfix/smtp[9451]: 65F951100846D: to=<gusandjoneitzel@dominionvalleycc.com>, relay=none, delay=139203, delays=139171/1.5/30/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=dominionvalleycc.com type=MX: Host not found, try again)
Apr 23 21:54:24 server1 postfix/smtp[9476]: connect to smtp.idmi.net[208.91.146.30]:25: Connection timed out
Apr 23 21:54:24 server1 postfix/smtp[9476]: 830D91100C9C4: to=<mfoleyjr@foleydistributing.com>, relay=none, delay=99131, delays=99100/0.15/32/0, dsn=4.4.1, status=deferred (connect to smtp.idmi.net[208.91.146.30]:25: Connection timed out)
Apr 23 21:54:24 server1 postfix/smtp[9517]: 1341411008010: to=<verna.linker@quinlanisd.net>, relay=none, delay=200576, delays=200544/7.5/24/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=quinlanisd.net type=MX: Host not found, try again)
Apr 23 21:54:30 server1 postfix/smtp[9471]: connect to sprintpcs.com[144.230.162.36]:25: Connection timed out
Apr 23 21:54:30 server1 postfix/smtp[9471]: 622C511008B50: to=<peter28@sprintpcs.com>, relay=none, delay=46369, delays=46332/7/30/0, dsn=4.4.1, status=deferred (connect to sprintpcs.com[144.230.162.36]:25: Connection timed out)
Apr 23 21:54:30 server1 postfix/smtp[9508]: connect to example.com[192.0.32.10]:25: Connection timed out
Apr 23 21:54:30 server1 postfix/smtp[9436]: connect to btopenworld.co.uk[213.121.143.193]:25: Connection timed out
Apr 23 21:54:30 server1 postfix/smtp[9529]: connect to sprintpcs.com[144.230.162.36]:25: Connection timed out
Apr 23 21:54:30 server1 postfix/smtp[9508]: 69E171100AF3A: to=<deepak@example.com>, relay=none, delay=100763, delays=100726/7/30/0, dsn=4.4.1, status=deferred (connect to example.com[192.0.32.10]:25: Connection timed out)
Apr 23 21:54:30 server1 postfix/smtp[9436]: 17F4F3BA94D6: to=<charliehardy@btopenworld.co.uk>, relay=none, delay=197480, delays=197443/7/30/0, dsn=4.4.1, status=deferred (connect to btopenworld.co.uk[213.121.143.193]:25: Connection timed out)
Apr 23 21:54:30 server1 postfix/smtp[9529]: 103B011008A53: to=<wwilliams845@sprintpcs.com>, relay=none, delay=98477, delays=98440/7/30/0, dsn=4.4.1, status=deferred (connect to sprintpcs.com[144.230.162.36]:25: Connection timed out)
Apr 23 21:54:30 server1 postfix/smtp[9467]: connect to arabia.com[82.98.86.178]:25: Connection timed out
Apr 23 21:54:30 server1 postfix/smtp[9467]: 1CE892D1103F: to=<gmela@arabia.com>, relay=none, delay=19271, delays=19234/7/30/0, dsn=4.4.1, status=deferred (connect to arabia.com[82.98.86.178]:25: Connection timed out)
Apr 23 21:54:30 server1 postfix/smtp[9526]: connect to dmhosting.g.ysm.yahoo.com[72.30.190.101]:25: Connection timed out
Apr 23 21:54:30 server1 postfix/smtp[9526]: 6FBBE3BA88F3: to=<bobmary@dmhosting.g.ysm.yahoo.com>, relay=none, delay=139440, delays=139403/7/30/0, dsn=4.4.1, status=deferred (connect to dmhosting.g.ysm.yahoo.com[72.30.190.101]:25: Connection timed out)
Apr 23 21:54:30 server1 postfix/smtp[9478]: connect to hpiug.org[82.98.86.172]:25: Connection timed out
Apr 23 21:54:30 server1 postfix/smtp[9478]: 6EF1811008918: to=<cmorrison@hpiug.org>, relay=none, delay=165499, delays=165462/7/30/0, dsn=4.4.1, status=deferred (connect to hpiug.org[82.98.86.172]:25: Connection timed out)
Apr 23 21:54:30 server1 postfix/smtp[9458]: connect to millikenpub.com[64.56.101.184]:25: Connection timed out
Apr 23 21:54:30 server1 postfix/smtp[9458]: 1FA4511008479: to=<meaves@millikenpub.com>, relay=none, delay=46504, delays=46467/7/30/0, dsn=4.4.1, status=deferred (connect to millikenpub.com[64.56.101.184]:25: Connection timed out)
Apr 23 21:54:30 server1 postfix/smtp[9455]: connect to blsfund.com[65.51.243.21]:25: Connection timed out

Code:
Apr 23 21:53:56 server1 postfix/qmgr[9432]: E25B611008ECC: to=<monbarry@yahoo.com>, relay=none, delay=137755, delays=137752/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: E928E110093C6: to=<mentos217@yahoo.com>, relay=none, delay=135785, delays=135782/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: E6FA211009704: to=<mia.blakey@yahoo.com>, relay=none, delay=133632, delays=133629/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: EF4E21100912E: to=<monicahrrck@yahoo.com>, relay=none, delay=137478, delays=137475/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: E5D721100A9AB: to=<richard_williams20022002@yahoo.com>, relay=none, delay=45839, delays=45837/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: EEEC111008ECF: to=<monbooty_19@yahoo.com>, relay=none, delay=137755, delays=137752/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: E3D3A110093F4: to=<mercedes_mercedesv@yahoo.com>, relay=none, delay=135776, delays=135773/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: ED03B11008513: to=<naomiannb@yahoo.com>, relay=none, delay=166211, delays=166208/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: EAC2511009574: to=<colebain@yahoo.com>, relay=none, delay=46009, delays=46006/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: EBBD311009D5D: to=<cmdyson07@yahoo.com>, relay=none, delay=133383, delays=133380/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: ED8EC11008E5C: to=<momto302@yahoo.com>, relay=none, delay=137779, delays=137776/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: E7E861100990C: to=<michelegogas@yahoo.com>, relay=none, delay=133558, delays=133555/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: E48FE110087D9: to=<darrianwalker@yahoo.com>, relay=none, delay=46374, delays=46371/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: EAFE01100A68E: to=<geraldpacesetter@yahoo.com>, relay=none, delay=103484, delays=103481/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: E2BEE110099FF: to=<michellerainey@yahoo.com>, relay=none, delay=133516, delays=133513/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.169.33.81 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

Code:
Apr 23 21:53:54 server1 postfix/qmgr[9432]: A35BE1100976A: from=<webmaster@cust-domain.com>, size=1248, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: A04A611009976: from=<webmaster@cust-domain.com>, size=1248, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: ABE7B11008E47: from=<webmaster@cust-domain.com>, size=1249, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: A7304110098AC: from=<webmaster@cust-domain.com>, size=1249, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: A46BC11009F2E: from=<webmaster@cust-domain.com>, size=1249, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: A457B11009163: from=<webmaster@cust-domain.com>, size=1257, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: A103F11009F4B: from=<webmaster@cust-domain.com>, size=1245, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: ABD7011008F21: from=<webmaster@cust-domain.com>, size=1252, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: ADFC211008D0A: from=<webmaster@cust-domain.com>, size=1249, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: AA6F511008658: from=<webmaster@cust-domain.com>, size=1246, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: A9832110093E1: from=<webmaster@cust-domain.com>, size=1244, nrcpt=1 (queue active)

I really don't know what is causing this.
Is it a hacked script?
Is it possible to send mail from my server without a smtp login/pass ?
HOW can I find what is causing this?
What domain-user / smtp-user ?

Very very grateful to whoever helps me and teaches me how to fix these kind of problems..

/E
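
The triage the post above is asking for ("what domain-user is sending this?") can be done from mail.log alone, because Postfix logs the envelope sender on the qmgr "from=" line and the recipient and result on the smtp "to=" line, both tagged with the same queue ID. The script below is an added example, not code from the thread or from ispCP: it joins those two events per queue ID and counts deferred deliveries per sender. The log lines in it are constructed in the same layout as the excerpts above, with example.net/example.com hosts and documentation IPs in place of real ones; the regexes and function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Queue-ID events logged by postfix/qmgr and postfix/smtp; the bare
# "connect to host[ip]:25: Connection timed out" lines carry no queue ID
# and are skipped on purpose.
QID_RE = re.compile(r"postfix/(?:qmgr|smtp|cleanup|local)\[\d+\]: ([0-9A-Za-z]+): (.*)")
# key=value or key=<value> pairs: from=, to=, relay=, dsn=, status=, ...
KV_RE = re.compile(r"(\w+)=<?([^,<>\s]+)>?")

# Constructed sample (not a real log): same layout as the thread's mail.log
# excerpts, sender as seen in the thread, hosts/IPs are documentation values.
SAMPLE_LOG = """\
Apr 23 21:53:54 server1 postfix/qmgr[9432]: AAA0000001: from=<webmaster@cust-domain.com>, size=1248, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: AAA0000002: from=<webmaster@cust-domain.com>, size=1249, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: AAA0000003: from=<webmaster@cust-domain.com>, size=1252, nrcpt=1 (queue active)
Apr 23 21:53:54 server1 postfix/qmgr[9432]: BBB0000001: from=<alice@example.org>, size=2210, nrcpt=1 (queue active)
Apr 23 21:54:24 server1 postfix/smtp[9462]: connect to mx.example.net[192.0.2.10]:25: Connection timed out
Apr 23 21:54:24 server1 postfix/smtp[9462]: AAA0000001: to=<user1@example.net>, relay=none, delay=246560, delays=246529/1/30/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.10]:25: Connection timed out)
Apr 23 21:54:24 server1 postfix/smtp[9517]: AAA0000002: to=<user2@example.net>, relay=none, delay=200576, delays=200544/7.5/24/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=example.net type=MX: Host not found, try again)
Apr 23 21:53:56 server1 postfix/qmgr[9432]: AAA0000003: to=<user3@example.com>, relay=none, delay=137755, delays=137752/2.9/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx.example.com[192.0.2.20] refused to talk to me: 421 4.7.0 Messages from 192.0.2.1 temporarily deferred due to user complaints)
Apr 23 21:54:30 server1 postfix/smtp[9470]: BBB0000001: to=<bob@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234ABCD)
"""

def parse_line(line):
    """Return (queue_id, {field: value}) for a queue-ID log line, else None."""
    m = QID_RE.search(line)
    if not m:
        return None
    qid, rest = m.groups()
    return qid, dict(KV_RE.findall(rest))

def summarize(lines):
    """Merge each queue ID's from= and to= events, then count what matters for triage."""
    envelopes = defaultdict(dict)  # queue ID -> merged fields from all its log lines
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            qid, fields = parsed
            envelopes[qid].update(fields)
    done = [e for e in envelopes.values() if "to" in e]  # had a delivery attempt
    return {
        "senders": Counter(e["from"] for e in envelopes.values() if "from" in e),
        "deferred_by_sender": Counter(e.get("from", "?") for e in done if e.get("status") == "deferred"),
        "statuses": Counter((e.get("status"), e.get("dsn")) for e in done),
        "rcpt_domains": Counter(e["to"].rsplit("@", 1)[-1] for e in done),
    }

if __name__ == "__main__":
    for name, counter in summarize(SAMPLE_LOG.splitlines()).items():
        print(name, counter.most_common(5))
```

Run it against the real file with `summarize(open("/var/log/mail.log"))`; the sender that dominates "deferred_by_sender" is the account (here the customer domain's webmaster address) whose script or credentials need looking at, and the dsn 4.7.0 entries are the receiving side's complaint about the sending IP.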


RE: [ help needed! ] my server is sending spam - Eminos - 04-24-2010 10:21 AM

Anyone? Please :)

As soon as I start postfix the mail logs start filling up with these lines.
I tried deleting all the mail accounts associated with the cust-domain.com, and also disabling the domain user in ispCP. It didn't help.

It would be great if I could find out WHAT login credentials it uses to connect to the smtp server, so I can disable that account. Is there any way to find out this? Or is it possible that it sends mail bypassing smtp?

/E


RE: [ help needed! ] my server is sending spam - Eminos - 04-24-2010 03:44 PM

Hi. I'm kinda answering myself right now as I found a "solution" for the problem.

I disabled the "mail" function in php.ini for my cust-domain.com. So it was a script sending all the spam. Would've been nice to know what script as well, but at least it's not hogging my server.

BUT, Now, suddenly, I have a problem with mail forwarding. I'll start a new thread.

/E


RE: [ help needed! ] my server is sending spam - foxb - 04-26-2010 08:09 AM

(04-24-2010 03:44 PM)Eminos Wrote:  Hi. I'm kinda answering myself right now as I found a "solution" for the problem.

I disabled the "mail" function in php.ini for my cust-domain.com. So it was a script sending all the spam. Would've been nice to know what script as well, but at least it's not hogging my server.

BUT, Now, suddenly, I have a problem with mail forwarding. I'll start a new thread.

/E

Probably your IP is blacklisted...

To find the script just grep for php mail function...


RE: [ help needed! ] my server is sending spam - avispa987 - 04-26-2010 08:18 AM

You maybe need to set up some extra records, like SPF or MX records. You can do it here: http://www.openspf.org/
By the way, I recommend you check if your IP is blacklisted; you're lucky that your email didn't fall directly into the trash...

I hope I helped in something.


RE: [ help needed! ] my server is sending spam - c0urier - 04-26-2010 11:20 AM

Well I guess this is your IP: 83.169.33.81

It's blocked at BARRACUDA RBL.

Regarding Yahoo, it writes the reason for not accepting your mails -> too many user complaints, which I guess is related to the spam your customer's script has sent out.

Else check this site; looks like Barracuda is the only place that has marked you as a poor mailhost.
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a83.169.33.81