Shannon Carver
Thu Dec 1 11:31:19 WST 2005

Hi Guys, 


I'm having the same problem as I was about 2 months ago when I posted on


A couple of weeks ago I got an email from spamcop stating that I had a
large amount of spam email originating from one of our work servers. I
tightened up the postfix rules, and cleared the queue which appeared to
fix the problem.


Two weeks on, it's started again, and I've just noticed that all messages
seem to be originating from www-data at domain which leads me to think it
must be some rogue process in apache which is causing the problem.


My problem is, that I don't have any idea of locating where the cause of
the problem is, I've checked all htdocs directories, and the only
scripts are php scripts which I've written, of which none contain the
use of phpmailer() or mail(). The only thing I can think of, is someone
is somehow spamming from www-data elsewhere.


Last time around, the emails were to random addresses, this time, a
quick look through the logs:


Nov 28 18:44:33 intranet postfix/smtp[13969]: connect to
smtp.mx.homes.com []: read timeout (port 25)


Nov 28 18:44:40 intranet postfix/smtp[13990]: 3EBA2A010:
to=<jacobsh at lake.k12.fl.us>,-relay=mail.lake.k12.fl.us[],
delay=136614, status=deferred (lost connection with
mail.lake.k12.fl.us[]while sending end of data -- message
may be sent more than once)

Nov 28 18:44:42 intranet postfix/smtp[14021]: 74DF9A94E:
to=<kinatc at lake.k12.fl.us>, -relay=mail.lake.k12.fl.us[],
delay=136552, status=deferred (lost connection with
mail.lake.k12.fl.us[]while sending end of data -- message
may be sent more than once) 


It seems to be running through a list...

It was heaps of *.*.us, then *.time.com, then *.homes.com...


All messages originate with www-data@*.com.au in the from field. Yes
there is a user called www-data on the system, it runs apache.


Did a postfix stop ; postsuper -d ALL (yea yea, some mail may have gone
missing)... and the problem stopped for almost 24 hours, then started up
again, with (to my knowledge), no intrusion to the system.


I've had it suggested that I blow the box away and start again, but I'd
rather see if I can get around the problem first.  Can anybody suggest
anything that I may be missing?


I've been to abuse.net, the mail server is definitely not an open relay,
so in my understanding the messages are originating from my system.
I've got 6 boxes built in EXACTLY the same way at different sites, which
have been up and running for about 2 years without downtime or similar




Shannon Carver


P.S. Sorry if the message was a bit malformed, it's basically a copy and
paste from a forum thread, in which the people were not terribly
helpful, blaming my setup and suggesting a rebuild without suggesting

