[plug] Postfix Problems again (Spam Originating from my mail server)

Ryan King ryank at globaldial.com
Thu Dec 1 11:43:17 WST 2005


From first glance, it would appear you have a web script of some sort
that is being exploited to send spam email, e.g. a dodgy FormMail?

Check your apache logs to see if there are a large number of hits on a
particular script and check on that.

If that doesn't help, you might want to install some process accounting
tools to see what else is being run by www-data.


On Thu, 2005-12-01 at 11:31 +0800, Shannon Carver wrote:
> Hi Guys,
>
> I'm having the same problem as I was about 2 months ago when I posted
> on here:
>
> A couple of weeks ago I got an email from spamcop stating that I had a
> large amount of spam email originating from one of our work servers. I
> tightened up the postfix rules, and cleared the queue which appeared
> to fix the problem.
>
> Two weeks on, it's started again, and I've just noticed that all
> messages seem to be originating from www-data at domain which leads me to
> think it must be some rogue process in apache which is causing the
> problem.
>
> My problem is, that I don't have any idea of locating where the cause
> of the problem is, I've checked all htdocs directories, and the only
> scripts are php scripts which I've written, of which none contain the
> use of phpmailer() or mail(). The only thing I can think of, is
> someone is somehow spamming from www-data elsewhere.
>
> Last time around, the emails were to random addresses, this time, a
> quick look through the logs:
>
> Nov 28 18:44:33 intranet postfix/smtp[13969]: connect to
> smtp.mx.homes.com [199.44.153.110]: read timeout (port 25)
>
> Nov 28 18:44:40 intranet postfix/smtp[13990]: 3EBA2A010:
> to=<jacobsh at lake.k12.fl.us>, relay=mail.lake.k12.fl.us[169.139.112.4],
> delay=136614, status=deferred (lost connection with
> mail.lake.k12.fl.us[169.139.112.4] while sending end of data -- message
> may be sent more than once)
>
> Nov 28 18:44:42 intranet postfix/smtp[14021]: 74DF9A94E:
> to=<kinatc at lake.k12.fl.us>, relay=mail.lake.k12.fl.us[169.139.112.4],
> delay=136552, status=deferred (lost connection with
> mail.lake.k12.fl.us[169.139.112.4] while sending end of data -- message
> may be sent more than once)
>
> It seems to be running through a list...
>
> It was heaps of *.*.us, then *.time.com, then *.homes.com...
>
> All messages originate with www-data@*.com.au in the from field. Yes
> there is a user called www-data on the system, it runs apache.
>
> Did a postfix stop ; postsuper -d ALL (yea yea, some mail may have
> gone missing)... and the problem stopped for almost 24 hours, then
> started up again, with (to my knowledge), no intrusion to the system.
>
> I've had it suggested that I blow the box away and start again, but
> I'd rather see if I can get around the problem first.  Can anybody
> suggest anything that I may be missing?
>
> I've been to abuse.net, the mail server is definitely not an open
> relay, so in my understanding the messages are originating from my
> system.  I've got 6 boxes built in EXACTLY the same way at different
> sites, which have been up and running for about 2 years without
> downtime or similar issues.
>
> Regards
>
> Shannon Carver
>
> P.S. Sorry if the message was a bit malformed, it's basically a copy and
> paste from a forum thread, in which the people were not terribly
> helpful, blaming my setup and suggesting a rebuild without suggesting
> anything.
> 
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
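The log check Ryan suggests, worked through as an added example (this is not code from the thread or from either poster). The idea: mail that a web script hands to sendmail(1), which is what PHP's mail() and most CGI form handlers do, is logged by Postfix's pickup daemon with the uid of the process that submitted it, so the timestamps of "uid=33 from=<www-data>" pickup lines can be matched against the Apache access log to see which request preceded each injection. Assumptions: Apache common/combined log format, uid 33 for www-data (Debian's default), Postfix pickup lines of the form "postfix/pickup[pid]: QUEUEID: uid=N from=<user>", and all lines from the same day (the date field is not compared). The log lines in the script are constructed sample data, not real logs.

```shell
#!/bin/sh
# Added example: find the web script injecting mail as www-data by
# correlating Postfix pickup lines with Apache access-log requests.
# Assumes Apache common/combined log format and uid 33 = www-data (Debian).
# The sample logs below are constructed, not real.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
ACCESS="$TMP/access.log"
MAIL="$TMP/mail.log"

cat >"$ACCESS" <<'EOF'
10.0.0.5 - - [28/Nov/2005:18:44:30 +0800] "GET /index.php HTTP/1.0" 200 1532
203.0.113.7 - - [28/Nov/2005:18:44:31 +0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 412
203.0.113.7 - - [28/Nov/2005:18:44:32 +0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 412
10.0.0.9 - - [28/Nov/2005:18:45:10 +0800] "GET /news.php?id=3 HTTP/1.0" 200 2210
203.0.113.7 - - [28/Nov/2005:18:46:01 +0800] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 412
EOF

cat >"$MAIL" <<'EOF'
Nov 28 18:44:33 intranet postfix/pickup[1234]: 3EBA2A010: uid=33 from=<www-data>
Nov 28 18:44:33 intranet postfix/cleanup[1235]: 3EBA2A010: message-id=<sample@intranet>
Nov 28 18:46:02 intranet postfix/pickup[1234]: 74DF9A94E: uid=33 from=<www-data>
Nov 28 18:50:00 intranet postfix/pickup[1234]: B1C0D2E3F: uid=1001 from=<shannon>
EOF

# Hits per server-side script (query string stripped), most-hit first.
# $1 = access log.  Output: "COUNT PATH".
top_scripts() {
    awk '{ split($7, p, "?"); if (p[1] ~ /\.(php|pl|cgi)$/) n[p[1]]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Every message Postfix picked up from uid 33 (www-data).
# $1 = mail log.  Output: "HH:MM:SS QUEUEID".
www_data_pickups() {
    awk '$5 ~ /postfix\/pickup/ && $7 == "uid=33" { sub(/:$/, "", $6); print $3, $6 }' "$1"
}

# Requests served in the WIN seconds before each www-data pickup.
# $1 = access log, $2 = mail log, $3 = window in seconds (default 5).
# Output: "QUEUEID CLIENT METHOD PATH".  Same-day assumption: only the
# time of day is compared, not the date.
correlate() {
    access=$1; mail=$2; win=${3:-5}
    www_data_pickups "$mail" | while read -r ptime qid; do
        awk -v qid="$qid" -v ptime="$ptime" -v win="$win" '
            BEGIN { split(ptime, t, ":"); ps = t[1]*3600 + t[2]*60 + t[3] }
            {
                split($4, d, ":")                 # $4 = [28/Nov/2005:18:44:30
                s = d[2]*3600 + d[3]*60 + d[4]
                sub(/"/, "", $6)                  # $6 = "POST -> POST
                if (s <= ps && ps - s <= win) print qid, $1, $6, $7
            }' "$access"
    done
}

# Rank the correlated requests: the script that keeps turning up just
# before a pickup is the one to read.  Output: "COUNT METHOD PATH".
suspects() {
    correlate "$1" "$2" "${3:-5}" |
    awk '{ n[$3 " " $4]++ } END { for (k in n) print n[k], k }' | sort -rn
}

echo "Most-hit scripts:"
top_scripts "$ACCESS"
echo "Requests in the 5 s before each www-data pickup, ranked:"
suspects "$ACCESS" "$MAIL" 5
```

On a real box you would point the functions at the live logs, e.g. `suspects /var/log/apache/access.log /var/log/mail.log 10`, and widen the window if the script queues before it sends. Because the access log records every request regardless of which directory the script lives in, this also catches scripts outside htdocs (an alias, a user's public_html, an upload directory), which is the gap in a by-hand search of htdocs. If the pickup lines show no uid=33 entries at all while mail still leaves as www-data, the script is talking SMTP to localhost rather than running sendmail, and the place to look is the postfix/smtpd lines for client=localhost together with which process holds the connection; that case is outside this example.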
