Mailserver abused? How can I find out

Help! (Home for newbies)
1

Hi

My server acts a little strange, if I reboot it, Postfix takes very long to start. Also lots of strange emailadresses show in the mailq. Then after a while devocot shuts down. I have a feeling the server gets used by spammers.

  1. How can I find out, if the server is abused?
  2. What information do you need / logs?
  3. If someone uses the mail server, what can I do to stop them getting access?

Any help is appreciated.

Thanks
Nick

Here the last maillogs:
Feb 5 15:59:07 gvp-lin-230-026 postfix/smtpd[10790]: disconnect from unknown[202.4.105.114]
Feb 5 15:59:07 gvp-lin-230-026 postfix/smtpd[10786]: disconnect from unknown[202.4.105.114]
Feb 5 15:59:13 gvp-lin-230-026 postfix/smtpd[10788]: connect from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Feb 5 15:59:13 gvp-lin-230-026 postfix/smtpd[10788]: lost connection after CONNECT from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Feb 5 15:59:13 gvp-lin-230-026 postfix/smtpd[10788]: disconnect from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Feb 5 15:59:17 gvp-lin-230-026 postfix/smtpd[10790]: connect from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Feb 5 15:59:17 gvp-lin-230-026 postfix/smtpd[10790]: lost connection after CONNECT from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Feb 5 15:59:17 gvp-lin-230-026 postfix/smtpd[10790]: disconnect from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]

Here is a real user of the system… (changed name with ****)

Feb 5 15:59:35 gvp-lin-230-026 dovecot: pop3-login: Login: user=<***.here is a real user of the system *>, method=PLAIN, rip=::ffff:83.76.132.68, lip=::ffff:82.195.230.26
Feb 5 15:59:35 gvp-lin-230-026 dovecot: POP3(.here is a real user of the system ****): Disconnected: Logged out top=0/0, retr=0/0, del=0/9, size=7092377

Feb 5 16:00:28 gvp-lin-230-026 postfix/anvil[8341]: statistics: max connection rate 20/60s for (smtp:71.171.1.121) at Feb 5 15:58:08
Feb 5 16:00:28 gvp-lin-230-026 postfix/anvil[8341]: statistics: max connection count 4 for (smtp:91.168.34.114) at Feb 5 15:51:59
Feb 5 16:00:28 gvp-lin-230-026 postfix/anvil[8341]: statistics: max cache size 4 at Feb 5 15:52:00
Feb 5 16:00:32 gvp-lin-230-026 postfix/smtpd[10786]: connect from leased-line-87-252-254-91.telecom.by[87.252.254.91]
Feb 5 16:00:32 gvp-lin-230-026 postfix/smtpd[10786]: B2E5A26000C: client=leased-line-87-252-254-91.telecom.by[87.252.254.91]
Feb 5 16:00:33 gvp-lin-230-026 postfix/cleanup[10795]: B2E5A26000C: message-id=<000f01c987bb$a89ff860$0539af34@Shop>
Feb 5 16:00:33 gvp-lin-230-026 postfix/qmgr[1791]: B2E5A26000C: from=<btconfirmation@jerlevnet.dk>, size=1726, nrcpt=1 (queue active)
Feb 5 16:00:33 gvp-lin-230-026 postfix/local[10797]: B2E5A26000C: to=<reject@gvp-lin-230-026.as16215.net>, orig_to=<blair@soundgallery.com>, relay=local, delay=1, delays=0.99/0/0/0.05, dsn=5.1.1, status=bounced (unknown user: "reject")
Feb 5 16:00:33 gvp-lin-230-026 postfix/cleanup[10794]: 8CD372600C7: message-id=<20090205150033.8CD372600C7@gvp-lin-230-026.as16215.net>
Feb 5 16:00:33 gvp-lin-230-026 postfix/bounce[10802]: B2E5A26000C: sender

2

Hi Nick,

Well, I’m not really sure why Dovecot would shut down, that’s not something I’d expect, even if your system were being used by spammers.

I did an open relay test on the “soundgallery.com” domain mentioned in the logs above, and it’s not being listed as an open relay. So that

If there is a problem, my guess is that it’s from one of 3 sources:

  1. A user on your system sending out lots of emails

  2. The server isn’t fully up to date on all of it’s updates/patches, and there’s a security problem some spammer is taking advantage of

  3. The web apps running on your server aren’t up to date, and someone may be taking advantage of one or more of them

To see what the emails are, and more about who is sending them, you can log into Virtualmin, and click Webmin -> Servers -> Postfix -> Mail Queue.

How many messages does it say are in the queue?
-Eric

3

same thing here, waiting for usefull comments

4

So what problem(s) are you having specifically?

Do you see any problems in the mail log around the time it occurs?

-Eric

5
  1. I have a Mail Queue of 25567 messages
  2. Lot of Spam arriving from one address owned by me but with fake names like qazwsxedc@myhostname.com, qwerty@myhostname.com, aaaazz1@myhostname.com etc …
  3. Spamassassin score is set now to 6 (was 10)
  4. I have noticed that there is a autowhitelist full of address ! (more then 30k !!!) I think someone was able to use a bug to introduce all those address inside my server cause I am the only admin of this server !
  5. I am trying to remove all whitelist but It’s more then an hour virtualmin is working … with still no answer …
6

Well, the email you’re seeing… is that mail coming in, or mail waiting to go out?

That is, in most cases where some sort of abuse is taking place in that kind of quantity, it’s occurring on your server… I mentioned all these in my post above, but one of them is likely to be your issue:

1. A user on your system sending out lots of emails 2. The server isn't fully up to date on all of it's updates/patches, and there's a security problem some spammer is taking advantage of 3. The web apps running on your server aren't up to date, and someone may be taking advantage of one or more of them

What I’d recommend doing is review all the processes running on your server, and make sure you don’t see any that don’t belong.

A frequent issue these days is for a spammer to take advantage of a hole in a web app, and to upload a script that sends out spams – then to execute that script via the web.

So take a peek around, and see if you can find any processes running that shouldn’t be… and if so, be sure to take notice of what user owns the process, so afterwards it’s easier to tell what all you need to correct :slight_smile:

-Eric