Hi
My server acts a little strange: if I reboot it, Postfix takes very long to start. Also, lots of strange email addresses show in the mailq. Then after a while Dovecot shuts down. I have a feeling the server gets used by spammers.
- How can I find out if the server is abused?
- What information do you need / logs?
- If someone uses the mail server, what can I do to stop them getting access?
Any help is appreciated.
Thanks
Nick
Here are the last mail logs:
Feb 5 15:59:07 gvp-lin-230-026 postfix/smtpd[10790]: disconnect from unknown[202.4.105.114]
Feb 5 15:59:07 gvp-lin-230-026 postfix/smtpd[10786]: disconnect from unknown[202.4.105.114]
Feb 5 15:59:13 gvp-lin-230-026 postfix/smtpd[10788]: connect from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Feb 5 15:59:13 gvp-lin-230-026 postfix/smtpd[10788]: lost connection after CONNECT from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Feb 5 15:59:13 gvp-lin-230-026 postfix/smtpd[10788]: disconnect from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Feb 5 15:59:17 gvp-lin-230-026 postfix/smtpd[10790]: connect from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Feb 5 15:59:17 gvp-lin-230-026 postfix/smtpd[10790]: lost connection after CONNECT from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Feb 5 15:59:17 gvp-lin-230-026 postfix/smtpd[10790]: disconnect from pool-71-171-1-121.ronkva.east.verizon.net[71.171.1.121]
Here is a real user of the system… (changed name with ****)
Feb 5 15:59:35 gvp-lin-230-026 dovecot: pop3-login: Login: user=<***.here is a real user of the system *>, method=PLAIN, rip=::ffff:83.76.132.68, lip=::ffff:82.195.230.26
Feb 5 15:59:35 gvp-lin-230-026 dovecot: POP3(.here is a real user of the system ****): Disconnected: Logged out top=0/0, retr=0/0, del=0/9, size=7092377
Feb 5 16:00:28 gvp-lin-230-026 postfix/anvil[8341]: statistics: max connection rate 20/60s for (smtp:71.171.1.121) at Feb 5 15:58:08
Feb 5 16:00:28 gvp-lin-230-026 postfix/anvil[8341]: statistics: max connection count 4 for (smtp:91.168.34.114) at Feb 5 15:51:59
Feb 5 16:00:28 gvp-lin-230-026 postfix/anvil[8341]: statistics: max cache size 4 at Feb 5 15:52:00
Feb 5 16:00:32 gvp-lin-230-026 postfix/smtpd[10786]: connect from leased-line-87-252-254-91.telecom.by[87.252.254.91]
Feb 5 16:00:32 gvp-lin-230-026 postfix/smtpd[10786]: B2E5A26000C: client=leased-line-87-252-254-91.telecom.by[87.252.254.91]
Feb 5 16:00:33 gvp-lin-230-026 postfix/cleanup[10795]: B2E5A26000C: message-id=<000f01c987bb$a89ff860$0539af34@Shop>
Feb 5 16:00:33 gvp-lin-230-026 postfix/qmgr[1791]: B2E5A26000C: from=<btconfirmation@jerlevnet.dk>, size=1726, nrcpt=1 (queue active)
Feb 5 16:00:33 gvp-lin-230-026 postfix/local[10797]: B2E5A26000C: to=<reject@gvp-lin-230-026.as16215.net>, orig_to=<blair@soundgallery.com>, relay=local, delay=1, delays=0.99/0/0/0.05, dsn=5.1.1, status=bounced (unknown user: "reject")
Feb 5 16:00:33 gvp-lin-230-026 postfix/cleanup[10794]: 8CD372600C7: message-id=<20090205150033.8CD372600C7@gvp-lin-230-026.as16215.net>
Feb 5 16:00:33 gvp-lin-230-026 postfix/bounce[10802]: B2E5A26000C: sender