Postfix sending thousands of emails

I have recently run into an issue with one of my servers that is running Virtualmin. I had an issue about a month back where I was getting many failed logins from different IP addresses for my root user. Now recently I have been getting emails stating that I have been reported for high spam-count emails from multiple sources. After looking into the issue I have found that Postfix has sent more than 800,000 emails over the past 3 days, and none of my sites' emails are currently able to send outgoing mail.

After inspecting the /var/log/mail.log I am seeing this:

Dec 2 12:03:48 kodyhusky postfix/error[9899]: EBA351C039BA: to=customers@network.com, relay=none, delay=23069, delays=23069/0.31/0/0.14, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to network.com[160.34.1.130]:25: Connection timed out)
Dec 2 12:03:48 kodyhusky postfix/error[9873]: 4AAED1C03B1D: to=cust@team.com, relay=none, delay=23054, delays=23053/0.3/0/0.16, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx3.expertcity.com[216.219.126.8]:25: Connection timed out)
Dec 2 12:03:48 kodyhusky postfix/error[9871]: 4D0B61C03BB2: to=review@network.com, relay=none, delay=14673, delays=14672/0.3/0/0.16, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to network.com[160.34.1.130]:25: Connection timed out)
Dec 2 12:03:48 kodyhusky postfix/error[9866]: 8CA8F1C03BBE: to=intl2@network.com, relay=none, delay=14646, delays=14645/0.31/0/0.14, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to network.com[160.34.1.130]:25: Connection timed out)
Dec 2 12:03:48 kodyhusky postfix/error[9919]: 211411C03B1C: to=guard@team.com, relay=none, delay=23049, delays=23049/0.3/0/0.15, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx3.expertcity.com[216.219.126.8]:25: Connection timed out)
Dec 2 12:03:48 kodyhusky postfix/error[9888]: 8BE421C03B9C: to=clients@network.com, relay=none, delay=14679, delays=14678/0.31/0/0.14, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to network.com[160.34.1.130]:25: Connection timed out)
Dec 2 12:03:48 kodyhusky postfix/error[9927]: 82D0B1C03AC8: to=guard@team.com, relay=none, delay=6270, delays=6269/0.31/0/0.17, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx3.expertcity.com[216.219.126.8]:25: Connection timed out)

I have had to shut down all of my personal websites, as this issue appears to be a high security risk, and I am trying to find a way to fix it. Would anyone be willing to give any advice on how to solve this issue?

The machine I have is currently running Ubuntu 14.04.3 LTS and the latest version of Virtualmin with all updates installed.
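A first-pass triage of the mail.log excerpt above, written as an added example for this thread (it is not from the original poster or from Virtualmin). It tallies deferred deliveries by unreachable relay, by recipient domain and by hour, and lists who injected the mail (SASL-authenticated SMTP logins and local pickup uids), which is the fastest way to tell a compromised mailbox from a compromised website. The log lines in the sample file are constructed to follow the format shown in the post, using documentation hostnames and IPs; point `SAMPLE` at /var/log/mail.log to run it for real.

```shell
#!/bin/sh
# Added example: triage a Postfix mail.log during a mass-mailing incident.

# Count log lines carrying a given delivery status (deferred, sent, bounced).
count_status() {   # $1 = logfile, $2 = status
    grep -c "status=$2" "$1" || true   # grep -c exits 1 on zero matches; keep the count
}

# Remote hosts Postfix could not connect to, most frequent first.
top_relays() {     # $1 = logfile  -> "count host ip"
    sed -n 's/.*connect to \([^[]*\)\[\([^]]*\)\]:25.*/\1 \2/p' "$1" | sort | uniq -c | sort -rn
}

# Recipient domains, most frequent first. Accepts to=<user@dom> and to=user@dom.
top_rcpt_domains() {   # $1 = logfile  -> "count domain"
    sed -n 's/.* to=<\{0,1\}[^@]*@\([^,>]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Delivery attempts per hour, to see when the burst started.
volume_by_hour() { # $1 = logfile  -> "count Mon Day HH"
    awk '/status=/ { print $1, $2, substr($3, 1, 2) }' "$1" | sort | uniq -c
}

# Who injected the mail: SASL-authenticated SMTP clients (a stolen mailbox
# password) and local pickup submissions by uid (uid 33 is www-data on Ubuntu,
# i.e. a web script calling sendmail/PHP mail()).
submitters() {     # $1 = logfile  -> "count sasl:user" / "count local:name(uid=N)"
    {
        sed -n 's/.*sasl_username=\([^, ]*\).*/sasl:\1/p' "$1"
        sed -n 's/.*postfix\/pickup.*uid=\([0-9]*\) from=<\([^>]*\)>.*/local:\2(uid=\1)/p' "$1"
    } | sort | uniq -c | sort -rn
}

# Constructed sample log (documentation hosts/IPs), in the format seen in the post.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Dec 2 11:58:00 mailhost postfix/smtpd[2001]: 82D0B1C03AC8: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=info@site.example
Dec 2 12:03:40 mailhost postfix/pickup[1234]: 8BE421C03B9C: uid=33 from=<www-data>
Dec 2 12:03:41 mailhost postfix/pickup[1234]: EBA351C039BA: uid=33 from=<www-data>
Dec 2 12:03:48 mailhost postfix/error[9899]: EBA351C039BA: to=<customers@example.com>, relay=none, delay=23069, delays=23069/0.31/0/0.14, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to example.com[192.0.2.10]:25: Connection timed out)
Dec 2 12:03:48 mailhost postfix/error[9873]: 4AAED1C03B1D: to=<review@example.com>, relay=none, delay=23054, delays=23053/0.3/0/0.16, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to example.com[192.0.2.10]:25: Connection timed out)
Dec 2 12:03:49 mailhost postfix/error[9871]: 4D0B61C03BB2: to=<guard@example.org>, relay=none, delay=14673, delays=14672/0.3/0/0.16, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.example.org[198.51.100.7]:25: Connection timed out)
Dec 2 13:10:02 mailhost postfix/error[9866]: 8CA8F1C03BBE: to=<intl2@example.com>, relay=none, delay=14646, delays=14645/0.31/0/0.14, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to example.com[192.0.2.10]:25: Connection timed out)
Dec 2 13:10:02 mailhost postfix/error[9919]: 211411C03B1C: to=<cust@example.org>, relay=none, delay=23049, delays=23049/0.3/0/0.15, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.example.org[198.51.100.7]:25: Connection timed out)
Dec 2 13:10:03 mailhost postfix/smtp[9950]: 1F3A21C03C01: to=<owner@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A2B3C)
EOF

echo "deferred: $(count_status "$SAMPLE" deferred)   sent: $(count_status "$SAMPLE" sent)"
echo "--- unreachable relays ---";  top_relays "$SAMPLE"
echo "--- recipient domains ---";   top_rcpt_domains "$SAMPLE"
echo "--- volume per hour ---";     volume_by_hour "$SAMPLE"
echo "--- who submitted mail ---";  submitters "$SAMPLE"
```

The outbreak signature in the question is exactly what this surfaces: thousands of queue IDs deferred with dsn=4.4.1 to a handful of domains. The `submitters` output is the decisive part: a pile of `sasl:` entries for one mailbox means a stolen mail password (change it, then clear the queue), while `local:www-data(uid=33)` entries mean a web script is calling mail(), so the fix is on the website side.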

Howdy,

You may want to look at some of the emails in your queue, in order to determine where they are coming from.

It’s likely either an email account that’s been compromised, or a website that has been compromised.

Reviewing the emails in question should give you an idea of where they are coming from – in particular, the email headers can show that.

You can view the mail queue by going into Webmin -> Servers -> Postfix -> Mail Queue.

There, check out the email headers of a few of the messages in there, and see if you can determine a common account for the messages.

If you’re having trouble figuring that out, feel free to post the email headers from one of the spam messages here.

-Eric

Hey Eric,

Thank you very much for the quick response! I have attached an image of one of the headers from the messages. It appears as though all of the messages are coming from the MAILER-DAEMON(a^t)kodyhusky.com account, although I'm not sure how to go about stopping the messages, as it is not a user account that I previously added to the server.

-Kody

Anything from the mailer-daemon is probably a bounce from the initial email that went out.

If all of them are from the same domain though, that is interesting.

It would help to be able to see the headers though – could you click the “View all Headers” button, and paste in the headers that you see when doing that?

After getting those headers, you may want to try deleting all the messages from the queue that are from the mailer-daemon, and just see what’s in there after that.

You can do that by performing a search on the word “mailer-daemon” in the Mail Queue section of Webmin, which will then allow you to delete the resulting messages.

Once you do that, it may be a little easier to figure out what’s going on there.

-Eric
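The queue inspection Eric describes (find the common account, then clear the MAILER-DAEMON bounces) can also be done from a shell on the server. The functions below are an added example, not from the thread or from Virtualmin: they parse the listing that `postqueue -p` (alias `mailq`) prints, and the listing embedded here is constructed in that format so the script runs without a Postfix install. Queue IDs and addresses are made up.

```shell
#!/bin/sh
# Added example: triage the Postfix queue listing from "postqueue -p".
# Listing format: an ID line "QUEUEID[*|!] SIZE DATE SENDER" (* = active, ! = on
# hold), optional indented "(reason)" line, indented recipient lines, blank line.

# Envelope senders with message counts, most frequent first.
senders_summary() {
    awk '/^[0-9A-Za-z]+[*!]? / { print $NF }' | sort | uniq -c | sort -rn
}

# Queue IDs of messages whose envelope sender matches the awk regex $1.
# Bounces have an empty sender, which postqueue shows as MAILER-DAEMON.
ids_from_sender() {
    awk -v pat="$1" '/^[0-9A-Za-z]+[*!]? / { id = $1; sub(/[*!]$/, "", id); if ($NF ~ pat) print id }'
}

# Queue IDs of messages with at least one recipient matching the awk regex $1.
ids_to_recipient() {
    awk -v pat="$1" '
        /^[0-9A-Za-z]+[*!]? / { id = $1; sub(/[*!]$/, "", id); done = 0; next }
        /^[[:space:]]/ && $1 !~ /^\(/ && !done && $1 ~ pat { print id; done = 1 }'
}

# Constructed queue listing in postqueue -p format (made-up IDs and addresses).
QUEUE_SAMPLE=$(cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
00B2B1C03B5F      5231 Wed Dec  2 10:19:26  MAILER-DAEMON
                                         customers@example.com

061FD1C0555E*     8765 Fri Nov 27 12:01:42  review@verified.example
   (connect to example.com[192.0.2.10]:25: Connection timed out)
                                         account@example.com
                                         sales@example.com

4AAED1C03B1D      4120 Wed Dec  2 09:50:01  MAILER-DAEMON
                                         guard@example.org

8CA8F1C03BBE!     9001 Fri Nov 27 12:02:10  review@verified.example
                                         intl2@example.com

-- 27 Kbytes in 4 Requests.
EOF
)

echo "--- messages per envelope sender ---"
printf '%s\n' "$QUEUE_SAMPLE" | senders_summary
echo "--- bounce queue IDs (candidates for deletion) ---"
printf '%s\n' "$QUEUE_SAMPLE" | ids_from_sender '^MAILER-DAEMON$'
echo "--- IDs addressed to example.org ---"
printf '%s\n' "$QUEUE_SAMPLE" | ids_to_recipient '@example[.]org$'
```

On the live server, replace the sample with the real listing: `postqueue -p | senders_summary` answers Eric's "common account" question directly, and `postqueue -p | ids_from_sender '^MAILER-DAEMON$' | postsuper -d -` is the shell equivalent of the Webmin search-and-delete (`postsuper -d -` reads queue IDs from standard input). Before deleting anything, `postsuper -h ALL` puts the whole queue on hold so nothing further leaves while you look, and `postcat -qh QUEUEID` prints the full headers of one queued message, which is what Eric asks for in the next step.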

Hey Eric,

Here is the expanded version of the headers:

Received: by kodyhusky.com (Postfix) id 00B2B1C03B5F; Wed, 2 Dec 2015 10:19:26 -0500 (EST)
Date: Wed, 2 Dec 2015 10:19:26 -0500 (EST)
From: MAILER-DAEMON(a^t)kodyhusky.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: customers@team.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="9B8D71C04E61.1449069566/kodyhusky.com"
Message-Id: <20151202151926.00B2B1C03B5F(a^t)kodyhusky.com>

After removing the mailer-daemon messages I now have around 100 messages left that have this heading:

Received: from XXX.XXX.XXX.XXX (unknown [190.116.12.67]) by kodyhusky.com (Postfix) with ESMTP id 061FD1C0555E; Fri, 27 Nov 2015 12:01:42 -0500 (EST)
Message-ID: 4d7506c6f7f2642fdd83d43abc2b94dd@verified.com
From: PayPal Services review@verified.com
Subject: Account Verification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="5c7e98f7af161031cbebdc58dbbc89a9"

I replaced my IP address with XXX.XXX.XXX.XXX above. On the full mail queue list, all of these messages show different From addresses that look as though they are the same addresses that were shown before, like account@team.com. Also, all of these messages appear to include .html file attachments.

-Koda

After removing those messages, has the mail queue grown again? Or is it still at around 100-ish messages?

-Eric

I would enable all your websites but disable the PHP mail function, and then monitor your logs. If the situation is clear, that means some of your websites got hacked and you know where to start looking.

Fail2ban is a good solution to keep brute-force attacks away, but now you first need to deal with your current problem. Another problem could be a weak password, or Postfix for some reason being set to work as an open relay.
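A way to act on the "disable PHP mail and watch the logs" suggestion that also tells you which script is responsible. This is an added example, not from the poster above or from Virtualmin: the php.ini directives `mail.add_x_header` and `mail.log` are real PHP settings (5.3 and later) that stamp every mail() call with an `X-PHP-Originating-Script` header and write a line to a log file; `disable_functions = mail` is the blunt switch the post suggests. The conf.d path, the log path (which the web server user must be able to write) and the log lines below are assumptions constructed for the example, following the format PHP writes to mail.log.

```shell
#!/bin/sh
# Added example: make PHP mail() calls attributable, then find the sending script.

# php.ini fragment. $1 is the destination file; on Ubuntu 14.04 that would be a
# file under /etc/php5/apache2/conf.d/ (or the conf.d of whichever SAPI runs the
# sites). Restart the web server after writing it.
write_php_mail_ini() {   # $1 = destination file
    cat >"$1" <<'EOF'
; added by the incident-triage example
mail.add_x_header = On
mail.log = /var/log/php_mail.log
; to stop web scripts sending entirely (the approach suggested in the thread):
; disable_functions = mail
EOF
}

# Scripts that called mail(), most frequent first.
top_php_mail_scripts() {   # $1 = PHP mail.log  -> "count /path/script.php"
    sed -n 's/.*mail() on \[\([^]]*\):[0-9]*\]:.*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Recipients addressed by one script, one per line.
recipients_of_script() {   # $1 = PHP mail.log, $2 = script path
    grep -F "mail() on [$2:" "$1" | sed -n 's/.*: To: \([^ ]*\) -- .*/\1/p'
}

# Constructed sample of PHP's mail.log (paths and addresses are made up).
PHPLOG=$(mktemp)
cat >"$PHPLOG" <<'EOF'
[02-Dec-2015 10:19:26 UTC] mail() on [/home/site1/public_html/wp-content/uploads/cache.php:14]: To: customers@example.com -- Headers: From: PayPal Services <review@verified.example>
[02-Dec-2015 10:19:27 UTC] mail() on [/home/site1/public_html/wp-content/uploads/cache.php:14]: To: guard@example.org -- Headers: From: PayPal Services <review@verified.example>
[02-Dec-2015 10:19:27 UTC] mail() on [/home/site1/public_html/wp-content/uploads/cache.php:14]: To: intl2@example.com -- Headers: From: PayPal Services <review@verified.example>
[02-Dec-2015 10:21:00 UTC] mail() on [/home/site2/public_html/contact.php:41]: To: owner@example.net -- Headers: From: contact@site2.example
EOF

INI=$(mktemp)
write_php_mail_ini "$INI"
echo "--- php.ini fragment written to $INI ---"; cat "$INI"
echo "--- scripts calling mail() ---"
top_php_mail_scripts "$PHPLOG"
echo "--- recipients of the top script ---"
recipients_of_script "$PHPLOG" /home/site1/public_html/wp-content/uploads/cache.php
```

A PHP file under wp-content/uploads that sends mail, as in the constructed sample, is the typical picture of a compromised site: something was uploaded through a vulnerable plugin or stolen FTP credentials and is being run by the web server. Once `mail.add_x_header` is on, the same information is in each queued message, so `postcat -qh QUEUEID | grep X-PHP-Originating-Script` works on the queue that is already there.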

Well, I regretfully say that I am unsure if it grew back or not. The host I was working with also got reports of a high spam count from the IP before I got everything shut down, and has disabled the server as being in violation of their terms. Thank you so much for your help though!

Any decent host will give you the chance to sort out your problem, but if you didn't react immediately then I'm sorry to say, but they (the host) have full right to take such action.