My server appears to be trying to send out email with which I am not familiar

#1 Thu, 12/30/2010 - 04:26
jmunjr


When looking at /var/log/maillog I notice there are frequent attempts by postfix to send email to addresses I don't know.

e.g.

Dec 30 04:10:28 www2 postfix/smtp[11125]: 8699C172025B: to=censor39115512isochronous@soccerway.com, relay=aspmx.l.google.com[74.125.157.27]:25, delay=0.2,delays=0/0/0.16/0.04, dsn=5.1.1, status=bounced (host aspmx.l.google.com[74.125.157.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 t19si30706368yhi.62 (in reply to RCPT TO command))

I have never heard of censor39115512isochronous@soccerway.com and it looks like a spam address of some sort. My logs show all sorts of these usually with a different address each time.

I am not a Linux expert so I am a little unsure of how to proceed.

How can I find out from where that message originated? How do I find out if it is a bounce? Was it sent from an application? From another user? Which account? What should I do to address this?

Any help is appreciated.

FYI, I run a mailman mailing list and Yahoo has suddenly started deferring messages because they say I am sending unsolicited email, which is what got me investigating. Also my server is blacklisted by one organization for backscatter. I did make a modification to mailman's email aliases so users can no longer manage their subscriptions via email, for what that is worth.

Thank you in advance.

Thu, 12/30/2010 - 06:07
Locutus

The first thing I'd check is if the email address in question appears elsewhere in your mail logs. Postfix surely has a "reason" to try and send mail there, so that reason should occur somewhere in the logs.

Thu, 12/30/2010 - 08:28
andreychek

Are there any messages sitting in your mail queue now? If you run the command "mailq | tail -1", what output do you receive?

-Eric

Thu, 12/30/2010 - 13:39
jmunjr

Locutus, further inspection reveals that, yes, multiple attempts are being made to send that email, but I looked at two examples and in both the very first instance of the address is an email that was received. Is this a bounce issue?

Here is some info:

Dec 27 23:28:59 www2 postfix/qmgr[9237]: 3A32417201F9: from=discussantbW3701@dvb-brasil.org, size=5787, nrcpt=2 (queue active)
Dec 27 23:29:54 www2 postfix/qmgr[9237]: 7D65D17202BD: to=discussantbW3701@dvb-brasil.org, relay=none, delay=0.01, delays=0/0.01/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to dvb-brasil.org[62.233.121.75]$
Dec 27 23:50:35 www2 postfix/qmgr[9237]: 7D65D17202BD: to=discussantbW3701@dvb-brasil.org, relay=none, delay=1241, delays=1210/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to dvb-brasil.org[62.233.121.75$
Dec 28 00:23:54 www2 postfix/smtp[18214]: 7D65D17202BD: to=discussantbW3701@dvb-brasil.org, relay=none, delay=3240, delays=3210/0.17/30/0, dsn=4.4.1, status=deferred (connect to dvb-brasil.org[62.233.121.75]: Connection timed out)

and it keeps going...

If this is a bounce issue, how do I address it? If not, what do you think it is? AFAIK my server is not sending bounces. If I try to email a non-existent account on my server, the SMTP client gets an instant error message: "An error occurred while sending mail. The mail server responded: 5.1.1 blahblah@domain.com: Recipient address rejected: User unknown in virtual alias table. Please check the message recipient blahblah@domain.com and try again."

Is this configured properly?

Anyway, thanks for your help.

Thu, 12/30/2010 - 13:40
jmunjr

andreychek,

mailq | tail -1

yields:

-- 1827 Kbytes in 260 Requests.

Thu, 12/30/2010 - 13:50
andreychek

Okay, so that's saying there are 260 messages in your outgoing email queue.

Unless that's from a mailing list on your server -- it's a bit unusual to have that many messages in the queue... 20-30 messages might be a bit more typical.

The next step is to figure out what in the world those are, as well as what is generating them :-)

You can view the messages by logging into Virtualmin, and clicking Webmin -> Servers -> Postfix -> Mail Queue. Then, look at a few of the messages... do they look legitimate, or do they look like spam of some sort?

-Eric

Thu, 12/30/2010 - 13:59
jmunjr

The majority look like spam... a good handful are bounces from yahoo from my mailing lists, and some are bounces from the sbcglobal.net mail server for some email that is forwarded from an alias on one of my domains to an sbcglobal address.

But yeah by far mostly spam. Are these bounces?

Thanks again!

Thu, 12/30/2010 - 14:03
andreychek

Well, a common cause of what you're seeing can occur if there's a web app on your server that contains a security vulnerability, and a spam bot takes advantage of that vulnerability to send out spam.

You can get a rough idea from the headers of the emails in your mail queue where the emails are coming from.

However, it would also be a good idea to review all the web apps on your server, and make certain they're all at the latest revision.

-Eric

Thu, 12/30/2010 - 14:08
jmunjr

I considered that several weeks ago and tried to think of any and all that might be the cause, but honestly there is no way I could possibly cover everything on my server, and even if I could, how would I know if it is a problem?

You mention "rough idea". Can you elaborate?

Surely there is a way to identify what is sending mail on my server?

Thanks

Thu, 12/30/2010 - 14:13
andreychek

When you go into a given message in the Mail Queue screen, you can click the "View All Headers" link on the top-right. After you do that, look for the "Received" header. It should tell you what userid generated the email. That would at least limit your search down to a specific user.

-Eric
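To show what the "Received" header check above looks like outside the Webmin screen, here is an added example (not code from the thread or from Virtualmin). It assumes the standard Postfix submission header, "Received: by HOST (Postfix, from userid N) id QUEUEID; DATE", which Postfix adds when a local process hands mail to the sendmail command; the message below is constructed, and on a real server the headers would come from "postcat -q QUEUEID" run as root.

```shell
#!/bin/sh
# Added example, not from the thread: unfold the Received headers of a queued
# message and report which local userid (if any) submitted it to Postfix.
# Assumes the standard Postfix header "Received: by HOST (Postfix, from userid N)".

# Constructed sample message: one SMTP hop on top of one local submission.
SAMPLE_MSG=$(mktemp)
cat > "$SAMPLE_MSG" <<'EOF'
Received: from relay.example.net (relay.example.net [203.0.113.5])
	by www2.example.com (Postfix) with ESMTP id 3A32417201F9
	for <list@example.com>; Thu, 30 Dec 2010 04:10:28 -0600 (CST)
Received: by www2.example.com (Postfix, from userid 48)
	id 8699C172025B; Thu, 30 Dec 2010 04:10:27 -0600 (CST)
From: constructed sender <noreply@example.com>
To: recipient@example.invalid
Subject: constructed sample

body
EOF
MSG=${1:-$SAMPLE_MSG}

# Print each Received header on a single line (folded continuation lines joined),
# newest hop first, exactly as they are ordered in the message.
received_headers() {   # $1 message file
  awk '
    /^$/ { exit }                                   # blank line ends the header block
    /^[ \t]/ { if (keep) line = line " " substr($0, 2); next }   # continuation line
    { if (keep) print line; keep = ($0 ~ /^Received:/); line = $0 }
    END { if (keep) print line }
  ' "$1"
}

# The numeric userid that submitted the message locally; empty if it only
# ever arrived over SMTP (then the client IP in the Received header matters instead).
submitting_userid() {  # $1 message file
  received_headers "$1" \
    | sed -n 's/.*(Postfix, from userid \([0-9][0-9]*\)).*/\1/p' \
    | head -n 1
}

# Usage: list the hops, then the submitting userid.
received_headers "$MSG"
printf 'submitted locally by userid: %s\n' "$(submitting_userid "$MSG")"
```

Once you have the userid, "getent passwd NUMBER" turns it into an account name; if it resolves to the web server's own account rather than a mailbox user, that points at a web application rather than a person, which is the case Eric describes above.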

Thu, 12/30/2010 - 14:20
jmunjr

Hmmm, actually most of these are bounces, I think. As I mentioned, in the logs the unknown email addresses I see apparently all begin with a received email and then multiple attempts to send to that email address. This leads me to believe these are bounces.

Looking at the mail queue most of these unknown addresses are in the To field but the from is MAILER-DAEMON.

Thu, 12/30/2010 - 19:22
Locutus

That would match your statement that your server was blacklisted for producing backscatter (NDRs for spam).

The rather odd thing is: Postfix should reply to delivery attempts to unknown local recipients with a 550 error immediately, and not generate an NDR. You might want to pick one specific such email and "follow its trail", as in see what incoming mail starts it, and then follow the messages why Postfix would generate an NDR mail.

To do so, it might be useful to clear the queue and move away the current logs, so as to "start fresh" and not be confused by old entries.

It might also help to increase Postfix' log verbosity by adding the IP address of your server to "Webmin -> Servers -> Postfix Mail Server -> Debugging features : List of domains/networks..." and setting the "Verbose logging level" to 2 or 3.

Sun, 01/16/2011 - 23:38
jmunjr

OK, this is the problem:

Jan 16 04:02:48 www2 postfix/local[29945]: A44FA17201C0: to=blah-domain2.com@domain.com, orig_to=blah@domain.com, relay=local, delay=57, delays=1.1/0/0/56, dsn=5.2.0, status=bounced (can't create user output file)

The disk quota has been reached. How do I prevent bounces back to the sender when this happens?

Thx

Mon, 01/17/2011 - 11:12
andreychek

Howdy,

I'm unfortunately not aware of a way to do that.

Postfix (by default, at least) will generate a bounce if the program it tried to give the email to returned an error message.

The key would be to monitor for users who are at their quota. Virtualmin Pro offers an option to be emailed regularly with a quota report. You could accomplish something similar in Virtualmin GPL by running "repquota -a"... that's something you could put into a cron job.

-Eric
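Eric's "repquota -a" in a cron job, as an added example (not code from the thread or from Virtualmin): the script parses the standard repquota report (name, two status flags, block used/soft/hard, grace, inode used/soft/hard) and lists users who are over their block soft limit or within a chosen percentage of their hard limit, which is the state that produces the "can't create user output file" bounce above. The report below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: parse "repquota -a" output and report
# users who are over their block soft limit or close to their block hard limit.
# Assumes the standard repquota report layout; the report below is constructed.

SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
*** Report for user quotas on device /dev/sda1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  234568       0       0           8349     0     0
alice     +-  500000  400000  500000  6days    1200     0     0
bob       --    1200  400000  500000             40     0     0
carol     --  460000  480000  500000            310     0     0
EOF
# On a real server: repquota -a > "$REPORT" (as root), then run the checks below.
REPORT=${REPORT:-$SAMPLE_REPORT}

# Users whose block usage exceeds the soft limit; repquota flags them with a
# leading '+' in the two-character status column.
over_soft_limit() {   # $1 report file
  awk '$2 ~ /^[+-][+-]$/ && substr($2, 1, 1) == "+" { print $1 }' "$1"
}

# Users at or above PERCENT of their block hard limit (a hard limit of 0 means none),
# caught before they actually hit the limit and start bouncing mail.
near_hard_limit() {   # $1 percent, $2 report file
  awk -v pct="$1" \
    '$2 ~ /^[+-][+-]$/ && $5 > 0 && $3 * 100 >= pct * $5 { print $1 }' "$2"
}

# Usage: the one-line summary a cron job could mail to the administrator.
printf 'Over soft limit: %s\n' "$(over_soft_limit "$REPORT" | tr '\n' ' ')"
printf 'At >=90%% of hard limit: %s\n' "$(near_hard_limit 90 "$REPORT" | tr '\n' ' ')"
```

Run from cron, the output lands in the administrator's mailbox, so a user filling up can be dealt with before the local delivery agent fails and Postfix turns that failure into an NDR to the (often forged) sender.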
