Giant Postfix queue

#1 Tue, 09/11/2012 - 13:10
airshock

Hi all,

I've been noticing over the past few minutes that the CPU load averages on my server have been increasing rapidly, and upon investigation of the issue I observed that my Postfix queue contained 16,882 messages, all of which were spam from different e-mail addresses. These messages are being sent out from my server to external accounts, but they get deferred because external mail servers think my IP addresses are abusive (which I guess in a way they are, if the queue is full of spam).

Anyway, my question to all the Virtualmin users out there is, what's the cause of this giant queue of messages? My server is not set up as an open relay, and I have SASL SMTP authentication turned on and have even made the configuration file changes needed to allow the @ format usernames in Virtualmin.

Yet the mail queue keeps filling up with all these spam messages, and it's really bogging down my server. I'm running CentOS 6.3 64-bit with Virtualmin 3.94 GPL and Postfix 2.9.3, with SMTP authentication fully enabled but TLS disabled.

What can I do to prevent my server from being used to send spam, or set things up so that the queue doesn't accept these messages?

Thanks for any assistance provided. -Logan

Tue, 09/11/2012 - 14:09
andreychek

Howdy,

Chances are you're seeing one of two things.

One of your users may have gotten a virus on their home PC, and it may be using their Outlook settings to send email via your server. That's the least likely of the two things here, but it does happen.

Two, and the more likely culprit -- it's possible that a spammer broke into one of the web apps on your system, and is using that to send out spam from your server.

To figure out the cause of all this -- you'd need to look at the email headers, and look for any details in them that show where the email is originating from.

You should be able to determine from them what account is generating the email, for example. If it's because of a web app -- you would be able to determine the account, but maybe not the specific web app that they broke into. You may need to review the various files in that account, and figure out if one is a trojan or otherwise is malicious.

You can access your mail queue by going into Webmin -> Servers -> Postfix -> Mail Queue.

-Eric

Tue, 09/11/2012 - 14:46 (Reply to #2)
airshock

Hi Eric,

I've looked at the mail headers for several of the messages in the queue, but unfortunately none of them specify a script path or user name/ID normally found on messages sent from a script on one of my virtual servers. The headers simply state that my mail server received a message from, for example, host.domain.tld (1.2.3.4), which was received by my.mail.server (5.6.7.8) and then delivered to user@example.com (though delivery doesn't happen because the messages get bounced back or held in the queue).

Just about every one of these messages is spam, because any legitimate messages are usually delivered in a few seconds and removed from the queue.

It would appear at first glance that the machine is an open relay, because people are able to send mail from another machine through my server and out to the Internet, but all tests that I've done show the machine as a closed relay, and even Postfix is not configured to allow for message relaying.

I have seen in a few of the message headers that the mailer of the message is Microsoft Outlook Express, but this is not the case for all mail. Unfortunately, though, I don't know what percentage of mail in the queue was sent through Outlook, because I don't have the time or resources to go through all 16,882 messages.

Based on all this, how do you think I should proceed?

Thanks.

Tue, 09/11/2012 - 22:43
andreychek

I'd be surprised if your system was an open relay.

And a lot of spammers will set the mailer to Outlook Express, just to make it look a little less like spam.

It may help to look for email in the queue that is destined to a remote user and currently deferred; you should at that point be able to look in the Received headers and determine its origin.

If it's being generated locally, it should tell you what userid is generating the email.

You're welcome to paste in the email headers if you aren't quite sure.

-Eric
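Eric's advice above is to read the topmost Received header of deferred, remote-bound messages to find where each one entered the server. The script below is an added example, not code from the thread or from Virtualmin: it classifies a dump in the style of `postcat -q` output (a constructed sample with made-up hosts, addresses and queue IDs) by origin, separating a local userid (with the PHP script if PHP's mail.add_x_header recorded it), a SASL-authenticated account, and an unauthenticated client IP, and counts messages per origin.

```python
import re
from collections import Counter

# Constructed sample of four queued messages (header part of `postcat -q <ID>`
# output, separated by blank lines); not taken from the thread.
QUEUE_DUMP = """\
Received: from host.domain.tld (host.domain.tld [198.51.100.23])
\t(Authenticated sender: logan@example.com)
\tby my.mail.server (Postfix) with ESMTPA id 1A2B3C
To: victim@example.net

Received: by my.mail.server (Postfix, from userid 504)
X-PHP-Originating-Script: 504:wp-content/uploads/x.php

Received: from host.domain.tld (host.domain.tld [198.51.100.23])
\t(Authenticated sender: logan@example.com)
\tby my.mail.server (Postfix) with ESMTPA id 7G8H9I

Received: from mx.other.tld (mx.other.tld [203.0.113.9])
\tby my.mail.server (Postfix) with ESMTP id 0J1K2L
"""

AUTH_RE = re.compile(r"\(Authenticated sender: ([^)]+)\)")
LOCAL_RE = re.compile(r"\(Postfix, from userid (\d+)\)")
CLIENT_RE = re.compile(r"^from \S+ \(\S+ \[([0-9a-fA-F.:]+)\]\)")

def header(message, name):
    """Unfold continuation lines and return the first header called `name`."""
    flat = re.sub(r"\n[ \t]+", " ", message)
    m = re.search(rf"^{name}:[ \t]*(.*)$", flat, re.M | re.I)
    return m.group(1).strip() if m else ""

def classify(message):
    """(kind, detail) from the topmost Received header, the one this server added."""
    received = header(message, "Received")
    script = header(message, "X-PHP-Originating-Script")
    if m := LOCAL_RE.search(received):      # submitted locally via sendmail(1)
        return ("local-uid", m.group(1) + (f" ({script})" if script else ""))
    if m := AUTH_RE.search(received):       # SASL login; that password is compromised
        return ("sasl-account", m.group(1))
    client = CLIENT_RE.search(received)
    ip = client.group(1) if client else "unknown"
    if re.search(r"\bwith E?SMTPS?A\b", received):
        # Authenticated, but the user is only named when main.cf has
        # smtpd_sasl_authenticated_header = yes
        return ("sasl-unknown-user", ip)
    return ("unauthenticated-client", ip)   # accepted without auth: check relay rules

def triage(dump):
    """Count queued messages per origin so the noisiest source stands out."""
    return Counter(classify(m) for m in re.split(r"\n\s*\n", dump.strip()))
```

A real run would feed it the concatenated output of `postcat -q` for the deferred queue IDs listed by `postqueue -p`.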

Thu, 09/13/2012 - 16:57
airshock

I'm pleased to report that I've solved the issue of constantly having a large mail queue and constantly receiving spam on the server. I took the following steps to resolve the problem:

  • I turned on Virtualmin's DKIM features for all new and existing virtual servers, which I didn't know existed until I came across an article about it in the Virtualmin online documentation.
  • I re-configured Postfix to enforce better restrictions when it comes to mail that it handles, including many more SMTP recipient restrictions and other such settings.
  • Finally, I added RBL support to Postfix by adding a list of RBLs for it to check.

After having done all that, my mail queue has been pleasantly empty now for over 24 hours.

Hopefully laying out the steps I've taken will help other people who are experiencing high volumes of spam, before your servers get blacklisted (unfortunately mine already were when I began this process).

Thanks, -Logan
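Logan's fix was to tighten the Postfix recipient restrictions and add RBL lookups. As an added example (not Logan's actual configuration and not Virtualmin code), the script below audits a main.cf fragment for the gaps those steps close, using a constructed weak fragment next to a hardened one; the DNSBL zones and the exact restriction lists are assumptions, and the ordering check reflects how Postfix evaluates a restriction list: the first rule that returns PERMIT ends the evaluation.

```python
import re

# Constructed before/after main.cf fragments; neither is the poster's real file.
WEAK_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    permit, reject_unauth_destination
"""
HARDENED_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
"""
# Anything returning PERMIT before the unauth-destination check relays for that client.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
STOP_RULES = {"reject_unauth_destination", "defer_unauth_destination"}
# One rule per comma/space separated word, except reject_rbl_client plus its DNSBL zone.
RULE_RE = re.compile(r"reject_rbl_client\s+[^,\s]+|[^,\s]+")

def parse_main_cf(text):
    """Read `key = value` lines, joining indented continuation lines."""
    params, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            params[key] += " " + line.strip()
        elif "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params

def audit(text):
    """Return findings for one main.cf; an empty list means all checks pass."""
    params = parse_main_cf(text)
    rules = RULE_RE.findall(params.get("smtpd_recipient_restrictions", ""))
    findings = []
    stop = next((i for i, r in enumerate(rules) if r in STOP_RULES), len(rules))
    if stop == len(rules):
        findings.append("no reject_unauth_destination: relaying is unrestricted")
    for r in rules[:stop]:
        if r.startswith("permit") and r not in SAFE_PERMITS:
            findings.append(f"{r} runs before reject_unauth_destination: open relay")
    if not any(r.startswith("reject_rbl_client") for r in rules):
        findings.append("no reject_rbl_client: DNSBL-listed clients are not rejected")
    if params.get("smtpd_sasl_authenticated_header") != "yes":
        findings.append("smtpd_sasl_authenticated_header is not yes: SASL user not in Received")
    return findings
```

On Postfix 2.10 and later the relay decision moved to smtpd_relay_restrictions, so the same ordering check should be run against that parameter as well; the 2.9.3 in this thread only has smtpd_recipient_restrictions.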