Apologies if this is the wrong section (maybe better in serverfault?)
Recently, in doing a check of the logs, I've found our system was for the last several days constantly attempting to mail somebody. Below is a copy of the mail log excerpt:
May 4 17:14:51 li240-237 sm-mta[22961]: p3UN9oiX011581: to=<REDACTED@REDACTED.com>, delay=3+18:05:01, xdelay=00:00:01, mailer=esmtp, pri=48812230, relay=mx3.REDACTED*.com. [REDACTED], dsn=4.0.0, stat=Deferred: Connection refused by mx3.REDACTED*.com.
Does anyone have any ideas why so many attempts have been made and if I can track where these attempts are coming from? We do have a PHP-based form which sends out an email to people upon confirmation of the submission and utilizes SwiftMailer. Could this be constantly attempting to send the email for some reason?
My account has not been compromised and is the only one on the server aside from the root. The only other thought is someone attempting to send emails via our server's port 25...
Any ideas?
Mail Transfer Agents (MTAs) typically retry sending mail if the recipient's mail-server is unavailable. Usually they keep trying for several days. So this can occur if a user or program on your LAN genuinely sent a single email to someone whose mail-server is unavailable.
If you have a web-page that allows people to send e-mail, these are typically attacked by spammers to use them as relays for their spam. It is easier for them to get your computer to send out millions of spam messages than to buy their own computers, plus if your ISP disconnects you for spamming, the spammer has plenty of other victims whose computers they can use. So ensure your PHP scripts sanitize all input. It is best to use scripts that have been explicitly developed with security in mind.
Also check that your MTA is configured to block relaying.
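A quick way to tell the two cases apart in the answer above (one message being retried by the MTA for days versus many distinct messages leaving the box) is to group the sm-mta "to=" lines by queue ID. The script below is an added example, not code from the question or the answer; the log lines in it are constructed with example.com/net/org placeholders and reuse the queue ID from the question's excerpt.

```python
import re
from collections import defaultdict

# Shape of the sendmail/sm-mta delivery-attempt line shown in the question:
# "<mon> <day> <hh:mm:ss> <host> sm-mta[<pid>]: <queueid>: to=<addr>, delay=..., ..., stat=<status>"
# Lines of other kinds (from=, etc.) do not match and are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]+): to=<(?P<to>[^>]*)>, delay=(?P<delay>[^,]+), "
    r".*?stat=(?P<stat>.*)$"
)

# Constructed sample: the same queue ID retried over ~4 days (one deferred message),
# plus two unrelated messages to other recipients that were delivered at once.
SAMPLE = """\
May  1 23:10:02 li240-237 sm-mta[11581]: p3UN9oiX011581: to=<user@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx3.example.com. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection refused by mx3.example.com.
May  4 17:14:51 li240-237 sm-mta[22961]: p3UN9oiX011581: to=<user@example.com>, delay=3+18:05:01, xdelay=00:00:01, mailer=esmtp, pri=48812230, relay=mx3.example.com. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection refused by mx3.example.com.
May  4 17:20:03 li240-237 sm-mta[22970]: p44HK3ab022970: to=<someone@example.net>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30000, relay=mx.example.net. [198.51.100.5], dsn=2.0.0, stat=Sent (OK)
May  4 17:20:04 li240-237 sm-mta[22971]: p44HK4cd022971: to=<other@example.org>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30000, relay=mx.example.org. [198.51.100.6], dsn=2.0.0, stat=Sent (OK)
"""

def parse_attempts(lines):
    """Map queue ID -> list of delivery attempts (dicts with ts/to/delay/stat)."""
    by_qid = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            by_qid[m["qid"]].append(m.groupdict())
    return dict(by_qid)

def summarize(lines):
    """One queue ID with many attempts is normal MTA retrying of a single message.
    Many queue IDs to many recipients in a short window is the pattern worth
    investigating (e.g. a web form being used as a relay)."""
    by_qid = parse_attempts(lines)
    return {
        "messages": len(by_qid),
        "attempts": sum(len(v) for v in by_qid.values()),
        "recipients": sorted({a["to"] for v in by_qid.values() for a in v}),
        "retried": sorted(q for q, v in by_qid.items() if len(v) > 1),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```

Run it against the real maillog instead of SAMPLE (`summarize(open("/var/log/maillog"))`); a large "messages" count with a "retried" list that stays short is the relay-abuse signature, while a single retried queue ID is just the MTA doing its job.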