I've installed a Postfix server on a Debian OS, and I've also installed Apache 2.0 with PHP on the same machine.
Several days ago my server began to send a lot of spam messages via Postfix. I understood the problem was caused by a bad Joomla patch and removed it (I totally removed the installed Joomla scripts). I also changed some of the Postfix configuration to make it more restrictive.
Now, after several days, when I start Postfix, it still begins to send spam immediately and slows the server down very badly. It seems that the source of this spam sending is local (an infected process), and I strongly suspect the Apache process is sending the spam (the Apache process itself, not a PHP script), because when I start Postfix a lot of Apache processes begin to be created. I really don't know how I should find and fix the infected process.
Can anybody help me solve this annoying problem?
This is part of the Postfix log output:
Apr 23 15:19:28 vs1419 postfix/qmgr[28017]: E061251F3F8: from=<[email protected]>, size=1514, nrcpt=1 (queue active)
Apr 23 15:19:28 vs1419 postfix/qmgr[28017]: A41D05F6749: from=<>, size=2803, nrcpt=1 (queue active)
Apr 23 15:19:28 vs1419 postfix/cleanup[29464]: 84C845F6736: message-id=<[email protected]>
Apr 23 15:19:28 vs1419 postfix/bounce[738]: E98C751E252: sender non-delivery notification: D6B205F6327
Apr 23 15:19:28 vs1419 postfix/qmgr[28017]: EECD3536B5D: from=<[email protected]>, size=697, nrcpt=1 (queue active)
Apr 23 15:19:28 vs1419 postfix/qmgr[28017]: E98C751E252: removed
Apr 23 15:19:28 vs1419 postfix/qmgr[28017]: 3C3D05F6381: from=<>, size=2458, nrcpt=1 (queue active)
Apr 23 15:19:28 vs1419 postfix/smtp[28318]: E458551E8ED: host mta6.am0.yahoodns.net[66.196.118.34] said: 451 Message temporarily deferred - [70] (in reply to end of DATA command)
Apr 23 15:19:29 vs1419 postfix/smtp[28400]: EA82F5FF024: host mx-apac.mail.gm0.yahoodns.net[106.10.166.54] said: 451 Message temporarily deferred - [140] (in reply to end of DATA command)
Apr 23 15:19:29 vs1419 postfix/smtp[29940]: EC039604A3C: host mta7.am0.yahoodns.net[66.196.118.35] said: 451 Message temporarily deferred - [140] (in reply to end of DATA command)
Apr 23 15:19:29 vs1419 postfix/smtp[28631]: E0C7461798B: to=<[email protected]>, relay=mta6.am0.yahoodns.net[66.196.118.34]:25, conn_use=3, delay=2667975, delays=2667974/0.05/0.67/0.82, dsn=2.0.0, status=sent (250 ok dirdel)
Apr 23 15:19:29 vs1419 postfix/smtp[28940]: E061251F3F8: host mta5.am0.yahoodns.net[66.196.118.240] said: 451 Message temporarily deferred - [160] (in reply to end of DATA command)
Apr 23 15:19:29 vs1419 postfix/smtp[29144]: EECD3536B5D: to=<[email protected]>, relay=mta6.am0.yahoodns.net[98.138.112.32]:25, conn_use=5, delay=2765684, delays=2765683/0.02/0.18/0.67, dsn=2.0.0, status=sent (250 ok dirdel)
Apr 23 15:19:29 vs1419 postfix/qmgr[28017]: E183C557933: from=<[email protected]>, size=1554, nrcpt=1 (queue active)
Apr 23 15:19:29 vs1419 postfix/qmgr[28017]: E0C7461798B: removed
Apr 23 15:19:29 vs1419 postfix/qmgr[28017]: EECD3536B5D: removed
Apr 23 15:19:29 vs1419 postfix/qmgr[28017]: D6B205F6327: from=<>, size=2582, nrcpt=1 (queue active)
Apr 23 15:19:29 vs1419 postfix/qmgr[28017]: BE7065F6708: removed
Apr 23 15:19:29 vs1419 postfix/qmgr[28017]: E4DA351AAE7: from=<[email protected]>, size=737, nrcpt=1 (queue active)
Apr 23 15:19:30 vs1419 postfix/bounce[29215]: E784951BE8E: sender non-delivery notification: 842BD5F63BF
Apr 23 15:19:30 vs1419 postfix/bounce[28641]: EE8C2603D05: sender non-delivery notification: 84C845F6736
Apr 23 15:19:30 vs1419 postfix/qmgr[28017]: 841F45F63BE: from=<>, size=2532, nrcpt=1 (queue active)
Apr 23 15:19:30 vs1419 postfix/bounce[28700]: E6A775FEBD9: sender non-delivery notification: 841F45F63BE
Apr 23 15:19:30 vs1419 postfix/smtp[28430]: EA7095374CF: to=<[email protected]>, relay=mta6.am0.yahoodns.net[66.196.118.35]:25, conn_use=4, delay=2726125, delays=2726124/0.65/0.14/0.42, dsn=5.0.0, status=bounced (host mta6.am0.yahoodns.net[66.196.118.35] said: 554 delivery error: dd This user doesn't have a yahoo.com account ([email protected]) [0] - mta1340.mail.bf1.yahoo.com (in reply to end of DATA command))
Apr 23 15:19:30 vs1419 postfix/smtp[28526]: ED56161741B: to=<[email protected]>, relay=mta7.am0.yahoodns.net[98.138.112.33]:25, conn_use=4, delay=2672213, delays=2672211/0.23/0.9/0.54, dsn=5.0.0, status=bounced (host mta7.am0.yahoodns.net[98.138.112.33] said: 554 delivery error: dd This user doesn't have a yahoo.com account ([email protected]) [0] - mta1110.mail.ne1.yahoo.com (in reply to end of DATA command))
Apr 23 15:19:30 vs1419 postfix/smtp[28381]: AA9075F6367: to=<[email protected]>, relay=mail.mysite1.example.net[79.175.164.237]:25, delay=5.4, delays=1.1/0.36/1.6/2.3, dsn=5.0.0, status=bounced (host mail.mysite1.example.net[79.175.164.237] said: 550 "Unknown User" (in reply to RCPT TO command))
Apr 23 15:19:30 vs1419 postfix/qmgr[28017]: E784951BE8E: removed
Apr 23 15:19:30 vs1419 postfix/qmgr[28017]: E6A775FEBD9: removed
Apr 23 15:19:30 vs1419 postfix/smtp[30003]: connect to hotmeil.com[64.4.6.100]:25: Connection timed out
Apr 23 15:19:30 vs1419 postfix/cleanup[30287]: 1867A5F6708: message-id=<[email protected]>
Apr 23 15:19:30 vs1419 postfix/smtp[28707]: E183C557933: to=<[email protected]>, relay=mta6.am0.yahoodns.net[66.196.118.34]:25, conn_use=4, delay=2706876, delays=2706875/0.81/0.14/0.91, dsn=2.0.0, status=sent (250 ok dirdel)
Apr 23 15:19:30 vs1419 postfix/qmgr[28017]: E906C53687E: from=<[email protected]>, size=727, nrcpt=1 (queue active)
Apr 23 15:19:30 vs1419 postfix/qmgr[28017]: EE8C2603D05: removed
Apr 23 15:19:30 vs1419 postfix/qmgr[28017]: E183C557933: removed
Apr 23 15:19:30 vs1419 postfix/qmgr[28017]: 84C845F6736: from=<>, size=2922, nrcpt=1 (queue active)
Apr 23 15:19:30 vs1419 postfix/qmgr[28017]: AA9075F6367: removed
Apr 23 15:19:30 vs1419 postfix/smtp[29940]: EC039604A3C: to=<[email protected]>, relay=mta7.am0.yahoodns.net[66.196.118.35]:25, conn_use=8, delay=2505679, delays=2505678/0.02/0.69/0.41, dsn=4.0.0, status=deferred (host mta7.am0.yahoodns.net[66.196.118.35] said: 451 Message temporarily deferred - [140] (in reply to end of DATA command))
Apr 23 15:19:30 vs1419 postfix/smtp[28615]: 3C4325F6703: to=<[email protected]>, relay=mail.mysite1.example.net[79.175.164.237]:25, conn_use=2, delay=3.6, delays=1.3/0.17/0.31/1.8, dsn=5.0.0, status=bounced (host mail.mysite1.example.net[79.175.164.237] said: 550 "Unknown User" (in reply to RCPT TO command))
Apr 23 15:19:30 vs1419 postfix/smtp[28318]: E458551E8ED: to=<[email protected]>, relay=mta6.am0.yahoodns.net[66.196.118.34]:25, conn_use=4, delay=2750102, delays=2750100/0.49/0.72/0.43, dsn=4.0.0, status=deferred (host mta6.am0.yahoodns.net[66.196.118.34] said: 451 Message temporarily deferred - [70] (in reply to end of DATA command))
Apr 23 15:19:30 vs1419 postfix/smtp[30164]: A41D05F6749: to=<[email protected]>, relay=mail.mysite1.example.net[79.175.164.237]:25, conn_use=2, delay=3.2, delays=1/0.03/0.31/1.8, dsn=5.0.0, status=bounced (host mail.mysite1.example.net[79.175.164.237] said: 550 "Unknown User" (in reply to RCPT TO command))
Apr 23 15:19:30 vs1419 postfix/smtp[30125]: EF587606F67: to=<[email protected]>, relay=mta6.am0.yahoodns.net[66.196.118.37]:25, delay=2453187, delays=2453182/0.14/2/3.4, dsn=4.0.0, status=deferred (host mta6.am0.yahoodns.net[66.196.118.37] said: 451 Message temporarily deferred - [140] (in reply to end of DATA command))
Apr 23 15:19:30 vs1419 postfix/smtp[28940]: E061251F3F8: to=<[email protected]>, relay=mta7.am0.yahoodns.net[98.138.112.35]:25, delay=2801108, delays=2801105/0.15/1.3/0.88, dsn=2.0.0, status=sent (250 ok dirdel)
Apr 23 15:19:31 vs1419 postfix/cleanup[29322]: C02C95F6706: message-id=<[email protected]>
Apr 23 15:19:31 vs1419 postfix/qmgr[28017]: E6680601A96: from=<[email protected]>, size=689, nrcpt=1 (queue active)
Apr 23 15:19:31 vs1419 postfix/qmgr[28017]: EC039604A3C: from=<[email protected]>, status=expired, returned to sender
Apr 23 15:19:31 vs1419 postfix/qmgr[28017]: E458551E8ED: from=<[email protected]>, status=expired, returned to sender
Apr 23 15:19:31 vs1419 postfix/qmgr[28017]: EF587606F67: from=<[email protected]>, status=expired, returned to sender
Apr 23 15:19:31 vs1419 postfix/qmgr[28017]: E061251F3F8: removed
Credits to: Gryphius, Jan Marek, MKzero, mgabriel and of course Wietse Venema for his wonderful piece of code (and documentation).
You should check that the Postfix queue is empty of spam...
When the outbreak happened (Joomla went wild), your Postfix probably received tons of spam. Postfix queued it, as the amount of email was huge. In case the remote server refused with a 4XX code, Postfix still stores the spam in the deferred queue. Here is the log line that tells us Yahoo refused to receive our email.
You can view the Postfix queue with the command
If you want to delete all email in the deferred queue (your spam likely sits in here), execute the command
or
to delete ALL email in ALL queues. Handle with care, as there might be other, non-spam messages in your queue too.
Both commands are shipped with Postfix. You can view the documentation: man postsuper and man postqueue.
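As an added illustration (not part of the question or the answer, and not a Postfix tool), the following POSIX shell script reads Postfix log lines in the format shown in the question and pulls out the three facts the answer relies on: how deliveries are ending (sent, deferred, bounced), which envelope senders are generating the volume (skipping the null sender, which is Postfix's own bounce traffic), and which queue IDs carry a delay of more than a day, meaning the message has been sitting in the queue since the outbreak and is merely being retried rather than freshly injected. The sample log lines, addresses, relay hosts and queue IDs are constructed for the example and are not taken from any real server.

```shell
#!/bin/sh
# Added triage helper for a Postfix mail.log during a spam outbreak (example code,
# not from the original post). It only reads log text; it never touches the queue.

# Constructed sample lines modelled on the log in the question. Addresses, relay
# hosts, IPs and queue IDs are made up for the example.
SAMPLE_LOG='Apr 23 15:19:28 vs1419 postfix/qmgr[28017]: E061251F3F8: from=<spammer@example.org>, size=1514, nrcpt=1 (queue active)
Apr 23 15:19:28 vs1419 postfix/qmgr[28017]: A41D05F6749: from=<>, size=2803, nrcpt=1 (queue active)
Apr 23 15:19:29 vs1419 postfix/smtp[28631]: E0C7461798B: to=<victim1@example.com>, relay=mta6.example.net[203.0.113.10]:25, delay=2667975, delays=2667974/0.05/0.67/0.82, dsn=2.0.0, status=sent (250 ok)
Apr 23 15:19:30 vs1419 postfix/smtp[28430]: EA7095374CF: to=<victim2@example.com>, relay=mta6.example.net[203.0.113.10]:25, delay=2726125, delays=2726124/0.65/0.14/0.42, dsn=5.0.0, status=bounced (host said: 554 no such user)
Apr 23 15:19:30 vs1419 postfix/smtp[29940]: EC039604A3C: to=<victim3@example.com>, relay=mta7.example.net[203.0.113.11]:25, delay=2505679, delays=2505678/0.02/0.69/0.41, dsn=4.0.0, status=deferred (host said: 451 Message temporarily deferred)
Apr 23 15:19:30 vs1419 postfix/smtp[30164]: A41D05F6749: to=<postmaster@example.org>, relay=mail.example.org[203.0.113.20]:25, delay=3.2, delays=1/0.03/0.31/1.8, dsn=2.0.0, status=sent (250 ok)
Apr 23 15:19:31 vs1419 postfix/qmgr[28017]: E6680601A96: from=<spammer@example.org>, size=689, nrcpt=1 (queue active)
Apr 23 15:19:31 vs1419 postfix/qmgr[28017]: F1234567890: from=<alice@example.org>, size=700, nrcpt=1 (queue active)'

# Count delivery outcomes (sent / deferred / bounced) from the smtp lines.
# Output: one "status=count" per line, sorted by status name.
delivery_status_counts() {
    printf '%s\n' "$1" \
        | sed -n 's/.*status=\([a-z]*\).*/\1/p' \
        | sort | uniq -c \
        | awk '{ print $2 "=" $1 }' | sort
}

# Count messages per envelope sender as the queue manager activates them.
# The null sender "<>" is skipped: those are Postfix's own non-delivery
# notifications, i.e. backscatter caused by the spam, not a new source of it.
# Output: one "sender=count" per line, busiest sender first.
sender_counts() {
    printf '%s\n' "$1" \
        | sed -n 's/.*postfix\/qmgr\[[0-9]*\]: [0-9A-F]*: from=<\([^>]*\)>.*(queue active).*/\1/p' \
        | grep -v '^$' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2 "=" $1 }'
}

# List queue IDs whose delay (seconds since the message entered the queue)
# exceeds a threshold, one day by default. A delay in the millions of seconds
# means the message is a leftover from the outbreak that Postfix keeps
# retrying; it will stop only when it is removed from the queue.
# $1 = log text, $2 = threshold in seconds (optional).
stale_queue_ids() {
    threshold=${2:-86400}
    printf '%s\n' "$1" \
        | awk -v t="$threshold" '
            match($0, /delay=[0-9.]+/) {
                d = substr($0, RSTART + 6, RLENGTH - 6) + 0
                if (d > t) print $6          # $6 is the queue ID plus a colon
            }' \
        | sed 's/:$//' | sort -u
}

echo "Delivery outcomes:";            delivery_status_counts "$SAMPLE_LOG"
echo "Envelope senders (active):";    sender_counts "$SAMPLE_LOG"
echo "Stale queue IDs (> 1 day old):"; stale_queue_ids "$SAMPLE_LOG"
```

On a real Debian box the input would be the text of /var/log/mail.log rather than the embedded sample. The script is read-only; the queue itself is inspected and emptied with the Postfix tools the answer points at, `postqueue -p` to list it and `postsuper -d ALL deferred` or `postsuper -d ALL` to delete the deferred queue or everything, as described in man postqueue and man postsuper. Running the stale-ID check first lets you confirm that what Postfix keeps sending is old queue content (large delay values) before deleting it, and the sender counts tell you whether any live sender is still injecting mail after the queue is cleared.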