Old 11-02-2013, 07:21 AM   #1
proNick
Member
 
Registered: Apr 2005
Posts: 104

Rep: Reputation: 15
[Postfix] Who sends a large amount of emails?


Hello,

For some reason my server is reported as a spam server.

I checked, and I think that it's not compromised, so I can guess that some other machine on my network is the one that sends a large number of emails due to some virus infection or something...

If I'm right in all of the above, can you help me with how to check the logs to find which machine in my network sends all of those emails? Can I grep the mail logs to get some kind of statistics on who sends so many emails?

Thank you in advance!

Last edited by proNick; 11-04-2013 at 06:57 AM.
 
Old 11-02-2013, 09:41 AM   #2
Habitual
LQ Addict
 
Registered: Jan 2011
Location: Youngstown, Ohio
Distribution: LM17.1/Xfce4.11.8
Posts: 7,195
Blog Entries: 10

Rep: Reputation: 1985
http://www.catb.org/esr/faqs/smart-questions.html
http://www.linuxquestions.org/questi...erences-45261/
 
Old 11-04-2013, 05:31 AM   #3
proNick
Member
 
Registered: Apr 2005
Posts: 104

Original Poster
Rep: Reputation: 15
I picked up more information about this incident...

Regarding this link http://www.howtoforge.com/forums/arc...p/t-61738.html, I checked my server, and by running postqueue -p and then the postcat /var/spool/postfix/deferred/5/59099161136C command, I get results like the following:

Code:
[root@XYZ deferred]# postcat /var/spool/postfix/deferred/5/59099161136C
*** ENVELOPE RECORDS /var/spool/postfix/deferred/5/59099161136C ***
message_size:            1993            4865              50               0
message_arrival_time: Fri Nov  1 20:56:29 2013
create_time: Fri Nov  1 20:56:29 2013
named_attribute: rewrite_context=local
sender: webmaster@nnpc.org
named_attribute: log_client_name=localhost
named_attribute: log_client_address=127.0.0.1
named_attribute: log_message_origin=localhost[127.0.0.1]
named_attribute: log_helo_name=XYZ.com
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost
named_attribute: reverse_client_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=XYZ.com
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;kenshin-0001@163.com
original_recipient: kenshin-0001@163.com
done_recipient: kenshin-0001@163.com
named_attribute: dsn_orig_rcpt=rfc822;kentone@amaranthcu.mb.com.au.au
original_recipient: kentone@amaranthcu.mb.com.au.au
done_recipient: kentone@amaranthcu.mb.com.au.au
named_attribute: dsn_orig_rcpt=rfc822;kens2337@aol.com
original_recipient: kens2337@aol.com
recipient: kens2337@aol.com
named_attribute: dsn_orig_rcpt=rfc822;kensams@aol.com

....... lots of similar lines here

original_recipient: kentrez_123@yahoo.com
recipient: kentrez_123@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;kentai9999@yahoo.com.au
original_recipient: kentai9999@yahoo.com.au
recipient: kentai9999@yahoo.com.au
named_attribute: dsn_orig_rcpt=rfc822;kent858@yahoo.com.cn
original_recipient: kent858@yahoo.com.cn
done_recipient: kent858@yahoo.com.cn
*** MESSAGE CONTENTS /var/spool/postfix/deferred/5/59099161136C ***
Received: from XYZ.com (localhost [127.0.0.1])
        by localhost (Postfix) with ESMTP id 59099161136C;
        Fri,  1 Nov 2013 20:56:29 +0100 (CET)
Received: from User (localhost [127.0.0.1])
        by XYZ.com (Postfix) with SMTP id EC919161134F;
        Fri,  1 Nov 2013 20:55:55 +0100 (CET)
Reply-To: <nnpc73@mail.ru>
From: "Nigerian National Petroleum Corporation (NNPC)"<webmaster@nnpc.org>
Subject: please call me on investment plan!!!
Date: Fri, 1 Nov 2013 19:56:35 +0100
MIME-Version: 1.0
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20131101195555.EC919161134F@XYZ.com>
To: undisclosed-recipients:;
X-Virus-Scanned: ClamAV using ClamSMTP

I am the Chief Audit/Account Executive officer, Nigerian National Petroleum Corporation (NNPC) attached to the Central Bank of Nigeria (CBN) Apex bank.

I write to inquire your interest in a business transaction which involves huge amount secured in our (NNPC) escrow account with the Central Bank of Nigeria (CBN). The fund was an over-invoiced contract award amount which was abandoned and undisclosed over the years due to the fact that the account was sealed/blocked with high security device Microchips by the predecessors (to prevent any intruder's accessibility) who were chased out of offices by this present Civilian Administration of President Goodluck Ebele Jonathan of Federal Republic of Nigeria.

I seek your interest for the purpose of establishing a joint venture on Real Estate and Tourist Centre oversea with the fund upon claimed.please if you are interested, kindly contact me immediately with your full name or direct telephone number and nature of Business.I shall unfold details on how we shall go about the claim upon your reply.

Best regards,

Musa Adebayo (Chief Audit/Account).
+2348026612263
*** HEADER EXTRACTED /var/spool/postfix/deferred/5/59099161136C ***
*** MESSAGE FILE END /var/spool/postfix/deferred/5/59099161136C ***

Can you help me with what the next step would be to identify who sent emails like this?
 
Old 11-04-2013, 08:36 AM   #4
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,133

Rep: Reputation: 2273
Probably you can try to check low-level network traffic (SMTP port) and look for keywords like "Adebayo" or "Niger".
 
Old 11-04-2013, 10:06 AM   #5
hpfeil
Member
 
Registered: Nov 2010
Location: Tucson, Arizona US
Distribution: Slackware Current, custom kernel, amd64, Beyond LinuxFromScratch
Posts: 130
Blog Entries: 1

Rep: Reputation: Disabled
I got bitten by this sort of thing Spring 2012. CERT told me they started seeing it in January 2012.

"US-CERT has been aware of this type of domain spoofing since January. This insidious form of spam generates twice the network
traffic because most of the target addresses do not exist, generating bounce messages like yours. This used to be someone benign,
but recently they started adding spam triggers to the Subject; now they are sending entire spam messages."

If you examine the MTA closely, you may notice that the first entry, the source, is not your IP address. The rest of the headers are forged to make the spam appear to come from your computer, particularly to stupid mail servers that look only at the "FROM:" field and not the beginning of the Message Transfer Authority trace. Typically, all you get is the bounce message from the target, but smarter SMTP servers will send a copy of the message that includes the full header. That's where you can look to confirm that the message did not originate in your domain.
Here's an example bounce message: [I have collected over 600 of them.]

<a7365e11@tessi.com.ar>: 421 4.4.0 [internal] no MXs for this domain could be reached at this time


--tiBWib3frLAtTAXIQbPtN5dl3r3w6Yr2hFDI/Q==
Content-Description: Delivery report
Content-Type: message/delivery-status

X-Symantec-Brightmail-Gateway-Queue-ID: 03/93-02934-B7BAA305
X-Symantec-Brightmail-Gateway-Sender: rfc822; 9111B64@[my domain]
Reporting-MTA: dns; diespam.netizen.com.ar
Arrival-Date: Tue, 28 Aug 2012 00:04:27 -0300

Final-Recipient: rfc822; a7365e11@tessi.com.ar
Status: 4.4.0
Action: delayed
Last-Attempt-Date: Tue, 28 Aug 2012 00:04:27 -0300
Diagnostic-Code: smtp; 421 4.4.0 [internal] no MXs for this domain could be reached at this time

--tiBWib3frLAtTAXIQbPtN5dl3r3w6Yr2hFDI/Q==
Content-Description: Undelivered Message Headers
Content-Type: text/rfc822-headers

X-AuditID: c83164b1-b7b8cae000000b76-3f-503aab79eb61
X-Invalid-Recipients:
Received: from [37.105.19.134] (Unknown_Domain [37.105.19.134]) <<<-- This is the originating ip address, which does not exist.
by diespam.netizen.com.ar (Symantec Brightmail Gateway) with SMTP id F2.93.02934.A7BAA305; Sun, 26 Aug 2012 20:04:27 -0300 (ART)
From: "Cheap-Vigara" <9111B64@[my domain]>
To: <a7365e11@tessi.com.ar>
Subject: Best prices in the market
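The trace-reading hpfeil describes, as an added Python example that is not from any poster: it unfolds the Received: headers, lists the hops oldest-first and reports where the message first entered the mail system. Both header samples are constructed, one from the postcat output in post #3 and one from the bounce above (with the folding of its second line restored).

```python
import re
# Sample input constructed from the postcat output in post #3 (the earliest hop is the bottom one).
QUEUED_HEADERS = """\
Received: from XYZ.com (localhost [127.0.0.1])
        by localhost (Postfix) with ESMTP id 59099161136C;
        Fri,  1 Nov 2013 20:56:29 +0100 (CET)
Received: from User (localhost [127.0.0.1])
        by XYZ.com (Postfix) with SMTP id EC919161134F;
        Fri,  1 Nov 2013 20:55:55 +0100 (CET)
"""
# Sample input constructed from the bounce quoted in post #5 (header folding restored).
BOUNCED_HEADERS = """\
Received: from [37.105.19.134] (Unknown_Domain [37.105.19.134])
        by diespam.netizen.com.ar (Symantec Brightmail Gateway) with SMTP id F2.93.02934.A7BAA305
"""
# from <HELO name> (<reverse DNS> [<client IP>]) by <receiving MTA> ... with <protocol>
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<proto>\w+))?", re.IGNORECASE)

def unfold_headers(raw):
    """Split a header block into (name, value) pairs, joining folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # a blank line ends the header block
        if line[0] in " \t" and headers:  # continuation of the previous header
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def received_chain(raw):
    """Received: hops oldest-first. Each MTA prepends its own header, so the bottom-most
    one is the first hop (where the message really entered) and the top-most the last relay."""
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() == "received":
            m = HOP_RE.search(value)
            hop = m.groupdict() if m else dict.fromkeys(HOP_RE.groupindex)
            hop["raw"] = value  # keep the text for headers the pattern cannot read
            hops.append(hop)
    hops.reverse()
    return hops

def is_local_submission(hop):
    """True when the hop arrived over loopback: the mail was injected on the server itself (a local
    script or client, or a proxy/content filter re-injecting for it), not relayed from another host."""
    return hop.get("ip") in ("127.0.0.1", "::1")
```

For the queued message from post #3 the first hop is HELO "User" from 127.0.0.1 over plain SMTP, while the bounce above starts at 37.105.19.134; the HELO name and the From: line are client-supplied, only the bracketed address recorded by the receiving MTA is trustworthy.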
 
Old 11-05-2013, 03:53 AM   #6
proNick
Member
 
Registered: Apr 2005
Posts: 104

Original Poster
Rep: Reputation: 15
This is part of the log summaries I collected from the server (MYDOMAIN refers to the domain which belongs to the mail server):

Code:
Postfix log summaries for Nov  4

Grand Totals
------------
messages

    578   received
    641   delivered
      0   forwarded
  21050   deferred  (1245k deferrals)
    227   bounced
      9   rejected (1%)
      0   reject warnings
      0   held
      0   discarded (0%)

  78949k  bytes received
  82090k  bytes delivered
     78   senders
     41   sending hosts/domains
    114   recipients
     51   recipient hosts/domains


Per-Hour Traffic Summary
    time          received  delivered   deferred    bounced     rejected
    --------------------------------------------------------------------
    0000-0100           4         12      77148          7          0 
    0100-0200          16         16      98675          6          1 
    0200-0300           2          4      77222          9          0 
    0300-0400           4          4     116105          7          0 
    0400-0500           6          9      77221         14          0 
    0500-0600           3          4     107183         13          0 
    0600-0700           3          4      92671          8          0 
    0700-0800           4          8      73718         18          0 
    0800-0900          18         20     114489         10          1 
    0900-1000          84         83      65432          7          0 
    1000-1100         306        306     142694         92          0 
    1100-1200          36         42      95489         18          1 
    1200-1300          66         97      96436         16          5 
    1300-1400          26         32      40501          2          1
... etc. then:

Code:
Host/Domain Summary: Message Delivery 
 sent cnt  bytes   defers   avg dly max dly host/domain
 -------- -------  -------  ------- ------- -----------
    308    37164k       0     2.5 s    4.8 m  gmail.com
    218    34942k       0    11.6 s    8.2 m  MYDOMAIN.com
      6   428588   508131     0.3 s   69.0 h  yahoo.com
      5     9965       25    59.6 h   63.3 h  ontla.ola.org
      4      571k       2    10.1 m   20.2 m  tsv.fi
      4   293848        0    33.2 s    2.2 m  hum.au.dk
      4   293848        0    33.8 s    2.2 m  hum.ku.dk
      4     7972       28    50.0 h   62.9 h  nordnet.fr
      0        0        9     0.0 s   62.5 h  crcah.org.au
      0        0       20     0.0 s   67.7 h  sian.com.cn
      0        0       10     0.0 s   68.5 h  crosslink.net.au
      0        0        9     0.0 s   61.9 h  tnsofres.com
      0        0       10     0.0 s   64.2 h  das.com
      0        0        9     0.0 s   62.4 h  gtech.com.au
      0        0       37     0.0 s   63.8 h  netzero.com
      0        0       20     0.0 s   68.2 h  frontiernrt.net
      0        0       10     0.0 s   63.5 h  clarewin.com
      0        0       10     0.0 s   64.3 h  securitysoft.com
      0        0       20     0.0 s   64.9 h  urisp.net
      0        0       30     0.0 s   64.2 h  abss.com
      0        0       20     0.0 s   68.4 h  slutisms.com
      0        0       10     0.0 s   64.1 h  kendra.com.au
... etc.


Code:
Host/Domain Summary: Messages Received 
 msg cnt   bytes   host/domain
 -------- -------  -----------
    434    57509k  MYDOMAIN.com
     18     9491k  gmail.com
     10   206753   bounce.linkedin.com
      8   166128   facebookmail.com
      6      945k  laguna-noc.netlogic.rs
      6   340122   mlgn2eu.com
      6   134602   yahoo.com
... etc


In the section Senders by message count, I do have info that 290 emails are sent from one of the accounts on my server, but I checked his machine, and it is clear.


Etc.

Can you give me some ideas about what I can do about it?
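As an added Python example (not from the thread), this answers the "can I grep the mail logs" question in post #1 and the "290 emails from one account, but his machine is clean" puzzle above: it attributes each queued message to the way it entered Postfix (client address, SASL account plus the address that used it, or a local pickup uid) rather than to the envelope sender that pflogsumm's Senders section counts. The log lines are constructed; the queue id, sender and size of the first message are taken from post #3, and the hosts, addresses, uid and account name are made up.

```python
import re
from collections import defaultdict

# Constructed Postfix log sample (not from the thread). Queue id, sender and size of the first
# message are taken from post #3's postcat output; hosts, addresses and the uid are made up.
MAILLOG = """\
Nov  1 20:55:55 XYZ postfix/smtpd[2001]: EC919161134F: client=localhost[127.0.0.1]
Nov  1 20:55:55 XYZ postfix/qmgr[1200]: EC919161134F: from=<webmaster@nnpc.org>, size=1993, nrcpt=50 (queue active)
Nov  1 21:02:10 XYZ postfix/smtpd[2003]: 7A1B2C3D4E: client=unknown[192.168.1.50], sasl_method=LOGIN, sasl_username=joe
Nov  1 21:02:10 XYZ postfix/qmgr[1200]: 7A1B2C3D4E: from=<joe@MYDOMAIN.com>, size=2048, nrcpt=1 (queue active)
Nov  1 21:03:44 XYZ postfix/smtpd[2004]: 8B2C3D4E5F: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=joe
Nov  1 21:03:44 XYZ postfix/qmgr[1200]: 8B2C3D4E5F: from=<joe@MYDOMAIN.com>, size=1500, nrcpt=45 (queue active)
Nov  1 21:05:00 XYZ postfix/pickup[1300]: 0F0E0D0C0B: uid=48 from=<apache>
Nov  1 21:05:00 XYZ postfix/qmgr[1200]: 0F0E0D0C0B: from=<apache@XYZ.com>, size=700, nrcpt=40 (queue active)
"""

LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
CLIENT_RE = re.compile(r"client=(?P<client>[^\s,]+)(?:.*\bsasl_username=(?P<user>\S+))?")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+)")
QMGR_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def submission_stats(log):
    """Attribute every queued message to the way it entered Postfix, then total per entry point.
    The envelope sender (what pflogsumm's Senders section counts) is whatever the spammer chose;
    smtpd's client=/sasl_username= and pickup's uid= record who really handed mail to Postfix."""
    origin = {}  # queue id -> entry-point label, learned from the smtpd/pickup line
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        prog, qid, rest = m.group("prog", "qid", "rest")
        if prog == "smtpd" and (c := CLIENT_RE.search(rest)):
            if c.group("user"):  # authenticated: the account plus the address that used it
                origin[qid] = f"sasl_username={c.group('user')} from {c.group('client')}"
            else:
                origin[qid] = f"unauthenticated client {c.group('client')}"
        elif prog == "pickup" and (p := PICKUP_RE.search(rest)):
            origin[qid] = f"local submission uid={p.group('uid')}"  # sendmail(1)/mail() on the box
        elif prog == "qmgr" and (q := QMGR_RE.search(rest)):
            s = stats[origin.get(qid, "unknown entry point")]
            s["messages"] += 1
            s["recipients"] += int(q.group("nrcpt"))
            s["senders"].add(q.group("sender"))
    return {who: {**s, "senders": sorted(s["senders"])} for who, s in stats.items()}

def ranked(stats):
    """Entry points by recipient count: that, not message count, is what fills the deferred queue."""
    return sorted(stats.items(), key=lambda kv: kv[1]["recipients"], reverse=True)
```

On a live server feed it the real file, for example `submission_stats(open("/var/log/maillog").read())` (Debian-family systems use /var/log/mail.log); an account showing up from an address its owner never uses, or a pickup uid belonging to the web server, points at the real source even when the owner's machine is clean.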