LinuxQuestions.org
Old 04-13-2010, 05:38 PM   #1
moimel
Member
 
Registered: May 2009
Posts: 30

Rep: Reputation: 15
Postfix logs flooded from excessive mails


Hello, I view my /var/log/maillog and see tons of lines like this:
Apr 14 01:35:16 ns1 postfix/qmgr[13307]: AB33922B89D8: to=<buttonsing@yahoo.com.tw>, relay=none, delay=147008, delays=146024/984/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx1.mail.tw.yahoo.com[203.188.197.9] refused to talk to me: 421 4.7.0 [TS01] Messages from 212.152.155.32 temporarily deferred - 4.16.55.1; see http://postmaster.yahoo.com/errors/421-ts01.html)

I think those are some kind of SMTP attacks from this host, but I tried to block it with iptables and it seems to piss them off and they keep coming...!

Please, is there some kind of Postfix configuration solution?

thanks

Last edited by moimel; 04-13-2010 at 05:40 PM.
 
Old 04-13-2010, 05:44 PM   #2
Sky.Crawler
LQ Newbie
 
Registered: Apr 2010
Posts: 21

Rep: Reputation: 3
How long has your mail server been active? Did you just deploy it? Has this been happening for days?

It seems Yahoo believes you to be a spammer.
 
Old 04-13-2010, 05:53 PM   #3
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
am

Apr 14 01:49:59 ns1 postfix/qmgr[18884]: 86AC92110A48: from=<nkvhknwp@ms31.hinet.net>, size=4096, nrcpt=33 (queue active)


This too: tons of those ms31 - ms100~ just keep flooding.

Actually this is a new dedicated server and I installed the mail server today, but the domain name I'm using for my host is old... but wtf? Yahoo floods people? Why would they? How to block it, man? It got my mail server stuck...
 
Old 04-13-2010, 07:01 PM   #4
Sky.Crawler
LQ Newbie
 
Registered: Apr 2010
Posts: 21

Rep: Reputation: 3
Can you set your firewall to block all outgoing connections?

We want to see if that stops the error messages. If it does, it confirms that the problem is with our server accidentally spamming them.
 
Old 04-14-2010, 02:11 AM   #5
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
Hey man thanks for the help,

Listen, I blocked the output port first:
Code:
iptables -A OUTPUT -p tcp --dport 25 -j DROP

and it didn't work.
Then I blocked the input:
Code:
iptables -A INPUT -p tcp --dport 25 -j DROP

and it appears that the logs keep coming. How is it even possible that I blocked SMTP in and out and I'm still getting flooded? lol

Now it looks like this:
Code:
Apr 14 10:08:50 ns1 postfix/qmgr[18012]: BB7B622B83F4: from=<apcrk@ms56.hinet.net>, size=7264, nrcpt=43 (queue active)

Last edited by moimel; 04-14-2010 at 02:12 AM.
 
Old 04-14-2010, 09:31 AM   #6
Sky.Crawler
LQ Newbie
 
Registered: Apr 2010
Posts: 21

Rep: Reputation: 3
1) What is the domain name of your server?

2) Make sure your server is not an "open relay."

Postfix shouldn't configure the server to be one by default, but we never know.

Google for an "open relay test", or use this:

http://www.abuse.net/relay.html

Consider increasing the verbosity of your logs for the time being:

http://www.postfix.org/DEBUG_README.html#verbose

Last edited by Sky.Crawler; 04-14-2010 at 09:43 AM. Reason: Additional Information
 
Old 04-18-2010, 05:48 AM   #7
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
Looks like a virus or DDoS attack, not sure.

I have Postfix with MySQL on CentOS 5 and I'm getting a huge amount of attacks like this (from /var/log/maillog):

Code:
Apr 18 00:10:01 game3 postfix/qmgr[28284]: C249334A86B: to=<hogb@ms62.hinet.net>, relay=none, delay=55645, delays=53557/2089/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ms62a.hinet.net[168.95.5.62]: Connection timed out)
Apr 18 00:10:17 game3 postfix/smtpd[31088]: connect from unknown[121.35.171.236]
Notice the connect from.

Attacks from yahoo.com.tw or hinet.com or a million other IPs.

Anyway, I have tried to ban them all by extracting the IPs from the maillog and banning them, but it seems to be useless; it doesn't do anything, except maybe that some of them say connection timed out...

These attacks occur only when Postfix is active, and the attacks are reflected in 20% wa taken by the server and all the queue slots are taken by the attackers' emails (postfix (qmgr) is overflowed, not letting authentic emails be received), so I tried to block the SMTP port:

Code:
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A INPUT -p udp --dport 25 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -p udp --dport 25 -j DROP
(:D I got mad so I started to invent some commands)
Furthermore, when looking in netstat after blocking SMTP, no SMTP record is found at all! Yet the attacks keep coming!

And it made some changes: now the attacks seem to come from the inside (lol?) but the same side effects remain:

Code:
Apr 18 13:21:31 game postfix/smtp[4061]: BA8912100199: to=<lfzdkjnucjdl@ms28.hinet.net>, relay=none, delay=219, delays=142/47/30/0, dsn=4.4.1, status=deferr$
Apr 18 13:21:31 game postfix/smtp[4034]: connect to ms34a.hinet.net[168.95.5.34]: Connection timed out (port 25)
Notice that after I blocked SMTP it's like the smtp client is trying to connect to something! And I cannot find a single "connect from" in the whole log.

So is it something with Postfix? A virus? DDoS? How to block it? I've been working on this for a week now and no one has a solution, nor can I find one on the internet.

p.s. Should I switch to Exim instead of Postfix?

PLEASE HELP!

Last edited by moimel; 04-18-2010 at 08:55 AM.
 
Old 04-18-2010, 07:16 AM   #8
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
This looks like spam. Is that really active? How many requests per second do you get?
Blocking all input/output to port 25 will not help at all; if you're using your own server, you'll be unable to use it further. And you don't need to block UDP port 25, it has nothing to do with your issue.
This is usually done by Windows computers infected with spam viruses. What you need to do is install spam filters. The IPs you are being connected from are usually listed in spam blacklists, so spam filters will stop that data from reaching the mail server.
Using Exim instead of Postfix is like trying to use one sword instead of another when fighting against firearms. It won't have any effect at all, you will still have those connections. You need a spam filter.
 
Old 04-18-2010, 07:59 AM   #9
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
Thanks man, when you say spam filter, is this some kind of program to install with Postfix? Do you have any recommendation for a good one?
 
Old 04-18-2010, 08:30 AM   #10
Bratmon
Member
 
Registered: Jul 2009
Location: 75.126.162.205:80
Distribution: Arch / Mint 17
Posts: 297
Blog Entries: 3

Rep: Reputation: 50
Unrelated, could you please use [code] tags instead of [php] tags? It stretches the page. A lot.
 
Old 04-18-2010, 09:42 AM   #11
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
Hey, I have installed SpamAssassin and it doesn't seem to help (: I don't think this is spam; I'm getting about 50 messages per second, it's something crazy. Anyway, maybe you meant something else? Another spam filter?
 
Old 04-18-2010, 11:49 AM   #12
noden
LQ Newbie
 
Registered: Aug 2009
Location: Denmark
Distribution: Debian
Posts: 29

Rep: Reputation: 18
SpamAssassin should work nicely.

Are you sure the traffic is actually going through SpamAssassin, and not just running on the side?

EDIT: Try to open your master.cf config file for Postfix and search for a line starting with "smtp inet ....." and verify it ends with "... -o content_filter=spamd".
spamd is just a defined entry and might be named something else in your setup.
The spamd entry should then be defined somewhere else in the config file: "spamd unix - n ...."

Last edited by noden; 04-18-2010 at 12:22 PM.
 
Old 04-18-2010, 12:02 PM   #13
noden
LQ Newbie
 
Registered: Aug 2009
Location: Denmark
Distribution: Debian
Posts: 29

Rep: Reputation: 18
It looks like an outgoing message. Is it the same message or several? Maybe it is just a small amount that is being redelivered because of the connection timeout.
You might have been blocked at ms34a.hinet.net[168.95.5.34] because of the spam. Hope you don't end up on a blacklist, because they should be pretty hard to get back off.

Try "mailq" and "postcat" to see your mail queue. You should be able to delete it with "postsuper".

I hope this is somewhat useful.
 
1 members found this post helpful.
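As an added example (not code from any poster in this thread), a small Python triage script over constructed maillog lines in the format quoted above: it separates real inbound connections (smtpd "connect from") from Postfix's own retry logging of deferred outbound mail, which is why the qmgr lines keep appearing even after port 25 is firewalled. All hosts, queue ids, addresses and IPs in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/maillog format quoted in the thread;
# hosts, queue ids, addresses and IPs are made up (192.0.2.10 is a doc-range IP).
SAMPLE_LOG = """\
Apr 18 00:10:01 game3 postfix/qmgr[28284]: C249334A86B: to=<a@ms62.hinet.net>, relay=none, delay=55645, delays=53557/2089/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ms62a.hinet.net[168.95.5.62]: Connection timed out)
Apr 18 00:10:17 game3 postfix/smtpd[31088]: connect from unknown[121.35.171.236]
Apr 18 00:10:40 game3 postfix/qmgr[28284]: C249334A86B: to=<a@ms62.hinet.net>, relay=none, delay=55684, delays=53557/2128/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to ms62a.hinet.net[168.95.5.62]: Connection timed out)
Apr 18 00:11:02 game3 postfix/qmgr[28284]: 86AC92110A48: from=<x@ms31.hinet.net>, size=4096, nrcpt=33 (queue active)
Apr 18 00:11:05 game3 postfix/smtpd[31090]: connect from unknown[121.35.166.220]
Apr 18 00:11:09 game3 postfix/qmgr[28284]: BB7B622B83F4: to=<b@yahoo.com.tw>, relay=none, delay=147008, delays=146024/984/0/0, dsn=4.7.0, status=deferred (host mx1.mail.tw.yahoo.com[203.188.197.9] refused to talk to me: 421 4.7.0 Messages from 192.0.2.10 temporarily deferred)
"""

# Inbound SMTP client connections: the only lines that reflect outside network traffic.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([\d.]+)\]")
# Outbound deliveries that Postfix keeps retrying from its own queue (no network needed).
DEFERRED_RE = re.compile(
    r"postfix/(?:qmgr|smtp)\[\d+\]: ([0-9A-F]+): to=<[^@>]+@([^>]+)>.*status=deferred")
# Messages entering the active queue, with their recipient count.
ACTIVE_RE = re.compile(r"postfix/qmgr\[\d+\]: [0-9A-F]+: from=<[^>]*>, .*nrcpt=(\d+) \(queue active\)")

def triage(log_text):
    """Split a maillog into inbound connections vs. local queue retries."""
    inbound = Counter()
    deferred_ids, deferred_domains, deferred_lines, recipients = set(), Counter(), 0, 0
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            inbound[m.group(1)] += 1
        elif m := DEFERRED_RE.search(line):
            deferred_lines += 1
            deferred_ids.add(m.group(1))
            deferred_domains[m.group(2)] += 1
        elif m := ACTIVE_RE.search(line):
            recipients += int(m.group(1))
    return {
        "inbound_connects": dict(inbound),
        "deferred_lines": deferred_lines,
        "deferred_queue_ids": len(deferred_ids),
        # >1 means the same stuck messages are being retried, not new mail arriving
        "retries_per_message": deferred_lines / len(deferred_ids) if deferred_ids else 0.0,
        "deferred_domains": dict(deferred_domains),
        "queued_recipients": recipients,
    }

if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

A high retries_per_message with few inbound connects points at a stuck queue to inspect with mailq/postcat rather than at new inbound traffic.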
Old 04-18-2010, 12:38 PM   #14
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910
Moved: This thread is more suitable in <Security> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 04-18-2010, 12:40 PM   #15
moimel
Member
 
Registered: May 2009
Posts: 30

Original Poster
Rep: Reputation: 15
Hey man, thanks for the help, I just want to understand something:

Why, when I'm banning them all and even closing the SMTP port (25), do they still keep coming? How is it possible? Where are they coming in from?

I installed SpamAssassin but I don't know how to check if it's working correctly. It is active and updated and master.cf is ok... maybe I should write rules or something? Because it doesn't seem to affect the logs or the load of the server.

Edit:
Code:
Apr 18 20:48:58 game3 spamd[6160]: spamd: identified spam (10.5/5.0) for spamfilter:598 in 7.0 seconds, 1057 bytes.
Apr 18 20:48:58 game3 spamd[6160]: spamd: result: Y 10 - FSL_HELO_NON_FQDN_1,HELO_NO_DOMAIN,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,RCVD_IN_SORBS_WEB,$
Apr 18 20:48:58 game3 postfix/smtpd[6335]: disconnect from unknown[121.35.166.220]
Apr 18 20:48:58 game3 spamd[6406]: spamd: identified spam (7.5/5.0) for spamfilter:598 in 2.0 seconds, 1057 bytes.
Apr 18 20:48:58 game3 spamd[6406]: spamd: result: Y 7 - DKIM_ADSP_NXDOMAIN,FSL_HELO_NON_FQDN_1,HELO_NO_DOMAIN,NO_DNS_FOR_FROM,RCVD_IN_BRBL_LASTEXT,RCVD_IN_P$
Apr 18 20:48:58 game3 spamd[6154]: prefork: child states: BIBBI
Apr 18 20:48:58 game3 spamd[6154]: prefork: child states: BIBII
Apr 18 20:48:58 game3 spamd[6154]: prefork: adjust: 3 idle children more than 2 maximum idle children. Decreasing spamd children: 6407 killed.
Apr 18 20:48:58 game3 sendmail[6292]: o3IHmwsY006292: Authentication-Warning: : spamfilter set sender to fylefrbt@rnjti.com using -f
Apr 18 20:48:58 game3 spamd[6154]: spamd: handled cleanup of child pid [6407] due to SIGCHLD: interrupted, signal 2 (0002)
Apr 18 20:48:58 game3 spamd[6154]: prefork: child states: BIBI
Surely SpamAssassin is working, but it seems like it has been assassinated by the spam lol.
I don't see any immediate improvement...

Last edited by moimel; 04-18-2010 at 12:55 PM.
 