Unusual sm-msp-queue log in maillog

ridwan77 · 04-25-2010, 05:51 AM

Hello all,

I'm running sendmail in FC6. For the last 3/4 days I'm geeting the following unusual message in my maillog:

Code:

Apr 25 04:03:54 mail sendmail[20827]: o3OLq515020827: from=<info@efcc.com>, size=8084, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 25 04:03:54 mail sendmail[20827]: o3OLq516020827: ruleset=check_mail, arg1=<info@efcc.com>, relay=localhost.localdomain [127.0.0.1], reject=451 4.1.8 Domain of sender address info@efcc.co
m does not resolve
Apr 25 04:03:54 mail sm-msp-queue[20769]: o3N6XIQd029543: to=criley@shefskylaw.com,mdfpr5@cableonda.net,chiefsfan1111@atlanticbb.net,wear@winco.net,jtruesdale2000@yahoo.com,bitchy_120@yahoo.c
om,kbob@clearwire.net,austinsexybeast@gmail.com,jamm@ptsi.net,natasha0082@aol.com,anthcontini@icqmail.com,rpd.c769@gmail.com,wanda@brick.net,stein247@earthlink.net,david_moskowitz@sra.com,hot
mama-amy@peoplepc.com,nitramknarf@gm...surfglobal.net,amy10580@aol.c
om,wlobo@siac.com,neotcp@cableone.net,johnkiang@earthlink.net,buttonlady@gci.net,jldelac@yahoo.com,rdraughon@gavinhodges.com,rginach@peoplepc.com,beluekiki@aol.com,sylvester920@yahoo.com,gwen
dolynford@detroitpubliclibrary.com, [more], delay=1+15:30:36, xdelay=00:00:00, mailer=relay, pri=9517525, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.1.8 Domain of sender address info@
efcc.com does not resolve
Apr 25 04:03:54 mail sm-msp-queue[20769]: o3N6XIQd029543: to=gawdless@gmail.com,mimartin@optonline.net,miller.james@wpstv.com,martinwill@earthlink.net,randy@dmprinters.com,dawnhaviland@hotmai
l.com,nlefebvre@sikorsky.com,michelleb@butlerhyundai.dealerspace.com,webejonzn@blomand.net,jim@celco.com,locommish@earthlink.net,moosilena@yahoo.com,mrodrigu@attglobal.net,god@lycos.com,morog
ers@ohliq.com,lfreds@peoplepc.com,se...kshouse@go.com,thevamp
iresangels@gmail.com,lisalawrence@ea...lisalt@aol.com,handy_33@hotmail
.com,ralley@tds.net,harwhe@lycos.com, [more], delay=1+15:30:36, xdelay=00:00:00, mailer=relay, pri=9517525, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.1.8 Domain of sender address inf
o@efcc.com does not resolve
Apr 25 04:03:54 mail sm-msp-queue[20769]: o3N6XIQd029543: to=xsanthoula@aol.com,smurfette@tpbmail.net,agamitch@msn.com,jgreen@midwest-express.com,marilou_buan@countrywide.com,macshack99@aol.c
om,rhensley@psci.net,kathy@houstonsolution.com,pautrey@uab.edu,deadhead@sigecom.net,apanders@citynet.net,compass@compassclassicyachts.com,tykeda@critpath.org,beths@airportclub.com,naargabrigh
t@aep.com,myhomeisheaven@mail2heaven...vessey@gci.net,ans
hul.chetal@gmail.com,oakridge47@aol....4merle@aol.com, delay=
1+15:30:36, xdelay=00:00:00, mailer=relay, pri=9517525, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.1.8 Domain of sender address info@efcc.com does not resolve
Apr 25 04:03:54 mail sendmail[20827]: o3OLq516020827: from=<info@efcc.com>, size=8116, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Apr 25 04:03:54 mail sendmail[20827]: o3OLq517020827: ruleset=check_mail, arg1=<info@efcc.com>, relay=localhost.localdomain [127.0.0.1], reject=451 4.1.8 Domain of sender address info@efcc.co
m does not resolve
Apr 25 04:03:54 mail sm-msp-queue[20769]: o3N6XIQd029543: to=gigi@gbso.net,cmigues108@citcom.net,jsaniuk@savagepalandri.com,szabogerry@yahoo.com,freight@vipexpress.com,gobee@bulloch.net,sylja
m@netcarrier.com,pegnchuck@mohaveaz....erat@gmail.com,ajm53@earthlink.n
et,alison_scott@hotmail.com,whitfarm@millertel.net,mlundberg@zettaworks.com,armyboy1985@military.com,curtis.marshall@infousa.com,heidigirl@shtc.net,tina@bnin.net,pattyblueeyes@aol.com,cpsmith
@adelphia.net,tedem@earthlink.net,collbritar@aol.com,valreyrib@netscape.net,psomas@sfsu.edu,bornmann@brevard.net,felecia.belton@palmettohealth.org,bob@greatbikegear.com,lovechick18@excite.com
,spatton@leviton.com,waverly94@earthlink.net, [more], delay=1+15:30:36, xdelay=00:00:00, mailer=relay, pri=9517525, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.1.8 Domain of sender add
ress info@efcc.com does not resolve
Apr 25 04:03:54 mail sm-msp-queue[20769]: o3N6XIQd029543: to=pat@rodrillinc.com,mattlawrence@youngthagard.com,judith.a.marker@boeing.com,datt@adelphia.net,gmmulder@ruraltel.net,matthewhuber@e
arthlink.net,jbaethge@fbg.net,bigshow@walla.co.il,t.berry@lyleind.com,chuck2717948@lycos.com,ron@broccolimedia.com,bretweb24@yahoo.com,ash4714@aol.com,hallfam@ktis.net,steve@kekepana.com,cara
melsmooth@iwon.com,vargas@tcsn.net,j...ockett7@aol.co
m,lorsma@machlink.com,jriggs@pisd.edu,rollercoaster4k@go.com,bisonhill@catranch.net,dopey@feinsilver.com,pawprint@redwing.net,maverick9@coolgoose.com,fburnett@tsclinic.com,mzgraz@earthlink.ne
t,steve@bythestream.com, [more], delay=1+15:30:36, xdelay=00:00:00, mailer=relay, pri=9517525, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.1.8 Domain of sender address info@efcc.com does not resolve

Although i have denied localhost (127.0.0.1) to relay in relay-domains file for sendmail i'm receiving the above error. Can anyone help me out from this situation?

bathory · 04-25-2010, 09:36 AM

Hi,

I guess your mail server was used to send out spam. You should grep your logs, to see who sent the message in question:

Code:

grep "o3N6XIQd029543: from" /var/log/maillog

and try to find out how he did it.
To stop sendmail trying to deliver the mail, you can remove it from the queue. Stop sendmail, run

Code:

rm /var/spool/mqueue/?qo3N6XIQd029543

and start sendmail again.

Regards

jayjwa · 04-26-2010, 07:13 PM

No, don't start it again. Not until you have it secured properly. The rest of us don't want to get blasted with spam in the meanwhile. The fact an intruder was able to submit mail into your mail queue to send suggests that the entire system is likely compromised, at least at some level.