postfix large number of unknown log

nelsone · 03-05-2012, 08:40 PM

Mar 6 10:39:13 mail postfix/qmgr[29704]: 1EF843E23B1: to=<jerry089@yahoo.com.tw>, relay=none, delay=290640, delays=290640/0.09/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/cleanup[31123]: 8D8CA13D763F: message-id=<20120306023913.8D8CA13D763F@mail.csolution.com.hk>
Mar 6 10:39:13 mail postfix/qmgr[29704]: 1EF843E23B1: to=<jess198586@yahoo.com.tw>, relay=none, delay=290640, delays=290640/0.12/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 1EF843E23B1: to=<jessica_chaing@yahoo.com.tw>, relay=none, delay=290640, delays=290640/0.12/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 1EF843E23B1: to=<karen600202@yahoo.com.tw>, relay=none, delay=290640, delays=290640/0.13/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: B793613D75D9: from=<info@zeasonweddings.com>, size=2538, nrcpt=8 (queue active)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: from=<info@zeasonweddings.com>, size=2494, nrcpt=6 (queue active)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<a0930366623@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.06/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<a155882@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.06/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<a3699260@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.07/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<a604352004@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.07/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<a607669@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.08/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<am123en@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.08/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 72FB113D7600: from=<info@zeasonweddings.com>, size=2497, nrcpt=8 (queue active)
Mar 6 10:39:14 mail postfix/qmgr[29704]: 191D54D5834: from=<info@zeasonweddings.com>, size=2489, nrcpt=9 (queue active)
Mar 6 10:39:14 mail postfix/qmgr[29704]: 191D54D5834: to=<ross_112770@yahoo.com.tw>, relay=none, delay=157076, delays=157076/0.07/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:14 mail postfix/qmgr[29704]: 191D54D5834: to=<s2559818@yahoo.com.tw>, relay=none, delay=157076, delays=157076/0.08/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:14 mail postfix/qmgr[29704]: 191D54D5834: to=<sam830910@yahoo.com.tw>, relay=none, delay=157076, delays=157076/0.08/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:14 mail postfix/qmgr[29704]: 191D54D5834: to=<sayiu1314@yahoo.com.tw>, relay=none, delay=157076, delays=157076/0.11/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)

Please tell me what causes
Thanks in advance
Nelsone

elfenlied · 03-05-2012, 10:59 PM

Serious question : Are you an email spammer?

It looks like the yahoo mail servers are just dropping your connections, the email addresses your server is trying to send to and failing are all on the yahoo.tw domain and they do look a bit suspect. Especially since they are all around the same time as well.

nelsone · 03-05-2012, 11:16 PM

User info@zeasonweddings.com somehow have been spam, but I changed the password, but it could have been issued.

elfenlied · 03-05-2012, 11:36 PM

Well it looks like your connection is being dropped by the yahoo.tw server check and see if your mail server IP address is on some kind of blacklist. http://www.mxtoolbox.com/blacklists.aspx

leslie_jones · 03-06-2012, 01:26 AM

I'm not 100% that yahoo.tw is dropping this. I do see this kind of rubbish from time to time (hinet being another target) and from those log lines it's just showing the transport to be broken. If Yahoo.tw were refusing mail I would expect 5xx SMTP messages rather than Queue manager just baulking at it. This suggests that the transport is broke before it gets as far as SMTP, but with that incomplete log excerpt it is hard to say for sure.

To quote the author of Postfix when this comes up (and it does, rather regularly):

Quote:

Don't look at THE END of the error log, look at THE START.
The cause of the problem is logged BEFORE "unknown mail transport error".
Wietse

Effectively go further back in the logs looking for fatal errors and warnings before the transport error is logged by queue manager. It may just be that Yahoo has firewalled you off and that is causing the SMTP transport to fail - but somewhere there is a log entry for that before all that rubbish starts.

I'd also suggest you take a look and see how many messages are in the outbound queue. When I see this kind of carnage it is typically thousands and I just mercilessly wipe the whole queue, and identify the account responsible.

elfenlied · 03-06-2012, 02:14 AM

A firewall isn't going to allow you to connect, send some data and then disconnect you without explanation.

After a better look at it, I'd say you have an open relay or login details for info@zeasonweddings.com as you say were being used maliciously.

Code:

Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: from=<info@zeasonweddings.com>, size=2494, nrcpt=6 (queue active)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<a0930366623@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.06/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<a155882@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.06/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<a3699260@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.07/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<a604352004@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.07/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<a607669@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.08/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 6 10:39:13 mail postfix/qmgr[29704]: 141777D2416: to=<am123en@yahoo.com.tw>, relay=none, delay=117610, delays=117610/0.08/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)

The email came from your server and it was trying to send to those yahoo addresses (again I'd check the blacklists). Look at the corresponding CONNECT: line in your log which should be further up, then see if that same IP address has been sending the same sorts of emails.

leslie_jones · 03-06-2012, 06:01 AM

Quote:

Originally Posted by elfenlied

A firewall isn't going to allow you to connect, send some data and then disconnect you without explanation.

Did I say that it would? What I was trying to get across is if the recipient domain is dropping connections, there is a chance it will break the smtp transport - however, with just 'unknown mail transport error' and not the rest of the logs showing the preceding error, typically 'fatal' nobody really knows.

Quote:

Originally Posted by elfenlied

After a better look at it, I'd say you have an open relay or login details for info@zeasonweddings.com as you say were being used maliciously.

I took that as a given, considering the target recipient domain (I've seen hundreds of these attacks in the past, typically .tw (hinet/yahoo etc).

Like I say, I'd examine the logs a bit more closely (to the start of the transport errors - looking for fatal errors) and dump the queue. The OP suggests he has now secured the offending, compromised account:

Quote:

"User info@zeasonweddings.com somehow have been spam, but I changed the password, but it could have been issued."

So hopefully only post mortem and tidying up to do.

nelsone · 03-06-2012, 09:37 PM

Thank you all for answering,
Deleted / var / spool / postfix folder, restart the postfix. service normal