Linux - Security (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Feb 18 07:09:34 server postfix/qmgr[4795]: C996CBBE335: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: C609DBBE3E1: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: CFAFDBBE52B: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: C8A93BBE56C: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 3A449BBE334: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 33DB4BBE5D4: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 579BBBBE3A8: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 552B3BBE5BB: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 5A08EBBE30D: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 57B33BBE5FD: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: AFDECBBE57E: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: A0C9FBBE3A6: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: A722FBBE39F: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: ABA88BBE2E9: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: A764ABBE3EF: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 66C35BBE323: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: 89D90BBE42F: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: DBB7FBBE3A2: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/error[1768]: 26CD6BBE3D4: to=<chi.chang@longandfoster.com>, relay=none, delay=102333, delays=102333/0.01/0/0.08, dsn=4.0.0, s$
Feb 18 07:09:34 server postfix/smtp[1789]: connect to monarda.com[208.87.35.103]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1789]: 75598BBE5FB: to=<info@monarda.com>, relay=none, delay=96862, delays=96862/0.06/0.24/0, dsn=4.4.1, status=deferred$
Feb 18 07:09:34 server postfix/smtp[1853]: connect to schwartzcooper.com[69.73.172.201]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1854]: connect to mail.triton.net[209.172.0.15]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1821]: 90699BBE5E6: host mx.fakemx.net[176.9.24.81] said: 451 Try again later (in reply to RCPT TO command)
Feb 18 07:09:34 server postfix/smtp[1812]: connect to ggpelawfirm.inbound10.symantecmail.com[208.65.144.22]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1853]: 4A1AEBBE420: to=<dainger@schwartzcooper.com>, relay=none, delay=101131, delays=101131/0.16/0.15/0, dsn=4.4.1, sta$
Feb 18 07:09:34 server postfix/smtp[1775]: 74D1FBBE433: host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 550-ip-addr blocked by ldap:$
Feb 18 07:09:34 server postfix/smtp[1794]: ECE56BBE571: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-ip-addr blocked by ldap$
Feb 18 07:09:34 server postfix/smtp[1796]: connect to lvestates.com[208.87.35.103]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1849]: 4A1AEBBE420: host mailin-03.mx.aol.com[64.12.90.33] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster$
Feb 18 07:09:34 server postfix/smtp[1803]: connect to lamiera.com[174.137.125.49]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1825]: 92B09BBE398: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-ip-addr blocked by ldap$
Feb 18 07:09:34 server postfix/smtp[1779]: 74D1FBBE433: host mx1.comcast.net[76.96.62.116] refused to talk to me: 554 imta18.westchester.pa.mail.comcast.net$
Feb 18 07:09:34 server postfix/smtp[1864]: connect to jamesmhellerdmd.com[74.54.88.180]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1796]: ECE56BBE571: to=<dusty@lvestates.com>, relay=none, delay=99089, delays=99088/0.07/0.41/0, dsn=4.4.1, status=defer$
Feb 18 07:09:34 server postfix/smtp[1836]: F257BBBE336: host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-ip-addr blocked by ldap$
Feb 18 07:09:34 server postfix/smtp[1837]: 4EAC3BBE45E: host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 550-ip-addr blocked by ldap:$
Feb 18 07:09:34 server postfix/smtp[1843]: connect to aceofhearts.com[208.87.35.103]:25: Connection refused
And the message being sent:
Code:
CO 80163 5100 50 0 80163T^Q1329440425
169399A^Vcreate_time=1329440425A^Urewrite_context=localS^Lucyu@plm.comA
encoding=7bitA^Ylog_client_name=localhostA^\log_client_address=127.0.0.1A^$
from localhost (localhost [127.0.0.1])N= by server.domain.com
(Postfix) with ESMTP id 296DCBBE419;N& Fri, 17 Feb 2012 03:00:25
+0200 (EET)N1Received: from server.domain.com ([127.0.0.1])NJ by
localhost (server.domain.com [127.0.0.1]) (amavisd-new, port
10024)NB with ESMTP id WEH+49fXMD9K; Fri, 17 Feb 2012 03:00:25
+0200 (EET)N;Received: from User (mail.guildschool.org
[64.122.205.227])N+ (Authenticated sender: mail@domain.com)N> by
server.domain.com (Postfix) with ESMTPA id 326FEBBE41E;N& Fri,
17 Feb 2012 03:00:09 +0200 (EET)N^[From:
"kjojo"<ucyu@plm.com>N%Subject: Dear valued PayPal Customer,N%Date:
Thu, 16 Feb 2012 17:13:34 -0800N^QMIME-Version: 1.0N^^Content-Type:
multipart/mixed;N5
boundary="----=_NextPart_000_009F_01C2A9A6.47E75E62"N X-Priority:
3N^YX-MSMail-Priority: NormalN2X-Mailer: Microsoft Outlook Express
6.00.2600.0000N8X-MimeOLE: Produced By Microsoft MimeOLE
V6.00.2600.0000N=Message-Id:
<20120217010010.326FEBBE41E@server.domain.com>N^\To:
undisclosed-recipients:;N^@N,This is a multi-part message in MIME
format.N^@N+------=_NextPart_000_009F_01C2A9A6.47E75E62N^YContent-Type:
text/plain;N^P charset="utf-8"N^_Content-Transfer-Encoding:
7bitN^@N^\
MAIL TEXT REMOVED
quickN^@N^@N+------=_NextPart_000_009F_01C2A9A6.47E75E62N'Content-Type:
application/octet-stream;N* name="Personal Profile Form -
PayPal.htm"N!Content-Transfer-Encoding: base64N
Content-Disposition: attachment;N. filename="Personal Profile Form
-
PayPal.htm"N^@N<PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMD$
The only thing I figured out is that the mailbox mail@domain.com got hacked at the time the spam started. Now it's removed, but in the mails there's still
Code:
(Authenticated sender: mail@domain.com)
In mail.log there are no logs about mail@domain.com logging in anymore.
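The post's log shows the two signals a defender wants to pull out automatically: one envelope sender (ucyu@plm.com) pushing many 50-recipient messages through the queue manager, and the Received header of a queued message recording which SASL account (Authenticated sender: mail@domain.com) and which client IP injected it. The script below is an added example written for this reply, not code from the post or from Postfix: it parses queue-manager lines from mail.log, aggregates messages and recipients per sender, flags senders over a threshold, counts remote rejections (a sign the host is landing on blocklists), and extracts the authenticated user and client IP from a Postfix Received header. The sample lines are quoted from the post, except for the alice@example.org line, which is constructed so the threshold has a benign sender to ignore; the thresholds and regexes are assumptions, not Postfix conventions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Log lines quoted from the post above; the final line is a constructed benign
# sender so the threshold logic has something to leave alone.
SAMPLE_LOG = """\
Feb 18 07:09:34 server postfix/qmgr[4795]: C996CBBE335: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: C609DBBE3E1: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/qmgr[4795]: CFAFDBBE52B: from=<ucyu@plm.com>, size=80163, nrcpt=50 (queue active)
Feb 18 07:09:34 server postfix/smtp[1789]: connect to monarda.com[208.87.35.103]:25: Connection refused
Feb 18 07:09:34 server postfix/smtp[1775]: 74D1FBBE433: host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 550-ip-addr blocked by ldap:
Feb 18 07:09:35 server postfix/qmgr[4795]: 1234ABCD001: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
"""

# The Received header of the queued message in the post, joined onto one line.
SAMPLE_RECEIVED = ("Received: from User (mail.guildschool.org [64.122.205.227]) "
                   "(Authenticated sender: mail@domain.com) by server.domain.com (Postfix) "
                   "with ESMTPA id 326FEBBE41E; Fri, 17 Feb 2012 03:00:09 +0200 (EET)")

# Queue-manager entry: queue id, envelope sender, size and recipient count.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
                     r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
# Remote side refusing us outright (assumed set of phrases, extend as needed).
REJECT_RE = re.compile(r"Connection refused|refused to talk to me")
# Postfix Received header: HELO name, client host/IP, optional SASL user, protocol, queue id.
RECEIVED_RE = re.compile(r"Received: from (?P<helo>\S+) \((?P<host>[^\s\[]*)\s*\[(?P<ip>[\d.]+)\]\)"
                         r"(?:\s*\(Authenticated sender: (?P<auth>[^)]+)\))?"
                         r".*?with (?P<proto>E?SMTPS?A?) id (?P<qid>[0-9A-F]+)")


@dataclass
class SenderStats:
    messages: int = 0
    recipients: int = 0
    bytes_queued: int = 0
    queue_ids: list = field(default_factory=list)


def summarize_senders(log_text):
    """Aggregate queue-manager entries per envelope sender."""
    stats = defaultdict(SenderStats)
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if not m:
            continue
        s = stats[m["sender"]]
        s.messages += 1
        s.recipients += int(m["nrcpt"])
        s.bytes_queued += int(m["size"])
        s.queue_ids.append(m["qid"])
    return dict(stats)


def flag_bulk_senders(stats, min_recipients=100, min_messages=5):
    """Senders whose queued volume exceeds either threshold (threshold values are assumptions)."""
    return sorted(sender for sender, st in stats.items()
                  if st.recipients >= min_recipients or st.messages >= min_messages)


def count_rejections(log_text):
    """Count delivery attempts the remote side refused; a spike means the host is being blocklisted."""
    return sum(1 for line in log_text.splitlines() if REJECT_RE.search(line))


def parse_received(header):
    """Pull the originating client and SASL-authenticated account out of a Postfix Received header."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"client_host": m["host"], "client_ip": m["ip"],
            "auth_user": m["auth"], "protocol": m["proto"], "queue_id": m["qid"]}


if __name__ == "__main__":
    stats = summarize_senders(SAMPLE_LOG)
    for sender in flag_bulk_senders(stats):
        st = stats[sender]
        print(f"{sender}: {st.messages} msgs, {st.recipients} rcpts, ids={' '.join(st.queue_ids)}")
    print("remote rejections:", count_rejections(SAMPLE_LOG))
    print("origin of queued spam:", parse_received(SAMPLE_RECEIVED))
```

Run it against a real mail.log (`summarize_senders(open("/var/log/mail.log").read())`) to get the queue ids belonging to the bulk sender in one list, and feed the Received headers of those messages to `parse_received` to see which account and client address injected them; the `ESMTPA` protocol tag together with an `Authenticated sender` value is what distinguishes a stolen mailbox password from an open relay or a local script.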