I must mention that email hosting protocols are very foreign to me, so please bare with me if I don't really know what I'm talking about.

I am running an Amazon Web Services EC2 Instance for a dedicated web server among other services. I received an email about spam coming from my server and so I check my mail log. Sure enough, I am getting what appears to be SMTP relays from my server's "Private DNS" using my server's www account name with spoofed addresses from my domains that are pointed to this server. I turn off sendmail service and I'm still getting relay requests which are denied. See the current log messages below.

I'd really like to turn sendmail back on for the websites to be able to send email, but don't want this relaying to continue. What should I do to stop this? Can you help me understand what's going on here?

I've changed the IPs, domains and emails below.

For us to help you, it is always best to indicate what 'flavor' your EC2 instance is ( Centos, Ubuntu etc ) the verson number, and the contents of the config files for sendmail and whatever else you use for mail.

What are your webservers built on ? Apache ? and what do you use them for ?

What are the 'other services' you are using ?

The more RELEVANT info you can give, the better.

No guarantee of a reply, but your chances are better this way.

http://aws.amazon.com/amazon-linux-a...release-notes/

Apache 2 PHP 5
MySQL

The nature of the websites are CMS based sites and all outgoing mail logs for all published sites have no leaks. All CMS versions are up to date.

My other service is an HTTP based custom application that only communicates with one other server and ssh shell of course. I checked SSH logins, there's no logging in by any user but me.

Only ports 22 and 80 are open to all IPs on the AWS security group. (so I'm not sure how they're getting past no open port 25)

Running Services

What do these domains "server up"? CMS-type boards, Wordpress, Joomla, e107?

Is there an EIP attached to the instance?

Looked at he mail files under /var/spool/mail and both root and www accounts have large mail files. And the mail queues fill fast when I enable sendmail.

There is an EIP attached and all the domains are pointed to this, correct.

CMS wordpress and drupal websites. I did just find a bunch of odd files and users in one of my drupal installations that gave write permissions on the directory to the www. I took that site down and the queue seemed to stop growing. This might be it. I'll monitor the problem and report back if it continues.

How does giving write permission to the www user allow someone to add files?

I could just attach an SES account to all the sites, but this will create more headaches. I'd rather just stop this intrusion.

localhost has no such restriction.

1 members found this post helpful.

So the rogue files in my drupal installation are not the problem, maybe the point of entry, but removing them did not stop the attack. What should I be looking for?

Here's the mail log when it's running

is the Wordpress installation(s) up to date and are all the plugins up to date as well?
Is it just one Wordpress install or > 1?

IMHO this is the tip of the iceburg :
There is a problem with the hosts file ? ( /etc/hosts )
or the sendmail 'sender access' db.

All the wordpress and drupal sites are up to date.

I don't know about hosts and access, but it looks default to me.

I do want to continue to relay from localhost so my sites can email me or users, right?

Wordpress installs may be up to date.
What about the plugins they use?

The hosts file is the problem. There is plenty of documentation on how to set it up from Amazon.
Same with sender access.