Sendmail sending emails to unknown email id's - location of file containing different email id's
Dear All,
I see the following email addresses in my /var/log/maillog directory. I am not able to find in which file these emails are configured. I see emails being sent frequently but the stat shows deferred.
I just need to know the location of the files where these email ids are, and I wish to know why my server is sending email to these email ids.
Moreover, I would like to know how I can configure my server to send me email in case of alert like high CPU usage, memory usage or in case of any issue.
Attaching the log below.
PS. This is a Red Hat server.
Quote:
Mar 26 08:09:05 hostname sendmail[8659]: x2P6lV6d009777: to=<xxxx@gmail.com>,<xxxx@gmail.com>,<xxxx@gmail.com>,<xxxxx@gmail.com>,<xxxxx@gmail.com>,<xxxxx@gmail.com>,<xxxxx@gmail.com>,<xxxxxxx@gmail.com>,<xxxxx@gmail.com>, delay=22:21:34, xdelay=00:05:01, mailer=esmtp, pri=2670464, relay=alt4.gmail-smtp-in.l.google.com. [x.x.x.x], dsn=4.0.0, stat=Deferred: Connection timed out with alt4.gmail-smtp-in.l.google.com.
Mar 26 09:11:04 hostname sendmail[10358]: x2P6lV6d009777: to=<dxxxx@hotmail.com>,<xxxxx@hotmail.com>,<xxxxx2011@hotmail.com>,<xxx@hotmail.com>,<xxxxx@hotmail.com>,<xxxx@hotmail.com>, delay=23:23:33, xdelay=00:02:00, mailer=esmtp, pri=2760464, relay=hotmail-com.olc.protection.outlook.com. [x.x.x.x], dsn=4.0.0, stat=Deferred: Connection timed out with hotmail-com.olc.protection.outlook.com.
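A note on reading these lines before the replies: the token after "sendmail[PID]:" (x2P6lV6d009777) is sendmail's queue ID for one message, not a user name, which is why it cannot be found in /etc/passwd. Every log line about that message carries the same ID, and the from= line written when the message first entered the queue records who handed it to sendmail: relay=<user>@localhost for a message submitted locally by that Unix user, or relay=<host> [<ip>] for one accepted over SMTP. With delay=22:21:34 the from= line was written almost a day before the to= line shown here, so it may sit in a rotated file such as /var/log/maillog.1 rather than the current one. The script below is an added example, not something from the original post: it correlates maillog lines by queue ID over a constructed sample log. The to= lines mirror the shape of the thread's entries; the from= lines, the apache@localhost submitter and all addresses are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): correlate sendmail maillog
# lines by queue ID. "x2P6lV6d009777" after "sendmail[PID]:" is the queue ID
# of one message, not a user name, so it never appears in /etc/passwd.
# The from= line logged when the message entered the queue records the
# submitter: relay=<user>@localhost for local submission by that Unix user,
# relay=<host> [<ip>] for a message received over SMTP.

# Constructed sample log. The from= lines, the apache@localhost submitter and
# every address are assumptions for illustration, not data from the thread.
SAMPLE_LOG='Mar 25 09:47:31 hostname sendmail[9777]: x2P6lV6d009777: from=<bounce@example.invalid>, size=2345, class=0, nrcpts=9, msgid=<201903250947.x2P6lV6d009777@hostname>, relay=apache@localhost
Mar 26 08:09:05 hostname sendmail[8659]: x2P6lV6d009777: to=<a@gmail.com>,<b@gmail.com>, delay=22:21:34, xdelay=00:05:01, mailer=esmtp, pri=2670464, relay=alt4.gmail-smtp-in.l.google.com. [x.x.x.x], dsn=4.0.0, stat=Deferred: Connection timed out with alt4.gmail-smtp-in.l.google.com.
Mar 27 10:19:10 hostname sendmail[5205]: x31AJ9lv005205: from=<bounce@example.invalid>, size=2390, class=0, nrcpts=1, msgid=<201903271019.x31AJ9lv005205@hostname>, relay=apache@localhost
Mar 27 10:19:12 hostname sendmail[5205]: x31AJ9lv005205: to=<c@hotmail.com>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=120000, relay=hotmail-com.olc.protection.outlook.com. [x.x.x.x], dsn=4.0.0, stat=Deferred: Connection timed out with hotmail-com.olc.protection.outlook.com.
Mar 27 10:20:00 hostname sendmail[5300]: x31AK00x005300: from=<root@hostname>, size=512, class=0, nrcpts=1, msgid=<201903271020.x31AK00x005300@hostname>, relay=root@localhost
Mar 27 10:20:01 hostname sendmail[5301]: x31AK00x005300: to=<admin@example.invalid>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mail.example.invalid. [192.0.2.25], dsn=2.0.0, stat=Sent (OK id=1234)'

# All functions read maillog text on stdin.

queue_ids() {
    # Every distinct queue ID that appears after "sendmail[PID]:".
    grep -o 'sendmail\[[0-9]*\]: [0-9A-Za-z]*:' | awk '{ print $2 }' | tr -d ':' | sort -u
}

origin_of() {
    # The relay= value of the from= line for queue ID $1: who submitted the message.
    grep -F " $1: from=" | sed -n 's/.*relay=\([^,]*\).*/\1/p' | head -n 1
}

recipients_of() {
    # Every envelope recipient from the to=<a>,<b>,... lines for queue ID $1, one per line.
    grep -F " $1: to=" | sed 's/.*to=\(<[^ ]*>\),.*/\1/' | tr ',' '\n' | tr -d '<>'
}

status_of() {
    # The last delivery status word (Deferred, Sent, ...) logged for queue ID $1.
    grep -F " $1: to=" | sed -n 's/.*stat=\([A-Za-z]*\).*/\1/p' | tail -n 1
}

summarize() {
    # One line per queue ID: submitter, recipient count and last status.
    local log id
    log=$(cat)
    for id in $(printf '%s\n' "$log" | queue_ids); do
        printf '%s submitter=%s rcpts=%s status=%s\n' "$id" \
            "$(printf '%s\n' "$log" | origin_of "$id")" \
            "$(printf '%s\n' "$log" | recipients_of "$id" | grep -c .)" \
            "$(printf '%s\n' "$log" | status_of "$id")"
    done
}

printf '%s\n' "$SAMPLE_LOG" | summarize
```

On the server itself the same functions work on the real logs, including the rotated ones where the from= lines of day-old queue entries live: cat /var/log/maillog.1 /var/log/maillog | summarize (zcat for the .gz files). A submitter such as apache@localhost means the web server's own account is generating the mail, which points at the web application rather than at SMTP relaying; a relay=<host> [<ip>] entry from an outside address means the machine accepted the message over the network.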
That seems like the first string I'd grep for. Agreed, it doesn't look healthy. If it can get into sendmail logs it's got permission to send mail, which narrows the field on a server. Maybe check users/groups?
I'd also run lsof periodically, page through it and look for anything odd.
If your mail server is sending mails that you can't identify then do the whole of the internet a favour and take it offline until you're able to work out why it's sending potential spam.
Definitely a record of outgoing spam attempts being blocked by gmail and hotmail, respectively.
You either have an open relay or someone has hacked your system.
Please take it off line and contact Red Hat asap.
Also find and disable/delete that user (x2P6lV6d009777).
The users are in /etc/passwd
Chances are, your old and unsupported RHEL5 server has been compromised, and is being used to shovel out spam. As you were told previously, you need to UPGRADE your server. And if you're not planning on purchasing RHEL, then use CentOS 7.x instead. There is zero reason to run a production server with no support at all from RHEL, if you're using RHEL. If you want to support it yourself, then use CentOS.
You still haven't told us what 'application' runs on this, or given any details about your server past old RHEL5.
I cannot find any such user in my /etc/passwd or /etc/group file.
I checked the /var/spool/mailqueue folder. And I found the following files in it.
When I open the last file, I see the email ids of domain hotmail, gmail in it that are appearing in the log file.
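Those queue files are the answer to the "which file" question. A stock Red Hat sendmail keeps the deferred queue in /var/spool/mqueue: for each message there is a df<queue-id> file holding the body and a qf<queue-id> control file holding the envelope and headers. The recipient addresses seen in the log are the R lines of the qf file, the S line is the envelope sender, the M line is the last delivery status and N the number of attempts. The qf file also records how the message got in: the $_ macro and the Received header this host added name the local user (or remote client) that submitted it, and when a user who is not in sendmail's trusted-user list sets the sender with -f, sendmail adds an X-Authentication-Warning header naming that user. mailq (sendmail -bp) prints the same queue with sender and recipients per ID. The script below is an added example, not from the thread: it reads a constructed qf file whose layout follows sendmail 8.13/8.14 (field letters can differ between versions); the apache submitter and all addresses are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): read a sendmail queue control
# file (qf<queue-id>) offline. On Red Hat the MTA queue is /var/spool/mqueue;
# df<ID> holds the body and qf<ID> the envelope and headers.

# Constructed qf file for illustration. It follows the layout of an
# 8.13/8.14 queue file; the submitter and addresses are assumptions.
SAMPLE_QF='V8
T1553492851
K1553583545
N4
P2670464
MDeferred: Connection timed out with alt4.gmail-smtp-in.l.google.com.
Fbs
$_apache@localhost
S<bounce@example.invalid>
rRFC822; a@gmail.com
RPFD:<a@gmail.com>
rRFC822; b@gmail.com
RPFD:<b@gmail.com>
H?P?Return-Path: <g>
H??Received: (from apache@localhost)
        by hostname (8.13.8/8.13.8/Submit) id x2P6lV6d009777;
        Mon, 25 Mar 2019 09:47:31 +0300
H??From: "Account Team" <bounce@example.invalid>
H??Subject: Action required
H?x?X-Authentication-Warning: hostname: apache set sender to bounce@example.invalid using -f
.'

# All qf_* functions read one qf file on stdin.

qf_sender()     { sed -n 's/^S<\(.*\)>$/\1/p' | head -n 1; }   # envelope sender (S line)
qf_recipients() { sed -n 's/^R[A-Z]*:<\(.*\)>$/\1/p'; }        # envelope recipients (R lines)
qf_status()     { sed -n 's/^M//p' | head -n 1; }              # last delivery status (M line)
qf_attempts()   { sed -n 's/^N//p' | head -n 1; }              # delivery attempts so far (N line)

qf_submitter() {
    # Who handed the message to sendmail: the $_ macro if recorded, otherwise
    # the "(from user@host)" clause of the Received header this host wrote.
    local qf sub
    qf=$(cat)
    sub=$(printf '%s\n' "$qf" | sed -n 's/^\$_//p' | head -n 1)
    if [ -z "$sub" ]; then
        sub=$(printf '%s\n' "$qf" | sed -n 's/^H??Received: (from \([^)]*\)).*/\1/p' | head -n 1)
    fi
    printf '%s\n' "$sub"
}

queue_report() {
    # One line per qf file in queue directory $1.
    local f id
    for f in "$1"/qf*; do
        [ -f "$f" ] || continue
        id=${f##*/qf}
        printf '%s submitter=%s sender=%s rcpts=%s tries=%s status=%s\n' "$id" \
            "$(qf_submitter < "$f")" "$(qf_sender < "$f")" \
            "$(qf_recipients < "$f" | grep -c .)" "$(qf_attempts < "$f")" \
            "$(qf_status < "$f")"
    done
}

# Run the report over a throwaway queue directory holding the sample file.
TMPQ=$(mktemp -d)
trap 'rm -rf "$TMPQ"' EXIT
printf '%s\n' "$SAMPLE_QF" > "$TMPQ/qfx2P6lV6d009777"
queue_report "$TMPQ"
```

Against the live system, queue_report /var/spool/mqueue lists every queued message with its submitter. Stop sendmail first (service sendmail stop on this generation of Red Hat) so nothing is rewritten under you, and copy the queue aside for evidence (cp -a /var/spool/mqueue /root/mqueue-evidence) before deleting the qf/df pair of any message you decide to drop. If the submitter is the web server's account, the code producing the mail is inside the web application or a writable upload directory, and files modified around the T timestamp of the qf file (date -d @<T>) are the first place to look.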
Any reason you just ignored what I posted??? Again, as you've been told before:
You're using a VERY old distro of RHEL
You aren't PAYING for that RHEL, so it is/was unpatched, unupdated, and **DID NOT** get the security fixes
Your server has been COMPROMISED, due to the (numerous) bugfixes and security updates you DID NOT GET
Ignoring what was said will not change your situation.
scasey told you
Quote:
Originally Posted by scasey
You either have an open relay or someone has hacked your system.
So have you actually CHECKED to see if you're running an open relay?? Are you? You've not answered about what version of RHEL this server is running, nor about how your mail system is configured. And if they hacked your server, that means they've also gone through whatever firewall you have/had in place. Have you checked THOSE things???
As you were told: take the server offline, since it has been compromised. Contact RHEL support for help, since the administrators at your site seem unable to track down the problem(s). Load a CURRENT OS, and apply the updates/patches before continuing.
Yes I know I am using an old version of RHEL. I am still in discussion with my management to purchase a new REDHAT enterprise server with support.
This server was configured long back when I was not a part of this organization. This server is running as a production server with an application and web running on it, so it will not be possible to take it offline immediately. This server is running in a virtualized environment (VSphere 6.5).
Firewall will block any unauthorized access to our environment.
I am getting the following error when I am trying to connect via telnet to my server to check for open relays.
Quote:
421 Cannot connect to SMTP server x.x.x.x (x.x.x.x:25), connect error 10061
Anyways, I really appreciate your response. Is there any way to deactivate this? I am sure that the emails are not being delivered to the emails in logs because it shows stat=Deferred.
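The telnet result above does not settle the open-relay question either way. Error 10061 is the Winsock code for a refused connection: nothing answered on port 25 from where that test was run, which is exactly what Red Hat's default sendmail.mc produces (its DAEMON_OPTIONS line binds the MTA to Addr=127.0.0.1, so sendmail only accepts connections from the host itself) and also what a firewall in front of the host produces. It says nothing about what a client on the server itself, or on a network the firewall allows, can do. The reliable check is the configuration: /etc/mail/sendmail.mc (compiled into sendmail.cf) decides where sendmail listens and whether features such as promiscuous_relay are on, and /etc/mail/access (compiled into access.db with makemap) lists the clients it relays for. The script below is an added example, not from the thread; the sendmail.mc excerpt and access file are constructed in the style of the Red Hat defaults, with an over-broad entry added to show what the check flags.

```shell
#!/bin/bash
# Added example (not from the original thread): offline audit of the two
# sendmail files that decide whether this host relays for outsiders.

# Constructed sendmail.mc excerpt in the style of the Red Hat default.
# Its DAEMON_OPTIONS binds the MTA to 127.0.0.1, so port 25 is not
# reachable from other hosts at all.
SAFE_MC=$(cat <<'EOF'
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
OSTYPE(`linux')dnl
dnl FEATURE(`promiscuous_relay')dnl
FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
EOF
)

# The same file after two common "just make mail work" edits: listen on
# every interface and relay for anyone. This is a textbook open relay.
OPEN_MC=$(printf '%s\n' "$SAFE_MC" \
    | sed -e 's/^dnl FEATURE(`promiscuous_relay/FEATURE(`promiscuous_relay/' \
          -e 's/Addr=127.0.0.1,//')

# Constructed access file: the Red Hat defaults plus one over-broad entry
# that relays for the whole 10.0.0.0/8 network.
SAMPLE_ACCESS='# Check the /usr/share/doc/sendmail/README.cf file for a description
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
Connect:10                              RELAY
spammer.invalid                         REJECT'

mc_active_features() {
    # Names of FEATURE(...) lines in a sendmail.mc on stdin that are not
    # commented out with a leading dnl.
    grep -v '^[[:space:]]*dnl' | sed -n "s/.*FEATURE(\`\([^',)]*\).*/\1/p"
}

mc_relay_risks() {
    # One finding per line for a sendmail.mc on stdin; no output means none
    # of the checked relay risks is present.
    local mc feats daemons
    mc=$(grep -v '^[[:space:]]*dnl')
    feats=$(printf '%s\n' "$mc" | mc_active_features)
    printf '%s\n' "$feats" | grep -qx 'promiscuous_relay' \
        && echo "promiscuous_relay: sendmail relays for any client (open relay)"
    printf '%s\n' "$feats" | grep -qx 'relay_local_from' \
        && echo "relay_local_from: relays on a forgeable MAIL FROM domain"
    daemons=$(printf '%s\n' "$mc" | grep 'DAEMON_OPTIONS')
    if [ -z "$daemons" ]; then
        echo "no DAEMON_OPTIONS: sendmail listens on every interface by default"
    else
        # Any daemon not pinned to loopback is reachable from the network.
        printf '%s\n' "$daemons" | grep -v 'Addr=127.0.0.1' \
            | sed 's/.*Name=\([A-Za-z]*\).*/\1/' \
            | while read -r name; do
                echo "daemon $name not bound to 127.0.0.1: its port is reachable from the network"
            done
    fi
    return 0
}

access_relay_keys() {
    # Keys of RELAY entries in an access file on stdin, "Connect:" tag removed.
    grep -v '^[[:space:]]*#' | awk '$NF == "RELAY" { sub(/^Connect:/, "", $1); print $1 }'
}

broad_relay_keys() {
    # RELAY keys that are one- or two-octet IPv4 prefixes: a whole /8 or /16.
    access_relay_keys | grep -E '^[0-9]{1,3}(\.[0-9]{1,3})?$'
}

echo "== safe sendmail.mc ==";  printf '%s\n' "$SAFE_MC" | mc_relay_risks
echo "== open sendmail.mc ==";  printf '%s\n' "$OPEN_MC" | mc_relay_risks
echo "== broad RELAY keys ==";  printf '%s\n' "$SAMPLE_ACCESS" | broad_relay_keys
```

On the server: mc_relay_risks < /etc/mail/sendmail.mc and broad_relay_keys < /etc/mail/access. If sendmail.cf was ever edited by hand, check the compiled file as well (grep '^O DaemonPortOptions' /etc/mail/sendmail.cf) and confirm with netstat -tlnp what port 25 is actually bound to. Two outcomes matter here. If the MTA is bound to 127.0.0.1 only, the box cannot be an open relay for outsiders, and the queued spam is being generated on the host itself, so the submitter recorded in the maillog from= lines and in the qf files is the lead to follow. If it listens on the network, test relaying from an outside host (nc <server> 25, then EHLO test, MAIL FROM:<a@outside.example>, RCPT TO:<b@elsewhere.example>): a correctly configured sendmail answers the RCPT with 550 5.7.1 Relaying denied, and a 250 there means the relay is open.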
I checked the maillog and I find new user sending these emails today (x31AJ9lv005205). And the logs for all emails shows "stat=Deferred".
It is sending messages to many different emails. I was thinking if there is any file which contains all the email addresses??
How can I disable this?
Who is this "new user"? Most likely he's sending spam.
You should take your box off the net and investigate further.
Again, are you not understanding what you're being told??? Your server **HAS BEEN COMPROMISED**, period. It was compromised because it is OLD, unpatched, and many, MANY versions out of date.
Saying "We are in discussion, but this is an IMPORTANT SERVER that we can't take down!!!" is plain stupid, because if it was important:
You'd have had support on it from day one.
You'd have kept it up to date, and had security patches applied
...which has NOT been done. If this server is important, you need to actually do the WORK necessary to keep it going. Since it's a VM server, it'll take you literally MINUTES to bring up another instance of RHEL 7 (or CentOS, since it's fairly clear you won't purchase support), and spend the days/nights needed to migrate your 'important' application over to it.
Your firewall is obviously NOT blocking access, since if it was, your server wouldn't have been compromised. Either that, or someone did something stupid and ran a trojan of some sort to establish a connection outside. Either way...your only path forward is to upgrade, and migrate. And I would view ALL the files/programs on your server as suspicious. Have you actually tried looking for rootkits, or any viruses?
Quote:
Originally Posted by fawaz25
I checked the maillog and I find new user sending these emails today (x31AJ9lv005205). And the logs for all emails shows "stat=Deferred".
It is sending messages to many different emails. I was thinking if there is any file which contains all the email addresses?? How can I disable this?
If you are the administrator, should you not know how to check your mail system, and what it consists of??? Again, you've been posting about this very old RHEL 5 server for some time now, and CONSISTENTLY ignore the advice given about updating it. And you then seem surprised that you're having issues.
We don't know where/how your sendmail system is set up, if you've got aliases enabled to where, or how it was configured. The 'user name' you posted seems exactly like something a spambot would employ, unless you're assigning user names like that in your organization. Are you???