On Wed, Jul 27, 2011 at 02:45:26PM +0200, Salvatore wrote:
> "Ansgar Wiechers" wrote:
> > - output of "postconf -n"
> > - log excerpt showing an entire mail transaction from the point where
> >   the spam mail enters Postfix to the point where Postfix attempts the
> >   delivery
>
> [root@mail scripts]# postconf -n
[snip]
> readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
> relay_domains = $mydestination
> sample_directory = /usr/share/doc/postfix-2.2.8/samples

If this is really Postfix 2.2.8, you have a seriously old system there.
Has it been kept up with all security patches? OpenSSH and Apache httpd
have had dozens of exploits in that period. Do you use either of those?

[snip, nothing else noteworthy in postconf]

> in log file I have this:
>
> Jul 27 13:45:50 mail postfix/qmgr[3472]: 65C4326ADB5:
> from=<aw...@winner.com>, size=601090, nrcpt=50 (queue active)
> Jul 27 13:45:50 mail postfix/qmgr[3472]: 1AE0A26ADB0:
> from=<aw...@winner.com>, size=601090, nrcpt=50 (queue active)
> Jul 27 13:45:50 mail postfix/qmgr[3472]: 12DDE26ADAB:
> from=<aw...@winner.com>, size=601090, nrcpt=50 (queue active)
> Jul 27 13:45:50 mail postfix/qmgr[3472]: 90DF326ADB1:
> from=<aw...@winner.com>, size=601090, nrcpt=50 (queue active)
> Jul 27 13:45:50 mail postfix/qmgr[3472]: 23A9E2D401C:
> from=<aw...@winner.com>, size=601792, nrcpt=50 (queue active)

50 recipients each. This sure looks like what I thought originally, that
you are being used as a platform for spamming.

> Jul 27 13:45:51 mail postfix/smtp[18874]: 23A9E2D401C: host
> mailin-01.mx.aol.com[205.188.159.42] refused to talk to me: 421 4.7.1 :
> (RLY:B3)
> http://postmaster.info.aol.com/errors/421rlyb3.html
> Jul 27 13:45:51 mail postfix/smtp[18877]: 23A9E2D401C: host
> mailin-03.mx.aol.com[205.188.190.2] refused to talk to me: 421 4.7.1 :
> (RLY:B3)
> http://postmaster.info.aol.com/errors/421rlyb3.html
> Jul 27 13:45:51 mail postfix/smtp[18872]: 12DDE26ADAB: host
> mailin-04.mx.aol.com[64.12.90.34] refused to talk to me: 421
> mtain-mh06.r1000.mx.aol.com Service unavailable - try again later
> Jul 27 13:45:51 mail postfix/smtp[18871]: 1AE0A26ADB0: host
> mailin-04.mx.aol.com[64.12.90.66] refused to talk to me: 421
> mtain-mb06.r1000.mx.aol.com Service unavailable -try again later
>
> I hope this information will help.

No, because for the third time now: you must show us the ORIGIN of these
spam suspects.
Take, for example, queue ID 1AE0A26ADB0: we know the size and that it has
50 recipients. We need to see how it got into your queue. And that means
ORIGIN ... we have no interest in seeing it reinjected from the
content_filter, except insofar as reinjection gives us the original queue
ID.

Most mail enters either through smtpd(8) or through sendmail(1). The
former is logged by "postfix/smtpd"; for the latter, typically the first
log entry you would see is from "postfix/pickup".

My guess is that you've been compromised, and that these spams came
through local sendmail submission. Hope not, because it will be a mess to
clean up!

One thing you should consider doing NOW is to stop Postfix, because the
more spam you relay, the more damage is done to your reputation and
deliverability. (Not to mention the antisocial aspects of being accessory
to a crime.)
-- 
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
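As an added illustration of the origin check the reply asks for (this script is not part of the thread and is not Postfix's own tooling): it groups Postfix log lines by queue ID and reports whether each message entered through postfix/pickup (local sendmail(1) submission, logged with the submitting uid) or postfix/smtpd (a network client). The sample log, the uid and the hostnames are constructed; treating an smtpd client on the loopback address as content_filter reinjection is an assumption about a typical after-queue filter setup, and in that case the real origin lives under a different queue ID.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread): one local sendmail(1)
# submission, one network SMTP delivery, one content-filter reinjection.
SAMPLE_LOG = """\
Jul 27 13:45:49 mail postfix/pickup[3470]: 1AE0A26ADB0: uid=48 from=<aw...@winner.com>
Jul 27 13:45:50 mail postfix/qmgr[3472]: 1AE0A26ADB0: from=<aw...@winner.com>, size=601090, nrcpt=50 (queue active)
Jul 27 13:45:48 mail postfix/smtpd[3480]: 65C4326ADB5: client=host.example.net[192.0.2.10]
Jul 27 13:45:50 mail postfix/qmgr[3472]: 65C4326ADB5: from=<aw...@winner.com>, size=601090, nrcpt=50 (queue active)
Jul 27 13:45:50 mail postfix/smtpd[3490]: 23A9E2D401C: client=localhost[127.0.0.1]
Jul 27 13:45:50 mail postfix/qmgr[3472]: 23A9E2D401C: from=<aw...@winner.com>, size=601792, nrcpt=50 (queue active)
Jul 27 13:45:51 mail postfix/smtp[18871]: 1AE0A26ADB0: host mx.example.com[198.51.100.5] refused to talk to me: 421
"""

# timestamp host postfix/PROGRAM[pid]: QUEUEID: rest-of-message
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)$"
)

def parse_log(text):
    """Group (program, message) pairs by queue ID, in log order."""
    by_qid = defaultdict(list)
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            by_qid[m["qid"]].append((m["prog"], m["rest"]))
    return by_qid

def find_origin(entries):
    """Return (kind, detail): ('pickup', uid), ('smtpd', client),
    ('reinjected', client) for a loopback smtpd client, or (None, None)."""
    for prog, rest in entries:
        if prog == "pickup":
            m = re.search(r"uid=(\d+)", rest)
            return ("pickup", m.group(1) if m else "?")
        if prog == "smtpd":
            m = re.search(r"client=(\S+)", rest)
            client = m.group(1) if m else "?"
            # Assumption: loopback client means a content_filter handed it back.
            loopback = "[127.0.0.1]" in client or "[::1]" in client
            return ("reinjected" if loopback else "smtpd", client)
    return (None, None)

def origins(text):
    return {qid: find_origin(e) for qid, e in parse_log(text).items()}

if __name__ == "__main__":
    for qid, (kind, detail) in origins(SAMPLE_LOG).items():
        print(f"{qid}: origin={kind} ({detail})")
```

Run it against /var/log/maillog (or wherever syslog puts the mail facility) instead of SAMPLE_LOG; a queue ID that resolves to pickup with an unexpected uid points at a local process submitting mail, which is the case the reply is worried about.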