Errors, errors everywhere

Hi all,
I am having a whole tonne of email related problems and my google-fu is letting me down - thus I turn to you all for help.
I am seeing the following in various logfiles:

Mail Log

Code:

Oct 20 13:14:51 hades postfix/smtp[18321]: 2BFEA596698: to=<[email protected]>, relay=none, delay=331542, delays=331538/0.58/4/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=gmail.gr type=MX: Host not found, try again)
Oct 20 13:14:51 hades postfix/smtp[18325]: 28FEC5966B5: host mail.saint-gobain.com[192.109.148.16] refused to talk to me: 554-mail.saint-gobain.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
Oct 20 13:14:51 hades postfix/smtp[18216]: 8B5B5256A1: host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
Oct 20 13:14:52 hades postfix/smtp[18257]: 5B78F59693B: host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
Oct 20 13:14:52 hades postfix/smtp[18325]: 28FEC5966B5: to=<[email protected]>, relay=mail9.saint-gobain.com[192.109.148.15]:25, delay=331457, delays=331452/0.58/4.7/0, dsn=4.0.0, status=deferred (host mail9.saint-gobain.com[192.109.148.15] refused to talk to me: 554-mail9.saint-gobain.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Oct 20 13:14:52 hades postfix/smtp[18200]: E463025096: host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
Oct 20 13:14:52 hades postfix/smtp[18320]: E370D5968FE: host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102]
Oct 20 13:14:56 hades postfix/smtp[18287]: certificate verification failed for smtp-in.sfr.fr[93.17.128.165]:25: untrusted issuer /C=FR/O=Certplus/CN=Class 2 Primary CA
Oct 20 13:14:56 hades postfix/smtp[18216]: 8B5B5256A1: to=<[email protected]>, relay=smtp-in.orange.fr[80.12.242.9]:25, delay=323774, delays=323764/0.15/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
Oct 20 13:14:57 hades postfix/smtp[18257]: 5B78F59693B: to=<[email protected]>, relay=smtp-in.orange.fr[80.12.242.9]:25, delay=327867, delays=327856/0.38/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
Oct 20 13:14:57 hades postfix/smtp[18320]: E370D5968FE: to=<[email protected]>, relay=smtp-in.orange.fr[193.252.22.65]:25, delay=327991, delays=327980/0.58/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
Oct 20 13:14:57 hades postfix/smtp[18200]: E463025096: to=<[email protected]>, relay=smtp-in.orange.fr[193.252.22.65]:25, delay=432889, delays=432878/0.58/10/0, dsn=4.0.0, status=deferred (host smtp-in.orange.fr[193.252.22.65] refused to talk to me: 550 mwinf5c10 ME Adresse IP source bloquee pour incident de spam. Client host blocked for spamming issues. OFR006_102 Ref http://csi.cloudmark.com/reset-request/?ip=178.79.181.243 [102])
Oct 20 13:14:57 hades postfix/qmgr[3545]: E463025096: from=<[email protected]>, status=expired, returned to sender
Oct 20 13:14:57 hades postfix/cleanup[18128]: 8B884237D3: message-id=<[email protected]>
Oct 20 13:14:57 hades postfix/bounce[18233]: E463025096: sender non-delivery notification: 8B884237D3
Oct 20 13:14:57 hades postfix/qmgr[3545]: 8B884237D3: from=<>, size=3758, nrcpt=1 (queue active)
Oct 20 13:14:57 hades postfix/qmgr[3545]: E463025096: removed
Oct 20 13:14:57 hades postfix/smtp[18294]: 8B884237D3: to=<[email protected]>, relay=none, delay=0.01, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for emmacheyne.com loops back to myself)
Oct 20 13:14:57 hades postfix/qmgr[3545]: 8B884237D3: removed
Oct 20 13:14:58 hades postfix/smtp[18274]: certificate verification failed for cluster1a.uk.messagelabs.com[85.158.139.103]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Oct 20 13:14:58 hades postfix/smtp[18274]: C6244595F8D: to=<[email protected]>, relay=cluster1a.uk.messagelabs.com[85.158.139.103]:25, delay=353679, delays=353667/0.49/12/0.03, dsn=4.0.0, status=deferred (host cluster1a.uk.messagelabs.com[85.158.139.103] said: 421 Service Temporarily Unavailable (in reply to RCPT TO command))
Oct 20 13:15:01 hades postfix/smtp[18231]: 0BB605961BC: host etb-1.mail.tiscali.it[213.205.33.63] refused to talk to me: 554 imp-1.mail.tiscali.it XQF11r01i5FVNl601 IP: 178.79.181.243, You are not allowed to send mail. Please see http://www.spamhaus.org/query/ip/178.79.181.243 You are listed in Spamhaus ZEN
Oct 20 13:15:01 hades postfix/smtpd[18108]: connect from localhost.localdomain[127.0.0.1]
Oct 20 13:15:01 hades postfix/smtpd[18108]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Oct 20 13:15:01 hades postfix/smtpd[18108]: disconnect from localhost.localdomain[127.0.0.1]
Oct 20 13:15:01 hades pop3d: Connection, ip=[::ffff:127.0.0.1]
Oct 20 13:15:01 hades pop3d: Disconnected, ip=[::ffff:127.0.0.1]

Mail Warn-Log:

Code:

Oct 20 13:11:55 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
Oct 20 13:11:57 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
Oct 20 13:12:03 hades postfix/smtpd[16973]: warning: SASL authentication failure: Password verification failed
Oct 20 13:12:03 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
Oct 20 13:12:03 hades postfix/smtpd[18108]: warning: SASL authentication failure: Password verification failed
Oct 20 13:12:03 hades postfix/smtpd[18108]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
Oct 20 13:12:03 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
Oct 20 13:12:03 hades postfix/smtpd[18108]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
Oct 20 13:12:09 hades postfix/smtpd[16973]: warning: SASL authentication failure: Password verification failed
Oct 20 13:12:09 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL PLAIN authentication failed: authentication failure
Oct 20 13:12:09 hades postfix/smtpd[16973]: warning: unknown[109.98.160.227]: SASL LOGIN authentication failed: authentication failure
Oct 20 13:12:29 hades postfix/smtpd[18108]: warning: unknown[222.236.44.34]: SASL LOGIN authentication failed: authentication failure
Oct 20 13:24:19 hades postfix/smtpd[18960]: warning: 69.12.86.131: address not listed for hostname 69.12.86.131.static.quadranet.com

I *think* I have two problems:
* First, something somewhere is compromised, and sending out loads of spam emails. I've disabled the clients/mailboxes/etc associated with the domain popping up in the logs (emmacheyne.com), but that doesn't seem to be stopping them.
* Second, I think there may be an SSL/email configuration issue, as I'm getting authentication failures from accounts which should be able to log in.

EDIT: I'm using ISP Config 3 on Ubuntu 10.04.4 LTS


Any help and suggestions for resolutions would be greatly appreciated!

Thanks,
Ben

 

(Logs are much-shortened to fit within the forum's max character limit)

 

The test script gives me the following:

Code:

##### SERVER #####
IP-address (as per hostname): ***.***.***.***
IP-address(es) (as per ifconfig): ***.***.***.***
[INFO] ISPConfig is installed.
[WARN] /usr/local/ispconfig/server/lib/config.inc.php is missing.

##### VERSION CHECK #####

[INFO] php (cli) version is 5.3.2-1ubuntu4.30

##### PORT CHECK #####


##### MAIL SERVER CHECK #####

[WARN] I found no "submission" entry in your postfix master.cf
[INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.

##### RUNNING SERVER PROCESSES #####

[WARN] I could not determine which web server is running.
[WARN] I could not determine which mail server is running.
[WARN] I could not determine which pop3 server is running.
[WARN] I could not determine which imap server is running.
[WARN] I could not determine which ftp server is running.

##### LISTENING PORTS #####
(only  ()
Local  (Address)
[localhost]:10024  (-)
[localhost]:10025  (-)
[anywhere]:3306  (-)
[localhost]:783  (-)
[anywhere]:8080  (-)
[anywhere]:80  (-)
[anywhere]:8081  (-)
[anywhere]:465  (-)
[anywhere]:21  (-)
***.***.***.***:53  (-)
[localhost]:53  (-)
[anywhere]:22  (-)
[anywhere]:25  (-)
[localhost]:953  (-)
[anywhere]:443  (-)
*:*:*:*::*:993  (-)
*:*:*:*::*:995  (-)
[localhost]10  (-)
[localhost]43  (-)
*:*:*:*::*:465  (-)
*:*:*:*::*:21  (-)
*:*:*:*::*:53  (-)
*:*:*:*::*:22  (-)
*:*:*:*::*:25  (-)
*:*:*:*::*:953  (-)

 

ISPConfig itself seems to be working fine, it's just that mail clients can't authenticate. I saw that error, but can't seem to force a reconfiguration as I'm already on the latest version, and have no idea how to go about manually resolving that missing file.

I think so too, but I'm not sure how to identify which account is compromised. I have disabled all accounts associated with the domain email is being sent from, but it doesn't appear to have stopped it.

 

Great, the test script now shows no errors:

Code:

##### SERVER #####
IP-address (as per hostname): ***.***.***.***
IP-address(es) (as per ifconfig): ***.***.***.***
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.0.5.4p8


##### VERSION CHECK #####

[INFO] php (cli) version is 5.3.2-1ubuntu4.30

##### PORT CHECK #####


##### MAIL SERVER CHECK #####

[WARN] I found no "submission" entry in your postfix master.cf
[INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.

##### RUNNING SERVER PROCESSES #####

[INFO] I found the following web server(s):
  Apache 2 (PID 27107)
[INFO] I found the following mail server(s):
  Postfix (PID 25705)
[INFO] I found the following pop3 server(s):
  Courier Mailserver (PID 27048)
[INFO] I found the following imap server(s):
  Courier Mailserver (PID 27008)
[INFO] I found the following ftp server(s):
  PureFTP (PID 27132)

##### LISTENING PORTS #####
(only  ()
Local  (Address)
[localhost]:10024  (25941/amavisd)
[localhost]:10025  (25705/master)
[anywhere]:3306  (25549/mysqld)
[localhost]:783  (2766/spamd.pid)
[anywhere]:8080  (27107/apache2)
[anywhere]:80  (27107/apache2)
[anywhere]:8081  (27107/apache2)
[anywhere]:465  (25705/master)
[anywhere]:21  (27132/pure-ftpd)
***.***.***.***:53  (2603/named)
[localhost]:53  (2603/named)
[anywhere]:22  (2748/sshd)
[anywhere]:25  (25705/master)
[localhost]:953  (2603/named)
[anywhere]:443  (27107/apache2)
*:*:*:*::*:993  (27031/couriertcpd)
*:*:*:*::*:995  (27071/couriertcpd)
[localhost]10  (27048/couriertcpd)
[localhost]43  (27008/couriertcpd)
*:*:*:*::*:465  (25705/master)
*:*:*:*::*:21  (27132/pure-ftpd)
*:*:*:*::*:53  (2603/named)
*:*:*:*::*:22  (2748/sshd)
*:*:*:*::*:25  (25705/master)
*:*:*:*::*:953  (2603/named)




##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target  prot opt source  destination
fail2ban-ssh  tcp  --  [anywhere]/0  [anywhere]/0  multiport dports 22

Chain FORWARD (policy ACCEPT)
target  prot opt source  destination

Chain OUTPUT (policy ACCEPT)
target  prot opt source  destination

Chain fail2ban-ssh (1 references)
target  prot opt source  destination
RETURN  all  --  [anywhere]/0  [anywhere]/0

I've figured out that it's a PHP script sending the spam, within the web files of the client account I've already deactivated. Is there a simple way to disable that user account, to stop everything under that user running, until I can patch things up? Or should I just delete the user (and therefore everything associated with them) and set them up again from scratch?

Thanks,
Ben