Hello Group...

As of December 28, 2008 the server I am going to ask questions about was configured to utilize Postfix mail server with SMTP-AUTH and TLS. My question is what else would I do to stop spammers from utilizing my Email server? I am not sure if my server is being impersonated or what??

My bandwidth provider Verizon Business abuse team has sent me an Email abuse report stating that my server 65.197.209.3 giganetwireless.net is being used to transmit spam. Below is the output after running 'tail -f /var/log/mail.log' (I have no Email address [email protected] uid=33):

Code:
Jan 26 10:47:35 giganetwireless postfix/cleanup[31813]: C276535CDFB0: message-id=<[email protected]>
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: C3E4D35CE0FF: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/cleanup[31812]: C3E4D35CE0FF: message-id=<[email protected]>
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: C4FC335CE100: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/cleanup[31811]: C4FC335CE100: message-id=<[email protected]>
Jan 26 10:47:35 giganetwireless postfix/smtp[8847]: certificate verification failed for suprilinx.com.br: num=18:self signed certificate
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: CEEF835CE101: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/cleanup[31815]: CEEF835CE101: message-id=<[email protected]>
Jan 26 10:47:35 giganetwireless postfix/pickup[19050]: D29C135CE102: uid=33 from=<www-data>
Jan 26 10:47:35 giganetwireless postfix/cleanup[30245]: D29C135CE102: message-id=<[email protected]>
Jan 26 10:47:35 giganetwireless postfix/smtp[32106]: certificate verification failed for mail.stillnet.com.br: num=18:self signed certificate
Jan 26 10:47:36 giganetwireless postfix/smtp[19151]: certificate verification failed for abelisauro.starbks.com.br: num=18:self signed certificate
Jan 26 10:47:36 giganetwireless postfix/smtp[25751]: D200B3595D0D: to=<[email protected]>, relay=mx.br.inter.net[200.142.77.19]:25, conn_use=3, delay=1142, delays=0.03/1125/6.3/10, dsn=5.1.1, status=bounced (host mx.br.inter.net[200.142.77.19] said: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Jan 26 10:47:36 giganetwireless postfix/smtp[32033]: ED207359DCB3: to=<[email protected]>, relay=mail3.netpar.com.br[200.103.225.17]:25, delay=1143, delays=0.03/1124/3.2/16, dsn=2.0.0, status=sent (250 Ok: queued as C3CC13C0062)
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: ED207359DCB3: removed
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 2D40D359572C: from=<>, size=6755, nrcpt=1 (queue active)
Jan 26 10:47:36 giganetwireless postfix/local[536]: 2D40D359572C: to=<[email protected]>, relay=local, delay=169, delays=169/0/0/0.03, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 2D40D359572C: removed
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: D7F1C359583E: from=<[email protected]>, size=4834, nrcpt=1 (queue active)
Jan 26 10:47:36 giganetwireless postfix/smtpd[5454]: 2A4E2359572C: client=slbnat3.br.inter.net[200.142.77.7]
Jan 26 10:47:36 giganetwireless postfix/smtp[17153]: 29EBD359DE02: to=<[email protected]>, relay=none, delay=1139, delays=0.06/1138/0.97/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=sysnetway.com.br type=AAAA: Host found but no data record of requested type)
Jan 26 10:47:36 giganetwireless postfix/cleanup[30257]: 69B3F35CE104: message-id=<[email protected]>
Jan 26 10:47:36 giganetwireless postfix/bounce[25445]: 29EBD359DE02: sender non-delivery notification: 69B3F35CE104
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 29EBD359DE02: removed
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 0F6FB35CDD3A: from=<[email protected]>, size=4827, nrcpt=1 (queue active)
Jan 26 10:47:36 giganetwireless postfix/cleanup[31810]: 2A4E2359572C: message-id=<[email protected]>
Jan 26 10:47:36 giganetwireless postfix/smtp[15411]: 4722B359DE07: to=<[email protected]>, relay=none, delay=1139, delays=0.15/1138/1/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=starmedia.c type=AAAA: Host not found)
Jan 26 10:47:36 giganetwireless postfix/cleanup[30284]: 805A1359DE02: message-id=<[email protected]>
Jan 26 10:47:36 giganetwireless postfix/bounce[25445]: 4722B359DE07: sender non-delivery notification: 805A1359DE02
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 4722B359DE07: removed
Jan 26 10:47:36 giganetwireless postfix/qmgr[2527]: 83D21359DDC5: from=<[email protected]>, size=4824, nrcpt=1 (queue active)
Jan 26 10:47:36 giganetwireless postfix/smtpd[1499]: connect from zeus.solar.com.br[200.199.212.49]

I have just created an Email account [email protected] and in came nearly 1000's Undelivered Mail Returned to Sender messages! What does this mean when someone can utilize my server using www-data as the user name to send Spam? What can I do to stop or at least control this from happening? I just don't understand how an Email server that uses SMTP-AUTH can be used as a spammer network which tends to operate from South America??

Description of incident:

Code:
-From : From [email protected] Mon Jan 26 06:32:21 2009
Received : from omzesmtp03a.verizonbusiness.com (omzesmtp03a.verizonbusiness.com [199.249.25.201]) by pdcetmsdrs03.mcilink.com (8.11.7p3+Sun/8.11.7) with ESMTP id n0Q6WL912442 for <[email protected]>; Mon, 26 Jan 2009 06:32:21 GMT
Received : from omzesmtp03a.verizonbusiness.com ([127.0.0.1]) by firewall.verizonbusiness.com (Sun Java(tm) System Messaging Server 6.3-5.02 (built Oct 12 2007; 32bit)) with ESMTP id <[email protected]> for [email protected]; Mon, 26 Jan 2009 06:32:21 +0000 (GMT)
Received : from sc-smtp1-bulkmx.soma.ironport.com ([204.15.82.123]) by firewall.verizonbusiness.com (Sun Java(tm) System Messaging Server 6.3-5.02 (built Oct 12 2007; 32bit)) with ESMTP id <[email protected]> for [email protected]; Mon, 26 Jan 2009 06:32:21 +0000 (GMT)
Received : from sc-app9.spamcop.net ([204.15.82.88]) by sc-smtp-vip.soma.ironport.com with SMTP; Sun, 25 Jan 2009 22:32:20 -0800
Received : from [200.161.138.186] by spamcop.net with HTTP; Mon, 26 Jan 2009 06:32:20 +0000 (GMT)
>From : ITM NETWORKS - Abuse <[email protected]>
To : [email protected]
Subject : [SpamCop (65.197.209.3) id:3816469853]
Precedence : list
Message-id : <[email protected]>
Date : Sun, 25 Jan 2009 18:12:32 -0300
X-SpamCop-sourceip : 65.197.209.3
X-Mailer : http://www.spamcop.net/ v2

The Header of the offensive Email

Code:
Return-Path: <[email protected]>
Received: from mail.giganetwireless.net [65.197.209.3] by winmail1mx.winserversecure.com with SMTP; Sun, 25 Jan 2009 18:12:32 -0300
Received: by giganetwireless.net (Postfix, from userid 33) id 8D03C359673E; Sun, 25 Jan 2009 10:16:12 -0800 (PST)
Date: Sun Jan 25 09:59:40 PST 2009
From: Caixa Economica Federal <[email protected]>
To: x
X-SmarterMail-Spam: SPF_None, Custom Header [user in Received:5;]
X-SmarterMail-TotalSpamWeight: 15

Thanking you in advance for your suggestions and time.

Best Regards
www-data is the user that your Apache web server runs under, so I guess you have a vulnerable contact form or web application that spammers abuse to send their spam.
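Added example, not part of the original thread: a small log analysis that separates messages handed to Postfix locally (`postfix/pickup ... uid=33 from=<www-data>`, as in the log above) from messages received over SMTP (`postfix/smtpd ... client=`), and reports what became of the locally submitted ones. The function names, the threshold, the allowed-uid set and the sample log (host name, queue IDs, addresses, IPs) are constructed for this illustration.

```python
"""Classify how each message entered a Postfix queue, from mail.log lines."""
import re
from collections import Counter, defaultdict

# "postfix/<daemon>[pid]: <QUEUE-ID>: <rest>". Lines without a queue ID
# (TLS warnings, "connect from ...") do not match and are skipped.
LINE_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
CLIENT_RE = re.compile(r"client=(?P<client>\S+)")
STATUS_RE = re.compile(r"to=<[^>]*>.*\bstatus=(?P<status>\w+)")

# Constructed sample in the format of the thread's mail.log; the host name,
# queue IDs, addresses and IPs are made up for this example.
SAMPLE_LOG = """\
Jan 26 10:47:35 mailhost postfix/pickup[19050]: A1B2C3D4E5F0: uid=33 from=<www-data>
Jan 26 10:47:35 mailhost postfix/cleanup[31812]: A1B2C3D4E5F0: message-id=<20090126.A1B2C3D4E5F0@mailhost.example>
Jan 26 10:47:35 mailhost postfix/pickup[19050]: A1B2C3D4E5F1: uid=33 from=<www-data>
Jan 26 10:47:35 mailhost postfix/pickup[19050]: A1B2C3D4E5F2: uid=33 from=<www-data>
Jan 26 10:47:35 mailhost postfix/smtp[8847]: certificate verification failed for mx.example.org: num=18:self signed certificate
Jan 26 10:47:36 mailhost postfix/smtpd[5454]: B1B2C3D4E5F0: client=client.example.net[192.0.2.7]
Jan 26 10:47:36 mailhost postfix/pickup[19050]: C1B2C3D4E5F0: uid=0 from=<root>
Jan 26 10:47:36 mailhost postfix/smtp[25751]: A1B2C3D4E5F0: to=<a@example.org>, relay=mx.example.org[198.51.100.19]:25, delay=1142, dsn=5.1.1, status=bounced (host mx.example.org[198.51.100.19] said: 550 5.1.1 <a@example.org>: Recipient address rejected: User unknown (in reply to RCPT TO command))
Jan 26 10:47:36 mailhost postfix/smtp[32033]: A1B2C3D4E5F1: to=<b@example.org>, relay=mx.example.org[198.51.100.19]:25, delay=1143, dsn=2.0.0, status=sent (250 Ok: queued as C3CC13C0062)
Jan 26 10:47:36 mailhost postfix/qmgr[2527]: A1B2C3D4E5F1: removed
Jan 26 10:47:36 mailhost postfix/local[536]: B1B2C3D4E5F0: to=<user@mailhost.example>, relay=local, delay=1, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Jan 26 10:47:36 mailhost postfix/smtp[17153]: D1B2C3D4E5F0: to=<c@example.org>, relay=none, delay=1139, dsn=5.4.4, status=bounced (Host or domain name not found)
Jan 26 10:47:36 mailhost postfix/smtpd[1499]: connect from client.example.net[192.0.2.7]
"""


def parse_queue(lines):
    """Map queue ID -> how the message entered Postfix and what became of it."""
    queue = defaultdict(lambda: {"origin": "unknown", "uid": None,
                                 "client": None, "statuses": []})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        entry, rest = queue[m["qid"]], m["rest"]
        if m["daemon"] == "pickup" and (p := PICKUP_RE.search(rest)):
            # Local submission: a process on this host ran sendmail/postdrop.
            entry.update(origin="local", uid=int(p["uid"]))
        elif m["daemon"] == "smtpd" and (c := CLIENT_RE.search(rest)):
            # Network submission: a client spoke SMTP to this server.
            entry.update(origin="network", client=c["client"])
        elif (s := STATUS_RE.search(rest)):
            # Delivery attempt by smtp/local/error: keep the outcome.
            entry["statuses"].append(s["status"])
    return dict(queue)


def origin_counts(queue):
    """Number of queue IDs per entry path: local, network or unknown."""
    return dict(Counter(e["origin"] for e in queue.values()))


def flag_uids(queue, threshold, allowed_uids=()):
    """uids with at least `threshold` local submissions, minus allowed ones."""
    per_uid = Counter(e["uid"] for e in queue.values()
                      if e["origin"] == "local")
    return {uid: n for uid, n in per_uid.items()
            if n >= threshold and uid not in allowed_uids}


def outcomes(queue, uid):
    """Delivery statuses logged for messages submitted locally by `uid`."""
    seen = Counter()
    for e in queue.values():
        if e["origin"] == "local" and e["uid"] == uid:
            seen.update(e["statuses"])
    return dict(seen)


if __name__ == "__main__":
    q = parse_queue(SAMPLE_LOG.splitlines())
    print("entry paths:", origin_counts(q))
    # threshold and allowed_uids are assumptions to tune per host
    for uid, n in flag_uids(q, threshold=3, allowed_uids={0}).items():
        print(f"uid {uid}: {n} local submissions, outcomes {outcomes(q, uid)}")
```

Messages with origin `local` were handed to Postfix by a process on the host through the sendmail/postdrop interface, so SMTP-AUTH and other `smtpd` restrictions never see them; `authorized_submit_users` in `main.cf` is the Postfix setting that governs which local accounts may submit that way. Queue IDs reported as `unknown` entered the queue before the first line read.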
Thank you Falko. Later yesterday I did find the reference to www-data in httpd.conf. I don't have many applications on this domain so I will go through all of them until I find the problem.
I have scoured this domain for applications or form based communications that spammers could be using. This domain giganetwireless.net has no web-site, its index redirects to my .com address. Joomla was installed and I have removed it thinking its contact form was being exploited. I just can't seem to put my finger on what spammers are using to funnel spam through my server. Can anyone help me get to the bottom of this?? Thanking you in advance for your help... Best Regards
Thank you Falko

After removing Joomla things changed somewhat, but I feel we are still being abused. When I run 'netstat -tap' this is the average results:

Likewise when I run 'tail -f /var/log/mail.log' on the mail.log I receive these results:

Jeez my IP is poison to so many servers right now.
Thank you Falko. Aside from Joomla there are no other direct communication forms. What exists on this server now is RoundCube, Cacti, & HelpCenter Live. I just realized that HCL does have a PHP based contact form, hmm, I will have to look over the application to see if I can disable the PHP based contact application without impacting HCL?? I am open to any additional ideas Falko. Thank you for your time. Best Regards
Thank you Falko. It appears that the vast majority of spam is appearing as though it has originated from 'www-data <at> giganetwireless <dot> net'. I am wondering how would I best stop Email coming from that address at my server? Also, would you feel that implementing How To Fight Spam Using Your Postfix Configuration in addition to Killing That Spam With Postgrey And Postfix would help in controlling this situation maybe? Thanking you in advance for your help and support.. Best Regards