lot of messages showing pending in mail queue

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Mar 8, 2014.

  1. pawan

    pawan Member

    I noticed that a lot of messages are showing in one of the websites like:

    HTML:
    69D053027F2 4597 Tue Mar 4 08:28:21 [email protected]
    (delivery temporarily suspended: host mx2.comcast.net[76.96.40.147] refused to talk to me: 554 imta01.emeryville.ca.mail.comcast.net comcast 117.247.67.131 found on one or more DNSBLs, see http://postmaster.comcast.net/smtp-error-codes.php#BL000010)
    [email protected]
    
    69E54302A77 4627 Thu Mar 6 04:36:25 [email protected]
    (connect to nullmx.domainmanager.com[199.231.85.98]:25: Connection timed out)
    [email protected]
    
    6270D303199 4604 Wed Mar 5 07:52:42 [email protected]
    (connect to fc.metronews.com[74.85.6.110]:25: Connection timed out)
    [email protected]
    
    624463027FC 4606 Tue Mar 4 08:32:29 [email protected]
    (connect to mx1.comcast.net[2001:558:fe14:70::22]:25: Network is unreachable)
    [email protected]
    
    651FD303AB5 4610 Fri Mar 7 13:35:40 [email protected]
    (host ib1.charter.net[216.33.127.20] refused to talk to me: 554 imp06 charter.net ?? IP: 117.247.67.131, You are not allowed to send mail. Please see http://csi.cloudmark.com/reset-request/ if you feel this is in error. E1310)
    [email protected]
    
    6406E3025F3 4588 Tue Mar 4 01:20:17 [email protected]
    (host cdptpa-pub-iedge-vip.email.rr.com[107.14.166.70] refused to talk to me: 554 ERROR: Mail Refused - See http://csi.cloudmark.com/reset-request/?ip=117.247.67.131)
    [email protected]
    
    6C6A6302D1C 4595 Wed Mar 5 09:39:05 [email protected]
    (delivery temporarily suspended: connect to mx1.comcast.net[2001:558:fe14:70::22]:25: Network is unreachable)
    [email protected]
    
    On web21 there is a Joomla installation with SMTP authentication enabled; 587 is the submission port. The contact form on the website is also enabled with a spam check.
    Can't make out what these errors indicate.
    How can I prevent this?

    OS - Ubuntu - 12.04 64bit, Server - Apache 2.2, Php 5.3, ispconfig - 3.0.5.3
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely someone was able to send spam through website 21; it might be that it had been hacked. You can check the content of the pending messages with:

    postcat /var/spool/postfix/deferred/6/624463027FC

    If the message is spam, then you should consider removing all messages that are still in the queue from web21. This can be done with this command:

    Code:
    mailq | tail -n +2 | awk 'BEGIN { RS = "" }
    # $7=sender, $8=recipient1, $9=recipient2
    { if ($7 == "[email protected]")
    print $1 }
    ' | tr -d '*!' | postsuper -d -
    This is one command; copy all lines in one piece to the shell of your server and hit return.
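
A dry-run companion to the cleanup command above, added here as an example and not part of the thread: it summarises a `mailq` listing per sender and per failure type, and prints the matching queue IDs for review before anything is passed to `postsuper -d -`. The function names and the sample listing (addresses, hosts, queue IDs) are constructed for illustration.

```shell
# SAMPLE_MAILQ is constructed data in `mailq` layout, not taken from the thread.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
AAA1110001     4597 Tue Mar  4 08:28:21  web21@server.example.com
(host mx.example.net[192.0.2.10] refused to talk to me: 554 198.51.100.7 found on one or more DNSBLs)
                                         alice@example.net

AAA1110002*    4627 Thu Mar  6 04:36:25  web21@server.example.com
                                         bob@example.org

AAA1110003     4604 Wed Mar  5 07:52:42  web21@server.example.com
(connect to mx.example.org[192.0.2.20]:25: Connection timed out)
                                         carol@example.org

BBB2220001     1200 Wed Mar  5 09:00:00  info@customer.example
(connect to mx.example.org[192.0.2.20]:25: Connection timed out)
                                         dave@example.org

-- 15 Kbytes in 4 Requests.'

strip_frame() { grep -v '^-'; }  # drop header and "-- N Kbytes" trailer lines

# Messages per envelope sender ($7), busiest sender first.
queue_by_sender() {
    strip_frame | awk 'BEGIN { RS = "" }
        NF >= 7 { n[$7]++ }
        END { for (s in n) print n[s], s }' | sort -rn
}

# Why messages are stuck: remote 554 rejections vs. connectivity failures.
deferral_summary() {
    strip_frame | awk 'BEGIN { RS = "" }
        NF < 7 { next }
        /refused to talk to me: 554/ { r++; next }
        /Connection timed out|Network is unreachable/ { u++; next }
        { o++ }
        END { printf "rejected=%d unreachable=%d other=%d\n", r, u, o }'
}

# Queue IDs for one sender, status marks (* or !) removed. Prints only.
queue_ids_for_sender() {
    strip_frame | awk -v s="$1" 'BEGIN { RS = "" }
        NF >= 7 && $7 == s { id = $1; gsub(/[*!]/, "", id); print id }'
}

printf '%s\n' "$SAMPLE_MAILQ" | queue_by_sender
printf '%s\n' "$SAMPLE_MAILQ" | deferral_summary
printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_for_sender web21@server.example.com
# Live use after review: mailq | queue_ids_for_sender SENDER | postsuper -d -
```

A sender that dominates `queue_by_sender` while `deferral_summary` shows mostly 554 rejections matches the pattern in the listing at the top of the thread: one site account generating mail that remote providers refuse.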
     
  3. pawan

    pawan Member

    Thanks Till,
    I have removed the queue with the command. What other precautions, like changing the password, can I take for web21 to prevent further misuse?

    Thanks once again.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    It is unlikely that the issue occurred through a hacked account, so changing the password will not help. I guess that the CMS system in that site got hacked. You should update the CMS and all its plugins to close the security hole, then you can use maldet to try to find the hacked files:

    http://www.howtoforge.com/forums/showpost.php?p=286287&postcount=9

    I expect that the maldet install script will work for ubuntu 12.04 as well.
     
