Something fishy going on

Discussion in 'General' started by friday, Jan 24, 2008.

  1. friday

    friday Member

    Using mailgraph, I noticed a huge amount of outbound emails leaving a client's server, and an even larger number of emails being bounced. Many of these outgoing emails leave a log of:

    Jan 24 00:40:49 mail postfix/qmgr[19462]: E56095D173A: from=<>, size=17458, nrcpt=1 (queue active)
    Jan 24 00:40:49 mail postfix/qmgr[19462]: EA3D15D1BF7: from=<>, size=6695, nrcpt=1 (queue active)
    Jan 24 00:40:49 mail postfix/qmgr[19462]: E1CE45D1CAD: from=<>, size=6699, nrcpt=1 (queue active)
    Jan 24 00:40:49 mail postfix/qmgr[19462]: EB1095D1C74: from=<>, size=6937, nrcpt=1 (queue active)
    Jan 24 00:40:49 mail postfix/qmgr[19462]: EFF5B5D14C4: from=<>, size=16613, nrcpt=1 (queue active)
    Jan 24 00:40:49 mail postfix/qmgr[19462]: E86C25D1CA8: from=<>, size=6937, nrcpt=1 (queue active)
    Jan 24 00:40:49 mail postfix/qmgr[19462]: EAE665D1697: from=<>, size=6641, nrcpt=1 (queue active)

    There are hundreds of logs like this. I've got this funny feeling this isn't a good thing. Any ideas?

    Edit: I ran a postsuper command to clear out a queue, and some 2300-odd messages were deleted. I have a feeling that a simple account may have been compromised, such as creating a user named abuse. There was also an info account, and I've changed the password.

    I noticed most of the above outbound emails happened at 1AM, and lasted until 2AM.
     
    Last edited: Jan 24, 2008
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    These are bounce messages.

    The behaviour that you describe might be caused by a compromised account, or another possibility is that it's a spam attack. Someone is sending spam emails from another server (not yours) but uses a sender email address of a domain that is hosted on your server. All undeliverable messages now go to your server, and if one of the addresses does not exist on your server, it sends a bounce message back.
     
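A defender-side check for the pattern Till describes, added here as an example and not code from the thread or from ISPConfig: it parses Postfix qmgr lines, counts queue entries with the null envelope sender (from=<>, which Postfix uses for bounces) per hour, and flags hours above a threshold, which is the surge mailgraph showed. The log lines are constructed samples in the thread's format, and the threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample of Postfix qmgr log lines (not the real log from the
# post). A sender of "<>" is the null envelope sender used for bounces.
SAMPLE_LOG = """\
Jan 24 00:40:49 mail postfix/qmgr[19462]: E56095D173A: from=<>, size=17458, nrcpt=1 (queue active)
Jan 24 00:40:49 mail postfix/qmgr[19462]: EA3D15D1BF7: from=<>, size=6695, nrcpt=1 (queue active)
Jan 24 00:40:50 mail postfix/qmgr[19462]: E1CE45D1CAD: from=<>, size=6699, nrcpt=1 (queue active)
Jan 24 00:41:02 mail postfix/qmgr[19462]: 1A2B35D1CAD: from=<alice@example.com>, size=1204, nrcpt=1 (queue active)
Jan 24 01:12:10 mail postfix/qmgr[19462]: EB1095D1C74: from=<>, size=6937, nrcpt=1 (queue active)
Jan 24 01:12:11 mail postfix/qmgr[19462]: EFF5B5D14C4: from=<>, size=16613, nrcpt=1 (queue active)
Jan 24 09:30:00 mail postfix/qmgr[19462]: C0FFEE5D1CA: from=<bob@example.com>, size=2200, nrcpt=1 (queue active)
"""

# Matches the "queue active" line qmgr writes when a message enters the active queue.
QMGR_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)


def parse_qmgr(lines):
    """Yield one dict per qmgr 'queue active' line; other lines are skipped."""
    for line in lines:
        m = QMGR_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["nrcpt"] = int(rec["nrcpt"])
            yield rec


def null_sender_per_hour(lines):
    """Count queue entries with the null sender (<>) per (month, day, hour)."""
    counts = Counter()
    for rec in parse_qmgr(lines):
        if rec["sender"] == "":
            counts[(rec["mon"], rec["day"], rec["hh"])] += 1
    return counts


def flag_surges(counts, threshold):
    """Return the hours whose null-sender count meets or exceeds threshold."""
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hourly = null_sender_per_hour(SAMPLE_LOG.splitlines())
    for hour in flag_surges(hourly, 3):  # assumed threshold for this sample
        print("bounce surge at %s %s %s:00 (%d messages)" % (*hour, hourly[hour]))
```

On a real server the same functions can be run over /var/log/mail.log with a threshold set from the host's normal hourly bounce volume; a sustained surge of from=<> entries points at either backscatter from forged senders or a compromised local account, and the rest of the log (smtpd auth and recipient lines) tells the two apart.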
  3. friday

    friday Member

    Thanks Till, your reply is always appreciated.

    Well, the simple, easy-to-figure-out accounts have been either deleted or modified, and with the queue cleared out, the problem seems to have been solved. Judging by last night's logs, we only sent out a handful, and not the thousands we were doing previously.
     
