Good evening everyone, I'm having trouble tracking down some weird spam happening on my server. Here is an example of what I find in the mail queue:

Code:
61D081E01B39     7596 Sun Jan 12 18:26:56  [email protected]
(host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.1xx.1xx&c=poli)
                                         [email protected]

The domain or email of [email protected] doesn't belong to my server.

Running postcat on this specific deferred message shows the result below:

Code:
*** ENVELOPE RECORDS /var/spool/postfix/deferred/6/61D081E01B39 ***
message_size: 7596 642 1 0 7596 0
message_arrival_time: Sun Jan 12 22:26:56 2020
create_time: Sun Jan 12 22:26:56 2020
named_attribute: log_ident=61D081E01B39
named_attribute: rewrite_context=local
sender: [email protected]
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=48106
named_attribute: log_message_origin=localhost[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost
named_attribute: reverse_client_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: client_port=48106
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
*** MESSAGE CONTENTS /var/spool/postfix/deferred/6/61D081E01B39 ***
Received: from localhost (localhost [127.0.0.1])
    by mhd101.myhostingdeal.com (Postfix) with ESMTP id 61D081E01B39
    for <[email protected]>; Sun, 12 Jan 2020 22:26:56 +0400 (+04)
X-Virus-Scanned: Debian amavisd-new at mhd101.mylocalserver.com
Received: from mhd101.mylocalserver.com ([127.0.0.1])
    by localhost (mhd101.mylocalserver.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id R77hj_jHJKIt for <[email protected]>;
    Sun, 12 Jan 2020 22:26:56 +0400 (+04)
Received: from mhd101.mylocalserver.com (localhost [127.0.0.1])
    by mhd101.mylocalserver.com (Postfix) with ESMTP id 9D2B41E01805
    for <[email protected]>; Sun, 12 Jan 2020 22:26:55 +0400 (+04)
Date: Sun, 12 Jan 2020 22:26:55 -0600 (CST)
To: [email protected]
From: USPS <[email protected]>
Decrementing-Excitingly-Confides: 1254
Unconventional-Fuchs: medicinally
Wearily-Stravinsky-Read: 74
Content-Transfer-Encoding: 7bit
Message-ID: <[email protected]>
Subject: USPostalService notification No.32698
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

Please advise what I should do.
Your mailserver is sending spam/scam.

1. Stop your mail server (postfix)
2. Find out how the mails enter your system
3. Fix the problem, empty the queue and restart postfix

Is that your real server? Then it is not properly configured. There is more than one problem. The email seems to enter your system via JavaMail, so it is probably a webhost which was hacked.
Hi Steinni86, thanks for your input and support. That's exactly what I am trying to do, but I am stuck at step #2. I did realize that something is related to JavaMail, but how could I trace it to which webhost it belongs? Thanks
Is there a way to trace this JavaMail? I already did a scan using ispprotect and found nothing as malware.
You could search for the website that uses JavaMail, for a start:

Code:
find /var/www -name 'javax.mail.jar'

If that does not find something, do a longer search in file contents:

Code:
grep -rnw '/var/www/' -e 'java.mail'

-r is recursive, -n is line number, -w stands for match the whole word, -e is the search pattern. -l (lower L) can be added to just show the file containing the pattern.

Otherwise look for more logs. For example: at the time the mail gets submitted to postfix, which sites were accessed? If the problem persists, increase the log level to get more information.
Do you have many websites which run java apps? You could, depending on your environment, but those are so few in my world it would be pretty obvious/easy to check each. Some things to check are: httpd (apache/nginx) logs, and correlate HTTP requests with the timestamps of those emails. Or if there are a lot of emails, simply check the logs for lots of requests coming in.

The mail appears to have been sent by an smtp connection to localhost, probably on port 25, so you can see what processes are connecting there, eg. with
Code:
lsof -i @127.0.0.1:25
You might also check port 465 and 587 if either of those allow unauthenticated SMTP from localhost. That would show active processes, so would only help while the smtp connection itself is established, but if you found such a process you can then see what other file handles it has open to identify the site, or maybe correlate log files looking for that process id or its parent to see where it started.

You could try to search for websites which use JavaMail, though I'm not very adept at how that would be done right offhand. A quick
Code:
find /var/www/clients | grep -i java | grep -i mail
might find some candidates just based on filenames. You could try
Code:
grep -RFl javax.mail /var/www/clients
and maybe find something. I imagine there is a way to find compiled java code and dump dependencies for it (same as 'ldd' for C programs) and search the output, but if I ever knew specifically how, I have forgotten long ago. Probably some web searches asking similar questions to yours would find some help.
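The lsof approach above only works if you happen to run it while the SMTP connection is open. The script below is an added example (not from this thread) of the same idea done continuously: it polls /proc/net/tcp for ESTABLISHED sockets whose remote end is 127.0.0.1:25 (the client side, so smtpd's own listening socket is ignored), maps each socket inode to the owning PID through /proc/<pid>/fd, and prints that process's cwd, command line and parent PID. It assumes a Linux host with Postfix on port 25 and must run as root to read other users' fd tables; the SAMPLE_PROC_NET_TCP text is constructed so the parser can be checked offline. PHP changes directory into the script's directory for the duration of a request, so the cwd of a caught PHP worker usually names the vhost involved.

```python
"""Attribute connections to 127.0.0.1:25 to a local process via /proc.

Added example, not from the thread.  Assumptions: Linux, Postfix listening on
port 25, run as root (reading other users' /proc/<pid>/fd needs it).
"""
import os
import sys
import time

# Constructed sample of /proc/net/tcp for offline testing: one ESTABLISHED
# client socket to 127.0.0.1:25 (inode 123456) plus smtpd's LISTEN socket.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:D7AE 0100007F:0019 01 00000000:00000000 00:00000000 00000000    33        0 123456 1 0000000000000000 20 4 30 10 -1\n"
    "   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0\n"
)
TCP_ESTABLISHED = 1


def hex_addr(field):
    """'0100007F:0019' -> ('127.0.0.1', 25); /proc stores IPv4 little-endian."""
    host, port = field.split(':')
    octets = bytes.fromhex(host)[::-1]
    return '.'.join(str(b) for b in octets), int(port, 16)


def parse_proc_net_tcp(text):
    """Return [(local, remote, state, inode)] for every row of /proc/net/tcp."""
    rows = []
    for line in text.splitlines()[1:]:            # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append((hex_addr(f[1]), hex_addr(f[2]), int(f[3], 16), int(f[9])))
    return rows


def smtp_client_inodes(rows, ip='127.0.0.1', port=25):
    """Inodes of sockets whose *remote* end is ip:port, i.e. the SMTP client side."""
    return [inode for local, remote, state, inode in rows
            if remote == (ip, port) and state == TCP_ESTABLISHED and inode]


def inode_to_pids(inodes):
    """Scan /proc/<pid>/fd for 'socket:[inode]' links; returns {pid: link}."""
    wanted = {'socket:[%d]' % i for i in inodes}
    owners = {}
    for pid in (p for p in os.listdir('/proc') if p.isdigit()):
        fd_dir = '/proc/%s/fd' % pid
        try:
            fds = os.listdir(fd_dir)
        except OSError:                           # process exited or not readable
            continue
        for fd in fds:
            try:
                link = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if link in wanted:
                owners[int(pid)] = link
    return owners


def describe(pid):
    """cwd (PHP chdirs into the script's directory), cmdline and parent pid."""
    info = {}
    try:
        info['cwd'] = os.readlink('/proc/%d/cwd' % pid)
        with open('/proc/%d/cmdline' % pid, 'rb') as fh:
            info['cmdline'] = fh.read().replace(b'\0', b' ').decode('utf-8', 'replace').strip()
        with open('/proc/%d/stat' % pid) as fh:
            # stat is "pid (comm) state ppid ..."; comm may contain spaces, so split after ')'
            info['ppid'] = int(fh.read().rsplit(')', 1)[1].split()[1])
    except OSError as exc:
        info['error'] = str(exc)
    return info


def main(interval=0.2):
    seen = set()
    while True:
        with open('/proc/net/tcp') as fh:
            rows = parse_proc_net_tcp(fh.read())
        for pid, link in inode_to_pids(smtp_client_inodes(rows)).items():
            if (pid, link) in seen:
                continue
            seen.add((pid, link))
            print(time.strftime('%H:%M:%S'), pid, link, describe(pid), flush=True)
        time.sleep(interval)


if __name__ == '__main__':
    sys.exit(main())
```

Leave it running in a screen session while spam is being injected; once it prints a PID, `ls -l /proc/<pid>/fd` and the parent chain tell you which site and which script made the connection. If the submitter never shows up here, the mail is not arriving over TCP to port 25 (pickup via sendmail/PHP mail() or a different port), which is itself a useful result.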
Please can you advise how I can do this? I have around 75 websites for clients that I don't have direct control over. The majority are WordPress, but again, is there a way to determine which clients are running Java apps? Or is there a way to block Java apps on the server?
Find the time the message was delivered (in the Received headers or fields in 'postcat' output), then look in web server log files for requests made at that time (eg. exact same second or within a few seconds prior, most likely). It's manual, but I would simply run a few grep commands to find matches for timestamps of interest.

It has been many years since I've written or deployed anything related to Java, so more knowledgeable folks could surely have better input. The greps above (for eg. javax.mail) would match if the .java source itself is within the website - pure gold, if you find it. If you do not, it may be that the java source has been compiled into byte code, and that is what you would find in .class files. I believe you can wrap the whole thing up in a .jar archive, so look for those, too. Also .jsp and .jws, and there may well be others, it's really out of my forte. It will take a while to run, but you could try:
Code:
find /var/www/clients -type f | xargs file | grep Java
Heck, even try
Code:
grep -Rl /var/www/clients JavaMail
And it wouldn't hurt to take a quick look at running applications, as any java app I've dealt with has always been a huge memory sucker. You might even try
Code:
ps auxww | grep -Ei 'java|james|tomcat|websphere'
That depends on how they run (deployment), and as above, I'm pretty rusty. There are servers like Apache James, Tomcat, I think WebSphere, and probably plenty others. I'd guess these are unlikely, and will be pretty obvious (due to resources used), though if you find processes for 'java' or some of the others, you may be dealing with them. Then I believe you can deploy compiled bytecode right from a simple webpage, and have it run in a browser, though to send mail you would still need a server-side component to handle the connection. So see what you find with the above searches, if anything. And check: do you even have java installed on your server?
There is the very real possibility that none of your sites are running any java apps at all. As far as I know, that determination was based solely on 'JavaMail' being present in the Message-ID? I would also presume the message was originated via a java app somehow, but it doesn't mean that anything java related will be found on your server. I don't know how likely, but as an obfuscation, any app (eg. php script) could add a Message-ID header with 'JavaMail' in it. It's possible something is running on your server and relaying a connection from a different port to localhost:25, and merely passes the message through. That would include something like a script originating a connection to a remote server (eg. a simple curl request to remote url) to get the message contents, and submitting it locally. You may have a malicious script uploaded and operating, or you may simply have a vulnerability in one of your many wordpress (or other) sites performing this. You could even have vulnerabilities in completely unrelated software which allow this (eg. old proxy-through-ftp-server connections, misconfiguration in your web server, even the old HTTPOXY vulnerability in the HTTP protocol itself did this). A lot of possibilities, but don't freak out, just start digging and you'll find it before long.
Thanks @Jesse Norell for your support. The result for the ps command is:
Code:
root      6166  0.0  0.0  12780  1020 pts/0    S+   21:45   0:00 grep -Ei java|james|tomcat|websphere

While the grep is showing:
Code:
grep: javamil: no such file or directory

while the find results in:
Code:
/var/www/clients/client0/web28/web/wp-content/themes/pearl/includes/admin/theme_options/includes/src/index.main.js: Java source, ASCII text
/var/www/clients/client0/web28/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/index.js: Java source, ASCII text
/var/www/clients/client0/web28/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/revslider/index.js: Java source, ASCII text
/var/www/clients/client0/web25/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/index.js: Java source, ASCII text
/var/www/clients/client0/web25/web/wp-content/plugins/revslider/includes/gutenberg-blocks/blocks/revslider/index.js: Java source, ASCII text
/var/www/clients/client0/web25/web/wp-content/plugins/houzez-login-register/social/Facebook/Helpers/FacebookJavaScriptHelper.php: PHP script, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/get-shortcode.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/test/products.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/test/get-query.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/deprecations.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/shared-attributes.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/utils/get-query.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/product-on-sale/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/product-best-sellers/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/featured-category/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/featured-category/block.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/featured-category/utils.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/blocks/handpicked-products/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/widgets.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/woo.js: Java source, ASCII text, with very long lines
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/folder-star.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/icons/checkbox-checked.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/product-preview/test/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/product-preview/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/products-control/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/components/grid-layout-control/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/load-more-button/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/review-list-item/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/label/test/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/label/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/review-order-select/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/review-list/index.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/base/components/read-more/test/index.js: Java source, ASCII text, with very long lines
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/test/with-searched-products.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/with-product.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/with-searched-products.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/hocs/with-category.js: Java source, ASCII text
/var/www/clients/client7/web29/web/demo/wp-content/plugins/woocommerce/packages/woocommerce-blocks/assets/js/index.js: Java source, ASCII text
/var/www/clients/client6/web26/web/wp-content/plugins/quform/js/cultures/kendo.culture.jv-Java.min.js: ASCII text, with very long lines, with no line terminators
/var/www/clients/client6/web26/web/wp-content/plugins/quform/js/cultures/kendo.culture.jv-Java-ID.min.js: ASCII text, with very long lines, with no line terminators
/var/www/clients/client6/web26/web/wp-content/plugins/download-manager/libs/socialconnect/Facebook/Helpers/FacebookJavaScriptHelper.php: PHP script, ASCII text
Sorry, I had that switched, try
Code:
grep -Rl JavaMail /var/www/clients
That looks like mainly javascript files misidentified as Java source, but that is normal. Do try that other grep for the 'JavaMail' string, but you might well not have the (presumably java) code which generates these emails on your server, which means something is merely passing the messages through. You might need to correlate messages with HTTP requests (web server logs) to find it.

syslog would be worth checking for something tunneled through FTP (though I think those holes are generally closed "out of the box" nowadays), but no, /var/log/syslog does not have your web server logs. On a debian server the primary apache log to search is /var/log/apache2/other_vhosts_access.log, and that gets rotated daily (so you can search older days in the files /var/log/apache2/other_vhosts_access.log.1 and /var/log/apache2/other_vhosts_access.log.*.gz). You can see the date format in those, eg. '[17/Jan/2020:09:15:31 -0700]', so just grep for '17/Jan/2020:09:15' or so to match all requests during that minute. Correlate the time with when your spam messages were submitted.
Code:
grep -Rl JavaMail /var/www/clients
grep: /var/www/clients/client3/web16/log/access.log: No such file or directory
grep: /var/www/clients/client3/web16/log/yesterday-access.log: No such file or directory
grep: /var/www/clients/client3/domain1.co/log/access.log: No such file or directory
grep: /var/www/clients/client3/domain1.co/log/yesterday-access.log: No such file or directory
grep: /var/www/clients/client0/web24/log/access.log: No such file or directory
grep: /var/www/clients/client0/web24/log/yesterday-access.log: No such file or directory
grep: /var/www/clients/client0/domain2.ae/log/access.log: No such file or directory
grep: /var/www/clients/client0/domain2.ae/log/yesterday-access.log: No such file or directory
grep: /var/www/clients/client6/masterplan.domain3.com/log/access.log: No such file or directory
grep: /var/www/clients/client6/masterplan.domain3.com/log/yesterday-access.log: No such file or directory
grep: /var/www/clients/client6/web22/log/access.log: No such file or directory
grep: /var/www/clients/client6/web22/log/yesterday-access.log: No such file or directory
grep: /var/www/clients/client2/web3/log/access.log: No such file or directory
grep: /var/www/clients/client2/web3/log/yesterday-access.log: No such file or directory
grep: /var/www/clients/client2/domain4.com/log/access.log: No such file or directory
grep: /var/www/clients/client2/domain4.com/log/yesterday-access.log: No such file or directory
grep: /var/www/clients/client2/web2/log/access.log: No such file or directory
grep: /var/www/clients/client2/web2/log/yesterday-access.log: No such file or directory
grep: /var/www/clients/client2/domain5.me/log/access.log: No such file or directory
grep: /var/www/clients/client2/domain5.me/log/yesterday-access.log: No such file or directory

Currently there are no mails in the queue; once I have some I will try to search in the log, see what I can find and post it. Thanks for your help and support @Jesse Norell
Still stuck and have no clue where the spam is originating from. If anyone could help, that would be much appreciated.
So that pretty well confirms the mail is likely not generated by code found in your websites. Follow the other suggestions above to work on tracking it down.
So the mail queue has around 21 messages similar to the below:
Code:
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
8CC7C1E01884     7650 Wed Jan 22 08:17:07  [email protected]
(host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb111) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=xxx.xx.xxx.xxx&c=poli)
                                         [email protected]

8833C1E01885     7420 Wed Jan 22 08:22:27  [email protected]
(host mx.lb.btinternet.com[213.120.69.89] said: 421-Too many messages (1.5.7.1) on 2020/01/22 09:37:42 GMT from un-validated IP address: xxx.xx.xxx.xxx. Please add a SPF record for the domain frankusher.co.uk to your DNS or ask your service provider to do this, 421 we will be unable to deliver email until this is done due to the volume of email being sent from this IP address. An SPF record allows us to verify you and confidently deliver your email to our customers. Our Postmaster will be unable to help you. (in reply to MAIL FROM command))
                                         [email protected]

9A8191E0180A     7880 Wed Jan 22 07:09:20  [email protected]
(delivery temporarily suspended: host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb010) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=xxx.xx.xxx.xxx&c=poli)
                                         [email protected]

Using the command postcat -q 8CC7C1E01884, which is for the first message in the queue, shows this:
Code:
postcat -q 8CC7C1E01884
*** ENVELOPE RECORDS deferred/8/8CC7C1E01884 ***
message_size: 7650 669 1 0 7650 0
message_arrival_time: Wed Jan 22 12:17:07 2020
create_time: Wed Jan 22 12:17:07 2020
named_attribute: log_ident=8CC7C1E01884
named_attribute: rewrite_context=local
sender: [email protected]
named_attribute: encoding=7bit
named_attribute: log_client_name=localhost
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=55182
named_attribute: log_message_origin=localhost[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost
named_attribute: reverse_client_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: client_port=55182
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;[email protected]
original_recipient: [email protected]
recipient: [email protected]
*** MESSAGE CONTENTS deferred/8/8CC7C1E01884 ***
Received: from localhost (localhost [127.0.0.1])
    by mhd101.mymailserver.com (Postfix) with ESMTP id 8CC7C1E01884
    for <[email protected]>; Wed, 22 Jan 2020 12:17:07 +0400 (+04)
X-Virus-Scanned: Debian amavisd-new at mhd101.myhostingdeal.com
Received: from mhd101.mymailserver.com ([127.0.0.1])
    by localhost (mhd101.mymailserver.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id 6NDevIYeFgWt for <[email protected]>;
    Wed, 22 Jan 2020 12:17:07 +0400 (+04)
Received: from mhd101.mymailserver.com (localhost [127.0.0.1])
    by mhd101.mymailserver.com (Postfix) with ESMTP id F082B1E0180C
    for <[email protected]>; Wed, 22 Jan 2020 12:17:06 +0400 (+04)
Withstood-Winnipesaukee: DB573DC8
Message-ID: <[email protected]>
Content-Type: text/html; charset=utf-8
Scamper-Treks: 3
Subject: United States Postal Service ticket #95256
From: USPS <[email protected]>
To: [email protected]
Encamps-Britannica-Generating: 7559
Inhibitions-Dostoevsky: schroeder
Date: Wed, 22 Jan 2020 12:17:06 -0600 (CST)
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Searching in mail.log for all instances of "[email protected]", as this ID is the sender of the message, shows:

Based on this it looks like the message was sent on Jan 22 at around 12:17. Doing a search in the apache log for that date at 12:16 and 12:17 results in:

Is there anything specific that could lead to the issue, or am I still missing any location to search for more evidence? Any thoughts or suggestions are much appreciated, as I am totally stuck now, not knowing how to go further. Thanks for your support everyone.
First you could hold all mails, and release them by hand, to no longer send spam messages (otherwise your mail sender reputation will be worthless forever):
Code:
defer_transports = hold
default_transport = hold
Add to your php.ini settings:
Code:
mail.add_x_header = On
mail.log = /var/log/phpmail.log
This adds an "X-PHP-Originating-Script" header to the email which should give you more information about which script is sending these mails. Then look at /var/log/phpmail.log or use "postcat -q ID | grep X-PHP-Originating-Script". The output should be like "X-PHP-Originating-Script: 1012:script.php" where the number is the linux user id sending and script.php the script name.

Consider only allowing your own domains as sender addresses. (Reduces spam but does not solve the problem of your compromised script.)

Can you do an "egrep 8CC7C1E01884 /var/log/mail.log"?
Perfect, so ignoring autodiscover.xml requests, all you had hitting your server per those logs is to the single site jumeirahluxuryliving.com. There was a normal wordpress cron run, a page read by a bot, and a lot of POSTs by 94.206.63.46, which I suspect is a compromised client sending your spam.
Code:
jumeirahluxuryliving.com:443 94.206.63.46 - - [22/Jan/2020:12:16:58 +0400] "POST / HTTP/1.1" 200 143938 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4312; Pro)"
I am not familiar with POSTs by MS Office right offhand to know what on the server side would be handling that, but you should be able to log the full requests and get a lot more info.

On logging full requests, a little searching indicates you can use mod_log_forensic, mod_security, and mod_dumpio. Eg. add to the apache snippets for jumeirahluxuryliving.com:
Code:
<IfModule mod_log_forensic.c>
    ForensicLog logging/jumeirahluxuryliving.log
</IfModule>
Then enable mod_log_forensic:
Code:
mkdir /etc/apache2/logging
chgrp www-data /etc/apache2/logging
chmod 770 /etc/apache2/logging
a2enmod log_forensic
systemctl restart apache2
Then wait a bit and see what you find in /etc/apache2/logging/jumeirahluxuryliving.log. Note there could be sensitive info in those requests; don't blindly post any here without looking at what you might post first.
Code:
egrep 8CC7C1E01884 /var/log/mail.log
Jan 22 12:17:07 mhd101 postfix/smtpd[7416]: 8CC7C1E01884: client=localhost[127.0.0.1]
Jan 22 12:17:07 mhd101 postfix/cleanup[7408]: 8CC7C1E01884: message-id=<[email protected]>
Jan 22 12:17:07 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
Jan 22 12:17:07 mhd101 amavis[2600]: (02600-03) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1]:36948 <[email protected]> -> <[email protected]>, Queue-ID: F082B1E0180C, Message-ID: <[email protected]>, mail_id: 6NDevIYeFgWt, Hits: 1.771, size: 7154, queued_as: 8CC7C1E01884, 670 ms
Jan 22 12:17:07 mhd101 postfix/smtp[7412]: F082B1E0180C: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.78, delays=0.08/0.02/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 8CC7C1E01884)
Jan 22 12:17:07 mhd101 postfix/smtp[7417]: 8CC7C1E01884: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb113) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli
Jan 22 12:17:08 mhd101 postfix/smtp[7417]: 8CC7C1E01884: to=<[email protected]>, relay=mx-ha03.web.de[212.227.15.17]:25, delay=0.58, delays=0.13/0.01/0.44/0, dsn=4.0.0, status=deferred (host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
Jan 22 12:22:42 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
Jan 22 12:22:42 mhd101 postfix/smtp[7767]: 8CC7C1E01884: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb113) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli
Jan 22 12:22:42 mhd101 postfix/smtp[7767]: 8CC7C1E01884: to=<[email protected]>, relay=mx-ha03.web.de[212.227.15.17]:25, delay=335, delays=335/0/0.45/0, dsn=4.0.0, status=deferred (host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb012) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
Jan 22 12:32:42 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
Jan 22 12:32:42 mhd101 postfix/error[8439]: 8CC7C1E01884: to=<[email protected]>, relay=none, delay=935, delays=935/0.01/0/0.02, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
Jan 22 12:52:42 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
Jan 22 12:52:42 mhd101 postfix/smtp[9818]: 8CC7C1E01884: host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb010) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli
Jan 22 12:52:42 mhd101 postfix/smtp[9818]: 8CC7C1E01884: to=<[email protected]>, relay=mx-ha02.web.de[212.227.17.8]:25, delay=2135, delays=2135/0.03/0.45/0, dsn=4.0.0, status=deferred (host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb112) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
Jan 22 13:32:42 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
Jan 22 13:32:42 mhd101 postfix/smtp[12641]: 8CC7C1E01884: host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli
Jan 22 13:32:43 mhd101 postfix/smtp[12641]: 8CC7C1E01884: to=<[email protected]>, relay=mx-ha02.web.de[212.227.17.8]:25, delay=4535, delays=4535/0.03/0.48/0, dsn=4.0.0, status=deferred (host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb111) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
Jan 22 14:42:42 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
Jan 22 14:42:43 mhd101 postfix/smtp[17721]: 8CC7C1E01884: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 421-web.de (mxweb113) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli
Jan 22 14:42:43 mhd101 postfix/smtp[17721]: 8CC7C1E01884: to=<[email protected]>, relay=mx-ha03.web.de[212.227.15.17]:25, delay=8736, delays=8735/0.02/0.48/0, dsn=4.0.0, status=deferred (host mx-ha03.web.de[212.227.15.17] refused to talk to me: 421-web.de (mxweb011) Nemesis ESMTP Service not available 421-Service unavailable 421-Reject due to policy violations. 421 For explanation visit https://web.de/email/senderguidelines?ip=172.93.148.133&c=poli)
Jan 22 15:52:43 mhd101 postfix/qmgr[22729]: 8CC7C1E01884: from=<[email protected]>, size=7650, nrcpt=1 (queue active)
c=poli)

I deleted some lines due to the post size limit.

Can you advise how to do so? I already added this in /etc/php/7.0/apache2/php.ini but phpmail.log is empty, unless I missed something or am doing things wrong. Normally I delete the emails from the queue; is it still necessary to do the above? Thanks
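One detail in the mail.log excerpt above is worth making explicit, as an added example that is not from the thread: with amavisd-new as content_filter, the ID that mailq shows (8CC7C1E01884) is the copy amavis handed back on port 10027, so its client=localhost[127.0.0.1] line only proves that amavis re-injected it. The amavis line names the original queue ID (Queue-ID: F082B1E0180C ... queued_as: 8CC7C1E01884), and it is that first ID's own smtpd or pickup line that says how the message first entered Postfix. The script below walks the chain backwards from a deferred ID and reports the first hop. The log lines inside it are constructed after the pattern in the thread; the F082B1E0180C smtpd line and the second, pickup-based chain (what PHP mail() via sendmail looks like) are invented to show both shapes, and the hostnames and addresses are placeholders.

```python
"""Walk mail.log from a deferred queue ID back to the original injection.

Added example, not from the thread.  Each time Postfix hands a message to a
content_filter and gets it back, the message gets a new queue ID; the link
between old and new ID is logged twice, in the amavis line
("Queue-ID: OLD ... queued_as: NEW") and in the smtp line
("OLD: ... queued as NEW").  The first ID's smtpd/pickup line is the one
that says who injected the mail.  LOG below is constructed.
"""
import re
import sys

LOG = """\
Jan 22 12:17:06 mhd101 postfix/smtpd[7390]: F082B1E0180C: client=localhost[127.0.0.1]
Jan 22 12:17:06 mhd101 postfix/cleanup[7395]: F082B1E0180C: message-id=<1463046210.1579681026@mhd101>
Jan 22 12:17:06 mhd101 postfix/qmgr[22729]: F082B1E0180C: from=<usps@example.net>, size=7154, nrcpt=1 (queue active)
Jan 22 12:17:07 mhd101 postfix/smtpd[7416]: 8CC7C1E01884: client=localhost[127.0.0.1]
Jan 22 12:17:07 mhd101 amavis[2600]: (02600-03) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1]:36948 <usps@example.net> -> <victim@example.org>, Queue-ID: F082B1E0180C, Message-ID: <1463046210.1579681026@mhd101>, mail_id: 6NDevIYeFgWt, Hits: 1.771, size: 7154, queued_as: 8CC7C1E01884, 670 ms
Jan 22 12:17:07 mhd101 postfix/smtp[7412]: F082B1E0180C: to=<victim@example.org>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.78, delays=0.08/0.02/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 8CC7C1E01884)
Jan 22 12:17:08 mhd101 postfix/smtp[7417]: 8CC7C1E01884: to=<victim@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.58, dsn=4.0.0, status=deferred (host mx.example.org[192.0.2.10] refused to talk to me: 421 policy)
Jan 22 12:30:00 mhd101 postfix/pickup[3101]: AAAA11112222: uid=5012 from=<web28>
Jan 22 12:30:00 mhd101 postfix/cleanup[3107]: AAAA11112222: message-id=<20200122083000.AAAA11112222@mhd101>
Jan 22 12:30:01 mhd101 amavis[2601]: (02601-01) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1]:36950 <web28@mhd101> -> <victim@example.org>, Queue-ID: AAAA11112222, Message-ID: <20200122083000.AAAA11112222@mhd101>, mail_id: kQ2x1y3z4w5v, Hits: 3.1, size: 2100, queued_as: BBBB22223333, 420 ms
Jan 22 12:30:01 mhd101 postfix/smtp[3110]: AAAA11112222: to=<victim@example.org>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as BBBB22223333)
"""

AMAVIS_LINK = re.compile(r'Queue-ID: (\w+),.*?queued_as: (\w+)')
SMTP_LINK = re.compile(r'postfix/smtp\[\d+\]: (\w+): .*queued as (\w+)\)')


def previous_id(lines, qid):
    """Queue ID that was filtered and came back as `qid`, or None if `qid` is the first hop."""
    for line in lines:
        for rx in (AMAVIS_LINK, SMTP_LINK):
            m = rx.search(line)
            if m and m.group(2) == qid:
                return m.group(1)
    return None


def origin_id(lines, qid):
    """Follow the chain backwards; returns (first_id, [ids newest..oldest])."""
    chain = [qid]
    while True:
        prev = previous_id(lines, qid)
        if prev is None or prev in chain:      # loop guard for malformed logs
            return qid, chain
        chain.append(prev)
        qid = prev


def injection_record(lines, qid):
    """('smtpd', 'client=...') for an SMTP submission, ('pickup', 'uid=... from=<...>')
    for sendmail(1)/PHP mail() via the maildrop queue, or None if not logged."""
    rx = re.compile(r'postfix/(smtpd|pickup)\[\d+\]: %s: (.*)$' % re.escape(qid))
    for line in lines:
        m = rx.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def explain(lines, qid):
    """One-line summary: chain of IDs and how the first one entered Postfix."""
    first, chain = origin_id(lines, qid)
    rec = injection_record(lines, first)
    how = 'no smtpd/pickup line found (grep that ID in older rotated logs)'
    if rec:
        how = '%s: %s' % rec
    return '%s <- %s | first hop %s via %s' % (qid, ' <- '.join(chain[1:]) or '(none)', first, how)


if __name__ == '__main__':
    if len(sys.argv) == 3:                     # usage: script.py /var/log/mail.log QUEUEID
        with open(sys.argv[1]) as fh:
            print(explain(fh.read().splitlines(), sys.argv[2]))
    else:
        for qid in ('8CC7C1E01884', 'BBBB22223333'):
            print(explain(LOG.splitlines(), qid))
```

Run against the real log as `script.py /var/log/mail.log 8CC7C1E01884`. A first hop via `smtpd: client=localhost[127.0.0.1]` with no sasl_username means an unauthenticated local SMTP submission, which is where process attribution on port 25 comes in; a first hop via `pickup: uid=NNNN from=<webNN>` means sendmail(1) or PHP mail() ran as that web user, which is exactly the case the php.ini mail.add_x_header / mail.log settings suggested above will name the script for.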