Lots of bounces.. missing a setting? Joe job? Something else?
From: Allen (postfix@rfnj.org)
Date: Tue Dec 06 2005 - 09:29:27 CST
Ok, I've done the requisite searching and so on, and perhaps this is just
a setting I've missed since this is the first time I've used virtual
*exclusively* for delivery in postfix.
Starting back about two days ago, I've been getting inundated with a storm
of bounces that more or less knocks the mailserver for a loop until I can
fix the problem. Today in the space of about an hour I received and
processed over 7000 bounce messages.
My first thought was that this was just forged mail going out with one of
my domains in the envelope, but then I noticed my mailserver was also
attempting to send bounces itself, and my deferred queue was through the
roof trying to deliver bounce messages to the bogus addresses at the other
end.
Closer inspection revealed a mess of messages, apparently injected directly,
that I cannot account for, all looking like this:
Dec 4 22:39:02 rfnj postfix/pickup[16782]: 241904F0: uid=65534 from=<nobody>
Dec 4 22:39:02 rfnj postfix/cleanup[17073]: 241904F0: message-id=<84acaa82864972918384eab5e4eabf4f@cartoesocarteiro.com>
Dec 4 22:39:02 rfnj postfix/qmgr[62336]: 241904F0: from=<nobody@rfnj.org>, size=3896, nrcpt=1 (queue active)
Dec 4 22:39:02 rfnj postfix/pickup[16782]: 4B44F540: uid=65534 from=<nobody>
Dec 4 22:39:02 rfnj postfix/cleanup[17073]: 4B44F540: message-id=<84acaa82864972918384eab5e4eabf4f@cartoesocarteiro.com>
Dec 4 22:39:02 rfnj postfix/qmgr[62336]: 4B44F540: from=<nobody@rfnj.org>, size=3894, nrcpt=1 (queue active)
Dec 4 22:39:02 rfnj postfix/pickup[16782]: 6BB4D585: uid=65534 from=<nobody>
Dec 4 22:39:02 rfnj postfix/cleanup[17073]: 6BB4D585: message-id=<84acaa82864972918384eab5e4eabf4f@cartoesocarteiro.com>
Dec 4 22:39:02 rfnj postfix/qmgr[62336]: 6BB4D585: from=<nobody@rfnj.org>, size=3897, nrcpt=1 (queue active)
This "cartoesocarteiro" garbage precedes every one of these incidents so far.
I'm as certain as one can be that the box itself is not compromised,
shell-wise, and that the logs have not been tampered with. The above
messages appear to be messages put in the maildrop directly, by an
unpriv'd user like the webserver or ftpd, or via a local 'sendmail'
process.
About 30 minutes later, without fail, the bounces start to happen:
Dec 4 23:11:55 rfnj postfix/smtp[17390]: 0E6BD58A: to=<pastori1@spponline.com.br>, relay=none, delay=0, status=bounced (Host or domain name not found. Name service error for name=spponline.com.br type=A: Host not found)
Dec 4 23:11:55 rfnj postfix/smtp[17394]: 1FEFE58C: to=<pastori2@spponline.com.br>, relay=none, delay=0, status=bounced (Host or domain name not found. Name service error for name=spponline.com.br type=A: Host not found)
Dec 4 23:11:55 rfnj postfix/smtp[17399]: 3EF7F5A2: to=<pastori@spponline.com.br>, relay=none, delay=0, status=bounced (Host or domain name not found. Name service error for name=spponline.com.br type=A: Host not found)
Now I know spam, and those to addresses are *obviously* spam, going
through some kind of list. These bounces generate replies back to
"nobody@rfnj.org", which didn't exist until I made an alias for it, just to
see what was in the messages. Big mistake, as my mailbox soon filled with
thousands of messages.
Anyway, I have the logs saved to dig deeper, I had to shut down the
mailserver and clean out the queues, but I did save one or two messages to
look at as well.
Any other thoughts on where to look for the source of this shitstorm? I'm
not above admitting I may have something misconfigured on my end, so I'm
attaching the output of my postconf -- it's rather long. I'm using
postfixadmin to manage the virtuals, and the database tables are clean and
correct.
spamassassin is the content filter in master.cf
The referenced files in maps/ are all very simple..
allowed-clients has just my home IP (the mailserver is a colo'd machine)
helo_checks has just five DISCARD rules for servers that try to HELO as my
own name.
pop-before-smtp is the db generated by the perl script of the same name,
that watches the pop3/imap logs for logins and allows smtp connections in
from those IPs for a short duration.
Thanks for any help.
- application/octet-stream attachment: postconf.out