Re:[Cancel]How can I tell "who" is injecting mail into the queue?

From: John Nichel (johnkegworks.com)
Date: Wed Feb 27 2008 - 10:15:56 CST


John Nichel wrote:
> Hi,
>
> Recently our company grew enough to warrant a separate web server.
> This box came as a default RHEL4 install, and since this box only needed
> to send mail out, I just left the default Postfix install on and closed
> off all ports other than 80, 443 and 22. Everything has been working
> fine for about a year now, but I have started to notice some strange
> entries in the log watch for that box....
>
>> Foreign Bounce:
>> To achgomail.com Msg="host mail-com.mr.outblaze.com[208.36.123.68]
>> said: 550 <achgomail.com>: User unknown (in reply to RCPT TO command"
>> : 1 Time(s)
>> To achgomail.com Msg="host mail-com.mr.outblaze.com[64.62.181.82]
>> said: 550 <achgomail.com>: User unknown (in reply to RCPT TO command"
>> : 1 Time(s)
>> To aczfmmail.com Msg="host mail-com.mr.outblaze.com[208.36.123.17]
>> said: 550 <aczfmmail.com>: User unknown (in reply to RCPT TO command"
>> : 1 Time(s)
>> To aczfmmail.com Msg="host mail-com.mr.outblaze.com[208.36.123.55]
>> said: 550 <aczfmmail.com>: User unknown (in reply to RCPT TO command"
>> : 1 Time(s)
>> To azrdjmail.com Msg="host mail-com.mr.outblaze.com[208.36.123.55]
>> said: 550 <azrdjmail.com>: User unknown (in reply to RCPT TO command"
>> : 1 Time(s)
>> To azrdjmail.com Msg="host mail-com.mr.outblaze.com[208.36.123.68]
>> said: 550 <azrdjmail.com>: User unknown (in reply to RCPT TO command"
>> : 1 Time(s)
>> To bbzmymail.com Msg="host mail-com.mr.outblaze.com[208.36.123.55]
>> said: 550 <bbzmymail.com>: User unknown (in reply to RCPT TO command"
>> : 1 Time(s)
>> To bbzmymail.com Msg="host mail-com.mr.outblaze.com[208.36.123.68]
>> said: 550 <bbzmymail.com>: User unknown (in reply to RCPT TO command"
>> : 1 Time(s)
>> To cewvmmail.com Msg="host mail-com.mr.outblaze.com[64.62.181.82]
>> said: 550 <cewvmmail.com>: User unknown (in reply to RCPT TO command"
>> : 1 Time(s)
>> To cewvmmail.com Msg="host mail-com.mr.outblaze.com[64.71.166.199]
>> said: 550 <cewvmmail.com>: User unknown (in reply to RCPT TO command"
>> : 1 Time(s)
>
>
> So on, and so forth. There are a few hundred entries a day like
> this...just random, gibberish addresses. Being that the box won't even
> accept SMTP connections, I'm guessing this machine has been compromised
> in some way. I've looked and looked, Googled and Googled, but have
> found nothing. I can look at all these messages in the queue, but I
> haven't found any way to determine who or what put the messages there.
> Any suggestions? Thanks.
>

Never mind. I found the problem. Seems that an internal app was built
to "send this to a friend" from our product pages, and it's now being
used by spammers.

--
John C. Nichel IV
System Administrator
KegWorks
http://www.kegworks.com
716.362.9212 x16
johnkegworks.com
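The question in this thread (who is putting messages into the queue on a box that accepts no SMTP connections) and its answer (a local web application) can be checked directly from the Postfix logs. The following is an added example, not code from the original post or from Postfix: on a host whose only submission path is local, every queued message is first logged by postfix/pickup with the uid of the process that submitted it, so grouping later bounces by that uid attributes the spam to the web server account rather than to an outside connection. The log lines, hostnames, queue IDs and addresses below are constructed for the example; the `postfix/pickup ... uid= from=` and `postfix/smtp ... to= ... status=` line shapes are Postfix's standard syslog format.

```python
import re
from collections import defaultdict

# Constructed Postfix syslog excerpt (not from the original post). Hostnames,
# queue IDs and addresses are made up. Mail submitted locally through the
# sendmail(1) interface is first logged by postfix/pickup with the uid of the
# submitting process; that uid is the "who" the thread asks about.
SAMPLE_LOG = """\
Feb 27 09:01:12 web1 postfix/pickup[2114]: 4A1B2C3D4E: uid=48 from=<apache>
Feb 27 09:01:12 web1 postfix/qmgr[2110]: 4A1B2C3D4E: from=<apache@web1.example.com>, size=1842, nrcpt=1 (queue active)
Feb 27 09:01:14 web1 postfix/smtp[2201]: 4A1B2C3D4E: to=<xqzpt@mail.example>, relay=mx.mail.example[192.0.2.10]:25, delay=2, dsn=5.1.1, status=bounced (host mx.mail.example[192.0.2.10] said: 550 <xqzpt@mail.example>: User unknown (in reply to RCPT TO command))
Feb 27 09:01:15 web1 postfix/pickup[2114]: 5B2C3D4E5F: uid=48 from=<apache>
Feb 27 09:01:15 web1 postfix/qmgr[2110]: 5B2C3D4E5F: from=<apache@web1.example.com>, size=1840, nrcpt=1 (queue active)
Feb 27 09:01:17 web1 postfix/smtp[2201]: 5B2C3D4E5F: to=<lkwvb@mail.example>, relay=mx.mail.example[192.0.2.10]:25, delay=2, dsn=5.1.1, status=bounced (host mx.mail.example[192.0.2.10] said: 550 <lkwvb@mail.example>: User unknown (in reply to RCPT TO command))
Feb 27 09:05:30 web1 postfix/pickup[2114]: 6C3D4E5F6A: uid=0 from=<root>
Feb 27 09:05:30 web1 postfix/qmgr[2110]: 6C3D4E5F6A: from=<root@web1.example.com>, size=420, nrcpt=1 (queue active)
Feb 27 09:05:31 web1 postfix/smtp[2202]: 6C3D4E5F6A: to=<ops@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=1, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Local submission: queue ID plus the uid and login name of the submitter.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>"
)
# Outbound delivery attempt: queue ID, recipient and final status.
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>.*?status=(?P<status>\w+)"
)


def attribute_queue(log_text):
    """Map each queue ID to the local uid that submitted it and its delivery outcomes."""
    messages = {}
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            messages[m["qid"]] = {"uid": int(m["uid"]), "sender": m["sender"], "deliveries": []}
            continue
        m = SMTP_RE.search(line)
        if m and m["qid"] in messages:
            messages[m["qid"]]["deliveries"].append((m["rcpt"], m["status"]))
    return messages


def bounces_by_uid(log_text):
    """Count bounced recipients per submitting uid. A high count for the web
    server's uid points at a web application, not at an SMTP intruder."""
    counts = defaultdict(int)
    for info in attribute_queue(log_text).values():
        counts[info["uid"]] += sum(1 for _, status in info["deliveries"] if status == "bounced")
    return dict(counts)


def suspicious_uids(log_text, max_bounces=1):
    """Return uids whose bounce count exceeds max_bounces, highest first."""
    counts = bounces_by_uid(log_text)
    return sorted((uid for uid, n in counts.items() if n > max_bounces), key=lambda u: -counts[u])


if __name__ == "__main__":
    for qid, info in attribute_queue(SAMPLE_LOG).items():
        print(qid, "uid=%d" % info["uid"], info["sender"], info["deliveries"])
    print("bounces by uid:", bounces_by_uid(SAMPLE_LOG))
    print("suspicious:", suspicious_uids(SAMPLE_LOG))
```

Run it against `/var/log/maillog` instead of `SAMPLE_LOG` to get the same attribution on a real host; the uid that dominates the bounce count (here 48, the constructed web server account) identifies the submitting process, and the matching `from=<...>` login name tells you which application to look at. Messages still sitting in the queue carry the same information in their first `Received:` header, which Postfix writes as `(Postfix, from userid NN)` for local submissions. Once the form is identified, the fix is on the application side: restrict the form to addresses it can validate, rate-limit submissions per client, and log the client IP with each send so the next abuse shows up in the web logs rather than in the bounce report.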