Postfix overrun - IP blacklisted

It appears that my system has been hacked? The domain IP is now on 3 different blacklists, and somehow there are over 8000 queued emails in Postfix that are bouncing.
Example queue entry:
Mail ID: 007E112E5DA9
DATE: 2010/12/27 16:54
FROM: admin@duncan.com
TO: yagu_ecengineer@yahoo.com yainadys80@yahoo.com yakuza_mf@yahoo.com yan_yumul@yahoo.com yankeebennett@yahoo.com yankeebynature1@yahoo.com yankeefay2@yahoo.com yankeegirlrebelled@yahoo.com yanni_21157@yahoo.com yanushfl@yahoo.com yardrarig@yahoo.com yardstuf@yahoo.com yaroslavzenda@yahoo.com yasdahak@yahoo.com yagabe@aol.com yahairar320@aol.com yami0095@aol.com yami292@aol.com yanez1015@aol.com yankeemom@aol.com
SIZE: 2.70 kB
STATUS: delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 64.211.213.17 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html

How did this happen? How can it be resolved? How can this be avoided? I have never had this problem in 2 years on another Virtualmin instance with 50 domains!

Status: Active

Comments

Well, the first thing you may want to do is look at some of the messages in your Mail Queue, and determine where they're coming from (that is, what account do they belong to).

You can do that by logging into Virtualmin, and going into Webmin -> Servers -> Postfix -> Mail Queue. Once you click a message, choose "View All Headers" on the top-right. Then, look at the "Received" header... what userid does it say generated it?

The most common cause for what you're seeing is that a spam bot takes advantage of a security flaw in a web application running on your server. Often, this occurs because that web app (or one of its plugins) isn't running at the newest version.

So once you determine which account is generating those mails, the next step is to review the web apps associated with that account, and make sure they're all at the newest revision.

Once you have a handle on which account is responsible for the email, you'd want to delete those messages out of your Postfix queue. Once your system stops sending them for a few hours, most hosts will begin the process of removing your IP from their blacklist.
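The header check described in the reply above can be scripted. What follows is an added example for this thread, not code from Virtualmin or from any of the posters. It reads the Received header of a queued message (what "View All Headers" shows), distinguishes an authenticated SMTP submission ("with ESMTPA", meaning a mailbox password was used) from a local submission by a Unix userid (a web app calling sendmail), and then counts Postfix smtpd log lines by sasl_username and client IP, which is where the account name is recorded even when the Received header does not carry it. The first sample header is the one posted later in this thread; the local-submission header and the mail.log lines are constructed samples in Postfix's format.

```python
"""Triage which account a queued spam message came through (added example)."""
from __future__ import annotations

import re
from collections import Counter

# Received header Postfix writes for a network client. "with ESMTPA" (the
# trailing A) means the client passed SMTP AUTH; plain "ESMTP" did not.
# The "(Authenticated sender: ...)" clause is only present when
# smtpd_sasl_authenticated_header = yes is set in main.cf.
NETWORK_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"(?: \(Authenticated sender: (?P<sasl>[^)]+)\))?"
    r" by (?P<server>\S+) \(Postfix\) with (?P<proto>[A-Z]+) id (?P<qid>[0-9A-F]+)",
    re.MULTILINE,
)

# Received header for mail injected locally through the sendmail command;
# the numeric userid is the Unix account that ran it (33 = www-data on Ubuntu).
LOCAL_RE = re.compile(
    r"^Received: by (?P<server>\S+) \(Postfix, from userid (?P<uid>\d+)\)"
    r" id (?P<qid>[0-9A-F]+)",
    re.MULTILINE,
)

# smtpd log line for an authenticated session in /var/log/mail.log.
LOG_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<rdns>[^\s\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+)?, sasl_username=(?P<user>[^\s,]+)"
)


def unfold(raw_headers: str) -> str:
    """Join folded header continuation lines so each header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw_headers)


def parse_received(raw_headers: str) -> list:
    """Return one dict per Received header, in the order they appear."""
    text = unfold(raw_headers)
    hops = []
    for m in NETWORK_RE.finditer(text):
        hop = m.groupdict()
        hop["authenticated"] = hop["proto"].endswith("A")  # ESMTPA / ESMTPSA
        hop["uid"] = None
        hops.append((m.start(), hop))
    for m in LOCAL_RE.finditer(text):
        hop = m.groupdict()
        hop["uid"] = int(hop["uid"])
        hop.update(ip=None, proto="local", authenticated=False, sasl=None)
        hops.append((m.start(), hop))
    return [hop for _, hop in sorted(hops, key=lambda pair: pair[0])]


def classify(hop: dict) -> str:
    """Say what kind of submission the hop was and where to look next."""
    if hop["proto"] == "local":
        return f"local submission by userid {hop['uid']}: audit that account's web apps"
    if hop["authenticated"]:
        who = hop["sasl"] or "unknown user (see sasl_username in mail.log)"
        return f"authenticated relay from {hop['ip']} as {who}: a mailbox password is in use"
    return f"unauthenticated session from {hop['ip']}: check the server is not an open relay"


def summarize_smtpd_log(lines) -> Counter:
    """Count authenticated sessions per (sasl_username, client IP)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[(m["user"], m["ip"])] += 1
    return counts


# Received header of the thread's queued message 007E112E5DA9, folded as
# Postfix writes it; that server did not add an "Authenticated sender" clause.
SAMPLE_AUTH_MSG = (
    "Received: from User (unknown [41.138.179.200])\n"
    "\tby usdm01.ggreenpower.com (Postfix) with ESMTPA id 007E112E5DA9;\n"
    "\tMon, 27 Dec 2010 16:54:45 -0500 (EST)\n"
    'From: "DUNCAN LAW FIRM" <admin@duncan.com>\n'
)
# Constructed header for a message injected by a script running as www-data.
SAMPLE_LOCAL_MSG = (
    "Received: by usdm01.ggreenpower.com (Postfix, from userid 33)\n"
    "\tid 1A2B3C4D5E6F; Mon, 27 Dec 2010 17:00:00 -0500 (EST)\n"
)
# Constructed mail.log lines; the last is an ordinary inbound delivery with
# no SASL login and must not be counted.
SAMPLE_LOG = [
    "Dec 27 16:54:45 usdm01 postfix/smtpd[4311]: 007E112E5DA9: client=unknown[41.138.179.200], sasl_method=LOGIN, sasl_username=test",
    "Dec 27 16:54:47 usdm01 postfix/smtpd[4311]: 00A3B12E5DB0: client=unknown[41.138.179.200], sasl_method=LOGIN, sasl_username=test",
    "Dec 27 04:06:20 usdm01 postfix/smtpd[2190]: 00C1D12E326B: client=unknown[184.154.8.140], sasl_method=LOGIN, sasl_username=test",
    "Dec 27 12:00:01 usdm01 postfix/smtpd[3020]: 0B7F012E4C11: client=mail-out.example.net[192.0.2.10]",
]

if __name__ == "__main__":
    for hop in parse_received(SAMPLE_AUTH_MSG) + parse_received(SAMPLE_LOCAL_MSG):
        print(hop["qid"], "->", classify(hop))
    for (user, ip), n in summarize_smtpd_log(SAMPLE_LOG).most_common():
        print(f"{n:4d} sessions  user={user}  client={ip}")
```

On a live system, feed `summarize_smtpd_log` the lines of /var/log/mail.log; a single sasl_username with hundreds of sessions from a handful of unfamiliar IPs is the signature of a stolen or guessed mailbox password rather than an exploited web app, which would instead show up as local submissions by the web server's userid.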

OK... so here are the headers of some: how do I determine the user they are coming from, when I have only 2 users set up and am still in test mode?

from User (unknown [41.138.179.200]) by usdm01.ggreenpower.com (Postfix) with ESMTPA id 007E112E5DA9; Mon, 27 Dec 2010 16:54:45 -0500 (EST)
Reply-To: duncnlawchamber@sify.com
From: "DUNCAN LAW FIRM" <admin@duncan.com>
Subject: Your Urgent Attention Needed Immediately.
Date: Mon, 27 Dec 2010 22:54:24 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Received: from User (unknown [184.154.8.140]) by usdm01.ggreenpower.com (Postfix) with ESMTPA id 00C1D12E326B; Mon, 27 Dec 2010 04:06:20 -0500 (EST)
Reply-To: duncanlawchamberrs@gmail.com
From: "Duncan Law Chambers" <duncanlawcchambers@gmail.com>
Subject: Your Urgent Attention Needed Immediately
Date: Mon, 27 Dec 2010 09:06:09 -0000
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

I just applied the following updates:
landscape-common: new version 1.5.5.1-0ubuntu0.10.04.0 (ubuntu)
libudev0 (udev library): new version 151-12.3 (ubuntu)
linux-headers-server (Linux kernel headers on Server Equipment): new version 2.6.32.27.29 (ubuntu)
linux-image-server (Linux kernel image on Server Equipment): new version 2.6.32.27.29 (ubuntu)
linux-libc-dev (Linux Kernel Headers for development): new version 2.6.32-27.49 (ubuntu)
linux-server (Complete Linux kernel on Server Equipment): new version 2.6.32.27.29 (ubuntu)
rsyslog (enhanced multi-threaded syslogd): new version 4.2.0-2ubuntu8.1 (ubuntu)
udev (rule-based device node and kernel event manager)

I have no web services loaded other than the default webmail that virtualmin offers.

With over 8000 messages in the Queue, is there a command to quickly delete all messages in the Queue? CLI command?

It looks like someone from the IP "41.138.179.200" is sending the spam.

What I did is I blocked that IP, and I cleared out the outgoing spam in your Mail Queue.
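For the CLI question above (clearing thousands of queued spam messages without also dropping legitimate mail), here is an added example; it is not a command the staff ran or code from Virtualmin. It builds on the awk recipe in the postsuper(1) manual: list the queue with `postqueue -p`, pick the queue IDs whose sender matches a pattern, strip the `*` (active) and `!` (hold) markers, and feed the IDs to `postsuper -d -`. The selection runs on a saved listing first, so you can check what would be deleted before touching the live queue. The queue listing embedded below is a constructed sample in `postqueue -p` format, modelled on the thread's entry; the IP in `block_client_ip` is the one named in the thread.

```bash
#!/bin/sh
# Added example: selective Postfix queue cleanup after a relay abuse.

# select_queue_ids SENDER_REGEX  (reads postqueue -p / mailq output on stdin)
# Prints one queue ID per message whose sender matches SENDER_REGEX, with
# the * and ! status markers removed, as postsuper -d - expects on stdin.
select_queue_ids() {
    pattern="$1"
    # Drop the header line and the parenthesised deferral-reason lines; with
    # RS="" awk treats each blank-line-separated message as one record, so
    # $1 is the queue ID and $7 the envelope sender.
    tail -n +2 | grep -v '^ *(' | awk -v pat="$pattern" '
        BEGIN { RS = "" }
        $7 ~ pat { print $1 }
    ' | tr -d '*!'
}

# count_queue_ids SENDER_REGEX  (stdin as above): number of matching messages.
count_queue_ids() {
    select_queue_ids "$1" | wc -l | tr -d ' '
}

# purge_sender SENDER_REGEX [--dry-run]
# Deletes matching messages from the live queue, or only lists their IDs.
purge_sender() {
    if [ "${2:-}" = "--dry-run" ]; then
        postqueue -p | select_queue_ids "$1"
    else
        postqueue -p | select_queue_ids "$1" | postsuper -d -
    fi
}

# When the whole deferred queue is spam (the thread's 8000 bounces), this
# is the blunt alternative: drop every message in the deferred queue.
delete_all_deferred() {
    postsuper -d ALL deferred
}

# Stop the abusing client from submitting more while credentials are fixed.
block_client_ip() {
    iptables -I INPUT -s "$1" -j DROP
}

# Constructed postqueue -p listing used for the offline check below.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
007E112E5DA9*    2765 Mon Dec 27 16:54:45  admin@duncan.com
(delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 64.211.213.17 temporarily deferred due to user complaints)
                                         yagu_ecengineer@yahoo.com
                                         yainadys80@yahoo.com

00C1D12E326B     2698 Mon Dec 27 04:06:20  duncanlawcchambers@gmail.com
(connect to mx.example.net[192.0.2.25]:25: Connection timed out)
                                         someone@example.net

1F2E3D4C5B6A!    1200 Mon Dec 27 12:00:00  legit@ggreenpower.com
                                         customer@example.org

-- 7 Kbytes in 3 Requests.'

# Dry run against the sample: prints the two spam queue IDs, not the
# legitimate one, and the count of messages that would be removed.
printf '%s\n' "$SAMPLE_QUEUE" | select_queue_ids 'duncan|gmail'
printf '%s\n' "$SAMPLE_QUEUE" | count_queue_ids 'duncan|gmail'
```

Run `purge_sender 'admin@duncan\.com$' --dry-run` on the live system first and read the list; only then run it without the flag. Deleting the queue does not close the hole: the compromised login must be disabled or its password changed, or the queue refills within minutes.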

I'll work with Jamie to see if we can determine the cause of the issue.

I noticed that there were still 2 users on each domain (test and jamie); the test user had a simple password of "test". So I deleted both users, as all other users have a 12-14 character alphanumeric password. Thanks for your help; if you see anything else, let me know.

I created that "jamie" user to test mail delivery on your system for a previous bug, but it didn't have an easily guessable password.

Eric - was the spammer relaying mail through the system, or exploiting a PHP app to send mail?

OK... then who is Eric? Like I said, I made a very, very simple user/password for testing: test/test. Naturally I deleted the user this morning as soon as I realized it was there.

Eric is andreychek.

Was the spammer actually relaying using that test/test account though?

Yeah, emails were indeed being relayed via the test account. It doesn't look like there were any web apps being exploited.