36k plus queued emails

#1 Fri, 01/21/2011 - 15:27
coldlamper


My server was running slow and when I checked the postfix server it had 36256 queued messages.

Can anyone tell me why I would have so many (SMTP hacked, server hacked, misconfiguration) or how I can figure out where all the emails are coming from? Thanks for any help.

Here are the details of one of the messages (they are all similar):

Received: from SPRINCYCS (unknown [220.178.41.50]) by ewtechnologies.com (Postfix) with ESMTP id 0018F21DF68; Mon, 17 Jan 2011 21:58:23 +0000 (UTC)
Date: Tue, 18 Jan 2011 05:57:33 +0800
From: "Garrison" <kankeadias90shibaqi@msn.com>
To: "advocate319" <advocate319@yahoo.com>
Reply-To: <ibdandevelop@126.com>
Subject: iPhone/iPad Application D evelopment - Blackberry/A ndroid Application Develo pment
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: base64
Content-Disposition: inline
Message-Id: <20110117215824.0018F21DF68@ewtechnologies.com>
iPhone/iPad Application Development - Blackberry/Android Mobile Application Development

We are China based company explicitly active for iPhone software programming solutions
and Mobile Application Development services as well as wireless application (WAP)
development. We are organized to deliver premium quality services to our clients
ranging from large organizations to smaller groups and individuals from all over
the sphere. We implement creative ideas with latest technologies and constantly eager
to meet all needs of our clients with supreme level customer care with a view to
maintain long-term business relations.

Our team is perfect blend of experience and talented Mobile Application Developers,
who are successfully providing appropriate & quality solutions to our global iPhone
clients according to their respective needs like Android Mobile Application Development
& Mobile Website Development. We believe our enthusiastic approach towards latest
mobile technologies directly increase our mobile application development proficiency
in form of iPhone Application Development, iPhone 3G Games/Mac Games Development
and iPhone Calendar Application Development.

Services offered:
iPhone Application Development
iPad Application Development
Hire iPhone Programmers
iPhone Game Development
iPhone Theme & Icon Design
iPhone Calendar Application Development
Mobile Application Development
Android Mobile Application Development
Blackberry Mobile Application Development
Mobile Website Development
Wireless (WAP) Mobile Applications Development
Windows Mobile Application Development
J2ME based Mobile Application Development

Best regards,
Garrison
Gaersonsine iPhone Application Development
Contact: mobileibtech@yeah.net
Fri, 01/21/2011 - 15:43
andreychek

Howdy,

The key to where they're coming from is likely in the mail headers. For example, this line:

Received: from SPRINCYCS (unknown [220.178.41.50]) by ewtechnologies.com (Postfix) with ESMTP id 0018F21DF68; Mon, 17 Jan 2011 21:58:23 +0000 (UTC)

That means the email originated from the IP "220.178.41.50".

You can then look in the mail logs at "Mon, 17 Jan 2011 21:58:23", look for the IP "220.178.41.50", and use that to retrieve information on who exactly is responsible for those. It's possible someone's email account password was "hacked", for example, and a spammer may be relaying email through that account. If that's the case, you should be able to determine that from the logs.

Also, once you have a good idea of where those emails are coming from, you'll probably want to clear out your email queue. You can do that with this command:

postsuper -d all

That will delete all queued email. So before running that, you'd want to make sure you really want all that email deleted :-)

-Eric

Fri, 01/21/2011 - 17:41 (Reply to #2)
coldlamper

Thanks for the info. I'm looking at maillog and the only info I seem to find is like below:

Jan 17 21:58:23 ewtechnologies postfix/smtp[14284]: A71FB21E761: host gmail-smtp-in.l.google.com[74.125.95.27] said: 421-4.7.0 [184.106.202.123 4] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 blocked. Please visit http://www.google.com/mail/help/bulk_mail.html 421 4.7.0 to review our Bulk Email Senders Guidelines. f13si12248733ibb.100 (in reply to end of DATA command)

and

Jan 17 21:58:13 ewtechnologies postfix/smtpd[14614]: connect from unknown[220.178.41.50]

Jan 17 21:58:13 ewtechnologies postfix/smtpd[14614]: NOQUEUE: reject: RCPT from unknown[220.178.41.50]: 554 5.7.1 <advertising@denbighshirefreepress.co.uk>: Relay access denied; from=<kankeadias90shibaqi@msn.com> to=<advertising@denbighshirefreepress.co.uk> proto=ESMTP helo=<SPRINCYCS>

Jan 17 21:58:14 ewtechnologies postfix/smtpd[14614]: disconnect from unknown[220.178.41.50]

How do I decipher what account that is from or is it from an insecure php form or what?

ewtechnologies.com is my host

Is ewtechnologies the user account it was sent from?
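One way to do the log triage Eric describes, applied to the kind of lines quoted in this post: an added example, not something from the thread or from Postfix itself. It tallies, per connecting IP, how many times the host connected, how many relay attempts were refused, which queue ids it got accepted, and whether any of those were SASL-authenticated (which would point at a stolen mailbox password rather than an open relay). The log lines are constructed to mirror the excerpts above; the queue id B21FA21E7A0, the host mail.example.net and the user "alice" are made up.

```shell
#!/bin/sh
# Added example, not from the thread: tally Postfix smtpd activity per client IP from a
# maillog excerpt, so the host behind a queue flood is identified before anything is
# purged with postsuper. Sample lines are constructed (the second client is made up);
# on a live server feed the real log instead:   relay_triage < /var/log/maillog

SAMPLE_LOG='Jan 17 21:58:13 ewtechnologies postfix/smtpd[14614]: connect from unknown[220.178.41.50]
Jan 17 21:58:13 ewtechnologies postfix/smtpd[14614]: NOQUEUE: reject: RCPT from unknown[220.178.41.50]: 554 5.7.1 <advertising@example.co.uk>: Relay access denied; from=<kankeadias90shibaqi@msn.com> to=<advertising@example.co.uk> proto=ESMTP helo=<SPRINCYCS>
Jan 17 21:58:14 ewtechnologies postfix/smtpd[14614]: disconnect from unknown[220.178.41.50]
Jan 17 21:58:23 ewtechnologies postfix/smtpd[14614]: connect from unknown[220.178.41.50]
Jan 17 21:58:23 ewtechnologies postfix/smtpd[14614]: 0018F21DF68: client=unknown[220.178.41.50]
Jan 17 21:58:24 ewtechnologies postfix/smtpd[14614]: disconnect from unknown[220.178.41.50]
Jan 17 22:01:02 ewtechnologies postfix/smtpd[14702]: connect from mail.example.net[192.0.2.10]
Jan 17 22:01:03 ewtechnologies postfix/smtpd[14702]: B21FA21E7A0: client=mail.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Jan 17 22:01:04 ewtechnologies postfix/smtpd[14702]: disconnect from mail.example.net[192.0.2.10]'

# One line per client IP, busiest first:
#   IP connects=N relay_denied=N accepted=[queue ids] sasl=[authenticated users]
# "accepted" with an empty "sasl" list is the unauthenticated-submission signature
# (open relay or a permissive mynetworks); a non-empty "sasl" list points at a
# compromised mailbox password instead.
relay_triage() {
  awk '
    # only lines that name a client as host[a.b.c.d] are of interest
    match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
      ip = substr($0, RSTART + 1, RLENGTH - 2); seen[ip] = 1
      if ($0 ~ /postfix\/smtpd\[[0-9]+\]: connect from /) conn[ip]++
      else if ($0 ~ /Relay access denied/)               denied[ip]++
      else if (match($0, /: [0-9A-F]+: client=/)) {      # message accepted into the queue
        qid = substr($0, RSTART + 2, RLENGTH - 11)
        acc[ip] = (acc[ip] == "") ? qid : acc[ip] "," qid
        if (match($0, /sasl_username=[^, ]+/)) {
          u = substr($0, RSTART + 14, RLENGTH - 14)
          sasl[ip] = (sasl[ip] == "") ? u : sasl[ip] "," u
        }
      }
    }
    END {
      for (ip in seen)
        printf "%s connects=%d relay_denied=%d accepted=[%s] sasl=[%s]\n",
               ip, conn[ip] + 0, denied[ip] + 0, acc[ip], sasl[ip]
    }' | sort -t= -k2 -nr
}

printf '%s\n' "$SAMPLE_LOG" | relay_triage
```

The accepted queue ids can then be matched against `postqueue -p` output and the qmgr lines for the same id, which show the envelope sender and recipient count that got the queue to 36k.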

Fri, 01/21/2011 - 22:36 (Reply to #3)
coldlamper

Apparently my server was an open relay. I don't ever remember touching the postfix main.cf, but these were the settings:

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

I changed them to:

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject

So far it seems to have fixed the problem.

I used this site to test with: http://www.wormly.com/test_smtp_server

Fri, 01/21/2011 - 21:42
andreychek

Howdy,

The name "ewtechnologies" in the logs is just your hostname.

The email listed in there -- it doesn't appear as if that was accepted, it appears to have been rejected by Postfix.

However, according to the headers in the email -- that does appear to be the computer name and IP that sent the spam that you posted above.

So, what you might try doing is clearing out all the spam in the queue, and see if more gets added in. If you see more spam being added to the queue, I might suggest double-checking the logs to see if any of the more recent attempts are any more clear as to what the problem is.

However, you do always have the option of banning that particular IP address. You can ban an IP by typing this as root on the command line:

route add -host 220.178.41.50 reject