Trying to understand some email issues
Valeri Galtsev
galtsev at kicp.uchicago.edu
Mon Jan 21 14:31:58 UTC 2019
On 1/21/19 12:33 AM, Patrick Mahan wrote:
> All,
>
> FreeBSD 11.2
>
> Running postfix 3.3.2_1,1
>
> I'm getting hammered with thousands of emails from yahoo.com -
>
> Here is an example -
>
> Jan 20 22:09:01 ns postfix/smtp[1308]: 2DA97A2E2EF: to=<pwascak at aol.com>,
> relay=mx-aol.mail.gm0.yahoodns.net[98.137.157.43]:25, delay=13730,
> delays=13728/0.31/1.1/0.06, dsn=4.7.0, status=deferred (host
> mx-aol.mail.gm0.yahoodns.net[98.137.157.43] said: 421 4.7.0 [TSS04]
> Messages from 23.24.207.145 temporarily deferred due to user complaints -
> 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply
> to MAIL FROM command))
>
> I'm trying to determine if I am somehow relaying emails to yahoo.com, or is
> this someone attacking me.
>
> I am pretty sure I have postfix configured to avoid acting like a relay for
> unauthenticated connections. But this may be something I have messed up.
> This has been happening only since I upgraded to 11.2 (I was at 9.x). I
> also just recently switched from sendmail to postfix as well.
>
> I can provide my postfix config on request if needed.
>
> Pointers to other mail-lists are welcomed. I decided to start here before
> jumping on the postfix mailing list.
Do your users have shell access to your mail server? If yes, then I would
check that nothing happens from one of the user accounts (stolen password, bad
guys got shell as that user). They can set up a process that loads addresses
from a remote place and sends spam messages to them all. Most often they
would do it through your postfix locally. Then the postfix queue will be big
from time to time. And you will see this in maillog. In the less likely scenario
(of it really originating from you) where the script sends directly itself,
you may increase the verbosity of the firewall log. One more thing to check is
that there are no unexplained processes on the machine.
If the machine is simultaneously a web server, that would be the next
suspect. There may be some form that sends email to an address provided by a
web visitor. But this will be one of the possibilities which most likely
will be visible in your mail logs.
After you have investigated all on your side (or maybe even before that), do
as Odhiambo suggested: go to the yahoo URL provided and read what they say
there.
Good luck.
Valeri
>
> Thanks in advance,
>
> Patrick
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
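One way to act on the advice above to read the maillog: an added example (not code from either poster) that correlates postfix log lines by queue id, so each message is tagged with where it entered (unauthenticated network client, SASL-authenticated client, or a local process via pickup) and the deferrals are tallied per entry point. The sample log lines are constructed for this example; 203.0.113.0/24 is a documentation address range, and the 421 4.7.0 [TSS04] text mirrors the Yahoo reply quoted in the thread.

```python
import re
from collections import defaultdict

# postfix logs one line per daemon per queue id; the id links the line showing where a
# message entered (smtpd client= or pickup uid=) to its delivery attempts (smtp status=).
QID = re.compile(r' postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$')
CLIENT = re.compile(r'client=([^,\s]+)')
SASL = re.compile(r'sasl_username=([^,\s]+)')
UID = re.compile(r'uid=(\d+)')
STATUS = re.compile(r'status=(sent|deferred|bounced)')
SAID = re.compile(r'said: (\d{3}) \d\.\d\.\d \[(\w+)\]')  # e.g. 421 4.7.0 [TSS04]

def correlate(lines):
    """queue id -> entry point, per-status delivery counts, and remote reply codes."""
    msgs = defaultdict(lambda: {"origin": "unknown", "sent": 0, "deferred": 0, "bounced": 0, "codes": []})
    for line in lines:
        m = QID.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        e = msgs[qid]
        if daemon == "smtpd":            # arrived over the network (relay or submission)
            c, s = CLIENT.search(rest), SASL.search(rest)
            e["origin"] = "authenticated:" + s.group(1) if s else ("network:" + c.group(1) if c else e["origin"])
        elif daemon == "pickup":         # handed in by a local process running as uid
            u = UID.search(rest)
            e["origin"] = "local-uid:" + u.group(1) if u else e["origin"]
        elif daemon == "smtp":           # outbound delivery attempt and the remote MX's answer
            st, said = STATUS.search(rest), SAID.search(rest)
            if st:
                e[st.group(1)] += 1
            if said:
                e["codes"].append(said.group(1) + "/" + said.group(2))
    return dict(msgs)

def by_origin(msgs):
    """Totals per entry point: a pile of deferrals under one origin says where the flood comes from."""
    tot = defaultdict(lambda: {"sent": 0, "deferred": 0, "bounced": 0})
    for e in msgs.values():
        for k in ("sent", "deferred", "bounced"):
            tot[e["origin"]][k] += e[k]
    return dict(tot)

# Constructed sample lines (not from the thread); 203.0.113.0/24 is a documentation range.
SAMPLE = """\
Jan 20 22:08:59 ns postfix/pickup[900]: 3FE12A2E2F0: uid=1001 from=<www>
Jan 20 22:08:59 ns postfix/smtpd[1200]: 2DA97A2E2EF: client=unknown[203.0.113.5]
Jan 20 22:09:00 ns postfix/smtpd[1201]: 4AB34A2E2F1: client=host.example[203.0.113.9], sasl_method=PLAIN, sasl_username=alice
Jan 20 22:09:01 ns postfix/smtp[1308]: 2DA97A2E2EF: to=<user@aol.com>, relay=mx-aol.mail.gm0.yahoodns.net[98.137.157.43]:25, delay=13730, delays=13728/0.31/1.1/0.06, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.137.157.43] said: 421 4.7.0 [TSS04] Messages from 203.0.113.1 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
Jan 20 22:09:02 ns postfix/smtp[1309]: 3FE12A2E2F0: to=<user@example.org>, relay=mx.example.org[203.0.113.20]:25, delay=2, delays=1/0.1/0.5/0.3, dsn=4.7.0, status=deferred (host mx.example.org[203.0.113.20] said: 421 4.7.0 [TSS04] Messages from 203.0.113.1 temporarily deferred due to user complaints (in reply to MAIL FROM command))
Jan 20 22:09:03 ns postfix/smtp[1310]: 4AB34A2E2F1: to=<user@example.net>, relay=mx.example.net[203.0.113.30]:25, delay=1, delays=0.5/0.1/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
""".splitlines()
```

On a real box, feed it `open("/var/log/maillog")` instead of SAMPLE; a large "network:" total with no sasl_username points at relaying, a large "local-uid:" total at a compromised account or web form.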