Trying to understand some email issues

Patrick Mahan plmahan at gmail.com
Mon Jan 21 19:05:08 UTC 2019


Valeri,

It does not seem compromised.  I have no unexpected processes running.  I'm
getting subscribed to the postfix mailing list and will seek help there.

The Yahoo URL was singularly unhelpful, only stating that I might be
sending spam.  Which is when I decided to seek help.

Thanks,

Patrick

On Mon, Jan 21, 2019 at 6:33 AM Valeri Galtsev <galtsev at kicp.uchicago.edu>
wrote:

>
>
> On 1/21/19 12:33 AM, Patrick Mahan wrote:
> > All,
> >
> > FreeBSD 11.2
> >
> > Running postfix 3.3.2_1,1
> >
> > I'm getting hammered with thousands of emails from yahoo.com -
> >
> > Here is an example -
> >
> > Jan 20 22:09:01 ns postfix/smtp[1308]: 2DA97A2E2EF: to=<pwascak at aol.com>,
> > relay=mx-aol.mail.gm0.yahoodns.net[98.137.157.43]:25, delay=13730,
> > delays=13728/0.31/1.1/0.06, dsn=4.7.0, status=deferred (host
> > mx-aol.mail.gm0.yahoodns.net[98.137.157.43] said: 421 4.7.0 [TSS04]
> > Messages from 23.24.207.145 temporarily deferred due to user complaints -
> > 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply
> > to MAIL FROM command))
> >
> > I'm trying to determine if I am somehow relaying emails to yahoo.com, or is
> > this someone attacking me.
> >
> > I am pretty sure I have postfix configured to avoid acting like a relay for
> > unauthenticated connections.  But this may be something I have messed up.
> > This has been happening only since I upgraded to 11.2 (I was at 9.x).  I
> > also just recently switched from sendmail to postfix as well.
> >
> > I can provide my postfix config on request if needed.
> >
> > Pointers to other mail-lists are welcomed.  I decided to start here before
> > jumping on the postfix mailing list.
>
> Do your users have shell access to your mail server? If yes, then I would
> check that nothing happens from one of the user accounts (stolen password, bad
> guys got shell as that user). They can set up a process that loads addresses
> from a remote place and sends a spam message to them all. Most often they
> would do it through your postfix locally. Then the postfix queue will be big
> from time to time. And you will see this in maillog. In the less likely scenario
> (of it really originating from you) where the script itself sends directly,
> you may increase verbosity of the firewall log. One more thing to check is
> that there are no unexplained processes on the machine.
>
> If the machine is simultaneously a web server, that would be the next
> suspect. There may be some form that sends email to an address provided by a
> web visitor. But this will be one of the possibilities which most likely
> will be visible in your mail logs.
>
> After you have investigated everything on your side (or maybe even before that), do
> as Odhiambo suggested: go to the Yahoo URL provided and read what they say
> there.
>
> Good luck.
>
> Valeri
>
> >
> > Thanks in advance,
> >
> > Patrick
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
> >
>
> --
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
>
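Valeri's advice boils down to one question: did the deferred messages enter the queue from a local account, from a web form running as the web server's user, or from an outside SMTP client that Postfix accepted? Postfix logs each answer against the same queue ID: `postfix/pickup` records the submitting `uid=` for locally submitted mail, and `postfix/smtpd` records `client=` (plus `sasl_username=` if the client authenticated) for mail received over SMTP. The script below, an added example that is not from this thread or from the Postfix project, joins the `status=deferred` lines back to those origin lines and tallies deferrals per relay and DSN. The log lines in it are constructed (only the relay hostname and the 4.7.0 DSN mirror the line Patrick posted; addresses and IPs are documentation placeholders), and the function names are my own.

```shell
#!/bin/sh
# Added example: correlate deferred Postfix deliveries with their origin.
# Run against a real /var/log/maillog as:  origin_of_deferred /var/log/maillog

# Constructed sample log, in Postfix's usual maillog format (not the poster's actual log).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 20 21:58:10 ns postfix/pickup[1100]: 2DA97A2E2EF: uid=1001 from=<bob>
Jan 20 21:58:10 ns postfix/qmgr[1200]: 2DA97A2E2EF: from=<bob@ns.example.org>, size=812, nrcpt=1 (queue active)
Jan 20 22:01:00 ns postfix/smtpd[1250]: connect from unknown[198.51.100.7]
Jan 20 22:01:00 ns postfix/smtpd[1250]: 3E1B2C4D5F6: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Jan 20 22:01:00 ns postfix/qmgr[1200]: 3E1B2C4D5F6: from=<alice@ns.example.org>, size=920, nrcpt=1 (queue active)
Jan 20 22:09:01 ns postfix/smtp[1308]: 2DA97A2E2EF: to=<user1@example.com>, relay=mx-aol.mail.gm0.yahoodns.net[192.0.2.43]:25, delay=13730, delays=13728/0.31/1.1/0.06, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[192.0.2.43] said: 421 4.7.0 [TSS04] Messages from 192.0.2.145 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
Jan 20 22:09:02 ns postfix/smtp[1309]: 3E1B2C4D5F6: to=<user2@example.com>, relay=mx-aol.mail.gm0.yahoodns.net[192.0.2.43]:25, delay=482, delays=480/0.2/1.0/0.1, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[192.0.2.43] said: 421 4.7.0 [TSS04] Messages from 192.0.2.145 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
Jan 20 22:09:03 ns postfix/smtp[1310]: 4F2C3D5E6A7: to=<user3@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
EOF

# origin_of_deferred LOGFILE
#   One line per deferred queue ID: "QUEUEID ORIGIN", where ORIGIN is
#   "uid=N" (local submission via pickup) or "client=HOST[IP]" (inbound SMTP),
#   with " sasl_username=USER" appended when the smtpd line shows authentication.
origin_of_deferred() {
    awk '
    # Field 5 is the daemon name, field 6 the queue ID followed by ":".
    { qid = $6; sub(/:$/, "", qid) }
    $5 ~ /^postfix\/pickup\[/ {
        for (i = 7; i <= NF; i++) if ($i ~ /^uid=/) origin[qid] = $i
    }
    $5 ~ /^postfix\/smtpd\[/ && $7 ~ /^client=/ {
        o = $7; sub(/,$/, "", o)
        for (i = 8; i <= NF; i++)
            if ($i ~ /^sasl_username=/) { u = $i; sub(/,$/, "", u); o = o " " u }
        origin[qid] = o
    }
    $5 ~ /^postfix\/smtp\[/ && /status=deferred/ { deferred[qid] = 1 }
    END {
        for (q in deferred) print q, (q in origin ? origin[q] : "origin-unknown")
    }' "$1" | sort
}

# deferral_counts LOGFILE
#   "COUNT RELAYHOST DSN" per distinct relay/DSN pair, busiest first; a single
#   relay dominating with a 4.7.x DSN is the outbound-reputation pattern.
deferral_counts() {
    awk '$5 ~ /^postfix\/smtp\[/ && /status=deferred/ {
        relay = ""; dsn = ""
        for (i = 7; i <= NF; i++) {
            if ($i ~ /^relay=/) { relay = $i; sub(/^relay=/, "", relay); sub(/\[.*$/, "", relay) }
            if ($i ~ /^dsn=/)   { dsn = $i;   sub(/^dsn=/, "", dsn);     sub(/,$/, "", dsn) }
        }
        n[relay " " dsn]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

echo "== origin of each deferred message =="
origin_of_deferred "$SAMPLE_LOG"
echo "== deferrals per relay and DSN =="
deferral_counts "$SAMPLE_LOG"
```

Reading the output on a real box: a `uid=` that belongs to an ordinary login account points at a stolen password or a script running as that user; a `uid=` that belongs to the web server's account points at the web-form scenario Valeri mentions; a `client=` from an outside address with no `sasl_username=` means Postfix accepted the message over SMTP without authentication, which is the relay configuration to review. Cross-check the queue IDs against what `postqueue -p` (or `mailq`) still holds.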
