Posts by Phinous

    Here is my /etc/postfix/main.cf: http://p.mufff.in/?f3692398a23…xzWb3Zehk1VJ60nYHCRLPDoY=


    And my /etc/postfix/master.cf: http://p.mufff.in/?c65c71a398b…Rab07H4vgUMoDKYMrITFzeQI=



    ~# ps aux | grep nc

    Code
    root      60    0.0  0.0     0     0 ?      S  13:06 0:00 [async/mgr]
    root      232   0.0  0.0     0     0 ?      S  13:06 0:00 [sync_supers]
    www-data  16799 0.0  0.0     0     0 ?      Z  15:27 0:00 [apache2] <defunct>
    postfix   17438 0.0  0.1  5528  1808 ?      S  15:28 0:00 bounce -z -n defer -t unix -u -c
    postfix   17500 0.0  0.1  5528  1808 ?      S  15:28 0:00 bounce -z -n defer -t unix -u -c
    postfix   18445 0.0  0.1  5528  1804 ?      S  15:29 0:00 bounce -z -n defer -t unix -u -c
    postfix   18570 0.0  0.1  5528  1872 ?      S  15:29 0:00 bounce -z -t unix -u -c
    postfix   18589 0.0  0.1  5528  1876 ?      S  15:29 0:00 bounce -z -t unix -u -c
    postfix   18628 0.0  0.1  5528  1832 ?      S  15:29 0:00 bounce -z -t unix -u -c
    root      18635 0.0  0.0  3036   792 pts/0  S+ 15:29 0:00 grep nc

    Hi,


    On one of my servers, I have a spam problem.
    Here is the /var/log/mail.log file:


    Code
    Aug 8 13:51:27 servername postfix/smtp[5004]: 5FAF9227B5: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.67.27]:25, delay=1, delays=0.03/0.4/0.03/0.56, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.67.27] said: 550-5.7.1 [207.73.100.36 12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. lk7si2833406wic.68 - gsmtp (in reply to end of DATA command))
    Aug 8 13:51:27 servername postfix/cleanup[4788]: 646E32278E: message-id=<[email protected]>
    Aug 8 13:51:27 servername postfix/smtp[4974]: 62BCB227AA: to=<[email protected]>, relay=spool.mail.gandi.net[217.70.184.6]:25, conn_use=3, delay=0.01, delays=0/0/0/0, dsn=5.7.1, status=bounced (host spool.mail.gandi.net[217.70.184.6] said: 550 5.7.1 <[email protected]>: Recipient address rejected: bounce limit for domaine2.org (in reply to RCPT TO command))
    Aug 8 13:51:27 servername postfix/qmgr[27088]: 62BCB227AA: removed
    Aug 8 13:51:27 servername postfix/bounce[4780]: 5FAF9227B5: sender non-delivery notification: 646E32278E
    Aug 8 13:51:27 servername postfix/qmgr[27088]: 646E32278E: from=<>, size=3388, nrcpt=1 (queue active)
    Aug 8 13:51:27 servername postfix/smtp[5012]: 75DBE6FF17: host mta7.am0.yahoodns.net[98.138.112.37] said: 421 4.7.0 [TS01] Messages from 207.73.100.36 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html (in reply to MAIL FROM command)
    Aug 8 13:51:27 servername postfix/smtp[5012]: 75DBE6FF17: lost connection with mta7.am0.yahoodns.net[98.138.112.37] while sending RCPT TO
    Aug 8 13:51:27 servername postfix/qmgr[27088]: 5FAF9227B5: removed
    Aug 8 13:51:27 servername postfix/smtp[5006]: 5DA85223A1: to=<[email protected]>, relay=mx.mailbox.orange-business.com[194.2.0.80]:25, conn_use=5, delay=0.03, delays=0/0.02/0/0.01, dsn=5.1.1, status=bounced (host mx.mailbox.orange-business.com[194.2.0.80] said: 550 5.1.1 <[email protected]>... User unknown (in reply to RCPT TO command))
    Aug 8 13:51:27 servername postfix/qmgr[27088]: 5DA85223A1: removed
    Aug 8 13:51:27 servername postfix/smtp[4950]: 62118223B4: to=<[email protected]>, relay=mx.mailbox.orange-business.com[194.2.0.80]:25, delay=0.04, delays=0.01/0.01/0.01/0.01, dsn=5.1.1, status=bounced (host mx.mailbox.orange-business.com[194.2.0.80] said: 550 5.1.1 <[email protected]>... User unknown (in reply to RCPT TO command))


    It looks like a robot is using my server as a spam relay.


    postqueue -p:

    Code
    86D8332E9A   758 Fri Aug 8 13:14:46  [email protected]
                                         [email protected]
                 654 Fri Aug 8 13:13:44  [email protected]
                                         [email protected]
                 703 Fri Aug 8 13:09:20  [email protected]
                                         [email protected]
                 630 Fri Aug 8 13:12:43  [email protected]
                                         [email protected]
                 561 Fri Aug 8 13:14:07  [email protected]
                                         [email protected]
                 655 Fri Aug 8 13:13:10  [email protected]
                                         [email protected]


    domain2.com exists on my server, but not the user [email protected].


    ps aux | grep "postfix":


    My server is a little bit old and it's running a legacy version of i-MSCP (ispCP 1.0.3 OMEGA build: 20091224 Codename: Priamos).
    Please don't laugh about it: it's not so easy to migrate this kind of server with lots of customers on it (I'm also looking for a way to do this easily ;) ).
    So maybe there is a security hole in it, but my question is: how can I stop this spam attack?
    And I came here to post my question because several members of the original ispCP team moved here and there is no chance to get an answer over there :(


    Thanks a lot for your help.
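The mail.log excerpt in the post only shows the delivery side (postfix/smtp, bounce, qmgr), which is enough to see that the server is emitting spam but not where it is being injected. The question "how can I stop this" depends on that: in Postfix every message gets a queue ID, and the line that records its entry point is either postfix/pickup (uid=N, i.e. a local process such as a web application calling sendmail) or postfix/smtpd (client=host[ip], optionally sasl_username=..., i.e. network submission, possibly with a stolen mailbox password). The script below is an added example, not code from the post, the i-MSCP/ispCP project or Postfix: it correlates each queue ID with its entry line, separates locally generated bounces (from=<>, backscatter) from injected mail, and ranks entry points by bounced and deferred deliveries. All lines in SAMPLE_LOG are constructed for the example; the smtp/bounce/qmgr lines copy the shapes seen in the post, while the pickup/smtpd lines, the uid 33, the client IP and the sender addresses are assumptions and say nothing about what is actually happening on the poster's server.

```python
"""Triage a Postfix mail.log for an outbound-spam incident (added example)."""
import re
from collections import Counter

# Constructed sample log. uid=33 is assumed to be the web server user (www-data
# on Debian); 203.0.113.7 and the sender addresses are placeholders.
SAMPLE_LOG = """\
Aug  8 13:51:20 servername postfix/pickup[4711]: 5FAF9227B5: uid=33 from=<www-data>
Aug  8 13:51:20 servername postfix/cleanup[4788]: 5FAF9227B5: message-id=<20140808115120.5FAF9227B5@servername>
Aug  8 13:51:20 servername postfix/qmgr[27088]: 5FAF9227B5: from=<user@domaine2.org>, size=1234, nrcpt=1 (queue active)
Aug  8 13:51:21 servername postfix/pickup[4711]: 62BCB227AA: uid=33 from=<www-data>
Aug  8 13:51:21 servername postfix/qmgr[27088]: 62BCB227AA: from=<user@domaine2.org>, size=1180, nrcpt=1 (queue active)
Aug  8 13:51:22 servername postfix/smtpd[4720]: 75DBE6FF17: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user@domaine2.org
Aug  8 13:51:22 servername postfix/qmgr[27088]: 75DBE6FF17: from=<user@domaine2.org>, size=1410, nrcpt=1 (queue active)
Aug  8 13:51:27 servername postfix/smtp[5004]: 5FAF9227B5: to=<victim@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.67.27]:25, delay=1, delays=0.03/0.4/0.03/0.56, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.67.27] said: 550-5.7.1 [207.73.100.36 12] Our system has detected that this message is likely unsolicited mail. (in reply to end of DATA command))
Aug  8 13:51:27 servername postfix/cleanup[4788]: 646E32278E: message-id=<20140808115127.646E32278E@servername>
Aug  8 13:51:27 servername postfix/smtp[4974]: 62BCB227AA: to=<user@domaine2.org>, relay=spool.mail.gandi.net[217.70.184.6]:25, conn_use=3, delay=0.01, delays=0/0/0/0, dsn=5.7.1, status=bounced (host spool.mail.gandi.net[217.70.184.6] said: 550 5.7.1 <user@domaine2.org>: Recipient address rejected: bounce limit for domaine2.org (in reply to RCPT TO command))
Aug  8 13:51:27 servername postfix/qmgr[27088]: 62BCB227AA: removed
Aug  8 13:51:27 servername postfix/bounce[4780]: 5FAF9227B5: sender non-delivery notification: 646E32278E
Aug  8 13:51:27 servername postfix/qmgr[27088]: 646E32278E: from=<>, size=3388, nrcpt=1 (queue active)
Aug  8 13:51:27 servername postfix/smtp[5012]: 75DBE6FF17: host mta7.am0.yahoodns.net[98.138.112.37] said: 421 4.7.0 [TS01] Messages from 207.73.100.36 temporarily deferred due to user complaints (in reply to MAIL FROM command)
Aug  8 13:51:27 servername postfix/smtp[5012]: 75DBE6FF17: to=<someone@yahoo.com>, relay=mta7.am0.yahoodns.net[98.138.112.37]:25, delay=5, delays=0.1/0/4.5/0.4, dsn=4.7.0, status=deferred (lost connection with mta7.am0.yahoodns.net[98.138.112.37] while sending RCPT TO)
Aug  8 13:51:27 servername postfix/qmgr[27088]: 5FAF9227B5: removed
"""

# syslog timestamp, host, "postfix/<daemon>[pid]: <queue id>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[a-z-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)$"
)

GENERATED = "generated bounce (from=<>)"


def parse_line(line):
    """Extract the fields that matter for triage; None for lines without a queue ID."""
    m = LINE_RE.match(line)
    if not m or m.group("qid") == "NOQUEUE":
        return None
    rec = {"qid": m.group("qid"), "prog": m.group("prog")}
    prog, rest = m.group("prog"), m.group("rest")
    if prog == "pickup":                      # local submission through sendmail(1)
        u = re.search(r"uid=(\d+) from=<([^>]*)>", rest)
        if u:
            rec["origin"] = f"local uid={u.group(1)} from={u.group(2)}"
    elif prog == "smtpd":                     # network submission, maybe SASL-authenticated
        c = re.search(r"client=(\S+?)(?:,|$)", rest)
        s = re.search(r"sasl_username=(\S+)", rest)
        if c:
            auth = f" sasl_username={s.group(1)}" if s else " (no auth)"
            rec["origin"] = f"smtpd client={c.group(1)}{auth}"
    elif prog == "qmgr":
        f = re.search(r"from=<([^>]*)>", rest)
        if f:
            rec["sender"] = f.group(1)        # "" = null sender, i.e. a bounce
    elif prog == "bounce":
        b = re.search(r"non-delivery notification: ([0-9A-Za-z]+)", rest)
        if b:
            rec["dsn_qid"] = b.group(1)       # queue ID of the DSN created for this message
    else:                                     # smtp/local/virtual delivery agents
        st = re.search(r"status=(\w+)", rest)
        if st:
            rec["status"] = st.group(1)
    return rec


def _new_message():
    return {"origin": None, "sender": None, "statuses": Counter(), "dsn_for": None}


def parse_messages(lines):
    """Fold all log lines into one record per queue ID."""
    msgs = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = msgs.setdefault(rec["qid"], _new_message())
        if "origin" in rec:
            m["origin"] = rec["origin"]
        if "sender" in rec:
            m["sender"] = rec["sender"]
        if "status" in rec:
            m["statuses"][rec["status"]] += 1
        if "dsn_qid" in rec:                  # link the DSN back to the message that caused it
            msgs.setdefault(rec["dsn_qid"], _new_message())["dsn_for"] = rec["qid"]
    return msgs


def triage(lines):
    """Group messages by entry point; locally generated bounces get their own bucket."""
    by_origin = {}
    for m in parse_messages(lines).values():
        if m["dsn_for"] is not None or m["sender"] == "":
            key = GENERATED                   # backscatter, nobody injected this
        else:
            key = m["origin"] or "unknown (no pickup/smtpd line in input)"
        agg = by_origin.setdefault(key, {"messages": 0, "statuses": Counter(), "senders": set()})
        agg["messages"] += 1
        agg["statuses"].update(m["statuses"])
        if m["sender"]:
            agg["senders"].add(m["sender"])
    return by_origin


def rank_origins(by_origin):
    """Entry points ordered by bounced+deferred deliveries, worst first."""
    ranked = []
    for origin, agg in by_origin.items():
        if origin == GENERATED:
            continue
        ranked.append((origin, agg["statuses"]["bounced"] + agg["statuses"]["deferred"]))
    return sorted(ranked, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # e.g. python3 triage.py /var/log/mail.log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    report = triage(lines)
    for origin, failures in rank_origins(report):
        agg = report[origin]
        print(f"{failures:4d} failed  {agg['messages']:4d} msgs  {origin}  senders={sorted(agg['senders'])}")
    if GENERATED in report:
        print(f"{report[GENERATED]['messages']} bounce(s) generated locally (backscatter)")
```

Run it against the real /var/log/mail.log (and the rotated copies, since the bounces in the post are already the tail end of the injection). The top entry tells you which control to apply: a pickup line with the web server's uid points at a web application on the box (a PHP script calling mail(), which on an ispCP-era server runs as www-data), whereas an smtpd line with a sasl_username points at a mailbox whose password has been stolen and should be changed first. The "generated bounce" bucket is the backscatter you saw in the 550 "bounce limit for domaine2.org" rejections: those DSNs are created by your own bounce daemon, so they disappear once the injection stops.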