
Tests say my server isn't an open relay, but all of a sudden sendmail stopped working and I have spam-like contents in my mailq:

5F543CE3A73     1000 Sat Mar  2 01:28:41  [REMOVED]@[REMOVED]
(delivery temporarily suspended: host mta5.am0.yahoodns.net[98.136.216.26] refused to talk to me: 421 4.7.0 [TS01] Messages from 70.xx.xx.xx temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
                                         tonysimms63@yahoo.com

Any idea what's happening?

Update: Clearing the mailq and it starts filling immediately. I have turned off postfix.

voretaq7
Brandon Wamboldt
    It sounds like you've been hacked and are now sending spam. – Grumpy Mar 04 '13 at 11:34
  • @Grumpy Well what should I do :O – Brandon Wamboldt Mar 04 '13 at 11:35
    Given what you said, we don't know how you've been compromised, so we can't conclusively help you in any direction. It's possible that another client on your server's been compromised, your forms/site/application, or it's possible that your server itself has been compromised. Each will require a different solution. I would, however, suggest to you to find a security company who deals with compromised servers to assist you in this matter. It's very long, but I would also suggest you read the above link MadHatter linked about how to deal with it. – Grumpy Mar 04 '13 at 11:44
  • Please don't edit "answers" into your question -- feel free to leave a *comment* here detailing what you've found / what conclusions you've made, but editing answers into questions fundamentally breaks the Stack Exchange model... – voretaq7 Mar 04 '13 at 18:02

2 Answers


Either you're relaying for an actual user of yours who is sending spam/virus email, or you have a user who sends email which a lot of Yahoo users don't like receiving, or maybe someone has figured out how to relay through you (for example an exploitable script on a web server which by default can send through you).

NickW
  • How can I even start tracking this down? I use plesk and only have a few sites on my server, only two users (both owned by me) with SSH access – Brandon Wamboldt Mar 04 '13 at 11:44
  • As suggested above, you might want to read through the suggested links. My first step was usually to read back through the logs, to find the mail sent to tonysimms76 for example, and find out where the origin of the mail is, if it's from another server, an external host, or the server itself. From there forward there is no way to fit in this little box the possible solutions and next steps. – NickW Mar 04 '13 at 11:53
    Dropping in some information about what the issue was. This was the result of a compromised Invision Power Board installation. I figured it was that so I disabled the two domains running IPB and the mail queue stopped growing. I had already turned off Postfix so it wouldn't send emails out. Then I proceeded to track down the exploit, fix it, and remove the compromised files. I've fixed the root cause of the exploit as well. – Brandon Wamboldt Apr 07 '14 at 18:30
  • Good job, it's always valuable experience, this sort of thing. – NickW Apr 08 '14 at 08:38
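As an added example (not from the question or from any answer above), here is one way to do the log tracing NickW describes: a Python script that reads Postfix pickup/smtpd log lines and groups queued messages by where they entered the queue, so a web script calling sendmail (local pickup under the web user's uid) stands out from mail submitted over SMTP. The log lines are constructed for the example; only the queue ID 5F543CE3A73 is taken from the question.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format (not the asker's logs).
# Hostnames, uids and addresses are made up for the example.
SAMPLE_LOG = """\
Mar  2 01:28:40 host postfix/pickup[1201]: 5F543CE3A73: uid=10001 from=<user@example.invalid>
Mar  2 01:28:40 host postfix/cleanup[1202]: 5F543CE3A73: message-id=<f1b3c@example.invalid>
Mar  2 01:28:41 host postfix/qmgr[1100]: 5F543CE3A73: from=<user@example.invalid>, size=1000, nrcpt=1 (queue active)
Mar  2 01:28:42 host postfix/pickup[1201]: 6A0B1CE3A74: uid=10001 from=<user@example.invalid>
Mar  2 01:28:43 host postfix/smtpd[1300]: 7B1C2CE3A75: client=mail.example.invalid[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.invalid
Mar  2 01:28:44 host postfix/smtpd[1300]: 8C2D3CE3A76: client=unknown[198.51.100.7]
"""

# Only pickup (local sendmail submission) and smtpd (network submission)
# lines tell us how a message entered the queue; cleanup/qmgr lines do not.
QUEUE_RE = re.compile(
    r"postfix/(?P<daemon>pickup|smtpd)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
UID_RE = re.compile(r"uid=(?P<uid>\d+)")
CLIENT_RE = re.compile(r"client=(?P<client>\S+?)(?:,|$)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")

def classify_origins(log_text):
    """Map each queue ID to the origin that injected the message.

    A pickup line means local submission (e.g. PHP mail() via sendmail) and
    is keyed by uid; on a hosting panel that uid usually belongs to one
    site's user, which points at the site to inspect.  An smtpd line is
    keyed by the connecting client and, if present, the SASL login used.
    """
    origins = {}
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        rest = m.group("rest")
        if m.group("daemon") == "pickup":
            uid = UID_RE.search(rest)
            origins[m.group("qid")] = "local uid=%s" % uid.group("uid") if uid else "local"
        else:
            client = CLIENT_RE.search(rest)
            sasl = SASL_RE.search(rest)
            label = "smtp client=%s" % (client.group("client") if client else "?")
            if sasl:
                label += " sasl=%s" % sasl.group("user")
            origins[m.group("qid")] = label
    return origins

def top_origins(log_text, n=3):
    """Count injections per origin; the dominant one is where to look first."""
    return Counter(classify_origins(log_text).values()).most_common(n)

if __name__ == "__main__":
    for origin, count in top_origins(SAMPLE_LOG):
        print(count, origin)
```

On a real host, feed it the Postfix log (typically /var/log/maillog or /var/log/mail.log) instead of SAMPLE_LOG.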

How can I even start tracking this down?

You can start disabling mail service for domains one by one and checking for mail queue activity.

Or if you have Plesk version 11 you can try to use CommTouch (Parallels Premium Outbound Antispam). Update: CommTouch has been dropped from Plesk.

Plesk 12 will come with an Outgoing spam control tool.

Oleg Neumyvakin