
For the past day my server has been used to send spam. I'm using the Amazon Linux distro (Red Hat based). It has sendmail 8.14.4. It is set up to require authentication, SSL etc. Below are some excerpts from the log and mqueue. How can I find out what is going on and fix it?

Sep 10 21:57:03 ps-aws-p1 sendmail[11662]: r8AJtH4r011662: from=<sepoh@project-syndicate.org>, size=464, class=0, nrcpts=10, msgid=<201309101956.r8AJtH4r011662@ps-aws-p1.project-syndicate.org>, proto=ESMTP, daemon=TLSMTA, relay=dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may be forged)
Sep 10 21:57:12 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<curlieq123@aol.com>, delay=00:00:18, xdelay=00:00:09, mailer=esmtp, pri=390464, relay=mailin-01.mx.aol.com. [205.188.159.42], dsn=5.1.1, stat=User unknown
Sep 10 21:57:19 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<debbie381@earthlink.net>, delay=00:00:25, xdelay=00:00:03, mailer=esmtp, pri=390464, relay=mx1.earthlink.net. [209.86.93.226], dsn=2.0.0, stat=Sent (1vju3P5qX3Nl34d0 Message accepted for delivery)
Sep 10 21:57:20 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<leocnandez@gmail.com>, delay=00:00:26, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=gmail-smtp-in.l.google.com. [74.125.136.27], dsn=2.0.0, stat=Sent (OK 1378843040 x42si1080567eel.116 - gsmtp)
Sep 10 21:57:21 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<foxxychocolate69@hotmail.com>, delay=00:00:27, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=mx2.hotmail.com. [65.55.37.88], dsn=5.1.1, stat=User unknown
Sep 10 21:57:22 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<neville.jackson@hotmail.com>,<jsepeda92@hotmail.com>, delay=00:00:28, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mx2.hotmail.com. [65.55.37.88], dsn=2.0.0, stat=Sent ( <201309101956.r8AJtH4r011662@ps-aws-p1.project-syndicate.org> Queued mail for delivery)
Sep 10 21:57:24 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<123@nna.com>, delay=00:00:30, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=zeno.mx25.net. [207.210.234.36], dsn=2.0.0, stat=Sent (893 bytes received in 00:00:00; Message id 201309101457230095 accepted for delivery)
Sep 10 21:57:25 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<zzdarec@seznam.cz>, delay=00:00:31, xdelay=00:00:01, mailer=esmtp, pri=390464, relay=mx1.seznam.cz. [77.75.76.42], dsn=4.3.5, stat=Deferred: 451 4.3.5 Temporarily unavailable, try again later.
Sep 10 21:57:26 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<zzdarec@seznam.cz>, delay=00:00:32, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mx2.seznam.cz. [77.75.76.32], dsn=4.3.5, stat=Deferred: 451 4.3.5 Temporarily unavailable, try again later.
Sep 10 21:57:28 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: to=<patmcdyer@yahoo.com>,<vbrianbulfer@yahoo.com>, delay=00:00:34, xdelay=00:00:02, mailer=esmtp, pri=390464, relay=mta5.am0.yahoodns.net. [98.138.112.34], dsn=2.0.0, stat=Sent (ok dirdel 1/1)
Sep 10 21:57:28 ps-aws-p1 sendmail[11781]: r8AJtH4r011662: r8AJvS4i011781: DSN: User unknown
> V8 T1378843014 K0 N0 P300464 Fbs
> $_dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may
> be forged) $rESMTP $saambanyoqp ${daemon_flags}s a
> ${if_addr}10.246.123.145 S<sepoh@project-syndicate.org> rRFC822;
> curlieq123@aol.com RPFD:<curlieq123@aol.com> rRFC822;
> debbie381@earthlink.net RPFD:<debbie381@earthlink.net> rRFC822;
> leocnandez@gmail.com RPFD:<leocnandez@gmail.com> rRFC822;
> jsepeda92@hotmail.com RPFD:<jsepeda92@hotmail.com> rRFC822;
> foxxychocolate69@hotmail.com RPFD:<foxxychocolate69@hotmail.com>
> rRFC822; neville.jackson@hotmail.com
> RPFD:<neville.jackson@hotmail.com> rRFC822; 123@nna.com
> RPFD:<123@nna.com> rRFC822; zzdarec@seznam.cz RPFD:<zzdarec@seznam.cz>
> rRFC822; vbrianbulfer@yahoo.com RPFD:<vbrianbulfer@yahoo.com> rRFC822;
> patmcdyer@yahoo.com RPFD:<patmcdyer@yahoo.com> H?P?Return-Path:
> <<81>g> H??Received: from aambanyoqp
> (dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may
> be forged))
>         (authenticated bits=0)
>         by ps-aws-p1.project-syndicate.org (8.14.4/8.14.4) with ESMTP id r8AJtH4r011662
>         (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO);
>         Tue, 10 Sep 2013 21:56:54 +0200 H?M?Message-Id: <201309101956.r8AJtH4r011662@ps-aws-p1.project-syndicate.org>
> H??Subject: H??From: "Wri Jm" <sepoh@project-syndicate.org> H??To:
> <vbrianbulfer@yahoo.com>, <jsepeda92@hotmail.com>,
>         <debbie381@earthlink.net>, <curlieq123@aol.com>,
>         <foxxychocolate69@hotmail.com>, <leocnandez@gmail.com>, <123@nna.com>,
>         <zzdarec@seznam.cz>, <neville.jackson@hotmail.com>,
>         <patmcdyer@yahoo.com> H??Date: Tue, 10 Sep 2013 20:47:12 -0700 H??Mime-Version: 1.0 H??Content-Type: text/plain; charset="utf-7"
jira
    From the looks of it you have an open relay. You might have authentication enabled and available, but it doesn't look like you're blocking anonymous mail. See above linked canonical question. – Sammitch Sep 10 '13 at 20:09
  • I have define(`confAUTH_OPTIONS', `A p') in my sendmail.mc – jira Sep 10 '13 at 20:12
    Yeah, I just took a poke at your mail server and it *is* rejecting my attempts to send mail through it. It looks like either your PC, your credentials, or both have been compromised. Do a virus scan, and change your passwords. – Sammitch Sep 10 '13 at 20:15

1 Answer

Quite likely SMTP passwords have been compromised.

Make your sendmail log the SMTP AUTH credentials used: increase LogLevel to 10. The required sendmail.mc line:

define(`confLOG_LEVEL', `10')dnl

sendmail.mc requires recompilation into sendmail.cf. The sendmail daemon requires a restart (or a HUP signal) to "see" the new version of sendmail.cf.

Logging auth information in sendmail

AnFi
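As an added example (not code from the question or the answer), here is a small Python script that applies the answer's idea once LogLevel is 10: it joins sendmail's `AUTH=server` lines to the following `from=` line by process id and summarizes per authenticated account, so a credential sending bulk mail from several remote addresses stands out. The sample log is constructed: the first `from=` line mirrors the one in the question, and the `AUTH=server` line format is assumed from sendmail's own server-side AUTH logging.

```python
import re
from collections import defaultdict

# Constructed sample log. The from= lines follow the question's maillog format;
# the AUTH=server lines are what sendmail logs at LogLevel 10 (assumed format).
SAMPLE_LOG = """\
Sep 10 21:56:54 ps-aws-p1 sendmail[11662]: AUTH=server, relay=aambanyoqp [189.187.243.152] (may be forged), authid=alice, mech=LOGIN, bits=0
Sep 10 21:57:03 ps-aws-p1 sendmail[11662]: r8AJtH4r011662: from=<sepoh@project-syndicate.org>, size=464, class=0, nrcpts=10, msgid=<201309101956.r8AJtH4r011662@ps-aws-p1.project-syndicate.org>, proto=ESMTP, daemon=TLSMTA, relay=dsl-189-187-243-152-dyn.prod-infinitum.com.mx [189.187.243.152] (may be forged)
Sep 10 22:01:10 ps-aws-p1 sendmail[11900]: AUTH=server, relay=[203.0.113.7], authid=alice, mech=LOGIN, bits=0
Sep 10 22:01:12 ps-aws-p1 sendmail[11900]: r8AK1AAA011900: from=<sepoh@project-syndicate.org>, size=470, class=0, nrcpts=25, msgid=<x@ps-aws-p1.project-syndicate.org>, proto=ESMTP, daemon=TLSMTA, relay=[203.0.113.7]
Sep 10 22:05:00 ps-aws-p1 sendmail[12010]: AUTH=server, relay=workstation.example.org [192.0.2.10], authid=bob, mech=PLAIN, bits=0
Sep 10 22:05:01 ps-aws-p1 sendmail[12010]: r8AK51BB012010: from=<bob@project-syndicate.org>, size=900, class=0, nrcpts=1, msgid=<y@ps-aws-p1.project-syndicate.org>, proto=ESMTP, daemon=TLSMTA, relay=workstation.example.org [192.0.2.10]
"""

# pid and authenticated user from the AUTH=server line
AUTH_RE = re.compile(r"sendmail\[(\d+)\]: AUTH=server, relay=.*?, authid=([^,]+), mech=")
# pid, queue id, envelope sender, recipient count, optional relay host, relay IP
FROM_RE = re.compile(
    r"sendmail\[(\d+)\]: (\w+): from=<([^>]*)>.*?nrcpts=(\d+).*?relay=(\S+ )?\[([\d.]+)\]")


def summarize(log_text):
    """Join each from= line to the AUTH=server line of the same sendmail process
    and aggregate message count, recipients and source IPs per authid."""
    authid_by_pid = {}
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set(), "forged": 0})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            authid_by_pid[m.group(1)] = m.group(2)
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        pid, _qid, _sender, nrcpts, _host, ip = m.groups()
        s = stats[authid_by_pid.get(pid, "<unauthenticated>")]
        s["messages"] += 1
        s["recipients"] += int(nrcpts)
        s["ips"].add(ip)
        if "(may be forged)" in line:  # reverse DNS does not match, as in the question
            s["forged"] += 1
    return dict(stats)


def suspicious(stats, max_ips=1, min_rcpts=10):
    """Accounts relaying from more than max_ips addresses or sending bulk mail:
    the credentials to reset first."""
    return sorted(u for u, s in stats.items()
                  if len(s["ips"]) > max_ips or s["recipients"] >= min_rcpts)
```

Run it against /var/log/maillog after the LogLevel change has taken effect; the thresholds are starting points and should be tuned to the server's normal traffic.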