My server provider shut down one of our servers and says that it is sending tons of email. When I ran a tcpdump I saw the following:
04:52:49.743068 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [P.], seq 1631:1662, ack 906, win 123, length 31: SMTP: RCPT TO:<fahriozlu@gmail.com>
04:52:49.959999 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [.], ack 920, win 123, length 0
04:52:50.039830 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [P.], seq 1662:1695, ack 920, win 123, length 33: SMTP: RCPT TO:<fahriozlu@hotmail.com>
04:52:50.253412 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [.], ack 934, win 123, length 0
04:52:50.333509 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [P.], seq 1695:1730, ack 934, win 123, length 35: SMTP: RCPT TO:<fahriozparlak@gmail.com>
04:52:50.556870 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [.], ack 948, win 123, length 0
04:52:50.637048 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [P.], seq 1730:1767, ack 948, win 123, length 37: SMTP: RCPT TO:<fahriozparlak@hotmail.com>
04:52:50.854218 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [.], ack 962, win 123, length 0
04:52:50.934357 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [P.], seq 1767:1809, ack 962, win 123, length 42: SMTP: RCPT TO:<fahriozparlak@yenikonya.com.tr>
04:52:51.152141 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [.], ack 976, win 123, length 0
04:52:51.232339 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [P.], seq 1809:1844, ack 976, win 123, length 35: SMTP: RCPT TO:<fahriozsoydan@gmail.com>
04:52:51.446160 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [.], ack 990, win 123, length 0
04:52:51.526295 IP <Our IP>.51796 > mail.dsityre.lk.smtp: Flags [P.], seq 1844:1881, ack 990, win 123, length 37: SMTP: RCPT TO:<fahriozsoydan@hotmail.com>
It is sending tons of emails. Those email addresses are not even familiar to us. As you can see, it is just changing the domain name of those email addresses.
Is there anything I can check or do? We already blocked the outgoing domain name in the firewall, but it is still there. We are using Debian-based Linux. Wheezy, I think.