Spam Trouble

indiferencia (New member, joined May 7, 2009, 3 messages)
Hello, my CentOS server w/DA is sending a lot of spam. It was reinstalled, I deleted roundcube, chmod 0 /var/www/html/webmail, emptied the /tmp directory, but it continues doing that. I need help ASAP. I'm a newbie in server administration, so please be "for dummies" in your answers. In the log there is no U= tag, so it appears that no user is doing that.

Here are some lines of the log:

2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=g.mx.mail.yahoo.com [209.191.118.103]* C="250 ok dirdel 22/8"
2009-05-07 21:27:48 1M2Bh3-00075n-Hq == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host g.mx.mail.yahoo.com [209.191.118.103]: 452 Too many recipients
2009-05-07 21:27:48 1M2Bh3-00075n-Hq == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host g.mx.mail.yahoo.com [209.191.118.103]: 452 Too many recipients
2009-05-07 21:27:48 1M2Bh3-00075n-Hq == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host g.mx.mail.yahoo.com [209.191.118.103]: 452 Too many recipients
2009-05-07 21:27:49 1M2Bgp-0007A8-3g Remote host g.mx.mail.yahoo.com [209.191.118.103] closed connection in response to MAIL FROM:<> SIZE=6258
2009-05-07 21:27:49 1M2Bgp-0007A8-3g == [email protected] R=lookuphost T=remote_smtp defer (-18): Remote host g.mx.mail.yahoo.com [209.191.118.103] closed connection in response to MAIL FROM:<> SIZE=6258
2009-05-07 21:27:49 1M29j7-0003BG-Rf SMTP error from remote mail server after initial connection: host g.mx.mail.yahoo.com [209.191.118.103]: 421 4.7.0 [TS01] Messages from 76.XXX.XXX.XXX temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
2009-05-07 21:27:49 1M29j7-0003BG-Rf == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host g.mx.mail.yahoo.com [209.191.118.103]: 421 4.7.0 [TS01] Messages from 76.XXX.XXX.XXX temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
2009-05-07 21:28:21 1M2FLx-0002HL-VM <= [email protected] U=apache P=local S=2265 T="Bienvenido a Capital Otaku" from <[email protected]> for [email protected]
2009-05-07 21:28:22 1M2FLx-0002HL-VM => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2321 H=mx1.hotmail.com [65.54.245.8] C="250 mail from IP 76.XXX.XXX.XXX soft failed sender ID check. Please ensure this IP is authorized to "
2009-05-07 21:28:22 1M2FLx-0002HL-VM Completed
2009-05-07 21:28:37 1M2Apf-0005OA-PF SMTP error from remote mail server after initial connection: host mx2.optimum.net [167.206.5.228]: 452 try later
2009-05-07 21:28:37 1M2Apf-0005OA-PF == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx2.optimum.net [167.206.5.228]: 452 try later
2009-05-07 21:30:18 1M2BPp-0006a5-0g => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2963 H=mail-in.roc2.bluetie.com [208.89.132.202] C="250 2.0.0 Ok: queued as E23AF11B80F9"
2009-05-07 21:30:49 1M2Ah9-00053J-J0 mail4.glic.com [63.66.47.200] Connection timed out
2009-05-07 21:30:49 1M2Ah9-00053J-J0 == [email protected] R=lookuphost T=remote_smtp defer (110): Connection timed out
2009-05-07 21:32:20 1M2BBX-0006C1-33 Remote host barracuda600.edzone.net [198.111.152.204] closed connection in response to RCPT TO:<[email protected]>
2009-05-07 21:32:20 1M2BBX-0006C1-33 == [email protected] R=lookuphost T=remote_smtp defer (-18): Remote host barracuda600.edzone.net [198.111.152.204] closed connection in response to RCPT TO:<[email protected]>
2009-05-07 21:32:48 1M29IO-0002UX-PC SMTP error from remote mail server after initial connection: host mx2.optonline.net [167.206.4.79]: 452 try later
2009-05-07 21:32:48 1M29IO-0002UX-PC == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx2.optonline.net [167.206.4.79]: 452 try later
2009-05-07 21:32:53 1M29Bs-0002HR-9v Malformed SMTP reply from mail.mediadistributors.com [70.86.107.135] in response to initial connection: rblsmtpd: 76.XXX.XXX.XXX pid 30656: 451 Listed in PSBL, see http://psbl.surriel.com/listing?ip=76.XXX.XXX.XXX
2009-05-07 21:32:53 1M29Bs-0002HR-9v == [email protected] R=lookuphost T=remote_smtp defer (-19): Malformed SMTP reply from mail.mediadistributors.com [70.86.107.135] in response to initial connection: rblsmtpd: 76.XXX.XXX.XXX pid 30656: 451 Listed in PSBL, see http://psbl.surriel.com/listing?ip=76.XXX.XXX.XXX
2009-05-07 21:33:27 1M29mR-0003Fj-Dc plateau.net [66.116.109.44] Connection refused
2009-05-07 21:33:27 1M29mR-0003Fj-Dc == [email protected] R=lookuphost T=remote_smtp defer (111): Connection refused


Please help me ASAP.
 
In this log snippet there is only one incoming message (the one that begins with "<="), and it seems to be a legitimate one.
Outgoing message log lines will not help much; search for where those messages came from.
 
tillo, I think that the user is highlighting the fact that his server is sending out lots of unwanted spam rather than receiving it.

Hello, My CentOS server w/DA is sending a lot of spam, It was reinstalled, I deleted roundcube, chmod 0 /var/www/html/webmail, empty /tmp directory, but it continues doing that.
Firstly, indiferencia, you could impose a restriction to limit the number of emails sent by each user; see http://help.directadmin.com/item.php?id=81
Unfortunately I don't know enough about how exim processes emails to advise much further, but I would say it is most likely nothing to do with IMAP (webmail) but instead to do with the use of SMTP to send out spam. It is imperative you find out which user is the culprit, and one method (albeit probably not the best one) is to suspend each user on your system until the emails are no longer being sent out.
 
Thank you Rich-Boy, but I know what the OP wanted. Only, for an MTA to send a message, it has to receive it first.
It could come from the "sendmail" binary, from queue injection, from an authenticated or unauthenticated SMTP connection from an internal or external IP address... those things will tell us where the spammer is and how it is doing it.
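As an added example (not code from anyone in this thread), here is a small Python parser for Exim mainlog lines that keeps only the arrival ("<=") records and tallies them by the U=, P=, A= and H= fields tillo is talking about, so you can see whether messages were injected locally by a user or script, or via an (authenticated) SMTP connection. The log lines below are constructed; addresses, hosts and message ids are made up.

```python
import re
from collections import Counter

# Constructed sample in Exim mainlog format, modelled on the thread's log.
# Only the "<=" lines say how a message entered the MTA; "=>", "->" and "=="
# lines describe delivery attempts and carry no U=/P=/A= fields.
SAMPLE_LOG = """\
2009-05-07 21:28:21 1M2FLx-0002HL-VM <= sender@example.com U=apache P=local S=2265 T="Welcome" from <sender@example.com> for user@example.net
2009-05-07 21:28:22 1M2FLx-0002HL-VM => user@example.net F=<sender@example.com> R=lookuphost T=remote_smtp S=2321 H=mx.example.net [192.0.2.10] C="250 ok"
2009-05-07 21:29:00 1M2FMa-0002HM-AB <= bulk@example.org U=apache P=local S=2963 T="Offer" from <bulk@example.org> for a@example.com
2009-05-07 21:29:01 1M2FMb-0002HN-CD <= bulk@example.org U=apache P=local S=2963 T="Offer" from <bulk@example.org> for b@example.com
2009-05-07 21:29:30 1M2FMc-0002HO-EF <= alice@example.com H=(client) [198.51.100.7] P=esmtpa A=login:alice S=1200 T="Hi" from <alice@example.com> for bob@example.net
2009-05-07 21:29:40 1M2FMd-0002HP-GH == c@example.com R=lookuphost T=remote_smtp defer (-44): SMTP error
"""

ARRIVAL_RE = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) (.*)$')
# key=value pairs: <angle>, "quoted", "helo [ip]" (H= field) or a bare token
FIELD_RE = re.compile(r'\b([A-Z]{1,2})=(<[^>]*>|"[^"]*"|\S+ \[[^\]]+\]|\S+)')

def parse_arrivals(log_text):
    """Return one dict per message-arrival ('<=') line, ignoring delivery lines."""
    arrivals = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        ts, msgid, sender, rest = m.groups()
        fields = dict(FIELD_RE.findall(rest))
        arrivals.append({
            "time": ts, "id": msgid, "sender": sender,
            "user": fields.get("U"),   # local Unix user that injected the message
            "proto": fields.get("P"),  # local, esmtp, esmtpa (authenticated) ...
            "auth": fields.get("A"),   # SMTP AUTH authenticator:login, if any
            "host": fields.get("H"),   # remote HELO name and IP, if via SMTP
        })
    return arrivals

def injection_sources(arrivals):
    """Count arrivals by (user, protocol, auth, host): the busiest key is the entry point."""
    return Counter((a["user"], a["proto"], a["auth"], a["host"]) for a in arrivals)

if __name__ == "__main__":
    for source, n in injection_sources(parse_arrivals(SAMPLE_LOG)).most_common():
        print(n, source)
```

Run it against /var/log/exim/mainlog instead of the sample to see which user, protocol or remote host is injecting the bulk of the mail; a high count under a P=local entry names the local account (for example a web-server user) whose scripts are calling sendmail.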
 