user getting heavily spammed

BrianUK (Verified User, joined Feb 4, 2006, 89 messages)
I've got a user getting heavily spammed, but other users on the same domain are fine. It all started last night. Here's some info; I hope you can help me.

I've got loads of these in 'top':

5975 dovecot 15 0 3712 1712 1432 S 0.0 0.2 0:00.00 imap-login

and these in ps for dovecot:

dovecot 5250 5533 0 13:05 ? 00:00:00 pop3-login
root 5533 1 0 11:21 ? 00:00:00 /usr/sbin/dovecot
root 5534 5533 0 11:21 ? 00:00:00 dovecot-auth
dovecot 5663 5533 0 12:15 ? 00:00:00 pop3-login

From ps for exim I've got:

mail 19725 32303 0 15:03 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 19732 19725 0 15:03 ? 00:00:00 [exim] <defunct>
mail 20142 19725 0 15:03 ? 00:00:00 [exim] <defunct>
mail 20280 32303 0 15:03 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 20321 20280 0 15:03 ? 00:00:00 [exim] <defunct>
mail 20358 32303 0 15:03 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 20368 20358 0 15:03 ? 00:00:00 [exim] <defunct>
mail 20476 20358 0 15:04 ? 00:00:00 [exim] <defunct>
mail 21589 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 21610 21589 0 15:04 ? 00:00:00 [exim] <defunct>
mail 21655 20280 0 15:04 ? 00:00:00 [exim] <defunct>
mail 21711 20358 0 15:04 ? 00:00:00 [exim] <defunct>
mail 21769 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 21783 21769 0 15:04 ? 00:00:00 [exim] <defunct>
mail 22180 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 22183 22180 0 15:04 ? 00:00:00 [exim] <defunct>
mail 22227 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 22244 22227 0 15:04 ? 00:00:00 [exim] <defunct>
mail 22262 20280 0 15:04 ? 00:00:00 [exim] <defunct>
mail 22296 19725 0 15:04 ? 00:00:00 [exim] <defunct>
mail 22302 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 22325 22302 0 15:04 ? 00:00:00 [exim] <defunct>
mail 22353 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 22360 22353 0 15:04 ? 00:00:00 [exim] <defunct>
mail 22372 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 22383 22372 0 15:04 ? 00:00:00 [exim] <defunct>
mail 22403 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 22411 22403 0 15:04 ? 00:00:00 [exim] <defunct>
mail 23610 22372 0 15:04 ? 00:00:00 [exim] <defunct>
mail 23616 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 23634 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 23638 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 23652 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 23653 23616 0 15:04 ? 00:00:00 [exim] <defunct>
mail 23659 23634 0 15:04 ? 00:00:00 [exim] <defunct>
mail 23666 23638 0 15:04 ? 00:00:00 [exim] <defunct>
mail 23684 23652 0 15:04 ? 00:00:00 [exim] <defunct>
mail 23691 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 23694 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
mail 23695 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
root 23696 1 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A6-9b
mail 23697 23696 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A6-9b
mail 23698 23697 0 15:04 ? 00:00:00 /usr/sbin/exim -oMr spam-scanned -bS
mail 23699 23697 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A6-9b
mail 23701 23697 0 15:04 ? 00:00:00 [exim] <defunct>
root 23704 23691 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A7-9F
root 23708 23638 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-00069G-1R
mail 23709 23708 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-00069G-1R
mail 23710 23709 0 15:04 ? 00:00:00 /usr/sbin/exim -oMr spam-scanned -bS
mail 23711 23709 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-00069G-1R
mail 23713 23709 0 15:04 ? 00:00:00 [exim] <defunct>
mail 23717 23704 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A7-9F
mail 23718 23717 0 15:04 ? 00:00:00 /usr/sbin/exim -oMr spam-scanned -bS
mail 23719 23717 0 15:04 ? 00:00:00 /usr/sbin/exim -Mc 1QUKJW-0006A7-9F
mail 23721 23717 0 15:04 ? 00:00:00 [exim] <defunct>
mail 23733 32303 0 15:04 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid
root 23735 30339 0 15:05 pts/0 00:00:00 grep exim
mail 32303 1 0 14:59 ? 00:00:00 /usr/sbin/exim -bd -q15m -oP /var/run/exim.pid

paniclog:

2011-06-08 15:01:04 daemon: accept process fork failed: Cannot allocate memory
2011-06-08 15:01:05 1QUKFj-0002eY-4B daemon: delivery process fork failed: Cannot allocate memory
2011-06-08 15:01:05 1QUKFk-0002eZ-3v daemon: delivery process fork failed: Cannot allocate memory
2011-06-08 15:01:06 1QUKFh-0002e0-4F failed to fork automatic delivery process: Cannot allocate memory
2011-06-08 15:01:12 1QUKFn-0002f7-6z == [email protected] R=spamcheck_director T=spamcheck defer (12): Cannot allocate memory: Error 12
2011-06-08 15:01:12 1QUKFp-0002vp-7G == [email protected] R=spamcheck_director T=spamcheck defer (12): Cannot allocate memory: Error 12
2011-06-08 15:01:12 1QUKFp-0002vt-9x == [email protected] R=spamcheck_director T=spamcheck defer (12): Cannot allocate memory: Error 12

and lots of:

2011-06-08 15:08:10 queue run: process 7848 crashed with signal 11 while delivering 1OYH1M-0004FY-5M
2011-06-08 15:08:10 queue run: process 7849 crashed with signal 11 while delivering 1OuoOM-0006hP-I1
2011-06-08 15:08:10 queue run: process 7858 crashed with signal 11 while delivering 1P5bLM-0007o5-9O
2011-06-08 15:08:10 queue run: process 7862 crashed with signal 11 while delivering 1OY2oM-0006GB-Gp
2011-06-08 15:08:10 queue run: process 7863 crashed with signal 11 while delivering 1OuoOM-0006hO-3O
2011-06-08 15:08:10 queue run: process 7873 crashed with signal 11 while delivering 1OuaZM-0005bT-FU
2011-06-08 15:08:10 queue run: process 7874 crashed with signal 11 while delivering 1OYH1M-0004az-Mu
2011-06-08 15:08:10 queue run: process 7876 crashed with signal 11 while delivering 1PpRfM-0007JO-JA

It's the [email protected] account that's getting hit.

I've found the exploit file in the tmp directory, but it keeps getting re-created after deletion.
 
If it gets recreated then you will probably have to hire someone to check your server out. You probably have some kind of exploit somewhere.
 
The OS has been re-installed, and the latest version of DA as well. I deleted the user's email account, but it's still being spammed.

Code:
2011-06-11 09:36:39 H=omr15.networksolutionsemail.com [205.178.146.65] F=<[email protected]> rejected RCPT <[email protected]>: 
2011-06-11 09:36:39 H=omr15.networksolutionsemail.com [205.178.146.65] incomplete transaction (RSET) from <[email protected]>
2011-06-11 09:36:40 H=dell200-549.rapidns.com [206.183.108.198] F=<[email protected]> rejected RCPT <[email protected]>: 
2011-06-11 09:36:41 H=dell200-549.rapidns.com [206.183.108.198] incomplete transaction (QUIT) from <[email protected]>
2011-06-11 09:36:42 H=director.trueband.net (trueband.net) [216.163.120.8] F=<[email protected]> rejected RCPT <[email protected]>: 
2011-06-11 09:36:42 H=director.trueband.net (trueband.net) [216.163.120.8] incomplete transaction (QUIT) from <[email protected]>
2011-06-11 09:36:42 H=omr1.networksolutionsemail.com [205.178.146.51] F=<[email protected]> rejected RCPT <[email protected]>: 
2011-06-11 09:36:42 H=omr1.networksolutionsemail.com [205.178.146.51] incomplete transaction (RSET) from <[email protected]>
2011-06-11 09:36:43 H=smtp-2.vancouver.ipapp.com [216.152.192.163] F=<[email protected]> rejected RCPT <[email protected]>: 
2011-06-11 09:36:44 H=smtp-2.vancouver.ipapp.com [216.152.192.163] incomplete transaction (QUIT) from <[email protected]>
2011-06-11 09:36:45 H=out6.laposte.net (out5.laposte.net) [193.251.214.123] F=<[email protected]> rejected RCPT <[email protected]>: 
2011-06-11 09:36:45 H=out6.laposte.net (out5.laposte.net) [193.251.214.123] incomplete transaction (RSET) from <[email protected]>
2011-06-11 09:36:47 H=omr7.networksolutionsemail.com [205.178.146.57] F=<[email protected]> rejected RCPT <[email protected]>: 
2011-06-11 09:36:47 H=omr7.networksolutionsemail.com [205.178.146.57] incomplete transaction (RSET) from <[email protected]>
2011-06-11 09:36:47 H=cluster1.bresnan.net (cluster2.bresnan.net) [69.145.248.58] F=<[email protected]> rejected RCPT <[email protected]>: 
2011-06-11 09:36:48 H=omr12.networksolutionsemail.com [205.178.146.62] F=<[email protected]> rejected RCPT <[email protected]>: 
2011-06-11 09:36:48 H=omr12.networksolutionsemail.com [205.178.146.62] incomplete transaction (RSET) from <[email protected]>
2011-06-11 09:36:51 H=dell200-549.rapidns.com [206.183.108.198] F=<[email protected]> rejected RCPT <[email protected]>:

It's just constant. Any ideas on how I can tackle it?
 
Well sure it is. The spam is coming from a server you don't control. Rebuilding your server is simply a wasted effort.

You should probably block the IP#s which are attacking you. If they keep changing then you can use a firewall to block automatically; see other threads on these forums. If you can't afford the resources to block an attack for this domain you may need to get your upstream involved, or even need to refuse to host email for this domain.

Jeff
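One way to make Jeff's "block the IPs that are attacking you" mechanical, as an added example that is not code from the thread or from DirectAdmin: a small Python script that parses Exim mainlog lines in the shape quoted above, counts rejected RCPT attempts per source IP for the one recipient under attack, and renders firewall rules for sources over a threshold. The log lines, host names, IPs and addresses in it are constructed, and the threshold is an assumption to tune per server.

```python
import re
from collections import Counter

# Matches the Exim reject lines quoted in the thread:
#   <date> <time> H=<host> [(helo)] [<ip>] F=<sender> rejected RCPT <recipient>:
# The optional "(helo)" group covers lines such as "H=out6.laposte.net (out5.laposte.net) [...]".
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>"
)

def parse_rejects(lines):
    """Yield (ip, host, recipient) for every rejected-RCPT line; other lines (RSET/QUIT) are skipped."""
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("host"), m.group("rcpt")

def noisy_sources(lines, recipient, threshold=3):
    """Return {ip: count} for sources that hit `recipient` at least `threshold` times.
    Counting per source IP rather than per HELO name gives something a firewall rule can act on."""
    hits = Counter(ip for ip, _host, rcpt in parse_rejects(lines) if rcpt == recipient)
    return {ip: n for ip, n in hits.items() if n >= threshold}

def block_rules(ips, port=25):
    """Render one iptables DROP rule per offending IP, limited to the SMTP port."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(ips)]

# Constructed sample in the same shape as the thread's mainlog excerpt (all values made up).
SAMPLE_LOG = """\
2011-06-11 09:36:39 H=mx1.example.net [192.0.2.10] F=<bounce@example.org> rejected RCPT <victim@example.com>:
2011-06-11 09:36:39 H=mx1.example.net [192.0.2.10] incomplete transaction (RSET) from <bounce@example.org>
2011-06-11 09:36:40 H=relay.example.org (relay2.example.org) [198.51.100.7] F=<x@example.org> rejected RCPT <victim@example.com>:
2011-06-11 09:36:41 H=mx1.example.net [192.0.2.10] F=<bounce@example.org> rejected RCPT <victim@example.com>:
2011-06-11 09:36:42 H=mx1.example.net [192.0.2.10] F=<bounce@example.org> rejected RCPT <victim@example.com>:
2011-06-11 09:36:43 H=relay.example.org (relay2.example.org) [198.51.100.7] F=<x@example.org> rejected RCPT <victim@example.com>:
2011-06-11 09:36:44 H=once.example.net [203.0.113.5] F=<y@example.net> rejected RCPT <victim@example.com>:
2011-06-11 09:36:45 H=mx1.example.net [192.0.2.10] F=<bounce@example.org> rejected RCPT <other@example.com>:
"""

if __name__ == "__main__":
    # Threshold of 2 is a constructed setting for this sample; real traffic needs a far higher one.
    offenders = noisy_sources(SAMPLE_LOG.splitlines(), "victim@example.com", threshold=2)
    for rule in block_rules(offenders):
        print(rule)
```

Run it against the real mainlog with `open("/var/log/exim/mainlog")` in place of the sample, and review the rendered rules before applying them, since a legitimate relay (a large webmail provider's outbound host, for instance) can also exceed the threshold.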
 
Hi, the rebuild was necessary to ensure the exploit was removed. I've tried searching, but can't find any suitable threads about blocking spam for a single email account.
 