Results 1 to 4 of 4

Thread: Help diagnosing postfix hack

  1. #1
    Join Date
    Jan 2008
    Beans
    8

    Help diagnosing postfix hack

    Hi,

    I think that my postfix installation has been hacked. My df -h shows that rootfs is used in 100%:
    Code:
    rootfs                 9,2G  8,7G   39M 100% /
    and I am constantly receiving emails like this:
    Email title: Postfix SMTP server: errors from 118-168-105-197.dynamic.hinet.net[118.168.105.197]
    Code:
    Out: 220 mydomain.example.pl ESMTP Postfix (Debian/GNU)
     In:  HELO 41.22.209.91
     Out: 250 mydomain.example.pl
     In:  MAIL FROM: <tbdzcpiqpktsze@yahoo.com>
     Out: 250 2.1.0 Ok
     In:  RCPT TO: <larry55662000@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <kang168168@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <juice2267@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <owenfrp@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <malinyi@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <jijd@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <k0918933@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <hurenling@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <kenchloe@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <joanna2890@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <mage0329@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <lee480506@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <ready0114@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <jmmr@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <orrira@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <mau_maukuo@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <onlykinki0410@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <k8a0r1r5y@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <k123363@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <ken112717@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <lingpiecesjj@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <lcabc1@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <lechiche@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <nslx@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  RCPT TO: <no92@yahoo.com.tw>
     Out: 250 2.1.5 Ok
     In:  DATA
     Out: 354 End data with <CR><LF>.<CR><LF>
     Out: 250 2.0.0 Ok: queued as 7897350311
     In:  RSET
     Out: 250 2.0.0 Ok
     In:  MAIL FROM: <zcwctmwuey@yahoo.com>
     Out: 452 4.3.1 Insufficient system storage
     Out: 421 4.7.0 mydomain.example.pl Error: too many errors
    
    Session aborted, reason: too many errors
    
    For other details, see the local mail logfile
    (domain name and IP are fake in above example, except title).

    Could someone help me in diagnosing this problem?

    Thanks in advance!

  2. #2
    Join Date
    Jun 2007
    Location
    Porirua, New Zealand
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Help diagnosing postfix hack

    It almost looks like someone is trying to use your server as a relay.

    The IP address 118.168.105.197 appears to be listed in a handful of DNSBLs, including Spamhaus's "PBL" list.

    If you haven't already done so, one solution might be to include something like this in Postfix's main.cf file:
    Code:
    smtpd_recipient_restrictions =
        reject_invalid_hostname, 
        reject_non_fqdn_sender, 
        reject_non_fqdn_recipient, 
        reject_unknown_sender_domain, 
        reject_unknown_recipient_domain, 
        reject_unauth_pipelining, 
        permit_mynetworks, 
        reject_unauth_destination, 
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        permit
    Forum DOs and DON'Ts
    Never assume that information you find using a search engine is up-to-date.
    Please use CODE tags.

  3. #3
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    11,371
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Help diagnosing postfix hack

    Take the server offline and read this: http://www.postfix.org/SMTPD_ACCESS_README.html.

    You're being exploited as an "open relay." Visit this page and enter your server's public IP address to see if you have yet been blacklisted.
    Last edited by SeijiSensei; March 19th, 2014 at 08:39 PM.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  4. #4
    Join Date
    Jun 2007
    Location
    Porirua, New Zealand
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Help diagnosing postfix hack

    Quote Originally Posted by SeijiSensei View Post
    Take the server offline and read this: http://www.postfix.org/SMTPD_ACCESS_README.html.

    You're being exploited as an "open relay" and have apparently already been listed on at least one blacklist.
    ^^^This.
    Forum DOs and DON'Ts
    Never assume that information you find using a search engine is up-to-date.
    Please use CODE tags.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •