I was recently used as an open relay and mass spam was sent through my server. I have since stopped it, but my mail logs grew enormously with this type of log entry.

Aug 20 07:00:29 veepiz postfix/smtp[15001]: DC8BD1641F1: lost connection with mx1.hotmail.com[65.55.92.168] while sending RCPT TO
Aug 20 07:00:29 veepiz postfix/smtp[15000]: DC8BD1641F1: host mx3.hotmail.com[65.55.92.152] said: 421 RP-001 (SNT0-MC2-F19) Unfortunately, some messages from 50.57.111.177 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command)
Aug 20 07:00:29 veepiz postfix/smtp[15000]: DC8BD1641F1: lost connection with mx3.hotmail.com[65.55.92.152] while sending RCPT TO
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: host a.mx.mail.yahoo.com[67.195.168.31] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Aug 20 07:00:29 veepiz postfix/smtpd[11929]: 6E6221641F2: reject: RCPT from cpe-76-175-170-10.socal.res.rr.com[76.175.170.10]: 554 5.7.1 <make30000000@yahoo.com.tw>: Relay access denied; from=<wowaish@gmail.com> to=<make30000000@yahoo.com.tw> proto=SMTP helo=<cpe-76-175-170-10.socal.res.rr.com>
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: host c.mx.mail.yahoo.com[98.139.175.225] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Aug 20 07:00:29 veepiz postfix/smtp[15001]: DC8BD1641F1: to=<leebosser@msn.com>, relay=mx4.hotmail.com[65.55.92.136]:25, delay=44, delays=44/0.04/0.26/0.04, dsn=4.0.0, status=deferred (host mx4.hotmail.com[65.55.92.136] said: 421 RP-001 (SNT0-MC1-F17) Unfortunately, some messages from 50.57.111.177 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: host k.mx.mail.yahoo.com[98.139.54.60] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Aug 20 07:00:29 veepiz postfix/smtp[15000]: DC8BD1641F1: to=<yuejane81@hotmail.com>, relay=mx4.hotmail.com[65.54.188.126]:25, delay=44, delays=44/0.04/0.31/0.06, dsn=4.0.0, status=deferred (host mx4.hotmail.com[65.54.188.126] said: 421 RP-001 (BAY0-MC4-F28) Unfortunately, some messages from 50.57.111.177 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Aug 20 07:00:29 veepiz postfix/smtpd[4410]: NOQUEUE: reject: RCPT from ppp089210016127.dsl.hol.gr[89.210.16.127]: 554 5.7.1 <swsead@yahoo.com.tw>: Relay access denied; from=<sdlhjjluct@googlegroups.com> to=<swsead@yahoo.com.tw> proto=SMTP helo=<ppp089210016127.dsl.hol.gr>
Aug 20 07:00:29 veepiz postfix/smtpd[11903]: NOQUEUE: reject: RCPT from ppp089210016127.dsl.hol.gr[89.210.16.127]: 554 5.7.1 <stanley890143@yahoo.com.tw>: Relay access denied; from=<xlywm@yahoogroups.com> to=<stanley890143@yahoo.com.tw> proto=SMTP helo=<ppp089210016127.dsl.hol.gr>
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<alishatp@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<harleywsx@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<jujenwang@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<lace10200520@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<wu6428g@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 50.57.111.177 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Aug 20 07:00:29 veepiz postfix/smtpd[4063]: 3B9AA1641EC: reject: RCPT from cpe-76-175-170-10.socal.res.rr.com[76.175.170.10]: 554 5.7.1 <iuiu0452@yahoo.com.tw>: Relay access denied; from=<upqaxexwgcorm@googlegroups.com> to=<iuiu0452@yahoo.com.tw> proto=SMTP helo=<cpe-76-175-170-10.socal.res.rr.com>
Aug 20 07:00:29 veepiz postfix/smtpd[7964]: connect from unknown[89.207.68.10]
Aug 20 07:00:29 veepiz postfix/smtpd[5382]: NOQUEUE: reject: RCPT from 203-114-141-105.mu.eth.dyn.inspire.net.nz[203.114.141.105]: 554 5.7.1 <u8811086@yahoo.com.tw>: Relay access denied; from=<jutdtpibfavs@yahoo.com.tw> to=<u8811086@yahoo.com.tw> proto=SMTP helo=<203-114-141-105.mu.eth.dyn.inspire.net.nz>
Aug 20 07:00:29 veepiz postfix/smtpd[4041]: connect from unknown[221.132.37.55]

#qshape incoming active deferred

                          T   5  10  20   40   80 160 320 640 1280 1280+
                 TOTAL 8899 511 402 646 2569 4771   0   0   0    0     0
           hotmail.com 7838 376 325 530 2217 4390   0   0   0    0     0
               msn.com  839  31  77 109  301  321   0   0   0    0     0
             yahoo.com   78  16   0   3   27   32   0   0   0    0     0
             gmail.com   65  65   0   0    0    0   0   0   0    0     0
              kimo.com   41  12   0   3   16   10   0   0   0    0     0
          yahoo.com.tw   15   9   0   0    1    5   0   0   0    0     0
              live.com    4   0   0   0    3    1   0   0   0    0     0
              citi.com    1   0   0   1    0    0   0   0   0    0     0
              dfsd.com    1   0   0   0    0    1   0   0   0    0     0
              benq.com    1   0   0   0    0    1   0   0   0    0     0
              kim0.com    1   0   0   0    1    0   0   0   0    0     0
              kiom.com    1   1   0   0    0    0   0   0   0    0     0
              1111.com    1   0   0   0    0    1   0   0   0    0     0
              test.com    1   0   0   0    0    1   0   0   0    0     0
             kitty.com    1   0   0   0    0    1   0   0   0    0     0
             hanam.com    1   0   0   0    1    0   0   0   0    0     0
            pchome.com    1   0   0   0    1    0   0   0   0    0     0
            hotmal.com    1   1   0   0    0    0   0   0   0    0     0
           sinopac.com    1   0   0   0    0    1   0   0   0    0     0
           hopnail.com    1   0   0   0    0    1   0   0   0    0     0
           hoymail.com    1   0   0   0    0    1   0   0   0    0     0
          sinamail.com    1   0   0   0    0    1   0   0   0    0     0
          hiotmail.com    1   0   0   0    1    0   0   0   0    0     0
          hotmaill.com    1   0   0   0    0    1   0   0   0    0     0
          xasamail.com    1   0   0   0    0    1   0   0   0    0     0
        twn.dupont.com    1   0   0   0    0    1   0   0   0    0     0

I still cannot send or receive mail. I've secured my contact form and have tried blocking some offending IP addresses. This morning I found new IP addresses.

I've also tried http://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam but the log file does not append. I'm really devastated and haven't found a solution yet. Can someone point me towards what steps I can take to solve the problem? Please. Also, my mail queues have grown enormously. What steps would I take to find any malicious script on my server? Why won't sending mail work?

Ask me any logs and I'll output them here to attempt to solve this.

I'm using CentOS, nginx (as proxy), varnish, apache2 for PHP, and postfix. Thanks.

wogsland
Sir Lojik
  • By the way, those emails are all unrecognisable – Sir Lojik Aug 20 '11 at 07:14
  • Man. Why did you modify your `main.cf` posted at http://serverfault.com/questions/302818/how-to-close-an-open-relay-in-postfix? This `main.cf` prevented you from being an open relay. And now you messed it again! Look for a consultant, read the links I provided but don't ignore them and later ask why nothing works! – mailq Aug 20 '11 at 08:15
  • I didn't modify anything!!! The configuration posted by Shane is missing so I'm adding it now. Thanks for your help mailq, but what is the beef? – Sir Lojik Aug 20 '11 at 08:24
  • I might have changed a lot when installing postfix, but of recent... no – Sir Lojik Aug 20 '11 at 08:38

1 Answer

3

Sorry Shane.

But Shane is wrong with his recommendation. Now you refuse any connection from outside! It must be `smtpd_recipient_restrictions = permit_mynetworks, reject`

The previous configuration is not the problem. The parameters Shane misses are implicitly set by Postfix if you don't set them. Not `smtpd_client_restrictions` but `smtpd_recipient_restrictions`, but these have the same effect. I tested the given configuration and with that you have no open relay.

By the way the given logs don't show any suspicious activity from outside. Only connects that are not bad and REJECTS which are good.

You only see outgoing mails. Wherever they come from, as you didn't show the logs of how e.g. the mail with ID DC8BD1641F1 came in.

mailq
  • The rejections on the logs in the question are all from remote servers rejecting message delivery, there aren't rejections of client relay. While I agree that there's no clear indication from those logs that he was an open relay, the 9000 messages in queue imply it and an open relay test confirmed. I was thinking that the service was only needed as a relay for the web app on the local system, hence the recommendation to change client restrictions, but I now see that it's configured as his `MX` entry too - so you're right that my solution was bad. Thanks for the help, +1. – Shane Madden Aug 20 '11 at 15:27
  • @Shane The NOQUEUE lines are from external connections that lead to rejects in Postfix (not that external servers reject the mails). The others are - as you said - outgoing mails that get rejected outside. – mailq Aug 20 '11 at 17:50
  • Sorry. Better indication: the lines with `postfix/smtp` are rejects at outside servers (as Postfix is a SMTP client in that case). The lines with `postfix/smtpd` are rejects of Postfix (as Postfix is a SMTP server in that case). – mailq Aug 20 '11 at 17:53
  • Thanks for clarifying. My postfix skills clearly need some work ;) – Shane Madden Aug 20 '11 at 19:46
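The distinction mailq draws in the comments (`postfix/smtp` lines are the remote MX rejecting or deferring mail Postfix is *sending*; `postfix/smtpd` lines are Postfix itself *refusing* an inbound relay attempt) is exactly what a triage script should separate, because only the first group is evidence of spam that has already been accepted. The script below is an added example written for this page, not code from the question, the answer, or the Postfix project. It embeds a constructed sample made of a few lines in the same shape as the log quoted in the question (two of them trimmed with "..." for length), parses them, and groups the outbound deferrals by queue ID so you know which message IDs to trace back through the log or with `postcat -q <queue id>` to see how the mail entered the system.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines shaped like the mail log quoted in the question.
# Two long lines are trimmed with "..." but keep the fields the parser uses.
SAMPLE_LOG = """\
Aug 20 07:00:29 veepiz postfix/smtp[15001]: DC8BD1641F1: lost connection with mx1.hotmail.com[65.55.92.168] while sending RCPT TO
Aug 20 07:00:29 veepiz postfix/smtp[15000]: DC8BD1641F1: host mx3.hotmail.com[65.55.92.152] said: 421 RP-001 (SNT0-MC2-F19) Unfortunately, some messages from 50.57.111.177 weren't sent. Please try again. (in reply to MAIL FROM command)
Aug 20 07:00:29 veepiz postfix/smtpd[11929]: 6E6221641F2: reject: RCPT from cpe-76-175-170-10.socal.res.rr.com[76.175.170.10]: 554 5.7.1 <make30000000@yahoo.com.tw>: Relay access denied; from=<wowaish@gmail.com> to=<make30000000@yahoo.com.tw> proto=SMTP helo=<cpe-76-175-170-10.socal.res.rr.com>
Aug 20 07:00:29 veepiz postfix/smtp[15001]: DC8BD1641F1: to=<leebosser@msn.com>, relay=mx4.hotmail.com[65.55.92.136]:25, delay=44, delays=44/0.04/0.26/0.04, dsn=4.0.0, status=deferred (host mx4.hotmail.com[65.55.92.136] said: 421 RP-001 ...)
Aug 20 07:00:29 veepiz postfix/smtpd[4410]: NOQUEUE: reject: RCPT from ppp089210016127.dsl.hol.gr[89.210.16.127]: 554 5.7.1 <swsead@yahoo.com.tw>: Relay access denied; from=<sdlhjjluct@googlegroups.com> to=<swsead@yahoo.com.tw> proto=SMTP helo=<ppp089210016127.dsl.hol.gr>
Aug 20 07:00:29 veepiz postfix/smtp[15016]: DC8BD1641F1: to=<alishatp@yahoo.com>, relay=d.mx.mail.yahoo.com[209.191.88.254]:25, delay=44, delays=44/0.04/0.41/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] ...)
Aug 20 07:00:29 veepiz postfix/smtpd[7964]: connect from unknown[89.207.68.10]
Aug 20 07:00:29 veepiz postfix/smtpd[11903]: NOQUEUE: reject: RCPT from ppp089210016127.dsl.hol.gr[89.210.16.127]: 554 5.7.1 <stanley890143@yahoo.com.tw>: Relay access denied; from=<xlywm@yahoogroups.com> to=<stanley890143@yahoo.com.tw> proto=SMTP helo=<ppp089210016127.dsl.hol.gr>
"""

# syslog prefix: timestamp, host, "postfix/<smtp|smtpd>[pid]: " then the message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'postfix/(?P<prog>smtpd?)\[\d+\]: (?P<rest>.*)$'
)
# optional leading queue id (hex) or NOQUEUE, followed by the event body
QUEUE_RE = re.compile(r'(?P<qid>[0-9A-F]{6,}|NOQUEUE): (?P<body>.*)$')


def parse_line(line):
    """Classify one log line. Returns None for lines not from smtp/smtpd."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    prog, rest = m.group('prog'), m.group('rest')
    event = {'prog': prog, 'queue_id': None, 'category': 'other'}
    qm = QUEUE_RE.match(rest)
    body = rest
    if qm:
        event['queue_id'] = qm.group('qid')
        body = qm.group('body')

    if prog == 'smtpd':
        # Postfix is the SMTP *server* here: these are decisions it made
        # about a remote client, so a reject means the restriction worked.
        if body.startswith('reject: RCPT from') and 'Relay access denied' in body:
            event['category'] = 'inbound_relay_rejected'
            cm = re.search(r'RCPT from (?P<name>\S+?)\[(?P<ip>[^\]]+)\]', body)
            event['client_ip'] = cm.group('ip') if cm else None
        elif body.startswith('connect from'):
            event['category'] = 'inbound_connect'
    else:
        # Postfix is the SMTP *client* here: the mail was already accepted
        # and queued, and the remote MX is pushing back on delivery.
        if 'status=deferred' in body:
            event['category'] = 'outbound_deferred'
            tm = re.search(r'to=<([^>]*)>', body)
            event['recipient'] = tm.group(1) if tm else None
        elif (' said: 4' in body or 'refused to talk to me' in body
              or 'lost connection' in body):
            event['category'] = 'outbound_remote_error'
    return event


def summarize(log_text):
    """Tally categories, rejected client IPs and deferred recipients per queue id."""
    counts = Counter()
    rejected_clients = Counter()
    deferred_by_queue = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        counts[ev['category']] += 1
        if ev['category'] == 'inbound_relay_rejected' and ev.get('client_ip'):
            rejected_clients[ev['client_ip']] += 1
        if ev['category'] == 'outbound_deferred':
            deferred_by_queue[ev['queue_id']].append(ev['recipient'])
    return {
        'counts': dict(counts),
        'rejected_clients': dict(rejected_clients),
        'deferred_by_queue_id': dict(deferred_by_queue),
    }


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    print('event counts:', report['counts'])
    print('inbound relay attempts refused, per client IP:', report['rejected_clients'])
    print('queue ids with outbound deferrals (trace these back):')
    for qid, rcpts in report['deferred_by_queue_id'].items():
        print(f'  {qid}: {len(rcpts)} deferred recipient(s), e.g. {rcpts[0]}')
```

Run it against the real file with `summarize(open('/var/log/maillog').read())` (path is an assumption; CentOS commonly logs there). A large `inbound_relay_rejected` count is the restriction doing its job; the number that matters is the set of queue IDs under `deferred_by_queue_id`, since each one is a message that got in through something other than the blocked relay path (a web form, a local script, an authenticated account), and the earlier `smtpd` or `pickup` lines for that queue ID show which.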