
I'm getting a continuous flow of messages in the mail.log file of our postfix mail server. Here is a sanitised sample:

postfix/qmgr[7883]: 03DF631E8F: from=<user@problem.com>, size=1021, nrcpt=15 (queue active)
Jan 18 16:16:30 fadmin3 postfix/error[12269]: 923AC288B9: to=<u1@yahoo.com>, relay=none, delay=166662, delays=166657/0.59/0/4.2, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.35] while sending RCPT TO)
Jan 18 16:16:30 fadmin3 postfix/qmgr[7883]: 9D2F539889: from=<user@problem.com>, size=672, nrcpt=15 (queue active)
Jan 18 16:16:30 fadmin3 postfix/error[12267]: 9AFCD301D6: to=<u2@yahoo.com>, relay=none, delay=132365, delays=132362/0.64/0/1.8, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.35] while sending RCPT TO)
Jan 18 16:16:30 fadmin3 postfix/error[12254]: 92AB62E6E2: to=<u3@yahoo.com>, relay=none, delay=129814, delays=129813/0.36/0/0.28, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.35] while sending RCPT TO)
Jan 18 16:16:30 fadmin3 postfix/qmgr[7883]: 9AAB535F54: from=<user@problem.com>, size=648, nrcpt=15 (queue active)
Jan 18 16:16:30 fadmin3 postfix/smtp[12865]: 9DBD2266E1: to=<u4@d1.net>, relay=mta6.am0.yahoodns.net[98.136.217.203]:25, delay=176824, delays=176822/1.4/1.2/0.18, dsn=4.7.0, status=deferred (host mta6.am0.yahoodns.net[98.136.217.203] said: 421 4.7.0 [TS01] Messages from 54.171.74.133 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html (in reply to MAIL FROM command))
Jan 18 16:16:30 fadmin3 postfix/smtp[12873]: E47A02AE99: to=<u5@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.24.27]:25, delay=12531, delays=12525/0.99/0.06/5.2, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.24.27] said: 550-5.7.1 [54.171.74.133      12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. eq5si19262603wjc.52 - gsmtp (in reply to end of DATA command))
Jan 18 16:16:30 fadmin3 postfix/error[12269]: 923AC288B9: to=<u6@yahoo.com>, relay=none, delay=166662, delays=166657/0.59/0/4.8, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.35] while sending RCPT TO)
Jan 18 16:16:30 fadmin3 postfix/qmgr[7883]: 94AB125128: from=<user@problem.com>, size=1036, nrcpt=9 (queue active)

I should add we don't get or send much email and this is a fast constant flow, thousands of messages per hour going to lots of users and all from one user.

At first I thought that the mail server had been compromised, however I haven't found anything to confirm that. I'm still looking.

The service is not an open relay. I'm trying to contact the user to get them to check their machine, but in the meantime, what can I do on postfix to clean out all these messages for this user and stop them being sent? I've temporarily disabled their password, but it looks like there are thousands of queued messages, possibly as many deferred, and I'm wondering how to best clean up this mess.

Any ideas (besides a virus on their system) what could cause this?

Thanks

MadHatter
mark
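Before the queue is flushed, it is worth summarising the log so that the offending sender, the number of recipients per message and the remote MTAs' responses (the 4.4.2 deferrals, the 4.7.0 reputation deferral, the 5.7.1 spam bounce) are on record. The following is an added example, not code from the question or the answer; it parses constructed log lines modelled on the sanitised sample above, and the `flood_threshold` value is an arbitrary assumption for the demonstration.

```python
import re
from collections import Counter

# Constructed sample modelled on the sanitised mail.log lines in the question
# (one flooding sender plus one ordinary, successfully delivered message).
SAMPLE_LOG = """\
Jan 18 16:16:30 fadmin3 postfix/qmgr[7883]: 03DF631E8F: from=<user@problem.com>, size=1021, nrcpt=15 (queue active)
Jan 18 16:16:30 fadmin3 postfix/error[12269]: 923AC288B9: to=<u1@yahoo.com>, relay=none, delay=166662, delays=166657/0.59/0/4.2, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta5.am0.yahoodns.net[98.138.112.35] while sending RCPT TO)
Jan 18 16:16:30 fadmin3 postfix/qmgr[7883]: 9D2F539889: from=<user@problem.com>, size=672, nrcpt=15 (queue active)
Jan 18 16:16:30 fadmin3 postfix/smtp[12873]: E47A02AE99: to=<u5@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.24.27]:25, delay=12531, delays=12525/0.99/0.06/5.2, dsn=5.7.1, status=bounced (host said: 550-5.7.1 likely unsolicited mail)
Jan 18 16:16:31 fadmin3 postfix/qmgr[7883]: 1234567890: from=<alice@example.org>, size=900, nrcpt=1 (queue active)
Jan 18 16:16:31 fadmin3 postfix/smtp[12880]: 1234567890: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.5/0.1/0.3/0.3, dsn=2.0.0, status=sent (250 OK)
"""

# qmgr "queue active" lines carry the envelope sender and recipient count per message.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+) \(queue active\)")
# smtp/error lines carry the per-recipient delivery outcome and DSN code.
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|error)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>"
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")


def summarise(log_text, flood_threshold=2):
    """Aggregate a mail.log excerpt: messages and recipients per sender,
    delivery outcomes by (status, dsn), and senders at or above the threshold.
    flood_threshold is an assumed value; tune it to the site's normal volume."""
    messages_by_sender = Counter()
    recipients_by_sender = Counter()
    outcomes = Counter()
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            messages_by_sender[m["sender"]] += 1
            recipients_by_sender[m["sender"]] += int(m["nrcpt"])
            continue
        m = DELIVERY_RE.search(line)
        if m:
            outcomes[(m["status"], m["dsn"])] += 1
    flooding = sorted(s for s, n in messages_by_sender.items() if n >= flood_threshold)
    return {
        "messages_by_sender": dict(messages_by_sender),
        "recipients_by_sender": dict(recipients_by_sender),
        "outcomes": dict(outcomes),
        "flooding": flooding,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a live server the same function can be fed `/var/log/mail.log` (or `postqueue -p` output with a matching regex) so that a record of the sender and the remote responses survives a later `postsuper -d`.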

1 Answer


The cleanup turned out to be fairly simple in the end. I ran the following

postsuper -d ALL deferred

and then for good measure

postsuper -d ALL

which removed about 45000 messages from the server.
I'm still interested in ideas about what might have caused this.

mark
    If the mails are still coming, you should look in the headers of one of the spam mails. If not, you've already destroyed the evidence. – Jenny D Jan 19 '15 at 07:51