Author Topic: Mail queue filling by the second  (Read 2962 times)


Mail queue filling by the second
« on: January 21, 2016, 03:44:29 AM »
Hey folks. Brand new installation of CWP on CentOS 6.7. After just a few hours, postfix is just going crazy when trying to send email to anyone and everyone. I do not have any email ports open for inbound. I had to block outbound 25 just to get my IP off of the naughty lists with my datacenter. I even used yum to completely remove postfix, then installed it again. I even deleted all the files in the /etc/postfix folder. But, as soon as I start postfix, it automatically starts flooding with trying to send outbound email. Any ideas on where I should begin?

Robert

Re: Mail queue filling by the second
« Reply #1 on: January 21, 2016, 06:17:35 AM »
You should first start by checking what kind of emails those are; you can do that by using the mail queue in cwp.admin.
When you know about that, then you can further
AntiDDoS Protection (web + mail)
http://centos-webpanel.com/website-ddos-protection-proxy

Join our Development Team and get paid !
http://centos-webpanel.com/develope-modules-for-cwp


Services Monitoring & RBL Monitoring
http://centos-webpanel.com/services-monitor


Do you need Fast and FREE Support included for your CWP linux server?
http://centos-webpanel.com/noc-partner-list
Installation Instructions
http://centos-webpanel.com/installation-instructions
Get Fast Support Here
http://centos-webpanel.com/support-services

Re: Mail queue filling by the second
« Reply #2 on: January 21, 2016, 02:19:45 PM »
OK, I can't get the postfix mail queue to display because of the sheer volume of email trying to get out. I've got it blocked at my firewall so nothing is getting out at the moment. However, yesterday when I was able to view it, the majority of the email was random names at my domain name (i.e. john_smith@craigcomm.net). What could this be?

Robert

Re: Mail queue filling by the second
« Reply #3 on: January 21, 2016, 04:44:14 PM »
You can't know anything if you don't check the emails and locate the source of this issue; you would need to check that with your system admin or our managed support.

It could be
- hacked email account password
- injected php malware script in the website
or even something else like a rootkit

so you should start by checking emails and mail server logs.

Re: Mail queue filling by the second
« Reply #4 on: January 22, 2016, 12:44:40 AM »
OK, below is a snippet from one of the 30k messages I finally retrieved from the queue. What am I looking for in the maillog? I am the administrator of this box. It's very new to me and I didn't think I would have any issues right after a brand new installation (this is the second installation that has yielded the same results). Thanks for any help.

Robert

*** ENVELOPE RECORDS deferred/2/26700185424 ***
message_size:            1405             201               1               0            1405
message_arrival_time: Wed Jan 20 14:55:35 2016
create_time: Wed Jan 20 14:55:35 2016
named_attribute: rewrite_context=local
sender_fullname:
sender: eunice_guerrero@craignetwork.com
warning_message_time: Wed Dec 31 18:00:00 1969
*** MESSAGE CONTENTS deferred/2/26700185424 ***
regular_text: Received: by webserver1.craignetwork.com (Postfix, from userid 500)
regular_text:    id 26700185424; Wed, 20 Jan 2016 14:55:35 -0600 (CST)
regular_text: To: anonimissimus@tiscali.it
regular_text: Subject: 1 New SnapF#ck Alert
regular_text: X-PHP-Originating-Script: 500:cache.php(1973) : eval()'d code
regular_text: Date: Wed, 20 Jan 2016 20:55:34 +0000
regular_text: From: Eunice Guerrero <eunice_guerrero@craignetwork.com>
regular_text: Message-ID: <cac28a16de18fb6ef1978168c794cf97@craignetwork.com>
regular_text: X-Priority: 3
regular_text: X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
regular_text: MIME-Version: 1.0
regular_text: Content-Type: multipart/alternative;
regular_text:    boundary="b1_cac28a16de18fb6ef1978168c794cf97"
regular_text: Content-Transfer-Encoding: 8bit
regular_text:
regular_text: --b1_cac28a16de18fb6ef1978168c794cf97
regular_text: Content-Type: text/plain; charset=us-ascii
regular_text:
regular_text: r u online right now? i'm 27/f looking for a casual f#ckbuddy...
regular_text:
regular_text: r u online? i want to get f*cked by a stud right now
regular_text: [ http://weddenopvoetbalwedstrijden.net/diff.php?a=40&DuHbVnm=iUhonhyYQoup6Sf&a ]
regular_text: my profile here
regular_text:
regular_text:
regular_text: CHAT SOON
regular_text:
regular_text:
regular_text: --b1_cac28a16de18fb6ef1978168c794cf97
regular_text: Content-Type: text/html; charset=us-ascii
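The headers in the queued message above already point at the source. The line "Received: by webserver1.craignetwork.com (Postfix, from userid 500)" means the message was handed to Postfix locally by uid 500 (the account the web site runs as, not a remote SMTP client), and "X-PHP-Originating-Script: 500:cache.php(1973) : eval()'d code" is the header PHP adds when mail.add_x_header is on: a script called cache.php, at line 1973, running code it had eval()'d, called mail(). The following POSIX shell script is an added example, not code from the thread or from CWP; it pulls those two headers out of "postcat -q" output so the same check can be run over the whole queue. The two sample queue-file dumps it contains are constructed to match the quoted format.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads "postcat -q" output on stdin
# and extracts the two headers that identify where queued mail came from.
# Postfix prefixes each header line of the dump with "regular_text: ".

# The script PHP recorded when mail() was called, e.g.
# "500:cache.php(1973) : eval()'d code" (uid:script(line) : context).
# PHP writes this header when mail.add_x_header=On in php.ini.
php_origin_scripts() {
    sed -n 's/^regular_text: X-PHP-Originating-Script: *//p'
}

# The uid that handed the message to Postfix locally:
# "Received: by host (Postfix, from userid 500)". Mail that arrived over
# SMTP carries "from host[addr]" instead and produces no output here.
local_submitting_uids() {
    sed -n 's/^regular_text: Received: by .* (Postfix, from userid \([0-9][0-9]*\)).*/\1/p'
}

# Messages per originating script, most frequent first ("uniq -c" layout).
script_counts() {
    php_origin_scripts | sort | uniq -c | sort -rn
}

# Constructed sample: two queue-file dumps in the format quoted in the thread.
sample_postcat() {
    cat <<'EOF'
*** ENVELOPE RECORDS deferred/2/26700185424 ***
sender: eunice_guerrero@craignetwork.com
*** MESSAGE CONTENTS deferred/2/26700185424 ***
regular_text: Received: by webserver1.craignetwork.com (Postfix, from userid 500)
regular_text:    id 26700185424; Wed, 20 Jan 2016 14:55:35 -0600 (CST)
regular_text: To: anonimissimus@tiscali.it
regular_text: X-PHP-Originating-Script: 500:cache.php(1973) : eval()'d code
regular_text: X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
*** ENVELOPE RECORDS deferred/3/EXAMPLE0002 ***
sender: other_name@craignetwork.com
*** MESSAGE CONTENTS deferred/3/EXAMPLE0002 ***
regular_text: Received: by webserver1.craignetwork.com (Postfix, from userid 500)
regular_text: To: someone@example.net
regular_text: X-PHP-Originating-Script: 500:cache.php(1973) : eval()'d code
EOF
}

# Stand-alone demo on the constructed sample. On a real box feed the live
# queue instead, e.g. a sample of 200 queue IDs:
#   postqueue -p | awk '$2 ~ /^[0-9]+$/ {sub(/[*!]$/,"",$1); print $1}' | head -n 200 | xargs postcat -q | script_counts
sample_postcat | script_counts
sample_postcat | local_submitting_uids | sort -u
```

The uid tells you which hosting account to look in ("getent passwd 500" maps it to a user and home directory), and the script name tells you what to look for under that account's document root. Because the header says "eval()'d code", the sending logic is not in cache.php itself but in a string it executed, so the file is worth reading rather than just deleting. Setting mail.log in php.ini makes PHP record every mail() call with the calling script, which gives a second, independent trail.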

Re: Mail queue filling by the second
« Reply #5 on: February 07, 2016, 12:53:17 PM »
Seems like an open relay to me (which means everyone can use your server to send email). Follow the instructions on this page:

http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

Apparently the latest version of CWP can't properly configure postfix to use the dovecot authentication system, so everyone can send email without a username/password from your SMTP server.

Re: Mail queue filling by the second
« Reply #6 on: February 07, 2016, 03:27:51 PM »
By the way, there is a way to read the content of your queue even when postfix is down.

To show the queue:

    postqueue -p

To save the list in a file:

    postqueue -p > myfile.txt

To read a single email:

    postcat -q AE6732A0189A

where AE6732A0189A is the email id.
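With 30k entries, the "postqueue -p" listing is only useful once it is summarised, and the queue IDs it contains are what "postcat -q" needs. The POSIX shell functions below are an added example, not code from the thread or from CWP: they read the listing from stdin and report the bare queue IDs, the IDs belonging to one envelope sender, messages per sender and recipients per destination domain, so a burst of random-name senders at your own domain stands out and the right messages can be handed to postcat. The mailq layout assumed (entry line at column 0, "(" for deferral reasons, indented recipients, blank line between entries) is the standard one; the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises "postqueue -p" (mailq)
# output read from stdin. Assumed layout: an entry starts at column 0 with
# "<queue id>[*|!] <size> <arrival time> <sender>", deferral reasons start
# with "(", recipients are indented one per line, entries are separated by
# blank lines. "*" marks an active entry and "!" a held one.

# Bare queue IDs, one per line, ready for "xargs postcat -q".
queue_ids() {
    awk '/^[0-9A-Za-z]/ && $2 ~ /^[0-9]+$/ { id = $1; sub(/[*!]$/, "", id); print id }'
}

# Queue IDs of every message whose envelope sender is $1.
ids_for_sender() {
    awk -v s="$1" '/^[0-9A-Za-z]/ && $2 ~ /^[0-9]+$/ && $NF == s {
        id = $1; sub(/[*!]$/, "", id); print id }'
}

# Queued messages per envelope sender, most frequent first.
sender_counts() {
    awk '/^[0-9A-Za-z]/ && $2 ~ /^[0-9]+$/ { print $NF }' | sort | uniq -c | sort -rn
}

# Recipients per destination domain, most frequent first.
recipient_domain_counts() {
    awk '/^[[:space:]]/ && $1 ~ /@/ { d = $1; sub(/.*@/, "", d); print d }' \
        | sort | uniq -c | sort -rn
}

# Constructed sample listing: two messages from one random-name sender and
# one from another, in the layout postqueue -p prints.
sample_postqueue() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
AE6732A0189A*    1405 Wed Jan 20 14:55:35  eunice_guerrero@craignetwork.com
                                         anonimissimus@tiscali.it

26700185424      1405 Wed Jan 20 14:55:35  eunice_guerrero@craignetwork.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         someone@example.net
                                         other@tiscali.it

EXAMPLE0003!     1200 Wed Jan 20 14:56:01  john_smith@craignetwork.com
                                         third@example.org

-- 4 Kbytes in 3 Requests.
EOF
}

# Stand-alone demo; on a live box pipe the real listing in instead, e.g.
#   postqueue -p | sender_counts | head
#   postqueue -p | ids_for_sender eunice_guerrero@craignetwork.com | head -n 20 | xargs postcat -q
sample_postqueue | sender_counts
sample_postqueue | recipient_domain_counts
```

Because "postqueue -p" only reads the queue directories, all of this works while the postfix service is stopped, which is the state the original poster is in. Reading the messages of one sender with postcat, rather than deleting them straight away, is what yields the X-PHP-Originating-Script header that locates the script on disk.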

Re: Mail queue filling by the second
« Reply #7 on: April 15, 2016, 11:16:49 AM »
Your website has no firewall, which means anyone can brute force your server and use it as a spambot target.

Re: Mail queue filling by the second
« Reply #8 on: May 09, 2016, 04:41:41 PM »
I have this exact problem, only on both my servers. I suspect it's an exploit of WordPress.

Did you manage to nail it down? I've found most of it but still got 200 emails being created an hour. I just can't track down where these are coming from now.