
How can I tell "who" is injecting mail into the queue?

  • John Nichel
    Message 1 of 3 , Feb 27, 2008
      Hi,

      Recently our company grew enough to warrant a separate web server.
      This box came as a default RHEL4 install, and since this box only needed
      to send mail out, I just left the default Postfix install on and closed
      off all ports other than 80, 443 and 22. Everything has been working
      fine for about a year now, but I have started to notice some strange
      entries in the log watch for that box....

      > Foreign Bounce:
      > To achgo@... Msg="host mail-com.mr.outblaze.com[208.36.123.68] said: 550 <achgo@...>: User unknown (in reply to RCPT TO command" : 1 Time(s)
      > To achgo@... Msg="host mail-com.mr.outblaze.com[64.62.181.82] said: 550 <achgo@...>: User unknown (in reply to RCPT TO command" : 1 Time(s)
      > To aczfm@... Msg="host mail-com.mr.outblaze.com[208.36.123.17] said: 550 <aczfm@...>: User unknown (in reply to RCPT TO command" : 1 Time(s)
      > To aczfm@... Msg="host mail-com.mr.outblaze.com[208.36.123.55] said: 550 <aczfm@...>: User unknown (in reply to RCPT TO command" : 1 Time(s)
      > To azrdj@... Msg="host mail-com.mr.outblaze.com[208.36.123.55] said: 550 <azrdj@...>: User unknown (in reply to RCPT TO command" : 1 Time(s)
      > To azrdj@... Msg="host mail-com.mr.outblaze.com[208.36.123.68] said: 550 <azrdj@...>: User unknown (in reply to RCPT TO command" : 1 Time(s)
      > To bbzmy@... Msg="host mail-com.mr.outblaze.com[208.36.123.55] said: 550 <bbzmy@...>: User unknown (in reply to RCPT TO command" : 1 Time(s)
      > To bbzmy@... Msg="host mail-com.mr.outblaze.com[208.36.123.68] said: 550 <bbzmy@...>: User unknown (in reply to RCPT TO command" : 1 Time(s)
      > To cewvm@... Msg="host mail-com.mr.outblaze.com[64.62.181.82] said: 550 <cewvm@...>: User unknown (in reply to RCPT TO command" : 1 Time(s)
      > To cewvm@... Msg="host mail-com.mr.outblaze.com[64.71.166.199] said: 550 <cewvm@...>: User unknown (in reply to RCPT TO command" : 1 Time(s)


      So on, and so forth. There are a few hundred entries a day like
      this...just random, gibberish addresses. Being that the box won't even
      accept smtp connections, I'm guessing this machine has been compromised
      in some way. I've looked and looked, Googled and Googled, but have
      found nothing. I can look at all these messages in the queue, but I
      haven't found any way to determine who or what put the messages there.
      Any suggestions? Thanks.

      --
      John C. Nichel IV
      System Administrator
      KegWorks
      http://www.kegworks.com
      716.362.9212 x16
      john@...
    • John Nichel
      Message 2 of 3 , Feb 27, 2008
        John Nichel wrote:
        > Hi,
        >
        > Recently our company grew enough to warrant a separate web server.
        > This box came as a default RHEL4 install, and since this box only needed
        > to send mail out, I just left the default Postfix install on and closed
        > off all ports other than 80, 443 and 22. Everything has been working
        > fine for about a year now, but I have started to notice some strange
        > entries in the log watch for that box....
        >
        >> Foreign Bounce:
        >> To achgo@... Msg="host mail-com.mr.outblaze.com[208.36.123.68]
        >> said: 550 <achgo@...>: User unknown (in reply to RCPT TO command"
        >> : 1 Time(s)
        >> To achgo@... Msg="host mail-com.mr.outblaze.com[64.62.181.82]
        >> said: 550 <achgo@...>: User unknown (in reply to RCPT TO command"
        >> : 1 Time(s)
        >> To aczfm@... Msg="host mail-com.mr.outblaze.com[208.36.123.17]
        >> said: 550 <aczfm@...>: User unknown (in reply to RCPT TO command"
        >> : 1 Time(s)
        >> To aczfm@... Msg="host mail-com.mr.outblaze.com[208.36.123.55]
        >> said: 550 <aczfm@...>: User unknown (in reply to RCPT TO command"
        >> : 1 Time(s)
        >> To azrdj@... Msg="host mail-com.mr.outblaze.com[208.36.123.55]
        >> said: 550 <azrdj@...>: User unknown (in reply to RCPT TO command"
        >> : 1 Time(s)
        >> To azrdj@... Msg="host mail-com.mr.outblaze.com[208.36.123.68]
        >> said: 550 <azrdj@...>: User unknown (in reply to RCPT TO command"
        >> : 1 Time(s)
        >> To bbzmy@... Msg="host mail-com.mr.outblaze.com[208.36.123.55]
        >> said: 550 <bbzmy@...>: User unknown (in reply to RCPT TO command"
        >> : 1 Time(s)
        >> To bbzmy@... Msg="host mail-com.mr.outblaze.com[208.36.123.68]
        >> said: 550 <bbzmy@...>: User unknown (in reply to RCPT TO command"
        >> : 1 Time(s)
        >> To cewvm@... Msg="host mail-com.mr.outblaze.com[64.62.181.82]
        >> said: 550 <cewvm@...>: User unknown (in reply to RCPT TO command"
        >> : 1 Time(s)
        >> To cewvm@... Msg="host mail-com.mr.outblaze.com[64.71.166.199]
        >> said: 550 <cewvm@...>: User unknown (in reply to RCPT TO command"
        >> : 1 Time(s)
        >
        >
        > So on, and so forth. There are a few hundred entries a day like
        > this...just random, gibberish addresses. Being that the box won't even
        > accept smtp connections, I'm guessing this machine has been compromised
        > in some way. I've looked and looked, Googled and Googled, but have
        > found nothing. I can look at all these messages in the queue, but I
        > haven't found any way to determine who or what put the messages there.
        > Any suggestions? Thanks.
        >

        Never mind. I found the problem. Seems that an internal app was built
        to "send this to a friend" from our product pages, and it's now being
        used by spammers.

        --
        John C. Nichel IV
        System Administrator
        KegWorks
        http://www.kegworks.com
        716.362.9212 x16
        john@...
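The question in the subject line (which local process is putting mail into the queue) can be answered from the Postfix log itself: the `pickup` daemon records the Unix uid and sender of every message handed in through the sendmail(1) interface, and the `smtp` client later records the delivery status for the same queue id. Joining the two by queue id attributes each bounce to the submitting uid, which in a case like the one above points straight at the web server user. The following script is an added example, not code from the thread or from Postfix; the log lines are constructed to mimic the standard Postfix syslog format, the uid 48 / `apache` identity and the `example.net` recipients are assumptions, and only the relay host and IPs are taken from the bounces quoted in the thread.

```python
"""Attribute locally injected Postfix mail to the uid that submitted it.

Added example, not part of the original thread. Reads Postfix syslog
output, joins 'postfix/pickup' submission records with 'postfix/smtp'
delivery records by queue id, and flags submitters whose mail mostly
bounces, which is the signature of an abused web form.
"""
import re
import sys
from collections import defaultdict

# Constructed sample log, modelled on the Postfix syslog format. uid 48
# is the apache user on a RHEL4 box (an assumption for this sample) and
# the recipients are invented; relay hosts and IPs come from the thread.
SAMPLE_LOG = """\
Feb 27 09:12:01 web postfix/pickup[1201]: 7A1C2B3D4E: uid=48 from=<apache>
Feb 27 09:12:01 web postfix/qmgr[1190]: 7A1C2B3D4E: from=<apache@web.example.net>, size=812, nrcpt=1 (queue active)
Feb 27 09:12:03 web postfix/smtp[1305]: 7A1C2B3D4E: to=<achgo@example.net>, relay=mail-com.mr.outblaze.com[208.36.123.68]:25, delay=2, status=bounced (host mail-com.mr.outblaze.com[208.36.123.68] said: 550 <achgo@example.net>: User unknown (in reply to RCPT TO command))
Feb 27 09:12:05 web postfix/pickup[1201]: 8B2D3C4E5F: uid=48 from=<apache>
Feb 27 09:12:05 web postfix/qmgr[1190]: 8B2D3C4E5F: from=<apache@web.example.net>, size=815, nrcpt=1 (queue active)
Feb 27 09:12:07 web postfix/smtp[1305]: 8B2D3C4E5F: to=<aczfm@example.net>, relay=mail-com.mr.outblaze.com[208.36.123.17]:25, delay=2, status=bounced (host mail-com.mr.outblaze.com[208.36.123.17] said: 550 <aczfm@example.net>: User unknown (in reply to RCPT TO command))
Feb 27 09:15:00 web postfix/pickup[1201]: 9C3E4D5F6A: uid=0 from=<root>
Feb 27 09:15:00 web postfix/qmgr[1190]: 9C3E4D5F6A: from=<root@web.example.net>, size=402, nrcpt=1 (queue active)
Feb 27 09:15:01 web postfix/smtp[1306]: 9C3E4D5F6A: to=<ops@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1, status=sent (250 2.0.0 Ok: queued as 1234)
"""

# pickup: "<queue id>: uid=<uid> from=<sender>" for sendmail(1) submissions
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>"
)
# smtp client: "<queue id>: to=<rcpt>, relay=..., status=<sent|bounced|deferred|...>"
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<to>[^>]*)>, .*status=(?P<status>\w+)"
)

UNKNOWN = (None, "unknown")  # delivery records with no pickup line in this log window


def attribute(log_text):
    """Return {(uid, sender): counters} built by joining pickup and smtp records."""
    origin = {}  # queue id -> (uid, sender) recorded by pickup
    stats = defaultdict(
        lambda: {"queued": 0, "sent": 0, "bounced": 0, "deferred": 0, "recipients": []}
    )
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            key = (int(m.group("uid")), m.group("from"))
            origin[m.group("qid")] = key
            stats[key]["queued"] += 1
            continue
        m = SMTP_RE.search(line)
        if m:
            # Mail that arrived some other way (e.g. over SMTP) has no pickup
            # record; keep it in an explicit bucket instead of dropping it.
            key = origin.get(m.group("qid"), UNKNOWN)
            status = m.group("status")
            if status in ("sent", "bounced", "deferred"):
                stats[key][status] += 1
            stats[key]["recipients"].append(m.group("to"))
    return dict(stats)


def suspicious(stats, min_messages=2, bounce_ratio=0.5):
    """Submitters with at least min_messages queued and a high bounce share."""
    flagged = []
    for key, s in stats.items():
        attempts = s["sent"] + s["bounced"] + s["deferred"]
        if s["queued"] >= min_messages and attempts and s["bounced"] / attempts >= bounce_ratio:
            flagged.append(key)
    return sorted(flagged, key=str)


def main(argv):
    # Usage: python attribute_queue.py /var/log/maillog  (no argument: sample)
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    stats = attribute(text)
    for (uid, sender), s in sorted(stats.items(), key=str):
        print(f"uid={uid} from=<{sender}>: queued={s['queued']} sent={s['sent']} "
              f"bounced={s['bounced']} deferred={s['deferred']}")
    for key in suspicious(stats):
        print(f"likely abused submitter: uid={key[0]} from=<{key[1]}>")


if __name__ == "__main__":
    main(sys.argv)
```

The same attribution is available per message while it is still in the queue: `postqueue -p` lists queue ids, and `postcat -q <id>` prints the message with the `Received: by <host> (Postfix, from userid N)` header that Postfix adds to locally submitted mail, so the web server uid is visible even before any delivery attempt is logged.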
      • Randy Ramsdell
        Message 3 of 3 , Feb 27, 2008
          John Nichel wrote:
          > Hi,
          >
          > Recently our company grew enough to warrant a separate web server.
          > This box came as a default RHEL4 install, and since this box only
          > needed to send mail out, I just left the default Postfix install on
          > and closed off all ports other than 80, 443 and 22. Everything has
          > been working fine for about a year now, but I have started to notice
          > some strange entries in the log watch for that box....
          >
          >> Foreign Bounce:
          >> To achgo@... Msg="host
          >> mail-com.mr.outblaze.com[208.36.123.68] said: 550 <achgo@...>:
          >> User unknown (in reply to RCPT TO command" : 1 Time(s)
          >> To achgo@... Msg="host mail-com.mr.outblaze.com[64.62.181.82]
          >> said: 550 <achgo@...>: User unknown (in reply to RCPT TO
          >> command" : 1 Time(s)
          >> To aczfm@... Msg="host
          >> mail-com.mr.outblaze.com[208.36.123.17] said: 550 <aczfm@...>:
          >> User unknown (in reply to RCPT TO command" : 1 Time(s)
          >> To aczfm@... Msg="host
          >> mail-com.mr.outblaze.com[208.36.123.55] said: 550 <aczfm@...>:
          >> User unknown (in reply to RCPT TO command" : 1 Time(s)
          >> To azrdj@... Msg="host
          >> mail-com.mr.outblaze.com[208.36.123.55] said: 550 <azrdj@...>:
          >> User unknown (in reply to RCPT TO command" : 1 Time(s)
          >> To azrdj@... Msg="host
          >> mail-com.mr.outblaze.com[208.36.123.68] said: 550 <azrdj@...>:
          >> User unknown (in reply to RCPT TO command" : 1 Time(s)
          >> To bbzmy@... Msg="host
          >> mail-com.mr.outblaze.com[208.36.123.55] said: 550 <bbzmy@...>:
          >> User unknown (in reply to RCPT TO command" : 1 Time(s)
          >> To bbzmy@... Msg="host
          >> mail-com.mr.outblaze.com[208.36.123.68] said: 550 <bbzmy@...>:
          >> User unknown (in reply to RCPT TO command" : 1 Time(s)
          >> To cewvm@... Msg="host mail-com.mr.outblaze.com[64.62.181.82]
          >> said: 550 <cewvm@...>: User unknown (in reply to RCPT TO
          >> command" : 1 Time(s)
          >> To cewvm@... Msg="host
          >> mail-com.mr.outblaze.com[64.71.166.199] said: 550 <cewvm@...>:
          >> User unknown (in reply to RCPT TO command" : 1 Time(s)
          >
          >
          > So on, and so forth. There are a few hundred entries a day like
          > this...just random, gibberish addresses. Being that the box won't
          > even accept smtp connections, I'm guessing this machine has been
          > compromised in some way. I've looked and looked, Googled and Googled,
          > but have found nothing. I can look at all these messages in the
          > queue, but I haven't found any way to determine who or what put the
          > messages there. Any suggestions? Thanks.
          >

          That almost looks like a dictionary attack seen on mail servers that are
          public facing. Do you know outblaze.com? It shows registered to
          "http://www.enom.com/." If not, I would suspect some sort of security
          issue on that server.

          Randy Ramsdell