

Too much spamming from our mail-server !




Posted by shahzaibcw, 05-12-2014, 07:16 AM
We're using a postfix/dovecot mail-server and there are tons of spam emails originating from our mail-server. Below is the log of one of the emails from localhost to a remote domain:

grep 11BD2340128F /var/log/maillog
May 12 15:44:32 server postfix/pickup[24563]: 11BD2340128F: uid=500 from=
May 12 15:44:32 server postfix/cleanup[24883]: 11BD2340128F: message-id=<402548a60e5441847c6ed3df08c02c28@mydomain.com>
May 12 15:46:18 server postfix/qmgr[31793]: 11BD2340128F: from=, size=2391, nrcpt=1 (queue active)
May 12 15:47:22 server postfix/smtp[31971]: 11BD2340128F: to=, relay=aspmx.l.google.com[74.125.196.27]:25, conn_use=4, delay=710, delays=646/63/0.2/0.54, dsn=2.0.0, status=sent (250 2.0.0 OK 1399891945 a41si15394200yhj.51 - gsmtp)
May 12 15:47:22 server postfix/qmgr[31793]: 11BD2340128F: removed

Could someone help me regarding it?

Regards,
Shahzaib

Last edited by shahzaibcw; 05-12-2014 at 07:18 AM. Reason: question improve

Posted by Crsr, 05-12-2014, 09:27 AM
Check your domain with mxtoolbox for a relay test as a starter: http://mxtoolbox.com/ This will check if your site is open to mail relay.

Posted by shahzaibcw, 05-12-2014, 10:04 AM
Please check the screenshot, it's not an open relay. http://prntscr.com/3ij4bj

Posted by FLDataTeK, 05-12-2014, 10:44 AM
That image says your reverse DNS does not match your forward DNS. Most email servers will reject based off of that alone. I'd suggest getting your rDNS set up correctly.

Posted by shahzaibcw, 05-12-2014, 10:50 AM
Quote: "That image says your reverse DNS does not match your forward DNS. Most email servers will reject based off of that alone. I'd suggest getting your rDNS set up correctly."

This is the issue of course, but the one with more priority is the spamming. I'll be thankful if you help me stop the thousands of spam emails originating from my mail-server.

Posted by Server Adminz, 05-12-2014, 11:07 AM
You need to analyze the mail logs in great detail, as well as email headers of any reported spam mail that you may have with you.

Posted by steven99, 05-12-2014, 01:26 PM
Is it always from webmaster@localhost? It could be a script (PHP, Perl, etc.) sending out via sendmail / a sendmail bridge. What user matches ID 500?

Posted by Truman, 05-12-2014, 01:52 PM
Did you manage to track the spammer, or do you still need help with the spamming issue? If the spamming is not done via authentication, check the access log for suspicious POST requests to PHP scripts and disable them.
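The two checks suggested in the replies above (which uid is submitting mail locally, per steven99, and which PHP files are receiving POST requests, per Truman) written out as shell functions over sample log lines. This is an added example, not code from the thread; the maillog and access-log lines, the file paths in them and the passwd-format lookup for uid 500 are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tally local submissions per uid from
# Postfix "pickup" lines, tally POST requests to PHP files from an Apache
# access log, and resolve a uid to a login name. All sample input below is
# constructed; on a real host feed the functions the live log files.

# Constructed sample of /var/log/maillog. A "postfix/pickup" line means the
# message was handed to Postfix locally (sendmail binary, PHP mail()), not
# via SMTP; an authenticated SMTP submission shows up as a "postfix/smtpd"
# line carrying sasl_username instead.
MAILLOG_SAMPLE='May 12 15:44:32 server postfix/pickup[24563]: 11BD2340128F: uid=500 from=<webmaster@localhost>
May 12 15:44:33 server postfix/cleanup[24883]: 11BD2340128F: message-id=<a@mydomain.com>
May 12 15:44:40 server postfix/pickup[24563]: 2C0F1340129A: uid=500 from=<webmaster@localhost>
May 12 15:45:01 server postfix/pickup[24563]: 3D1A2340130B: uid=0 from=<root@server>
May 12 15:45:10 server postfix/smtpd[25001]: 4E2B3340131C: client=example.org[203.0.113.5], sasl_method=PLAIN, sasl_username=user@mydomain.com
May 12 15:45:12 server postfix/pickup[24563]: 5F3C4340132D: uid=500 from=<webmaster@localhost>'

# Constructed sample of an Apache combined access log (paths are made up).
ACCESS_SAMPLE='203.0.113.9 - - [12/May/2014:15:44:30 +0500] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2014:15:44:39 +0500] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2014:15:44:50 +0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2014:15:45:11 +0500] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2014:15:45:30 +0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read maillog lines on stdin; print "<count> uid=<n>" per uid, busiest first.
# Only pickup lines are counted, so authenticated SMTP traffic is excluded.
count_pickup_by_uid() {
    sed -n 's/.*postfix\/pickup\[.*\(uid=[0-9]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Read access-log lines on stdin; print "<count> <path>" for every PHP file
# that received a POST, busiest first. Field 6 is the quoted method, 7 the path.
count_php_posts() {
    awk '$6 == "\"POST" && $7 ~ /\.php/ {print $7}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Read a passwd-format stream on stdin; print the login name for uid $1.
# Takes stdin rather than /etc/passwd directly so it can be run on a sample.
uid_to_name() {
    awk -F: -v uid="$1" '$3 == uid {print $1; exit}'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$MAILLOG_SAMPLE" | count_pickup_by_uid
printf '%s\n' "$ACCESS_SAMPLE" | count_php_posts
printf 'root:x:0:0:root:/root:/bin/sh\nsite1:x:500:500::/home/site1:/bin/sh\n' | uid_to_name 500
```

On a live host the same functions take the real files, for example `count_pickup_by_uid < /var/log/maillog`, `count_php_posts < /var/log/httpd/access_log` (the access-log path is an assumption; use the vhost's log) and `uid_to_name 500 < /etc/passwd`. A busy uid on pickup lines with no matching smtpd/sasl_username lines points at a script on that account rather than a stolen mailbox password, which is the distinction Kailash12's list of causes turns on.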

Posted by Kailash12, 05-13-2014, 01:20 AM
There could be several reasons:
- Compromised scripts
- Compromised email accounts (in case emails are being sent using authentication)
- Outdated third-party scripts like WordPress, Joomla

First you will have to analyze your log to find where the spam originates, and then you can take corrective action. If you do not have much experience, I suggest you hire a management company immediately, because you may start receiving complaints from your DC, and if there is a large number of complaints they may block all outgoing emails.

Posted by shahzaibcw, 05-13-2014, 01:55 AM
Quote: "Is it always from webmaster@localhost? It could be a script (PHP, Perl, etc.) sending out via sendmail / a sendmail bridge. What user matches ID 500?"

ID 500 is related to a domain account, and yes, sendmail is sending tons of emails. I had to rename the sendmail binary in order to stop the spamming via sendmail until I find the malicious script. Is there any script which would help me find the compromised file?

Last edited by shahzaibcw; 05-13-2014 at 01:58 AM.
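Renaming the sendmail binary stops the flood but does not say which file is calling it. The usual next step, shown here as an added example that is not from the thread, is to put a small logging wrapper where the scripts expect sendmail: it records the calling directory, uid, the caller's script name and remote address where the environment exposes them, and the Subject of each message, then hands the message to the real binary. The paths /usr/sbin/sendmail.postfix and /var/log/sendmail-wrapper.log, the php.ini line in the comments and the sample message are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a logging sendmail wrapper.
# Assumed layout: the real binary has been moved to /usr/sbin/sendmail.postfix
# and this file is installed as /usr/local/bin/sendmail-wrapper (or as
# /usr/sbin/sendmail itself, to also catch Perl/shell scripts). For PHP:
#   php.ini:  sendmail_path = /usr/local/bin/sendmail-wrapper -t -i
# Override the two paths through the environment if the host differs.
REAL_SENDMAIL=${REAL_SENDMAIL:-/usr/sbin/sendmail.postfix}
WRAPPER_LOG=${WRAPPER_LOG:-/var/log/sendmail-wrapper.log}

# Constructed sample message, used only for the stand-alone demonstration.
MESSAGE_SAMPLE='From: webmaster@localhost
To: victim@example.com
Subject: Cheap offer

Subject: not a header, this line is in the body'

# Print the value of header $1 (case-insensitive) from a message on stdin.
# Header parsing stops at the first blank line so body text cannot spoof it.
header_value() {
    hdr="$1:"
    awk -v h="$hdr" '
        /^$/ { exit }
        tolower($1) == tolower(h) { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Build one log line. Args: timestamp uid pwd script remote subject.
# Empty script/remote/subject are logged as "-" so columns stay aligned.
format_entry() {
    printf '%s uid=%s pwd=%s script=%s remote=%s subject=%s\n' \
        "$1" "$2" "$3" "${4:--}" "${5:--}" "${6:--}"
}

# Wrapper entry point: spool the message, log it, relay it, keep sendmail's
# exit status. PWD is normally the calling script's directory under mod_php;
# SCRIPT_FILENAME and REMOTE_ADDR are only present when the SAPI exports
# CGI variables to child processes (CGI/suPHP-style setups).
main() {
    tmp=$(mktemp) || exit 75      # 75 = EX_TEMPFAIL, so the caller can retry
    cat > "$tmp"
    ts=$(date '+%Y-%m-%d %H:%M:%S')
    format_entry "$ts" "$(id -u)" "$PWD" "${SCRIPT_FILENAME:-}" \
        "${REMOTE_ADDR:-}" "$(header_value Subject < "$tmp")" >> "$WRAPPER_LOG"
    "$REAL_SENDMAIL" "$@" < "$tmp"
    rc=$?
    rm -f "$tmp"
    exit $rc
}

# Act as the wrapper only when invoked under one of the installed names;
# running or sourcing this file under another name sends nothing and just
# demonstrates the log format on the constructed sample.
case "${0##*/}" in
    sendmail-wrapper|sendmail) main "$@" ;;
    *) format_entry "2014-05-12 15:44:32" 500 /home/site1/public_html "" "" \
           "$(printf '%s\n' "$MESSAGE_SAMPLE" | header_value Subject)" ;;
esac
```

The log file must be writable by the user PHP runs as, and the wrapper must keep the `-t -i` arguments PHP passes, which is why it relays `"$@"` untouched. Sorting the log by the pwd column quickly shows the directory the spam comes from; uploads and cache directories are the usual finds. PHP 5.3 and later can also do this without a wrapper through the php.ini settings `mail.log` and `mail.add_x_header`, but those only see mail() calls, whereas a wrapper installed at /usr/sbin/sendmail sees every script that invokes the binary directly.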

Posted by gingir, 05-15-2014, 07:13 AM
I use mxtoolbox all the time too, I don't know what I would do without it.


