09-04-2007, 01:23 PM, #1, Junior Guru Wannabe (Join Date: Aug 2006; Location: USA; Posts: 79)
Thousands of emails being sent via sendmail to ne.jp emails. Help me find him...
Since Jan 07, one of our servers has been sending thousands of emails to ne.jp hosts.
E.g. from the logs:
Code:
Sep 4 19:11:11 debian sm-mta[25383]: l84FY9ME016602: to=, ctladdr= (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:11:11 debian sm-mta[25383]: l84FYB7d016734: to=, ctladdr= (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:11:11 debian sm-mta[25383]: l84FY9A4016629: to=, ctladdr= (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:11:11 debian sm-mta[25383]: l84FY9la016616: to=, ctladdr= (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:11:11 debian sm-mta[25383]: l84FYCkO016807: to=, ctladdr= (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:11:11 debian sm-mta[25383]: l84FYB7B016730: to=, ctladdr= (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:11:11 debian sm-mta[25383]: l84FYCO0016757: to=, ctladdr= (2001/2001), delay=01:36:59, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:11:11 debian sm-mta[25383]: l84FYDjq016819: to=, ctladdr= (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:11:11 debian sm-mta[25383]: l84FYBhL016751: to=, ctladdr= (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:11:11 debian sm-mta[25383]: l84FYDPw016811: to=, ctladdr= (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
So I'm wondering if it is possible to prevent sendmail from sending to:
lsean.ezweb.ne.jp, OR
docomo.ne.jp, OR
softbank.ne.jp
/var/mail/vhostswww logs are not showing helpful info at all. E.g.:
Code:
--l84GRnX3029819.1188924134/debian--

From MAILER-DAEMON Tue Sep 4 18:42:15 2007
Return-Path:
Received: from localhost (localhost)
        by debian (8.13.4/8.13.4/Debian-3sarge3) id l84GRnX4029819;
        Tue, 4 Sep 2007 18:42:15 +0200
Date: Tue, 4 Sep 2007 18:42:15 +0200
From: Mail Delivery Subsystem
Message-Id: <200709041642.l84GRnX4029819@debian>
To:
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="l84GRnX4029819.1188924135/debian"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--l84GRnX4029819.1188924135/debian

The original message was received at Tue, 4 Sep 2007 16:11:09 +0200
from localhost [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
    (reason: 550 Invalid recipient: )

   ----- Transcript of session follows -----
... while talking to mx.softbank.ne.jp.:
>>> DATA
<<< 550 Invalid recipient:
550 5.1.1 ... User unknown
<<< 503 No recipients specified

--l84GRnX4029819.1188924135/debian
Content-Type: message/delivery-status

Reporting-MTA: dns; debian
Arrival-Date: Tue, 4 Sep 2007 16:11:09 +0200

Final-Recipient: RFC822; a_j.n-y_bluespider-tattoo@softbank.ne.jp
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx.softbank.ne.jp
Diagnostic-Code: SMTP; 550 Invalid recipient:
Last-Attempt-Date: Tue, 4 Sep 2007 18:42:15 +0200

--l84GRnX4029819.1188924135/debian
Content-Type: text/rfc822-headers

Return-Path:
Received: from debian (localhost [127.0.0.1])
        by debian (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l84EB8f6011862
        for ; Tue, 4 Sep 2007 16:11:09 +0200
Received: (from vhostswww@localhost)
        by debian (8.13.4/8.13.4/Submit) id l84EB8CS011861;
        Tue, 4 Sep 2007 16:11:08 +0200
Date: Tue, 4 Sep 2007 16:11:08 +0200
Message-Id: <200709041411.l84EB8CS011861@debian>
To: a_j.n-y_bluespider-tattoo@softbank.ne.jp
Subject:
From: hanako.@docomo.ne.jp
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit

--l84GRnX4029819.1188924135/debian--

From MAILER-DAEMON Tue Sep 4 18:42:17 2007
Return-Path:
Received: from localhost (localhost)
        by debian (8.13.4/8.13.4/Debian-3sarge3) id l84GRnX5029819;
        Tue, 4 Sep 2007 18:42:17 +0200
Date: Tue, 4 Sep 2007 18:42:17 +0200
From: Mail Delivery Subsystem
Message-Id: <200709041642.l84GRnX5029819@debian>
To:
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="l84GRnX5029819.1188924137/debian"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--l84GRnX5029819.1188924137/debian

The original message was received at Tue, 4 Sep 2007 16:10:00 +0200
from localhost [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
    (reason: 550 Invalid recipient: )

   ----- Transcript of session follows -----
... while talking to mx.softbank.ne.jp.:
>>> DATA
<<< 550 Invalid recipient:
550 5.1.1 ... User unknown
<<< 503 No recipients specified

--l84GRnX5029819.1188924137/debian
Content-Type: message/delivery-status

Reporting-MTA: dns; debian
Arrival-Date: Tue, 4 Sep 2007 16:10:00 +0200

Final-Recipient: RFC822; a_j.n-y_bluespider-tattoo@softbank.ne.jp
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx.softbank.ne.jp
Diagnostic-Code: SMTP; 550 Invalid recipient:
Last-Attempt-Date: Tue, 4 Sep 2007 18:42:16 +0200

--l84GRnX5029819.1188924137/debian
Content-Type: text/rfc822-headers

Return-Path:
Received: from debian (localhost [127.0.0.1])
        by debian (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l84EA0jk007973
        for ; Tue, 4 Sep 2007 16:10:00 +0200
Received: (from vhostswww@localhost)
        by debian (8.13.4/8.13.4/Submit) id l84EA0Fh007971;
        Tue, 4 Sep 2007 16:10:00 +0200
Date: Tue, 4 Sep 2007 16:10:00 +0200
Message-Id: <200709041410.l84EA0Fh007971@debian>
To: a_j.n-y_bluespider-tattoo@softbank.ne.jp
Subject:
From: hanako.@docomo.ne.jp
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit

--l84GRnX5029819.1188924137/debian--
Additional info about system:
> Debian Linux, latest kernel
> Sendmail (we've tried postfix, exim, with same results)
> Non-cPanel system.
I'm also willing to pay anyone who's a top expert in this and can sort it out for us.
Thank you.
Andre
09-06-2007, 11:44 AM, #2, Engineer (Join Date: Jan 2005; Location: Scotland, UK; Posts: 2,681)
The best way is going to be your queue:
mailq -v -v
Then match the email ID with the queue files (such as /var/spool/mqueue). I assume your webserver is running as the same user that is sending the emails from above?
If so, you can also use find with specific grep parameters to match the most common mail strings for perl+php.
Server Management - AdminGeekZ.com
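As an added illustration of the approach in this reply (it is not code from the poster), here is a Python script that parses sm-mta delivery lines like the ones quoted in the thread, groups them by the controlling uid from the `ctladdr=` field (2001 in the original logs), flags uids whose outbound traffic is mostly deferred, and lists the queue IDs whose qf files can then be looked up under /var/spool/mqueue. The sample lines are constructed; the third one, with a hypothetical uid 1004 and relay mail.example.net, is only there for contrast.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the sm-mta lines quoted above; the thread's extraction
# blanked the to= and ctladdr= addresses, so they are blank here too. The third line is a
# hypothetical normal delivery by a different uid, added for contrast.
SAMPLE_LOG = """\
Sep 4 19:11:11 debian sm-mta[25383]: l84FY9ME016602: to=, ctladdr= (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:11:11 debian sm-mta[25383]: l84FYB7d016734: to=, ctladdr= (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep 4 19:12:40 debian sm-mta[25390]: l84FZ1aa016900: to=, ctladdr= (1004/1004), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30403, relay=mail.example.net., dsn=2.0.0, stat=Sent (OK)
"""

# One sm-mta delivery-attempt record: queue id, controlling uid/gid, relay, DSN code, status.
LINE_RE = re.compile(
    r"sm-mta\[\d+\]: (?P<qid>\w+): to=(?P<to>[^,]*), ctladdr=[^(]*\((?P<uid>\d+)/(?P<gid>\d+)\)"
    r".*?relay=(?P<relay>[^,]+), dsn=(?P<dsn>[\d.]+), stat=(?P<stat>.*)$"
)

def parse_line(line):
    """Return the fields of one delivery-attempt line, or None for any other syslog line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["relay"] = rec["relay"].rstrip(".")  # sendmail logs relay hosts with a trailing dot
    return rec

def summarize(log_text):
    """Group delivery attempts by controlling uid: totals, deferrals, relays and queue ids."""
    per_uid = defaultdict(lambda: {"total": 0, "deferred": 0, "relays": Counter(), "qids": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = per_uid[rec["uid"]]
        e["total"] += 1
        e["deferred"] += int(rec["dsn"].startswith("4."))  # 4.x.x = transient failure (Deferred)
        e["relays"][rec["relay"]] += 1
        e["qids"].append(rec["qid"])
    return dict(per_uid)

def suspicious_uids(summary, min_total=2, min_deferred_ratio=0.5):
    """Uids whose outbound volume is mostly stuck in deferral, a typical spam-run signature."""
    return sorted(uid for uid, e in summary.items()
                  if e["total"] >= min_total and e["deferred"] / e["total"] >= min_deferred_ratio)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print({uid: ["qf" + q for q in s[uid]["qids"]] for uid in suspicious_uids(s)})
```

Running it against a real /var/log/mail.log (read the file into `summarize`) gives the uid to match against the web server's user and the qf<QID> queue files to open for the originating script's headers.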
09-06-2007, 12:30 PM, #3, Junior Guru Wannabe (Join Date: Aug 2006; Location: USA; Posts: 79)
I assume your webserver is running as the same user that is sending the emails from above?
Here's what mailq -v -v returns:
Code:
debian: mailq -v -v
                MSP Queue status...
WARNING: local host name (debian) is not qualified; see cf/README: WHO AM I?
/var/spool/mqueue-client is empty
                Total requests: 0
                MTA Queue status...
WARNING: local host name (debian) is not qualified; see cf/README: WHO AM I?
                /var/spool/mqueue (2 requests)
-----Q-ID----- --Size-- -Priority- ---Q-Time--- --------Sender/Recipient--------
l865sHgG004224*     686 4261227+Sep  6 07:54 <vhostswww@debian>
                 (reply: read error from mail.orkeor.cn.)
                                         <etty@orkeor.cn>
                 (Deferred: Connection timed out with mail.orkeor.cn.)
l865u4kf004354      686 4351227+Sep  6 07:56 <vhostswww@debian>
                 (reply: read error from mail.zuzanna.cn.)
                                         <uio@zuzanna.cn>
                 (Deferred: Connection timed out with mail.zuzanna.cn.)
                Total requests: 2
You have new mail in /var/mail/root
debian:
Spam seems to have finally gone, but I'm assuming it's gonna come back, so still treating this as "please help" case.
09-06-2007, 02:17 PM, #4, Web Hosting Master (Join Date: Apr 2004; Location: Singapore; Posts: 1,522)
It seems to be sending from web scripts. You might want to patch PHP so that you know who is sending out from PHP scripts.
http://choon.net/php-mail-header.php
tanfwc
09-07-2007, 09:15 AM, #5, Junior Guru Wannabe (Join Date: Aug 2006; Location: USA; Posts: 79)
Already done a long time ago.
Thing is it's not showing in the logs.
And our server config only allows sendmail for paid members. So it's none of them.
Meaning a non-activated sendmail member is sending this. Likely found an exploit.
09-13-2007, 09:02 PM, #6, WHT Addict (Join Date: Dec 2002; Posts: 129)
I'm going to hazard a wild guess based on something I encountered earlier involving zuzanna.cn. (I was searching on the domain, and your post here came up.)
One of your paid members may have been hit with a trojan from that site, possibly turning their PC into a "zombie box" that is being used to send spam.
09-13-2007, 09:09 PM, #7, Junior Guru Wannabe (Join Date: Aug 2006; Location: USA; Posts: 79)
Resolved issue.