  1. #1
    Join Date
    Aug 2006
    Location
    USA
    Posts
    79

    Thousands of emails being sent via sendmail to ne.jp emails. Help me find him...

    Since Jan 07, one of our servers has been sending thousands of emails to ne.jp hosts.

    Eg from logs:

    Code:
    Sep  4 19:11:11 debian sm-mta[25383]: l84FY9ME016602: to=, ctladdr= (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
    
    Sep  4 19:11:11 debian sm-mta[25383]: l84FYB7d016734: to=, ctladdr= (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
    
    Sep  4 19:11:11 debian sm-mta[25383]: l84FY9A4016629: to=, ctladdr= (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
    
    Sep  4 19:11:11 debian sm-mta[25383]: l84FY9la016616: to=, ctladdr= (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
    
    Sep  4 19:11:11 debian sm-mta[25383]: l84FYCkO016807: to=, ctladdr= (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
    
    Sep  4 19:11:11 debian sm-mta[25383]: l84FYB7B016730: to=, ctladdr= (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
    
    Sep  4 19:11:11 debian sm-mta[25383]: l84FYCO0016757: to=, ctladdr= (2001/2001), delay=01:36:59, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
    
    Sep  4 19:11:11 debian sm-mta[25383]: l84FYDjq016819: to=, ctladdr= (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
    
    Sep  4 19:11:11 debian sm-mta[25383]: l84FYBhL016751: to=, ctladdr= (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
    
    Sep  4 19:11:11 debian sm-mta[25383]: l84FYDPw016811: to=, ctladdr= (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
    We're absolutely unable to track or find out who is sending it or how to stop this.

    So I'm wondering if it is possible to prevent sendmail from sending to:

    lsean.ezweb.ne.jp, OR
    docomo.ne.jp, OR
    softbank.ne.jp

    /var/mail/vhostswww logs are not showing helpful info at all. Eg:

    Code:
    --l84GRnX3029819.1188924134/debian--
    
    From MAILER-DAEMON  Tue Sep  4 18:42:15 2007
    Return-Path: 
    Received: from localhost (localhost)
        by debian (8.13.4/8.13.4/Debian-3sarge3) id l84GRnX4029819;
        Tue, 4 Sep 2007 18:42:15 +0200
    Date: Tue, 4 Sep 2007 18:42:15 +0200
    From: Mail Delivery Subsystem 
    Message-Id: <200709041642.l84GRnX4029819@debian>
    To: 
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
        boundary="l84GRnX4029819.1188924135/debian"
    Subject: Returned mail: see transcript for details
    Auto-Submitted: auto-generated (failure)
    
    This is a MIME-encapsulated message
    
    --l84GRnX4029819.1188924135/debian
    
    The original message was received at Tue, 4 Sep 2007 16:11:09 +0200
    from localhost [127.0.0.1]
    
       ----- The following addresses had permanent fatal errors -----
    
        (reason: 550 Invalid recipient: )
    
       ----- Transcript of session follows -----
    ... while talking to mx.softbank.ne.jp.:
    >>> DATA
    <<< 550 Invalid recipient: 
    550 5.1.1 ... User unknown
    <<< 503 No recipients specified
    
    --l84GRnX4029819.1188924135/debian
    Content-Type: message/delivery-status
    
    Reporting-MTA: dns; debian
    Arrival-Date: Tue, 4 Sep 2007 16:11:09 +0200
    
    Final-Recipient: RFC822; a_j.n-y_bluespider-tattoo@softbank.ne.jp
    Action: failed
    Status: 5.1.1
    Remote-MTA: DNS; mx.softbank.ne.jp
    Diagnostic-Code: SMTP; 550 Invalid recipient: 
    Last-Attempt-Date: Tue, 4 Sep 2007 18:42:15 +0200
    
    --l84GRnX4029819.1188924135/debian
    Content-Type: text/rfc822-headers
    
    Return-Path: 
    Received: from debian (localhost [127.0.0.1])
        by debian (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l84EB8f6011862
        for ; Tue, 4 Sep 2007 16:11:09 +0200
    Received: (from vhostswww@localhost)
        by debian (8.13.4/8.13.4/Submit) id l84EB8CS011861;
        Tue, 4 Sep 2007 16:11:08 +0200
    Date: Tue, 4 Sep 2007 16:11:08 +0200
    Message-Id: <200709041411.l84EB8CS011861@debian>
    To: a_j.n-y_bluespider-tattoo@softbank.ne.jp
    Subject: 
    From: hanako.@docomo.ne.jp
    Mime-Version: 1.0
    Content-Type: text/plain; charset=ISO-2022-JP
    Content-Transfer-Encoding: 7bit
    
    --l84GRnX4029819.1188924135/debian--
    
    From MAILER-DAEMON  Tue Sep  4 18:42:17 2007
    Return-Path: 
    Received: from localhost (localhost)
        by debian (8.13.4/8.13.4/Debian-3sarge3) id l84GRnX5029819;
        Tue, 4 Sep 2007 18:42:17 +0200
    Date: Tue, 4 Sep 2007 18:42:17 +0200
    From: Mail Delivery Subsystem 
    Message-Id: <200709041642.l84GRnX5029819@debian>
    To: 
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
        boundary="l84GRnX5029819.1188924137/debian"
    Subject: Returned mail: see transcript for details
    Auto-Submitted: auto-generated (failure)
    
    This is a MIME-encapsulated message
    
    --l84GRnX5029819.1188924137/debian
    
    The original message was received at Tue, 4 Sep 2007 16:10:00 +0200
    from localhost [127.0.0.1]
    
       ----- The following addresses had permanent fatal errors -----
    
        (reason: 550 Invalid recipient: )
    
       ----- Transcript of session follows -----
    ... while talking to mx.softbank.ne.jp.:
    >>> DATA
    <<< 550 Invalid recipient: 
    550 5.1.1 ... User unknown
    <<< 503 No recipients specified
    
    --l84GRnX5029819.1188924137/debian
    Content-Type: message/delivery-status
    
    Reporting-MTA: dns; debian
    Arrival-Date: Tue, 4 Sep 2007 16:10:00 +0200
    
    Final-Recipient: RFC822; a_j.n-y_bluespider-tattoo@softbank.ne.jp
    Action: failed
    Status: 5.1.1
    Remote-MTA: DNS; mx.softbank.ne.jp
    Diagnostic-Code: SMTP; 550 Invalid recipient: 
    Last-Attempt-Date: Tue, 4 Sep 2007 18:42:16 +0200
    
    --l84GRnX5029819.1188924137/debian
    Content-Type: text/rfc822-headers
    
    Return-Path: 
    Received: from debian (localhost [127.0.0.1])
        by debian (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l84EA0jk007973
        for ; Tue, 4 Sep 2007 16:10:00 +0200
    Received: (from vhostswww@localhost)
        by debian (8.13.4/8.13.4/Submit) id l84EA0Fh007971;
        Tue, 4 Sep 2007 16:10:00 +0200
    Date: Tue, 4 Sep 2007 16:10:00 +0200
    Message-Id: <200709041410.l84EA0Fh007971@debian>
    To: a_j.n-y_bluespider-tattoo@softbank.ne.jp
    Subject: 
    From: hanako.@docomo.ne.jp
    Mime-Version: 1.0
    Content-Type: text/plain; charset=ISO-2022-JP
    Content-Transfer-Encoding: 7bit
    
    --l84GRnX5029819.1188924137/debian--
    How would I solve this problem? It's making our server load sky-high 24/7.

    Additional info about system:
    > Debian Linux, latest kernel
    > Sendmail (we've tried postfix, exim, with same results)
    > Non cPanel system.


    I'm also willing to pay anyone who's a top expert in this and can sort it out for us.

    Thank you.
    Andre

  2. #2
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    The best way is going to be your queue:

    mailq -v -v

    Then match the email id with the queue files (such as /var/spool/mqueue). I assume your webserver is running as the same user that is sending the emails from above?

    If so you can also use find with specific grep parameters to match the most common mail strings for perl+php.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com
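One way to act on the advice in this post (an added example, not code from the thread): a small POSIX shell script that ranks sendmail "to=" log lines by the controlling uid in ctladdr and by relay host, then lists the queue IDs submitted by one uid so they can be matched to the qf/df files under /var/spool/mqueue. The log lines in it are constructed in the shape of the ones posted above; the second account name and uid 1005 are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): pull the controlling Unix account
# (ctladdr=... (uid/gid)) and the relay host out of sendmail "to=" log lines
# and rank them, then list the queue IDs for one uid so they can be matched to
# /var/spool/mqueue/qf<ID> and df<ID>. The uid, not the forged From: header,
# identifies which local account (here the web server user) handed the mail to
# sendmail. The log lines below are CONSTRUCTED in the shape of the thread's
# lines; on a real host feed /var/log/mail.log on stdin instead.

SAMPLE_LOG=$(cat <<'EOF'
Sep  4 19:11:11 debian sm-mta[25383]: l84FY9ME016602: to=<hanako@ezweb.ne.jp>, ctladdr=<vhostswww@debian> (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep  4 19:11:11 debian sm-mta[25383]: l84FYB7d016734: to=<taro@ezweb.ne.jp>, ctladdr=<vhostswww@debian> (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep  4 19:11:11 debian sm-mta[25383]: l84FY9A4016629: to=<yuki@ezweb.ne.jp>, ctladdr=<vhostswww@debian> (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep  4 19:11:12 debian sm-mta[25390]: l84FYCkO016807: to=<ken@docomo.ne.jp>, ctladdr=<vhostswww@debian> (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=mx.docomo.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with mx.docomo.ne.jp.
Sep  4 19:11:12 debian sm-mta[25391]: l84FYDjq016819: to=<ops@example.com>, ctladdr=<backup@debian> (1005/1005), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30403, relay=mx.example.com., dsn=2.0.0, stat=Sent (OK)
EOF
)

# Count messages per controlling uid: prints "uid ctladdr count", busiest first.
summarize_by_ctladdr() {
  sed -n 's|.*ctladdr=\([^ ]*\) (\([0-9]*\)/[0-9]*).*|\2 \1|p' \
    | sort | uniq -c | sort -rn \
    | awk '{printf "%s %s %s\n", $2, $3, $1}'
}

# Count messages per relay host (IP suffix, if any, dropped): "relay count".
summarize_by_relay() {
  sed -n 's|.*relay=\([^ ,]*\).*|\1|p' \
    | sort | uniq -c | sort -rn \
    | awk '{printf "%s %s\n", $2, $1}'
}

# Queue IDs submitted by one uid ($1); each maps to qf<ID>/df<ID> in the queue dir.
queue_ids_for_uid() {
  sed -n "s|.*]: \([A-Za-z0-9]*\): to=.*ctladdr=[^ ]* ($1/[0-9]*).*|\1|p" | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | summarize_by_ctladdr
printf '%s\n' "$SAMPLE_LOG" | summarize_by_relay
printf '%s\n' "$SAMPLE_LOG" | queue_ids_for_uid 2001
```

The uid that tops the first list is the account to look at in the queue files and in the web tree it owns; the queue IDs it returns are the qf file names to inspect.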

  3. #3
    Join Date
    Aug 2006
    Location
    USA
    Posts
    79
    I assume your webserver is running as the same user that is sending the emails from above?
    No. It's running vhostswww which is for users apache/sendmail.

    Here's what mailq -v -v returns:

    Code:
    debian: mailq -v -v
    
    MSP Queue status...
    WARNING: local host name (debian) is not qualified; see cf/README: WHO AM I?
    /var/spool/mqueue-client is empty
                    Total requests: 0
    
    MTA Queue status...
    WARNING: local host name (debian) is not qualified; see cf/README: WHO AM I?
                    /var/spool/mqueue (2 requests)
    
    -----Q-ID----- --Size-- -Priority- ---Q-Time--- --------Sender/Recipient--------
    l865sHgG004224*     686    4261227+Sep  6 07:54 <vhostswww@debian>
                     (reply: read error from mail.orkeor.cn.)
                                                    <etty@orkeor.cn>
                     (Deferred: Connection timed out with mail.orkeor.cn.)
    
    l865u4kf004354      686    4351227+Sep  6 07:56 <vhostswww@debian>
                     (reply: read error from mail.zuzanna.cn.)
                                                    <uio@zuzanna.cn>
                     (Deferred: Connection timed out with mail.zuzanna.cn.)
    
                    Total requests: 2
    
    You have new mail in /var/mail/root
    debian:
    Not much helpful info.

    Spam seems to have finally gone, but I'm assuming it's gonna come back, so still treating this as "please help" case.

  4. #4
    Join Date
    Apr 2004
    Location
    Singapore
    Posts
    1,522
    It seems to be sending from web scripts. You might want to patch PHP so that you know who is sending out from PHP scripts.

    http://choon.net/php-mail-header.php
    tanfwc

  5. #5
    Join Date
    Aug 2006
    Location
    USA
    Posts
    79
    Already done a long time ago.

    Thing is it's not showing in the logs.

    And our server config only allows sendmail for paid members. So it's none of them.

    Meaning a non-activated sendmail member is sending this. Likely found an exploit.

  6. #6
    Join Date
    Dec 2002
    Posts
    129
    Quote Originally Posted by astounding:
    And our server config only allows sendmail for paid members. So it's none of them.

    Meaning a non-activated sendmail member is sending this. Likely found an exploit.
    I'm going to hazard a wild guess based on something I encountered earlier involving zuzanna.cn. (I was searching on the domain, and your post here came up.)

    One of your paid members may have been hit with a trojan from that site, possibly turning their PC into a "zombie box" that is being used to send spam.

  7. #7
    Join Date
    Aug 2006
    Location
    USA
    Posts
    79
    Resolved issue.
