Date: Mon, 21 Jan 2019 08:31:48 -0600
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: freebsd-questions@freebsd.org
Subject: Re: Trying to understand some email issues
Message-ID: <ee13fc68-3214-927f-274f-4b95544af061@kicp.uchicago.edu>
In-Reply-To: <CAFDHx1JFWH8FAJ3nbvZC3m6CCpbjCqrG01PYNMOHJSKo2HnWWQ@mail.gmail.com>
References: <CAFDHx1JFWH8FAJ3nbvZC3m6CCpbjCqrG01PYNMOHJSKo2HnWWQ@mail.gmail.com>
On 1/21/19 12:33 AM, Patrick Mahan wrote:
> All,
>
> FreeBSD 11.2
>
> Running postfix 3.3.2_1,1
>
> I'm getting hammered with thousands of emails from yahoo.com -
>
> Here is an example -
>
> Jan 20 22:09:01 ns postfix/smtp[1308]: 2DA97A2E2EF: to=<pwascak@aol.com>,
> relay=mx-aol.mail.gm0.yahoodns.net[98.137.157.43]:25, delay=13730,
> delays=13728/0.31/1.1/0.06, dsn=4.7.0, status=deferred (host
> mx-aol.mail.gm0.yahoodns.net[98.137.157.43] said: 421 4.7.0 [TSS04]
> Messages from 23.24.207.145 temporarily deferred due to user complaints -
> 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply
> to MAIL FROM command))
>
> I'm trying to determine if I am somehow relaying emails to yahoo.com, or is
> this someone attacking me.
>
> I am pretty sure I have postfix configured to avoid acting like a relay for
> unauthenticated connections. But this may be something I have messed up.
> This has been happening only since I upgraded to 11.2 (I was at 9.x). I
> also just recently switched from sendmail to postfix as well.
>
> I can provide my postfix config on request if needed.
>
> Pointers to other mail-lists are welcomed. I decided to start here before
> jumping on the postfix mailing list.

Do your users have shell access to your mail server? If yes, then I would
check that nothing happens from one of the user accounts (stolen password,
bad guys got shell as that user). They can set up a process that loads
addresses from a remote place and sends spam messages to them all. Most
often they would do it through your postfix locally. Then the postfix queue
will be big from time to time. And you will see this in maillog. In the less
likely scenario (of it really originating from you) where the script sends
directly itself, you may increase the verbosity of the firewall log. One more
thing to check is that there are no unexplained processes on the machine.

If the machine is simultaneously a web server, that would be the next
suspect. There may be some form that sends email to an address provided by
the web visitor.

But this will be one of the possibilities which most likely will be visible
in your mail logs.

After you investigated all on your side (or maybe even before that), do as
Odhiambo suggested: go to the yahoo URL provided and read what they say there.

Good luck.

Valeri

>
> Thanks in advance,
>
> Patrick
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
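As an added example (not part of the thread), a small sh/awk script that does the maillog check Valeri describes: for every message logged as deferred, look up how it entered Postfix, a postfix/pickup line with uid= (submitted locally, pointing at a user account or script on the box) or a postfix/smtpd line with client= (received over SMTP, which would be the relay case). The function name classify_deferred and all sample log lines are mine; the first deferred line reproduces the one Patrick posted, the rest are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): correlate deferred deliveries in a
# Postfix maillog with how each message entered the queue. postfix/pickup
# logs "uid=N" for mail submitted locally (a user account or script on the
# box); postfix/smtpd logs "client=host[ip]" for mail received over SMTP.
# Sample lines are constructed; the first smtp line copies the thread's.
SAMPLE_LOG=$(cat <<'EOF'
Jan 20 22:08:40 ns postfix/pickup[900]: 2DA97A2E2EF: uid=1001 from=<user1@example.com>
Jan 20 22:08:50 ns postfix/smtpd[1200]: 3EB55A2E2F0: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=bob
Jan 20 22:09:01 ns postfix/smtp[1308]: 2DA97A2E2EF: to=<pwascak@aol.com>, relay=mx-aol.mail.gm0.yahoodns.net[98.137.157.43]:25, delay=13730, delays=13728/0.31/1.1/0.06, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.137.157.43] said: 421 4.7.0 [TSS04] Messages from 23.24.207.145 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
Jan 20 22:09:03 ns postfix/smtp[1309]: 3EB55A2E2F0: to=<someone@yahoo.com>, relay=mta5.am0.yahoodns.net[203.0.113.20]:25, delay=12, delays=11/0.2/0.5/0.1, dsn=4.7.0, status=deferred (host mta5.am0.yahoodns.net[203.0.113.20] said: 421 4.7.0 [TSS04] temporarily deferred (in reply to MAIL FROM command))
Jan 20 22:09:05 ns postfix/smtp[1310]: 4FC66A2E2F1: to=<other@yahoo.com>, relay=none, delay=3, delays=3/0/0/0, dsn=4.4.1, status=deferred (connect to mta5.am0.yahoodns.net[203.0.113.20]:25: Connection refused)
Jan 20 22:09:07 ns postfix/smtp[1311]: 5AB77A2E2F2: to=<ok@example.org>, relay=mail.example.org[203.0.113.9]:25, delay=1, delays=0.5/0.1/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABC123)
EOF
)

# classify_deferred: read a maillog on stdin, print "QUEUEID<TAB>origin" for
# every queue ID with a deferred delivery; origin is "local uid=N",
# "network client=...", or "unknown" (origin line not in the excerpt).
classify_deferred() {
    awk '
        # The queue ID is field 6, logged with a trailing colon.
        function qid() { id = $6; sub(/:$/, "", id); return id }
        /postfix\/pickup\[/ && match($0, /uid=[0-9]+/) {
            origin[qid()] = "local " substr($0, RSTART, RLENGTH)
        }
        /postfix\/smtpd\[/ && match($0, /client=[^,]+/) {
            origin[qid()] = "network " substr($0, RSTART, RLENGTH)
        }
        /postfix\/smtp\[/ && /status=deferred/ { deferred[qid()] = 1 }
        END {
            for (id in deferred) {
                o = (id in origin) ? origin[id] : "unknown"
                printf "%s\t%s\n", id, o
            }
        }
    ' | LC_ALL=C sort
}

# Run on the constructed sample when executed directly; on a real box feed
# it /var/log/maillog instead.
printf '%s\n' "$SAMPLE_LOG" | classify_deferred
```

A run of "local" origins from one uid points at a compromised account or a script under it; "network" origins with no sasl_username are the open-relay case Patrick is worried about.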