Server sending spam – how to find out why?

6bytes asked:

I have a CentOS 6 on a dedicated server. I’m the only one with shell access to it.
I host 2 WordPress and few simple PHP sites there. My hosting company just emailed me that they blocked my port 25 as I’m sending spam.

# cat /var/log/maillog
Jul 11 16:43:28 stock postfix/smtp[31689]: 2D55610D3EE: to=<bgpvv@athoise.com>, relay=mail.athoise.com[217.16.10.3]:25, delay=0.53, delays=0.04/0/0.42/0.07, dsn=5.1.1, status=bounced (host mail.athoise.com[217.16.10.3] said: 550 5.1.1 <bgpvv@athoise.com>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Jul 11 16:43:28 stock postfix/qmgr[15611]: 2D55610D3EE: removed
Jul 11 16:45:09 stock postfix/qmgr[15611]: C836D10D3AA: from=<>, size=15048, nrcpt=1 (queue active)
Jul 11 16:45:40 stock postfix/smtp[31836]: connect to syad.net[208.91.197.27]:25: Connection timed out
Jul 11 16:45:40 stock postfix/smtp[31836]: C836D10D3AA: to=<ngsukxaqiq@syad.net>, relay=none, delay=424757, delays=424727/0.02/30/0, dsn=4.4.1, status=deferred (connect to syad.net[208.91.197.27]:25: Connection timed out)
Jul 11 16:45:48 stock postfix/anvil[31682]: statistics: max connection rate 1/60s for (smtp:92.84.169.239) at Jul 11 16:42:27
Jul 11 16:45:48 stock postfix/anvil[31682]: statistics: max connection count 1 for (smtp:92.84.169.239) at Jul 11 16:42:27
Jul 11 16:45:48 stock postfix/anvil[31682]: statistics: max cache size 1 at Jul 11 16:42:27
Jul 11 16:50:09 stock postfix/qmgr[15611]: AC61110D254: from=<medications-discounted6@odessa.ua>, size=54804, nrcpt=1 (queue active)
Jul 11 16:50:57 stock postfix/smtp[32061]: AC61110D254: host gmail-smtp-in.l.google.com[2a00:1450:400c:c05::1b] said: 421-4.7.0 [2001:41d0:2:a9e5::1      15] Our system has detected an unusual rate 421-4.7.0 of unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. ej4si5267528wid.3 - gsmtp (in reply to end of DATA command)
Jul 11 16:51:42 stock postfix/smtp[32061]: AC61110D254: to=<MY REAL EMAIL ADDRESS WAS HERE>, orig_to=<MY REAL EMAIL ADDRESS WAS HERE>, relay=gmail-smtp-in.l.google.com[173.194.67.26]:25, delay=1438, delays=1345/0.02/62/32, dsn=4.7.0, status=deferred (host gmail-smtp-in.l.google.com[173.194.67.26] said: 421-4.7.0 [188.165.222.229      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. fr7si4416957wib.79 - gsmtp (in reply to end of DATA command))
Jul 11 16:55:09 stock postfix/qmgr[15611]: 51C0910D03F: from=<pharmacy_affordable15@spdop.ru>, size=55141, nrcpt=1 (queue active)
Jul 11 16:55:38 stock postfix/smtp[32284]: 51C0910D03F: host gmail-smtp-in.l.google.com[2a00:1450:400c:c05::1a] said: 421-4.7.0 [2001:41d0:2:a9e5::1      15] Our system has detected an unusual rate 421-4.7.0 of unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. pi9si4491273wjb.81 - gsmtp (in reply to end of DATA command)
Jul 11 16:56:09 stock postfix/smtp[32284]: 51C0910D03F: to=<MY REAL EMAIL ADDRESS WAS HERE>, orig_to=<MY REAL EMAIL ADDRESS WAS HERE>, relay=gmail-smtp-in.l.google.com[173.194.67.26]:25, delay=80376, delays=80316/0.02/50/11, dsn=4.7.0, status=deferred (host gmail-smtp-in.l.google.com[173.194.67.26] said: 421-4.7.0 [188.165.222.229      15] Our system has detected an unusual rate of 421-4.7.0 unsolicited mail originating from your IP address. To protect our 421-4.7.0 users from spam, mail sent from your IP address has been temporarily 421-4.7.0 rate limited. Please visit 421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk 421 4.7.0 Email Senders Guidelines. hj12si4501206wib.8 - gsmtp (in reply to end of DATA command))
Jul 11 17:00:09 stock postfix/qmgr[15611]: 64DEB10D2B9: from=<>, size=4743, nrcpt=1 (queue active)
Jul 11 17:00:11 stock postfix/smtp[32552]: 64DEB10D2B9: to=<wojtekd28@primesentry.com>, relay=none, delay=84582, delays=84580/0.02/1.9/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=primesentry.com type=MX: Host not found, try again)
Jul 11 17:05:49 stock dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=92.45.136.23, lip=188.165.222.229
Jul 11 17:06:17 stock dovecot: pop3-login: Disconnected (tried to use disabled plaintext auth): rip=92.45.136.23, lip=188.165.222.229
Jul 11 17:10:09 stock postfix/qmgr[15611]: 3E11910D212: from=<drugs_popular1@starnet.md>, size=58247, nrcpt=1 (queue active)

All of the above is SPAM.
How can I find out where it’s being sent from? Is it a hole in WordPress, is it some malicious script somehow installed on my server? Is it something else?

Any help greatly appreciated.
Thanks.

My answer:


From your log it appears that the messages were originally delivered to an email address on your server, which is set up to forward to a Gmail address.

Because the messages are spam, they are being seen as such when you send them back out.

My recommendation would be to not forward mail in this manner at all, and simply receive it here and deal with it here. Most of us have multiple email addresses to deal with, and it isn’t terribly inconvenient.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.