Open relay or some other issue?

kojow7 asked:

I am running a dovecot/postfix server with virtual users/aliases. According to tools such as http://www.mailradar.com/openrelay/ I do not have any open relays. However, I am getting a lot of records showing up in my syslog that would lead me to think something is being accessed that should not be accessed. Here is a portion of my syslog (with self-identifying information changed of course):

Feb 18 10:13:42 server1 postfix/pickup[3995]: 1A6413627F: uid=33 from=<www-data>
Feb 18 10:13:42 server1 postfix/cleanup[3826]: 1A6413627F: message-id=<20160218161342.1A6413627F@server1.myserverdomain.com>
Feb 18 10:13:42 server1 opendkim[4285]: 1A6413627F: no signing table match for 'noreply@server1.myserverdomain.com'
Feb 18 10:13:42 server1 opendkim[4285]: 1A6413627F: no signature data
Feb 18 10:13:42 server1 postfix/qmgr[4479]: 1A6413627F: from=<www-data@myemaildomain.com>, size=2153, nrcpt=1 (queue active)
Feb 18 10:13:43 server1 postfix/smtp[4007]: 1A6413627F: to=<a...a@mail.ru>, relay=mxs.mail.ru[217.69.139.150]:25, delay=1.9, delays=0.01/0/0.77/1.1, dsn=2.0.0, status=sent (250 OK id=1aWRD5-0005o9-J0)
Feb 18 10:13:43 server1 postfix/qmgr[4479]: 1A6413627F: removed


Feb 18 10:13:54 server1 postfix/pickup[3995]: 5CF523627F: uid=33 from=<www-data>
Feb 18 10:13:54 server1 postfix/cleanup[3826]: 5CF523627F: message-id=<20160218161354.5CF523627F@server1.myserverdomain.com>
Feb 18 10:13:54 server1 opendkim[4285]: 5CF523627F: no signing table match for 'noreply@server1.myserverdomain.com'
Feb 18 10:13:54 server1 opendkim[4285]: 5CF523627F: no signature data
Feb 18 10:13:54 server1 postfix/qmgr[4479]: 5CF523627F: from=<www-data@myemaildomain.com>, size=2158, nrcpt=1 (queue active)
Feb 18 10:13:55 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:48:b9:08:00 SRC=45.33.58.84 DST=216.58.192.14 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=45696 PROTO=UDP SPT=53 DPT=51450 LEN=53 
Feb 18 10:13:55 server1 postfix/smtp[3982]: 5CF523627F: to=<y...s@mail.ru>, relay=mxs.mail.ru[217.69.139.150]:25, delay=1.6, delays=0.01/0/0.55/1, dsn=2.0.0, status=sent (250 OK id=1aWRDH-0003yi-IS)
Feb 18 10:13:55 server1 postfix/qmgr[4479]: 5CF523627F: removed


Feb 18 10:14:02 server1 postfix/pickup[3995]: A72D73627F: uid=33 from=<www-data>
Feb 18 10:14:02 server1 postfix/cleanup[3826]: A72D73627F: message-id=<20160218161402.A72D73627F@server1.myserverdomain.com>
Feb 18 10:14:02 server1 opendkim[4285]: A72D73627F: no signing table match for 'noreply@server1.myserverdomain.com'
Feb 18 10:14:02 server1 opendkim[4285]: A72D73627F: no signature data
Feb 18 10:14:02 server1 postfix/qmgr[4479]: A72D73627F: from=<www-data@myemaildomain.com>, size=2172, nrcpt=1 (queue active)
Feb 18 10:14:02 server1 postfix/smtp[4002]: A72D73627F: to=<c....8@gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:400e:c03::1b]:25, delay=0.24, delays=0.01/0/0.09/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK 1455812042 u6si8951789par.57 - gsmtp)
Feb 18 10:14:02 server1 postfix/qmgr[4479]: A72D73627F: removed

Feb 18 10:14:44 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:f2:a4:08:00 SRC=181.194.185.98 DST=216.58.192.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=33433 DF PROTO=TCP SPT=54753 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 
Feb 18 10:14:47 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:f2:a4:08:00 SRC=181.194.185.98 DST=216.58.192.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=33434 DF PROTO=TCP SPT=54753 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 
Feb 18 10:14:53 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:f2:a4:08:00 SRC=181.194.185.98 DST=216.58.192.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=33435 DF PROTO=TCP SPT=54753 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 
Feb 18 10:15:01 server1 /USR/SBIN/CRON[4054]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)

Feb 18 10:15:02 server1 postfix/pickup[3995]: CDA813627F: uid=33 from=<www-data>
Feb 18 10:15:02 server1 postfix/cleanup[3826]: CDA813627F: message-id=<20160218161502.CDA813627F@server1.myserverdomain.com>
Feb 18 10:15:02 server1 opendkim[4285]: CDA813627F: no signing table match for 'noreply@server1.myserverdomain.com'
Feb 18 10:15:02 server1 opendkim[4285]: CDA813627F: no signature data
Feb 18 10:15:02 server1 postfix/qmgr[4479]: CDA813627F: from=<www-data@myemaildomain.com>, size=2141, nrcpt=1 (queue active)
Feb 18 10:15:03 server1 postfix/smtp[4007]: CDA813627F: host mta6.am0.yahoodns.net[98.138.112.35] said: 421 4.7.0 [GL01] Message from (216.58.192.14) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html (in reply to MAIL FROM command)
Feb 18 10:15:03 server1 postfix/smtp[4007]: CDA813627F: lost connection with mta6.am0.yahoodns.net[98.138.112.35] while sending RCPT TO
Feb 18 10:15:04 server1 postfix/smtp[4007]: CDA813627F: to=<s...6@yahoo.com>, relay=mta6.am0.yahoodns.net[66.196.118.34]:25, delay=1.3, delays=0.02/0/0.49/0.77, dsn=2.0.0, status=sent (250 ok dirdel)
Feb 18 10:15:04 server1 postfix/qmgr[4479]: CDA813627F: removed

Any ideas what the issue is?

My answer:


These messages originate from the user ID running your web server and its web applications. In short, your web site has been hacked, and it is being used to send spam.


View the full question and answer on Server Fault.
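The tell in the log above is the `postfix/pickup` line: `uid=33 from=<www-data>` means the message was handed to Postfix through the local sendmail interface by the web server's user, not received over SMTP from an outside client, which is why an open-relay scan comes back clean. The following added example (mine, not part of the question or the answer) shows the triage a practitioner would run over the syslog: correlate the pickup, qmgr and delivery lines by queue ID, flag messages injected by the web-server uid and addressed to domains the box does not host, and report the recipient domains and injection rate. It assumes uid 33 is `www-data` (as on Debian/Ubuntu; verify with `getent passwd 33`) and a list of locally hosted domains; the sample log lines are constructed after the ones in the question.

```python
"""Find mail injected by the web-server uid and sent off-box, from Postfix syslog."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumptions (not from the original post): uid 33 is www-data, as on
# Debian/Ubuntu, and these are the domains this server itself hosts.
WEB_UIDS = {33}
LOCAL_DOMAINS = {"myemaildomain.com", "server1.myserverdomain.com"}

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
# pickup(8): message injected locally via /usr/sbin/sendmail; records the caller's uid.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
# qmgr(8): envelope sender, size and recipient count once the message is queued.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
# Delivery agents: one line per recipient with the relay used and the final status.
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|local|virtual|lmtp)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")


@dataclass
class Msg:
    qid: str
    ts: str = ""                      # timestamp of the pickup line
    uid: Optional[int] = None         # uid that injected the message (None if via SMTP)
    sender: str = ""
    size: int = 0
    rcpts: List[str] = field(default_factory=list)
    statuses: List[str] = field(default_factory=list)


def parse(lines) -> Dict[str, Msg]:
    """Correlate pickup/qmgr/delivery lines by Postfix queue ID."""
    msgs: Dict[str, Msg] = {}
    for line in lines:
        m = PICKUP_RE.search(line)
        if m:
            msg = msgs.setdefault(m["qid"], Msg(m["qid"]))
            msg.uid = int(m["uid"])
            ts = TS_RE.match(line)
            msg.ts = ts["ts"] if ts else ""
            continue
        m = QMGR_RE.search(line)
        if m:
            msg = msgs.setdefault(m["qid"], Msg(m["qid"]))
            msg.sender, msg.size = m["from"], int(m["size"])
            continue
        m = DELIVERY_RE.search(line)
        if m:
            msg = msgs.setdefault(m["qid"], Msg(m["qid"]))
            msg.rcpts.append(m["to"])
            msg.statuses.append(m["status"])
    return msgs


def web_originated(msgs: Dict[str, Msg], local_domains=LOCAL_DOMAINS,
                   web_uids=WEB_UIDS) -> Dict[str, List[str]]:
    """Queue IDs injected by the web-server uid with at least one recipient
    outside the hosted domains, mapped to those external recipients. A web app
    mailing its own domain (password resets, contact forms) is expected; a web
    app mailing the world at large is the spam signature the answer describes."""
    flagged: Dict[str, List[str]] = {}
    for msg in msgs.values():
        if msg.uid not in web_uids:
            continue
        external = [r for r in msg.rcpts
                    if r.rsplit("@", 1)[-1].lower() not in local_domains]
        if external:
            flagged[msg.qid] = external
    return flagged


def recipient_domains(flagged: Dict[str, List[str]]) -> Counter:
    """How many flagged recipients per destination domain (spam runs cluster on big providers)."""
    return Counter(r.rsplit("@", 1)[-1].lower() for rcpts in flagged.values() for r in rcpts)


def pickups_per_minute(msgs: Dict[str, Msg], web_uids=WEB_UIDS) -> Dict[str, int]:
    """Injections by the web-server uid per minute; a steady drip every few
    seconds, as in the question, is a script, not a human."""
    counts: Dict[str, int] = defaultdict(int)
    for msg in msgs.values():
        if msg.uid in web_uids and msg.ts:
            counts[msg.ts[:-3]] += 1      # "Feb 18 10:13:42" -> "Feb 18 10:13"
    return dict(counts)


# Constructed sample, modelled on the lines in the question: three web-injected
# messages to mail.ru/gmail.com, one root cron mail, one web mail to a local mailbox.
SAMPLE_LOG = """\
Feb 18 10:13:42 server1 postfix/pickup[3995]: 1A6413627F: uid=33 from=<www-data>
Feb 18 10:13:42 server1 postfix/qmgr[4479]: 1A6413627F: from=<www-data@myemaildomain.com>, size=2153, nrcpt=1 (queue active)
Feb 18 10:13:43 server1 postfix/smtp[4007]: 1A6413627F: to=<a...a@mail.ru>, relay=mxs.mail.ru[217.69.139.150]:25, delay=1.9, delays=0.01/0/0.77/1.1, dsn=2.0.0, status=sent (250 OK id=1aWRD5-0005o9-J0)
Feb 18 10:13:54 server1 postfix/pickup[3995]: 5CF523627F: uid=33 from=<www-data>
Feb 18 10:13:54 server1 postfix/qmgr[4479]: 5CF523627F: from=<www-data@myemaildomain.com>, size=2158, nrcpt=1 (queue active)
Feb 18 10:13:55 server1 postfix/smtp[3982]: 5CF523627F: to=<y...s@mail.ru>, relay=mxs.mail.ru[217.69.139.150]:25, delay=1.6, delays=0.01/0/0.55/1, dsn=2.0.0, status=sent (250 OK id=1aWRDH-0003yi-IS)
Feb 18 10:14:02 server1 postfix/pickup[3995]: A72D73627F: uid=33 from=<www-data>
Feb 18 10:14:02 server1 postfix/qmgr[4479]: A72D73627F: from=<www-data@myemaildomain.com>, size=2172, nrcpt=1 (queue active)
Feb 18 10:14:02 server1 postfix/smtp[4002]: A72D73627F: to=<c....8@gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:400e:c03::1b]:25, delay=0.24, delays=0.01/0/0.09/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK 1455812042 u6si8951789par.57 - gsmtp)
Feb 18 10:15:01 server1 postfix/pickup[3995]: 0BEEF00001: uid=0 from=<root>
Feb 18 10:15:01 server1 postfix/qmgr[4479]: 0BEEF00001: from=<root@myemaildomain.com>, size=900, nrcpt=1 (queue active)
Feb 18 10:15:01 server1 postfix/smtp[4002]: 0BEEF00001: to=<admin@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.3, delays=0.01/0/0.1/0.2, dsn=2.0.0, status=sent (250 OK)
Feb 18 10:15:30 server1 postfix/pickup[3995]: 0BEEF00002: uid=33 from=<www-data>
Feb 18 10:15:30 server1 postfix/qmgr[4479]: 0BEEF00002: from=<www-data@myemaildomain.com>, size=1200, nrcpt=1 (queue active)
Feb 18 10:15:30 server1 postfix/local[4010]: 0BEEF00002: to=<webmaster@myemaildomain.com>, relay=local, delay=0.1, delays=0.01/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
"""

if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG.splitlines())
    hits = web_originated(parsed)
    for qid, rcpts in sorted(hits.items()):
        print(f"{qid}: web uid -> {', '.join(rcpts)}")
    print("by domain:", dict(recipient_domains(hits)))
    print("per minute:", pickups_per_minute(parsed))
```

Run it against `/var/log/mail.log` with `parse(open("/var/log/mail.log"))` after adjusting `LOCAL_DOMAINS`. The log only identifies the uid, not the script; to find which file is sending, PHP's `mail.add_x_header = On` (adds an `X-PHP-Originating-Script` header) and `mail.log = /path/to/file` in php.ini record the calling script for every `mail()` call, and `postcat -q QUEUEID` shows headers of anything still in the queue.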

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.