[sdnog] mail problem

Sahlih Shihab salih.shihab at sudren.edu.sd
Wed Jan 27 11:52:12 SAST 2016


Dear Nishal
Greetings
Thanks for your advice, the problem was solved by following these instructions
How (step by step):

    - Switch to a user with sudo rights
    - Check the mail queue with command mailq
    - The first column of the mail queue list shows unique mail IDs, pick one from an obvious spam email and copy it
    - Check this email's details with command postcat -q <ID> using the unique mail ID you copied in place of <ID>
    - Identify the line starting with "X-PHP-Originating-Script". This should show which script is generating the spam emails
    - Remove the script, patch the website with latest security fixes and make sure folder and file permissions are secure
    - Empty the mail queue with command postsuper -d ALL
    - Check the mail queue again with command mailq to see if more emails are now generated. If the problem persists, repeat the above steps and see if you find other scripts causing you problems.
from this link: http://frontmag.no/artikler/how-identify-script-sending-spam-through-postfix

I found the script inside the program folder that belongs to Roundcube; I removed it and the problem is gone.

Now I will do my best to remove our mail server from the global blacklists and improve the reputation of our domain.

Thanks

----- Original Message -----
From: "Nishal Goburdhan" <nishal at controlfreak.co.za>
To: "Sahlih Shihab" <salih.shihab at sudren.edu.sd>
Cc: "Sudan NOG" <sdnog at sdnog.sd>
Sent: Tuesday, January 26, 2016 1:49:35 PM
Subject: Re: [sdnog] mail problem

On 25 Jan 2016, at 13:51, Sahlih Shihab wrote:

> Dear All
> Greetings
> We need some help please,
> We have a hosting server with "postfix" mail server, our mail server 
> sends spam outside (see the following), while this email address 
> cbe at carib.com is not found on our mail server.
> What should we do to fix this issue?
> Thanks
>
> mailq output
> -- D94D9501C18 1340729 Fri Jan 22 22:39:02 cbe at carib.com
> (host mx-apac.mail.gm0.yahoodns.net[106.10.166.54] said: 421 4.7.0 
> [TS01] Messages from 41.67.16.200 temporarily deferred due to user 
> complaints - 4.16.55.1; see 
> https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL 
> FROM command))

well for a start, it would appear that someone was able to use your mail 
server to send lots of mail to yahoo.com.  that’s quite serious, since 
mail is largely “reputation based” and once you’ve been identified 
as a spam sender, it usually takes significant effort to get off it.
so, before doing anything, i’d suggest you spend some serious effort 
to understand how this (sending that large volume of mail) was able to 
be achieved.  your system logs are probably your best bet in determining 
this.  then check for weak passwords;  check to see who is allowed to 
relay mail through you, how that relay process works (eg. SMTP-AUTH), 
etc.

the error message at yahoo does indicate that this is a temporary block; 
if you’re certain it’s unnecessary mail, consider flushing your 
mail queue?   i’m no mail expert, so hopefully others can give you 
better responses :-)

—n.

-- 
Salih S. M. Abdelhameed | Head of Electronics Service Unit 
Sudanese Research and Education Network | Address 
Nile St. | University of Khartoum 
Tel: +2491556620 71 | Mob: +24912 3788843 
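The step-by-step procedure above (mailq, then postcat -q per queue ID, then look for X-PHP-Originating-Script) is easy to script so that every queued message is checked rather than one picked by hand. The following is an added example written for this archive page; it is not code from the thread, from the linked article or from Postfix. It runs offline: the mailq output and the postcat dumps are constructed sample data with made-up queue IDs and addresses, and `sample_postcat` stands in for the real `postcat -q`. Two things it assumes: PHP only adds the X-PHP-Originating-Script header when mail.add_x_header is enabled in php.ini, so messages without the header are reported separately instead of being ignored, and on a live host you would call `script_report` with the real command (the default) and run it as a user allowed to read the Postfix queue.

```shell
#!/bin/sh
# Added example (not from the original thread): triage helpers for the
# "which PHP script is sending spam through Postfix" procedure.
# Everything below uses constructed sample data so it runs offline.

# Constructed sample of `mailq` output: two deferred messages injected by a
# PHP script and one ordinary user message. IDs and addresses are made up.
sample_mailq() {
    cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
D94D9501C18*   1340729 Fri Jan 22 22:39:02  www-data@host.example
                                         cbe@example.net
A1B2C3D4E5F6   1340502 Fri Jan 22 22:39:05  www-data@host.example
                                         someone@example.org
0F0F0F0F0F0F       812 Fri Jan 22 22:40:10  alice@host.example
                                         bob@example.com

-- 2618 Kbytes in 3 Requests.
EOF
}

# Constructed stand-in for `postcat -q <ID>`. The first two IDs carry the
# X-PHP-Originating-Script header that PHP adds (mail.add_x_header=On); the
# third is ordinary mail without it.
sample_postcat() {
    case "$1" in
        D94D9501C18|A1B2C3D4E5F6)
            printf '%s\n' \
                "*** ENVELOPE RECORDS deferred/D/$1 ***" \
                "sender: www-data@host.example" \
                "*** MESSAGE CONTENTS deferred/D/$1 ***" \
                "Received: by host.example (Postfix, from userid 33)" \
                "X-PHP-Originating-Script: 33:sm.php" \
                "Subject: hello" ;;
        *)
            printf '%s\n' \
                "*** ENVELOPE RECORDS deferred/0/$1 ***" \
                "sender: alice@host.example" \
                "*** MESSAGE CONTENTS deferred/0/$1 ***" \
                "Subject: lunch" ;;
    esac
}

# Queue IDs from mailq output: the first column of lines that begin with a
# hex ID, minus the trailing '*' (active) or '!' (on hold) marker.
queue_ids() {
    awk '/^[0-9A-F]+[*!]?[ \t]/ { sub(/[*!]$/, "", $1); print $1 }'
}

# The X-PHP-Originating-Script value of one postcat dump (empty if absent).
originating_script() {
    sed -n 's/^X-PHP-Originating-Script:[ \t]*//p' | head -n 1
}

# Count queued messages per originating script. $1 is the command used to
# dump a queue file; it defaults to the real `postcat -q` and is replaced by
# sample_postcat in the offline run below. Reads mailq output on stdin.
script_report() {
    postcat_cmd="${1:-postcat -q}"
    for id in $(queue_ids); do
        script=$($postcat_cmd "$id" | originating_script)
        printf '%s\n' "${script:-<no X-PHP-Originating-Script header>}"
    done | sort | uniq -c | sort -rn
}

# Offline usage: prints one line per script, most frequent first, e.g.
#       2 33:sm.php
#       1 <no X-PHP-Originating-Script header>
# sample_mailq | script_report sample_postcat
```

The report tells you which script (by uid:name) is responsible and how much of the queue it accounts for. Once the script is removed, the queue IDs that `queue_ids` collects for it can be dropped individually with `postsuper -d <ID>`; `postsuper -d ALL`, as in the linked steps, also discards legitimate queued mail, which is worth knowing before running it on a shared hosting box.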