Re: Attack on my mailsystem

2015-06-17 Thread Viktor Dukhovni
On Wed, Jun 17, 2015 at 06:25:10AM -0700, Jithesh AP wrote: > >>Received: from 54.183.212.207 (ip-172-31-5-33.us-west-1.compute.internal > >>[172.31.5.33]) > >>by ml.w8timez.com (Postfix) with SMTP id 24B0841557; > >>Tue, 16 Jun 2015 21:22:33 -0700 (PDT) > >>Message-ID: > > > >Su

Re: Attack on my mailsystem

2015-06-17 Thread Jithesh AP
On Wed, 17 Jun 2015 06:05:17 -0700, Viktor Dukhovni wrote: On Tue, Jun 16, 2015 at 09:37:24PM -0700, Jithesh AP wrote: >> mynetworks was fully commented, now I have added it as you indicated, but >> fully commenting it will also have a similar effect, right? > > No, that makes "mynetworks_sty

Re: Attack on my mailsystem

2015-06-17 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 09:37:24PM -0700, Jithesh AP wrote: > >> mynetworks was fully commented, now I have added it as you indicated, but > >> fully commenting it will also have a similar effect, right? > > > > No, that makes "mynetworks_style" take effect instead, which > > may configure mynetworks

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 09:21:36PM -0700, Jithesh AP wrote: > >In the mean time, set "mynetworks = 127.0.0.1", that might > >limit further damage. > > > mynetworks was fully commented, now I have added it as you indicated, but fully > commenting it will also have a similar effect, right? No, that mak

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
On Tue, 16 Jun 2015 20:45:12 -0700, Viktor Dukhovni wrote: On Tue, Jun 16, 2015 at 08:34:38PM -0700, Jithesh AP wrote: I tried that, the first line client = ip-172 is the internal/private IP of my server. So does this mean somehow it is being sent from my server itself? grep 6CB584162

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 08:34:38PM -0700, Jithesh AP wrote: > I tried that, the first line client = ip-172 is the internal/private IP of > my server. So does this mean somehow it is being sent from my server itself? > > grep 6CB5841627 /var/maillog > Jun 16 13:21:46 ml postfix/smtpd[19729]: 6CB5

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
I tried that, the first line client = ip-172 is the internal/private IP of my server. So does this mean somehow it is being sent from my server itself? grep 6CB5841627 /var/maillog Jun 16 13:21:46 ml postfix/smtpd[19729]: 6CB5841627: client=ip-172-31-5-33.us-west-1.compute.internal[172.31

Re: Attack on my mailsystem

2015-06-16 Thread Noel Jones
On 6/16/2015 9:43 PM, Jithesh AP wrote: > > Grep for the message-id in maillog just gives this, should I search > in some other location? > grep kflvqedfdosxjjhkebewy...@sfilc.com /var/maillog-2015 | head > Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: > message-id= > Jun 16 13:21:49 ml po

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
On Tue, 16 Jun 2015 19:26:48 -0700, Viktor Dukhovni wrote: On Tue, Jun 16, 2015 at 07:21:39PM -0700, Jithesh AP wrote: >This was created locally via the "sendmail" command. What user >account has "uid" 5005? If this is www-data or similar, you likely >have an insecure PHP script that i

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 07:21:39PM -0700, Jithesh AP wrote: > >This was created locally via the "sendmail" command. What user > >account has "uid" 5005? If this is www-data or similar, you likely > >have an insecure PHP script that is being exploited to send spam. > > > >Just look for any other

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
On Tue, 16 Jun 2015 19:08:36 -0700, Viktor Dukhovni wrote: On Tue, Jun 16, 2015 at 06:51:24PM -0700, Jithesh AP wrote: This is the maillog result of the grep, but I don't see IP address etc. (not sure if the actual log got deleted when I removed the big log). Jun 16 13:21:49 ml postfix/pick

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 06:51:24PM -0700, Jithesh AP wrote: > This is the maillog result of the grep, but I don't see IP address etc. (not > sure if the actual log got deleted when I removed the big log). > > Jun 16 13:21:49 ml postfix/pickup[23232]: 0C9B14166A: uid=5005 > from= > Jun 16 13:21:49 ml

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
This is the maillog result of the grep, but I don't see IP address etc. (not sure if the actual log got deleted when I removed the big log). Jun 16 13:21:49 ml postfix/pickup[23232]: 0C9B14166A: uid=5005 from= Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id= Jun 16 13:21:49

Re: Attack on my mailsystem

2015-06-16 Thread Wietse Venema
Jithesh AP: > unfortunately have logs of messages generating like the below (snippet > from postqueue -p) > > 0C9B14166A 7886 Tue Jun 16 13:21:49 cdbphlavjop...@wysina.com.tw > (delivery temporarily suspended: connect to > mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 01:30:49PM -0700, Jithesh AP wrote: > 0C9B14166A 7886 Tue Jun 16 13:21:49 cdbphlavjop...@wysina.com.tw > (delivery temporarily suspended: connect to > mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out) > 0...

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
unfortunately have logs of messages generating like the below (snippet from postqueue -p) 0C9B14166A 7886 Tue Jun 16 13:21:49 cdbphlavjop...@wysina.com.tw (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
Oh ok, then I am out of luck :(, in haste I removed that log file as it was 700MB. On Tue, 16 Jun 2015 11:12:37 -0700, Viktor Dukhovni wrote: On Tue, Jun 16, 2015 at 10:25:05AM -0700, Jithesh AP wrote: On Tue, 16 Jun 2015 09:26:52 -0700, Viktor Dukhovni wrote: >On Tue, Jun 16, 2015 at

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 10:25:05AM -0700, Jithesh AP wrote: > On Tue, 16 Jun 2015 09:26:52 -0700, Viktor Dukhovni > wrote: > > >On Tue, Jun 16, 2015 at 08:45:55AM -0700, Jithesh AP wrote: > > > >>Did a grep for the q ID - 15542416CE and looks like that is the last I > >>see > >>of it. (this chec

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
On Tue, 16 Jun 2015 09:26:52 -0700, Viktor Dukhovni wrote: On Tue, Jun 16, 2015 at 08:45:55AM -0700, Jithesh AP wrote: Did a grep for the q ID - 15542416CE and looks like that is the last I see of it. (This check is nearly an hour after, at 08.45.) Jun 16 07:50:15 ml postfix/error[653]: 1

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 08:45:55AM -0700, Jithesh AP wrote: > Did a grep for the q ID - 15542416CE and looks like that is the last I see > of it. (This check is nearly an hour after, at 08.45.) > > Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=, > relay=none, delay=1271, delays=953/269/0/49,

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
Did a grep for the q ID - 15542416CE and looks like that is the last I see of it. (This check is nearly an hour after, at 08.45.) Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: conn

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 08:26:33AM -0700, Jithesh AP wrote: > > Thank you for the mail, below is my postconf -n output > > [...] > > >>Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: > >>to=, > >>relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred > >>(delivery temporarily

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
I have not tried fail2ban, I will check it out on this, hopefully by the weekend. Regards Jithesh On Tue, 16 Jun 2015 08:12:19 -0700, Mauricio Tavares wrote: On Tue, Jun 16, 2015 at 9:51 AM, Jithesh AP wrote: Ok thank you for the info, this did scare me :). It's taxing my small system.

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
Hi Viktor, Thank you for the mail, below is my postconf -n output alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfi

Re: Attack on my mailsystem

2015-06-16 Thread Mauricio Tavares
On Tue, Jun 16, 2015 at 9:51 AM, Jithesh AP wrote: > Ok thank you for the info, this did scare me :). It's taxing my small system. > Have you considered running something like fail2ban on the system? It would temporarily (you set the time) block said IP at the firewall, which usually makes the

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 08:01:31AM -0700, Jithesh AP wrote: > Did a restart of postfix and this is what I see below, does it mean I am > seeing old queue relays or new ones? > > I also deleted all the messages in q with postsuper -d ALL (but when I run > it after a few mins, there are some messag

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
Thank you. I have updated main.cf to have notify_classes as below. notify_classes = Did a restart of postfix and this is what I see below, does it mean I am seeing old queue relays or new ones? I also deleted all the messages in q with postsuper -d ALL (but when I run it after a few mins,

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 06:51:51AM -0700, Jithesh AP wrote: > Ok thank you for the info, this did scare me :). It's taxing my small system. Most of the cost is the processing of postmaster notices. If you turn those off (and just read a log report once a day from your favourite log reporting tool

Re: Attack on my mailsystem

2015-06-16 Thread Jithesh AP
Ok thank you for the info, this did scare me :). It's taxing my small system. Regards Jithesh On Tue, 16 Jun 2015 06:48:01 -0700, Viktor Dukhovni wrote: On Tue, Jun 16, 2015 at 06:43:47AM -0700, Jithesh AP wrote: I have an attack on my mail system and the mail I got from mailer daemon

Re: Attack on my mailsystem

2015-06-16 Thread Viktor Dukhovni
On Tue, Jun 16, 2015 at 06:43:47AM -0700, Jithesh AP wrote: > I have an attack on my mail system and the mail I got from mailer daemon is > (got 1000s of such mails) You've set "notify_classes" to send you too much email. > -- > Transcript of session follows. > >

Attack on my mailsystem

2015-06-16 Thread Jithesh AP
Hi All, I have an attack on my mail system and the mail I got from mailer daemon is (got 1000s of such mails) -- Transcript of session follows. Out: 220 ml.w8timez.com ESMTP Postfix In: HELO 54.183.212.207 Out: 250 ml.w8timez.com In: MAIL FROM: Out: 25