Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Weep Unto Oblivion
Weep Unto Oblivion Author
User level: Level 1
0 points

stop spam in mail queue

Hi,


We have a 10.6 server which we use for our e-mail, the only computers on the local network are a mixed between mac os x 10.6/10.7 and 10.8. We have a firewall blocking all smtp traffic out except from the server and maildistillar outbound relaying to stop any spam getting through to the outside world. As well as eset anti virus installed on all clients and server.


Recently we look to have a spammer on the network, when I check the mailq it is listing thousands of spam messages from random email addresses such as johnmartin598@gmail.com , deamon messages. (see below)


F423511B1D879 3458 Wed Nov 14 00:09:28 johnmartin598@gmail.com

(delivery temporarily suspended: lost connection with outbound.maildistiller.com[77.107.230.21] while sending RCPT TO)

tania.castro@aol.com

tania.devilla@aol.com

tania.escudero@aol.com

tania.ferreira@aol.com

tania.horton@aol.com

tania.hoyt@aol.com


The combination of all these messages are delaying legitimate mail. I checked the mail log (under smtp) and found the messages being submitted to the queue, but it doesn't list a user or source IP.


I have authenticatation setup in mail and users have recently changed their passwords.


Below are some of the actions in the smtp log of mail.


ov 14 13:00:21 companydomainname postfix/smtp[31912]: 379D511B502B6: to=<johnmartin598@gmail.com>, relay=outbound.maildistiller.com[77.107.230.22]:25, delay=1202, delays=896/4.6/301/0.66, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 07A5E80037)


Nov 14 13:00:16 companydomainname postfix/smtp[31891]: 0088C11B502BF: to=<johnmartin598@gmail.com>, relay=outbound.maildistiller.com[77.107.230.22]:25, delay=1196, delays=895/0.02/301/0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A4D180060)


Nov 14 13:00:18 companydomainname postfix/smtp[31907]: 0088C11B502BF: conversation with outbound.maildistiller.com[77.107.230.21] timed out while sending MAIL FROM


Nov 14 13:00:18 companydomainname postfix/smtp[31907]: 379D511B502B6: conversation with outbound.maildistiller.com[77.107.230.21] timed out while sending MAIL FROM


These will be removed but it takes far too long. Is there anyway I can track which mac has the spam agent installed? Also is there a way in postfix to block smtp traffic from entering the queue if it doesn't match an address with the correct @mydomain.com extension?

Thanks for your time,



Curtis.

iMac, Mac OS X (10.6.7)

Posted on Nov 14, 2012 5:27 AM

Reply
1 reply
User profile for user: Camelot
Camelot
User level: Level 9
54,333 points

Nov 14, 2012 9:57 AM in response to Weep Unto Oblivion

There's no way the logs won't show where the message is coming from - it may just be you're looking in the wrong place.


If you look at the log messages you posted you'll see the delay= section. This tells you how long the message has been in the queue (in seconds), so in the case of:


ov 14 13:00:21 companydomainname postfix/smtp[31912]: 379D511B502B6: to=<johnmartin598@gmail.com>, relay=outbound.maildistiller.com[77.107.230.22]:25, delay=1202, delays=896/4.6/301/0.66, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 07A5E80037)

You need to look back in the log about 20 minutes to find where the message came from.


You can also look at the actual message spool file on disk for anymessage still in the queue. In the case of:


Nov 14 13:00:18 companydomainname postfix/smtp[31907]: 0088C11B502BF: conversation with outbound.maildistiller.com[77.107.230.21] timed out while sending MAIL FROM

Look for the file '0088C11B502BF' somewhere within the /var/spool/postfix directory. It will contain the mail headers, including the originating host's IP address.

Reply

stop spam in mail queue

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up