1 Reply Latest reply: Nov 14, 2012 9:57 AM by Camelot
Weep Unto Oblivion, Level 1 (0 points)

Hi,

We have a 10.6 server which we use for our e-mail; the only computers on the local network are a mix of Mac OS X 10.6, 10.7 and 10.8 machines. We have a firewall blocking all SMTP traffic out except from the server, and Maildistiller outbound relaying to stop any spam getting through to the outside world. We also have ESET anti-virus installed on all clients and the server.

Recently we appear to have a spammer on the network: when I check the mailq it lists thousands of spam messages from random e-mail addresses such as johnmartin598@gmail.com, plus daemon messages (see below).

F423511B1D879 3458 Wed Nov 14 00:09:28 johnmartin598@gmail.com
(delivery temporarily suspended: lost connection with outbound.maildistiller.com[77.107.230.21] while sending RCPT TO)
    tania.castro@aol.com
    tania.devilla@aol.com
    tania.escudero@aol.com
    tania.ferreira@aol.com
    tania.horton@aol.com
    tania.hoyt@aol.com

The combination of all these messages is delaying legitimate mail. I checked the mail log (under SMTP) and found the messages being submitted to the queue, but it doesn't list a user or source IP.

I have authentication set up in Mail and users have recently changed their passwords.

Below are some of the actions in the SMTP log of Mail.

Nov 14 13:00:21 companydomainname postfix/smtp[31912]: 379D511B502B6: to=<johnmartin598@gmail.com>, relay=outbound.maildistiller.com[77.107.230.22]:25, delay=1202, delays=896/4.6/301/0.66, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 07A5E80037)
Nov 14 13:00:16 companydomainname postfix/smtp[31891]: 0088C11B502BF: to=<johnmartin598@gmail.com>, relay=outbound.maildistiller.com[77.107.230.22]:25, delay=1196, delays=895/0.02/301/0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A4D180060)
Nov 14 13:00:18 companydomainname postfix/smtp[31907]: 0088C11B502BF: conversation with outbound.maildistiller.com[77.107.230.21] timed out while sending MAIL FROM
Nov 14 13:00:18 companydomainname postfix/smtp[31907]: 379D511B502B6: conversation with outbound.maildistiller.com[77.107.230.21] timed out while sending MAIL FROM

These will be removed, but it takes far too long. Is there any way I can track which Mac has the spam agent installed? Also, is there a way in Postfix to block SMTP traffic from entering the queue if it doesn't match an address with the correct @mydomain.com extension?

Thanks for your time,

Curtis.


iMac, Mac OS X (10.6.7)
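The two questions above (what to do about the queue right now, and how to stop LAN machines from submitting mail with foreign sender addresses) as a worked shell example. This is added here and is not from the original post, from Apple or from the Postfix project; it assumes Postfix on Mac OS X Server 10.6 with the short hex queue IDs and the mailq layout shown above. "mydomain.com", the 192.168.1.0/24 range and the /etc/postfix table names are placeholders, and the mailq sample inside the script is constructed, not real queue contents.

```shell
#!/bin/sh
# Added example, not from the thread. Triage a Postfix queue full of mail with
# forged external senders, as in the mailq output above, and restrict LAN
# submissions to local sender addresses. Assumes the short hex queue IDs and
# the mailq format shown on the page (Postfix on Mac OS X Server 10.6);
# "mydomain.com", the table paths and the LAN range are placeholders.

# Constructed mailq sample modelled on the post (not real queue contents).
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
F423511B1D879     3458 Wed Nov 14 00:09:28  johnmartin598@gmail.com
(delivery temporarily suspended: lost connection with outbound.maildistiller.com[77.107.230.21] while sending RCPT TO)
                                         tania.castro@aol.com
                                         tania.devilla@aol.com
0A1B2C3D4E5F6*    2048 Wed Nov 14 00:10:02  alice@mydomain.com
                                         bob@example.org
1234567890ABC     1200 Wed Nov 14 00:11:15  MAILER-DAEMON
                                         johnmartin598@gmail.com

-- 6 Kbytes in 3 Requests.'

# Read "mailq" / "postqueue -p" output on stdin and print "QUEUE_ID SENDER"
# for every message whose envelope sender is not @<domain>. Only queue-ID
# lines are matched (ID, size, arrival time, sender); the '*' (active) and
# '!' (held) markers mailq appends to the ID are stripped so the IDs can be
# fed straight to postsuper. Bounces show up with sender MAILER-DAEMON: that
# is the backscatter to the forged sender, listed so it can be reviewed too.
foreign_sender_ids() {
    awk -v domain="$1" '
        $1 ~ /^[0-9A-Fa-f]+[*!]?$/ {
            id = $1; sub(/[*!]$/, "", id)
            sender = $NF
            want = "@" tolower(domain); n = length(want)
            if (substr(tolower(sender), length(sender) - n + 1) != want)
                print id, sender
        }'
}

# How many queued messages each foreign sender accounts for (review this
# before deleting anything; legitimate bounces also appear as MAILER-DAEMON).
foreign_sender_summary() {
    foreign_sender_ids "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn
}

# Delete the foreign-sender messages from the live queue. Run as root;
# "postsuper -d -" reads one queue ID per line from stdin.
purge_foreign_senders() {
    mailq | foreign_sender_ids "$1" | awk '{ print $1 }' | postsuper -d -
}

# Second question from the post: make smtpd reject mail from LAN clients
# unless the envelope sender is in the local domain, while leaving inbound
# Internet mail (whose senders are naturally external) alone. Uses a Postfix
# restriction class selected by a CIDR client table; the table names are
# assumptions. Do not put the server's own address or any content-filter
# re-injection listener in the LAN range. Run as root.
restrict_lan_senders() {
    domain="$1"; lan_cidr="$2"
    printf '%s OK\n' "$domain" > /etc/postfix/local_sender_domains
    postmap hash:/etc/postfix/local_sender_domains
    printf '%s lan_senders_only\n' "$lan_cidr" > /etc/postfix/lan_clients   # cidr: tables need no postmap
    postconf -e 'smtpd_restriction_classes = lan_senders_only'
    postconf -e 'lan_senders_only = check_sender_access hash:/etc/postfix/local_sender_domains, reject'
    postconf -e 'smtpd_sender_restrictions = check_client_access cidr:/etc/postfix/lan_clients, permit_mynetworks, permit_sasl_authenticated'
    postfix reload
}

# Dry run on the constructed sample. On the server:
#   mailq | foreign_sender_ids mydomain.com
#   purge_foreign_senders mydomain.com
#   restrict_lan_senders mydomain.com 192.168.1.0/24
printf '%s\n' "$SAMPLE_MAILQ" | foreign_sender_ids mydomain.com
```

Run the listing and the summary first and purge only once the sender list looks right: deleting every MAILER-DAEMON entry also drops genuine bounce notifications. The restriction class is evaluated at RCPT TO like the rest of smtpd_sender_restrictions, so LAN clients that are not in mynetworks and not authenticated are already refused relaying and are unaffected. On Mac OS X Server, Server Admin can rewrite main.cf when mail settings are changed there, so confirm the three postconf values again afterwards with `postconf smtpd_sender_restrictions`.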
  • 1. Re: stop spam in mail queue
    Camelot, Level 8 (45,790 points)

    There's no way the logs won't show where the message is coming from; it may just be that you're looking in the wrong place.

    If you look at the log messages you posted you'll see the delay= section. This tells you how long the message has been in the queue (in seconds), so in the case of:

    Nov 14 13:00:21 companydomainname postfix/smtp[31912]: 379D511B502B6: to=<johnmartin598@gmail.com>, relay=outbound.maildistiller.com[77.107.230.22]:25, delay=1202, delays=896/4.6/301/0.66, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 07A5E80037)

    You need to look back in the log about 20 minutes to find where the message came from.

    You can also look at the actual message spool file on disk for any message still in the queue. In the case of:

    Nov 14 13:00:18 companydomainname postfix/smtp[31907]: 0088C11B502BF: conversation with outbound.maildistiller.com[77.107.230.21] timed out while sending MAIL FROM

    Look for the file '0088C11B502BF' somewhere within the /var/spool/postfix directory. It will contain the mail headers, including the originating host's IP address.
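The queue-ID lookup Camelot describes, as an added shell example that is not part of the thread. Rather than counting back delay= seconds by hand, it searches the whole log for the queue ID: the postfix/smtpd submission line carries the same ID as the later postfix/smtp delivery line and records the client IP and, for authenticated sessions, the SASL user name, which is what identifies the infected Mac (or the compromised account). The log lines inside the script are constructed to match the format on this page; the log path /var/log/mail.log, the host names, IPs and the account name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Trace a queued message back to the
# client that submitted it. Every SMTP submission is logged by postfix/smtpd
# under the same queue ID as the later postfix/smtp delivery line, as
#   "<QUEUE_ID>: client=<host>[<ip>], sasl_method=PLAIN, sasl_username=<user>"
# (the sasl_ fields appear only for authenticated sessions). The log file on
# Mac OS X Server 10.6 is assumed to be /var/log/mail.log. Host names, IPs
# and account names below are constructed, not from the original post.

SAMPLE_LOG='Nov 14 12:40:19 companydomainname postfix/smtpd[31102]: 379D511B502B6: client=unknown[192.168.1.57], sasl_method=PLAIN, sasl_username=jsmith
Nov 14 12:40:19 companydomainname postfix/cleanup[31105]: 379D511B502B6: message-id=<20121114124019.A1@companydomainname>
Nov 14 12:40:19 companydomainname postfix/qmgr[1201]: 379D511B502B6: from=<johnmartin598@gmail.com>, size=3458, nrcpt=6 (queue active)
Nov 14 12:40:25 companydomainname postfix/smtpd[31102]: 0088C11B502BF: client=unknown[192.168.1.57], sasl_method=PLAIN, sasl_username=jsmith
Nov 14 12:41:02 companydomainname postfix/smtpd[31110]: A1B2C3D4E5F67: client=imac-reception.local[192.168.1.20]
Nov 14 13:00:16 companydomainname postfix/smtp[31891]: 0088C11B502BF: to=<johnmartin598@gmail.com>, relay=outbound.maildistiller.com[77.107.230.22]:25, delay=1196, delays=895/0.02/301/0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A4D180060)
Nov 14 13:00:21 companydomainname postfix/smtp[31912]: 379D511B502B6: to=<johnmartin598@gmail.com>, relay=outbound.maildistiller.com[77.107.230.22]:25, delay=1202, delays=896/4.6/301/0.66, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 07A5E80037)'

# Pull "<ip> <sasl user>" out of every postfix/smtpd client= line on stdin;
# with a queue ID as $1 only that message's submission line is used.
# "postfix/smtpd[" does not match the "postfix/smtp[" delivery lines.
extract_client() {
    awk -v qid="$1" '
        index($0, "postfix/smtpd[") && index($0, ": client=") &&
            (qid == "" || index($0, " " qid ": client=")) {
            ip = $0; sub(/.*client=[^[]*\[/, "", ip); sub(/\].*/, "", ip)
            user = "(unauthenticated)"
            if (match($0, /sasl_username=[^, ]+/))
                user = substr($0, RSTART + 14, RLENGTH - 14)   # drop "sasl_username="
            print ip, user
        }'
}

# Origin of one queue ID as "IP SASL_USER". Log on stdin.
queue_origin() { extract_client "$1"; }

# Submissions per client and account over the whole log, busiest first.
# A LAN address or an account at the top with hundreds of entries is the
# infected Mac, or the account whose password was stolen.
top_submitters() { extract_client "" | sort | uniq -c | sort -rn; }

# For a message still in the queue, postcat locates the queue file (the
# manual search under /var/spool/postfix described above) and prints it;
# the Received: header carries the submitting host's address. Needs root.
queue_received_headers() { postcat -q "$1" | grep -i '^Received:'; }

# On the sample. On the server: queue_origin 379D511B502B6 < /var/log/mail.log
printf '%s\n' "$SAMPLE_LOG" | queue_origin 379D511B502B6
printf '%s\n' "$SAMPLE_LOG" | top_submitters
```

Once the log has rotated, the queue ID no longer appears in the current file, so search the rotated copies as well (zcat of the older mail.log archives piped into the same functions). An authenticated user name at the top of the submitter list means the spam is coming through SMTP AUTH with a valid password, and that account needs its password changed again after the machine is cleaned.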