
My server appears hacked - sending spam email.

Below is a snippet from my smtp log:


Mar 24 13:15:52 xserve postfix/smtp[4700]: 53DAA333FF9A: to=<soldier_style_bk@yahoo.co.jp>, relay=mx1.mail.yahoo.co.jp[183.79.29.234], delay=67809, status=sent (250 ok dirdel)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204A331DEE2: from=<kristinabangs@cox.net>, size=2194, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 53DAA333FF9A: removed
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204C330094F: from=<>, size=4660, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 271F932EC252: from=<joancaz@cox.net>, size=2208, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4513]: 53E383351159: to=<borisj@bcorp.ru>, relay=mail.bcorp.ru[79.143.64.177], delay=64711, status=bounced (host mail.bcorp.ru[79.143.64.177] said: 550 5.7.1 Message rejected. (in reply to end of DATA command))
Mar 24 13:15:52 xserve postfix/cleanup[4699]: 64FB23375A10: message-id=<20150324171552.64FB23375A10@mail.galadv.com>
Mar 24 13:15:52 xserve postfix/qmgr[73]: 53E383351159: removed
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204C334F114: from=<tnkuhn@cox.net>, size=2490, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4701]: 53F7432F83E0: to=<support@helpmorepeople.com>, relay=aspmx.l.google.com[74.125.22.27], delay=84576, status=sent (250 2.0.0 OK 1427217352 78si4573754qhf.108 - gsmtp)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 53F7432F83E0: removed
Mar 24 13:15:52 xserve postfix/smtp[3137]: 53F38332C56F: to=<saynex@mail.ru>, relay=mxs.mail.ru[217.69.139.150], delay=71896, status=deferred (host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command))
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204D334242B: from=<chisato_zoo_land@yahoo.co.jp>, size=2448, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4662]: 53F49335601C: host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 620553336028: from=<cryssy@cryssycheung.com>, size=2366, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4660]: 53F583345400: host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)
Mar 24 13:15:52 xserve postfix/smtp[4562]: 53F6732FD2C7: to=<gryzia2008@rambler.ru>, relay=imx1.rambler.ru[81.19.66.234], delay=83175, status=bounced (host imx1.rambler.ru[81.19.66.234] said: 540 5.7.1 <gryzia2008@rambler.ru>: Recipient address rejected: Your emails has been returned because the intented recipient's email account has been suspended. The account must be re-activated to receive incoming messages. (in reply to RCPT TO command))
Mar 24 13:15:52 xserve postfix/cleanup[4706]: E5C7D3375A13: message-id=<20150324171552.E5C7D3375A13@mail.galadv.com>
Mar 24 13:15:52 xserve postfix/qmgr[73]: 53F6732FD2C7: removed
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6205B331A67C: from=<paulsteventon@tiscali.co.uk>, size=2255, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4570]: 53F3A3320030: to=<varivodski@mail.ru>, relay=mxs.mail.ru[217.69.139.150], delay=74560, status=deferred (host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command))
Mar 24 13:15:53 xserve postfix/qmgr[73]: 6205E330A111: from=<mikuku0419@yahoo.co.jp>, size=2383, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/smtp[4673]: 53F4D331345E: to=<evgeniy.astakhov@bk.ru>, relay=mxs.mail.ru[217.69.139.150], delay=78037, status=deferred (host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command))
Mar 24 13:15:53 xserve postfix/smtp[4427]: 53F7C3350497: host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)
Mar 24 13:15:53 xserve postfix/qmgr[73]: 6205E3324A01: from=<jtmorry-mekiana@nsbsd.org>, size=2545, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/smtp[3641]: 53F82332C362: to=<cockroach08@rambler.ru>, relay=imx1.rambler.ru[81.19.66.234], delay=71920, status=bounced (host imx1.rambler.ru[81.19.66.234] said: 540 5.7.1 <cockroach08@rambler.ru>: Recipient address rejected: Your emails has been returned because the intented recipient's email account has been suspended. The account must be re-activated to receive incoming messages. (in reply to RCPT TO command))
Mar 24 13:15:53 xserve postfix/smtpd[4109]: warning: unknown[188.135.211.83]: SASL LOGIN authentication failed
Mar 24 13:15:53 xserve postfix/smtp[4641]: 53F3732F3265: to=<pjrgh126@yahoo.co.jp>, relay=mx5.mail.yahoo.co.jp[183.79.29.238], delay=85493, status=sent (250 ok dirdel)
Mar 24 13:15:53 xserve postfix/qmgr[73]: 53F3732F3265: removed
Mar 24 13:15:53 xserve postfix/qmgr[73]: 62061334E5F6: from=<jmd@dlgpa.com>, size=2205, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/cleanup[4698]: 5EA063375A17: message-id=<20150324171553.5EA063375A17@mail.galadv.com>
Mar 24 13:15:53 xserve postfix/qmgr[73]: 53F82332C362: removed
Mar 24 13:15:53 xserve postfix/qmgr[73]: 620643345EF7: from=<sarah-hove@ntlworld.com>, size=2217, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/smtp[3738]: 53F8B330E45E: host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)
Mar 24 13:15:53 xserve postfix/smtp[4662]: 53F49335601C: to=<auto-ugra@mail.ru>, relay=mxs.mail.ru[94.100.180.150], delay=63847, status=deferred (host mxs.mail.ru[94.100.180.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command))
Mar 24 13:15:53 xserve postfix/qmgr[73]: 62065332A440: from=<kurt@mail.galadv.com>, size=2692, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/smtp[4513]: 53F963348DF1: host mxs.mail.ru[94.100.180.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)

Shown below is my postconf -n:


command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
enable_server_options = yes
html_directory = no
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname,localhost.$mydomain,localhost,galadv.com,mail.galadv.com,gallagheradvertising.com,mail.gallagheradvertising.com
mydomain = galadv.com
mydomain_fallback = localhost
myhostname = mail.galadv.com
mynetworks = 127.0.0.1/32,10.1.10.0/24
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject, permit_sasl_authenticated, permit_mynetworks, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_pw_server_security_options = plain,login
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, permit
smtpd_tls_key_file = /etc/certificates/Default.key
smtpd_use_pw_server = yes
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550

This seems to have started yesterday morning and continues. I have no idea how to stop it. Any thoughts?

Thank you

Work- XServe G5 Dual 2.3 GHz 10.4.9, Personal - intel iMac 10.5.6, Mac OS X (10.6.7), 16 year OS9 user, 9 year OSX user

Posted on Mar 24, 2015 10:33 AM
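Added example, not code from the original post: a small Python triage that runs over a handful of the log lines quoted above and over the posted smtpd_recipient_restrictions. It reports the envelope senders that are not one of the server's own domains (the domain list is taken from the posted mydestination), the mix of sent/bounced/deferred delivery attempts, the oldest queue delay, and the client IPs that failed SASL authentication. It then lists which permit_* rules precede reject_unauth_destination, because Postfix evaluates that list in order and those rules are the only ways mail for an outside recipient gets accepted for relaying. The sample lines are copied from the thread; the function names are my own.

```python
"""Triage Postfix mail.log lines for signs of an outbound spam run.

Added example for this thread, not code from the original post.  The sample
log lines are constructed from the excerpt quoted in the post, the local
domain list comes from the posted mydestination, and the restriction string
is the posted smtpd_recipient_restrictions.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the log excerpt in the post.
SAMPLE_LOG = """\
Mar 24 13:15:52 xserve postfix/smtp[4700]: 53DAA333FF9A: to=<soldier_style_bk@yahoo.co.jp>, relay=mx1.mail.yahoo.co.jp[183.79.29.234], delay=67809, status=sent (250 ok dirdel)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204A331DEE2: from=<kristinabangs@cox.net>, size=2194, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 53DAA333FF9A: removed
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204C330094F: from=<>, size=4660, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4513]: 53E383351159: to=<borisj@bcorp.ru>, relay=mail.bcorp.ru[79.143.64.177], delay=64711, status=bounced (host mail.bcorp.ru[79.143.64.177] said: 550 5.7.1 Message rejected. (in reply to end of DATA command))
Mar 24 13:15:52 xserve postfix/smtp[3137]: 53F38332C56F: to=<saynex@mail.ru>, relay=mxs.mail.ru[217.69.139.150], delay=71896, status=deferred (host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command))
Mar 24 13:15:53 xserve postfix/smtpd[4109]: warning: unknown[188.135.211.83]: SASL LOGIN authentication failed
Mar 24 13:15:53 xserve postfix/qmgr[73]: 62065332A440: from=<kurt@mail.galadv.com>, size=2692, nrcpt=1 (queue active)
"""

# Domains this server accepts mail for, from the posted mydestination
# ($myhostname and the localhost entries omitted).
LOCAL_DOMAINS = {"galadv.com", "mail.galadv.com",
                 "gallagheradvertising.com", "mail.gallagheradvertising.com"}

# The recipient restrictions exactly as posted in postconf -n.
SAMPLE_POSTCONF = ("smtpd_recipient_restrictions = permit_sasl_authenticated,"
                   "permit_mynetworks,reject_unauth_destination,permit\n")

# qmgr: a message entering the active queue, with its envelope sender.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+) \(queue active\)")
# smtp: a delivery attempt to a remote relay and its outcome.
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>\S+), delay=(?P<delay>[\d.]+), status=(?P<status>\w+)")
# smtpd: a client that failed SASL authentication (password guessing shows up here).
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed")


def triage(log_text, local_domains):
    """Summarise the indicators a mail admin checks first when the queue fills with spam."""
    foreign_senders = []       # envelope senders that are not one of our own domains
    null_senders = 0           # from=<>: bounces and notifications, counted separately
    status_counts = Counter()  # sent / bounced / deferred per delivery attempt
    max_delay = 0.0            # oldest delay seen (seconds): how long the backlog has existed
    sasl_failures = Counter()  # failed logins per client IP
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            sender = m.group("sender")
            if not sender:
                null_senders += 1
            elif sender.rpartition("@")[2].lower() not in local_domains:
                foreign_senders.append(sender)
            continue
        m = SMTP_RE.search(line)
        if m:
            status_counts[m.group("status")] += 1
            max_delay = max(max_delay, float(m.group("delay")))
            continue
        m = SASL_RE.search(line)
        if m:
            sasl_failures[m.group("ip")] += 1
    return {
        "foreign_senders": foreign_senders,
        "null_senders": null_senders,
        "status_counts": status_counts,
        "max_delay_s": max_delay,
        "sasl_failures": sasl_failures,
    }


def relay_paths(postconf_text):
    """Return the permit_* rules that precede reject_unauth_destination in
    smtpd_recipient_restrictions.  Postfix evaluates the list in order, so these
    are the only ways a message for a non-local recipient is accepted for
    relaying (Postfix 2.10 and later also consult smtpd_relay_restrictions)."""
    for line in postconf_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "smtpd_recipient_restrictions":
            continue
        permits, seen_reject = [], False
        for item in re.split(r"[,\s]+", value.strip()):
            if item == "reject_unauth_destination":
                seen_reject = True
                break
            if item.startswith("permit"):
                permits.append(item)
        return {"permit_before_reject": permits,
                "has_reject_unauth_destination": seen_reject}
    # Parameter absent: Postfix's default value applies, nothing to report from this text.
    return {"permit_before_reject": [], "has_reject_unauth_destination": False}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, LOCAL_DOMAINS).items():
        print(f"{key}: {value}")
    print("relay paths:", relay_paths(SAMPLE_POSTCONF))
```

With the posted restrictions the only relay paths are permit_sasl_authenticated and permit_mynetworks (127.0.0.1/32 and 10.1.10.0/24), so queued mail carrying cox.net, yahoo.co.jp and similar envelope senders entered either through an authenticated login or from a host on that LAN, and the SASL LOGIN failure from 188.135.211.83 shows passwords being guessed against the server. The oldest delay in the sample, 71896 seconds, is about 20 hours, which matches "started yesterday morning". The next thing to pull from the same log is the client= line Postfix writes for each accepted message; for authenticated submissions it carries sasl_username=, which identifies the account the spam is being sent through and therefore the password to change.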
