
My server appears hacked - sending spam email.

Below is a snippet from my smtp log:

Mar 24 13:15:52 xserve postfix/smtp[4700]: 53DAA333FF9A: to=<soldier_style_bk@yahoo.co.jp>, relay=mx1.mail.yahoo.co.jp[183.79.29.234], delay=67809, status=sent (250 ok dirdel)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204A331DEE2: from=<kristinabangs@cox.net>, size=2194, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 53DAA333FF9A: removed
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204C330094F: from=<>, size=4660, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 271F932EC252: from=<joancaz@cox.net>, size=2208, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4513]: 53E383351159: to=<borisj@bcorp.ru>, relay=mail.bcorp.ru[79.143.64.177], delay=64711, status=bounced (host mail.bcorp.ru[79.143.64.177] said: 550 5.7.1 Message rejected. (in reply to end of DATA command))
Mar 24 13:15:52 xserve postfix/cleanup[4699]: 64FB23375A10: message-id=<20150324171552.64FB23375A10@mail.galadv.com>
Mar 24 13:15:52 xserve postfix/qmgr[73]: 53E383351159: removed
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204C334F114: from=<tnkuhn@cox.net>, size=2490, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4701]: 53F7432F83E0: to=<support@helpmorepeople.com>, relay=aspmx.l.google.com[74.125.22.27], delay=84576, status=sent (250 2.0.0 OK 1427217352 78si4573754qhf.108 - gsmtp)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 53F7432F83E0: removed
Mar 24 13:15:52 xserve postfix/smtp[3137]: 53F38332C56F: to=<saynex@mail.ru>, relay=mxs.mail.ru[217.69.139.150], delay=71896, status=deferred (host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command))
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204D334242B: from=<chisato_zoo_land@yahoo.co.jp>, size=2448, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4662]: 53F49335601C: host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 620553336028: from=<cryssy@cryssycheung.com>, size=2366, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4660]: 53F583345400: host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)
Mar 24 13:15:52 xserve postfix/smtp[4562]: 53F6732FD2C7: to=<gryzia2008@rambler.ru>, relay=imx1.rambler.ru[81.19.66.234], delay=83175, status=bounced (host imx1.rambler.ru[81.19.66.234] said: 540 5.7.1 <gryzia2008@rambler.ru>: Recipient address rejected: Your emails has been returned because the intented recipient's email account has been suspended. The account must be re-activated to receive incoming messages. (in reply to RCPT TO command))
Mar 24 13:15:52 xserve postfix/cleanup[4706]: E5C7D3375A13: message-id=<20150324171552.E5C7D3375A13@mail.galadv.com>
Mar 24 13:15:52 xserve postfix/qmgr[73]: 53F6732FD2C7: removed
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6205B331A67C: from=<paulsteventon@tiscali.co.uk>, size=2255, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4570]: 53F3A3320030: to=<varivodski@mail.ru>, relay=mxs.mail.ru[217.69.139.150], delay=74560, status=deferred (host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command))
Mar 24 13:15:53 xserve postfix/qmgr[73]: 6205E330A111: from=<mikuku0419@yahoo.co.jp>, size=2383, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/smtp[4673]: 53F4D331345E: to=<evgeniy.astakhov@bk.ru>, relay=mxs.mail.ru[217.69.139.150], delay=78037, status=deferred (host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command))
Mar 24 13:15:53 xserve postfix/smtp[4427]: 53F7C3350497: host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)
Mar 24 13:15:53 xserve postfix/qmgr[73]: 6205E3324A01: from=<jtmorry-mekiana@nsbsd.org>, size=2545, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/smtp[3641]: 53F82332C362: to=<cockroach08@rambler.ru>, relay=imx1.rambler.ru[81.19.66.234], delay=71920, status=bounced (host imx1.rambler.ru[81.19.66.234] said: 540 5.7.1 <cockroach08@rambler.ru>: Recipient address rejected: Your emails has been returned because the intented recipient's email account has been suspended. The account must be re-activated to receive incoming messages. (in reply to RCPT TO command))
Mar 24 13:15:53 xserve postfix/smtpd[4109]: warning: unknown[188.135.211.83]: SASL LOGIN authentication failed
Mar 24 13:15:53 xserve postfix/smtp[4641]: 53F3732F3265: to=<pjrgh126@yahoo.co.jp>, relay=mx5.mail.yahoo.co.jp[183.79.29.238], delay=85493, status=sent (250 ok dirdel)
Mar 24 13:15:53 xserve postfix/qmgr[73]: 53F3732F3265: removed
Mar 24 13:15:53 xserve postfix/qmgr[73]: 62061334E5F6: from=<jmd@dlgpa.com>, size=2205, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/cleanup[4698]: 5EA063375A17: message-id=<20150324171553.5EA063375A17@mail.galadv.com>
Mar 24 13:15:53 xserve postfix/qmgr[73]: 53F82332C362: removed
Mar 24 13:15:53 xserve postfix/qmgr[73]: 620643345EF7: from=<sarah-hove@ntlworld.com>, size=2217, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/smtp[3738]: 53F8B330E45E: host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)
Mar 24 13:15:53 xserve postfix/smtp[4662]: 53F49335601C: to=<auto-ugra@mail.ru>, relay=mxs.mail.ru[94.100.180.150], delay=63847, status=deferred (host mxs.mail.ru[94.100.180.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command))
Mar 24 13:15:53 xserve postfix/qmgr[73]: 62065332A440: from=<kurt@mail.galadv.com>, size=2692, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/smtp[4513]: 53F963348DF1: host mxs.mail.ru[94.100.180.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)

Shown below is my postconf -n:

command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
enable_server_options = yes
html_directory = no
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname,localhost.$mydomain,localhost,galadv.com,mail.galadv.com,gallagheradvertising.com,mail.gallagheradvertising.com
mydomain = galadv.com
mydomain_fallback = localhost
myhostname = mail.galadv.com
mynetworks = 127.0.0.1/32,10.1.10.0/24
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject, permit_sasl_authenticated, permit_mynetworks, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_pw_server_security_options = plain,login
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, permit
smtpd_tls_key_file = /etc/certificates/Default.key
smtpd_use_pw_server = yes
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550

This seems to have started yesterday morning and continues. I have no idea how to stop it. Any thoughts?

Thank you

Work: Xserve G5 Dual 2.3 GHz, 10.4.9; Personal: Intel iMac, 10.5.6; Mac OS X (10.6.7); 16-year OS 9 user, 9-year OS X user

Posted on Mar 24, 2015 10:33 AM

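The excerpt above shows only the back half of the story: qmgr lines queueing mail with envelope senders at cox.net, yahoo.co.jp and similar domains, smtp lines being throttled (421 Ratelimit exceeded, naming the server's own public address 70.91.53.30) or rejected with 5.7.1, and a failed SASL LOGIN from an unknown client. What it does not include is the smtpd "client=..., sasl_method=..., sasl_username=..." line that Postfix logs for every authenticated submission, which is the line that identifies the account doing the sending. The script below is an added triage example, not code from the original post or from Postfix; it tallies those indicators over a constructed sample made of lines copied from the post plus three hypothetical smtpd lines (the usernames alice and bob, the client 203.0.113.7 and the queue IDs C0DE... are made up). LOCAL_DOMAINS and MYNETWORKS are taken from the postconf -n output in the post.

```python
"""Triage a Postfix mail.log excerpt for signs of an outbound-spam compromise."""
import ipaddress
import re
from collections import Counter, defaultdict

# Local domains and trusted networks, copied from the post's postconf -n.
LOCAL_DOMAINS = {"galadv.com", "mail.galadv.com",
                 "gallagheradvertising.com", "mail.gallagheradvertising.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.1/32"),
              ipaddress.ip_network("10.1.10.0/24")]

# Line shapes Postfix writes: qmgr (envelope sender), smtp (delivery result),
# smtpd warning (failed SASL login), smtpd client= (sasl_username= when authenticated).
RE_QMGR = re.compile(r"postfix/qmgr\[\d+\]: [0-9A-F]+: from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=\d+")
RE_SMTP = re.compile(r"postfix/smtp\[\d+\]: [0-9A-F]+: to=<[^>]+>, relay=[^,\s]+, delay=(?P<delay>[\d.]+), status=(?P<status>\w+)")
RE_SASL_FAIL = re.compile(r"postfix/smtpd\[\d+\]: warning: (?P<client>\S+): SASL \w+ authentication failed")
RE_SMTPD_CLIENT = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=(?P<client>[^,\s]+)(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
RE_CLIENT_IP = re.compile(r"\[([^\]]+)\]")

# Constructed sample: the first ten lines are copied from the post; the last three
# smtpd client= lines are hypothetical (alice, bob, 203.0.113.7, C0DE... queue IDs).
SAMPLE_LOG = """\
Mar 24 13:15:52 xserve postfix/smtp[4700]: 53DAA333FF9A: to=<soldier_style_bk@yahoo.co.jp>, relay=mx1.mail.yahoo.co.jp[183.79.29.234], delay=67809, status=sent (250 ok dirdel)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204A331DEE2: from=<kristinabangs@cox.net>, size=2194, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204C330094F: from=<>, size=4660, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/qmgr[73]: 271F932EC252: from=<joancaz@cox.net>, size=2208, nrcpt=1 (queue active)
Mar 24 13:15:52 xserve postfix/smtp[4513]: 53E383351159: to=<borisj@bcorp.ru>, relay=mail.bcorp.ru[79.143.64.177], delay=64711, status=bounced (host mail.bcorp.ru[79.143.64.177] said: 550 5.7.1 Message rejected. (in reply to end of DATA command))
Mar 24 13:15:52 xserve postfix/smtp[3137]: 53F38332C56F: to=<saynex@mail.ru>, relay=mxs.mail.ru[217.69.139.150], delay=71896, status=deferred (host mxs.mail.ru[217.69.139.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command))
Mar 24 13:15:52 xserve postfix/qmgr[73]: 6204D334242B: from=<chisato_zoo_land@yahoo.co.jp>, size=2448, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/smtpd[4109]: warning: unknown[188.135.211.83]: SASL LOGIN authentication failed
Mar 24 13:15:53 xserve postfix/qmgr[73]: 62065332A440: from=<kurt@mail.galadv.com>, size=2692, nrcpt=1 (queue active)
Mar 24 13:15:53 xserve postfix/smtp[4513]: 53F963348DF1: host mxs.mail.ru[94.100.180.150] said: 421 Ratelimit exceeded for 70.91.53.30. Try again later. (in reply to DATA command)
Mar 24 13:15:53 xserve postfix/smtpd[4110]: C0DE00000001: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Mar 24 13:15:53 xserve postfix/smtpd[4111]: C0DE00000002: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Mar 24 13:15:54 xserve postfix/smtpd[4112]: C0DE00000003: client=mac-01.galadv.com[10.1.10.25], sasl_method=PLAIN, sasl_username=bob
"""


def client_ip(client):
    """Pull the address out of a Postfix client string such as unknown[203.0.113.7]."""
    m = RE_CLIENT_IP.search(client)
    if not m:
        return None
    addr = m.group(1)
    if addr.startswith("IPv6:"):      # Postfix logs v6 addresses as [IPv6:...]
        addr = addr[5:]
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def is_trusted(client):
    """True if the client's address lies inside mynetworks."""
    ip = client_ip(client)
    return ip is not None and any(ip in net for net in MYNETWORKS)


def triage(log_text):
    """Summarise the outbound-spam indicators found in a block of mail.log text."""
    senders = Counter()              # envelope-sender domain -> messages queued
    null_senders = 0                 # from=<>: bounces, which a spam run also produces
    statuses = Counter()             # sent / bounced / deferred
    sasl_failures = Counter()        # client -> failed logins (password guessing)
    sasl_users = Counter()           # sasl_username -> authenticated submissions
    sasl_clients = defaultdict(set)  # sasl_username -> clients it logged in from
    ratelimit_hits = 0
    max_delay = 0.0

    for line in log_text.splitlines():
        if "421 Ratelimit exceeded" in line:
            ratelimit_hits += 1      # receivers are throttling this server's IP
        if m := RE_QMGR.search(line):
            domain = m.group("sender").rpartition("@")[2].lower()
            if domain:
                senders[domain] += 1
            else:
                null_senders += 1
        elif m := RE_SMTP.search(line):
            statuses[m.group("status")] += 1
            max_delay = max(max_delay, float(m.group("delay")))
        elif m := RE_SASL_FAIL.search(line):
            sasl_failures[m.group("client")] += 1
        elif (m := RE_SMTPD_CLIENT.search(line)) and m.group("user"):
            sasl_users[m.group("user")] += 1
            sasl_clients[m.group("user")].add(m.group("client"))

    # Mail leaving with envelope senders at domains this server does not host.
    foreign = sum(n for d, n in senders.items() if d not in LOCAL_DOMAINS)
    # Accounts that authenticated from outside mynetworks are the prime suspects:
    # with reject_unauth_destination in place, stolen SASL credentials are the
    # usual way relaying happens, not an open relay.
    suspects = sorted(u for u, cs in sasl_clients.items()
                      if not all(is_trusted(c) for c in cs))
    return {
        "sender_domains": dict(senders),
        "foreign_sender_messages": foreign,
        "null_senders": null_senders,
        "statuses": dict(statuses),
        "ratelimit_hits": ratelimit_hits,
        "max_delay_seconds": max_delay,
        "sasl_failures": dict(sasl_failures),
        "sasl_users": dict(sasl_users),
        "suspects": suspects,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real mail.log the output worth reading is "suspects" and "sasl_users": the account with the largest submission count from addresses outside mynetworks is the one whose password to change first, and the delay values (around 20 hours in the post's excerpt) show how long the queue has been backed up behind the remote rate limits. The script only reports; it does not touch the queue.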