Stop Spamming going through Server

Hello


We are having OS X Server 5.0.15 on OS X El Capitan.

We are unable to send emails as there are lots of deferred mails. When I go to Terminal -> sudo mailq, it gives me a very large amount of data.

I tried to clear the mail queue through the command: sudo postfix flush, but it returned: "can not flush mail queue - mail system is down" (actually the mail system is not down).

I also tried: sudo postsuper -d ALL, but it also didn't solve my issue.

Due to the large number of emails in the queue, any new messages sent from this server are not being sent.


Can anyone help me? It is urgent.


Also, is there any option to check the email account which is being used to send spam emails? Actually, I can not find anything meaningful in the SMTP log in the Server app.


SMTP Logs :


Dec 10 16:42:55 server postfix/qmgr[5739]: warning: mail for gmail.com is using up 15515 of 19999 active queue entries

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: this may slow down other mail deliveries

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: you may need a separate master.cf transport for gmail.com

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: please avoid flushing the whole queue when you have

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: lots of deferred mail, that is bad for performance

Dec 10 16:42:55 server postfix/qmgr[5739]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0

Dec 10 16:43:02 server postfix/smtp[14885]: warning: valid_hostname: empty hostname

Dec 10 16:43:02 server postfix/smtp[14885]: warning: malformed domain name in resource data of MX record for yahpoo.com:

Dec 10 16:44:38 server postfix/smtp[15714]: warning: no MX host for houston.rr.com has a valid address record

Dec 10 16:45:21 server postfix/smtp[16873]: warning: no MX host for my.cvcc.edu has a valid address record

Dec 10 16:46:56 server postfix/smtp[11603]: warning: no MX host for houston.rr.com has a valid address record

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: mail for gmail.com is using up 15643 of 20000 active queue entries

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: this may slow down other mail deliveries

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: you may need to increase the main.cf smtp_destination_concurrency_limit from 20

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: please avoid flushing the whole queue when you have

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: lots of deferred mail, that is bad for performance

Dec 10 16:47:58 server postfix/qmgr[5739]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0

Dec 10 16:49:27 server postfix/smtp[17271]: warning: no MX host for houston.rr.com has a valid address record

Dec 10 16:50:21 server postfix/smtp[17248]: warning: valid_hostname: empty hostname

Dec 10 16:50:21 server postfix/smtp[17248]: warning: malformed domain name in resource data of MX record for yahooo.com:

Dec 10 16:50:24 server postfix/smtp[16561]: warning: no MX host for houston.rr.com has a valid address record

Dec 10 16:50:39 server postfix/smtpd[11190]: warning: hostname 201.14.127.218.brasiltelecom.net.br does not resolve to address 201.14.127.218: nodename nor servname provided, or not known

Dec 10 16:51:32 server postfix/smtpd[11190]: warning: Illegal address syntax from hal.grp7mail.com[64.79.109.20] in RCPT command: <rdiamente@comcast..net>

Dec 10 16:52:42 server postfix/qmgr[5739]: warning: connect to transport private/smtp-amavis: Connection refused

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: mail for gmail.com is using up 15650 of 20000 active queue entries

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: this may slow down other mail deliveries

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: you may need to increase the main.cf smtp_destination_concurrency_limit from 20

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: please avoid flushing the whole queue when you have

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: lots of deferred mail, that is bad for performance

Dec 10 16:52:58 server postfix/qmgr[5739]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0

Dec 10 16:53:56 server postfix/qmgr[5739]: warning: connect to transport private/smtp-amavis: Connection refused

Dec 10 16:54:46 server postfix/smtp[16155]: warning: no MX host for houston.rr.com has a valid address record

Dec 10 16:55:36 server postfix/smtp[17267]: warning: valid_hostname: numeric hostname: 0

Dec 10 16:55:36 server postfix/smtp[17267]: warning: malformed domain name in resource data of MX record for viahealth.org: 0

Dec 10 16:55:38 server postfix/smtp[17192]: warning: valid_hostname: empty hostname

Dec 10 16:55:38 server postfix/smtp[17192]: warning: malformed domain name in resource data of MX record for yahoomail.com:

Dec 10 16:55:48 server postfix/smtp[16386]: warning: valid_hostname: empty hostname

Dec 10 16:55:48 server postfix/smtp[16386]: warning: malformed domain name in resource data of MX record for canada.com:

Dec 10 16:57:30 server postfix/postsuper[17879]: warning: bogus file name: incoming/556938.79056

Dec 10 16:58:28 server postfix/smtpd[17900]: warning: hostname static-17-154-25-46.ipcom.comunitel.net does not resolve to address 46.25.154.17: nodename nor servname provided, or not known

Mac mini, OS X El Capitan (10.11.1)

Posted on Dec 10, 2015 3:55 AM


Mar 27, 2017 1:19 PM in response to Tattwam

Hey Tattwam. The command postsuper -d ALL was not working for me either, BUT when I included the full path in the command it DID WORK and deleted over 10,000 emails in the queue. This is on macOS Server Sierra.


This command with the full path DID WORK!

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin//postsuper -d ALL


This command without the path DID NOT WORK

sudo postsuper -d ALL

May 13, 2016 1:10 PM in response to Tattwam

By any chance, do you have websites hosted on this server? Joomla, Drupal, WordPress, or any other PHP-based application?


I ask because it doesn't look like you have an open relay, but it does seem like you have a remote connection trying to send spam using your server. That can happen in a number of ways, but the three most likely are:

1) open smtp relay;

2) web host malware (such as infected Wordpress site); or,

3) hacked user credentials.


You can check the IMAP log to see if there are odd remote connections issuing send commands ... If so, then the problem is 1 or 2.


To test for #2, turn off websites and see if it stops.

May 13, 2016 7:17 PM in response to Ivan Robertovich

Thanks Ivan for replying.


We are using Roundcube webmail app and only that web page is being hosted. It is also on SSL.

Still I can not understand that if it is not an open relay, how my server is sending lots of spam mails.


Once the issue has been found, I can not do anything as I didn't get any solution to stop or delete outgoing mail queue.


It would be better if anybody can elaborate above command line as POSTSUPER -d ALL command is not working for me.


Also, I can not find the user ID that is being used to send mails in the SMTP logs. That's disappointing.


Waiting for your reply. Thanks

May 13, 2016 8:23 PM in response to Tattwam

The IMAP log should give you more clues.


Your server is receiving commands to send those spams. There are only the three vectors above that are most likely. Either someone installed malware in your web hosting, and the PHP module is receiving the remote commands (test this by turning off PHP and Python... Roundcube won't work while off, but it'll help you find the source of the spam).


If you are able to pinpoint when the problem started, that can help you compare backups to the current install to find malware. You can try clamxav or maldet to scan for it, but be sure it can scan your /Library/Server/ folder and your web installation folders.


The other vectors for your computer to get spam are someone's mail account is hacked or their computer is hacked. Track this down by examining the IMAP log.


Another vector is an SMTP relay... you can check for this using mxtools. Go here: http://mxtoolbox.com/diagnostic.aspx


I don't know enough about the mail spool command above to answer that part of your question.


GOOD LUCK!
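
An added example, not part of the original thread: one way to tell the three vectors listed above apart from the Postfix SMTP log itself is to group queued mail by how it entered the server (authenticated SASL user, unauthenticated SMTP client, or local submission by a user ID such as the web server's). The log lines below are constructed samples in standard Postfix syslog format, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format; hosts, users and queue IDs are made up.
SAMPLE_LOG = """\
Dec 10 16:40:01 server postfix/smtpd[101]: 3A1F2C0D11: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Dec 10 16:40:01 server postfix/qmgr[5739]: 3A1F2C0D11: from=<alice@example.com>, size=2048, nrcpt=50 (queue active)
Dec 10 16:41:30 server postfix/pickup[202]: 3A1F2C0D33: uid=70 from=<_www>
Dec 10 16:41:30 server postfix/qmgr[5739]: 3A1F2C0D33: from=<_www@server.example.com>, size=900, nrcpt=3 (queue active)
Dec 10 16:42:00 server postfix/smtpd[103]: 3A1F2C0D44: client=mail.example.net[198.51.100.4]
Dec 10 16:42:00 server postfix/qmgr[5739]: 3A1F2C0D44: from=<bob@example.net>, size=1500, nrcpt=1 (queue active)
Dec 10 16:55:00 server postfix/qmgr[5739]: 3A1F2C0D11: from=<alice@example.com>, size=2048, nrcpt=50 (queue active)
"""

LINE = re.compile(r"postfix/(smtpd|pickup|qmgr)\[\d+\]: ([0-9A-Za-z]+): (.*)")

def origin_of(daemon, detail):
    """Map one smtpd/pickup log record to the entry point that accepted the message."""
    if daemon == "smtpd":
        user = re.search(r"sasl_username=(\S+)", detail)
        if user:
            return "sasl:" + user.group(1)                     # authenticated submission
        client = re.search(r"client=\S*\[([^\]]+)\]", detail)
        return "smtp:" + client.group(1) if client else None  # unauthenticated client
    uid = re.search(r"uid=(\d+)", detail)
    return "local:uid=" + uid.group(1) if uid else None       # submitted on the host itself

def recipients_by_origin(log_text):
    """Return a Counter of recipient totals per origin, counting each queue ID once."""
    origin, nrcpt = {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, detail = m.groups()
        if daemon == "qmgr":
            n = re.search(r"nrcpt=(\d+)", detail)
            if n:
                nrcpt.setdefault(qid, int(n.group(1)))  # deferred mail is logged again on retry
        else:
            src = origin_of(daemon, detail)
            if src:
                origin.setdefault(qid, src)
    totals = Counter()
    for qid, src in origin.items():
        totals[src] += nrcpt.get(qid, 0)
    return totals

if __name__ == "__main__":
    print(recipients_by_origin(SAMPLE_LOG).most_common())
```

A large `sasl:` total points at compromised credentials and a large `local:uid=` total at a script on the host. `smtp:` entries also include ordinary inbound mail, so they matter only for clients that should not be relaying.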

May 13, 2016 8:29 PM in response to Tattwam

Tattwam wrote:



Once the issue has been found, I can not do anything as I didn't get any solution to stop or delete outgoing mail queue.


It would be better if anybody can elaborate above command line as POSTSUPER -d ALL command is not working for me.



Check here: https://topicdesk.com/faqs/why-do-postconf-n-and-postfix-reload-produce-unexpected-output-on-os-x-server-5/


and here: https://topicdesk.com/faqs/os-x-server-mail-services/managing-the-mail-queue/



For more examples on how postsuper works, see this page: http://www.faqforge.com/linux/server/manage-the-postfix-mailqueue-with-postsuper-postqueue-und-mailq/


Hope those help you figure out what each does so you can accomplish what you want.

May 15, 2016 11:03 PM in response to Ivan Robertovich

Hello Ivan,

Thank you for the reply.


I have gone through links provided by you. But I am still not able to delete the mail queue. Sudo Postsuper -d ALL gives no result. There are about 20000 mails present in the queue that slow down other mail deliveries.


What if I setup another OS X Server on different machine and move mail data to that machine? Will it also migrate the outgoing mail queue?


Ivan Robertovich wrote:


the IMAP log should give you more clues.

Unfortunately in console app or in Server app, I am unable to see older logs.

Ivan Robertovich wrote:


You can try clamxav or maldet to scan for it, but be sure it can scan your /Library/Server/ folder and your web installation folders.

Can you explain how I can do this?


Thanks in advance
