Postfix/Relay Question

[mattjurado]

I have a postfix server that we are monitoring some strange mail activity. Originally we thought it was a virus infected desktop that may have been generating bogus mail, but we have shut down all computers, purged the mail queue, and we're still seeing many entries such as below. It is not open relay, although we do allow the use of this server for smtp externally, with a username/password. We've run several tests, and cannot use this server for smtp without authentication. We reset the password to something different, and we starting seeing this stuff in the mail queue right away again. Its very puzzling. Any suggestions? Obviously, it does appear to be spam!

316DF1A6BD 11274 Thu Aug 12 18:24:00 (MAILER-DAEMON)
(connect to mail.superiormkt.us[65.59.208.90]: Connection timed out)
power@powerzipship.com

38F321A6FA 11261 Thu Aug 12 18:23:32 (MAILER-DAEMON)
(connect to mail.helpaccount.net[65.182.142.10]: Connection timed out)
slert@stockalert911.us

689A6191F5 4025 Thu Aug 12 18:23:05 (MAILER-DAEMON)
(host mx3.mail.yahoo.com[67.28.114.36] said: 421 mta192.mail.dcn.yahoo.com Resources temporarily unavailable. Please try again later [#4.16.3].)
Bowlesjjar@yahoo.com

6F3B61920F 3556 Thu Aug 12 18:21:02 (MAILER-DAEMON)
(host mx3.mail.yahoo.com[64.156.215.7] said: 421 mta250.mail.scd.yahoo.com Resources temporarily unavailable. Please try again later [#4.16.3].)
Jodienucleolus3788404509@yahoo.com

C45BD1B323 3749 Thu Aug 12 18:33:47 (MAILER-DAEMON)
(Name service error for no.valid.emailaddresses.here.com: Host not found, try again)
FNSDMQQKTMF@inker.com


Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.

 

[mattjurado]

By the way, I have tried sites to test the server for open relay, such as

http://www.abuse.net/relay.html

They all come up clean!

Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.

 

[thedaver]

You sure those aren't bogus bounce/double-bounce messages? I don't know $hit about postfix, but I read those as undeliverable bounces from inbound spam.

http://www.surfinbox.com/dir.php

 

[mattjurado]

We typically only see sendmail too, but these appear to be failures on postfix to deliver. What I didn't include are similar to those in my first post, that show a full sender and a recipient, postfix appears to be trying to deliver the messages, and is failing.

Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.

 

[thedaver]

I see potpourri of issues. Your first two are clearly outbound spoofed spam, which should be worrisome. The third and fourth are stalled deliveries to an MTA at Yahoo that isn't ready to talk to you. The fifth example is probably a spam as well with a faked reply-to.

You do indeed have something to look into!

http://www.surfinbox.com/dir.php

 

[mattjurado]

Yeah, I can't figure out how the mail is arriving to postfix and getting slapped in its smtp queue, I must be overlooking something.

Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.