Returned Mail by the 1000s
bms at mscis.org
Fri Feb 2 10:47:53 MST 2007
Clint Savage wrote:
> Gary thanks.
> That sort of blocked it, but now I get hundreds of Undeliverable
> messages in my inbox. I am guessing that if I remove the "mail for
> korea.com is not deliverable" part from the transport file, this will
> go away?
> Also, I do think it's something local on my box, but nothing really
> out of the ordinary. Looking around, I've so far located a couple
> that are suspect, but nothing really solid. Are there any good tools out
> there to help identify the culprit?
> On 1/30/07, Gary Thornock <gthornock at yahoo.com> wrote:
>> You might check the mynetworks and relay_domains settings in
>> Postfix, but I suspect they're fine. This looks more like
>> there's an application running on your box that's sending mail.
>> That's a more difficult problem to solve, unfortunately, unless
>> it's an application that's supposed to be there and it's just
>> being misused.
>> If all of the mails being sent have the same destination domain,
>> you can at least temporarily stop the flow by adding a couple of
>> lines to /usr/local/etc/postfix/transport:
>>
>>     korea.com error:mail for korea.com is not deliverable
>>     .korea.com error:mail for korea.com is not deliverable
>>
>> and then running the usual "postmap transport && postfix reload".
>> Check first to make sure Postfix is using the transport map.
>> There should be a line like this in main.cf:
>>
>>     transport_maps = hash:/usr/local/etc/postfix/transport
>>
>> Ultimately, though, if there is an unwanted application on your
>> system sending email, you've got some work ahead of you getting
>> things cleaned up. The only way to really be sure that other
>> parts of your system aren't also compromised is to reinstall.
If you can't find what you want in your logs, look for a mail script
(PHP, Perl, or whatever you use). It's likely an exploited script, and
the fix not to send to certain places is only a band-aid fix. You'll
cut down on processor/memory usage if you find the exploited script.
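
One way to narrow down the sender from the logs, as discussed in this thread (an added example, not part of the original posts): count messages addressed to the blocked domain by how they entered Postfix. It assumes standard syslog-format Postfix lines; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Usage: mail_origins <maillog> <domain>
# Prints "<count> <origin>" per submitter of mail addressed to <domain>.
# origin is uid=N (local sendmail/pickup submission) or client=host[ip] (SMTP).
mail_origins() {
    awk -v dom="$2" '
    # $5 = "postfix/<daemon>[pid]:", $6 = "<queue-id>:", $7 = first attribute
    ($5 ~ /^postfix\/pickup\[/ && $7 ~ /^uid=/) ||
    ($5 ~ /^postfix\/smtpd\[/ && $7 ~ /^client=/) {
        qid = $6; sub(/:$/, "", qid); origin[qid] = $7
    }
    $7 ~ /^to=</ {
        qid = $6; sub(/:$/, "", qid)
        rcpt = tolower($7); gsub(/^to=<|>,?$/, "", rcpt)
        n = split(rcpt, parts, "@"); host = parts[n]; d = tolower(dom)
        # match the domain and its subdomains, like the two transport entries
        tail = substr(host, length(host) - length(d))
        if (host == d || tail == ("." d)) hit[qid] = 1
    }
    END {
        # resolve here so the result does not depend on log line order
        for (q in hit) count[(q in origin) ? origin[q] : "unknown"]++
        for (o in count) printf "%d %s\n", count[o], o
    }' "$1" | sort -rn
}

# Constructed sample log (not taken from the thread).
sample_log() {
    cat <<'EOF'
Jan 30 09:12:01 box postfix/pickup[1234]: A1B2C3D401: uid=80 from=<www>
Jan 30 09:12:01 box postfix/error[1236]: A1B2C3D401: to=<a@korea.com>, relay=none, delay=0.1, status=bounced (mail for korea.com is not deliverable)
Jan 30 09:12:02 box postfix/pickup[1234]: A1B2C3D402: uid=80 from=<www>
Jan 30 09:12:02 box postfix/error[1236]: A1B2C3D402: to=<b@korea.com>, relay=none, delay=0.1, status=bounced (mail for korea.com is not deliverable)
Jan 30 09:12:03 box postfix/pickup[1234]: A1B2C3D403: uid=80 from=<www>
Jan 30 09:12:03 box postfix/error[1236]: A1B2C3D403: to=<c@mail.korea.com>, relay=none, delay=0.1, status=bounced (mail for korea.com is not deliverable)
Jan 30 09:12:05 box postfix/smtpd[1240]: A1B2C3D404: client=localhost[127.0.0.1]
Jan 30 09:12:05 box postfix/error[1236]: A1B2C3D404: to=<d@korea.com>, relay=none, delay=0.2, status=bounced (mail for korea.com is not deliverable)
Jan 30 09:12:07 box postfix/pickup[1234]: A1B2C3D405: uid=1001 from=<clint>
Jan 30 09:12:08 box postfix/smtp[1241]: A1B2C3D405: to=<e@notkorea.com>, relay=mx.notkorea.com[192.0.2.10]:25, delay=1.2, status=sent (250 ok)
EOF
}
```

A uid belonging to the web server account at the top of the output points at a web script, which fits the suggestion above to look for an exploited mail script.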