Returned Mail by the 1000s

Brandon Stout bms at mscis.org
Fri Feb 2 10:47:53 MST 2007


Clint Savage wrote:
> Gary thanx.
>
> That sort of blocked it, but now I get hundreds of Undeliverable
> messages in my inbox.  I am guessing that if I remove the "mail for
> korea.com is not deliverable" part from the transport file, this will
> go away?
>
> Also, I do think it's something local on my box, but nothing really
> appears out of the ordinary.  Looking around, I've so far located a
> couple processes that are suspect, but nothing really solid.  Are there
> any good tools out there to help identify the culprit?
>
> Cheers,
>
> Clint
>
> On 1/30/07, Gary Thornock <gthornock at yahoo.com> wrote:
>>
>> You might check the mynetworks and relay_domains settings in
>> Postfix, but I suspect they're fine.  This looks more like
>> there's an application running on your box that's sending mail.
>> That's a more difficult problem to solve, unfortunately, unless
>> it's an application that's supposed to be there and it's just
>> being misused.
>>
>> If all of the mails being sent have the same destination domain,
>> you can at least temporarily stop the flow by adding a couple of
>> lines to /usr/local/etc/postfix/transport:
>>
>>   korea.com   error:mail for korea.com is not deliverable
>>   .korea.com  error:mail for korea.com is not deliverable
>>
>> and then running the usual "postmap transport && postfix reload".
>> Check first to make sure Postfix is using the transport map.
>> There should be a line like this in main.cf:
>>
>>   transport_maps = hash:/usr/local/etc/postfix/transport
>>
>> Ultimately, though, if there is an unwanted application on your
>> system sending email, you've got some work ahead of you getting
>> things cleaned up.  The only way to really be sure that other
>> parts of your system aren't also compromised is to reinstall.

If you can't find what you want in your logs, look for a mail script
(PHP, Perl, or whatever you use).  It's likely an exploited script, and
the fix not to send to certain places is only a band-aid fix.  You'll
cut down on processor/memory usage if you find the exploited script.

Brandon Stout
http://mscis.org
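Brandon's suggestion to start from the logs can be made concrete. Postfix tags every message with a queue ID, and that ID appears both on the submission record (`postfix/pickup` logs the local `uid=` of whatever handed the mail to sendmail(1); `postfix/smtpd` logs the `client=` for network submissions) and on each delivery attempt (`to=<...>` with a `status=`). Joining the two tells you which local user, typically the web server's, is generating the flood to one domain, which is exactly the clue needed to find an exploited script. The following parser is an added example written for this thread, not code from anyone in it; the log lines it runs on are constructed to follow Postfix's standard syslog format, and the queue IDs, addresses and hosts in them are invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Postfix syslog lines (not taken from the thread).
# The transport-map "error:" entries described in the thread are carried out by
# the postfix/error delivery agent, which logs status=bounced.
SAMPLE_MAILLOG = """\
Feb  2 10:40:01 mx postfix/pickup[2201]: 3F1A2B0C11: uid=80 from=<www>
Feb  2 10:40:01 mx postfix/qmgr[2150]: 3F1A2B0C11: from=<www@example.test>, size=812, nrcpt=1 (queue active)
Feb  2 10:40:02 mx postfix/error[2310]: 3F1A2B0C11: to=<user1@korea.com>, relay=none, delay=0.1, dsn=5.0.0, status=bounced (mail for korea.com is not deliverable)
Feb  2 10:40:03 mx postfix/pickup[2201]: 4A2B3C0D22: uid=80 from=<www>
Feb  2 10:40:03 mx postfix/error[2311]: 4A2B3C0D22: to=<user2@korea.com>, relay=none, delay=0.1, dsn=5.0.0, status=bounced (mail for korea.com is not deliverable)
Feb  2 10:40:05 mx postfix/pickup[2201]: 5B3C4D0E33: uid=80 from=<www>
Feb  2 10:40:05 mx postfix/error[2312]: 5B3C4D0E33: to=<user3@korea.com>, relay=none, delay=0.1, dsn=5.0.0, status=bounced (mail for korea.com is not deliverable)
Feb  2 10:41:10 mx postfix/pickup[2201]: 6C4D5E0F44: uid=1001 from=<clint>
Feb  2 10:41:11 mx postfix/smtp[2313]: 6C4D5E0F44: to=<friend@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=1.3, dsn=2.0.0, status=sent (250 OK)
Feb  2 10:41:30 mx postfix/smtpd[2400]: 7D5E6F0A55: client=relay.example.net[198.51.100.7]
Feb  2 10:41:31 mx postfix/error[2314]: 7D5E6F0A55: to=<user4@korea.com>, relay=none, delay=0.1, dsn=5.0.0, status=bounced (mail for korea.com is not deliverable)
"""

# "postfix/<agent>[pid]: <queue id>: <rest of record>"
LINE_RE = re.compile(r"postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
UID_RE = re.compile(r"\buid=(\d+)")
CLIENT_RE = re.compile(r"\bclient=(\S+)")
TO_RE = re.compile(r"\bto=<[^@>]+@(?P<domain>[^>]+)>")


def parse_maillog(text):
    """Join each queue ID's submission record with its delivery attempts.

    Returns a list of (origin, recipient_domain) pairs, where origin is
    "uid=<n>" for local submissions, "client=<host[ip]>" for SMTP
    submissions, or "unknown" if the submission line was not in the log.
    """
    origin = {}                      # queue id -> origin string
    deliveries = defaultdict(list)   # queue id -> recipient domains
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                 # e.g. postfix/master lines with no queue id
        proc, qid, rest = m.group("proc", "qid", "rest")
        if proc == "pickup":
            u = UID_RE.search(rest)
            if u:
                origin[qid] = "uid=" + u.group(1)
        elif proc == "smtpd":
            c = CLIENT_RE.search(rest)
            if c:
                origin[qid] = "client=" + c.group(1)
        elif proc in ("smtp", "error", "local", "virtual"):
            t = TO_RE.search(rest)
            if t:
                deliveries[qid].append(t.group("domain").lower())
    return [(origin.get(qid, "unknown"), d)
            for qid, domains in deliveries.items() for d in domains]


def recipients_by_domain(text):
    """How many delivery attempts went to each destination domain."""
    return Counter(d for _, d in parse_maillog(text))


def origins_for_domain(text, domain):
    """Who submitted the mail addressed to one domain."""
    return Counter(o for o, d in parse_maillog(text) if d == domain.lower())


def suspect_origins(text, domain, threshold):
    """Origins that submitted at least `threshold` messages to `domain`,
    most prolific first.  A web-server uid at the top of this list points
    at a mail-sending script rather than at a relay problem."""
    return [o for o, n in origins_for_domain(text, domain).most_common()
            if n >= threshold]


if __name__ == "__main__":
    print(recipients_by_domain(SAMPLE_MAILLOG))
    print(origins_for_domain(SAMPLE_MAILLOG, "korea.com"))
    print(suspect_origins(SAMPLE_MAILLOG, "korea.com", threshold=2))
```

On a real system the same functions run over the contents of the mail log (for example `open("/var/log/maillog").read()`); once the uid is known, `getent passwd <uid>` names the account, and the process list and the web server's access log for the same timestamps narrow it to the script.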
