Returned Mail by the 1000s

Brandon Stout bms at
Fri Feb 2 10:47:53 MST 2007

Clint Savage wrote:
> Gary thanx.
> That sort of blocked it, but now I get hundreds of Undeliverable
> messages in
> my inbox.  I am guessing that if I remove the "mail for is not
> deliverable" part from the transport file, this will go away?
> Also, I do think it's something local on my box, but nothing really
> appears
> out of the ordinary.  Looking around, I've so far located a couple
> processes
> that are suspect, but nothing really solid.  Are there any good tools out
> there to help identify the culprit?
> Cheers,
> Clint
> On 1/30/07, Gary Thornock <gthornock at> wrote:
>> You might check the mynetworks and relay_domains settings in
>> Postfix, but I suspect they're fine.  This looks more like
>> there's an application running on your box that's sending mail.
>> That's a more difficult problem to solve, unfortunately, unless
>> it's an application that's supposed to be there and it's just
>> being misused.
>> If all of the mails being sent have the same destination domain,
>> you can at least temporarily stop the flow by adding a couple of
>> lines to /usr/local/etc/postfix/transport:
>>   error:mail for is not deliverable
>>  error:mail for is not deliverable
>> and then running the usual "postmap transport && postfix reload".
>> Check first to make sure Postfix is using the transport map.
>> There should be a line like this in
>>   transport_maps = hash:/usr/local/etc/postfix/transport
>> Ultimately, though, if there is an unwanted application on your
>> system sending email, you've got some work ahead of you getting
>> things cleaned up.  The only way to really be sure that other
>> parts of your system aren't also compromised is to reinstall. 
If you can't find what you want in your logs, look for a mail script
(PHP, Perl, or whatever you use).  It's likely an exploited script, and
the fix not to send to certain places is only a band-aid fix.  You'll
cut down on processor/memory usage if you find the exploited script.

Brandon Stout

More information about the PLUG mailing list