Too much traffic


Ceyhun Ganioglu

Apr 1, 2013, 2:25:30 AM

Hi everybody,

I was using Postfix without any problems, but for the last two months the traffic usage of the server has increased too much. When I checked the mail queue I see emails for an account za...@likya.com which does not exist on my server. Below is an example of how the mail queue looks. I checked for open relay both manually and with some online sites. There's no open relay. Is this a kind of spam method? If yes, can anyone give me an idea how to fix it?

Kindest Regards

Ceyhun

Email queue:

AC5A615038A      635 Mon Apr  1 03:47:47  za...@likya.com
             (connect to mx1.likya.com[192.168.255.255]: Connection timed out)
                                         za...@likya.com

A05E7150098      635 Sat Mar 30 13:33:46  za...@likya.com
(delivery temporarily suspended: connect to mx1.likya.com[192.168.255.255]: Connection timed out)
                                         za...@likya.com

ABDC81500CB      641 Sun Mar 31 05:28:05  za...@likya.com
(delivery temporarily suspended: connect to mx1.likya.com[192.168.255.255]: Connection timed out)
                                         za...@likya.com

A333F150086     2786 Sat Mar 30 09:55:01  MAILER-DAEMON
(delivery temporarily suspended: connect to mx1.likya.com[192.168.255.255]: Connection timed out)
                                         za...@likya.com

A594015008E      629 Sat Mar 30 12:03:53  za...@likya.com
(delivery temporarily suspended: connect to mx1.likya.com[192.168.255.255]: Connection timed out)
                                         za...@likya.com

A122F150381      631 Mon Apr  1 00:34:18  za...@likya.com
(delivery temporarily suspended: connect to mx1.likya.com[192.168.255.255]: Connection timed out)
                                         za...@likya.com

Fernando Maior

Apr 2, 2013, 10:25:09 AM
Hi,

I am not a specialist in Postfix, just a common admin. Yet, I can see two things from your message:
  1. You sure have a DNS resolution problem. No external server should resolve to 192.168.x.x, that is an internal network. Also, the last two octets (255.255) are almost always used for broadcasting packets in the network. The IP address for mx1.likya.com should never be 192.168.255.255;
  2. Because of the DNS resolution problem, Postfix is just trying to connect to 192.168.255.255 to deliver the message to za...@likya.com, but could not, of course.
I issued three commands:
# dig likya.com ns
# dig likya.com mx
# host mx1.likya.com

The first two suggest that likya.com is configured correctly, whereas the last command resolved to the IP address 192.168.255.255, which is wrong. So the problem with DNS resolution is with the admins of likya.com, not you. Best thing to do? I would just remove all entries in the Postfix queue that are for the wrongly configured server (likya.com).

Probably someone at likya.com just made a wrong config. Maybe - in the interests of your users - you should try the likya.com site and look for a way to talk to them and tell them about the problem. Else you should keep an eye on the Postfix queue and keep removing any messages for that domain, if they continue to pop up.

Cheers,
---
Fernando Maciel Souto Maior

John Peach

Apr 2, 2013, 10:40:08 AM
On Tue, 2 Apr 2013 11:25:09 -0300
Fernando Maior <fernando.s...@gmail.com> wrote:

> Hi,
>
> I am not a specialist in Postfix, just a common admin. Yet, I can
> see two things from your message:
>
> 1. You sure have a DNS resolution problem. No external server
> should be resolved to 192.168.x.x, that is an internal network. Also,
> the last two octets (255.255) are almost always used for
> broadcasting packets in the network. The IP address for mx1.likya.com
> should never be 192.168.255.255;
> 2. Because of the DNS resolution problem, postfix is just trying to
> connect to 192.168.255.255 to deliver the message to
> za...@likya.com, but could not, of course.
>
> I issued three commands:
> # dig likya.com ns
> # dig likya.com mx
> # host mx1.likya.com
>
> The first two seems that likya.com is configured correctly, instead
> the last command resolved to the IP address 192.168.255.255, that is
> wrong. So, problem with DNS resolution is with the admins of
> likya.com, not you. Best thing to do? I would just remove all entries
> in postfix queue that are for the wrong configured server (likya.com).
>
> Probably, someone at likya.com just made a wrong config. May be - in
> the interests of your users - you should try the likya.com site and
> look for a way to talk to them and tell them about the problem. Else
> you should keep an eye on the postfix queue and keep removing any
> messages for that domain, if they continue to pop.


in main.cf

check_sender_mx_access cidr:/etc/postfix/mx_access.cidr

and in mx_access.cidr:

192.168.0.0/16 REJECT MX in bogon address space



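An added example, not from the thread and not Postfix's own code: the MX-in-bogon-space check that the check_sender_mx_access / cidr: table above performs, written out in Python so the logic can be inspected offline. DNS is replaced by a constructed lookup table (the likya.com MX address 192.168.255.255 is taken from the queue listing in the thread; example.net, nomx.example and their addresses are made up), and the CIDR list extends the thread's single 192.168.0.0/16 entry with the other RFC 1918 ranges plus loopback and link-local space. One caveat worth stating: smtpd restrictions of this kind only apply to mail that arrives over SMTP; messages injected locally through sendmail(1), for example by a web application's mail() call, never pass through smtpd and are not affected by this check.

```python
"""Reject senders whose MX hosts resolve into private / bogon address space.

Mirrors what Postfix's check_sender_mx_access does with a cidr: table:
look up the MX records of the envelope sender's domain, resolve each MX
host to addresses, and return the table's action if any address falls
inside a listed CIDR block.  DNS is replaced by constructed dictionaries
so the example runs offline.
"""
import ipaddress

# Same role as /etc/postfix/mx_access.cidr in the thread.  192.168.0.0/16 is
# the thread's entry; the others are added RFC 1918, loopback and link-local
# ranges that are equally unusable as an MX on the public Internet.
MX_ACCESS_CIDR = {
    "192.168.0.0/16": "REJECT MX in bogon address space",
    "10.0.0.0/8": "REJECT MX in bogon address space",
    "172.16.0.0/12": "REJECT MX in bogon address space",
    "127.0.0.0/8": "REJECT MX in loopback address space",
    "169.254.0.0/16": "REJECT MX in link-local address space",
}

# Constructed stand-in for DNS (not real data): domain -> MX hostnames,
# hostname -> A records.  mx1.likya.com -> 192.168.255.255 is what the
# queue output in the thread showed; the other entries are made up.
FAKE_MX = {
    "likya.com": ["mx1.likya.com"],
    "example.net": ["mx.example.net"],
    "nomx.example": [],
}
FAKE_A = {
    "mx1.likya.com": ["192.168.255.255"],
    "mx.example.net": ["203.0.113.25"],
}

_NETWORKS = [(ipaddress.ip_network(cidr), action)
             for cidr, action in MX_ACCESS_CIDR.items()]


def cidr_lookup(addr):
    """First matching table entry for addr, like a Postfix cidr: lookup."""
    ip = ipaddress.ip_address(addr)
    for net, action in _NETWORKS:
        if ip in net:
            return action
    return None


def check_sender_mx_access(sender, mx_lookup=FAKE_MX, a_lookup=FAKE_A):
    """Return 'DUNNO' (no opinion) or the REJECT string for an envelope sender.

    Postfix applies the table to the addresses of the sender domain's MX
    hosts.  A domain with no MX record falls back to its own A record
    (the implicit-MX rule), which is reproduced here.
    """
    if "@" not in sender:
        return "DUNNO"          # null sender <> or bare local part: nothing to look up
    domain = sender.rsplit("@", 1)[1].lower()
    hosts = mx_lookup.get(domain) or [domain]   # implicit MX fallback
    for host in hosts:
        for addr in a_lookup.get(host, []):
            action = cidr_lookup(addr)
            if action:
                return action
    return "DUNNO"


if __name__ == "__main__":
    for s in ("anyone@likya.com", "bob@example.net", "x@nomx.example", "<>"):
        print(s, "->", check_sender_mx_access(s))
```

The local part "anyone" in the usage is constructed; the thread shows only a truncated address. Adding this table in smtpd_sender_restrictions rejects such mail at SMTP time, but it does nothing for mail that enters via the pickup service, which is why the log check suggested later in the thread matters.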

Ceyhun Ganioglu

Apr 2, 2013, 5:06:07 PM

Hi Fernando,

Thanks for your reply. The problem is that it is not a single mail sending problem. There were 756 emails to be sent to za...@likya.com in the queue. I cleaned the queue. Then the emails appeared again. Something in my email server, or maybe a content management system on my web server side, has a vulnerability. I just need to make sure it is not from the Postfix side. Once I do this, I'll check the web sites on my server.

Thanks for your help.

Ceyhun

 


Ansgar Wiechers

Apr 2, 2013, 5:49:04 PM
On 2013-04-03 Ceyhun Ganioglu wrote:
> The problem is it is not a single mail sending problem. There were 756
> email to be sent to za...@likya.com on the queue. I cleaned the queue.
> Then the emails appeared again. Something in my email server or maybe
> a content management system on my web server side has a vulnerability.
> I just need to make sure it is not from the Postfix side. Once I do
> this, I'll check the web sites on my server.

Check your mail.log for the queue-ID of one of these messages to see how
the mail entered Postfix (e.g. "grep AC5A615038A /var/log/mail.log").
Then block that route.

For further help post the output of "postconf -n" (as requested per the
list welcome message) and the abovementioned log excerpt.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
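An added example, not from the thread: the "grep the queue ID in mail.log" step above, done over a constructed mail.log excerpt so that the entry path of each queued message can be read off automatically. The log lines are made up for this example (the two queue IDs are reused from the thread's queue listing; the hostnames, uid 33 / www-data, the client address and the SASL user are assumptions); the line formats themselves are the ones Postfix's pickup, smtpd, cleanup, qmgr and smtp daemons write. A message whose first log line comes from postfix/pickup with the web server's uid was injected locally through sendmail(1), the path a web application's mail() call uses; one whose first line comes from postfix/smtpd with a client= entry arrived over the network from that client, which is where a relay or authentication problem would show up.

```python
"""Triage Postfix mail.log by queue ID: find out how each message entered.

For every queue ID from `postqueue -p` / `mailq`, collect its log lines
(equivalent to `grep QUEUEID /var/log/mail.log`) and classify the entry path:
  postfix/pickup ... uid=N from=<user>      -> local injection via sendmail(1)
  postfix/smtpd  ... client=host[ip], ...   -> arrived over SMTP from host/ip
"""
import re
from collections import defaultdict

# Constructed sample log (not from the thread).  Queue IDs reuse two from the
# thread's queue listing; hosts, uid, client address and SASL user are made up.
SAMPLE_LOG = """\
Apr  1 03:47:40 mail postfix/pickup[1201]: AC5A615038A: uid=33 from=<www-data>
Apr  1 03:47:40 mail postfix/cleanup[1210]: AC5A615038A: message-id=<20130401034740.AC5A615038A@mail.example.org>
Apr  1 03:47:40 mail postfix/qmgr[1105]: AC5A615038A: from=<www-data@mail.example.org>, size=635, nrcpt=1 (queue active)
Apr  1 03:47:47 mail postfix/smtp[1222]: AC5A615038A: to=<user@likya.com>, relay=none, delay=7, delays=0.1/0/6.9/0, dsn=4.4.1, status=deferred (connect to mx1.likya.com[192.168.255.255]: Connection timed out)
Mar 30 13:33:40 mail postfix/smtpd[980]: A05E7150098: client=laptop.example.org[203.0.113.7], sasl_method=PLAIN, sasl_username=alice
Mar 30 13:33:40 mail postfix/cleanup[990]: A05E7150098: message-id=<abc@laptop.example.org>
Mar 30 13:33:46 mail postfix/qmgr[1105]: A05E7150098: from=<alice@example.org>, size=635, nrcpt=1 (queue active)
"""

# syslog timestamp, host, postfix/<daemon>[pid]: <queue id>: <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
SASL_RE = re.compile(r"sasl_username=(\S+)")


def lines_for_queue_ids(log_text, queue_ids):
    """Group parsed log lines by queue ID, keeping only the IDs asked for."""
    wanted = set(queue_ids)
    by_id = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("qid") in wanted:
            by_id[m.group("qid")].append(m)
    return by_id


def classify_entry(matches):
    """Describe how a message entered Postfix from its log lines (in log order)."""
    for m in matches:
        prog, rest = m.group("prog"), m.group("rest")
        if prog == "smtpd":
            c = CLIENT_RE.search(rest)
            if c:
                info = {"path": "smtp", "client": c.group("host"), "ip": c.group("ip")}
                s = SASL_RE.search(rest)
                if s:
                    info["sasl_username"] = s.group(1)   # authenticated submission
                return info
        elif prog == "pickup":
            p = PICKUP_RE.search(rest)
            if p:
                # uid identifies the local account that ran sendmail(1);
                # a web server's uid points at a web application as the source.
                return {"path": "local", "uid": int(p.group("uid")), "from": p.group("from")}
    return {"path": "unknown"}


def triage(log_text, queue_ids):
    """Map each queue ID to its entry path; IDs absent from the log are 'unknown'."""
    by_id = lines_for_queue_ids(log_text, queue_ids)
    return {qid: classify_entry(by_id.get(qid, [])) for qid in queue_ids}


if __name__ == "__main__":
    for qid, info in triage(SAMPLE_LOG, ["AC5A615038A", "A05E7150098"]).items():
        print(qid, info)
```

On a real system, feed it the output of `postqueue -p` for the IDs and the contents of the mail log; a pickup entry with the web server's uid is the signal that the route to block is a local process rather than an SMTP client, which is consistent with what the thread found later.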

Fernando Maior

Apr 2, 2013, 7:38:34 PM
Ceyhun,

It is not a problem with Postfix. Proceed looking for someone or some process that is forwarding those e-mails to your postfix server. Your postfix server is just receiving them from internal clients and putting them into the queue to send it out.

Bye,
---
Fernando Maciel Souto Maior

KSB

Apr 3, 2013, 1:39:38 AM
On 2013.04.03. 2:38, Fernando Maior wrote:
> Ceyhun,
>
> It is not a problem with Postfix. Proceed looking for someone or some
> process that is forwarding those e-mails to your postfix server. Your
> postfix server is just receiving them from internal clients and putting
> them into the queue to send it out.
>
> Bye,
> ---
> Fernando Maciel Souto Maior
>
Probably they are NDR, so look inside of one of the messages with
pfqueue to see original sender, ip, contents and so on...

--
KSB

Ceyhun Ganioglu

Apr 3, 2013, 2:58:03 AM

Hi Fernando,

Thanks for your response. This is exactly the case. I cleaned the mail queue last night and disabled one of the Drupal installations which seems vulnerable to me. Since last night there are no new emails sent, which is good. Thank you for your help.

Regards

 
