From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: freebsd-questions@freebsd.org
Subject: Re: Trying to understand some email issues
Date: Mon, 21 Jan 2019 08:31:48 -0600
List-Id: User questions (freebsd-questions@freebsd.org)
On 1/21/19 12:33 AM, Patrick Mahan wrote:
> All,
>
> FreeBSD 11.2
>
> Running postfix 3.3.2_1,1
>
> I'm getting hammered with thousands of emails from yahoo.com -
>
> Here is an example -
>
> Jan 20 22:09:01 ns postfix/smtp[1308]: 2DA97A2E2EF: to=,
> relay=mx-aol.mail.gm0.yahoodns.net[98.137.157.43]:25, delay=13730,
> delays=13728/0.31/1.1/0.06, dsn=4.7.0, status=deferred (host
> mx-aol.mail.gm0.yahoodns.net[98.137.157.43] said: 421 4.7.0 [TSS04]
> Messages from 23.24.207.145 temporarily deferred due to user complaints -
> 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply
> to MAIL FROM command))
>
> I'm trying to determine if I am somehow relaying emails to yahoo.com, or if
> this is someone attacking me.
>
> I am pretty sure I have configured postfix to avoid acting as a relay for
> unauthenticated connections. But this may be something I have messed up.
> This has been happening only since I upgraded to 11.2 (I was at 9.x). I
> also just recently switched from sendmail to postfix as well.
>
> I can provide my postfix config on request if needed.
>
> Pointers to other mailing lists are welcome. I decided to start here before
> jumping on the postfix mailing list.

Do your users have shell access to your mail server? If yes, then I would check that nothing is happening from one of the user accounts (stolen password, bad guys got a shell as that user). They can set up a process that loads addresses from a remote place and sends a spam message to them all. Most often they would do it through your postfix locally. Then the postfix queue will be big from time to time, and you will see this in the maillog.

In the less likely scenario (if it really originates from you) where the script sends directly itself, you may increase the verbosity of the firewall log. One more thing to check is that there are no unexplained processes on the machine. If the machine is simultaneously a web server, that would be the next suspect. There may be some form that sends email to an address provided by a web visitor. But this is one of the possibilities which most likely will be visible in your mail logs.

After you have investigated everything on your side (or maybe even before that), do as Odhiambo suggested: go to the yahoo URL provided and read what they say there.

Good luck.

Valeri

> Thanks in advance,
>
> Patrick

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
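The question the thread circles around (is the Yahoo-deferred mail coming from a compromised local account, from an unauthenticated client abusing the server as a relay, or from a local script submitting via sendmail/pickup) can be answered from the maillog itself, because Postfix logs every message under one queue ID across smtpd, pickup, qmgr and smtp. The script below is an added example written for this page, not code from either poster or from the Postfix project: it joins each deferred Yahoo delivery back to the line that shows how the message entered the queue and tallies the origins. The log lines in SAMPLE_LOG are constructed for illustration (hostnames, IPs and usernames are made up, only the Yahoo 421 text follows the format Patrick quoted); the helper name deferred_origins is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): attribute Postfix messages that
# Yahoo deferred for "user complaints" to the way they entered the queue.
#
# Origin classes, derived from standard Postfix log lines:
#   authenticated:<user>          smtpd line with sasl_username=   -> stolen mail password
#   local-submission:uid=<n>      pickup line with uid=            -> local script / cron / web form
#   unauthenticated-client:<host> smtpd client= without SASL       -> possible open relay
#   unknown-origin                origin line not in the log excerpt (rotated away)

# Constructed sample maillog; every value here is made up for the example.
SAMPLE_LOG=$(cat <<'EOF'
Jan 20 21:59:01 ns postfix/smtpd[1200]: 2DA97A2E2EF: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=bob
Jan 20 21:59:01 ns postfix/qmgr[1100]: 2DA97A2E2EF: from=<bob@example.org>, size=2210, nrcpt=1 (queue active)
Jan 20 21:59:02 ns postfix/pickup[1101]: 3EB08B3F3F0: uid=1002 from=<www>
Jan 20 21:59:02 ns postfix/qmgr[1100]: 3EB08B3F3F0: from=<www@example.org>, size=1800, nrcpt=1 (queue active)
Jan 20 21:59:03 ns postfix/smtpd[1201]: 4FC19C4F4F1: client=mail.example.net[198.51.100.7]
Jan 20 21:59:03 ns postfix/qmgr[1100]: 4FC19C4F4F1: from=<alice@example.net>, size=900, nrcpt=1 (queue active)
Jan 20 22:09:01 ns postfix/smtp[1308]: 2DA97A2E2EF: to=<x@yahoo.com>, relay=mx-aol.mail.gm0.yahoodns.net[98.137.157.43]:25, delay=13730, delays=13728/0.31/1.1/0.06, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.137.157.43] said: 421 4.7.0 [TSS04] Messages from 23.24.207.145 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
Jan 20 22:09:02 ns postfix/smtp[1308]: 3EB08B3F3F0: to=<y@yahoo.com>, relay=mx-aol.mail.gm0.yahoodns.net[98.137.157.43]:25, delay=600, delays=598/0.3/1.1/0.06, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.137.157.43] said: 421 4.7.0 [TSS04] Messages from 23.24.207.145 temporarily deferred due to user complaints)
Jan 20 22:09:03 ns postfix/smtp[1309]: 4FC19C4F4F1: to=<z@yahoo.com>, relay=mx-aol.mail.gm0.yahoodns.net[98.137.157.43]:25, delay=600, delays=598/0.3/1.1/0.06, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.137.157.43] said: 421 4.7.0 [TSS04] Messages from 23.24.207.145 temporarily deferred due to user complaints)
Jan 20 22:09:04 ns postfix/smtp[1309]: 5AD2AD5A5A2: to=<w@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1, delays=0.5/0.3/0.1/0.1, dsn=2.0.0, status=sent (250 OK)
EOF
)

# deferred_origins: read a Postfix maillog on stdin, print "count origin" lines.
# Single pass: remember the origin of every queue ID and every queue ID Yahoo
# deferred for complaints, then join the two sets at END (line order is irrelevant).
deferred_origins() {
    awk '
        # Field 6 is the queue ID with a trailing colon, e.g. "2DA97A2E2EF:".
        { qid = $6; sub(/:$/, "", qid) }

        /postfix\/smtpd\[[0-9]+\]: [0-9A-Za-z]+: client=/ {
            if (match($0, /sasl_username=[^ ,]+/))
                origin[qid] = "authenticated:" substr($0, RSTART + 14, RLENGTH - 14)
            else if (match($0, /client=[^ ,]+/))
                origin[qid] = "unauthenticated-client:" substr($0, RSTART + 7, RLENGTH - 7)
        }

        /postfix\/pickup\[[0-9]+\]: [0-9A-Za-z]+: uid=/ {
            if (match($0, /uid=[0-9]+/))
                origin[qid] = "local-submission:" substr($0, RSTART, RLENGTH)
        }

        /postfix\/smtp\[[0-9]+\]: [0-9A-Za-z]+: to=/ && /status=deferred/ && /user complaints/ {
            deferred[qid] = 1
        }

        END {
            for (q in deferred) {
                o = (q in origin) ? origin[q] : "unknown-origin"
                count[o]++
            }
            for (o in count) printf "%d %s\n", count[o], o
        }
    ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | deferred_origins
```

On a FreeBSD host the same function is pointed at the real log with `deferred_origins < /var/log/maillog` (concatenate the rotated maillog.N.bz2 files with bzcat first, otherwise the smtpd/pickup lines for old queue IDs are missing and show up as unknown-origin). A tally dominated by one authenticated:<user> is the stolen-password case Valeri describes; local-submission:uid= pointing at the web server's uid is the web-form case; any unauthenticated-client entries whose sender is not a local domain mean relaying is being permitted and `postconf smtpd_relay_restrictions mynetworks` is the next thing to read.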