Help - hacked may be ?

Questions and answers about how to do stuff
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Help - hacked may be ?

Post by bas60 »

Today the server processed 23.63GB of email from midnight to 7am:
165,088 emails!!
99.9% clean!

At 16:08 I have 6 outbound queues

89F3B80404 4234 Thu Oct 12 15:57:30 MAILER-DAEMON
(host mail.antims.com[212.83.169.103] refused to talk to me: 421 Too many concurrent SMTP connections; please try again later.)
mailhealthquotes-alan.green=domain-on-efa.co.uk@antims.com
also

D0A4C8006C 29307 Wed Oct 11 09:25:35 MAILER-DAEMON
(connect to cassia.groupe-afnor.org[195.115.26.218]:25: Connection refused)
afnoruk@groupe-afnor.org


Any ideas? Is this an outbound relay?

MXToolbox says it's not a relay!

How can I clear the queues?
TheGr8Wonder
Posts: 97
Joined: 01 Jul 2017 02:32

Re: Help - hacked may be ?

Post by TheGr8Wonder »

What version of eFa are you running?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help - hacked may be ?

Post by pdwalker »

Also, can you check the messages in your queue and see where they came from and who sent them? Surely there is a record of all the outgoing messages from your efa box.
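An added example (not from the thread or from the eFa project) of the queue inspection pdwalker is asking for: a small Python script that parses the text `postqueue -p` prints and summarises the queue by envelope sender, destination domain and state, so that a few thousand entries can be read at a glance. The sample input is constructed in that format from the two entries quoted in the first post plus two made-up ones (hypothetical queue IDs, example.invalid addresses). An entry whose sender is shown as MAILER-DAEMON has the null envelope sender, i.e. it is a bounce or notification the box generated itself, so the script counts those separately and lists bounces addressed to return paths whose local part embeds one of the box's own recipients (the `user=domain` form), which is what both quoted entries are.

```python
import re
import sys
from collections import Counter

# Constructed sample in the format printed by `postqueue -p` (or `mailq`).
# The first two entries are the ones quoted in the post; the last two are
# made up (hypothetical queue IDs and example.invalid addresses).
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
89F3B80404      4234 Thu Oct 12 15:57:30  MAILER-DAEMON
(host mail.antims.com[212.83.169.103] refused to talk to me: 421 Too many concurrent SMTP connections; please try again later.)
                                         mailhealthquotes-alan.green=domain-on-efa.co.uk@antims.com

D0A4C8006C     29307 Wed Oct 11 09:25:35  MAILER-DAEMON
(connect to cassia.groupe-afnor.org[195.115.26.218]:25: Connection refused)
                                         afnoruk@groupe-afnor.org

0A1B2C3D4E*     1920 Thu Oct 12 16:01:02  bob@example.invalid
                                         alice@example.invalid

5F6E7D8C9B      2210 Thu Oct 12 16:03:44  MAILER-DAEMON
(connect to mx.example.invalid[192.0.2.10]:25: Connection timed out)
                                         list-bounce-carol=domain-on-efa.co.uk@example.invalid

-- 38 Kbytes in 4 Requests.
"""

# First line of each entry: queue ID (suffix "*" = active, "!" = on hold),
# size in bytes, arrival time, envelope sender. "MAILER-DAEMON" is how
# postqueue shows the null sender, i.e. a bounce generated by this box.
ENTRY_RE = re.compile(
    r"^(?P<id>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)\s*$"
)
STATE = {"*": "active", "!": "hold", "": "deferred"}


def parse_postqueue(text):
    """Turn `postqueue -p` output into a list of dicts, one per queued message."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("-Queue ID-") or line.startswith("--"):
            continue                      # column header / trailing summary line
        if not line.strip():
            cur = None                    # blank line ends the current entry
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = {"id": m["id"], "state": STATE[m["flag"]], "size": int(m["size"]),
                   "arrival": m["arrival"], "sender": m["sender"],
                   "reason": None, "recipients": []}
            entries.append(cur)
        elif cur is not None and line.startswith("("):
            cur["reason"] = line.strip()[1:-1]   # deferral reason without the parentheses
        elif cur is not None:
            cur["recipients"].append(line.strip())
    return entries


def verp_bounce_targets(entries):
    """Recipients of bounces whose local part embeds another address (user=domain
    form): the box accepted mail for that address and is now bouncing it back
    to the sender's return path."""
    return [r for e in entries if e["sender"] == "MAILER-DAEMON"
            for r in e["recipients"] if "=" in r.rpartition("@")[0]]


def summarize(entries):
    by_sender = Counter(e["sender"] for e in entries)
    by_dest = Counter(r.rpartition("@")[2].lower() for e in entries for r in e["recipients"])
    return {
        "total": len(entries),
        "bounces": by_sender["MAILER-DAEMON"],
        "deferred_bytes": sum(e["size"] for e in entries if e["state"] == "deferred"),
        "by_sender": by_sender,
        "by_dest": by_dest,
        "verp_bounce_targets": verp_bounce_targets(entries),
    }


if __name__ == "__main__":
    # Usage: postqueue -p | python3 queue_summary.py   (reads the sample when run alone)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_QUEUE
    s = summarize(parse_postqueue(text))
    print(f"{s['total']} queued, {s['bounces']} are bounces, {s['deferred_bytes']} bytes deferred")
    print("top senders:", s["by_sender"].most_common(5))
    print("top destination domains:", s["by_dest"].most_common(5))
    for r in s["verp_bounce_targets"]:
        print("bounce to a return path that embeds one of our addresses:", r)
```

On a live box, `postqueue -p | python3 queue_summary.py` gives the breakdown; if nearly every entry is a MAILER-DAEMON bounce to a `user=domain` return path, the box is bouncing mail it already accepted rather than relaying for someone, and the queue IDs can then be fed to `postcat -q <queue id>` to read the original message's headers.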
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Help - hacked may be ?

Post by shawniverson »

Too many concurrent SMTP connections is common when you are a high-volume sender.

For example, when I email verizon, I must tune postfix as follows:

master.cf


smtp      inet  n       -       n       -        1       smtpd
I literally have to limit myself to a single daemon and have one conversation at a time with the other end of a connection. I could make this more advanced and dedicate a smtpd daemon to verizon with some postfix wizardry, but I don't send enough mail to necessitate that.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Help - hacked may be ?

Post by shawniverson »

As for the high # of messages, did you receive any EFA-Monitor Alerts? Was clamd, for instance, crashing on your relay?
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: Help - hacked may be ?

Post by bas60 »

No, I don't see that much email - period!

I'm not sure where these emails are coming from - looks like some spoofing, maybe?

Typically mail volumes are only 2000-3000 per day, Monday to Friday,
much less at the weekend.

NOT using eFa for outgoing - only incoming.

Version: MailWatch for MailScanner v1.2.3-dev running on EFA-3.0.2.3 - © 2006-2017

The system seems to be SLOW - is there any way I can delete these queued items?
Last edited by bas60 on 12 Oct 2017 20:58, edited 1 time in total.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help - hacked may be ?

Post by pdwalker »

Can you run the total messages by date report and post a screenshot here? It's under search and reports.

https://<your efa box>/mailscanner/rep_total_mail_by_date.php
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: Help - hacked may be ?

Post by bas60 »

Hmm, I see HIGH amounts 2 days in a row.

NONE of the users have complained about a LOT of emails?

Date      Total     Clean             Low Spam       High Spam      Blocked       Virus        Volume
          Mail      #         %       #      %       #     %        #     %       #     %
05/10/17  2,147     1,917     89.3    155    7.2     72    3.4      .     .       3     0.1    407.04MB
06/10/17  2,248     2,003     89.1    179    8.0     65    2.9      .     .       1     .      378.61MB
07/10/17  426       353       82.9    25     5.9     48    11.3     .     .       .     .      40.77MB
08/10/17  522       451       86.4    35     6.7     35    6.7      .     .       1     0.2    36.17MB
09/10/17  2,320     2,106     90.8    168    7.2     42    1.8      .     .       2     0.1    304.67MB
10/10/17  2,667     2,413     90.5    166    6.2     82    3.1      4     0.1     1     .      310.52MB
11/10/17  144,678   144,458   99.8    163    0.1     56    0.0      1     .       .     .      20.75GB
12/10/17  165,132   164,993   99.9    74     0.0     54    0.0      .     .       .     .      23.64GB
Totals    320,140   318,694   100%    965    0%      454   0%       5     0%      8     0%     45.83GB
(a dot means none)

BTW: my box ran out of space last week and I cleaned out all but 7 days.

Could it be some internal process crashing, resulting in the reported volume?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help - hacked may be ?

Post by pdwalker »

Clearly something is abnormal.

Go to Search and Reports, Message Listing, and go find some of those weird messages. It should be obvious which ones they are, especially as these messages are 60-70 times more than your normal traffic.

Find a message, look at the message details and then you'll find out where the messages are coming from. Once you know where they are actually coming from you can figure out how to solve your problem.

PS: and this is why you ran out of space. It's a symptom of your real problem.
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: Help - hacked may be ?

Post by bas60 »

Strange...

I blacklisted mailhunt- etc.:
mailhaunt-george.parker=myvaliddomain.co.uk...
mailhealthquotes-alan.green=myvaliddomain.c...

If I look at Quarantine and yesterday's date, the number of emails is only 995 for the 12th, not the 164k mentioned yesterday (in Today's Totals)!
Message Total by Date still shows 164k!

Is something else going on here?
shawniverson mentioned clamd crashing - how do I check?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help - hacked may be ?

Post by pdwalker »

Trying to diagnose your problem is like trying to eat cake with both hands tied behind your back, while blindfolded and having three burly men hold you back from the table. You really need to provide a lot more information before anyone can really help.

Just because the system only quarantined 995 messages, it doesn't mean your system sent out 165K messages that day. The two things are unrelated. Forget the quarantine report, it's irrelevant for now.

Can you look at the Message Listing and just scroll through a few pages? I suspect you will find those messages in the message listing. Something in that list, like the "from" address or the message subject, should appear different from the normal 2.5K messages your system normally handles.

Until you look at those messages, and then figure out why your system was sending them, and who in your network (or perhaps outside your network) sent them through your box, you are going to continue to have a problem.

If my system suddenly starts sending 60x the normal amount of mail, I'd immediately suspect that I've got either an open mail relay somehow, or someone on my network is running a spam zombie and now my system is flooding the internet with junk.

Look through that message history and find the messages, look at the message details and figure it out, or post the information here so someone can actually tell you what's going on.
bas60
Posts: 57
Joined: 04 Feb 2014 13:58

Re: Help - hacked may be ?

Post by bas60 »

Thank you for looking at my replies

I realise you are working Blind to help me. Much appreciated.

Went through the first 400 of 330x pages yesterday looking for something obvious.
Also jumped about a bit, i.e. 3303, 3250, 3230, i.e. backwards.
(1) The very first thing we did was check workstations for malware.
(2) Most email is addressed to the "domains" on the eFa and the majority are addressed to live mailboxes;
occasionally there are emails to non-existing users, but only occasionally.
There are people who have left, but these would be forwarded to someone.
This would mean if someone had 500+ messages in 1 day they would have let me know!
[unless they are all legitimate / non-spam]

What I haven't done is ASK if anyone has received an unusual amount of email!

(3) eFa is NOT set up to SEND emails out.
(4) I have checked ALL mail servers and eFa for OPEN RELAY.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Help - hacked may be ?

Post by pdwalker »

You have to look at the message details for these messages.

The message details will tell you where the messages actually came from and where they really went. It'll all be there in the headers. Once you know that, you'll know what your problem is and how to fix it.
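The header walk pdwalker describes, as an added example (not from the thread or from eFa/MailWatch). It parses the Received headers of a message, assumes that the set OUR_HOSTS names the machines we operate (an assumption; set it to your own hostnames), and reports the hop at which the message entered our network. That hop was stamped by our own MTA, so the peer address in it is the one fact in the headers the sender could not have forged; everything below it was written by other people's servers. Both messages are constructed (documentation addresses and example.invalid names); the second has the shape of a bounce generated on the eFa box itself, with a null return path, which is the kind of message the MAILER-DAEMON queue entries in the first post are.

```python
import email
import re
from email import policy

# Assumption: the hostnames our own MTAs write into Received headers
# (the eFa box and the internal mail server behind it).
OUR_HOSTS = {"efa.example.invalid", "mail.example.invalid"}

# Constructed inbound message (documentation addresses, example.invalid names).
# Newest hop first, as in any real message.
SAMPLE_INBOUND = """\
Return-Path: <list-bounce-alan.green=domain-on-efa.co.uk@sender.invalid>
Received: from efa.example.invalid (efa.example.invalid [192.0.2.25])
    by mail.example.invalid (Postfix) with ESMTP id 0123456789AB
    for <alan.green@domain-on-efa.co.uk>; Thu, 12 Oct 2017 15:57:31 +0100
Received: from mx.sender.invalid (mx.sender.invalid [203.0.113.5])
    by efa.example.invalid (Postfix) with ESMTP id BA9876543210
    for <alan.green@domain-on-efa.co.uk>; Thu, 12 Oct 2017 15:57:30 +0100
Received: from [10.0.0.5] (unknown [10.0.0.5])
    by mx.sender.invalid (Postfix) with ESMTPA id CAFE0001; Thu, 12 Oct 2017 15:57:29 +0100
From: "Alan Green" <alan.green@domain-on-efa.co.uk>
To: alan.green@domain-on-efa.co.uk
Subject: Your health quote
Message-ID: <constructed-1@sender.invalid>

Constructed body.
"""

# Constructed bounce generated on the eFa box itself: null envelope sender and a
# Received header with no "from" clause, i.e. nobody delivered it to us.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: by efa.example.invalid (Postfix) id 89F3B80404; Thu, 12 Oct 2017 15:57:30 +0100
From: Mail Delivery System <MAILER-DAEMON@efa.example.invalid>
To: list-bounce-alan.green=domain-on-efa.co.uk@sender.invalid
Subject: Undelivered Mail Returned to Sender

Constructed bounce body.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def parse_received(value):
    """One Received header -> {helo, ip, by, local}. `local` means the hop has no
    'from' clause: the message was generated or submitted on that host."""
    value = " ".join(value.split())          # unfold and squeeze whitespace
    m = RECEIVED_RE.search(value)
    if not m:
        by = re.search(r"\bby\s+(\S+)", value)
        return {"helo": None, "ip": None, "by": by.group(1) if by else None, "local": True}
    ipm = IP_RE.search(m["paren"] or "")
    return {"helo": m["helo"], "ip": ipm.group(1) if ipm else None, "by": m["by"], "local": False}


def hops(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return [parse_received(str(v)) for v in msg.get_all("Received", [])]


def entry_point(raw, our_hosts=OUR_HOSTS):
    """Walk hops newest-first. The first hop stamped 'by' one of our hosts whose
    peer is not also ours is where the message entered our network; its peer IP
    is the fact to act on. Hops below it were written by outsiders and may be
    forged, so they are evidence at best."""
    for i, h in enumerate(hops(raw)):
        if h["by"] in our_hosts and h["helo"] not in our_hosts:
            return {"index": i, **h}
    return None


def describe(raw, our_hosts=OUR_HOSTS):
    msg = email.message_from_string(raw, policy=policy.default)
    return {"return_path": str(msg.get("Return-Path", "")).strip(),
            "from": str(msg.get("From", "")),
            "entry": entry_point(raw, our_hosts)}


if __name__ == "__main__":
    # Usage: python3 trace_origin.py < message.eml   (runs the samples when given no input)
    import sys
    raws = [sys.stdin.read()] if not sys.stdin.isatty() else [SAMPLE_INBOUND, SAMPLE_BOUNCE]
    for raw in raws:
        d = describe(raw)
        e = d["entry"]
        if e is None:
            print("no hop written by our hosts; all headers are foreign")
        elif e["local"]:
            print(f"generated locally on {e['by']}; envelope sender {d['return_path']!r}")
        else:
            print(f"entered via {e['by']} from {e['helo']} [{e['ip']}]; "
                  f"header From {d['from']!r}, Return-Path {d['return_path']!r}")
```

The two outcomes map onto the two explanations in this thread: an entry hop with an outside IP and a header From in one of the box's own domains is mail injected from outside, while a local hop with an empty Return-Path is a bounce the box generated itself for a message it had already accepted. MailWatch's message details page shows the same headers; `postcat -q <queue id>` shows them for a message still in the Postfix queue.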
TheGr8Wonder
Posts: 97
Joined: 01 Jul 2017 02:32

Re: Help - hacked may be ?

Post by TheGr8Wonder »

Since eFa isn't an outbound relay, you can edit this file:

/etc/postfix/main.cf

Look for "mynetworks" and remove the entry for your subnet, leaving just the 127.0.0.1 entry. By default eFa will allow your entire subnet to relay through the box.

You can then log into webmin, look at the Postfix server, and remove all messages from the queue there as well.
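An added example (not from the thread or from eFa) that performs the mynetworks check TheGr8Wonder describes without hand-editing: it reads a main.cf, lists every non-loopback network that permit_mynetworks would let relay unauthenticated, and prints a copy of the file with mynetworks restricted to loopback. The main.cf fragment is constructed in the style of a Postfix configuration and is not eFa's actual file; the `!192.168.1.250` entry is there only to show Postfix's negation syntax being handled.

```python
import ipaddress
import re
import sys

# Constructed fragment in the style of a Postfix main.cf on an eFa box; not the
# real file. The LAN entry is the kind of subnet the post says to remove.
SAMPLE_MAIN_CF = """\
myhostname = efa.example.invalid
mynetworks = 127.0.0.0/8, [::1]/128,
    192.168.1.0/24 !192.168.1.250
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""

LOOPBACK_ONLY = "127.0.0.0/8, [::1]/128"


def read_param(text, name):
    """Value of a main.cf parameter: last assignment wins and continuation lines
    (starting with whitespace) are joined, as Postfix itself reads the file."""
    val, collecting = None, False
    for line in text.splitlines():
        if collecting and line[:1] in (" ", "\t"):
            val += " " + line.strip()
            continue
        collecting = False
        m = re.match(rf"^{re.escape(name)}\s*=\s*(.*)$", line)
        if m:
            val, collecting = m.group(1).strip(), True
    return val


def parse_mynetworks(value):
    """Split a mynetworks value into (network, negated, raw_token). Tokens that are
    not addresses (hostnames, lookup tables such as hash:/etc/postfix/...) come
    back with network=None so they are not silently dropped."""
    out = []
    for tok in re.split(r"[,\s]+", value or ""):
        if not tok:
            continue
        neg = tok.startswith("!")
        bare = re.sub(r"^\[(.*)\](/\d+)?$", r"\1\2", tok.lstrip("!"))  # [::1]/128 -> ::1/128
        try:
            net = ipaddress.ip_network(bare, strict=False)
        except ValueError:
            net = None
        out.append((net, neg, tok))
    return out


def audit_mynetworks(text):
    """Every positive mynetworks entry that is not loopback is a network from
    which Postfix relays without authentication via permit_mynetworks."""
    value = read_param(text, "mynetworks")
    if value is None:
        return [{"network": None, "hosts": None, "raw": None,
                 "note": "mynetworks unset; Postfix derives it from mynetworks_style"}]
    findings = []
    for net, neg, raw in parse_mynetworks(value):
        if neg:
            continue
        if net is None:
            findings.append({"network": None, "hosts": None, "raw": raw,
                             "note": "non-address entry, check by hand"})
        elif not net.is_loopback:
            findings.append({"network": str(net), "hosts": net.num_addresses, "raw": raw,
                             "note": "relay permitted"})
    return findings


def harden(text, loopback=LOOPBACK_ONLY):
    """Rewrite mynetworks (including continuation lines and duplicate assignments)
    to loopback only; append the line if the file never set it."""
    out, skipping, replaced = [], False, False
    for line in text.splitlines():
        if skipping and line[:1] in (" ", "\t"):
            continue
        skipping = False
        if re.match(r"^mynetworks\s*=", line):
            if not replaced:
                out.append(f"mynetworks = {loopback}")
                replaced = True
            skipping = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"mynetworks = {loopback}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 audit_mynetworks.py /etc/postfix/main.cf > main.cf.new
    # (uses the constructed sample when no path is given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIN_CF
    for f in audit_mynetworks(text):
        extra = f" ({f['hosts']} addresses)" if f["hosts"] else ""
        print(f"{f['raw']}: {f['note']}{extra}", file=sys.stderr)
    sys.stdout.write(harden(text))
```

Compare the script's reading with `postconf -n mynetworks` (the value set in main.cf) and `postconf mynetworks` (the value in effect) before replacing the file, and run `postfix reload` afterwards. One caveat on what this does and does not address: mynetworks only governs who may relay through the box. The queued messages in the first post have MAILER-DAEMON as sender, i.e. they are bounces the box generated for mail it had already accepted, and tightening mynetworks does not stop those; the message details pdwalker asked for are what tell the two cases apart. On the command line, `postsuper -d ALL deferred` removes everything in the deferred queue, the same thing as clearing it in webmin, and `postcat -q <queue id>` shows one queued message, headers included, before it is deleted.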