Help - hacked may be ?
Today the server processed 23.63GB of emails from midnight to 7am
165,088 emails!!
99.9% clean !
At 16:08 I have 6 outbound queues
89F3B80404 4234 Thu Oct 12 15:57:30 MAILER-DAEMON
(host mail.antims.com[212.83.169.103] refused to talk to me: 421 Too many concurrent SMTP connections; please try again later.)
mailhealthquotes-alan.green=domain-on-efa.co.uk@antims.com
also
D0A4C8006C 29307 Wed Oct 11 09:25:35 MAILER-DAEMON
(connect to cassia.groupe-afnor.org[195.115.26.218]:25: Connection refused)
afnoruk@groupe-afnor.org
any ideas? - is this an outbound relay
mxtoolbox says it's not a relay !
How can I clear the Queues??
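Added example, not posted by anyone in this thread: a small POSIX shell script that summarises a `postqueue -p` listing like the two deferred entries quoted above. The sample queue text is constructed from those two entries (plus the header and footer lines Postfix prints), and the function names are mine. The first thing worth checking on a gateway that is only supposed to receive mail: a sender shown as MAILER-DAEMON is Postfix's display of the empty envelope sender, so those queue entries are bounces the box generated itself (backscatter to forged sender addresses of mail it accepted and could not deliver onward), not mail relayed out from inside the network.

```shell
#!/bin/sh
# Constructed sample of `postqueue -p` output, modelled on the two entries
# quoted in the thread; not a capture from anyone's server.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
89F3B80404     4234 Thu Oct 12 15:57:30  MAILER-DAEMON
(host mail.antims.com[212.83.169.103] refused to talk to me: 421 Too many concurrent SMTP connections; please try again later.)
                                         mailhealthquotes-alan.green=domain-on-efa.co.uk@antims.com

D0A4C8006C    29307 Wed Oct 11 09:25:35  MAILER-DAEMON
(connect to cassia.groupe-afnor.org[195.115.26.218]:25: Connection refused)
                                         afnoruk@groupe-afnor.org

-- 33 Kbytes in 2 Requests.'

# Count queued messages and how many of them are bounces (null sender,
# which postqueue prints as MAILER-DAEMON). Reads the listing on stdin.
queue_summary() {
    awk '
        # A queue-id line starts with the id, optionally followed by "*"
        # (active) or "!" (on hold); the envelope sender is its last field.
        /^[0-9A-Za-z]+[*!]?[ \t]/ {
            total++
            if ($NF == "MAILER-DAEMON") bounces++
            next
        }
        END { printf "total=%d bounces=%d\n", total, bounces }
    '
}

# Count queued recipients per destination domain, sorted by domain, so the
# targets of the deferred mail are visible at a glance. Reads stdin.
queue_domains() {
    awk '
        # Recipient lines are indented and hold a single address.
        /^[ \t]+[^ \t]+@[^ \t]+[ \t]*$/ {
            split($1, p, "@")
            dom[p[2]]++
        }
        END { for (d in dom) printf "%s %d\n", d, dom[d] }
    ' | sort
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_QUEUE" | queue_summary
printf '%s\n' "$SAMPLE_QUEUE" | queue_domains
```

On a real eFa box the same functions are fed with `postqueue -p | queue_summary` and `postqueue -p | queue_domains`. If every queued message is a bounce, the fix is on the inbound side (stop accepting mail for addresses the downstream server will reject) rather than hunting for an open relay; a queue full of non-bounce senders from inside the network would point the other way.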
Re: Help - hacked may be ?
What version eFa are you running?
Re: Help - hacked may be ?
Also, can you check the messages in your queue and see where they came from and who sent them? Surely there is a record of all the outgoing messages from your efa box.
- shawniverson
Re: Help - hacked may be ?
Too many SMTP concurrent connections is common when you are a high volume sender.
For example, when I email verizon, I must tune postfix as follows:
master.cf:
smtp inet n - n - 1 smtpd
I literally have to limit myself to a single daemon and have one conversation at a time with the other end of a connection. I could make this more advanced and dedicate a smtpd daemon to verizon with some postfix wizardry, but I don't send enough mail to necessitate that.
- shawniverson
Re: Help - hacked may be ?
As for the high # of messages, did you receive any EFA-Monitor Alerts? Was clamd, for instance, crashing on your relay?
Re: Help - hacked may be ?
No, I don't see that much email - period!
I'm not sure where these emails are coming from - looks like some spoofing - may be?
Typically mail volumes are only 2000-3000 per day - Monday to Friday
much less at the weekend
NOT using EFA for Outgoing - only incoming
version: MailWatch for MailScanner v1.2.3-dev running on EFA-3.0.2.3 - © 2006-2017
System seems to be SLOW - is there any way I can delete these Queued items ?
Last edited by bas60 on 12 Oct 2017 20:58, edited 1 time in total.
Re: Help - hacked may be ?
Can you run the total messages by date report and post a screenshot here? It's under search and reports.
https://<your efa box>/mailscanner/rep_total_mail_by_date.php
Re: Help - hacked may be ?
emm I see HIGH amounts 2 days in a row
NONE of the users have complained about a LOT of emails ?
Date      Total Mail   Clean            Low Spam      High Spam     Blocked      Virus        Volume
                       #        %       #      %      #     %       #     %      #     %
05/10/17       2,147   1,917   89.3     155    7.2    72    3.4     .     .      3     0.1    407.04MB
06/10/17       2,248   2,003   89.1     179    8.0    65    2.9     .     .      1     .      378.61MB
07/10/17         426     353   82.9      25    5.9    48   11.3     .     .      .     .       40.77MB
08/10/17         522     451   86.4      35    6.7    35    6.7     .     .      1     0.2     36.17MB
09/10/17       2,320   2,106   90.8     168    7.2    42    1.8     .     .      2     0.1    304.67MB
10/10/17       2,667   2,413   90.5     166    6.2    82    3.1     4     0.1    1     .      310.52MB
11/10/17     144,678 144,458   99.8     163    0.1    56    0.0     1     .      .     .       20.75GB
12/10/17     165,132 164,993   99.9      74    0.0    54    0.0     .     .      .     .       23.64GB
Totals       320,140 318,694   100%     965     0%   454     0%     5     0%     8     0%      45.83GB
BTW: My box ran out of Space last week and I cleaned out all but 7 days
Could it be some internal process crashing resulting in reported volume ?
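Added example, not posted by anyone in the thread: a POSIX shell function that applies the rule of thumb used later in the thread (a day carrying tens of times the usual volume is the anomaly) to the Total-by-date figures above. The date and total columns are copied from the table; the function, its name and the 10x threshold are my choices. It takes the median of all days as the baseline, so the two spike days cannot drag the baseline up the way a mean would, and reports each day whose total exceeds the threshold multiple, together with the multiple itself.

```shell
#!/bin/sh
# Constructed copy of the "Total mail by date" figures posted in the thread:
# date and total message count only (thousands separators removed).
DAILY_TOTALS='05/10/17 2147
06/10/17 2248
07/10/17 426
08/10/17 522
09/10/17 2320
10/10/17 2667
11/10/17 144678
12/10/17 165132'

# Print every day whose total exceeds FACTOR times the median daily total,
# as "date total multiple". Usage: flag_spike_days FACTOR < data
flag_spike_days() {
    awk -v f="$1" '
        { date[NR] = $1; tot[NR] = $2 + 0 }
        END {
            n = NR
            # Sort a copy of the totals (insertion sort; n is small).
            for (i = 1; i <= n; i++) s[i] = tot[i]
            for (i = 2; i <= n; i++) {
                v = s[i]; j = i - 1
                while (j > 0 && s[j] > v) { s[j + 1] = s[j]; j-- }
                s[j + 1] = v
            }
            if (n % 2) med = s[(n + 1) / 2]
            else       med = (s[n / 2] + s[n / 2 + 1]) / 2
            for (i = 1; i <= n; i++)
                if (tot[i] > f * med)
                    printf "%s %d %.1fx\n", date[i], tot[i], tot[i] / med
        }'
}

# Run against the constructed sample with a 10x threshold.
printf '%s\n' "$DAILY_TOTALS" | flag_spike_days 10
```

With the thread's figures the median is 2,284 messages a day and the two flagged days come out at roughly 63x and 72x, which is the "60-70 times" the next reply estimates by eye. Weekend days are naturally far below the median here; comparing each day with the same weekday of earlier weeks would be stricter, but the median is enough to separate a runaway day from normal variation.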
Re: Help - hacked may be ?
Clearly something is abnormal.
Go to Search and Reports, Message Listing and go find some of those weird messages. It should be obvious which ones they are, especially as these messages are 60-70 times more than your normal traffic.
Find a message, look at the message details and then you'll find out where the messages are coming from. Once you know where they are actually coming from you can figure out how to solve your problem.
PS: And this is why you ran out of space. It's a symptom of your real problem.
Re: Help - hacked may be ?
Strange...
I Blacklisted mailhunt- etc
mailhaunt-george.parker=myvaliddomain.co.uk...
mailhealthquotes-alan.green=myvaliddomain.c...
If I look at Quarantine and yesterday's date the number of emails is only 995 for 12th not 164k mentioned yesterday! (in Todays Totals)
Message Total by date still shows 164k !
Is something else going on here?
shawniverson mentioned Clamd crashing - how do I check ?
Re: Help - hacked may be ?
Trying to diagnose your problem is like trying to eat cake with both hands tied behind your back, while blindfolded and having three burly men hold you back from the table. You really need to provide a lot more information before anyone can really help.
Just because the system only quarantined 995 messages, it doesn't mean your system sent out 165K messages that day. The two things are unrelated. Forget the quarantine report, it's irrelevant for now.
Can you look at the Message Listing and just scroll through a few pages. I suspect you will find those messages in the message listing. Something in that list, like the "from" address, or the message subject should appear different from the normal 2.5K messages your system normally handles.
Until you look at those messages, and then figure out why your system was sending them, and who in your network (or perhaps outside your network) sent them through your box, you are going to continue to have a problem.
If my system suddenly starts sending 60x the normal amount of mail, I'd immediately suspect that I've got either an open mail relay somehow, or someone on my network is running a spam zombie and now my system is flooding the internet with junk.
Look through that message history and find the messages, look at the message details and figure it out, or post the information here so someone can actually tell you what's going on.
Re: Help - hacked may be ?
Thank you for looking at my replies
I realise you are working Blind to help me. Much appreciated.
Went through the 1st 400 of 330x pages yesterday looking for something obvious
Also jumped about a bit - ie. 3303, 3250, 3230 ie backwards
(1) the very 1st thing we did was check Workstations for Malware
(2) Most email is addressed to the "domains" on the EFA and majority are addressed to live mailboxes
occasionally there are emails to non-existing users but only occasionally
there are people who have left - but these would be FWD'd to someone
This would mean if someone had 500+ messages in 1 day - they would have let me know!
[unless they are all legitimate / non-spam]
What I haven't done is ASK if anyone had received an unusual amount of emails !
(3) EFA is NOT setup to SEND emails out
(4) I have checked ALL Mail Servers and EFA for OPEN RELAY
Re: Help - hacked may be ?
You have to look at the message details for these messages.
The message details will tell you where the messages actually came from and where they really went. It'll all be there in the headers. Once you know that, you'll know what your problem is and how to fix it.
Re: Help - hacked may be ?
Since efa isn't an outbound relay, you can edit this file
/etc/postfix/main.cf
Look for "mynetworks" and remove the entry for your subnet, leaving just the 127.0.0.1 entry. By default efa will allow your entire subnet to relay against the box.
You can then log into webmin and look at the postfix server, and remove all messages from the queue there as well.
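Added example for the advice above, not code from the thread or from the eFa project: a POSIX shell function that lists every `mynetworks` entry that is not loopback, i.e. every network whose hosts may relay through the box without authenticating. Both main.cf fragments are constructed (the first reflects the subnet-wide default the reply describes, the second the loopback-only setting it recommends); the hostname and subnet in them are placeholders and the function name is mine.

```shell
#!/bin/sh
# Constructed main.cf fragment with the whole local subnet trusted for
# relaying, as the thread says eFa configures by default. Placeholder values.
SAMPLE_MAIN_CF='# constructed sample, not a real configuration
myhostname = efa.example.test
mynetworks = 127.0.0.0/8 [::1]/128 192.168.1.0/24
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination'

# The same fragment after removing the subnet: only loopback may relay.
HARDENED_MAIN_CF='mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination'

# Print each mynetworks entry that is not a loopback address, one per line.
# Empty output means only the box itself can relay. Reads main.cf (or the
# output of `postconf mynetworks`) on stdin.
relay_trusted_networks() {
    awk '
        /^[ \t]*mynetworks[ \t]*=/ {
            sub(/^[^=]*=/, "")                   # keep only the value part
            n = split($0, v, /[ \t,]+/)          # entries are blank/comma separated
            for (i = 1; i <= n; i++) {
                if (v[i] == "") continue         # empty piece from leading blank
                if (v[i] ~ /^127\./) continue    # IPv4 loopback
                if (v[i] ~ /^\[::1\]/) continue  # IPv6 loopback
                print v[i]
            }
        }'
}

echo "relay-trusted networks in the default-style config:"
printf '%s\n' "$SAMPLE_MAIN_CF" | relay_trusted_networks
echo "relay-trusted networks in the hardened config:"
printf '%s\n' "$HARDENED_MAIN_CF" | relay_trusted_networks
```

On the box itself, `postconf mynetworks | relay_trusted_networks` is the more reliable input, because when main.cf does not set `mynetworks` explicitly Postfix derives it from `mynetworks_style` and `postconf` prints the value actually in effect. After editing main.cf, `postfix reload` applies the change; the queue can then be reviewed with `postqueue -p` and the deferred mail dropped with `postsuper -d ALL deferred`, which is what the webmin queue page does behind the scenes.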