/var/spool/postfix/ full

I have been running this SUSE server for over a year with no issues until a few days ago, when VNC locked down, as did my web server. Thanks to your members here we found out what was happening.

412M    /var/spool/postfix/deferred/8
425M    /var/spool/postfix/deferred/A
543M    /var/spool/postfix/deferred/D
586M    /var/spool/postfix/deferred/6
584M    /var/spool/postfix/deferred/B
584M    /var/spool/postfix/deferred/2
du: cannot access `/var/spool/postfix/deferred/3/36BDC1D3A2': No such file or directory
du: cannot access `/var/spool/postfix/deferred/3/34E6344C36': No such file or directory
555M    /var/spool/postfix/deferred/3
562M    /var/spool/postfix/deferred/E
557M    /var/spool/postfix/deferred/9
482M    /var/spool/postfix/deferred/7
494M    /var/spool/postfix/deferred/C
573M    /var/spool/postfix/deferred/4
548M    /var/spool/postfix/deferred/0
153M    /var/spool/postfix/deferred/F
7.8G    /var/spool/postfix/deferred
4.0K    /var/spool/postfix/trace

These big files were filling up. It took over a year for it to fill up, and after I ran the command below it deleted almost 63k messages.

ws-19476:/home/administrator # postsuper -d ALL deferred
postsuper: Deleted: 62925 messages

That freed up 14 gigs of space for me. In less than 24 hrs the exact same folders have filled up and locked the server down. What can I do to disable these messages or find out why it's happening? Should I disable them? Can it be limited to only important things?

On 2013-09-29 04:26, originalhandy wrote:

> That freed up 14 gigs of space for me. In less than 24 hrs the exact same
> folders have filled up and locked the server down. What can I do to
> disable these messages or find out why it's happening? Should I disable
> them? Can it be limited to only important things?

They will also be listed in the log with the exact reason for each one.
The output of the command “mailq” can be useful.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2013-09-29 04:26, originalhandy wrote:

> That freed up 14 gigs of space for me. In less than 24 hrs the exact same
> folders have filled up and locked the server down. What can I do to
> disable these messages or find out why it's happening? Should I disable
> them? Can it be limited to only important things?

You can post the output of “mailq” here, or part of it. If there is
private information, obfuscate it, but say so.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

This is the end of the file. It went by fast but that seemed to be it.


3869918566*   70184 Sat Sep 28 06:18:35  administrator@ws-19476.site
                                         guera52912@gmail.com

B7D9575910*   21269 Sat Sep 28 17:13:07  administrator@ws-19476.site
                                         jfz1959@gmail.com

3293278FB9*   61937 Sat Sep 28 17:51:45  administrator@ws-19476.site
                                         darkstartr@gmail.com

B0D062EE25*   21441 Sat Sep 28 19:07:41  administrator@ws-19476.site
                                         jamessutphin14@gmail.com

342B748986*   30821 Sat Sep 28 06:50:43  administrator@ws-19476.site
                                         andreadave1988@gmail.com

D76C256E46*   39032 Sat Sep 28 14:28:17  administrator@ws-19476.site
                                         cawbjosh@gmail.com

012CA8BBF9*   21437 Sat Sep 28 19:06:57  administrator@ws-19476.site
                                         pinkangels00@gmail.com

DC39E75A3E*   21273 Sat Sep 28 17:13:00  administrator@ws-19476.site
                                         jonesmd47@gmail.com

992A871B8F*   21269 Sat Sep 28 16:30:23  administrator@ws-19476.site
                                         dave098@gmail.com

32D11491BA*   30819 Sat Sep 28 06:56:06  administrator@ws-19476.site
                                         partyfriendza@gmail.com

9CCB68AFF*    21323 Sat Sep 28 04:15:27  administrator@ws-19476.site
                                         surajghosi@gmail.com

316016D5EE*  147601 Sat Sep 28 08:48:46  administrator@ws-19476.site
                                         cheri.dowd@gmail.com

227A955D8F*   39044 Sat Sep 28 14:11:35  administrator@ws-19476.site
                                         phillip.e.hand@gmail.com

CA5F056009*   39046 Sat Sep 28 14:10:50  administrator@ws-19476.site
                                         dragondroid2416@gmail.com

841618B949*   21437 Sat Sep 28 19:00:56  administrator@ws-19476.site
                                         dannyjsworld@gmail.com

AC3924EC95*   39040 Sat Sep 28 13:23:51  administrator@ws-19476.site
                                         rodricusrich@gmail.com

6084F5525F*   39036 Sat Sep 28 13:59:34  administrator@ws-19476.site
                                         timbug6.tb@gmail.com

647E04F98C*   39032 Sat Sep 28 13:24:29  administrator@ws-19476.site
                                         rjadberg@gmail.com

C032557DBA*   39050 Sat Sep 28 14:35:14  administrator@ws-19476.site
                                         derek.eichholz243@gmail.com

56B1B1E890*   25391 Sat Sep 28 12:14:17  administrator@ws-19476.site
                                         phillmcmurtrie@gmail.com
-- 497636 Kbytes in 12735 Requests.



On 2013-09-29 07:16, originalhandy wrote:
>
> This is the end of the file. It went by fast but that seemed to be it.
>

(it is best to obfuscate real emails)

> Code:
> --------------------
>
> 3869918566* 70184 Sat Sep 28 06:18:35 administrator@ws-19476.site
> NAME_1@gmail.com
>
> B7D9575910* 21269 Sat Sep 28 17:13:07 administrator@ws-19476.site
> NAME_2@gmail.com

> -- 497636 Kbytes in 12735 Requests.
> --------------------

There is some information missing: the status of each mail. Maybe it is
just trying to send, or waiting.

I expected things like this:


-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
2CE978241CE      984 Thu Dec 13 17:25:42  name@domain.com
(host c.mx.mail.yahoo.com[68.142.237.182] refused to talk to me: 421
Message from (165.98.138.52) temporarily deferred - 4.16.50. Please
refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html)
othername@yahoo.com

OK, what it seems is that your system is trying to send emails with a
from address that DOES NOT EXIST to gmail, and gmail will reject them.
This may take time to be rejected, and in that time more are generated.

And each email is sent to a different gmail user. By the hundreds. So…
the question is, either you are sending spam, you have been hacked, or
you have a mail list badly configured. Or, if you act as server for some
people, someone is abusing it.

I would consider taking your machine off the internet, or your IP will
be blacklisted and blocked soon, if it is not already. And worse.

Then pick any one of those emails, by the “Queue ID”. Find log entries
for it in the log, track it back and forth. The string to search for may
change on each line.

Or, try to read one of those emails.


postcat -q queue_id | less

Find the message ID in the text and track it in the log.

What you have to find out is who is sending those emails on your system.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)


postcat: fatal: open queue file queue_id: No such file or directory


The server is only used to host Joomla and Teamspeak. I don't have any mailing lists at all, and I can't find any suspicious files in Joomla either. I am the only one that hosts on that server.
Is there a way to disable mail sending to stop it shooting out? I do use Joomla to send mail to users, but I use SMTP from a different host. Would I be able to disable my server's mail sending and still use Joomla with my other host's SMTP?

Any other ideas on finding the source so I can stop it?

Google webmaster and AVG both spot no spyware, as does sucuri.

On 2013-09-29 17:46, originalhandy wrote:
>
> Code:
> --------------------
>
> postcat: fatal: open queue file queue_id: No such file or directory
>
>
> --------------------

Well, you have to replace queue_id with the queue id number. You were not
supposed to type that verbatim.

> Is there a way to disable mail sending to stop it shooting out?

They would still be queued.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

I replaced queue_id with 32D11491BA* and got an error message; I never did write it down. My cron cleared the mail queue so I have none to check now.

I ran rkhunter -c

[14:17:50]   /usr/bin/ldd                                     [ Warning ]
             Checking for passwd file changes                 [ Warning ]
[14:17:50] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text
[14:17:53]   /sbin/chkconfig                                  [ Warning ]
[14:17:53] Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text
[14:17:54]   /sbin/ifup                                       [ Warning ]
[14:17:54] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text
[14:19:19]   Checking if SSH root access is allowed           [ Warning ]
[14:19:19] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
           The default value may be 'yes', to allow root access.
[14:19:19]   Checking if SSH protocol v1 is allowed           [ Warning ]
[14:19:19] Warning: The SSH configuration option 'Protocol' has not been set.
           The default value may be '2,1', to allow the use of protocol version 1.
[14:19:19]   Checking for running syslog daemon               [ Found ]
[14:19:19] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[14:19:19]   Checking for syslog configuration file           [ Found ]


[14:20:08] System checks summary
[14:20:08] =====================
[14:20:08]
[14:20:08] File properties checks...
[14:20:08] Required commands check failed
[14:20:08] Files checked: 149
**[14:20:08] Suspect files: 3**
[14:20:08]
[14:20:08] Rootkit checks...
[14:20:08] Rootkits checked : 245
[14:20:08] Possible rootkits: 0
[14:20:08]
[14:20:08] Applications checks...
[14:20:08] Applications checked: 4
[14:20:08] Suspect applications: 0
[14:20:08]
[14:20:08] The system checks took: 2 minutes and 24 seconds
[14:20:08]
[14:20:08] Info: End date is Sun Sep 29 14:20:08 CDT 2013

/usr/bin/ldd
/sbin/chkconfig
/sbin/ifup

I guess the three above are the suspicious files. I looked at them and didn't see anything in there.

These three **are** (symlinks to) scripts, nothing suspicious about that. Could it be you have one of the Joomla sites configured to use postfix (instead of sendmail, which AFAIK is the default), without a proper postfix configuration?

On 2013-09-29 14:13, Carlos E. R. wrote:
> On 2013-09-29 07:16, originalhandy wrote:
>>
>> This is the end of the file. It went by fast but that seemed to be it.
>>
>
> (it is best to obfuscate real emails)
>
>> Code:
>> --------------------
>>
>> 3869918566* 70184 Sat Sep 28 06:18:35 administrator@ws-19476.site
>> NAME_1@gmail.com
>>
>> B7D9575910* 21269 Sat Sep 28 17:13:07 administrator@ws-19476.site
>> NAME_2@gmail.com
>
> …
>
>> – 497636 Kbytes in 12735 Requests.
>> --------------------

You can edit “/etc/postfix/access”:


administrator@ws-19476.site  REJECT  20130929 Unknown!

and run


postmap access

But it will probably cause problems somewhere else.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

Joomla is set to use SMTP, I use my email from another host to send it.

What exactly would that do?

On 2013-09-30 03:36, originalhandy wrote:

> What exactly would that do?

Reject any email sent by that person.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

I might suggest a solution that could be simpler than what I see happening here.

  1. Since the queue filled up immediately (within 24hrs) after purging, then the cause is relatively recent and not a simple internal mis-configuration or User error accessing Server services… Assuming you’re not using your Server services inordinately over that same period of time. This highly suggests that your server is exposed somehow to someone trying to either spam you or use you as an SMTP open relay.

  2. The simplest way to address this then is <not> to try to block individual mail addresses, you need to block on a more basic, larger scale. The first step to determining the best option is to consider filtering your INBOUND to Postfix… eg, Does it have to be exposed externally? Is it being used for anything but other services running on the same server or in your site? Is this server naked to the Internet or behind a firewall? Do you have firewalling on this server enabled?

Once you answer those questions,
a. If the Server doesn’t have to serve mail Users or Services on the Internet, then the solution should be simple. Block all inbound SMTP access, typically port 25. Just shut off access using a firewall somewhere.
b. If the Server does need access to the Internet and requires inbound SMTP, then decide how best to filter and control inbound SMTP, and that can be done numerous ways with your SUSE Firewall and an external firewall, and can be done by numerous authentication methods, eg mail domains, ip address, network authentication, certificates, etc, etc. You can also consider using a Spam filtering service, which is usually just a fancy name for an SMTP relay with its own sophisticated filtering.

This approach avoids all those issues which might require knowing how to configure Postfix and other services on your server.

HtH,
TSU

> On 2013-09-29 17:46, originalhandy wrote:
> >
> > Code:
> > --------------------
> >
> > postcat: fatal: open queue file queue_id: No such file or directory
> >
> >
> > --------------------
>
> Well, you have to replace queue_id with the queue id number. You were not
> supposed to type that verbatim.

OK, I got back from a work trip.

postcat -q 53BD0ACE74 | less
*** ENVELOPE RECORDS deferred/5/53BD0ACE74 ***
message_size:           25397             210               1               0           25397
message_arrival_time: Sat Oct  5 12:34:08 2013
create_time: Sat Oct  5 12:34:09 2013
named_attribute: rewrite_context=local
sender_fullname: administrator
sender: administrator@ws-19476.site
warning_message_time: Sat Oct  5 13:34:08 2013
*** MESSAGE CONTENTS deferred/5/53BD0ACE74 ***
Received: by ws-19476.site (Postfix, from userid 1000)
        id 53BD0ACE74; Sat,  5 Oct 2013 12:34:08 -0500 (CDT)
From: =?UTF-8?B?QnJpZ2lkIE1hZQ==?= <brigid_mae@brigid-mae.us>
To: wawangzuhrianto@ymail.com
Subject: =?UTF-8?B?SGkgaXQncyBCcmlnaWQsIHdhbm5hIGJlIG15IEZVQ0tCVUREWT8=?=
MIME-Version: 1.0
Content-Type: multipart/related;
        boundary="=_416ca26e7ae3e6956b51ba0f65fa0cc6"
Message-Id: <20131005173409.53BD0ACE74@ws-19476.site>
Date: Sat,  5 Oct 2013 12:34:08 -0500 (CDT)

--=_416ca26e7ae3e6956b51ba0f65fa0cc6
Content-Type: multipart/alternative;
        boundary="=_528bf0543b7c64db7d613576bb5971ad"

--=_528bf0543b7c64db7d613576bb5971ad
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

Brigid Mae sent you a private message:


"I love casual dating, quickies in the park and pool sex ;)
I'm not too picky about guys so just message me and lets have some fun!"

View My Profile Here: http://www.brigid-mae.us/

--=_528bf0543b7c64db7d613576bb5971ad
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><head></head><body>
<br>
<strong><a href=3D"http://www.brigid-mae.us/">Brigid Mae</a></strong><span =
style=3D"font-family:arial,helvetica,sans-serif;"><span style=3D"font-size:=
 15px;"> <strong>sent you a private message: </strong></span></span><br />
<br />
<a href=3D"http://www.brigid-mae.us/"> <img alt=3D"" border=3D"0" height=3D=
"255" src=3D"cid:26e292b86819b3e9aa520876abd3d288" width=3D"190" /></a><br =
/>
<br />
<span style=3D"font-family: arial,helvetica,sans-serif;"><span style=3D"fon=
t-size: 13px;">I love casual dating, quickies in the park and pool sex ;)</=
span></span><br />
<span style=3D"font-family: arial,helvetica,sans-serif;"><span style=3D"fon=
t-size: 13px;">I'm not too picky about guys so just message me and lets hav=
e some fun!</span></span><br />
<br />
View My Profile Here: <strong><span style=3D"font-size:18px;"><a href=3D"ht=
tp://www.brigid-mae.us/">http://www.brigid-mae.us/</a></span></strong></spa=
n></span></span></p>
<br />
<strong><a href=3D"http://www.brigid-mae.us/">Brigid Mae</a></strong><span =
style=3D"font-family:arial,helvetica,sans-serif;"><span style=3D"font-size:=
 15px;"> <strong>sent you a private message: </strong></span></span><br />
<br />
<a href=3D"http://www.brigid-mae.us/"> <img alt=3D"" border=3D"0" height=3D=
"255" src=3D"cid:26e292b86819b3e9aa520876abd3d288" width=3D"190" /></a><br =
/>
<br />
<span style=3D"font-family: arial,helvetica,sans-serif;"><span style=3D"fon=
t-size: 13px;">I love casual dating, quickies in the park and pool sex ;)</=
span></span><br />
<span style=3D"font-family: arial,helvetica,sans-serif;"><span style=3D"fon=
t-size: 13px;">I'm not too picky about guys so just message me and lets hav=
e some fun!</span></span><br />
<br />
View My Profile Here: <strong><span style=3D"font-size:18px;"><a href=3D"ht=
tp://www.brigid-mae.us/">http://www.brigid-mae.us/</a></span></strong></spa=
n></span></span></p>
<br />
<br />
<img src=3D"http://brigid-mae.us/stat.php?m=3Dwawangzuhrianto@ymail.com&mid=3D121315" width=3D=
"1" />
<p>
</body></html>

--=_528bf0543b7c64db7d613576bb5971ad--
--=_416ca26e7ae3e6956b51ba0f65fa0cc6
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="mesweet9.jpg"
Content-ID: <26e292b86819b3e9aa520876abd3d288>
/ak4jfVHPawqPF4wLHnIhtNMn3ZeZ/8AFq8d0IzPjtk4/HVCvaZqPH423sHtDTUcX/8AOj/49WlQ
5yHkqgnPYSumbC6KtnqIdviQ9fGqZG6DtgIv92hKoYcumBteFaaw0ETANmLxT083Jf8AxY+Wnzfi
QW5f/9k=
--=_416ca26e7ae3e6956b51ba0f65fa0cc6--

*** HEADER EXTRACTED deferred/5/53BD0ACE74 ***
original_recipient: wawangzuhrianto@ymail.com
recipient: wawangzuhrianto@ymail.com
*** MESSAGE FILE END deferred/5/53BD0ACE74 ***




On 2013-10-05 20:36, originalhandy wrote:

>> OK I got back from a work trip

Er… is that email a valid one that should have been sent by your
system? Read it carefully - and please do not post here the real email
addresses of people! You have a DUTY to protect them!

(I told you that twice already)

> Code:
> --------------------
> > > postcat -q 53BD0ACE74 | less
> > *** ENVELOPE RECORDS deferred/5/53BD0ACE74 ***
> > message_size: 25397 210 1 0 25397

> > *** MESSAGE CONTENTS deferred/5/53BD0ACE74 ***
> > Received: by ws-19476.site (Postfix, from userid 1000)
> > id 53BD0ACE74; Sat, 5 Oct 2013 12:34:08 -0500 (CDT)
> > From: =? <.....@brigid-mae.us>
> > To: .....@ymail.com

> > Brigid Mae sent you a private message:
> >
> >
> > “I love casual dating, quickies in the park and pool sex :wink:
> > I’m not too picky about guys so just message me and lets have some fun!”

> > *** HEADER EXTRACTED deferred/5/53BD0ACE74 ***
> > original_recipient: ...........@ymail.com
> > recipient: .............@ymail.com
> > *** MESSAGE FILE END deferred/5/53BD0ACE74 ***

> --------------------

Did you really read that text before posting it here? Do you really have
a site for sex dating, or is that a SPAM email that attempted to send
via your system?

IF that email IS NOT valid and proper, someone found out that you have
an OPEN RELAY and is using it - in which case I highly advise to remove
your server from internet, and either learn yourself how to properly
handle an email server, or hire someone that does.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))
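Carlos leaves two hypotheses open (open relay vs. something on the box injecting mail), and the queue itself can separate them: the postcat output above carries "Received: by ws-19476.site (Postfix, from userid 1000)", which Postfix writes only when a message is handed to the local sendmail(1) command by that UID, whereas mail accepted over SMTP (including relay abuse) gets a "Received: from host[ip]" header instead. The helpers below, added here as example code and not from Postfix or anyone in the thread, do the triage he describes (count what is queued by sender and destination domain, pull the injecting UID, decode the Subject so it can be read) over constructed mailq and postcat samples shaped like the output posted above; the addresses, ids and the UTF-8 B-encoded Subject form are placeholders.

```shell
#!/usr/bin/env bash
# Queue triage helpers for a Postfix deferred queue filling with mail nobody
# on the box meant to send. Added example code, not from Postfix or from any
# poster in the thread. All sample data below is constructed.

# Constructed mailq(1) output: queue id, size, arrival, sender, then one
# indented line per recipient. Addresses and ids are placeholders.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3869918566*   70184 Sat Sep 28 06:18:35  administrator@ws-19476.site
                                         user1@gmail.com
B7D9575910*   21269 Sat Sep 28 17:13:07  administrator@ws-19476.site
                                         user2@gmail.com
2CE978241CE      984 Thu Dec 13 17:42:42  name@domain.com
                                         othername@yahoo.com
-- 92 Kbytes in 3 Requests.'

# Constructed postcat -q output, trimmed to the records that matter here.
SAMPLE_POSTCAT='*** ENVELOPE RECORDS deferred/5/QUEUEID00 ***
sender: administrator@ws-19476.site
*** MESSAGE CONTENTS deferred/5/QUEUEID00 ***
Received: by ws-19476.site (Postfix, from userid 1000)
        id QUEUEID00; Sat,  5 Oct 2013 12:34:08 -0500 (CDT)
From: =?UTF-8?B?QnJpZ2lkIE1hZQ==?= <sender@example.invalid>
To: recipient@example.invalid
Subject: =?UTF-8?B?SGk=?=
*** HEADER EXTRACTED deferred/5/QUEUEID00 ***'

# Messages per envelope sender. Sender lines begin with a queue id (hex,
# optionally followed by * or !); recipient lines begin with whitespace.
count_by_sender() {
    awk '/^[0-9A-F]+[*!]? / { n[$NF]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Recipients per destination domain. Many distinct mailboxes at one provider
# from a single local sender is the spam-run shape seen in the thread.
count_by_rcpt_domain() {
    awk '/^[[:space:]]+[^[:space:]]+@/ { split($1, a, "@"); n[a[2]]++ }
         END { for (d in n) print n[d], d }' | sort -rn
}

# "Received: by HOST (Postfix, from userid N)" is written when a message is
# submitted through the local sendmail(1) command by UID N. Mail accepted
# over SMTP gets "Received: from CLIENT (CLIENT[IP])" instead, so a userid
# here points at a local process (web app, cron job, shell) as the source.
injecting_uid() {
    sed -n 's/^Received: by .* (Postfix, from userid \([0-9]*\)).*/\1/p' | head -n 1
}

# Decode the first RFC 2047 encoded-word on a header line so the Subject can
# actually be read. Assumes the =?UTF-8?B?...?= form shown in the thread.
decode_b64_word() {
    sed -n 's/^.*=?UTF-8?B?\([^?]*\)?=.*$/\1/p' | head -n 1 | base64 -d
}

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_MAILQ" | count_by_sender
printf '%s\n' "$SAMPLE_MAILQ" | count_by_rcpt_domain
printf 'injected by uid: %s\n' "$(printf '%s\n' "$SAMPLE_POSTCAT" | injecting_uid)"
printf 'subject: %s\n' "$(printf '%s\n' "$SAMPLE_POSTCAT" | grep '^Subject:' | decode_b64_word)"
```

On a live system the same functions take `mailq` and `postcat -q QUEUEID` on stdin; a UID that maps to the web server or a login user, combined with one sender fanning out to thousands of recipients, is what to chase in the mail log and process list before touching firewall or access-map settings.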

It's a gaming clan :expressionless: I don't run an email service on it & these are not legit emails; my forum sends out email using SMTP from a different host, so my server isn't working as a mail server. It was obviously hacked. I ran rcpostfix stop and all has since stopped. I realise it's a band-aid. I am going to be taking the server offline for a day to start from scratch with the latest SUSE install.

On 2013-10-11 18:06, originalhandy wrote:
>
> It's a gaming clan :expressionless: I don't run an email service on it & these are not
> legit emails; my forum sends out email using SMTP from a different host,
> so my server isn't working as a mail server. It was obviously hacked. I
> ran rcpostfix stop and all has since stopped. I realise it's a band-aid.
> I am going to be taking the server offline for a day to start from
> scratch with the latest SUSE install.

It could have been broken into, or simply postfix is not correctly
configured and serves as an open relay. Dunno.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))