Join 3,381 readers in helping fund MetaFilter (Hide)


Weird stuff in mail logs. Was my server hacked?
June 6, 2013 1:24 PM   Subscribe

I'm running the latest LTS version of Ubuntu on my hosting provider's cloud VPS service. I recently noticed a series of weird, spammy looking messages in my server's mail.log file. Tech support at my hosting provider says it does not appear to be compromised; are they wrong?

Here is a random example of what shows up when I run the command grep -v notification mail.log.4 | grep \ to\= | head -1:

May 10 09:36:18 mono postfix/smtp[16752]: 7FE39198497: to=[REMOVED EMAIL ADDRESS FOR WEBMASTER at SEO DOMAIN], relay=[REMOVED SPAMMY URL and IPv4 ADDRESS]:25, delay=1.4, delays=0.02/0.01/0.88/0.48, dsn=2.0.0, status=sent (250 OK id=1UajkQ-0000sB-4j)

I shouldn't actually copy/paste the email addresses and URLs here, but trust me that they are super sketchy looking: SEO, weight loss, "golf tips 4 u", and unrecognized hotmail/gmail accounts. Am I misreading my mail logs, or is my server sending out emails to these super sketchy-looking addresses?

These show up at a rate of only 5 to 10 a day; I would expect more outbound traffic if my machine was now moonlighting as an evil spam robot.
posted by compartment to Computers & Internet (2 answers total) 1 user marked this as a favorite
 
Your server did send an email to REMOVED EMAIL ADDRESS FOR WEBMASTER at SEO DOMAIN ("relay" here means that's the machine that receives email for that address, so it's expected for that to be spammy, too). Is postfix running as an open relay? Is it only open to internal apps?



These show up at a rate of only 5 to 10 a day; I would expect more outbound traffic if my machine was now moonlighting as an evil spam robot.

The weird thing is that it's sending to the spammy addresses. Not exactly a good way for spam to spread. Are you running Wordpress or something that might have led bots to register with those addresses, and these could just be your regular emails/newsletters that you're sending?
posted by Nonsteroidal Anti-Inflammatory Drug at 2:30 PM on June 6, 2013 [1 favorite]


If you grep for the queue ID (7FE39198497 in your example), you can find the line for where it was submitted from. Something like:

Jun 6 23:49:55 host postfix/smtpd[28755]: DB84720015: client=localhost.localdomain[127.0.0.1]

This can give you a better idea of where the mail is originating, your system or some remote system.

If it is coming from outside your machine, well, that means your machine is operating as a mail relay. You probably want to stop it from doing that. Either your machine is allowing other machines to send email through yours without authentication, or the sender has authentication credentials for your machine (which is not good).

Alternately, if it is coming from your machine, that means either your machine may be compromised, or someone may be abusing some web form or other way of sending a message through your machine.
posted by fings at 9:23 PM on June 6, 2013 [1 favorite]


« Older My husband has an old, broken ...   |  I was at lunch today and asked... Newer »
This thread is closed to new comments.