1

Topic: Is my iRedMail server being hacked?

Today my iRedMail server is running very slow, and most of the time mysqld is taking a lot of CPU resources. Then I noticed my www account has received 2000+ undelivered emails from nowhere, and there are 1000+ mails in the queue. Is my server being hacked?

http://img101.imageshack.us/img101/5387/iredmail1.jpg
http://img32.imageshack.us/img32/269/iredmail.jpg

2

Re: Is my iRedMail server being hacked?

This is part of my /var/log/maillog

Mar 18 09:30:21 mail postfix/smtp[3523]: 6715CAFF4B: to=<tcavanaugh@qwest.net>, relay=mx2.qwest.net[207.109.18.198]:25, delay=14332, delays=14328/1/1.8/1.3, dsn=4.7.1, status=deferred (host mx2.qwest.net[207.109.18.198] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [60.52.246.125] (in reply to RCPT TO command))
Mar 18 09:30:21 mail postfix/error[4263]: CF23AB007D: to=<rsherman@rochester.rr.com>, relay=none, delay=19888, delays=19793/89/0/5.9, dsn=4.7.1, status=deferred (delivery temporarily suspended: host hrndva-smtpin02.mail.rr.com[71.74.56.244] refused to talk to me: 554 5.7.1 - Connection refused. IP name lookup failed for 60.52.246.125)
Mar 18 09:30:21 mail postfix/error[4260]: 6525FB0330: to=<tlandscape@netzero.net>, relay=none, delay=21836, delays=21744/91/0/0.92, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...39978aeee76e5e5ef76fb36ffe0a6f476f2b4ebb7e3a13aa5e4a7eaaba2e431f3b2e4b3b9b3fe39b87ef...)
Mar 18 09:30:21 mail postfix/bounce[4341]: 41AC7B0348: sender non-delivery notification: 74347AFF10
Mar 18 09:30:21 mail postfix/smtp[3856]: 5CAC5AFD17: host mailin-01.mx.aol.com[205.188.59.194] refused to talk to me: 421 4.7.1 : (DNS:NR) http://postmaster.info.aol.com/errors/421dnsnr.html
Mar 18 09:30:21 mail postfix/qmgr[3802]: 1D2A7B0277: from=<>, size=12118, nrcpt=1 (queue active)
Mar 18 09:30:21 mail postfix/smtp[4378]: E406EB0129: host b.mx.mail.yahoo.com[74.6.136.65] refused to talk to me: 421 4.7.0 [TS01] Messages from 60.52.246.125 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Mar 18 09:30:21 mail postfix/smtp[3828]: 5CAC5AFD17: host a.mx.mail.yahoo.com[67.195.168.31] refused to talk to me: 421 4.7.0 [TS01] Messages from 60.52.246.125 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Mar 18 09:30:22 mail postfix/smtp[3518]: CFC6BAFD0B: host mx3.qwest.net[207.109.18.202] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [60.52.246.125] (in reply to RCPT TO command)
Mar 18 09:30:22 mail postfix/qmgr[3802]: 786BFB0071: from=<>, size=10206, nrcpt=1 (queue active)
Mar 18 09:30:22 mail postfix/error[4273]: 78EEAAFF6B: to=<llokosky@aol.com>, relay=none, delay=19225, delays=19130/90/0/4.5, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.90.98] refused to talk to me: 421 4.7.1 : (DNS:NR) http://postmaster.info.aol.com/errors/421dnsnr.html)
Mar 18 09:30:22 mail postfix/error[4020]: A00C4B0194: to=<weizhong.liu@yahoo.com>, relay=none, delay=22005, delays=21908/85/0/12, dsn=4.7.0, status=deferred (delivery temporarily suspended: host b.mx.mail.yahoo.com[74.6.136.65] refused to talk to me: 421 4.7.0 [TS01] Messages from 60.52.246.125 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Mar 18 09:30:22 mail postfix/smtp[3567]: CFC6BAFD0B: to=<alaprade@elmore.rr.com>, relay=cdptpa-smtpin02.mail.rr.com[75.180.132.244]:25, delay=30911, delays=30904/2.1/5.4/0, dsn=4.7.1, status=deferred (host cdptpa-smtpin02.mail.rr.com[75.180.132.244] refused to talk to me: 554 5.7.1 - Connection refused. IP name lookup failed for 60.52.246.125)
Mar 18 09:30:22 mail postfix/smtp[3827]: 5CAC5AFD17: to=<amanning@localnet.com>, relay=inbound.localnet.com[207.251.194.26]:25, delay=30826, delays=30823/1.2/0.92/1.2, dsn=4.7.1, status=deferred (host inbound.localnet.com[207.251.194.26] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [60.52.246.125] (in reply to RCPT TO command))
Mar 18 09:30:22 mail postfix/smtp[3856]: 5CAC5AFD17: host mailin-03.mx.aol.com[205.188.190.2] refused to talk to me: 421 4.7.1 : (DNS:NR) http://postmaster.info.aol.com/errors/421dnsnr.html
Mar 18 09:30:22 mail postfix/smtp[3828]: 5CAC5AFD17: host c.mx.mail.yahoo.com[206.190.54.127] refused to talk to me: 421 4.7.0 [TS01] Messages from 60.52.246.125 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Mar 18 09:30:22 mail postfix/smtp[3828]: 5CAC5AFD17: host g.mx.mail.yahoo.com[98.137.54.238] refused to talk to me: 421 4.7.0 [TS01] Messages from 60.52.246.125 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Mar 18 09:30:22 mail postfix/smtp[4378]: E406EB0129: host c.mx.mail.yahoo.com[206.190.54.127] refused to talk to me: 421 4.7.0 [TS01] Messages from 60.52.246.125 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Mar 18 09:30:23 mail postfix/smtp[4378]: E406EB0129: host g.mx.mail.yahoo.com[98.137.54.238] refused to talk to me: 421 4.7.0 [TS01] Messages from 60.52.246.125 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
Mar 18 09:30:24 mail postfix/qmgr[3802]: 6494BB021E: from=<>, size=10144, nrcpt=1 (queue active)

3

Re: Is my iRedMail server being hacked?

Did you read it yourself?

Mar 18 09:30:21 mail postfix/error[4263]: CF23AB007D: to=<rsherman@rochester.rr.com>, relay=none, delay=19888, delays=19793/89/0/5.9, dsn=4.7.1, status=deferred (delivery temporarily suspended: host hrndva-smtpin02.mail.rr.com[71.74.56.244] refused to talk to me: 554 5.7.1 - Connection refused. IP name lookup failed for 60.52.246.125)

Mar 18 09:30:21 mail postfix/error[4260]: 6525FB0330: to=<tlandscape@netzero.net>, relay=none, delay=21836, delays=21744/91/0/0.92, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...39978aeee76e5e5ef76fb36ffe0a6f476f2b4ebb7e3a13aa5e4a7eaaba2e431f3b2e4b3b9b3fe39b87ef...)

Mar 18 09:30:22 mail postfix/error[4273]: 78EEAAFF6B: to=<llokosky@aol.com>, relay=none, delay=19225, delays=19130/90/0/4.5, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.90.98] refused to talk to me: 421 4.7.1 : (DNS:NR) http://postmaster.info.aol.com/errors/421dnsnr.html)

4

Re: Is my iRedMail server being hacked?

But I don't know all the To addresses in my mail queue... and I can send and receive mail from my Hotmail account...

5

Re: Is my iRedMail server being hacked?

Can you confirm whether your user sent mails to them or not?

6 (edited by hata_ph 2010-03-18 10:19:42)

Re: Is my iRedMail server being hacked?

100% confirmed, because no one is using the www account...

PS: This is my first time running a mail server, so you can consider me a newbie... not very sure about security...

7

Re: Is my iRedMail server being hacked?

Was the password of this account cracked?

8

Re: Is my iRedMail server being hacked?

It could be... because I am using a simple password. Is there a way of finding the root cause?

9

Re: Is my iRedMail server being hacked?

Change its password first; if there are no more spam emails, that's the root cause.
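A log-triage helper added here (not from the thread or the iRedMail project) that does what posts 2 and 9 get at: it reads Postfix maillog lines, counts submissions per SASL-authenticated account, groups the remote deferral reasons quoted above into causes a defender can act on, and counts bounce notifications. The sample log is constructed; the smtpd lines carrying sasl_username and the account name www@example.com are assumptions, since the thread does not show that part of the log.

```python
import re
from collections import Counter

# Constructed sample in Postfix maillog format. The smtpd/sasl_username lines are
# hypothetical (the thread never shows them); the deferred lines mirror the ones
# quoted in the thread. Account and client addresses are made up.
SAMPLE_LOG = """\
Mar 18 09:20:01 mail postfix/smtpd[3100]: 6715CAFF4B: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=www@example.com
Mar 18 09:20:02 mail postfix/smtpd[3100]: CF23AB007D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=www@example.com
Mar 18 09:20:03 mail postfix/smtpd[3101]: A00C4B0194: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=www@example.com
Mar 18 09:21:10 mail postfix/smtpd[3102]: 41AC7B0348: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 18 09:30:21 mail postfix/smtp[3523]: 6715CAFF4B: to=<tcavanaugh@qwest.net>, relay=mx2.qwest.net[207.109.18.198]:25, delay=14332, delays=14328/1/1.8/1.3, dsn=4.7.1, status=deferred (host mx2.qwest.net[207.109.18.198] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [60.52.246.125] (in reply to RCPT TO command))
Mar 18 09:30:21 mail postfix/error[4263]: CF23AB007D: to=<rsherman@rochester.rr.com>, relay=none, delay=19888, delays=19793/89/0/5.9, dsn=4.7.1, status=deferred (delivery temporarily suspended: host hrndva-smtpin02.mail.rr.com[71.74.56.244] refused to talk to me: 554 5.7.1 - Connection refused. IP name lookup failed for 60.52.246.125)
Mar 18 09:30:21 mail postfix/bounce[4341]: 41AC7B0348: sender non-delivery notification: 74347AFF10
Mar 18 09:30:22 mail postfix/error[4020]: A00C4B0194: to=<weizhong.liu@yahoo.com>, relay=none, delay=22005, delays=21908/85/0/12, dsn=4.7.0, status=deferred (delivery temporarily suspended: host b.mx.mail.yahoo.com[74.6.136.65] refused to talk to me: 421 4.7.0 [TS01] Messages from 60.52.246.125 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
"""

# Authenticated submission: which account handed the message to Postfix.
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+, "
                     r"sasl_method=\S+, sasl_username=(?P<user>\S+)")
# Delivery attempt the remote MX deferred; the reason is the parenthesised tail.
DEFER_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*status=deferred \((?P<reason>.*)\)$")

def classify(reason):
    """Map a remote MX rejection text to a coarse cause a defender can act on."""
    r = reason.lower()
    if "reverse hostname" in r or "ip name lookup failed" in r or "dns:nr" in r:
        return "no reverse DNS (PTR) for sending IP"
    if "user complaints" in r:
        return "reputation: recipient complaints"
    return "other"

def triage(log_text, threshold=3):
    """Summarise a maillog: per-account submissions, deferral causes, bounces."""
    senders, reasons, rcpt_domains = Counter(), Counter(), Counter()
    bounces = 0
    for line in log_text.splitlines():
        if m := SASL_RE.search(line):
            senders[m["user"]] += 1
        elif m := DEFER_RE.search(line):
            reasons[classify(m["reason"])] += 1
            rcpt_domains[m["rcpt"].rsplit("@", 1)[-1]] += 1
        elif "postfix/bounce[" in line and "non-delivery notification" in line:
            bounces += 1
    # Accounts at or above the threshold are the ones to lock and re-password first.
    suspects = [u for u, n in senders.most_common() if n >= threshold]
    return {"senders": senders, "suspects": suspects, "reasons": reasons,
            "rcpt_domains": rcpt_domains, "bounces": bounces}
```

On a real server, feed it the contents of /var/log/maillog; a single account with far more submissions than the rest, combined with many "no reverse DNS" and reputation deferrals, is the pattern of a cracked mailbox password rather than an open relay.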

10

Re: Is my iRedMail server being hacked?

Done... will let you all know the result.
BTW, I am not using DKIM or SPF. Could that be one of the root causes?

11

Re: Is my iRedMail server being hacked?

Read the introduction to DKIM/SPF first, and you will know what they are used for.