On Wed, Feb 27, 2013 at 10:01:27PM +0200, Jamie wrote:
> On 2013/02/27 9:48 PM, Noel Jones wrote:
> >If you would send postfix logs and current "postconf -n" to the 
> >list as requested several times, we could likely clear this all
> >up pretty quickly.

> If you look back earlier in the thread, you will see that I had
> posted it already.

I only saw main.cf and some largely irrelevant logs.

Do note that your system is ipso facto compromised. We know this 
because it is being used by a spammer to send spam. Stop saying 
you're not compromised, when we know that you are.

Here is what you need to do. Please pay attention.

Find one or two of the spams in your logs. Trace all references 
therein to that queue ID. Trace it further back through the 
content_filter, to the original queue ID. Find how and where that 
original queue ID was first submitted. grep(1) won't do. Use less(1) 
or other pager, because the initial connection likely won't show up 
in a grep for the queue ID.

Show all those logs, at least through the initial round of smtp(8) 
rejections and deferrals. Include "postconf -n" and master.cf (all 
comments removed) in the same post.

I can offer a WAG here, which would explain why blocking some 
seemingly random IP address would stop the spamming: perhaps that's 
the IP address of the command and control node of your malware.

I can also repeat what others have told you: the Subject: is wrong; 
this is not a localhost dns spoof attack. This is some other, more 
mundane and ordinary, attack. You're going to have to cooperate if 
you want help in solving it.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
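The tracing procedure described in the message above (spam queue ID, back through the content_filter to the original queue ID, then to the submitting smtpd session) can be automated. The following is an added example written for this page, not code from the thread or from the Postfix project. It works over a constructed log excerpt; the queue IDs, hostnames, addresses and PIDs in it are invented. The key point it demonstrates is the one rob0 makes about grep(1): the "connect from" line that identifies the submitting client carries no queue ID, so the script walks backwards through lines from the same smtpd PID instead of matching on the queue ID alone.

```python
import re

# Constructed sample log excerpt (not from the thread): a message submitted by a
# SASL-authenticated client, handed to a content_filter on 127.0.0.1:10024,
# re-injected under a new queue ID, and finally delivered to a remote host.
SAMPLE_LOG = """\
Feb 27 21:01:02 mx postfix/smtpd[1201]: connect from unknown[203.0.113.7]
Feb 27 21:01:03 mx postfix/smtpd[1201]: 3A1B2C3D4E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Feb 27 21:01:03 mx postfix/cleanup[1305]: 3A1B2C3D4E: message-id=<constructed-0001@example.invalid>
Feb 27 21:01:03 mx postfix/qmgr[999]: 3A1B2C3D4E: from=<alice@example.invalid>, size=2210, nrcpt=1 (queue active)
Feb 27 21:01:04 mx postfix/smtp[1402]: 3A1B2C3D4E: to=<victim@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.5, delays=0.1/0/0.1/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D6C5B)
Feb 27 21:01:04 mx postfix/qmgr[999]: 3A1B2C3D4E: removed
Feb 27 21:01:04 mx postfix/smtpd[1503]: connect from localhost[127.0.0.1]
Feb 27 21:01:04 mx postfix/smtpd[1503]: 9F8E7D6C5B: client=localhost[127.0.0.1]
Feb 27 21:01:04 mx postfix/qmgr[999]: 9F8E7D6C5B: from=<alice@example.invalid>, size=2600, nrcpt=1 (queue active)
Feb 27 21:01:06 mx postfix/smtp[1604]: 9F8E7D6C5B: to=<victim@example.net>, relay=mail.example.net[192.0.2.25]:25, delay=1.5, delays=0.2/0/0.5/0.8, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Feb 27 21:01:06 mx postfix/qmgr[999]: 9F8E7D6C5B: removed
Feb 27 21:01:06 mx postfix/smtpd[1201]: disconnect from unknown[203.0.113.7]
""".splitlines()

# Syslog-style Postfix line: timestamp, host, program, PID, message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Short-form (hex) queue ID at the start of the message. Long-form queue IDs
# (enable_long_queue_ids) would need a wider pattern; kept simple here.
QID_RE = re.compile(r'^(?P<qid>[0-9A-F]{8,12}): ')


def parse(lines):
    """Parse log lines into dicts; 'qid' is None for lines without a queue ID."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        q = QID_RE.match(entry['msg'])
        entry['qid'] = q.group('qid') if q else None
        entries.append(entry)
    return entries


def previous_hop(entries, qid):
    """Queue ID that smtp(8) delivered into the filter and that was re-queued as qid."""
    pat = re.compile(r'queued as ' + re.escape(qid) + r'\b')
    for e in entries:
        if e['prog'] == 'smtp' and e['qid'] and pat.search(e['msg']):
            return e['qid']
    return None


def origin_qid(entries, qid):
    """Follow 'queued as' links backwards until there is no earlier hop."""
    seen = {qid}
    while True:
        prev = previous_hop(entries, qid)
        if prev is None or prev in seen:
            return qid
        seen.add(prev)
        qid = prev


def submission(entries, qid):
    """smtpd session that submitted qid, including the 'connect from' line.

    The 'client=' line carries the queue ID and the smtpd PID; earlier lines
    from that PID (which have no queue ID) show where the connection came from.
    """
    idx = next((i for i, e in enumerate(entries)
                if e['prog'] == 'smtpd' and e['msg'].startswith(qid + ': client=')), None)
    if idx is None:
        return {'pid': None, 'client': None, 'sasl_username': None, 'session': []}
    client_line = entries[idx]
    pid = client_line['pid']
    session = []
    for e in reversed(entries[:idx]):
        if e['prog'] == 'smtpd' and e['pid'] == pid:
            session.append(e)
            if e['msg'].startswith('connect from'):
                break
    session.reverse()
    session.append(client_line)
    host = re.search(r'client=([^,\s]+)', client_line['msg'])
    user = re.search(r'sasl_username=(\S+)', client_line['msg'])
    return {'pid': pid,
            'client': host.group(1) if host else None,
            'sasl_username': user.group(1) if user else None,
            'session': session}


def trace(entries, qid):
    """Full trace: chain of queue IDs from the spam back to its submission."""
    chain = [qid]
    while (prev := previous_hop(entries, chain[-1])) and prev not in chain:
        chain.append(prev)
    return {'chain': chain, 'origin': chain[-1],
            'submission': submission(entries, chain[-1])}


if __name__ == '__main__':
    result = trace(parse(SAMPLE_LOG), '9F8E7D6C5B')
    print('queue ID chain:', ' <- '.join(result['chain']))
    for e in result['submission']['session']:
        print(f"{e['ts']} {e['prog']}[{e['pid']}]: {e['msg']}")
```

Run against a real maillog, the session lines are what belong in a post to the list: they show whether the spam arrived over an authenticated SASL session (a stolen password), from a local pickup(8) submission (a compromised script or account), or from an open relay. In the constructed sample the origin is an authenticated submission from 203.0.113.7 as user "alice".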