pickup/maildrop being used to spam through my machine.

Tue, 13 Jun 2017 01:29:34 -0700 


    Running postfix 2.3.3 CentOS 5.x

    This is a simple apache 2 web server running postfix for
incoming mail for shell users on the same server.  Very low key,
almost no traffic, outside is not allowed to connect to the
postfix on this machine.

     This machine's only handles shell users on the its own domain,
adore.lightlink.com and mail addressed or forward to it from our other
real mail servers that talk to the outside world.
Suddenly I am find adore's mailq queue filled with spam, each having a pickup line in the logs, but no indication where it comes from, probably the web server as the from username is apache, but so far no corellation between web logs and time stamp on pickup line. 

     This machine is also running an innd news server if it makes
any difference, innd 2.x

    Can someone tell me about possible injection routes into the
maildrop directory and how to stop it if I can't
find the web page doing it.

    Thanks  Homer

Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2169C2B0038: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 260E32B0065: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2AB902B007D: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 325422B0080: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3AC572B0095: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3D0A32B00B8: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 417DD2B00BD: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4728B2B00CA: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4FE062B00D2: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 89BB02B00DD: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: A53092B00E3: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: BEAB72B00E7: uid=48 from=<apache>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: CA9F42B00EC: uid=48 from=<apache>
... on and on and on thousands etc.

Reply via email to