So, my server seems to be sending a ton of spam:


Apr 21 22:28:07 wiggins postfix/smtp[26636]: BFF6CF2401: to=<tgonzalez@nefflorida.com>, relay=mail2.metbp.com[216.163.240.103]:25, delay=88504, delays=88473/0.33/31/0, dsn=4.0.0, status=deferred (host mail2.metbp.com[216.163.240.103] refused to talk to me: 450 Requested action not taken - The client IP was present in the following DNSBL: bl.spamcop.net)
Apr 21 22:28:07 wiggins postfix/smtp[26667]: connect to mindspring.net[209.86.62.44]:25: Connection timed out
Apr 21 22:28:07 wiggins postfix/smtp[26667]: 83C6CF263B: to=<terriphotography@mindspring.net>, relay=none, delay=47244, delays=47213/0.88/30/0, dsn=4.4.1, status=deferred (connect to mindspring.net[209.86.62.44]:25: Connection timed out)
Apr 21 22:28:08 wiggins postfix/smtp[26679]: connect to mail.homelite.com[64.213.55.3]:25: Connection timed out
Apr 21 22:28:08 wiggins postfix/smtp[26679]: 4A150F263F: to=<ennett@homelite.com>, relay=none, delay=47238, delays=47207/0.4/31/0, dsn=4.4.1, status=deferred (connect to mail.homelite.com[64.213.55.3]:25: Connection timed out)
Apr 21 22:28:08 wiggins postfix/smtp[26678]: connect to forgreer.com[82.98.86.167]:25: Connection timed out
Apr 21 22:28:08 wiggins postfix/smtp[26678]: D7732F2828: to=<ichriskof81@forgreer.com>, relay=none, delay=38436, delays=38404/1.3/30/0, dsn=4.4.1, status=deferred (connect to forgreer.com[82.98.86.167]:25: Connection timed out)
Apr 21 22:28:08 wiggins postfix/smtp[26290]: connect to netants.net[70.39.99.88]:25: No route to host
Apr 21 22:28:08 wiggins postfix/smtp[26290]: 88274F281D: to=<john@netants.net>, relay=none, delay=38458, delays=38427/1.2/30/0, dsn=4.4.1, status=deferred (connect to netants.net[70.39.99.88]:25: No route to host)
Apr 21 22:28:08 wiggins postfix/smtp[26694]: connect to mx3.pt.lu[195.46.255.249]:25: Connection timed out
Apr 21 22:28:08 wiggins postfix/smtp[26694]: 87C1FF2431: to=<steve77@pt.lu>, relay=none, delay=84754, delays=84722/1.2/31/0, dsn=4.4.1, status=deferred (connect to mx3.pt.lu[195.46.255.249]:25: Connection timed out)
Apr 21 22:28:09 wiggins postfix/smtp[26652]: connect to postoffice03.mail-hub.dodo.com.au[202.136.40.236]:25: Connection timed out



I have no idea how to stop this. Is anyone willing to help me out if I pay you?

I'm sure it's a simple config thing, but I don't know enough to be able to sort it out. As you can see, my linode is getting blacklisted by everyone.

Post the contents of your /etc/postfix/main.cf and your ip address

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

wiggins:/srv/www/wagorn.com/logs# cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version



# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = synthgear.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = synthgear.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
message_size_limit = 30720000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps



IP address is : 173.230.149.162

By the way, I watched my apache logs for some time, and don't really see anything that stuck out as me as possible web script exploits. Also changed the password for the user (me) that seemed to be sending the email

You don't have an open relay which is good, your postfix conf looks fine, run this

grep sasl /var/log/mail.log

and post the output (if any) that will see if these are being sent remotely or locally, they look local from what you've posted so far.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

Many thanks. Here's what it looks like, a whole ton of this (email obfuscated):

Apr 22 07:06:38 wiggins postfix/smtpd[9975]: E219BD2BC: client=unknown[92.47.76.39], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxxx
Apr 22 07:06:48 wiggins postfix/smtpd[9952]: 5CD25D2BE: client=unknown[151.16.147.99], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxx
Apr 22 07:06:51 wiggins postfix/smtpd[9966]: C9FE8D2BF: client=m90-131-123-167.cust.tele2.se[90.131.123.167], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxx
Apr 22 07:06:55 wiggins postfix/smtpd[10287]: 1C1DED2C0: client=unknown[112.134.219.100], sasl_method=LOGIN, sasl_username=paul@xxxxxxxxxxxxxx

Since you have a host of different ip addresses connecting with the account paul@xxxx looks like that accounts been compromised.

So do this
1) Reset the password for the user paul
2) Purge your mail que (this will delete anything pending) using sudo postsuper -d ALL
3) See if it stops
4) Find out how they got the password for the account.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

thanks - your help is very appreciated.

This is what I tried yesterday - I use postfix/mysql, so i did this:

update users set password=encrypt("xxxxxxxx") where email="paul@xxxxxxxxxx";

then deleted the queue

it didn't seem to help. I just tried it again, perhaps I did something wrong last time.

well, so far, so good. I will watch it carefully.

So, as far as how this password was compromised, there really aren't too many ways this can happen, are there?

It seems unlikely that this particular password could have been brute-forced, and I've never actually logged in with this account (it automatically forwards to another email address), so I cannot imagine how someone would have found the password out, as it never gets typed in.

Does this leave a compromised vps? yuk.

If you've never logged in with that account then that eliminates password sniffing.
That leaves you with things such as:
Brute force
Software bug in postfix/sasl (unlikely especially if your software's up to date)
Compromised database someone reset the password
Compromised vps (worse case)

You don't allow any web scripts on your server to connect to mysql as root do you? That would be a great way to get in.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

I'm guessing you're using mysql to serve virtual domains?