
I have a server which doesn't have much activity. Today, suddenly server load went higher than 12, which compared to its normal value (0.5) is way too high. I checked and found out that postfix is being used by a program named smtp to send emails. Its full arguments:

 smtp -t unix -u

I use CentOS release 6.7, and I update my server on a regular basis. netstat shows me something like this: netstat

I also checked /var/log/maillog, which told me that in the last 10 hours hundreds of thousands of emails have been sent.

How can I find out who is behind this? How can I find out if it's internal or external?

P.S.: postfix is down.

2 Answers


To find out how this is happening, you need to look at postfix logs. Either your postfix is misconfigured or you have some authorized host that is compromised (usually a webserver). If the postfix logs say this is coming from your local host, an lsof -i -n can yield useful information.

Law29

Most probably you have open relay enabled and some bot/scanner has picked you up. See your postfix config file (/etc/postfix/main.cf) and look for something like:

mynetworks = 0.0.0.0/0

If that is the case here, you will have to decide which networks are allowed to relay mail, or even disable relaying altogether, leaving just the localhost.
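As an added example (not code from either answer), the script below audits a Postfix main.cf for the any-host mynetworks setting described above and ranks connecting clients from maillog "client=" lines, which is how you separate internal from external senders. The file names and their sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit mynetworks for an open-relay setting and rank the
# hosts that connected to smtpd. Paths and sample data below are constructed.

# Print "open-relay" if the effective mynetworks value contains a /0 network
# (0.0.0.0/0, ::/0, ...), "restricted" otherwise. $1 is the main.cf path.
check_mynetworks() {
    # Postfix uses the last uncommented assignment, so take the last match.
    val=$(grep -E '^[[:space:]]*mynetworks[[:space:]]*=' "$1" | tail -n 1 | sed 's/^[^=]*=//')
    # Entries may be separated by commas or whitespace; a /0 prefix means "everyone".
    if printf '%s\n' "$val" | tr ',' ' ' | grep -Eq '(^|[[:space:]])[^[:space:]]+/0([[:space:]]|$)'; then
        echo open-relay
    else
        echo restricted
    fi
}

# Count connections per client host from postfix/smtpd log lines, busiest first.
top_clients() {
    grep -o 'client=[^ ,]*' "$1" | sort | uniq -c | sort -rn
}

# --- constructed sample data (not real configs or logs) ---
tmp=$(mktemp -d)
cat > "$tmp/weak.cf" <<'EOF'
# relays for the whole internet (weak setting)
mynetworks = 127.0.0.0/8, 0.0.0.0/0
EOF
cat > "$tmp/fixed.cf" <<'EOF'
# localhost only (corrected setting)
mynetworks = 127.0.0.0/8 [::1]/128
EOF
cat > "$tmp/maillog" <<'EOF'
May  1 10:00:01 host postfix/smtpd[101]: 1A2B3C: client=unknown[203.0.113.5]
May  1 10:00:02 host postfix/smtpd[102]: 4D5E6F: client=unknown[203.0.113.5]
May  1 10:00:03 host postfix/smtpd[103]: 7A8B9C: client=localhost[127.0.0.1]
EOF

check_mynetworks "$tmp/weak.cf"    # open-relay
check_mynetworks "$tmp/fixed.cf"   # restricted
top_clients "$tmp/maillog"         # 203.0.113.5 listed first with 2 connections
```

On a real host point the functions at /etc/postfix/main.cf and /var/log/maillog; an external address at the top of the ranking while mynetworks is wide open is the open-relay case, while only localhost connecting points back at a local process such as a compromised web application.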