Question : Spam attack

I have recently set up CentOS 5.3 as a web server (Apache) with default settings for sendmail (which is pre-installed with default settings).

For some reason the server was a bit slow, so I logged in and typed 'top', which showed me that sendmail is using a lot of memory. So I checked the maillog and found that someone is spamming the hell out of the server. Mail logs are coded below.

I checked the mail queue (ls /var/spool/mqueue) and it was filled with millions of messages. I tried rm -rf * but it was too much for the server to delete, so I deleted them in chunks.

But I'm still getting these messages at 10 messages per second, or maybe my server is sending them at 10 messages per second; I don't know. How can I find out where they are coming from and who is triggering them?

I think someone is trying to send them from my server, but how do I troubleshoot this?

Please help me

Thanks
Code Snippet:
Sep 17 12:54:55 mydomainsendmail[14212]: n8HBstwU014212: [email protected],"Juliane KIRPALANI" , ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=60250, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (n8HBstAN014213 Message accepted for delivery)
Sep 17 12:54:55 mydomainsendmail[14215]: n8HBstAN014213: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=alt4.gmail-smtp-in.l.google.com. [216.239.59.27], dsn=4.0.0, stat=Deferred: 421-4.7.0 [217.8.243.199] Our system has detected an unusual amount of
Sep 17 12:54:55 mydomainsendmail[14215]: n8HBstAN014213: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=zen'co.uk, dsn=5.1.2, stat=Host unknown (Name server: zen'co.uk: host not found)
Sep 17 12:54:55 mydomainsendmail[14215]: n8HBstAN014213: n8HBstAN014215: DSN: Host unknown (Name server: zen'co.uk: host not found)
Sep 17 12:54:55 mydomainsendmail[14215]: n8HBstAN014215: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31633, dsn=2.0.0, stat=Sent
Sep 17 12:54:58 mydomainsendmail[14222]: n8HBsw07014222: from=apache, size=250, class=0, nrcpts=2, msgid=<[email protected]>, relay=apache@localhost
Sep 17 12:54:58 mydomainsendmail[14223]: n8HBswrw014223: from=, size=435, class=0, nrcpts=2, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=mydomain.local [127.0.0.1]
Sep 17 12:54:58 mydomainsendmail[14222]: n8HBsw07014222: [email protected],"Juliane KIRPALANI" , ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=60250, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (n8HBswrw014223 Message accepted for delivery)
Sep 17 12:54:58 mydomainsendmail[14225]: n8HBswrw014223: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=alt4.gmail-smtp-in.l.google.com. [216.239.59.27], dsn=4.0.0, stat=Deferred: 421-4.7.0 [217.8.243.199] Our system has detected an unusual amount of
Sep 17 12:54:58 mydomainsendmail[14225]: n8HBswrw014223: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=zen'co.uk, dsn=5.1.2, stat=Host unknown (Name server: zen'co.uk: host not found)
Sep 17 12:54:58 mydomainsendmail[14225]: n8HBswrw014223: n8HBswrw014225: DSN: Host unknown (Name server: zen'co.uk: host not found)
Sep 17 12:54:58 mydomainsendmail[14225]: n8HBswrw014225: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31633, dsn=2.0.0, stat=Sent
Sep 17 12:54:59 mydomainsendmail[14228]: n8HBsxvu014228: from=apache, size=639, class=0, nrcpts=2, msgid=<[email protected]>, relay=apache@localhost
Sep 17 12:54:59 mydomainsendmail[14229]: n8HBsxVg014229: from=, size=824, class=0, nrcpts=2, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=mydomain.local [127.0.0.1]
Sep 17 12:54:59 mydomainsendmail[14228]: n8HBsxvu014228: [email protected],"Jon Puckey" , ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=60639, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (n8HBsxVg014229 Message accepted for delivery)
Sep 17 12:55:00 mydomainsendmail[14231]: n8HBsxVg014229: to=, ctladdr= (48/48), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=150824, relay=alt4.gmail-smtp-in.l.google.com. [216.239.59.27], dsn=4.0.0, stat=Deferred: 421-4.7.0 [217.8.243.199] Our system has detected an unusual amount of
Sep 17 12:55:00 mydomainsendmail[14231]: n8HBsxVg014229: to=, ctladdr= (48/48), delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=150824, relay=mx2.mail.eu.yahoo.com. [77.238.177.142], dsn=2.0.0, stat=Sent (ok dirdel)
Sep 17 12:55:01 mydomainsendmail[14234]: n8HBt1Fm014234: from=apache, size=250, class=0, nrcpts=2, msgid=<[email protected]>, relay=apache@localhost
Sep 17 12:55:01 mydomainsendmail[14235]: n8HBt1oo014235: from=, size=435, class=0, nrcpts=2, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=mydomain.local [127.0.0.1]
Sep 17 12:55:01 mydomainsendmail[14234]: n8HBt1Fm014234: [email protected],"Juliane KIRPALANI" , ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=60250, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (n8HBt1oo014235 Message accepted for delivery)
Sep 17 12:55:01 mydomainsendmail[14237]: n8HBt1oo014235: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=alt4.gmail-smtp-in.l.google.com. [216.239.59.27], dsn=4.0.0, stat=Deferred: 421-4.7.0 [217.8.243.199] Our system has detected an unusual amount of
Sep 17 12:55:01 mydomainsendmail[14237]: n8HBt1oo014235: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=zen'co.uk, dsn=5.1.2, stat=Host unknown (Name server: zen'co.uk: host not found)
Sep 17 12:55:01 mydomainsendmail[14237]: n8HBt1oo014235: n8HBt1oo014237: DSN: Host unknown (Name server: zen'co.uk: host not found)
Sep 17 12:55:01 mydomainsendmail[14237]: n8HBt1oo014237: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31633, dsn=2.0.0, stat=Sent
Sep 17 12:55:04 mydomainsendmail[14240]: n8HBt4ln014240: from=apache, size=250, class=0, nrcpts=2, msgid=<[email protected]>, relay=apache@localhost
Sep 17 12:55:04 mydomainsendmail[14241]: n8HBt4CN014241: from=, size=435, class=0, nrcpts=2, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=mydomain.local [127.0.0.1]
Sep 17 12:55:04 mydomainsendmail[14240]: n8HBt4ln014240: [email protected],"Juliane KIRPALANI" , ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=60250, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (n8HBt4CN014241 Message accepted for delivery)
Sep 17 12:55:04 mydomainsendmail[14243]: n8HBt4CN014241: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=alt4.gmail-smtp-in.l.google.com. [216.239.59.27], dsn=4.0.0, stat=Deferred: 421-4.7.0 [217.8.243.199] Our system has detected an unusual amount of
Sep 17 12:55:04 mydomainsendmail[14243]: n8HBt4CN014241: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=zen'co.uk, dsn=5.1.2, stat=Host unknown (Name server: zen'co.uk: host not found)
Sep 17 12:55:04 mydomainsendmail[14243]: n8HBt4CN014241: n8HBt4CN014243: DSN: Host unknown (Name server: zen'co.uk: host not found)
Sep 17 12:55:04 mydomainsendmail[14243]: n8HBt4CN014243: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31633, dsn=2.0.0, stat=Sent
Sep 17 12:55:07 mydomainsendmail[14245]: n8HBt7Pw014245: from=apache, size=250, class=0, nrcpts=2, msgid=<[email protected]>, relay=apache@localhost
Sep 17 12:55:07 mydomainsendmail[14246]: n8HBt7OZ014246: from=, size=435, class=0, nrcpts=2, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=mydomain.local [127.0.0.1]
Sep 17 12:55:07 mydomainsendmail[14245]: n8HBt7Pw014245: [email protected],"Juliane KIRPALANI" , ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=60250, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (n8HBt7OZ014246 Message accepted for delivery)
Sep 17 12:55:07 mydomainsendmail[14249]: n8HBt7OZ014246: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=alt4.gmail-smtp-in.l.google.com. [216.239.59.27], dsn=4.0.0, stat=Deferred: 421-4.7.0 [217.8.243.199] Our system has detected an unusual amount of
Sep 17 12:55:07 mydomainsendmail[14249]: n8HBt7OZ014246: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=zen'co.uk, dsn=5.1.2, stat=Host unknown (Name server: zen'co.uk: host not found)
Sep 17 12:55:07 mydomainsendmail[14249]: n8HBt7OZ014246: n8HBt7OZ014249: DSN: Host unknown (Name server: zen'co.uk: host not found)
Sep 17 12:55:07 mydomainsendmail[14249]: n8HBt7OZ014249: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31633, dsn=2.0.0, stat=Sent
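
Added example (not part of the original post): a small Python script that reads sendmail maillog records like the ones above and summarises who handed each message to sendmail. In these lines the from= records carry relay=apache@localhost and the recipient records carry ctladdr=apache (48/48), i.e. the mail is being submitted locally by the Apache user (a web script), not relayed in from outside; the script makes that distinction by counting injection paths and controlling uids. The sample lines are copied from the log above; the regexes and the verdict strings are this example's own.

```python
import re
from collections import Counter

# Sample entries copied from the maillog quoted in the question above (the
# hostname "mydomain" and "sendmail[pid]" are fused in the page's copy).
SAMPLE_LOG = """\
Sep 17 12:54:58 mydomainsendmail[14222]: n8HBsw07014222: from=apache, size=250, class=0, nrcpts=2, msgid=<[email protected]>, relay=apache@localhost
Sep 17 12:54:58 mydomainsendmail[14223]: n8HBswrw014223: from=, size=435, class=0, nrcpts=2, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=mydomain.local [127.0.0.1]
Sep 17 12:54:58 mydomainsendmail[14222]: n8HBsw07014222: [email protected],"Juliane KIRPALANI" , ctladdr=apache (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=60250, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (n8HBswrw014223 Message accepted for delivery)
Sep 17 12:54:58 mydomainsendmail[14225]: n8HBswrw014223: to=, ctladdr= (48/48), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=150435, relay=alt4.gmail-smtp-in.l.google.com. [216.239.59.27], dsn=4.0.0, stat=Deferred: 421-4.7.0 [217.8.243.199] Our system has detected an unusual amount of
"""

# from= records name the client that injected the message (relay= field);
# recipient records carry ctladdr=user (uid/gid) of the controlling local user.
FROM_RE = re.compile(r"sendmail\[\d+\]: \S+: from=(?P<sender>[^,]*),.*?relay=(?P<relay>.+)$")
CTL_RE = re.compile(r"ctladdr=(?P<user>[^ ,]*) \((?P<uid>\d+)/\d+\)")

def classify_relay(relay):
    """Local submission (user@localhost), loopback re-injection, or a remote client."""
    if relay.endswith("@localhost"):
        return "local-submission"
    if "[127.0.0.1]" in relay:
        return "loopback"
    return "remote"

def triage(log_text):
    """Count injection paths, envelope senders and controlling uids; verdict says where to look."""
    paths, senders, ctl_uids = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            paths[classify_relay(m.group("relay").strip())] += 1
            senders[m.group("sender") or "<>"] += 1
        m = CTL_RE.search(line)
        if m:
            ctl_uids[m.group("uid")] += 1   # uid 48 is apache on CentOS
    if paths["remote"]:
        verdict = "possible open relay: messages injected by remote clients"
    elif paths["local-submission"]:
        verdict = "local injection: a process running as a local user is sending mail"
    else:
        verdict = "no injection records found"
    return {"paths": paths, "senders": senders, "ctl_uids": ctl_uids, "verdict": verdict}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"])
    print("injection paths:", dict(result["paths"]), "senders:", dict(result["senders"]))
    print("controlling uids:", dict(result["ctl_uids"]))
```

Run it against the full /var/log/maillog instead of the sample to see which local user dominates; a uid of 48 with relay=apache@localhost points at a script under the web server rather than at the MTA's relay settings.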

Answer : Spam attack

Check if your server is an open relay and install SpamAssassin.
Or check this: http://www.howtoforge.com/the-perfect-spamsnake-ubuntu-jaunty-jackalope