I am running a server with Ubuntu 12.04 and three WordPress installations, some FTP server and a basic Postfix to send mails with WordPress. Additionally, I am using Webmin to administrate this system.
Now I checked my Munin site and saw some major Postfix activity.
The queue entries look like this:
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
AF9AC11A03D9 2489 Sun Dec 22 04:29:26 [email protected]
(host alt1.gmail-smtp-in.l.google.com[173.194.79.26] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 pi8si9408127pac.88 - gsmtp (in reply to RCPT TO command))
[email protected]
passwd files were changed only by myself, no suspicious logins. We do have SSH with passwords enabled.
I think my system is compromised, but I would like to know who is the troublemaker: WordPress, Postfix, or the system itself?
To me it looks like WordPress and some hard mail function in the PHP of WordPress.
Strange signs, simple explanation: we are using a plugin that asks the commentator of a post to verify his comment. This means: each commentator receives an email. After upgrading WordPress to 3.8, some bots are able to set a comment without answering the needed captcha in the blog post. That means: a lot of comments, which results in a lot of mails. We are hoping to get an update for the re-captcha plugin soon.
The queue was filled by emails to heavy-usage Gmail spam accounts (the receiver gets too many messages in a given time...).
So it is a result of wanted mail-traffic and no "spamming" from our server seems to be involved.
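One way to check which sender, recipient domains and deferral codes dominate a Postfix queue like the one shown above. This is an added example, not part of the original post: the sample queue text, addresses and hosts are constructed, and `parse_mailq` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

# Queue ID (optional * = active, ! = hold), size, arrival time, sender
HEAD = re.compile(r'^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+'
                  r'(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(\S+)\s*$')
CODE = re.compile(r'said: (\d{3})[ -](\d\.\d{1,3}\.\d{1,3})?')  # reply + enhanced code

# Constructed sample in mailq layout; addresses and hosts are placeholders
SAMPLE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5F6     2489 Sun Dec 22 04:29:26  wordpress@blog.example.org
(host mx.example.net[192.0.2.10] said: 450-4.2.1 The user you are trying to contact
    is receiving mail at a rate that 450-4.2.1 prevents additional messages.
    (in reply to RCPT TO command))
                                         commenter1@example.net

B2C3D4E5F6A1*    2501 Sun Dec 22 04:31:02  wordpress@blog.example.org
                                         commenter2@example.net

C3D4E5F6A1B2     1800 Sun Dec 22 05:10:44  wordpress@blog.example.org
(connect to mx.example.com[192.0.2.25]:25: Connection timed out)
                                         someone@example.com
-- 6 Kbytes in 3 Requests.
"""

def parse_mailq(text):  # returns one dict per queued message
    entries, cur, in_reason = [], None, False
    for line in text.splitlines():
        m, s = HEAD.match(line), line.strip()
        if m:
            cur = {"id": m.group(1), "sender": m.group(5), "reason": "", "rcpts": []}
            entries.append(cur)
            in_reason = False
        elif cur and s and not s.startswith("--"):  # skip header, blanks, footer
            if s.startswith("(") or in_reason:      # reason text may wrap over lines
                cur["reason"] = (cur["reason"] + " " + s).strip()
                in_reason = not s.endswith(")")
            else:
                cur["rcpts"].append(s)
    return entries

def summarize(entries):  # tallies senders, recipient domains, deferral codes
    senders = Counter(e["sender"] for e in entries)
    domains = Counter(r.rsplit("@", 1)[-1].lower() for e in entries for r in e["rcpts"])
    codes = Counter()
    for e in entries:
        m = CODE.search(e["reason"])
        codes[(m.group(2) or m.group(1)) if m else ("other" if e["reason"] else "none")] += 1
    return senders, domains, codes
```

On a live system, pass the captured output of `mailq` to `parse_mailq` instead of `SAMPLE`.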