Saturday, May 23, 2015

mysql - My server is sending spam

I have a dedicated server with CentOS+MySQL installed from godaddy.com. Recently I had some very weird problems: I installed a PHP application which has a thread that queries a MySQL database for email addresses and then sends out emails via the sendmail command. Later I stopped that thread, deleted the program source file and also rebooted my server.



However, my server still sends out a lot of emails and works like a spam email server now. I also saw MySQL errors that say something like "too many connections" a couple of times when trying to open my website. My perception is that something is slowly using up MySQL connections but never disconnects, so eventually all the connections are occupied and my website stops functioning.



Here's what I did:





  1. I checked my cron jobs on the server, but didn't find anything related to this problem


  2. I checked /var/log/maillog and found the following typical fragment:



    Mar 30 18:25:57 ip- master[2501]: process 8739 exited, status 0
    Mar 30 18:34:40 ip- postfix/pickup[7556]: D44BCF280BE: uid=48 from=
    Mar 30 18:34:40 ip- postfix/cleanup[9426]: D44BCF280BE: message-id=<20110330223440.D44BCF280BE@ip-.ip.secureserver.net>
    Mar 30 18:34:40 ip- postfix/qmgr[29799]: D44BCF280BE: from=.ip.secureserver.net>, size=1661, nrcpt=1 (queue active)
    Mar 30 18:34:40 ip- postfix/pickup[7556]: EC91FF280C3: uid=48 from=
    Mar 30 18:34:40 ip- postfix/cleanup[9426]: EC91FF280C3: message-id=<20110330223440.EC91FF280C3@ip-.ip.secureserver.net>
    Mar 30 18:34:40 ip- postfix/qmgr[29799]: EC91FF280C3: from=.ip.secureserver.net>, size=1928, nrcpt=1 (queue active)

    Mar 30 18:34:41 ip- postfix/smtp[9428]: D44BCF280BE: to=, relay=p3smtpout.secureserver.net[208.109.80.54]:25, delay=0.34, delays=0.04/0.01/0.15/0.13, dsn=2.0.0, status=sent (250 Accepted message qp 12288 bytes 1821)
    Mar 30 18:34:41 ip- postfix/qmgr[29799]: D44BCF280BE: removed
    Mar 30 18:34:41 ip- postfix/smtp[9431]: EC91FF280C3: to=, relay=p3smtpout.secureserver.net[208.109.80.54]:25, delay=0.32, delays=0.01/0.01/0.08/0.22, dsn=2.0.0, status=sent (250 Accepted message qp 7308 bytes 2085)
    Mar 30 18:34:41 ip- postfix/qmgr[29799]: EC91FF280C3: removed

  3. I stopped the postfix service. Then a lot of files were generated in /var/spool/postfix/maildrop like this:



       1BCBEF280BE  apache  postdrop    rwxr--r--  2 KB    8:01 PM




I checked the maillog file again and the log fragment described in #2 disappeared. However still receives the same emails every day!



I also noticed the timestamps in maillog show the emails were sent throughout the day, but always receives email at 5PM.



It feels like the PHP program I deleted is still running and something is sending out emails on a daily basis although postfix was stopped.



Now, I am suspecting one of the following possibilities:





  1. Some cached files in my PHP application were not deleted successfully and they still perform the old query->sendmail job and the sendmail was not handled by postfix


  2. It looks like Apache picked up sendmail requests from some place and then forwarded them to postfix. But where is that "some place"?




I got totally confused. I don't know what to do but watch my server continue sending out stupid emails.



Please shed some light on me. All hints/ideas are highly appreciated!



=== update ===
I don't know why I cannot even comment on answers to my questions...

Here's an update:



I flushed the mail queue as suggested by the answers. mailq returned empty, but my server still sent out emails!



Also, I have to keep the mailing service running. The rest of the PHP application still needs it.



Any other directions that I should try?
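
An added example, not part of the original post: the `postfix/pickup` lines in the fragment above record the uid of the local account that handed each message to the queue (uid=48 there, and the maildrop file in step 3 is owned by apache), so grouping queue IDs by that uid shows which account is injecting mail and at what hours. The sample lines, host name and addresses below are constructed placeholders, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the maillog fragment in the post
# (host name, relay and addresses are placeholders, not values from the page).
SAMPLE_LOG = """\
Mar 30 18:34:40 host postfix/pickup[7556]: D44BCF280BE: uid=48 from=<apache>
Mar 30 18:34:40 host postfix/qmgr[29799]: D44BCF280BE: from=<apache@host.example>, size=1661, nrcpt=1 (queue active)
Mar 30 18:34:40 host postfix/pickup[7556]: EC91FF280C3: uid=48 from=<apache>
Mar 30 18:34:41 host postfix/smtp[9428]: D44BCF280BE: to=<a@example.com>, relay=relay.example[192.0.2.1]:25, delay=0.34, dsn=2.0.0, status=sent (250 Accepted)
Mar 30 18:34:41 host postfix/smtp[9431]: EC91FF280C3: to=<b@example.com>, relay=relay.example[192.0.2.1]:25, delay=0.32, dsn=2.0.0, status=sent (250 Accepted)
Mar 30 19:02:10 host postfix/pickup[7556]: 1BCBEF280BE: uid=0 from=<root>
Mar 30 19:02:11 host postfix/smtp[9440]: 1BCBEF280BE: to=<c@example.com>, relay=relay.example[192.0.2.1]:25, delay=0.30, dsn=4.4.1, status=deferred (connection timed out)
"""

# Groups: hour, postfix daemon name, queue ID, remainder of the line.
LINE = re.compile(
    r"^\w{3}\s+\d+ (\d{2}):\d{2}:\d{2} \S+ postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")

def summarize(log_text):
    """Attribute each queue ID to the local uid that submitted it via pickup."""
    uid_of = {}                      # queue ID -> submitting uid
    submitted = Counter()            # uid -> messages handed to pickup
    sent = Counter()                 # uid -> messages later delivered (status=sent)
    by_hour = defaultdict(Counter)   # uid -> hour of day -> submissions
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        hour, daemon, qid, rest = m.groups()
        if daemon == "pickup":
            u = re.search(r"\buid=(\d+)", rest)
            if u:
                uid_of[qid] = int(u.group(1))
                submitted[uid_of[qid]] += 1
                by_hour[uid_of[qid]][hour] += 1
        elif daemon == "smtp" and "status=sent" in rest and qid in uid_of:
            sent[uid_of[qid]] += 1
    return {"submitted": dict(submitted), "sent": dict(sent),
            "by_hour": {u: dict(h) for u, h in by_hour.items()}}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for uid, n in sorted(report["submitted"].items()):
        print(f"uid={uid}: submitted={n} sent={report['sent'].get(uid, 0)} "
              f"hours={report['by_hour'][uid]}")
```

To run it against a real log, pass the contents of /var/log/maillog to `summarize` instead of `SAMPLE_LOG`.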
