I am running a server with Ubuntu 12.04 and three wordpress installations, some ftp server and a basic postfix to send mails with wordpress. additionally I am using webmin to administrate this system.

Now I checked my munin side and saw some major postfix activity.

The queue entries look like this:

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------

AF9AC11A03D9     2489 Sun Dec 22 04:29:26  [email protected]

(host alt1.gmail-smtp-in.l.google.com[173.194.79.26] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450 4.2.1 visit http://support.google.com/mail/bin/answer.py?answer=6592 pi8si9408127pac.88 - gsmtp (in reply to RCPT TO command))

                                         [email protected]

passwd files were changed only by myself, no suspoicious logins. We do have ssh with passwords enabled.

I think my system is compromised But I would like to know who is the troublemaker: Wordpress, postfix, or the system itself?

To me it looks like wordpress and some hard mail-function in the php of wordpress.