
263223 Re: Spam Attack on Postmaster

  • Noel Jones
    Mar 1, 2010
      On 3/1/2010 10:50 AM, Carlos Williams wrote:
      > On Mon, Mar 1, 2010 at 9:29 AM, Noel Jones <njones@...> wrote:
      >> That parameter doesn't prevent spammers from sending junk to postmaster, it
      >> prevents mail to postmaster from bypassing your existing anti-spam controls.
      >> Big difference.
      >
      > It looks like it does pass my 'anti-spam' controls however & I am not
      > sure why or how I can determine what is allowing this particular
      > example to slip past.

      It "slips past" because there are no rules to block it.

      > Below is straight from my Postfix logs and in
      > the end of this email you can see my postconf -n shows
      > '$double_bounce_sender':
      >
      > Feb 27 15:05:44 mail postfix/smtpd[3291]: warning: 89.204.40.160: hostname 160.40.204.89.access.ttknet.ru verification failed: Name or service not known
      > Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
      > Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5: client=unknown[89.204.40.160]
      > Feb 27 15:05:50 mail postfix/cleanup[5220]: 179C477ADB5: message-id=<20100227200549.179C477ADB5@...>
      > Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5: from=<postmaster@...>, size=3854, nrcpt=1 (queue active)
      > Feb 27 15:05:50 mail postfix/smtpd[3291]: disconnect from unknown[89.204.40.160]
      > Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6: client=localhost.localdomain[127.0.0.1]
      > Feb 27 15:05:50 mail postfix/cleanup[5220]: EC5B277ADD6: message-id=<20100227200549.179C477ADB5@...>
      > Feb 27 15:05:51 mail postfix/smtpd[5224]: disconnect from localhost.localdomain[127.0.0.1]
      > Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: from=<postmaster@...>, size=4620, nrcpt=1 (queue active)
      > Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY, [89.204.40.160] [89.204.40.160] <postmaster@...> -> <postmaster@...>, Message-ID: <20100227200549.179C477ADB5@...>, mail_id: awUEbrkCfcvq, Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
      > Feb 27 15:05:51 mail postfix/lmtp[5221]: 179C477ADB5: to=<postmaster@...>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=1.7/0.01/0/0.81, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06851-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EC5B277ADD6)
      > Feb 27 15:05:51 mail postfix/qmgr[20536]: 179C477ADB5: removed
      > Feb 27 15:05:51 mail postfix/local[5225]: EC5B277ADD6: to=<carlos@...>, orig_to=<postmaster@...>, relay=local, delay=0.31, delays=0.18/0.01/0/0.12, dsn=2.0.0, status=sent (delivered to maildir)
      > Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: removed
      >
      >> No. Apparently you have no controls that would otherwise reject this spam.
      >
      > I guess I didn't really understand fully the full meaning of
      > '$double_bounce_sender'.
      >
      >> Yes, looks as if the spammer forged your postmaster as the envelope sender.
      >> You can reject mail FROM postmaster@ your domain with a check_sender_access
      >> map.
      >
      > I do have a 'sender_access' map in /etc/postfix and in main.cf:
      >
      > [root@mail postfix]# postconf -n | grep 'sender_access'
      > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, check_policy_service unix:postgrey/socket, check_sender_access hash:/etc/postfix/sender_access, check_helo_access pcre:/etc/postfix/helo_checks.pcre, check_client_access hash:/etc/postfix/client_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
      >
      > Inside the file however I have domains and specific email addresses.
      > Is this wrong formatting for the 'sender_access' file?
      >
      > # /etc/postfix/sender_access
      > #
      > # Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
      > #
      > lmco.com OK
      > saic.com OK
      > se-core.net OK
      > army.mil OK
      > us.army.mil OK
      > rayhtheonvtc.com OK
      > sting_ray1@... OK
      >
      > aol.com REJECT
      > craigslist.org REJECT
      > facebookmail.com REJECT
      > gmail.com REJECT
      > hotmail.com REJECT
      > yahoo.com REJECT
      > youtube.com REJECT

      You can add "postmaster@your_domain REJECT" to this list if
      you want.


      >
      > Noel or anyone. If you can please help me understand the following:
      >
      > 1. Why did Postfix allow the sender to bypass my 'anti spam' rules in
      > my main.cf when it appeared in my logs above it didn't have a proper
      > formatted fqdn and or hostname?

      You have no rules to reject based on this.

      > 2. Was it passed because it was spoofed to come from
      > 'postmaster@...' & I need to add a rule for this in
      > 'sender_access'?

      No, that doesn't appear to have any bearing.


      > 3. If 'yes' to above, why isn't '$double_bounce_sender' forcing email
      > to 'Postmaster' run through checks?
      > 4. Based on my postconf -n (below) and my contents above showing
      > '/etc/postfix/sender_access', do I have the correct values in the
      > 'sender_access' file or is it improperly formatted?

      >
      > ***Postconf -n***
      >
      > [root@mail postfix]# postconf -n
      > address_verify_sender = $double_bounce_sender
      > alias_database = hash:/etc/aliases
      > alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
      > broken_sasl_auth_clients = yes
      > command_directory = /usr/sbin
      > config_directory = /etc/postfix
      > content_filter = amavisfeed:[127.0.0.1]:10024
      > daemon_directory = /usr/libexec/postfix
      > home_mailbox = Maildir/
      > html_directory = no
      > inet_interfaces = all
      > mail_owner = postfix
      > mailq_path = /usr/bin/mailq.postfix
      > manpage_directory = /usr/share/man
      > message_size_limit = 20480000
      > mydestination = $myhostname, $mydomain, mail.$mydomain
      > mydomain = iamghost.com
      > myhostname = mail.iamghost.com
      > mynetworks = $config_directory/mynetworks
      > myorigin = $mydomain
      > newaliases_path = /usr/bin/newaliases.postfix
      > queue_directory = /var/spool/postfix
      > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
      > recipient_delimiter = +
      > relay_domains =
      > sample_directory = /usr/share/doc/postfix-2.3.3/samples
      > sendmail_path = /usr/sbin/sendmail.postfix
      > setgid_group = postdrop
      > smtp_tls_security_level = may
      > smtpd_banner = $myhostname ESMTP
      > smtpd_data_restrictions = reject_unauth_pipelining, permit
      > smtpd_delay_reject = yes
      > smtpd_helo_required = yes
      > smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
      > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, check_policy_service unix:postgrey/socket, check_sender_access hash:/etc/postfix/sender_access, check_helo_access pcre:/etc/postfix/helo_checks.pcre, check_client_access hash:/etc/postfix/client_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit


      No glaring errors, although you might want to remove
      reject_unknown_recipient_domain as the only thing it's likely
      to block is your own domain.


      > smtpd_sasl_auth_enable = yes
      > smtpd_sasl_path = private/auth
      > smtpd_sasl_security_options = noanonymous
      > smtpd_sasl_type = dovecot
      > smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, permit
      > smtpd_tls_CAfile = /etc/ssl/intermediate.crt
      > smtpd_tls_auth_only = yes
      > smtpd_tls_cert_file = /srv/ssl/mail.crt
      > smtpd_tls_key_file = /srv/ssl/mail.key
      > smtpd_tls_loglevel = 1
      > smtpd_tls_security_level = may
      > smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
      > smtpd_tls_session_cache_timeout = 3600s
      > tls_random_source = dev:/dev/urandom
      > unknown_local_recipient_reject_code = 550

      -- Noel Jones
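To answer the "how can I determine what is allowing this" part of the question from the logs themselves, here is an added example (mine, not Postfix or amavis code, and not from either participant in the thread). It walks the log excerpt quoted above: it groups lines by queue ID, follows the amavis re-injection through the "queued as" ID that the delivery to the content filter logs, and reports whether any smtpd "NOQUEUE: reject" line exists, which is the only trace a restriction-based rejection leaves. LOG is a constructed copy of the quoted lines with the elided addresses kept as "..."; REJECT_SAMPLE is a constructed line in the standard smtpd reject format (not present in the thread), with the domain taken from the posted mydomain and an invented HELO name.

```python
"""Trace the quoted message through the poster's Postfix + amavisd-new logs.

Added example, not Postfix or amavis code.  LOG is a constructed copy of the
log excerpt quoted in the thread (wrapped lines re-joined, elided addresses
kept as '...').  REJECT_SAMPLE is a constructed line in the standard smtpd
'NOQUEUE: reject' format; the thread's excerpt contains no such line.
"""
import re
from collections import defaultdict

LOG = """\
Feb 27 15:05:44 mail postfix/smtpd[3291]: warning: 89.204.40.160: hostname 160.40.204.89.access.ttknet.ru verification failed: Name or service not known
Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5: client=unknown[89.204.40.160]
Feb 27 15:05:50 mail postfix/cleanup[5220]: 179C477ADB5: message-id=<20100227200549.179C477ADB5@...>
Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5: from=<postmaster@...>, size=3854, nrcpt=1 (queue active)
Feb 27 15:05:50 mail postfix/smtpd[3291]: disconnect from unknown[89.204.40.160]
Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6: client=localhost.localdomain[127.0.0.1]
Feb 27 15:05:50 mail postfix/cleanup[5220]: EC5B277ADD6: message-id=<20100227200549.179C477ADB5@...>
Feb 27 15:05:51 mail postfix/smtpd[5224]: disconnect from localhost.localdomain[127.0.0.1]
Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: from=<postmaster@...>, size=4620, nrcpt=1 (queue active)
Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY, [89.204.40.160] [89.204.40.160] <postmaster@...> -> <postmaster@...>, Message-ID: <20100227200549.179C477ADB5@...>, mail_id: awUEbrkCfcvq, Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
Feb 27 15:05:51 mail postfix/lmtp[5221]: 179C477ADB5: to=<postmaster@...>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=1.7/0.01/0/0.81, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=06851-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EC5B277ADD6)
Feb 27 15:05:51 mail postfix/qmgr[20536]: 179C477ADB5: removed
Feb 27 15:05:51 mail postfix/local[5225]: EC5B277ADD6: to=<carlos@...>, orig_to=<postmaster@...>, relay=local, delay=0.31, delays=0.18/0.01/0/0.12, dsn=2.0.0, status=sent (delivered to maildir)
Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: removed
"""

# Constructed: what the same client produces once a sender_access REJECT fires
# (domain taken from the posted mydomain, HELO name invented).
REJECT_SAMPLE = (
    "Feb 27 15:07:02 mail postfix/smtpd[3291]: NOQUEUE: reject: RCPT from "
    "unknown[89.204.40.160]: 554 5.7.1 <postmaster@iamghost.com>: Sender address "
    "rejected: Access denied; from=<postmaster@iamghost.com> "
    "to=<postmaster@iamghost.com> proto=ESMTP helo=<example.invalid>\n"
)

QUEUE_LINE = re.compile(r" postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
REINJECT = re.compile(r"queued as ([0-9A-F]{6,})")
DELIVERY = re.compile(r"to=<([^>]*)>.*status=(\w+)")


def parse(log):
    """Group Postfix lines by queue ID.  A restriction-based rejection never gets a
    queue ID, so it is logged as NOQUEUE and collected separately."""
    events, rejects = defaultdict(list), []
    for line in log.splitlines():
        m = QUEUE_LINE.search(line)
        if m:
            events[m.group(2)].append((m.group(1), m.group(3)))
        elif "NOQUEUE: reject:" in line:
            rejects.append(line)
    return events, rejects


def follow(events, qid):
    """Follow a message across content-filter re-injection: the delivery to the
    filter logs 'queued as <new id>' when amavis hands it back on port 10025."""
    chain = [qid]
    while True:
        nxt = None
        for _, detail in events[chain[-1]]:
            m = REINJECT.search(detail)
            if m:
                nxt = m.group(1)
        if nxt is None or nxt in chain:
            return chain
        chain.append(nxt)


def summarize(log):
    """Report entry client, queue-ID chain, final delivery and any rejects."""
    events, rejects = parse(log)
    entry = client = None
    for qid, evs in events.items():
        for daemon, detail in evs:
            # The real entry point: an smtpd 'client=' that is not the
            # filter's loopback re-injection.
            if daemon == "smtpd" and detail.startswith("client=") and "[127.0.0.1]" not in detail:
                entry, client = qid, detail[len("client="):]
    chain = follow(events, entry) if entry else []
    to = status = None
    last = events[chain[-1]] if chain else []
    for _, detail in last:
        m = DELIVERY.search(detail)
        if m:
            to, status = m.groups()
    return {"client": client, "chain": chain, "final_to": to,
            "final_status": status, "rejects": rejects}


if __name__ == "__main__":
    print(summarize(LOG))
    print(summarize(LOG + REJECT_SAMPLE)["rejects"])
```

Run against the quoted excerpt this reports client unknown[89.204.40.160], the chain 179C477ADB5 -> EC5B277ADD6, final delivery to carlos@... with status sent, and an empty rejects list: that empty list is what "there are no rules to block it" looks like on disk. Every restriction returned DUNNO or permit, amavis tagged the message SPAMMY but passed it (Passed SPAMMY means the score was above the tag level but below the kill level), and local(8) delivered it through the postmaster alias. One detail worth reading in the first log line: "hostname ... verification failed" means the client had a PTR record whose name did not resolve back to the address, which is why Postfix logs it as unknown[...]. reject_unknown_reverse_client_hostname, which the poster has in smtpd_sender_restrictions, only fires when there is no PTR at all; reject_unknown_client_hostname would have rejected this client, at the documented cost of also rejecting legitimate mail from hosts with broken DNS.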
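Questions 2 and 4 come down to what the sender_access map actually matches and where check_sender_access sits in the restriction list. The added example below (mine, not Postfix code, and not from either participant) emulates the access(5) lookup order for indexed maps over a constructed copy of the poster's table, with and without the "postmaster@your_domain REJECT" line Noel suggests (iamghost.com is the posted mydomain; the elided sting_ray1@... entry is left out), and then walks the poster's smtpd_recipient_restrictions to show which restriction decides for an unknown client versus an authenticated one. Only permit_mynetworks, permit_sasl_authenticated, check_sender_access and the trailing permit are modelled; every other restriction in the list is treated as returning DUNNO, which is what they did for the logged message.

```python
"""Emulate how smtpd consults a check_sender_access map and walks the poster's
smtpd_recipient_restrictions.

Added example, not Postfix code.  SENDER_ACCESS is a constructed copy of the
poster's /etc/postfix/sender_access (the elided 'sting_ray1@...' entry left
out); SENDER_ACCESS_FIXED adds the 'postmaster@your_domain REJECT' line Noel
suggests, using the posted mydomain.  Only the restrictions that matter for a
forged postmaster@ sender are modelled; the rest return DUNNO here.
"""
from dataclasses import dataclass

SENDER_ACCESS = {
    "lmco.com": "OK", "saic.com": "OK", "se-core.net": "OK", "army.mil": "OK",
    "us.army.mil": "OK", "rayhtheonvtc.com": "OK",
    "aol.com": "REJECT", "craigslist.org": "REJECT", "facebookmail.com": "REJECT",
    "gmail.com": "REJECT", "hotmail.com": "REJECT", "yahoo.com": "REJECT",
    "youtube.com": "REJECT",
}
SENDER_ACCESS_FIXED = {**SENDER_ACCESS, "postmaster@iamghost.com": "REJECT"}

# The poster's smtpd_recipient_restrictions, map arguments dropped.
RECIPIENT_RESTRICTIONS = [
    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_pipelining",
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "reject_unauth_destination", "reject_unlisted_recipient", "check_policy_service",
    "check_sender_access", "check_helo_access", "check_client_access",
    "reject_rbl_client", "reject_rbl_client", "permit",
]


def access_lookup(table, address, parent_matches_subdomains=True):
    """Look up an envelope address the way access(5) describes for indexed maps:
    user@domain first, then the domain and its parent domains (bare parent
    names when smtpd_access_maps is in parent_domain_matches_subdomains, the
    default; the .parent.tld form otherwise), then user@.  Keys are folded to
    lower case as postmap and smtpd do.  None means no entry, i.e. DUNNO."""
    address = address.lower()
    if "@" not in address:
        return table.get(address)
    user, domain = address.rsplit("@", 1)
    labels = domain.split(".")
    keys = [address, domain]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(user + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


@dataclass
class Session:
    sender: str
    client_in_mynetworks: bool = False
    sasl_authenticated: bool = False


def evaluate(restrictions, session, sender_access):
    """Walk a restriction list left to right: the first restriction answering OK
    or REJECT decides and nothing after it in that list runs; DUNNO falls
    through.  Returns (action, restriction that decided)."""
    for r in restrictions:
        if r == "permit_mynetworks" and session.client_in_mynetworks:
            return "OK", r
        if r == "permit_sasl_authenticated" and session.sasl_authenticated:
            return "OK", r
        if r == "check_sender_access":
            action = access_lookup(sender_access, session.sender)
            if action in ("OK", "REJECT"):
                return action, r
        if r == "permit":
            return "OK", r
    return "OK", "end of list"   # smtpd permits when a list ends undecided


if __name__ == "__main__":
    forged = Session("postmaster@iamghost.com")
    print(evaluate(RECIPIENT_RESTRICTIONS, forged, SENDER_ACCESS))        # ('OK', 'permit')
    print(evaluate(RECIPIENT_RESTRICTIONS, forged, SENDER_ACCESS_FIXED))  # ('REJECT', 'check_sender_access')
    own = Session("postmaster@iamghost.com", sasl_authenticated=True)
    print(evaluate(RECIPIENT_RESTRICTIONS, own, SENDER_ACCESS_FIXED))     # ('OK', 'permit_sasl_authenticated')
```

Because permit_mynetworks and permit_sasl_authenticated come before check_sender_access, the poster's own authenticated clients can still send as postmaster@ after the REJECT line is added; only unauthenticated clients that claim it are refused. Two things the existing table does that may not be intended: parent_domain_matches_subdomains includes smtpd_access_maps by default, so "gmail.com REJECT" also rejects anything@mail.gmail.com, and every "OK" entry ends evaluation of smtpd_recipient_restrictions for that session, so a client that merely claims MAIL FROM:<anything@lmco.com> skips the check_helo_access, check_client_access and reject_rbl_client lookups that follow it in this list (smtpd_data_restrictions and the amavis content filter still apply). The envelope sender is an unauthenticated string, as the forged postmaster@ here shows, so OK in a sender map is a trust decision to make sparingly. After editing the file, run postmap /etc/postfix/sender_access so the hash: map is rebuilt.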