
Suspicious Email Logs...

  • Conall O'Brien
    Message 1 of 5 , Apr 1, 2006
      Hello,


      I've just noticed that my 2 backup MX postfix servers appear to have
      sent more emails than I expect in a day, especially since my primary MX
      is running fine.


      Investigating my mail.logs has produced some interesting logs which
      look like:

      Apr 1 04:33:19 castor postfix/cleanup[21583]: B9CE3775: message-id=<20060401043319.B9CE3775@...>
      Apr 1 04:33:19 castor postfix/qmgr[21148]: B9CE3775: from=<>, size=52034, nrcpt=1 (queue active)
      Apr 1 04:33:22 castor postfix/smtp[21586]: B9CE3775: to=<qvqls@...>, relay=mail13.webcontrolcenter.com[216.119.106.129], delay=3, status=sent (250 OK)
      Apr 1 04:33:22 castor postfix/qmgr[21148]: B9CE3775: removed


      The complete collection of suspicious logs for both servers is available
      at http://icarus.asclepian.ie/~conall/suspicious.logs


      I've considered the possibility of scatterback, which is an issue I
      haven't specifically addressed previously, but grepping mail.log files
      on my other MX servers for mentioned domain names reveals that in most
      cases, this isn't scatterback (I did find 1 case). I'm also a little
      suspicious because the message ID looks a little bit too deterministic
      for my liking, looking at the least significant digits.

      Hence I'd like to know if anyone else has seen this before. Any help is
      appreciated...


      Both servers are almost identically configured, diffing the output of
      postconf -n shows only different values for $myhostname ,
      $smtpd_tls_cert_file and $smtpd_tls_key_file . Hence, below is the
      postconf -n output for one server.


      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      append_dot_mydomain = no
      biff = no
      broken_sasl_auth_clients = yes
      config_directory = /etc/postfix
      home_mailbox = Maildir/
      inet_interfaces = all
      mailbox_command = procmail -a "$EXTENSION"
      mailbox_size_limit = 0
      myhostname = castor.asclepian.ie
      mynetworks = 127.0.0.0/8
      myorigin = $myhostname
      recipient_delimiter = +
      relay_domains = $mydestinations, $mx_backups
      smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
      smtpd_client_restrictions = permit_sasl_authenticated, reject_invalid_hostname, reject_unlisted_sender, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, reject_rbl_client blackholes.mail-abuse.org, reject_rbl_client relays.ordb.org, reject_rbl_client sbl-xbl.spamhaus.org
      smtpd_recipient_restrictions = permit_sasl_authenticated, check_policy_service inet:127.0.0.1:60000, check_relay_domains, reject_unauth_destination, permit_mynetworks
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain =
      smtpd_sasl_security_options = noanonymous
      smtpd_tls_cert_file = /etc/ssl/certs/castor.asclepian.ie.crt
      smtpd_tls_key_file = /etc/ssl/private/castor.asclepian.ie.key
      smtpd_use_tls = yes
      tls_daemon_random_source = dev:/dev/urandom
      tls_random_source = dev:/dev/urandom

      --

      Conall O'Brien

      http://www.conall.net

      GPG Key: http://www.conall.net/gpg/

      Eagles may soar, but weasels don't get sucked into jet engines.
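As an added illustration (mine, not the poster's or the Postfix project's code): a small Python parser that groups mail.log lines of the kind shown above by queue ID and reports messages that were accepted with an empty envelope sender (from=<>, i.e. a bounce or DSN) and then relayed out with status=sent. A backup MX that accepts mail for relay recipients it cannot validate and bounces it afterwards produces exactly this pattern, so counting such deliveries per day is a cheap detector for outbound backscatter. The log excerpt is constructed with placeholder hostnames and addresses; it is not the poster's suspicious.logs. On the queue-ID similarity: Postfix's short queue ID is the hexadecimal microsecond timestamp followed by the hexadecimal inode number of the queue file, so queue files that reuse the same inodes produce look-alike IDs; the example does not try to decode them.

```python
import re
from collections import defaultdict

# Constructed sample mail.log excerpt (placeholder hosts/addresses, not real traffic).
SAMPLE_LOG = """\
Apr  1 04:33:19 castor postfix/cleanup[21583]: B9CE3775: message-id=<20060401043319.B9CE3775@castor.example>
Apr  1 04:33:19 castor postfix/qmgr[21148]: B9CE3775: from=<>, size=52034, nrcpt=1 (queue active)
Apr  1 04:33:22 castor postfix/smtp[21586]: B9CE3775: to=<qvqls@example.net>, relay=mail13.example.net[192.0.2.10], delay=3, status=sent (250 OK)
Apr  1 04:33:22 castor postfix/qmgr[21148]: B9CE3775: removed
Apr  1 04:35:02 castor postfix/qmgr[21148]: B9CE3776: from=<>, size=51988, nrcpt=1 (queue active)
Apr  1 04:35:05 castor postfix/smtp[21590]: B9CE3776: to=<xkqwe@example.org>, relay=mx.example.org[192.0.2.20], delay=3, status=sent (250 OK)
Apr  1 09:12:40 castor postfix/qmgr[21148]: 1A2B3C4D: from=<alice@example.ie>, size=1200, nrcpt=1 (queue active)
Apr  1 09:12:41 castor postfix/smtp[21601]: 1A2B3C4D: to=<bob@example.com>, relay=mx.example.com[192.0.2.30], delay=1, status=sent (250 OK)
Apr  1 10:00:00 castor postfix/qmgr[21148]: B9CE3777: from=<>, size=50211, nrcpt=1 (queue active)
Apr  1 10:00:01 castor postfix/smtp[21610]: B9CE3777: to=<zzz@example.net>, relay=mail13.example.net[192.0.2.10], delay=1, status=bounced (550 no such user)
"""

# Syslog prefix, postfix daemon name, and queue ID; lines without a queue ID
# (connects, disconnects, warnings) do not match and are skipped.
LINE_RE = re.compile(
    r'^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) '
    r'postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$')


def parse_log(text):
    """Group Postfix log lines by queue ID into one record per message."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records.setdefault(m['qid'], {
            'date': f"{m['mon']} {m['day']}", 'sender': None, 'size': None,
            'message_id': None, 'deliveries': []})
        rest = m['rest']
        if m['prog'] == 'qmgr' and rest.startswith('from='):
            # Envelope sender; an empty one (<>) marks a bounce/DSN.
            rec['sender'] = re.search(r'from=<(.*?)>', rest).group(1)
            rec['size'] = int(re.search(r'size=(\d+)', rest).group(1))
        elif m['prog'] == 'cleanup' and rest.startswith('message-id='):
            rec['message_id'] = rest[len('message-id='):]
        elif m['prog'] in ('smtp', 'local', 'virtual') and rest.startswith('to='):
            rec['deliveries'].append({
                'to': re.search(r'to=<(.*?)>', rest).group(1),
                'relay': re.search(r'relay=(\S+?)(?:,|$)', rest).group(1),
                'status': re.search(r'status=(\w+)', rest).group(1),
            })
    return records


def outbound_null_sender(records):
    """Queue IDs accepted with an empty sender and delivered somewhere with status=sent."""
    return sorted(q for q, r in records.items()
                  if r['sender'] == '' and any(d['status'] == 'sent' for d in r['deliveries']))


def null_sender_per_day(records):
    """Count outbound null-sender deliveries per calendar day."""
    counts = defaultdict(int)
    for q in outbound_null_sender(records):
        counts[records[q]['date']] += 1
    return dict(counts)


def flag_days(records, threshold):
    """Days on which the count reaches the threshold (an operator-chosen baseline)."""
    return [d for d, n in null_sender_per_day(records).items() if n >= threshold]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for q in outbound_null_sender(recs):
        r = recs[q]
        print(q, r['size'], [(d['to'], d['relay']) for d in r['deliveries']])
    print('per day:', null_sender_per_day(recs), 'flagged:', flag_days(recs, 2))
```

Run it against a real mail.log by reading the file into `parse_log`; the threshold in `flag_days` should be set from a quiet day's baseline for the host, since a backup MX will legitimately generate a few bounces.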
    • Conall O'Brien
      Message 2 of 5 , Apr 1, 2006
        On Sat, Apr 01, 2006 at 07:28:14PM IST, Conall O'Brien
        <conall+postfix@...> incoherently babbled:

        > cases, this isn't scatterback (I did find 1 case). I'm also a little
        > suspicious because the message ID looks a little bit too deterministic
        > for my liking, looking at the least significant digits.

        s/message ids/queue ids/


        /me mutters something about too much blood in his caffeine system...

        --

        Conall O'Brien

        http://www.conall.net

        GPG Key: http://www.conall.net/gpg/

        "Hello, is this the hardware store? Yes, I'm wondering if you sell
        Catapults. No?? Well, I'm looking for something that can deliver a 50
        payload of snow on a small feminine target. Can you suggest something?
        Hello?"

        Bill Watterson - Calvin And Hobbes: The Days Are Just Packed
      • Matt Fretwell
        Message 3 of 5 , Apr 1, 2006
          On Sat, 1 Apr 2006 19:28:14 +0100
          Conall O'Brien wrote:

          > relay_domains = $mydestinations, $mx_backups

          $mydestination.

          You have what recipient validation in place?


          Matt
        • mouss
          Message 4 of 5 , Apr 1, 2006
            Conall O'Brien wrote:
            > Hello,
            >
            >
            > I've just noticed that my 2 backup MX postfix servers appear to have
            > sent more emails than I expect in a day, especially since my primary MX
            > is running fine.
            >
            >
            > Investigating my mail.logs has produced some interesting logs which
            > look like:
            >
            > Apr 1 04:33:19 castor postfix/cleanup[21583]: B9CE3775: message-id=<20060401043319.B9CE3775@...>
            > Apr 1 04:33:19 castor postfix/qmgr[21148]: B9CE3775: from=<>, size=52034, nrcpt=1 (queue active)
            > Apr 1 04:33:22 castor postfix/smtp[21586]: B9CE3775: to=<qvqls@...>, relay=mail13.webcontrolcenter.com[216.119.106.129], delay=3, status=sent (250 OK)
            > Apr 1 04:33:22 castor postfix/qmgr[21148]: B9CE3775: removed
            >
            >
            > The complete collection of suspicious logs for both servers is available
            > at http://icarus.asclepian.ie/~conall/suspicious.logs
            >
            >
            > I've considered the possibility of scatterback, which is an issue I
            > haven't specifically addressed previously, but grepping mail.log files
            > on my other MX servers for mentioned domain names reveals that in most
            > cases, this isn't scatterback (I did find 1 case). I'm also a little
            > suspicious because the message ID looks a little bit too deterministic
            > for my liking, looking at the least significant digits.
            >
            > Hence I'd like to know if anyone else has seen this before. Any help is
            > appreciated...
            >
            >
            > Both servers are almost identically configured, diffing the output of
            > postconf -n shows only different values for $myhostname ,
            > $smtpd_tls_cert_file and $smtpd_tls_key_file . Hence, below is the
            > postconf -n output for one server.
            >
            >
            > alias_database = hash:/etc/aliases
            > alias_maps = hash:/etc/aliases
            > append_dot_mydomain = no
            > biff = no
            > broken_sasl_auth_clients = yes
            > config_directory = /etc/postfix
            > home_mailbox = Maildir/
            > inet_interfaces = all
            > mailbox_command = procmail -a "$EXTENSION"
            > mailbox_size_limit = 0
            > myhostname = castor.asclepian.ie
            > mynetworks = 127.0.0.0/8
            > myorigin = $myhostname
            > recipient_delimiter = +
            > relay_domains = $mydestinations, $mx_backups

            I see no relay_recipient_maps. so you're not validating relay recipients.

            PS. you have mydestinations with an 's' above.
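To make the two points raised in this reply and the previous one checkable, an added example (mine, not the list's or the Postfix project's): a Python lint over `postconf -n` output that flags references to parameters that are not defined anywhere (a misspelling such as `$mydestinations` expands to nothing, so the intended `$mydestination` entry contributes nothing to relay_domains) and a relay_domains setting with no relay_recipient_maps, which is what lets a backup MX accept mail for nonexistent relay recipients and bounce it later. Both config excerpts are constructed with placeholder domains; the "after" excerpt shows the corrected form with a relay_recipient_maps table, whose file path is an assumption. Since `postconf -n` omits parameters left at their defaults, the lint carries a small whitelist of built-in names; in practice that list would come from `postconf -d`.

```python
import re

# Constructed postconf -n excerpt mirroring the discussed settings (placeholder domains).
POSTCONF_BEFORE = """\
myhostname = mx2.example.ie
mydestination = $myhostname, localhost
mx_backups = example.ie, example.net
relay_domains = $mydestinations, $mx_backups
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains, reject_unauth_destination, permit_mynetworks
"""

# Corrected form: typo fixed and relay recipients validated against a table
# (assumed path /etc/postfix/relay_recipients, built with postmap).
POSTCONF_AFTER = """\
myhostname = mx2.example.ie
mydestination = $myhostname, localhost
mx_backups = example.ie, example.net
relay_domains = $mydestination, $mx_backups
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains, reject_unauth_destination, permit_mynetworks
"""

# $name or ${name} references inside a parameter value.
PARAM_RE = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')

# Built-in parameters that postconf -n hides when they keep their defaults.
# Assumption: a short whitelist; the full set is what `postconf -d` prints.
KNOWN_DEFAULTS = {'myhostname', 'mydestination', 'mynetworks', 'myorigin', 'mail_name'}


def parse_postconf(text):
    """Turn 'name = value' lines into a dict (values kept as raw strings)."""
    params = {}
    for line in text.splitlines():
        if '=' not in line:
            continue
        name, _, value = line.partition('=')
        params[name.strip()] = value.strip()
    return params


def undefined_references(params):
    """(parameter, referenced_name) pairs where the referenced name is defined nowhere."""
    found = []
    for name, value in params.items():
        for ref in PARAM_RE.findall(value):
            if ref not in params and ref not in KNOWN_DEFAULTS:
                found.append((name, ref))
    return found


def relay_domain_findings(params):
    """Flag relay_domains without a relay_recipient_maps table."""
    findings = []
    if params.get('relay_domains') and not params.get('relay_recipient_maps'):
        findings.append('relay_domains set but relay_recipient_maps empty: relay '
                        'recipients are not validated, so mail to nonexistent users '
                        'is accepted and bounced later')
    return findings


def lint(text):
    """All findings for one postconf -n dump, as human-readable strings."""
    params = parse_postconf(text)
    out = [f"{n} references undefined parameter ${r}" for n, r in undefined_references(params)]
    out += relay_domain_findings(params)
    return out


if __name__ == '__main__':
    for label, cfg in (('before', POSTCONF_BEFORE), ('after', POSTCONF_AFTER)):
        print(label, lint(cfg) or ['clean'])
```

Feed it the real dump with `lint(open('postconf.out').read())` after running `postconf -n > postconf.out` on the backup MX; the relay_recipient_maps table itself has to be generated from the primary's list of valid addresses and kept in sync, otherwise the lint passes while the validation is stale.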
          • Conall O'Brien
            Message 5 of 5 , Apr 2, 2006
              On Sun, Apr 02, 2006 at 12:55:40AM IST, mouss
              <usebsd@...> incoherently babbled:

              > I see no relay_recipient_maps. so you're not validating relay recipients.

              Ack! I've been maintaining one, and it was configured originally.

              > PS. you have mydestinations with an 's' above.

              Thanks, I didn't notice that.


              I still can't explain the anomalies of the queue IDs being quite
              similar...

              --

              Conall O'Brien

              http://www.conall.net

              GPG Key: http://www.conall.net/gpg/

              "Hello, is this the hardware store? Yes, I'm wondering if you sell
              Catapults. No?? Well, I'm looking for something that can deliver a 50
              payload of snow on a small feminine target. Can you suggest something?
              Hello?"

              Bill Watterson - Calvin And Hobbes: The Days Are Just Packed