
Can Anyone Make Sense of This Log Entry?

  • Asai
    Message 1 of 16, Oct 31, 2008
      Greetings.  I've got this log entry over the past few days at the same time I've been getting this really strange spam from "worldswidedomainnames.com".  This entry is appearing 50 or 60 times per day in the logs:

      Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
      I don't know if the two are related.  Does anyone have any insight they'd be willing to share?
      -- 
      asai
    • Duane Hill
      Message 2 of 16, Oct 31, 2008
        On Fri, 31 Oct 2008, Asai wrote:

        > Greetings. I've got this log entry over the past few days at the same time I've been getting this
        > really strange spam from "worldswidedomainnames.com". This entry is appearing 50 or 60 times per day
        > in the logs:
        >
        > Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
        > I don't know if the two are related. Does anyone have any insight they'd be willing to share?

        That's a message going OUT and it states the host mx.wmint.net is refusing
        your connection. Are you accepting messages destined for unknown accounts?
        Post the results of 'postconf -n'.
      • Brian Evans - Postfix List
        Message 3 of 16, Oct 31, 2008
          Asai wrote:
          > Greetings. I've got this log entry over the past few days at the same
          > time I've been getting this really strange spam from
          > "worldswidedomainnames.com". This entry is appearing 50 or 60 times
          > per day in the logs:
          >
          > Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
          > I don't know if the two are related. Does anyone have any insight
          > they'd be willing to share?
          You are sending to mx.wmint.net.

          They may be having issues or you may be on their private blacklist.

          I don't have an issue:
          grknight@mx1 ~ $ telnet 80.247.227.180 25
          Trying 80.247.227.180...
          Connected to 80.247.227.180.
          Escape character is '^]'.
          220 mx4.fr.wmint.net ESMTP Sendmail; Fri, 31 Oct 2008 17:09:53 +0100
          EHLO scent-team.com
          250-mx4.fr.wmint.net Hello mx1.scent-team.com [69.48.33.25], pleased to meet you
          250-ENHANCEDSTATUSCODES
          250-PIPELINING
          250-8BITMIME
          250-SIZE 11048576
          250-DSN
          250-ETRN
          250-DELIVERBY
          250 HELP
          quit
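What the log line is telling you, as an added example that is not code from the thread: Postfix's smtp(8) client logs "host ... refused to talk to me: ..." when the remote server's greeting banner is anything other than 220, so the 554 is the far end turning the connection away before EHLO. The parser below, run over constructed log lines (the first "refused" line is the one Asai posted; the qmgr lines, other queue IDs, timestamps and the second relay are invented here), pulls out every such event, counts them per relay and day, and joins each one by queue ID to the qmgr "from=<...>" line. That join is the quick way to tell whether the refused traffic is your users' mail or bounces with the empty envelope sender that your own server generated, which is the backscatter case behind Duane's question about accepting mail for unknown accounts.

```python
"""Pull 'refused to talk to me' events out of a Postfix log and show who sent
the refused mail.  Added example, not code from the thread or from Postfix."""
import re
from collections import Counter

# Constructed sample.  The first 'refused' line is the one quoted in the thread;
# every other line is invented to show the queue-ID correlation.
SAMPLE_LOG = """\
Oct 30 18:59:18 triata postfix/qmgr[2211]: EADE6FD8084: from=<>, size=3412, nrcpt=1 (queue active)
Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
Oct 30 19:04:02 triata postfix/qmgr[2211]: 1B2C3D4E5F60: from=<>, size=2990, nrcpt=1 (queue active)
Oct 30 19:04:03 triata postfix/smtp[14102]: 1B2C3D4E5F60: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
Oct 30 19:10:44 triata postfix/qmgr[2211]: 77A0B1C2D3E4: from=<someone@example.com>, size=1810, nrcpt=1 (queue active)
Oct 30 19:10:45 triata postfix/smtp[14110]: 77A0B1C2D3E4: to=<friend@example.org>, relay=mail.example.org[192.0.2.25]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Oct 31 08:15:00 triata postfix/qmgr[2211]: F00DBABE0001: from=<>, size=3100, nrcpt=1 (queue active)
Oct 31 08:15:01 triata postfix/smtp[15001]: F00DBABE0001: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
Oct 31 08:20:10 triata postfix/qmgr[2211]: C0FFEE000001: from=<someone@example.com>, size=900, nrcpt=1 (queue active)
Oct 31 08:20:11 triata postfix/smtp[15003]: C0FFEE000001: host mx.example.net[192.0.2.80] refused to talk to me: 421 mx.example.net Too many connections, try later
"""

# Common syslog + Postfix prefix: timestamp, host, daemon[pid], queue ID.
PREFIX = (r'^(?P<date>\w{3} +\d+) (?P<time>\d\d:\d\d:\d\d) \S+ '
          r'postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): ')
# Logged by smtp(8) when the remote server's greeting is anything but 220.
REFUSED_RE = re.compile(PREFIX + r'host (?P<relay>\S+)\[(?P<ip>[^\]]+)\] '
                        r'refused to talk to me: (?P<code>\d{3}) ?(?P<banner>.*)$')
# Logged by qmgr(8) when a message becomes active; from=<> is a bounce/DSN.
FROM_RE = re.compile(PREFIX + r'from=<(?P<sender>[^>]*)>')


def parse_refusals(log_text):
    """Return one dict per 'refused to talk to me' line, in log order."""
    out = []
    for line in log_text.splitlines():
        m = REFUSED_RE.match(line)
        if m:
            d = m.groupdict()
            # 5xx greeting: the remote refuses us outright (blocklist, policy, outage);
            # 4xx greeting: the remote asks us to come back later.
            d['kind'] = 'permanent' if d['code'].startswith('5') else 'temporary'
            out.append(d)
    return out


def senders_by_queue_id(log_text):
    """Map queue ID -> envelope sender, taken from the qmgr 'from=<...>' lines."""
    senders = {}
    for line in log_text.splitlines():
        m = FROM_RE.match(line)
        if m:
            senders[m.group('qid')] = m.group('sender')
    return senders


def summarize(log_text):
    """Count refusals per (relay, day) and how many carried the null sender.

    A high null-sender share means the refused traffic is bounces your own
    server generated, which is what happens when mail for non-existent
    recipients is accepted first and bounced later (backscatter)."""
    refusals = parse_refusals(log_text)
    senders = senders_by_queue_id(log_text)
    return {
        'total': len(refusals),
        'permanent': sum(1 for r in refusals if r['kind'] == 'permanent'),
        'by_relay_day': Counter((r['relay'], r['date']) for r in refusals),
        'null_sender': sum(1 for r in refusals if senders.get(r['qid']) == ''),
    }


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} refusals, {s['permanent']} permanent (5xx greeting)")
    for (relay, day), n in sorted(s['by_relay_day'].items()):
        print(f"  {day} {relay}: {n}")
    print(f"{s['null_sender']} of {s['total']} refused messages had an empty envelope sender")
```

On a real box, point the same regexes at /var/log/maillog and grep the queue ID of a refused message for its "from=" and "to=" lines; if most of the refused messages have from=<>, you are generating bounces, and the fix is on your side (reject unknown recipients at RCPT TO rather than accepting and bouncing), not at mx.wmint.net.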
        • Asai
          Message 4 of 16, Oct 31, 2008
            Duane Hill wrote:
            > On Fri, 31 Oct 2008, Asai wrote:
            >
            >> Greetings.  I've got this log entry over the past few days at the same time I've been getting this
            >> really strange spam from "worldswidedomainnames.com".  This entry is appearing 50 or 60 times per day
            >> in the logs:
            >>
            >> Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
            >> I don't know if the two are related.  Does anyone have any insight they'd be willing to share?
            >
            > That's a message going OUT and it states the host mx.wmint.net is refusing your connection. Are you accepting messages destined for unknown accounts? Post the results of 'postconf -n'.

            Thanks Duane.  Here's postconf -n:

            alias_database = hash:/etc/aliases
            alias_maps = hash:/etc/aliases
            broken_sasl_auth_clients = yes
            command_directory = /usr/sbin
            config_directory = /etc/postfix
            content_filter = smtp-amavis:[127.0.0.1]:10024
            daemon_directory = /usr/libexec/postfix
            debug_peer_level = 2
            html_directory = no
            inet_interfaces = all
            mail_owner = postfix
            mailbox_size_limit = 0
            mailq_path = /usr/bin/mailq.postfix
            manpage_directory = /usr/share/man
            maximal_backoff_time = 600s
            message_size_limit = 0
            minimal_backoff_time = 300s
            mydestination = $myhostname, localhost.$mydomain, localhost
            mydomain = globalchangemultimedia.net
            myhostname = triata.globalchangemultimedia.net
            newaliases_path = /usr/bin/newaliases.postfix
            queue_directory = /var/spool/postfix
            queue_run_delay = 300s
            readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
            sample_directory = /usr/share/doc/postfix-2.3.3/samples
            sendmail_path = /usr/sbin/sendmail.postfix
            setgid_group = postdrop
            show_user_unknown_table_name = no
            smtpd_delay_reject = yes
            smtpd_helo_required = yes
            smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname,reject_non_fqdn_hostname, permit
            smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination, check_policy_service inet:127.0.0.1:2501, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_sender_domain, permit
            smtpd_sasl_auth_enable = yes
            smtpd_sasl_exceptions_networks = $mynetworks
            smtpd_sasl_path = private/auth
            smtpd_sasl_security_options = noanonymous
            smtpd_sasl_type = dovecot
            smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
            smtpd_tls_cert_file = /etc/ssl/triata.globalchangemultimedia.net/mailserver/mail-cert.pem
            smtpd_tls_key_file = /etc/ssl/triata.globalchangemultimedia.net/mailserver/mail-key.pem
            smtpd_tls_loglevel = 0
            smtpd_tls_received_header = no
            smtpd_tls_security_level = may
            smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
            tls_random_source = dev:/dev/urandom
            unknown_local_recipient_reject_code = 550
            virtual_alias_maps = hash:/etc/postfix/virtual_aliases, mysql:/etc/postfix/mysql_virtual_alias_maps.cf
            virtual_gid_maps = static:1001
            virtual_mailbox_base = /vmail
            virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
            virtual_mailbox_limit = 0
            virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
            virtual_minimum_uid = 1001
            virtual_uid_maps = static:1001

            -- 
            asai
          • Charles Marcus
            Message 5 of 16, Oct 31, 2008
              On 10/31/2008, Asai (asai@...) wrote:
              > smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit

              I do believe this makes you an open relay...

              --

              Best regards,

              Charles
            • Charles Marcus
              Message 6 of 16, Oct 31, 2008
                On 10/31/2008 12:37 PM, Charles Marcus wrote:
                > On 10/31/2008, Asai (asai@...) wrote:
                >> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit

                > I do believe this makes you an open relay...

                Oh...

                add 'reject_unauth_destination BEFORE the permit...

                --

                Best regards,

                Charles
              • Asai
                Message 7 of 16, Oct 31, 2008
                  Charles Marcus wrote:
                  > On 10/31/2008 12:37 PM, Charles Marcus wrote:
                  >> On 10/31/2008, Asai (asai@...) wrote:
                  >>> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
                  >>
                  >> I do believe this makes you an open relay...
                  >
                  > Oh...
                  >
                  > add 'reject_unauth_destination BEFORE the permit...

                  I was afraid of this.  Thank you so much, Charles.
                  -- 
                  asai
                • Brian Evans - Postfix List
                  Message 8 of 16, Oct 31, 2008
                    Charles Marcus wrote:
                    > On 10/31/2008, Asai (asai@...) wrote:
                    >
                    >> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
                    >>
                    > I do believe this makes you an open relay...
                    >
                    No... smtpd_sender_restrictions cannot make you an open relay omitting
                    unauth_destination.
                    OP has reject_unauth_destination in smtpd_recipient_restrictions which
                    is correct.

                    Brian
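Brian's correction is worth seeing mechanically, because the point is about how Postfix walks its lists rather than about any one restriction. The following is an added example, not Postfix's code and not from the thread: a small model of smtpd(8) access-list evaluation run against the three restriction lists copied from Asai's postconf -n output (message 4). It encodes the rule that matters here: each list is evaluated in order, the first PERMIT or REJECT ends only that list, DUNNO moves on, and any REJECT in any list rejects the command, so a trailing "permit" in smtpd_sender_restrictions cannot open a relay while reject_unauth_destination still sits in smtpd_recipient_restrictions. Only the restrictions named in the code are modelled (check_*_access, check_policy_service and reject_unauth_pipelining return DUNNO); mynetworks, the MySQL domain map contents and DNS resolvability are assumptions stated in the code. On Postfix 2.10 and later the relay check also lives in smtpd_relay_restrictions, which did not exist in the 2.3.3 shown here.

```python
"""Toy model of Postfix smtpd access-list evaluation, run against the restriction
lists from Asai's postconf -n.  Added example, not Postfix code: only the
restrictions handled in evaluate_one() are modelled, everything else is DUNNO."""
import ipaddress
import re

PERMIT, REJECT, DUNNO = 'PERMIT', 'REJECT', 'DUNNO'

# Values the thread does not show; assumed here for the model.
MYNETWORKS = ['127.0.0.0/8']                       # Postfix default when mynetworks is unset
MYDESTINATION = {'triata.globalchangemultimedia.net', 'localhost.globalchangemultimedia.net', 'localhost'}
VIRTUAL_DOMAINS = {'globalchangemultimedia.net'}   # assumed content of the MySQL domain map
RESOLVABLE = {'globalchangemultimedia.net', 'example.com', 'example.net', 'example.org'}  # DNS stand-in

# Copied from the postconf -n output in the thread.
OP_CONFIG = {
    'smtpd_helo_restrictions': 'permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, '
                               'reject_invalid_hostname,reject_non_fqdn_hostname, permit',
    'smtpd_sender_restrictions': 'permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, '
                                 'reject_unknown_sender_domain, permit',
    'smtpd_recipient_restrictions': 'permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination, '
                                    'check_policy_service inet:127.0.0.1:2501, reject_non_fqdn_hostname, '
                                    'reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_pipelining, '
                                    'reject_invalid_hostname, reject_unknown_sender_domain, permit',
}
# Same lists with reject_unauth_destination dropped from the recipient list:
# this, not the trailing 'permit' in the sender list, is what makes an open relay.
OPEN_RELAY_CONFIG = dict(OP_CONFIG, smtpd_recipient_restrictions=
    'permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, permit')

# Order smtpd(8) applies the lists; with smtpd_delay_reject = yes all are
# evaluated when RCPT TO arrives.
LISTS = ('smtpd_helo_restrictions', 'smtpd_sender_restrictions', 'smtpd_recipient_restrictions')


def parse_restrictions(value):
    """Split a restriction list into (name, argument) pairs; check_* take a table."""
    tokens = [t for t in re.split(r'[\s,]+', value.strip()) if t]
    pairs, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name.startswith('check_'):
            i += 1
            arg = tokens[i]
        pairs.append((name, arg))
        i += 1
    return pairs


def domain_of(address):
    return address.rpartition('@')[2].lower() if '@' in address else ''


def is_fqdn(name):
    return re.fullmatch(r'[a-z0-9-]+(\.[a-z0-9-]+)+', name.lower()) is not None


def evaluate_one(name, session):
    """One restriction against one session: PERMIT, REJECT or DUNNO."""
    client = ipaddress.ip_address(session['client_ip'])
    sender_domain, rcpt_domain = domain_of(session['sender']), domain_of(session['recipient'])
    if name == 'permit':
        return PERMIT
    if name == 'permit_mynetworks':
        return PERMIT if any(client in ipaddress.ip_network(n) for n in MYNETWORKS) else DUNNO
    if name == 'permit_sasl_authenticated':
        return PERMIT if session['sasl'] else DUNNO
    if name == 'reject_unauth_destination':        # relay control lives here
        return DUNNO if rcpt_domain in MYDESTINATION | VIRTUAL_DOMAINS else REJECT
    if name == 'reject_non_fqdn_sender':           # the null sender <> is exempt
        return REJECT if sender_domain and not is_fqdn(sender_domain) else DUNNO
    if name == 'reject_non_fqdn_recipient':
        return DUNNO if is_fqdn(rcpt_domain) else REJECT
    if name == 'reject_unknown_sender_domain':
        return REJECT if sender_domain and sender_domain not in RESOLVABLE else DUNNO
    if name in ('reject_non_fqdn_hostname', 'reject_invalid_hostname'):
        return DUNNO if is_fqdn(session['helo']) else REJECT
    return DUNNO   # check_*_access, check_policy_service, reject_unauth_pipelining: not modelled


def check(config, session):
    """Walk every list in order.  A PERMIT ends only its own list; any REJECT ends
    the whole evaluation.  Returns (action, list, restriction that decided)."""
    decision = (PERMIT, None, None)
    for list_name in LISTS:
        for name, _arg in parse_restrictions(config.get(list_name, '')):
            result = evaluate_one(name, session)
            if result == REJECT:
                return (REJECT, list_name, name)
            if result == PERMIT:
                decision = (PERMIT, list_name, name)
                break
        else:
            decision = (PERMIT, list_name, '(end of list)')
    return decision


# Constructed sessions; IPs are documentation ranges, addresses are invented.
RELAY_ATTEMPT = dict(client_ip='198.51.100.7', helo='mail.example.com', sasl=False,
                     sender='spammer@example.com', recipient='victim@example.org')
INBOUND_MAIL = dict(RELAY_ATTEMPT, recipient='someone@globalchangemultimedia.net')
AUTHENTICATED_USER = dict(client_ip='203.0.113.5', helo='laptop.example.net', sasl=True,
                          sender='someone@globalchangemultimedia.net', recipient='friend@example.org')

if __name__ == '__main__':
    for label, cfg, s in [('OP config, outside relay attempt', OP_CONFIG, RELAY_ATTEMPT),
                          ('OP config, inbound to a hosted domain', OP_CONFIG, INBOUND_MAIL),
                          ('OP config, SASL user sending out', OP_CONFIG, AUTHENTICATED_USER),
                          ('no reject_unauth_destination, relay attempt', OPEN_RELAY_CONFIG, RELAY_ATTEMPT)]:
        print(f'{label}: {check(cfg, s)}')
```

The first three cases show the posted configuration behaving correctly (outside relay rejected by reject_unauth_destination, inbound mail and authenticated users permitted); the fourth shows that removing reject_unauth_destination from the recipient list, and nothing about the sender list, is what turns the box into an open relay.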
                  • Charles Marcus
                    Message 9 of 16, Oct 31, 2008
                      On 10/31/2008 12:54 PM, Brian Evans - Postfix List wrote:
                      > Charles Marcus wrote:
                      >> On 10/31/2008, Asai (asai@...) wrote:
                      >>
                      >>> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit

                      >> I do believe this makes you an open relay...

                      > No... smtpd_sender_restrictions cannot make you an open relay omitting
                      > unauth_destination.
                      > OP has reject_unauth_destination in smtpd_recipient_restrictions which
                      > is correct.

                      Ack... I was in a hurry and jumped the gun...

                      Sorry Asai...
                      --

                      Best regards,

                      Charles
                    • Asai
                      Message 10 of 16, Oct 31, 2008
                        Brian Evans - Postfix List wrote:
                        > Charles Marcus wrote:
                        >> On 10/31/2008, Asai (asai@...) wrote:
                        >>> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
                        >>
                        >> I do believe this makes you an open relay...
                        >
                        > No... smtpd_sender_restrictions cannot make you an open relay omitting
                        > unauth_destination.
                        > OP has reject_unauth_destination in smtpd_recipient_restrictions which
                        > is correct.
                        >
                        > Brian

                        Ok, well thanks anyway, Charles.

                        Even so, do you guys have any other ideas about the log entry?
                        -- 
                        asai
                      • Duane Hill
                        Message 11 of 16, Oct 31, 2008
                          Responding to the original message...

                          On Fri, 31 Oct 2008, Asai wrote:

                          > Greetings. I've got this log entry over the past few days at the same time I've been getting this
                          > really strange spam from "worldswidedomainnames.com". This entry is appearing 50 or 60 times per day
                          > in the logs:
                          >
                          > Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
                          > I don't know if the two are related. Does anyone have any insight they'd be willing to share?

                          As Brian has already pointed out:

                          "They may be having issues or you may be on their private blacklist."

                          worldswidedomainnames.com isn't even a registered domain name.
                        • Noel Jones
                          Message 12 of 16, Oct 31, 2008
                            Asai wrote:
                            > Brian Evans - Postfix List wrote:
                            >> Charles Marcus wrote:
                            >>
                            >>> On 10/31/2008, Asai (asai@...) wrote:
                            >>>
                            >>>
                            >>>> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
                            >>>>
                            >>>>
                            >>> I do believe this makes you an open relay...
                            >>>
                            >>>
                            >> No... smtpd_sender_restrictions cannot make you an open relay omitting
                            >> unauth_destination.
                            >> OP has reject_unauth_destination in smtpd_recipient_restrictions which
                            >> is correct.
                            >>
                            >> Brian
                            >>
                            >
                            > Ok, well thanks anyway, Charles.
                            >
                            > Even so, do you guys have any other ideas about the log entry?
                            >
                            > --
                            > asai
                            >

                            Please don't post html to the list.

                            The log entry says the recipient mail system rejected your
                            mail. For any further information, you will need to contact
                            their postmaster.

                            We don't have enough information to say for sure if this is
                            related to your "odd spam" or not, but it seems unlikely.



                            --
                            Noel Jones
                          • John Peach
                            Message 13 of 16, Oct 31, 2008
                              On Fri, 31 Oct 2008 18:09:37 +0000 (UTC)
                              Duane Hill <d.hill@...> wrote:

                              > Responding to the original message...
                              >
                              > On Fri, 31 Oct 2008, Asai wrote:
                              >
                              [snip]
                              > "They may be having issues or you may be on their private blacklist."
                              >
                              > worldswidedomainnames.com isn't even a registered domain name.

                              worldwidedomainnames.com *is* and I would want to blackhole them....
                            • Asai
                              Message 14 of 16, Oct 31, 2008
                                John Peach wrote:
                                > On Fri, 31 Oct 2008 18:09:37 +0000 (UTC)
                                > Duane Hill <d.hill@...> wrote:
                                >
                                >
                                >> Responding to the original message...
                                >>
                                >> On Fri, 31 Oct 2008, Asai wrote:
                                >>
                                >>
                                > [snip]
                                >
                                >> "They may be having issues or you may be on their private blacklist."
                                >>
                                >> worldswidedomainnames.com isn't even a registered domain name.
                                >>
                                >
                                > worldwidedomainnames.com *is* and I would want to blackhole them....
                                >
                                >
                                >
                                Ok, thanks guys. John, when you say "blackhole them" what do you mean?
                                I've been looking for a way to blacklist conveniently using MySQL. Do
                                you know of a way?

                                --
                                asai
                              • John Peach
                                Message 15 of 16, Oct 31, 2008
                                  On Fri, 31 Oct 2008 11:29:04 -0700
                                  Asai <asai@...> wrote:

                                  > John Peach wrote:
                                  > > On Fri, 31 Oct 2008 18:09:37 +0000 (UTC)
                                  > > Duane Hill <d.hill@...> wrote:
                                  > >
                                  > >
                                  > >> Responding to the original message...
                                  > >>
                                  > >> On Fri, 31 Oct 2008, Asai wrote:
                                  > >>
                                  > >>
                                  > > [snip]
                                  > >
                                  > >> "They may be having issues or you may be on their private blacklist."
                                  > >>
                                  > >> worldswidedomainnames.com isn't even a registered domain name.
                                  > >>
                                  > >
                                  > > worldwidedomainnames.com *is* and I would want to blackhole them....
                                  > >
                                  > >
                                  > >
                                  > Ok, thanks guys. John, when you say "blackhole them" what do you mean?
                                  > I've been looking for a way to blacklist conveniently using MySQL. Do
                                  > you know of a way?

                                  Not with my*sql, per se, but you can reject them based on all sorts of
                                  criteria.

                                  host -t mx worldwidedomainnames.com
                                  worldwidedomainnames.com mail is handled by 0 dev.null.

                                  That would block them at a lot of sites...

                                  check_sender_mx_access hash:/etc/postfix/mx_access

                                  dev.null REJECT

                                  host -t ns worldwidedomainnames.com
                                  worldwidedomainnames.com name server this-domain-for-sale.com.
                                  worldwidedomainnames.com name server ns.buydomains.com.

                                  check_sender_ns_access hash:/etc/postfix/ns_access

                                  this-domain-for-sale.com REJECT
                                  buydomains.com REJECT

                                  etc...



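To see how John's two access tables actually match, and what a MySQL-backed version of them would be queried for, here is an added example that is not code from the thread or from Postfix. It simulates the key sequence Postfix tries for check_sender_mx_access and check_sender_ns_access: the full host name first, then each parent domain, so a bare "buydomains.com" entry catches ns.buydomains.com under the default parent_domain_matches_subdomains setting (which includes smtpd_access_maps). The DNS answers are a constructed stub: the worldwidedomainnames.com entries reproduce the host(1) output John posted, and example.com is invented as a domain that should pass. A mysql: map would be handed the same keys in the same order as the hash: maps John used.

```python
"""How check_sender_mx_access / check_sender_ns_access match John's tables.
Added example, not Postfix code; DNS is a constructed stub."""

REJECT, DUNNO = 'REJECT', 'DUNNO'

# Stub DNS (constructed).  worldwidedomainnames.com reproduces the MX/NS answers
# John posted; example.com is invented as a domain that should be left alone.
STUB_MX = {'worldwidedomainnames.com': ['dev.null'],
           'example.com': ['mx1.example.com', 'mx2.example.com']}
STUB_NS = {'worldwidedomainnames.com': ['this-domain-for-sale.com', 'ns.buydomains.com'],
           'example.com': ['ns1.example.com', 'ns2.example.com']}

# /etc/postfix/mx_access and /etc/postfix/ns_access as John wrote them.
MX_ACCESS = {'dev.null': REJECT}
NS_ACCESS = {'this-domain-for-sale.com': REJECT, 'buydomains.com': REJECT}


def lookup_keys(hostname, parent_matches_subdomains=True):
    """Keys Postfix tries for a host name, most specific first.

    With smtpd_access_maps listed in parent_domain_matches_subdomains (the
    default), a bare 'domain.tld' entry matches the domain and every subdomain,
    so 'buydomains.com' catches ns.buydomains.com.  Without it, only a
    '.domain.tld' entry matches subdomains, and those are the keys tried."""
    name = hostname.lower().rstrip('.')
    labels = name.split('.')
    keys = [name]
    for i in range(1, len(labels)):
        parent = '.'.join(labels[i:])
        keys.append(parent if parent_matches_subdomains else '.' + parent)
    return keys


def access_lookup(table, hostname):
    """First matching entry as (action, matched_key); (None, None) if none match."""
    for key in lookup_keys(hostname):
        if key in table:
            return table[key], key
    return None, None


def check_hosts_access(table, hosts, what):
    """Shared logic of the two checks: REJECT if any host hits a REJECT entry.
    An OK entry counts as DUNNO, as smtpd(8) documents for these two checks."""
    for host in hosts:
        action, key = access_lookup(table, host)
        if action == REJECT:
            return REJECT, f'{what} {host} matched {key}'
    return DUNNO, ''


def check_sender_mx_access(sender, table=MX_ACCESS, dns=STUB_MX):
    domain = sender.rpartition('@')[2].lower()
    # No MX record: this model falls back to the domain itself (the implicit MX
    # delivery would use), an assumption stated here rather than Postfix's code.
    return check_hosts_access(table, dns.get(domain) or [domain], 'MX')


def check_sender_ns_access(sender, table=NS_ACCESS, dns=STUB_NS):
    domain = sender.rpartition('@')[2].lower()
    return check_hosts_access(table, dns.get(domain, []), 'NS')


def sender_verdict(sender):
    """Apply both checks in the order John listed them; the first REJECT wins."""
    for check in (check_sender_mx_access, check_sender_ns_access):
        action, why = check(sender)
        if action == REJECT:
            return action, why
    return DUNNO, ''


if __name__ == '__main__':
    for s in ('offer@worldwidedomainnames.com', 'friend@example.com'):
        print(s, '->', sender_verdict(s))
```

Keep the parent-domain behaviour in mind when writing entries: a bare "com" in either table would reject every sender whose MX or NS ends in .com, which is the same matching rule that makes John's "buydomains.com" line work.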
                                • Asai
                                  Message 16 of 16, Oct 31, 2008
                                    > Asai <asai@...> wrote:
                                    >
                                    >
                                    >> John Peach wrote:
                                    >>
                                    >>> On Fri, 31 Oct 2008 18:09:37 +0000 (UTC)
                                    >>> Duane Hill <d.hill@...> wrote:
                                    >>>
                                    >>>
                                    >>>
                                    >>>> Responding to the original message...
                                    >>>>
                                    >>>> On Fri, 31 Oct 2008, Asai wrote:
                                    >>>>
                                    >>>>
                                    >>>>
                                    >>> [snip]
                                    >>>
                                    >>>
                                    >>>> "They may be having issues or you may be on their private blacklist."
                                    >>>>
                                    >>>> worldswidedomainnames.com isn't even a registered domain name.
                                    >>>>
                                    >>>>
                                    >>> worldwidedomainnames.com *is* and I would want to blackhole them....
                                    >>>
                                    >>>
                                    >>>
                                    >>>
                                    >> Ok, thanks guys. John, when you say "blackhole them" what do you mean?
                                    >> I've been looking for a way to blacklist conveniently using MySQL. Do
                                    >> you know of a way?
                                    >>
                                    >
                                    > Not with my*sql, per se, but you can reject them based on all sorts of
                                    > criteria.
                                    >
                                    > host -t mx worldwidedomainnames.com
                                    > worldwidedomainnames.com mail is handled by 0 dev.null.
                                    >
                                    > That would block them at a lot of sites...
                                    >
                                    > check_sender_mx_access hash:/etc/postfix/mx_access
                                    >
                                    > dev.null REJECT
                                    >
                                    > host -t ns worldwidedomainnames.com
                                    > worldwidedomainnames.com name server this-domain-for-sale.com.
                                    > worldwidedomainnames.com name server ns.buydomains.com.
                                    >
                                    > check_sender_ns_access hash:/etc/postfix/ns_access
                                    >
                                    > this-domain-for-sale.com REJECT
                                    > buydomains.com REJECT
                                    >
                                    > etc...
                                    >
                                    Thanks, John. I'll see if I can figure out how to convert those
                                    directives to a MySQL table.

                                    --
                                    asai