Re: Spammers abusing my postfix box

  • mouss
    Message 1 of 18 , Nov 2, 2008
      Jaap Westerbeek wrote:
      >
      >
      > Hi All,
      >
      > Lately some spammer has been able to relay spam through my server.
      > I think they use a valid (hacked) account and then rewrite the sender
      > e-mail address.
      >
      > My setup is :
      > Debian Etch server
      > postfix-mysql 2.3.8-2+etch1
      > amavisd-new-2.6.1
      > spamassassin
      > cyrus imap server (on a separate box)
      > mysql-server 5.0.32-7etch6
      > I use web-cyradm to create users and domains
      >
      > I see two possibilities to stop the spammer :
      >
      > 1) I'd like to set up mysql proxy maps so that either the sender OR
      > the recipient match a valid user in the mysql DB.
      > If none match, it should reject the mail.
      >
      > 2) Rewriting the sender address should not be possible
      >
      > The server hosts about 30 domains and has like 2000 active users.
      >
      > I don't know exactly how to write the mysql proxymaps, and I am not
      > sure if disabling the rewriting feature is at all possible.
      >
      > If you need more info or configs to help me , please let me know
      >


      postfix rewrite is controlled by the admin (you for example), not by
      remote spammers nor users. your observation is flawed.

      if you show logs showing the abuse, you'll get more help. It is unlikely
      that the spammers are abusing postfix.


      Regarding unlisted addresses, unlisted recipients are rejected by
      default. unlisted senders can be rejected with

      smtpd_reject_unlisted_sender = yes
    • Jaap Westerbeek
      Message 2 of 18 , Nov 11, 2008
        Ok the (or some) spammer came back.

        For some reason everything seems to originate from localhost, which isn't
        telling me much.
        Where to look, what to do?

        Postcat gives me this :
        *** ENVELOPE RECORDS deferred/6/6F38E5F4595 ***
        message_size: 2091 1231 9
        0
        message_arrival_time: Fri Nov 7 18:55:55 2008
        create_time: Fri Nov 7 18:55:55 2008
        named_attribute: rewrite_context=local
        sender: notice@...
        named_attribute: encoding=7bit
        named_attribute: log_client_name=localhost
        named_attribute: log_client_address=127.0.0.1
        named_attribute: log_message_origin=localhost[127.0.0.1]
        named_attribute: log_helo_name=localhost
        named_attribute: log_protocol_name=ESMTP
        named_attribute: client_name=localhost
        named_attribute: reverse_client_name=localhost
        named_attribute: client_address=127.0.0.1
        named_attribute: helo_name=localhost
        named_attribute: client_address_type=2
        named_attribute: dsn_orig_rcpt=rfc822;jshibb@...
        original_recipient: jshibb@...
        done_recipient: jshibb@...
        named_attribute: dsn_orig_rcpt=rfc822;jshipp@...
        original_recipient: jshipp@...
        done_recipient: jshipp@...
        named_attribute: dsn_orig_rcpt=rfc822;js-hill@...
        original_recipient: js-hill@...
        recipient: js-hill@...
        named_attribute: dsn_orig_rcpt=rfc822;jshillinglaw@...
        original_recipient: jshillinglaw@...
        recipient: jshillinglaw@...
        named_attribute: dsn_orig_rcpt=rfc822;jshiggie@...
        original_recipient: jshiggie@...
        done_recipient: jshiggie@...
        named_attribute: dsn_orig_rcpt=rfc822;jshields@...
        original_recipient: jshields@...
        done_recipient: jshields@...
        named_attribute: dsn_orig_rcpt=rfc822;jshin@...
        original_recipient: jshin@...
        done_recipient: jshin@...
        named_attribute: dsn_orig_rcpt=rfc822;jshiles@...
        original_recipient: jshiles@...
        done_recipient: jshiles@...
        named_attribute: dsn_orig_rcpt=rfc822;jshinn@...
        original_recipient: jshinn@...
        done_recipient: jshinn@...
        *** MESSAGE CONTENTS deferred/6/6F38E5F4595 ***
        Received: from localhost (localhost [127.0.0.1])
        by mail01.cq-link.sr (Postfix) with ESMTP id 6F38E5F4595;
        Fri, 7 Nov 2008 18:55:55 -0300 (SRT)
        X-Virus-Scanned: amavisd-new at
        X-Spam-Flag: NO
        X-Spam-Score: 3.694
        X-Spam-Level: ***
        X-Spam-Status: No, score=3.694 tagged_above=2 required=6 tests=[AWL=-0.842,
        FORGED_MUA_OUTLOOK=3.116, MSOE_MID_WRONG_CASE=0.82,
        RAZOR2_CHECK=0.5,
        RDNS_NONE=0.1]
        Received: from mail01.cq-link.sr ([127.0.0.1])
        by localhost (mail01.cq-link.sr [127.0.0.1]) (amavisd-new, port
        10024)
        with ESMTP id DBUOCa4zij-k; Fri, 7 Nov 2008 18:55:55 -0300 (SRT)
        Received: from User (unknown [64.129.70.219])
        by mail01.cq-link.sr (Postfix) with ESMTP id D8AFD5F4526;
        Fri, 7 Nov 2008 18:55:47 -0300 (SRT)
        From: "IRS"<notice@...>
        Subject: Tax Refund (25371231) $620.50
        Date: Fri, 7 Nov 2008 14:55:07 -0700
        MIME-Version: 1.0
        Content-Type: text/html;
        charset="Windows-1251"
        Content-Transfer-Encoding: 7bit
        X-Priority: 1
        X-MSMail-Priority: High
        X-Mailer: Microsoft Outlook Express 6.00.2600.0000
        X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
        Message-Id: <20081107215547.D8AFD5F4526@...-link.sr>
        To: undisclosed-recipients:;

        <html>
        <table width="482" border="1" cellpadding="0" cellspacing="0"
        bordercolor="#001E5A" bordercolorlight="#001E5A" bordercolordark="#001E5A">
        <tr><td width="478">
        <p align="center">
        <img
        src="http://www.nationalbusiness.org/newgraphics/logos/irslogo102907.gif"
        height="78" width="225"></td></tr>
        <tr>
        <td><p align="center"><font face="Courier" size=3><br>

        You have get a Tax Refund on your Visa or MasterCard.<br>

        Complete the formular, and get your Tax Refund.<br><br>

        <b>(Your Refund Amount Is $620.50)</b><br><br></font>

        <font face="Verdana">
        <a href="http://jeckle.lsi.umich.edu/ /IRS.html">Complete
        Formular</a></font><br><br>
        </td>
        </tr>
        <tr><td bgcolor="#001E5A"><div align="center"><font size=1 color="#FFFFFF"
        face="verdana">Copyright © 2008 - Internal Revenue Service. All rights
        reserved.</font></div></td></tr>
        </table>
        </html>
        *** HEADER EXTRACTED deferred/6/6F38E5F4595 ***
        named_attribute: encoding=7bit
        *** MESSAGE FILE END deferred/6/6F38E5F4595 ***




        Jaap Westerbeek wrote:
        > Hi Mouss, a quick off-list reply from me.
        >
        > Thanks for the reply.
        >
        > I haven't seen the spammer in a couple of days. If he comes back I'll post
        > all logging i can find and some configs..
        > Previous logging pointed me towards postfix, but we'll see.
        >
        > Doesn't the option smtpd_reject_unlisted_sender = yes also check senders
        > from the internet, and takes a lot of bandwidth >?

        no, it checks the sender in your maps if the domain is one of yours.

        more precisely,

        - if the domain is in mydestination, the user-part is checked in
        $local_recipient_maps

        - if the domain is in relay_domains, the address is checked in
        relay_recipient_maps

        - if the domain is in virtual_mailbox_domains, the address is checked in
        virtual_mailbox_maps

        - if the domain is in virtual_alias_domains, the address is checked in
        virtual_alias_maps

        In addition:

        - if one of the maps above is set to an empty value (not an empty file),
        then all addresses in the corresponding class are considered valid
        (which is why such a setting is to be avoided).

        - all addresses listed in virtual_alias_maps or canonical are considered
        valid (whatever the domain class is)





        --
        I am using the free version of SPAMfighter.
        We are a community of 5.6 million users fighting spam.
        SPAMfighter has removed 920 of my spam emails to date.
        Get the free SPAMfighter here: http://www.spamfighter.com/len

        The Professional version does not have this message
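The lookup order mouss describes for smtpd_reject_unlisted_sender, as an added example (not code from the thread and not Postfix's own code): it re-implements the decision in Python so the map each sender is checked against is visible. The domain lists and map contents are constructed; a map parameter set to None stands for a parameter given an empty value in main.cf.

```python
"""Model of the smtpd_reject_unlisted_sender lookup described above."""
from typing import Dict, Optional, Set

# Constructed configuration. None stands for a map parameter set to an
# empty value in main.cf (not an empty file), the case mouss warns about.
CONFIG: Dict[str, Optional[Set[str]]] = {
    "mydestination": {"mail01.example", "localhost"},
    "relay_domains": {"partner.example"},
    "virtual_mailbox_domains": {"customer-a.example", "customer-b.example"},
    "virtual_alias_domains": {"alias.example"},
    "local_recipient_maps": {"root", "postmaster", "jaap"},
    "relay_recipient_maps": {"sales@partner.example"},
    "virtual_mailbox_maps": {"bross@customer-a.example", "tfs@customer-b.example"},
    "virtual_alias_maps": {"info@alias.example", "abuse@customer-b.example"},
    "canonical_maps": set(),
}

# Which map each address class is checked against (order matters, as in Postfix).
CLASS_MAP = {
    "mydestination": "local_recipient_maps",            # keyed by the user part
    "relay_domains": "relay_recipient_maps",            # keyed by the full address
    "virtual_mailbox_domains": "virtual_mailbox_maps",  # keyed by the full address
    "virtual_alias_domains": "virtual_alias_maps",      # keyed by the full address
}


def address_class(domain: str, cfg: Dict[str, Optional[Set[str]]]) -> Optional[str]:
    """Return the address class that owns `domain`, or None if it is not one of ours."""
    for cls in CLASS_MAP:
        if domain in (cfg[cls] or ()):
            return cls
    return None


def sender_is_listed(address: str, cfg: Dict[str, Optional[Set[str]]] = CONFIG) -> bool:
    """True if smtpd_reject_unlisted_sender = yes would let this sender through."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    # Addresses listed in virtual_alias_maps or canonical maps are valid in any class.
    if address in (cfg["virtual_alias_maps"] or ()) or address in (cfg["canonical_maps"] or ()):
        return True
    cls = address_class(domain, cfg)
    if cls is None:
        return True   # foreign domain: not one of our classes, so nothing is looked up
    table = cfg[CLASS_MAP[cls]]
    if table is None:
        return True   # empty parameter value: every address in the class counts as valid
    key = local if cls == "mydestination" else address
    return key in table
```

Only senders in the server's own domain classes cause a lookup, which is why mouss says the setting does not cost bandwidth on mail from the Internet at large; the `None` branch shows why an empty map parameter silently turns the check off for a whole class.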
      • John Peach
        Message 3 of 18 , Nov 11, 2008
          On Tue, 11 Nov 2008 09:39:32 -0300
          "Jaap Westerbeek" <j.westerbeek@...> wrote:

          > Ok the (or some) spammer came back.
          >
          > For some reason everything seems to originate from localhost, which isn't
          > telling me much.
          > Where to look , what to do ?
          >
          [snip]
          You need the log entries for the email BEFORE it gets fed into
          amavisd-new.....
        • Johan Andersson
          Message 4 of 18 , Nov 11, 2008
            Jaap Westerbeek wrote:
            > Ok the (or some) spammer came back.
            >
            > For some reason everything seems to originate from localhost, which isn't
            > telling me much.
            > Where to look , what to do ?
            >
            >
            it's NOT originating from localhost, that's just the last step from your
            amavis...

            <snip snip>
            This is the amavis tags...
            > Received: from localhost (localhost [127.0.0.1])
            > by mail01.cq-link.sr (Postfix) with ESMTP id 6F38E5F4595;
            > Fri, 7 Nov 2008 18:55:55 -0300 (SRT)
            > X-Virus-Scanned: amavisd-new at
            > X-Spam-Flag: NO
            > X-Spam-Score: 3.694
            > X-Spam-Level: ***
            > X-Spam-Status: No, score=3.694 tagged_above=2 required=6
            > tests=[AWL=-0.842,
            > FORGED_MUA_OUTLOOK=3.116, MSOE_MID_WRONG_CASE=0.82,
            > RAZOR2_CHECK=0.5,
            > RDNS_NONE=0.1]
            >
            this is your host receiving it from amavis at the localhost
            > Received: from mail01.cq-link.sr ([127.0.0.1])
            > by localhost (mail01.cq-link.sr [127.0.0.1]) (amavisd-new, port
            > 10024)
            > with ESMTP id DBUOCa4zij-k; Fri, 7 Nov 2008 18:55:55 -0300 (SRT)
            >
            this is your host receiving it from the unknown address 64.129.70.219
            which is the actual sending ip
            I can't resolve it and traceroute from me just ends up in stars... so...
            check from your end...
            > Received: from User (unknown [64.129.70.219])
            > by mail01.cq-link.sr (Postfix) with ESMTP id D8AFD5F4526;
            > Fri, 7 Nov 2008 18:55:47 -0300 (SRT)
            >
            This is the faked sender :)
            > From: "IRS"<notice@...>
            > Subject: Tax Refund (25371231) $620.50
            > Date: Fri, 7 Nov 2008 14:55:07 -0700
            >
            /Johan A
            Have fun...!
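The Received: walk Johan does by hand, as an added example (not code from the thread): it unfolds the headers, parses each hop newest-first and stops at the first hop that was not handed over by a host we trust. The header text is copied from the postcat output earlier in the thread; the trusted set (the MTA's own name and the loopback hop used by amavisd-new) is an assumption about this server.

```python
"""Find the first external hop in a chain of Received: headers."""
import re
from typing import List, Optional

# Header block copied from the postcat output posted in the thread
# (continuation lines indented, as in the stored message).
HEADERS = """\
Received: from localhost (localhost [127.0.0.1])
 by mail01.cq-link.sr (Postfix) with ESMTP id 6F38E5F4595;
 Fri, 7 Nov 2008 18:55:55 -0300 (SRT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
Received: from mail01.cq-link.sr ([127.0.0.1])
 by localhost (mail01.cq-link.sr [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id DBUOCa4zij-k; Fri, 7 Nov 2008 18:55:55 -0300 (SRT)
Received: from User (unknown [64.129.70.219])
 by mail01.cq-link.sr (Postfix) with ESMTP id D8AFD5F4526;
 Fri, 7 Nov 2008 18:55:47 -0300 (SRT)
From: "IRS"<notice@...>
Subject: Tax Refund (25371231) $620.50
"""

# Assumption: hops from these sources are our own MTA and its content filter.
TRUSTED_IPS = {"127.0.0.1"}
TRUSTED_NAMES = {"localhost", "mail01.cq-link.sr"}

HOP_RE = re.compile(r"^Received:\s+from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> List[str]:
    """Join folded header lines: a line starting with whitespace continues the previous one."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def hops(raw: str) -> List[dict]:
    """Parse every Received: header (newest first) into helo name, client IP and receiving host."""
    result = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if not m:
            continue
        helo, comment, by = m.groups()
        ip = IP_RE.search(comment or "")
        result.append({"helo": helo, "ip": ip.group(1) if ip else None, "by": by})
    return result


def first_untrusted_hop(raw: str) -> Optional[dict]:
    """Skip the hops our own hosts added and return the first one from outside."""
    for hop in hops(raw):
        if hop["ip"] in TRUSTED_IPS or hop["helo"] in TRUSTED_NAMES:
            continue
        return hop
    return None
```

Walking from the top is what makes this trustworthy: every header down to the first external hop was written by our own MTA, so the client IP recorded there (here 64.129.70.219) is real, whereas any Received: lines below it arrived inside the message and could have been written by the sender.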
          • Wietse Venema
            Message 5 of 18 , Nov 11, 2008
              Jaap Westerbeek:
              > Received: from User (unknown [64.129.70.219])
              > by mail01.cq-link.sr (Postfix) with ESMTP id D8AFD5F4526;
              > Fri, 7 Nov 2008 18:55:47 -0300 (SRT)

              There's your spammer.

              Wietse
            • Jaap Westerbeek
              Message 6 of 18 , Nov 11, 2008
                I had noticed his sending IP.

                Now, how do I prevent him from abusing my server? How is it possible he can
                send from my server when he's not in my_networks?
                Can I prevent him from spoofing the sender mail address?

                I'm posting a bit from my main.cf, maybe I've got it wrong.
                Some pointers would be highly appreciated.

                # ********** JUNK / SPAM Filtering OPTIONS **************************************
                # The correct appearance here is:

                # Header / Body restrictions
                # Client hostname/ip restrictions
                # HELO restrictions
                # Sender Address restrictions
                # Recipient restrictions (mail to)
                # *******************************************************************************

                # ***************** HEADER/BODY CHECKS *******************************************
                # Note by Jaap : Here we could insert header, Mime header and body checks to
                # block stuff from mail like Spamwords, links, certain types of extensions etc.
                # We don't use this feature, we trust amavis to do this for us. man
                # header_checks for more info -> ah an exception :
                # some porn spammer we're trying to block with MIME headers :
                # *********************************************************************************
                mime_header_checks = regexp:/etc/postfix/mime_header_checks

                # experiment with this option for security : allow_percent_hack
                # Enable the rewriting of the form "user%domain" to "user@domain". This is
                # enabled by default.
                allow_percent_hack = no
                # this option will disable the verify command, used by some hackers
                disable_vrfy_command = yes

                # ***************** CLIENT RESTRICTIONS *******************************************
                # Allow connections from trusted networks only.
                smtpd_client_restrictions = permit_mynetworks, reject_unauth_pipelining
                # *********************************************************************************

                # ********************* HELO RESTRICTIONS *****************************************
                # Don't talk to mail systems that don't know their own hostname.
                smtpd_helo_required = yes
                reject_non_fqdn_helo_hostname = yes
                reject_invalid_helo_hostname = yes
                smtpd_helo_restrictions =
                    permit_mynetworks,
                    reject_unauth_pipelining,
                    reject_invalid_hostname,
                    check_helo_access hash:/etc/postfix/helo_access
                strict_rfc821_envelopes = yes

                # ********************************************************************************

                # ********************* SENDER RESTRICTIONS *****************************************
                # Allow SMTP logins from these addresses :
                # smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-sender-address-match.cf
                # Don't accept mail from domains that don't exist,or are blacklisted
                smtpd_sender_restrictions =
                    permit_sasl_authenticated,
                    check_sender_access hash:/etc/postfix/access_sender,
                    reject_sender_login_mismatch,
                    reject_non_fqdn_sender,
                    reject_unknown_sender_domain,
                    permit_mynetworks,
                # ********************************************************************************

                # ********************* RECIPIENT RESTRICTIONS *****************************************
                smtpd_reject_unlisted_recipient = yes
                smtpd_recipient_restrictions =
                    permit_sasl_authenticated,
                    check_recipient_access hash:/etc/postfix/access_recipient,
                    reject_invalid_hostname,
                    reject_unknown_recipient_domain,
                    reject_unauth_pipelining,
                    permit_mynetworks,
                    reject_unauth_destination,
                    reject_rbl_client zombie.dnsbl.sorbs.net,
                    reject_rbl_client list.dsbl.org,
                    reject_rbl_client bl.spamcop.net,
                    reject_rbl_client sbl.spamhaus.org,
                    reject_rbl_client multihop.dsbl.org,
                    reject_rbl_client dnsbl.njabl.org,
                    reject_rbl_client all.spamrats.com
                    reject_rbl_client cbl.abuseat.org,
                    reject_rbl_client blackholes.easynet.nl,
                    reject_rbl_client proxies.blackholes.wirehub.net,
                    reject_rbl_client ix.dnsbl.manitu.net,
                    permit
                # experimented with cluebringer (policyd v2.x) but it had problems,
                # had some DB issues (slowness MSQL) with the old
                # version, so now it's disabled all together.
                # check_policy_service inet:127.0.0.1:10031
                # check_policy_service inet:127.0.0.1:10033
                # ********************************************************************************
                smtpd_data_restrictions = reject_unauth_pipelining





              • Wietse Venema
                Message 7 of 18 , Nov 11, 2008
                  Jaap Westerbeek:
                  > smtpd_recipient_restrictions =
                  > permit_sasl_authenticated,
                  > check_recipient_access hash:/etc/postfix/access_recipient,

                  There is your open relay. Put it below

                  > reject_unauth_destination,

                  Wietse
                • Jaap Westerbeek
                  Message 8 of 18 , Nov 11, 2008
                    I changed the order.

                    Thanks Wietse, I'll keep you posted :)

                  • Victor Duchovni
                    Message 9 of 18 , Nov 11, 2008
                      On Tue, Nov 11, 2008 at 11:31:38AM -0300, Jaap Westerbeek wrote:

                      > I changed the order.
                      >

                      Note, my money is on "permit_sasl_authenticated" and weak credentials
                      (like user "test" password "test", ...) or stolen credentials (users
                      victims of phishing). In which case you really should address that. You
                      could have overly broad permit rules in the "access_recipient" table
                      (e.g. "com OK", ...), but this seems somewhat unlikely.

                      > > smtpd_recipient_restrictions =
                      > > permit_sasl_authenticated,
                      > > check_recipient_access hash:/etc/postfix/access_recipient,
                      >
                      > There is your open relay. Put it below
                      >
                      > > reject_unauth_destination,

                      If permit_sasl_authenticated is used by legitimate submission
                      users, who send mail out, it actually needs to stay above
                      "reject_unauth_destination", but first you need to weed out the
                      compromised email accounts, which you will find in your logs.

                      --
                      Viktor.

                      Disclaimer: off-list followups get on-list replies or get ignored.
                      Please do not ignore the "Reply-To" header.

                      To unsubscribe from the postfix-users list, visit
                      http://www.postfix.org/lists.html or click the link below:
                      <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                      If my response solves your problem, the best way to thank me is to not
                      send an "it worked, thanks" follow-up. If you must respond, please put
                      "It worked, thanks" in the "Subject" so I can delete these quickly.
                    • Jaap Westerbeek
                      Message 10 of 18 , Nov 11, 2008
                        That's very possible, and was my first thought too.
                        There are a few thousand accounts in the DB, and I've only introduced strong
                        passwords when I started working here (like 1 year ago)

                        For completeness, let me post some entries from my access_recipient table,
                        which is made up of some servers in our network, some e-mail addresses that
                        got blacklisted or seen as spam.

                        bross@... OK
                        Sparky/RPBG%RPBG@ OK
                        Sparky/RPBG%RPBG@... OK
                        Sparky OK
                        Gabriel.Pourier@... OK
                        66.178.37.63 OK
                        rpbg.com OK
                        tfs@... OK
                        automotiveart.com OK
                        muehlstein@... OK

                        Supposing it IS a hacked SASL account, is there any way to stop that
                        rewriting process ? Or to know which account was being abused ?
                        Forcing all users to do a password change is not really an option with so
                        many accounts.

                        Jaap


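An added example (not code from the thread and not Postfix's own code) for the two points raised above: Wietse's, that a check_recipient_access table placed before reject_unauth_destination turns every OK entry into a relay permission, and Viktor's, that a broad entry such as "com OK" would then relay for every .com address. The script mimics the access(5) lookup order for a recipient address and audits a table against both restriction orders. The table is constructed (Viktor's "com OK" plus entries shaped like the ones Jaap posted) and OUR_DOMAINS is an assumption about which domains the server accepts mail for.

```python
"""Audit an access_recipient table against the smtpd_recipient_restrictions order."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed table in the format of /etc/postfix/access_recipient.
ACCESS_RECIPIENT = """\
bross@customer-a.example   OK
rpbg.example               OK
Sparky                     OK
66.178.37.63               OK
com                        OK
spammer@bad.example        REJECT
"""

# The order Wietse objected to: the table is consulted before reject_unauth_destination.
RESTRICTIONS_AS_POSTED = [
    "permit_sasl_authenticated",
    "check_recipient_access hash:/etc/postfix/access_recipient",
    "reject_unauth_destination",
    "permit",
]

# Table moved below reject_unauth_destination; permit_sasl_authenticated stays
# above it, as Viktor notes it must for legitimate submission users.
RESTRICTIONS_REORDERED = [
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "reject_unauth_destination",
    "check_recipient_access hash:/etc/postfix/access_recipient",
    "permit",
]

# Assumption: the domains this server is responsible for.
OUR_DOMAINS: Set[str] = {"customer-a.example", "customer-b.example", "mail01.example"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_access(text: str) -> Dict[str, str]:
    """Parse 'key action' lines; keys are folded to lower case like Postfix does."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, action = line.partition(" ")
        table[key.lower()] = action.strip().upper()
    return table


def lookup_recipient(table: Dict[str, str], address: str) -> Optional[str]:
    """access(5) lookup order for a recipient: user@domain, then the domain and each
    parent domain (smtpd_access_maps is in parent_domain_matches_subdomains by
    default, so 'com' matches every .com address), then user@."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    candidates = [address] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]
    for key in candidates:
        if key in table:
            return table[key]
    return None


def access_table_before_unauth_destination(restrictions: List[str]) -> bool:
    """True if any check_*_access table is evaluated before reject_unauth_destination."""
    names = [r.split()[0] for r in restrictions]
    if "reject_unauth_destination" not in names:
        return True
    return any(n.startswith("check_") for n in names[: names.index("reject_unauth_destination")])


def audit(table: Dict[str, str], restrictions: List[str], our_domains: Set[str]) -> List[Tuple[str, str]]:
    """Report OK entries that would grant relaying (only when the table comes first)
    and entries that cannot match a recipient address at all."""
    findings: List[Tuple[str, str]] = []
    early = access_table_before_unauth_destination(restrictions)
    for key, action in table.items():
        if action != "OK":
            continue
        if IPV4.match(key):
            findings.append((key, "IP address: does not match any recipient address, dead entry"))
        elif not early:
            continue  # an OK after reject_unauth_destination cannot authorise relaying
        elif key.endswith("@"):
            findings.append((key, "user@ form: relays to this local part in every domain"))
        elif "@" in key and key.split("@", 1)[1] not in our_domains:
            findings.append((key, "relays to a single foreign address"))
        elif "@" not in key and "." not in key:
            findings.append((key, "bare label: matches every domain ending in it, effectively an open relay"))
        elif "@" not in key and key not in our_domains:
            findings.append((key, "relays to a whole foreign domain and its subdomains"))
    return findings
```

With the posted order, any recipient at a .com address gets OK from the table before reject_unauth_destination ever runs, so the server relays for it; after the reorder the same table can only refine decisions for mail the server would accept anyway, which is the behaviour Wietse's one-line fix restores. An IP address as a key in a recipient table is flagged because recipient lookups are keyed by address, domain and user@ forms.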
                      • Wietse Venema
                        Message 11 of 18 , Nov 11, 2008
                          Jaap Westerbeek:
                          > Supposing it IS a hacked SASL account, is there any way to stop that
                          > rewriting process ? Or to know which account was being abused ?
                          > Forcing all users to do a password change is not really an option with so
                          > many accounts.

                          Postfix logs the SASL user name to the maillog file.

                          Wietse
                        • Jaap Westerbeek
                          Message 12 of 18 , Nov 11, 2008
                            Digging into the logfiles, I could not find the spammer (64.129.70.219) had
                            used SASL....

                            All SASL authentications seemed legitimate (coming from an ISP in the same
                            country), or from within my_networks.

                            It would have given me something like this right ?
                            client=unknown[64.129.70.219], sasl_method=LOGIN, sasl_username=xxxxxxxxx

                            Unfortunately, the IP of the spammer is nowhere to be found in my postfix
                            logs, except for my Amavis logs :

                            Nov 7 11:22:55 mail01.cq-link.sr /usr/local/sbin/amavisd[603]: (00603-16) Passed CLEAN, [64.129.70.219] [64.129.70.219] <notice@...> -> <sandrahenkles@...>, Message-ID: <20081107142249.4B6505F4577@...-link.sr>, mail_id: 80bDaGSM6lUa, Hits: 2.852, size: 511, queued_as: 0D90A5F457D, 3849 ms

                            And in the end amavis starts blocking him :

                            Nov 11 08:43:08 mail01.cq-link.sr /usr/local/sbin/amavisd[22027]: (22027-05) Blocked MTA-BLOCKED, [64.129.70.219] [64.129.70.219] <notice@lRS.gov> -> <ccu@...>,<cctropp@...>,<cctw44@...>,<ccthaden@...m>,<ccubbie@...>,<cc-tonn@...>,<cctech@....hk>,<ccthor55@...>,<cctvi@...>,<cctxhomeed-owner@yahoogroups.com>, Message-ID: <20081107222321.484605F4599@...-link.sr>, mail_id: pkABmjwsgQrI, Hits: 4.223, size: 1493, 39548 ms

                            apparently the guy got himself on a blacklist there...

                            But how can I further trace how he got in ?



                          • Charles Marcus
                            Message 13 of 18 , Nov 11, 2008
                              On 11/11/2008 11:07 AM, Jaap Westerbeek wrote:
                              > Digging into the logfiles, I could not find the spammer (64.129.70.219) had
                              > used SASL....

                              So if he didn't get in through sasl_auth, obviously he must have gotten
                              in through a hole in your

                              check_recipient_access hash:/etc/postfix/access_recipient,

                              file... that's where to look...

                              --

                              Best regards,

                              Charles
                            • Wietse Venema
                              Message 14 of 18 , Nov 11, 2008
                                What is the output of:

                                grep 6F38E5F4595 /the/maillog/file
                                grep D8AFD5F4526 /the/maillog/file

                                One is before Amavis, one is after Amavis.

                                Wietse
                              • Jaap Westerbeek
                                Message 15 of 18 , Nov 11, 2008
                                  mail01:/var/log# grep 6F38E5F4595 mail.info
                                  Nov 11 07:02:29 mail01 postfix/qmgr[26195]: 6F38E5F4595:
                                  from=<notice@...>, size=2091, nrcpt=9 (queue active)
                                  Nov 11 07:02:32 mail01 postfix/smtp[19552]: 6F38E5F4595: host
                                  mx2.comcast.net[76.96.30.116] refused to talk to me: 554
                                  IMTA18.emeryville.ca.mail.comcast.net comcast 200.1.210.196 Comcast BL004
                                  Blocked for spam. Please see http://help.comcast.net/content/faq/BL004
                                  Nov 11 07:02:33 mail01 postfix/smtp[19552]: 6F38E5F4595:
                                  to=<js-hill@...>, relay=mx1.comcast.net[76.96.62.116]:25,
                                  delay=302798, delays=302794/0.06/4.1/0, dsn=4.0.0, status=deferred (host
                                  mx1.comcast.net[76.96.62.116] refused to talk to me: 554
                                  IMTA22.westchester.pa.mail.comcast.net comcast 200.1.210.196 Comcast BL004
                                  Blocked for spam. Please see http://help.comcast.net/content/faq/BL004)
                                  Nov 11 07:02:33 mail01 postfix/smtp[19553]: 6F38E5F4595: host
                                  mail.swoca.net[216.48.128.4] said: 450 4.1.8 <notice@...>: Sender
                                  address rejected: Domain not found (in reply to RCPT TO command)
                                  Nov 11 07:02:39 mail01 postfix/smtp[19553]: 6F38E5F4595:
                                  to=<jshillinglaw@...>,
                                  relay=mail.swoca.net[216.48.128.5]:25, delay=302804,
                                  delays=302794/0.07/10/0.57, dsn=4.1.8, status=deferred (host
                                  mail.swoca.net[216.48.128.5] said: 450 4.1.8 <notice@...>: Sender
                                  address rejected: Domain not found (in reply to RCPT TO command))
                                  Nov 11 08:25:49 mail01 postfix/qmgr[26195]: 6F38E5F4595:
                                  from=<notice@...>, size=2091, nrcpt=9 (queue active)
                                  Nov 11 08:25:55 mail01 postfix/smtp[21638]: 6F38E5F4595: host
                                  mx2.comcast.net[76.96.30.116] refused to talk to me: 554
                                  IMTA15.emeryville.ca.mail.comcast.net comcast 200.1.210.196 Comcast BL004
                                  Blocked for spam. Please see http://help.comcast.net/content/faq/BL004
                                  Nov 11 08:25:58 mail01 postfix/smtp[21638]: 6F38E5F4595:
                                  to=<js-hill@...>, relay=mx1.comcast.net[76.96.62.116]:25,
                                  delay=307803, delays=307795/0.06/8.8/0, dsn=4.0.0, status=deferred (host
                                  mx1.comcast.net[76.96.62.116] refused to talk to me: 554
                                  IMTA24.westchester.pa.mail.comcast.net comcast 200.1.210.196 Comcast BL004
                                  Blocked for spam. Please see http://help.comcast.net/content/faq/BL004)
                                  Nov 11 08:26:00 mail01 postfix/smtp[21639]: 6F38E5F4595: host
                                  mail.swoca.net[216.48.128.5] said: 450 4.1.8 <notice@...>: Sender
                                  address rejected: Domain not found (in reply to RCPT TO command)
                                  Nov 11 08:26:21 mail01 postfix/smtp[21639]: 6F38E5F4595:
                                  to=<jshillinglaw@...>,
                                  relay=mail.swoca.net[216.48.128.4]:25, delay=307826,
                                  delays=307795/0.06/26/5.5, dsn=4.1.8, status=deferred (host
                                  mail.swoca.net[216.48.128.4] said: 450 4.1.8 <notice@...>: Sender
                                  address rejected: Domain not found (in reply to RCPT TO command))
                                  Nov 11 09:45:33 mail01 postfix/postsuper[23914]: 6F38E5F4595: removed


                                  I couldn't find any records of D8AFD5F4526 in my current logfile...

                                  mail01:/var/log# grep D8AFD5F4526 mail.info.3 ->

                                  Nov 7 18:55:47 mail01 postfix/smtpd[12749]: D8AFD5F4526:
                                  client=unknown[64.129.70.219], sasl_method=LOGIN, sasl_username=liz
                                  Nov 7 18:55:55 mail01 postfix/cleanup[12829]: D8AFD5F4526:
                                  message-id=<20081107215547.D8AFD5F4526@...-link.sr>
                                  Nov 7 18:55:55 mail01 postfix/qmgr[26195]: D8AFD5F4526:
                                  from=<notice@...>, size=1495, nrcpt=10 (queue active)
                                  Nov 7 18:56:02 mail01 postfix/cleanup[12974]: 6F38E5F4595:
                                  message-id=<20081107215547.D8AFD5F4526@...-link.sr>
                                  Nov 7 18:56:02 mail01 postfix/smtp[13099]: D8AFD5F4526:
                                  to=<jshibb@...>, relay=127.0.0.1[127.0.0.1]:10024, delay=15,
                                  delays=8.1/0/0/6.8, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=12218-04, from
                                  MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6F38E5F4595, but 1 REJECT)
                                  Etc. etc.

                                  YES ! there's the hacked account. Problem was that the original message was
                                  already sent a few days ago, and therefore was in a logfile that was already
                                  zipped.

                                  Thanks a lot Wietse , for putting me on the right track..


                                  -----Original Message-----
                                  From: owner-postfix-users@...
                                  [mailto:owner-postfix-users@...] On Behalf Of Wietse Venema
                                  Sent: Tuesday, November 11, 2008 1:30 PM
                                  To: Postfix users
                                  Subject: Re: Spammers abusing my postfix box

                                  What is the output of:

                                  grep 6F38E5F4595 /the/maillog/file
                                  grep D8AFD5F4526 /the/maillog/file

                                  One is before Amavis, one is after Amavis.

                                  Wietse


                                  --
                                  I am using the free version of SPAMfighter.
                                  We are a community of 5.6 million users fighting spam.
                                  SPAMfighter has removed 920 of my spam emails to date.
                                  Get the free SPAMfighter here: http://www.spamfighter.com/len

                                  The Professional version does not have this message
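The two greps Wietse asked for, plus the sasl_username lookup from his earlier reply, can be turned into one small script. The following is an added example for this thread, not code from Wietse, Jaap or the Postfix project: it indexes maillog lines by queue ID, links the pre-filter queue ID to the post-filter one through the "queued as" reply that the content filter's reinjection port returns (it assumes, as in Jaap's setup, that the filter is reached via relay=127.0.0.1 so that replies from remote MTAs are not mistaken for a filter hop), and then reports which client and SASL account injected the message. The log lines embedded in it are constructed in the format shown above, with documentation-range IPs and made-up queue IDs, not the real entries from the thread.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the Postfix/amavisd lines shown in the
# thread. Queue IDs, hosts and addresses are placeholders, not real data.
SAMPLE_LOG = """\
Nov  7 18:55:47 mail01 postfix/smtpd[12749]: AAAA1111111: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=liz
Nov  7 18:55:55 mail01 postfix/qmgr[26195]: AAAA1111111: from=<notice@example.invalid>, size=1495, nrcpt=10 (queue active)
Nov  7 18:56:02 mail01 postfix/cleanup[12974]: BBBB2222222: message-id=<20081107215547.AAAA1111111@mail01.example.invalid>
Nov  7 18:56:02 mail01 postfix/smtp[13099]: AAAA1111111: to=<victim@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=15, delays=8.1/0/0/6.8, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=12218-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as BBBB2222222, but 1 REJECT)
Nov 11 07:02:33 mail01 postfix/smtp[19552]: BBBB2222222: to=<js@example.org>, relay=mx1.example.org[198.51.100.5]:25, delay=302798, delays=302794/0.06/4.1/0, dsn=4.0.0, status=deferred (host mx1.example.org refused to talk to me: 554 Blocked for spam)
Nov  8 09:00:00 mail01 postfix/smtpd[12800]: CCCC3333333: client=mail.example.com[203.0.113.7]
Nov  8 09:00:01 mail01 postfix/smtp[12900]: CCCC3333333: to=<bob@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.5/0/0/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DDDD4444444)
"""

# "<syslog timestamp> <host> postfix/<program>[pid]: <QUEUEID>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=([^,\s]+)")
SASL_USER_RE = re.compile(r"sasl_username=([^,\s]+)")
QUEUED_AS_RE = re.compile(r"queued as ([0-9A-F]+)")

# Assumption: the content filter is reached over loopback (amavisd on
# 127.0.0.1:10024, as in the thread); a "queued as" from any other relay is a
# remote MTA's queue ID and is not part of this server's logs.
FILTER_RELAY = "relay=127.0.0.1"


def parse_log(text):
    """Index lines by queue ID and map each pre-filter ID to its post-filter ID."""
    records = defaultdict(list)
    pre_to_post = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # NOQUEUE rejections and non-queue lines are skipped
        qid, rest = m.group("qid"), m.group("rest")
        records[qid].append((m.group("ts"), m.group("prog"), rest))
        q = QUEUED_AS_RE.search(rest)
        if q and FILTER_RELAY in rest:
            pre_to_post[qid] = q.group(1)
    return records, pre_to_post


def trace(records, pre_to_post, queue_id):
    """Given either queue ID of a message, walk back to the original smtpd
    submission and report the client and, if any, the SASL user name."""
    post_to_pre = {post: pre for pre, post in pre_to_post.items()}
    pre = post_to_pre.get(queue_id, queue_id)
    info = {"pre_queue_id": pre, "post_queue_id": pre_to_post.get(pre),
            "client": None, "sasl_username": None}
    for _ts, prog, rest in records.get(pre, []):
        if prog != "smtpd":
            continue
        c = CLIENT_RE.search(rest)
        if c:
            info["client"] = c.group(1)
        u = SASL_USER_RE.search(rest)
        if u:
            info["sasl_username"] = u.group(1)
    return info


def submissions_per_user(records):
    """Count authenticated submissions per SASL user. One account injecting far
    more than its peers is the usual sign of a stolen password."""
    counts = defaultdict(int)
    for recs in records.values():
        for _ts, prog, rest in recs:
            if prog == "smtpd":
                u = SASL_USER_RE.search(rest)
                if u:
                    counts[u.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    recs, links = parse_log(SAMPLE_LOG)
    # Start from the post-filter ID, the one seen in the delivery attempts.
    print(trace(recs, links, "BBBB2222222"))
    print(submissions_per_user(recs))
```

As Jaap found, the submission line may live in an already-rotated file while the delivery attempts are still in the current one, so feed the script the concatenation of mail.info and its rotated copies (for example the output of `zcat -f /var/log/mail.info*`) rather than a single file; the queue ID link is only recoverable when both hops are in the same input.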