Re: blocked mail

  • /dev/rob0
    Message 1 of 22 , Jul 27, 2011
      On Wed, Jul 27, 2011 at 02:45:26PM +0200, Salvatore wrote:
      > "Ansgar Wiechers" wrote:
      >
      > > - output of "postconf -n"
      > > - log excerpt showing an entire mail transaction from the point where
      > > the spam mail enters Postfix to the point where Postfix attempts the
      > > delivery
      >
      >
      > [root@mail scripts]# postconf -n
      [snip]
      > readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
      > relay_domains = $mydestination
      > sample_directory = /usr/share/doc/postfix-2.2.8/samples

      If this is really Postfix 2.2.8, you have a seriously old system
      there. Has it been kept up with all security patches? OpenSSH and
      Apache httpd have had dozens of exploits in that period. Do you use
      either of those?

      [snip, nothing else noteworthy in postconf]

      > in log file I have this:
      >
      > Jul 27 13:45:50 mail postfix/qmgr[3472]: 65C4326ADB5:
      > from=<award@...>, size=601090, nrcpt=50 (queue active)
      > Jul 27 13:45:50 mail postfix/qmgr[3472]: 1AE0A26ADB0:
      > from=<award@...>, size=601090, nrcpt=50 (queue active)
      > Jul 27 13:45:50 mail postfix/qmgr[3472]: 12DDE26ADAB:
      > from=<award@...>, size=601090, nrcpt=50 (queue active)
      > Jul 27 13:45:50 mail postfix/qmgr[3472]: 90DF326ADB1:
      > from=<award@...>, size=601090, nrcpt=50 (queue active)
      > Jul 27 13:45:50 mail postfix/qmgr[3472]: 23A9E2D401C:
      > from=<award@...>, size=601792, nrcpt=50 (queue active)

      50 recipients each. This sure looks like what I thought originally,
      that you are being used as a platform for spamming.

      > Jul 27 13:45:51 mail postfix/smtp[18874]: 23A9E2D401C: host
      > mailin-01.mx.aol.com[205.188.159.42] refused to talk to me: 421 4.7.1 :
      > (RLY:B3)
      > http://postmaster.info.aol.com/errors/421rlyb3.html
      > Jul 27 13:45:51 mail postfix/smtp[18877]: 23A9E2D401C: host
      > mailin-03.mx.aol.com[205.188.190.2] refused to talk to me: 421 4.7.1 :
      > (RLY:B3)
      > http://postmaster.info.aol.com/errors/421rlyb3.html
      > Jul 27 13:45:51 mail postfix/smtp[18872]: 12DDE26ADAB: host
      > mailin-04.mx.aol.com[64.12.90.34] refused to talk to me: 421
      > mtain-mh06.r1000.mx.aol.com Service unavailable - try again later
      > Jul 27 13:45:51 mail postfix/smtp[18871]: 1AE0A26ADB0: host
      > mailin-04.mx.aol.com[64.12.90.66] refused to talk to me: 421
      > mtain-mb06.r1000.mx.aol.com Service unavailable -try again later
      >
      > I hope this information will help.

      No, because for the third time now: you must show us the ORIGIN of
      these spam suspects. Take for example, queue ID 1AE0A26ADB0: we know
      the size and that it has 50 recipients. We need to see how it got
      into your queue. And that means ORIGIN ... we have no interest in
      seeing it reinjected from the content_filter, except insofar as
      reinjection gives us the original queue ID.

      Most mail enters either through smtpd(8) or through sendmail(1). The
      former is logged by "postfix/smtpd"; for the latter, the first log
      entry you would typically see is from "postfix/pickup".

      My guess is that you've been compromised, and that these spams came
      through local sendmail submission. Hope not, because it will be a
      mess to clean up!

      One thing you should consider doing NOW is to stop Postfix, because
      the more spam you relay, the more damage is done to your reputation
      and deliverability. (Not to mention the antisocial aspects of being
      accessory to a crime.)
      --
      Offlist mail to this address is discarded unless
      "/dev/rob0" or "not-spam" is in Subject: header
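As an added example (not part of rob0's reply or anything posted in this thread), the script below does the tracing the reply asks for: given a queue ID seen in a qmgr "queue active" line, it walks back through content_filter reinjections ("status=sent (... queued as NEWQID)" on the previous queue ID) to the first queue ID, then reports whether that message entered via "postfix/smtpd" (network client, with any SASL details) or "postfix/pickup" (local sendmail(1) submission, with the submitting uid). The log excerpt is constructed for the example and modelled on the thread's format; queue ID 1AE0A26ADB0 is taken from the thread, the other queue IDs, addresses and the uid are made up.

```python
import re

# Constructed sample log in Postfix syslog format. Only 1AE0A26ADB0 comes from
# the thread; 7F00C26AD99 and 4C1D026ADC0, the addresses and uid=48 are made up.
SAMPLE_LOG = """\
Jul 27 13:45:48 mail postfix/pickup[3471]: 7F00C26AD99: uid=48 from=<apache>
Jul 27 13:45:48 mail postfix/cleanup[18860]: 7F00C26AD99: message-id=<constructed@mail.example>
Jul 27 13:45:48 mail postfix/qmgr[3472]: 7F00C26AD99: from=<award@example.invalid>, size=600900, nrcpt=50 (queue active)
Jul 27 13:45:49 mail postfix/smtp[18865]: 7F00C26AD99: to=<victim@example.net>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.6, delays=0.2/0/0.1/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1AE0A26ADB0)
Jul 27 13:45:50 mail postfix/smtpd[18866]: 1AE0A26ADB0: client=localhost[127.0.0.1]
Jul 27 13:45:50 mail postfix/qmgr[3472]: 1AE0A26ADB0: from=<award@example.invalid>, size=601090, nrcpt=50 (queue active)
Jul 27 13:45:51 mail postfix/smtp[18871]: 1AE0A26ADB0: host mailin-04.mx.aol.com[64.12.90.66] refused to talk to me: 421 mtain-mb06.r1000.mx.aol.com Service unavailable - try again later
Jul 27 13:46:02 mail postfix/smtpd[18880]: 4C1D026ADC0: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob
Jul 27 13:46:02 mail postfix/qmgr[3472]: 4C1D026ADC0: from=<bob@example.org>, size=2048, nrcpt=1 (queue active)
"""

# "<timestamp> <host> postfix/<program>[<pid>]: <QUEUEID>: <rest>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'postfix/(?P<prog>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$'
)
# A delivery to the content_filter's reinjection port announces the new queue ID.
REINJECT_RE = re.compile(
    r'relay=(?P<relay>\S+),.*status=sent \(.*queued as (?P<newqid>[0-9A-F]+)\)'
)
QMGR_RE = re.compile(
    r'from=<(?P<from>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+) \(queue active\)'
)


def parse_log(text):
    """Keep only lines that carry a queue ID; return them as dicts."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_parent(entries, qid):
    """Queue ID whose smtp delivery says 'queued as <qid>' (pre-filter copy), or None."""
    for e in entries:
        if e['prog'] == 'smtp':
            m = REINJECT_RE.search(e['rest'])
            if m and m.group('newqid') == qid:
                return e['qid']
    return None


def trace_origin(entries, qid):
    """Follow reinjections back to the first queue ID and classify how it entered Postfix."""
    chain, seen = [qid], {qid}
    while True:
        parent = find_parent(entries, chain[-1])
        if parent is None or parent in seen:   # no earlier copy, or a loop in the log
            break
        chain.append(parent)
        seen.add(parent)
    origin_qid = chain[-1]
    for e in entries:
        if e['qid'] != origin_qid:
            continue
        if e['prog'] == 'smtpd' and e['rest'].startswith('client='):
            return {'chain': chain, 'origin': 'smtpd', 'detail': e['rest']}
        if e['prog'] == 'pickup':      # sendmail(1) / local submission
            return {'chain': chain, 'origin': 'pickup', 'detail': e['rest']}
    return {'chain': chain, 'origin': 'unknown', 'detail': ''}


def bulk_messages(entries, min_rcpt=50):
    """Queue IDs whose qmgr line shows >= min_rcpt recipients, each with its traced origin."""
    result = {}
    for e in entries:
        if e['prog'] != 'qmgr':
            continue
        m = QMGR_RE.match(e['rest'])
        if m and int(m.group('nrcpt')) >= min_rcpt and e['qid'] not in result:
            result[e['qid']] = trace_origin(entries, e['qid'])
    return result


if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    for qid, info in bulk_messages(entries).items():
        print(qid, '<-'.join(info['chain']), info['origin'], info['detail'])
```

Run against a real /var/log/maillog, the interesting output is the origin line for the earliest queue ID in each chain: a "pickup" entry names the local uid that ran sendmail(1), which is the account to look at first, while a "smtpd" entry gives the client address and, if present, the SASL username. Raising min_rcpt or adding a size filter narrows the listing to the bulk messages the thread is concerned with.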