Loading ...
Sorry, an error occurred while loading the content.

RE: Spam - relay issue

Expand Messages
  • Papadopoulos Nikolaos
    Hello, I did the following and for the last 5 days there is no more spam. 1) The password of the users were very simple and maybe compromised. We changed all
    Message 1 of 6 , Oct 1, 2013
    • 0 Attachment
      Hello,

      I did the following and for the last 5 days there is no more spam.
      1) The password of the users were very simple and maybe compromised. We changed all the passwords to more complex ones
      2) We ran antivirus on the entire network and cleaned a lot of viruses, malware etc
      3) We blocked through the firewall a couple of IP addresses, that the logs showed suspicious
      4) We used sender_access and recipient_access to reject some emails

      The last 5 days it seems that we do not face problem with spam. Although, we are also currently looking for any anti-spam solution in order to prevent similar problems in the future.

      Thanks.

      -----Original Message-----
      From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Viktor Dukhovni
      Sent: Thursday, September 26, 2013 8:43 PM
      To: postfix-users@...
      Subject: Re: Spam - relay issue

      On Thu, Sep 26, 2013 at 08:17:51PM +0300, Papadopoulos Nikolaos wrote:

      > We have Postfix ver2.3.3 on RHEL5, which was working fine for several years.
      > Please find below the output of postconf -n
      >
      > smtpd_recipient_restrictions =
      > permit_sasl_authenticated,
      > permit_mynetworks,
      > check_relay_domains

      The "check_relay_domains" restriction is long deprecated, and no longer supported by current versions of Postfix. Strongly consider using "reject_unauth_destination" instead. The "check_relay_domains"
      legacy feature cannot be made reliable.

      You have no anti-spam controls beyond blocking unauthorized relaying, consider adding a suitable RBL (zen.spamhaus.org is a good start, possibly via a paid feed if your traffic volume is high enough).

      > smtpd_sasl_auth_enable = yes
      > smtpd_sasl_local_domain = $myhostname
      > smtpd_sasl_security_options = noanonymous

      One or more of your SASL accounts may be compromised.

      > During the last days we face huge problem by spam emails, as if our
      > server is open relay.

      Incoming spam or outgoing spam? Your configuration is not an open relay per-se, but it is possible that you relay mail from trusted sources (other machines in your domain, authenticated users, ...) or locally submitted via compromised web applications.

      > For example, the majority of spam emails in the mail queue show as sender:
      >
      > meng.edwn@...

      Sender addresses of spam are often forged, do not generally indicate where the spam is really from and filtering them is not by itself an effective defense against spam.

      > 1) how can I find out from which IP address do these emails come from?

      1. YOUR MAIL LOGS!

      2. If a spam message is still in the queue, use "postcat -q <queueid>"
      to see the message envelope records, headers and body. The envelope
      and topmost Received header will show the origin of the message.

      --
      Viktor.
    Your message has been successfully submitted and would be delivered to recipients shortly.