I couldn't see the beginning of the conversation; for some reason it reached me already started.

Maybe I'm repeating something. Personally, when I configure, I use every checker I can: http://mxtoolbox.com/diagnostic.aspx
Maybe that really removes the doubt about whether it's misconfigured or not.

Regards.

On 4 May 2015 at 15:15, Salvador - Salman PSL <listascor...@salman.net> wrote:
>
> To me it looks like your mail server is very badly configured.
>
> You have an excess of information in the log, which doesn't let you see clearly.
>
> If you had everything configured properly, you would know the origin of the mail.
>
> One thing I don't understand is that you send a rejection mail for a rejected HELO; you are checking it after having received the mail, and that has to be checked before receiving the whole mail.
>
> As I said, to me that Postfix is not configured properly.
>
> >>>>>>>>>>>>>>> ******* End of message ******* <<<<<<<<<<<<<<
> ------------------------------------------------------------------------
> Regards
> Salvador Guzman
> Salman PSL
> Vigo, Galicia, Spain
> +34 986.21.30.27
> +34 679-725-626
> Salman.EU <http://salman.es/>
>
> On 04/05/2015 at 15:59, David González Romero wrote:
>>
>> Hello list!!
>>
>> Once again the SPAM issue has me in checkmate...
>>
>> This time, honestly, it makes no sense at all. It could be a PC on my network or it could be my server; I lean toward the second option.
>>
>> The Postfix configuration is as restrictive as possible for sending/receiving. But the truth is that every weekend I'm having a serious problem with SPAM: I arrive and have thousands of mails in the queue that aren't delivered because the receiving servers don't allow them and block me as SPAM.
>>
>> I also have the tools to look for rootkits on the server, and likewise ClamAV, which finds no viruses. I also configured Fail2ban for most of the services I have. However, looking at the mail logs there are some strange things.
>>
>> I'm passing on a part of the log that I consider strange:
>>
>> ----------------------------------------------------------------------------------------
>> Amavis-new
>>
>> **Unmatched Entries**
>> INFO: truncating long header field (len=1318): X-Envelope-To: <c...@163.com>, <c043...@amco.co.kr>, <c...@bpr.gov.my>, <c02_...@ccc.ae>, <c02_r05@ccc(28594-06) Passed SPAM, [196.46.245.153] [196.46.245.153] <authenticat...@stellawalker.co.uk> -> <c...@163.com>,<c043...@amco.co.kr>,<c...@bpr.gov.my>,<c02_...@ccc.ae>,<c02_...@ccc.ae>,<c02_...@ccc.ae>,<c02_...@ccc.ae>,<c02_...@ccc.ae>,<c02_...@ccc.ae>,<c05_...@ccc.com.om>,<c05_...@ccc.com.om>,<c05_...@ccc.com.om>,<c04_...@ccc.com.qa>,<c04_...@ccc.com.qa>,<c03_...@ccc.com.sa>,<c03_...@ccc.com.sa>,<c03_...@ccc.com.sa>,<c03_...@ccc.com.sa>,<c...@chsteel.com.tw>,<c0...@dmu.ac.uk>,<c0218...@dongbuchem.com>,<c12...@email.mot.com>,<c13...@email.mot.com>,<c14...@email.mot.com>,<c14...@email.mot.com>,<c14...@email.mot.com>,<c00lw...@gmail.com>,<c15...@gscaltex.co.kr>,<c00l...@hotmail.com>,<c0...@manhorope.com>,<"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232olivia.chen"@molcn.com.cn>,<"\347\256\261\357\274\232celian.huang"@molcn.com.cn>,<"\347\256\261\357\274\232hr"@molcn.com.cn>,<c06_...@morganti.com.jo>,<c14...@motorola.com>,<c14...@motorola.com>,<c15...@motorola.com>,<c17...@motorola.com>,<c058...@narwhal.cc.metu.edu.tr>,<c107...@narwhal.cc.metu.edu.tr>,<c12hockg...@nexgen.com.my>,<c015...@pc.jaring.my>,<c10...@qq.com>,<c...@tm.net.my>,<c...@tm.net.my>,<c...@tm.net.my>,<c00lw...@yahoo.com>,<c0untry...@yahoo.com>,<c16...@yahoo.com.hk>, Message-ID: <20150502214852.043e95768...@mail.timbo.com.py>, mail_id: dN-ces7fv0ZT, Hits: 40.253, queued_as: E0AE257688D7, 224 ms: 1 Time(s)
>> WARN: address modified (recip): <\344\274\232\350\256\241\346\226\207\345\221\230\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232ivy....@molcn.com.cn> -> <"\344\274\232\350\256\241\346\226\207\345\221\230\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232ivy.guo"@molcn.com.cn>: 1 Time(s)
>> WARN: address modified (recip): <\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232celian.hu...@molcn.com.cn> -> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232celian.huang"@molcn.com.cn>: 1 Time(s)
>> WARN: address modified (recip): <\347\256\261\357\274\23...@molcn.com.cn> -> <"\347\256\261\357\274\232hr"@molcn.com.cn>: 1 Time(s)
>> INFO: truncating long header field (len=2242): X-Envelope-To: =?iso-8859-1?Q?=3C=22=E7=94=B5=E5=AD=90=E9=82=AE=E7=AE=B1=EF=BC=9Ahr=22?= =?iso-8859-(28518-11) Passed SPAM, [196.46.245.152] [196.46.245.152] <authenticat...@stellawalker.co.uk> -> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232hr"@51job.com>,<c_paul_dehusijar...@bankmandiri.co.id>,<c_paul_pehusijar...@bankmandiri.co.id>,<c_paul_tehusijar...@bankmandiri.co.id>,<c_sakam...@botlfp.com>,<c_w...@buckman.com>,<c_taspasc...@bworldonline.com>,<c_s_...@colpal.com>,<c_sanit...@cvdgroup.com>,<c_pei...@hotmail.com>,<c_prajakw...@hotmail.com>,<c_pras...@hotmail.com>,<c_ram...@hotmail.com>,<c_sarun...@hotmail.com>,<c_senthilvelmuru...@hotmail.com>,<c_sim...@hotmail.com>,<c_sp...@hotmail.com>,<c_ta...@hotmail.com>,<c_te...@hotmail.com>,<c_var...@hotmail.com>,<c_w_sutherl...@hotmail.com>,<c_went...@hotmail.com>,<c_...@hotmail.com>,<c_yl2...@hotmail.com>,<c_yuan_m...@hotmail.com>,<c_y...@hotmail.com>,<"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232lee.liang"@molasia.com>,<"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232celian.huang"@molcn.com.cn>,<"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232catherine.huang"@molocb.com>,<c_somc...@nawarat.co.th>,<c_ram...@qp.com.qa>,<c_pa...@rediffmail.com>,<c_rom...@statefarm.com>,<c_vi...@streamyx.com>,<c_s...@tm.net.my>,<c...@tm.net.my>,<c_pigz...@yahoo.com>,<c_pod...@yahoo.com>,<c_q...@yahoo.com>,<c_raffyx_ventur...@yahoo.com>,<c_ram...@yahoo.com>,<c_ro...@yahoo.com>,<c_sah...@yahoo.com>,<c...@yahoo.com>,<c_t_c...@yahoo.com>,<c_t...@yahoo.com>,<c_wa...@yahoo.com>,<c_yoke...@yahoo.com>,<c_y...@yahoo.com>, Message-ID: <20150502214849.4ad1b5768...@mail.timbo.com.py>, mail_id: XBbs+KM6FQwt, Hits: 40.253, queued_as: 0FD6857688D6, 218 ms: 1 Time(s)
>> WARN: address modified (recip): <\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232olivia.c...@molcn.com.cn> -> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232olivia.chen"@molcn.com.cn>: 1 Time(s)
>> WARN: address modified (recip): <\347\224\265\345\255\220\351\202\256\347\256\261\357\274\23...@51job.com> -> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232hr"@51job.com>: 1 Time(s)
>> WARN: address modified (recip): <\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232catherine.hu...@molocb.com> -> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232catherine.huang"@molocb.com>: 1 Time(s)
>> WARN: address modified (recip): <\347\256\261\357\274\232celian.hu...@molcn.com.cn> -> <"\347\256\261\357\274\232celian.huang"@molcn.com.cn>: 1 Time(s)
>> INFO: truncating long header field (len=1254): X-Envelope-To: <a...@bpr.gov.my>, <a058...@cht.com.tw>, <a...@cht.com.tw>, <a...@cych.org.tw>, <a17830(11858-17) Passed SPAM, [196.46.246.183] [196.46.246.183] <we...@mail.ymps.ntpc.edu.tw> -> <a...@bpr.gov.my>,<a058...@cht.com.tw>,<a...@cht.com.tw>,<a...@cych.org.tw>,<a1783...@dgb.co.kr>,<a10...@email.mot.com>,<a10...@email.mot.com>,<a11...@email.mot.com>,<a11...@email.mot.com>,<a13...@email.mot.com>,<a16...@email.mot.com>,<a17...@email.mot.com>,<a18...@email.mot.com>,<a19...@email.mot.com>,<a19...@email.mot.com>,<a21...@email.mot.com>,<a19...@freescale.com>,<a09...@gmail.com>,<a1an...@gmail.com>,<a20...@gmail.com>,<a...@hotmail.com>,<a...@hotmail.com>,<"\344\274\232\350\256\241\346\226\207\345\221\230\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232ivy.guo"@molcn.com.cn>,<a12...@motorola.com>,<a16...@motorola.com>,<a17...@motorola.com>,<a17...@motorola.com>,<a17...@motorola.com>,<a19...@motorola.com>,<a20581@motorola.com>,<a22...@motorola.com>,<a22...@motorola.com>,<a20...@motorolla.com>,<a1780...@ms24.hinet.net>,<a1790...@ms24.hinet.net>,<a15....@msa.hinet.net>,<a1943.a1...@msa.hinet.net>,<a2...@n-koei.co.jp>,<a12...@tm.com.my>,<a12...@tm.com.my>,<a13...@tm.com.my>,<a15...@tm.com.my>,<a1582...@tm.com.my>,<a16...@tm.com.my>,<a12s...@um.edu.my>,<a1-m2...@yahoo.com>,<a1alaqu...@yahoo.com>,<a178...@yahoo.com.tw>, Message-ID: <20150502134124.2c1681ce0...@mail.timbo.com.py>, mail_id: yQPSPzzglZ-5, Hits: 35.918, queued_as: 895771CE0358, 213 ms: 1 Time(s)
>> WARN: address modified (recip): <\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232lee.li...@molasia.com> -> <"\347\224\265\345\255\220\351\202\256\347\256\261\357\274\232lee.liang"@molasia.com>: 1 Time(s)
>>
>> ----------------------------------------------------------------------------------------
>> Postfix
>> (There are hundreds of identical lines like these)
>> Unrecognized warning:
>> TLS library problem: 13238:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:586: : 1 Time(s)
>> TLS library problem: 13256:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:586: : 1 Time(s)
>> TLS library problem: 13334:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:586: : 1 Time(s)
>> .......
>> host 0.0.0.0[0.0.0.0]:25 replied to HELO/EHLO with my own hostname mail.timbo.com.py : 9 Time(s)
>> host akerkvaener.com[127.0.0.4]:25 replied to HELO/EHLO with my own hostname mail.timbo.com.py : 1 Time(s)
>> host blackhole.superlink.net[127.0.0.3]:25 replied to HELO/EHLO with my own hostname mail.timbo.com.py : 1 Time(s)
>> host blackhole.theglobe.com[127.0.0.2]:25 replied to HELO/EHLO with my own hostname mail.timbo.com.py : 2 Time(s)
>> host fch.in[0.0.0.0]:25 replied to HELO/EHLO with my own hostname mail.timbo.com.py : 1 Time(s)
>> host mail.airport.com[127.0.0.6]:25 replied to HELO/EHLO with my own hostname mail.timbo.com.py : 1 Time(s)
>> host your-dns-needs-immediate-attention.sony[127.0.53.53]:25 replied to HELO/EHLO with my own hostname mail.timbo.com.py : 1 Time(s)
>> network_biopair_interop: error reading 5 bytes from the network: Connection reset by peer : 36 Time(s)
>> network_biopair_interop: error reading 7 bytes from the network: Connection reset by peer : 6 Time(s)
>> network_biopair_interop: error writing 37 bytes to the network: Broken pipe : 4 Time(s)
>> network_biopair_interop: error writing 37 bytes to the network: Connection reset by peer : 5 Time(s)
>> no MX host for 265.com has a valid address record : 1 Time(s)
>> no MX host for 3com.com has a valid address record : 8 Time(s)
>> no MX host for aboutvoyeur.com has a valid address record : 1 Time(s)
>> no MX host for accu-find.com has a valid address record : 1 Time(s)
>> no MX host for amd.com.sg has a valid address record : 1 Time(s)
>> no MX host for ap.altria.com has a valid address record : 1 Time(s)
>> no MX host for apm-automotive.com.my has a valid address record : 1 Time(s)
>> no MX host for arabianbemco.com has a valid address record : 1 Time(s)
>> no MX host for arcsight.com has a valid address record : 2 Time(s)
>> no MX host for arrow-dynamic.com has a valid address record : 1 Time(s)
>> no MX host for asiabrandscorp.com has a valid address record : 4 Time(s)
>> no MX host for asiapulppaper.com has a valid address record : 1 Time(s)
>> no MX host for astral.ro has a valid address record : 4 Time(s)
>> no MX host for banco.com.sv has a valid address record : 1 Time(s)
>> no MX host for baoshan.sh.cn has a valid address record : 1 Time(s)
>> .............
>> Here the SPAM part begins:
>>
>> NOQUEUE: reject: RCPT from 118-161-241-219.dynamic.hinet.net[118.161.241.219]: 554 5.7.1 <201.217.51.105>: Helo command rejected: Access denied; from=<z200...@yahoo.com.tw> to=<vkihw...@yahoo.com.tw> proto=SMTP helo=<201.217.51.105>
>> A5E641CE0188: to=<braimahs...@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.21.26]:25, delay=8.1, delays=0.05/0.01/1.4/6.6, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.21.26] said: 550-5.7.1 [201.217.51.105 12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. f67si4365709yho.125 - gsmtp (in reply to end of DATA command))
>> A5E641CE0188: sender non-delivery notification: BBD821CE018E
>> 09F8F1CE0171: reject: RCPT from unknown[41.138.175.226]: 554 5.1.2 <da...@damex.com.br>: Recipient address rejected: Domain not found; from=<frederickfer...@yahoo.co.uk> to=<da...@damex.com.br> proto=ESMTP helo=<User>
>> 0DD601CE0171: host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 550-201.217.51.105 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks
>> E9A9A1CE0188: to=<dame...@itelefonica.com.br>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=1.3, delays=0.06/0.03/1/0.16, dsn=5.2.1, status=bounced (host vip-us-br-mx.terra.com[208.84.244.133] said: 550 5.2.1 Mailbox disabled for this recipient (in reply to RCPT TO command))
>> 0DD601CE0171: host mx1.comcast.net[96.114.157.80] refused to talk to me: 554 resimta-po-04v.sys.comcast.net comcast 201.217.51.105 Comcast block for spam. Please see http://postmaster.comcast.net/smtp-error-codes.php#BL000000
>>
>> ----------------------------------------------------------------------------------------
>> And thousands of identical lines like that.
>> But I did a more exhaustive search of the log and I see this at different points of the log, which I had to follow by the mail's ID:
>>
>> Apr 18 01:08:10 mail postfix/qmgr[23567]: CC59E1CE0171: from=<i...@treasury.gov>, size=3120, nrcpt=1 (queue active)
>> Apr 18 01:08:15 mail postfix/qmgr[23567]: 75DCF1CE0188: from=<i...@treasury.gov>, size=3589, nrcpt=1 (queue active)
>> Apr 18 01:08:15 mail postfix/smtpd[31026]: disconnect from mail.timbo.com.py[127.0.0.1]
>> Apr 18 01:08:15 mail amavis[27844]: (27844-05) Passed SPAM, [68.15.32.120] [68.15.32.120] <i...@treasury.gov> -> <harrisonworld2l...@yahoo.co.uk>, Message-ID: <20150418050809.cc59e1ce0...@mail.timbo.com.py>, mail_id: 9bkgsnbCoNNP, Hits: 28.805, queued_as: 75DCF1CE0188, 5061 ms
>> Apr 18 01:08:15 mail postfix/lmtp[31023]: CC59E1CE0171: to=<harrisonworld2l...@yahoo.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.9, delays=0.85/0.01/0/5.1, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=27844-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 75DCF1CE0188)
>> Apr 18 01:08:15 mail postfix/qmgr[23567]: CC59E1CE0171: removed
>> Apr 18 01:08:16 mail postfix/smtp[31027]: certificate verification failed for mx-eu.mail.am0.yahoodns.net: num=20:unable to get local issuer certificate
>> Apr 18 01:08:16 mail postfix/smtp[31027]: certificate verification failed for mx-eu.mail.am0.yahoodns.net: num=27:certificate not trusted
>> Apr 18 01:08:19 mail postfix/smtp[31027]: 75DCF1CE0188: to=<harrisonworld2l...@yahoo.co.uk>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=3.9, delays=0.04/0.01/1.9/1.9, dsn=2.0.0, status=sent (250 ok dirdel)
>> Apr 18 01:08:19 mail postfix/qmgr[23567]: 75DCF1CE0188: removed
>>
>> As you can see, this is where my problem comes in.
>> The From: is clearly not mine and neither is the To:; yet it goes through my server as if it owned the place. Which leaves me thinking of two possible options:
>> 1- A real system account is compromised
>> 2- There is a bot on the server.
>>
>> The first one I'll resolve little by little; I may have a small suspicion. But I would need help verifying the second. I've already run rkhunter several times and it gives me no problems, except that I use port 465 for SASL and I have an rsync active to synchronize shared files with the NAS, but it's all local. So I would need some idea of how to look for this possible bot or some other piece of software that's up to no good.
>>
>> Is there some more intensive search method that isn't just rkhunter?
>>
>> Regards,
>> David
>> _______________________________________________
>> CentOS-es mailing list
>> CentOS-es@centos.org
>> http://lists.centos.org/mailman/listinfo/centos-es
>>
>
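The excerpt David followed by queue ID only shows the post-filter copy: amavis hands the message back to Postfix on 127.0.0.1, which assigns the second ID (75DCF1CE0188), while the smtpd or pickup line that records how the message first entered belongs to the first ID (CC59E1CE0171) and is not in the excerpt. The Python script below is an added example, not code from the thread or from Postfix/amavisd-new; it automates that trace over constructed sample log lines. It links the two IDs through the lmtp "queued as" response, then classifies each outbound message by its entry record: a `sasl_username=` on the accepting smtpd (David's option 1, stolen credentials), a `pickup ... uid=` line (option 2, a local process such as a web script), or an unauthenticated remote client. Every hostname, address, queue ID and the SASL user name in SAMPLE_LOG are invented; the line syntax follows the standard Postfix and amavisd-new syslog formats visible in the thread.

```python
"""Trace outbound mail in a Postfix + amavisd-new maillog back to its entry point.

Added example (not from the thread). Feed it the whole maillog, or run it as-is
on the constructed SAMPLE_LOG below.
"""
import re
import sys
from collections import Counter, defaultdict

QID = r"(?P<qid>[0-9A-F]+)"
RE_SMTPD = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)")
RE_PICKUP = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
RE_LMTP = re.compile(r"postfix/lmtp\[\d+\]: " + QID + r": .*?\bid=(?P<task>[\w-]+), from MTA\(.*?\): 250 2\.0\.0 Ok: queued as (?P<new>[0-9A-F]+)\)")
RE_AMAVIS = re.compile(r"amavis\[\d+\]: \((?P<task>[\w-]+)\) (?P<verdict>Passed|Blocked) (?P<kind>[^,]+),.*?Hits: (?P<hits>-?[\d.]+)")
RE_SMTP = re.compile(r"postfix/smtp\[\d+\]: " + QID + r": to=<(?P<to>[^>]+)>, relay=(?P<relay>[^,]+),.*?status=(?P<status>\w+)")

# Constructed sample: invented hosts, addresses, queue IDs and SASL user; real line syntax.
SAMPLE_LOG = """\
May  2 21:48:40 mail postfix/smtpd[4101]: 3F2A1C7E0011: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=ventas@example.com.py
May  2 21:48:41 mail postfix/qmgr[2356]: 3F2A1C7E0011: from=<info@treasury.example>, size=3120, nrcpt=1 (queue active)
May  2 21:48:46 mail amavis[2784]: (2784-05) Passed SPAM, [198.51.100.23] [198.51.100.23] <info@treasury.example> -> <victim@example.net>, Message-ID: <20150502214840.3f2a1c7e0011@mail.example.com.py>, mail_id: 9bkgsnbCoNNP, Hits: 28.805, queued_as: 4A3B2C8F0022, 5061 ms
May  2 21:48:46 mail postfix/smtpd[4102]: 4A3B2C8F0022: client=mail.example.com.py[127.0.0.1]
May  2 21:48:46 mail postfix/lmtp[4103]: 3F2A1C7E0011: to=<victim@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.9, delays=0.85/0.01/0/5.1, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=2784-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4A3B2C8F0022)
May  2 21:48:50 mail postfix/smtp[4104]: 4A3B2C8F0022: to=<victim@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=3.9, delays=0.04/0.01/1.9/1.9, dsn=2.0.0, status=sent (250 ok)
May  2 22:15:01 mail postfix/pickup[2355]: 5B4C3D9A0033: uid=48 from=<apache>
May  2 22:15:01 mail postfix/qmgr[2356]: 5B4C3D9A0033: from=<apache@mail.example.com.py>, size=2210, nrcpt=1 (queue active)
May  2 22:15:03 mail amavis[2784]: (2784-09) Passed SPAM, [127.0.0.1] [127.0.0.1] <apache@mail.example.com.py> -> <target@example.org>, Message-ID: <20150502221501.5b4c3d9a0033@mail.example.com.py>, mail_id: Q1w2E3r4T5y6, Hits: 31.2, queued_as: 6C5D4E0B0044, 2010 ms
May  2 22:15:03 mail postfix/smtpd[4105]: 6C5D4E0B0044: client=mail.example.com.py[127.0.0.1]
May  2 22:15:03 mail postfix/lmtp[4103]: 5B4C3D9A0033: to=<target@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.1/0/0/2, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=2784-09, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6C5D4E0B0044)
May  2 22:15:05 mail postfix/smtp[4106]: 6C5D4E0B0044: to=<target@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=2, delays=0.1/0.01/1/0.9, dsn=5.7.1, status=bounced (host mx.example.org[192.0.2.20] said: 550 5.7.1 blocked as spam (in reply to end of DATA command))
May  2 22:20:00 mail postfix/smtpd[4107]: 7D6E5F1C0055: client=mail.partner.example[203.0.113.8]
May  2 22:20:01 mail postfix/local[4108]: 7D6E5F1C0055: to=<david@example.com.py>, relay=local, delay=0.5, delays=0.2/0.1/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
""".splitlines()


def parse(lines):
    """Index the log: entry record per queue ID, reinjection links, amavis verdicts, smtp deliveries."""
    entry, reinject, task_of, verdict = {}, {}, {}, {}
    deliveries = defaultdict(list)
    for line in lines:
        if m := RE_SMTPD.search(line):
            user = re.search(r"sasl_username=(\S+)", m.group("rest"))
            if user:                                   # authenticated submission: which account?
                entry[m.group("qid")] = ("sasl", user.group(1), m.group("ip"))
            elif m.group("ip") == "127.0.0.1":         # content filter handing the message back
                entry[m.group("qid")] = ("reinject", m.group("host"), m.group("ip"))
            else:                                      # unauthenticated remote client
                entry[m.group("qid")] = ("smtp", m.group("host"), m.group("ip"))
        elif m := RE_PICKUP.search(line):              # local sendmail(1)/mail() submission
            entry[m.group("qid")] = ("local", f"uid={m.group('uid')} from=<{m.group('from')}>", "127.0.0.1")
        elif m := RE_LMTP.search(line):                # post-filter ID -> pre-filter ID
            reinject[m.group("new")] = m.group("qid")
            task_of[m.group("qid")] = m.group("task")
        elif m := RE_AMAVIS.search(line):
            verdict[m.group("task")] = (m.group("verdict"), m.group("kind"), float(m.group("hits")))
        elif m := RE_SMTP.search(line):                # only smtp(8), i.e. mail leaving the box
            deliveries[m.group("qid")].append((m.group("to"), m.group("relay"), m.group("status")))
    return entry, reinject, task_of, verdict, deliveries


def trace_outbound(lines):
    """One record per queue ID that was handed to a remote MX, with its true entry point."""
    entry, reinject, task_of, verdict, deliveries = parse(lines)
    report = []
    for qid, dels in deliveries.items():
        origin, seen = qid, set()
        while origin in reinject and origin not in seen:   # walk back over content-filter hops
            seen.add(origin)
            origin = reinject[origin]
        kind, detail, ip = entry.get(origin, ("unknown", "no entry line in input", "-"))
        v = verdict.get(task_of.get(origin, ""), ("-", "-", 0.0))
        report.append({"qid": qid, "origin": origin, "entry": kind, "detail": detail,
                       "client_ip": ip, "amavis": f"{v[0]} {v[1]}", "hits": v[2], "deliveries": dels})
    return report


def summarize(report):
    """Count outbound messages per entry point, e.g. per SASL account or per local uid."""
    return Counter((r["entry"], r["detail"]) for r in report)


if __name__ == "__main__":
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    rows = trace_outbound(lines)
    for r in rows:
        print(f"{r['qid']} <- {r['origin']} entry={r['entry']} ({r['detail']}, {r['client_ip']}) "
              f"amavis={r['amavis']} hits={r['hits']} deliveries={len(r['deliveries'])}")
    for (kind, detail), n in summarize(rows).most_common():
        print(f"{n:5d}  {kind:8s} {detail}")
```

On a live system run it as `python3 trace.py < /var/log/maillog` (the exact path is an assumption). The `client=` line carrying `sasl_username=` is written by whichever smtpd accepted the message, including the SASL listener on port 465 David mentions, so the complete log must be fed in rather than only the amavis or smtp lines. A `local` entry with `uid=48 from=<apache>` points at a script run by the web server, a `sasl` entry names the account whose password to reset, and a `smtp` entry from a non-local address on an outbound message means the server relayed for an unauthenticated client.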