Gaston Dassieu Blanchet wrote:
Dear All,

I have found the below in my Postfix logs. I believe I have a backscatter
problem, which seems to have gotten me in some SPAM black lists out there:

[EMAIL PROTECTED]:/home/root# cat /var/log/maillog* | grep 54EF0453B
Aug 18 18:26:19 Natsumi postfix/smtpd[12950]: 54EF0453B: client=
c-68-44-19-67.hsd1.nj.comcast.net[68.44.19.67]
Aug 18 18:26:20 Natsumi postfix/cleanup[12954]: 54EF0453B:
[EMAIL PROTECTED]
Aug 18 18:26:20 Natsumi postfix/qmgr[2661]: 54EF0453B: from=<
[EMAIL PROTECTED]>, size=1009, nrcpt=5 (queue
active)
Aug 18 18:26:21 Natsumi postfix/local[12959]: 54EF0453B: to=<
[EMAIL PROTECTED]>, relay=local, delay=2.3, delays=1.8/0.42/0/0.02,
dsn=2.0.0, status=sent (delivered to maildir)
Aug 18 18:26:21 Natsumi postfix/local[12958]: 54EF0453B: to=<
[EMAIL PROTECTED]>, relay=local, delay=2.3, delays=1.8/0.27/0/0.2,
dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file
//Maildir/tmp/1219094781.P12958.Natsumi: Permission denied)
Aug 18 18:26:21 Natsumi postfix/local[12958]: 54EF0453B: to=<
[EMAIL PROTECTED]>, relay=local, delay=2.3, delays=1.8/0.47/0/0.01,
dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file
/var/spool/uucppublic/Maildir/tmp/1219094781.P12958.Natsumi: Permission
denied)
Aug 18 18:26:21 Natsumi postfix/local[12959]: 54EF0453B: to=<
[EMAIL PROTECTED]>, relay=local, delay=2.3, delays=1.8/0.45/0/0.03,
dsn=2.0.0, status=sent (delivered to maildir)
Aug 18 18:26:21 Natsumi postfix/local[12955]: 54EF0453B: to=<
[EMAIL PROTECTED]>, relay=local, delay=2.3, delays=1.8/0.07/0/0.45,
dsn=2.0.0, status=sent (delivered to maildir)
Aug 18 18:26:21 Natsumi postfix/bounce[12960]: 54EF0453B: sender
non-delivery notification: 6B26F4544
Aug 18 18:26:21 Natsumi postfix/qmgr[2661]: 54EF0453B: removed

If my understanding is correct, I am receiving SPAM with a forged source
address. This SPAM is accepted by my valid mailboxes (
[EMAIL PROTECTED] above), and *bounced* (not rejected!) by my
invalid mailboxes (mail, uucp, ... above).

This bounce notification is then sent to the forged source address:

[EMAIL PROTECTED]:/home/root# cat /var/log/maillog* | grep 6B26F4544
Aug 18 18:26:21 Natsumi postfix/cleanup[12962]: 6B26F4544: message-id=<
[EMAIL PROTECTED]>
Aug 18 18:26:21 Natsumi postfix/qmgr[2661]: 6B26F4544: from=<>, size=3502,
nrcpt=1 (queue active)
Aug 18 18:26:21 Natsumi postfix/bounce[12960]: 54EF0453B: sender
non-delivery notification: 6B26F4544
Aug 18 18:26:25 Natsumi postfix/smtp[12944]: 6B26F4544: to=<
[EMAIL PROTECTED]>, relay=
networkworld.com.s6a1.psmtp.com[64.18.5.10]:25, delay=4.1,
delays=0.09/0/3.4/0.58, dsn=5.0.0, status=bounced (host
networkworld.com.s6a1.psmtp.com[64.18.5.10] said: 550 No such user - psmtp
(in reply to RCPT TO command))
Aug 18 18:26:26 Natsumi postfix/qmgr[2661]: 6B26F4544: removed

I am quite worried about this. Could anyone kindly help me figure out which
postfix 2.5.1 configuration parameters I can use to prevent this type of
abuse?

Thank you very much in advance,
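The pattern described in the post (message accepted over SMTP, some local deliveries fail, Postfix generates a non-delivery notification to the forged sender) can be picked out of a maillog automatically by correlating queue IDs. The following is an added example, not code from the thread; the log lines embedded in it are constructed from the excerpt above with placeholder hostnames and addresses, and the regular expressions assume the standard one-entry-per-line Postfix log format rather than the client-wrapped lines shown in the mail.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the excerpt in the thread. Hostnames and
# addresses are placeholders (not the original poster's); each entry is one
# line, as in a real maillog, rather than wrapped by a mail client.
SAMPLE_LOG = """\
Aug 18 18:26:19 mx postfix/smtpd[12950]: 54EF0453B: client=host.example.net[192.0.2.10]
Aug 18 18:26:20 mx postfix/qmgr[2661]: 54EF0453B: from=<forged@example.org>, size=1009, nrcpt=5 (queue active)
Aug 18 18:26:21 mx postfix/local[12959]: 54EF0453B: to=<alice@example.com>, relay=local, delay=2.3, delays=1.8/0.42/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Aug 18 18:26:21 mx postfix/local[12958]: 54EF0453B: to=<mail@example.com>, relay=local, delay=2.3, delays=1.8/0.27/0/0.2, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file //Maildir/tmp/1219094781.P12958.mx: Permission denied)
Aug 18 18:26:21 mx postfix/local[12958]: 54EF0453B: to=<uucp@example.com>, relay=local, delay=2.3, delays=1.8/0.47/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /var/spool/uucppublic/Maildir/tmp/1219094781.P12958.mx: Permission denied)
Aug 18 18:26:21 mx postfix/bounce[12960]: 54EF0453B: sender non-delivery notification: 6B26F4544
Aug 18 18:26:21 mx postfix/qmgr[2661]: 54EF0453B: removed
Aug 18 18:26:21 mx postfix/qmgr[2661]: 6B26F4544: from=<>, size=3502, nrcpt=1 (queue active)
Aug 18 18:26:25 mx postfix/smtp[12944]: 6B26F4544: to=<forged@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=4.1, delays=0.09/0/3.4/0.58, dsn=5.0.0, status=bounced (host mx.example.org[198.51.100.5] said: 550 No such user (in reply to RCPT TO command))
Aug 18 18:26:26 mx postfix/qmgr[2661]: 6B26F4544: removed
"""

# One Postfix log entry: "postfix/<prog>[<pid>]: <queue id>: <rest>"
ENTRY_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
TO_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>.*?relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
NDN_RE = re.compile(r"sender non-delivery notification: (?P<bid>[0-9A-F]+)")


def parse_log(text):
    """Group the facts we need by queue ID: inbound client, envelope sender,
    local deliveries that bounced, the NDN queue ID, and outbound deliveries."""
    records = defaultdict(lambda: {"client": None, "sender": None,
                                   "local_bounced": [], "bounce_id": None, "out": []})
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        prog, qid, rest = m.group("prog", "qid", "rest")
        rec = records[qid]
        if prog == "smtpd" and rest.startswith("client="):
            rec["client"] = rest[len("client="):]          # message arrived over SMTP
        elif prog == "qmgr":
            fm = FROM_RE.search(rest)
            if fm:
                rec["sender"] = fm.group("sender")          # envelope sender (may be forged)
        elif prog == "local":
            tm = TO_RE.search(rest)
            if tm and tm.group("status") == "bounced":
                rec["local_bounced"].append(tm.group("rcpt"))
        elif prog == "smtp":
            tm = TO_RE.search(rest)
            if tm:
                rec["out"].append((tm.group("rcpt"), tm.group("relay"), tm.group("status")))
        elif prog == "bounce":
            bm = NDN_RE.search(rest)
            if bm:
                rec["bounce_id"] = bm.group("bid")          # NDN generated for this message
    return records


def find_backscatter(text):
    """Return one finding per inbound message that was accepted, failed local
    delivery for some recipients, and produced an NDN to the envelope sender."""
    records = parse_log(text)
    findings = []
    for qid, rec in records.items():
        if rec["client"] is None or not rec["local_bounced"] or rec["bounce_id"] is None:
            continue
        ndn = records.get(rec["bounce_id"], {})   # .get() does not create a default entry
        findings.append({
            "queue_id": qid,
            "client": rec["client"],
            "forged_sender": rec["sender"],
            "accepted_then_failed": sorted(r.split("@")[0] for r in rec["local_bounced"]),
            "bounce_id": rec["bounce_id"],
            "bounce_sent_to": [o[0] for o in ndn.get("out", [])],
        })
    return findings


def accounts_to_block(findings):
    """Local parts that were accepted at RCPT TO but can never be delivered:
    candidates for a check_recipient_access REJECT entry."""
    return sorted({name for f in findings for name in f["accepted_then_failed"]})


if __name__ == "__main__":
    found = find_backscatter(SAMPLE_LOG)
    for f in found:
        print(f"{f['queue_id']}: accepted from {f['client']}, local delivery failed for "
              f"{f['accepted_then_failed']}, NDN {f['bounce_id']} sent to {f['bounce_sent_to']}")
    print("accounts to reject at RCPT TO:", accounts_to_block(found))
```

Run against a real maillog, each finding names the recipients whose delivery failed after the message was already accepted; those local parts are exactly the ones that should be refused during the SMTP dialogue so that no bounce is ever generated.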

spammer is targeting well-known unix accounts. use check_recipient_access to reject mail sent to "mail", "uucp", "apache", "www", "ftp", ... (all unix accounts that are not supposed to receive mail).

PS. be careful with accounts that are used to run cron jobs. in case of errors, cron will send mail on behalf of these users. if such mail is sent to the mail server, it should not be rejected.
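A concrete form of the check_recipient_access setup suggested in the reply, written here as an added example (it is not configuration from the thread); the table name no_mail_accounts, the file paths, the reject text and the domain are assumptions. Postfix evaluates smtpd_recipient_restrictions in order, and an access(5) key of the form "user@" matches that local part in every domain the server accepts mail for.

```conf
# /etc/postfix/main.cf (added example; paths and table name are assumptions)
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/no_mail_accounts

# /etc/postfix/no_mail_accounts
# "user@" keys match the local part in any domain; run
#   postmap /etc/postfix/no_mail_accounts
# after every edit so the .db file is rebuilt.
mail@      REJECT This system account does not accept mail
uucp@      REJECT This system account does not accept mail
apache@    REJECT This system account does not accept mail
www@       REJECT This system account does not accept mail
ftp@       REJECT This system account does not accept mail
```

With this in place, RCPT TO for one of the listed addresses is answered with a 5xx code during the SMTP dialogue, so the message is never accepted and no non-delivery notification is created for the forged sender. Mail that cron hands to the local sendmail command does not pass through smtpd restrictions at all, and cron mail submitted over SMTP from a host listed in mynetworks is permitted by permit_mynetworks before the access check is reached, which addresses the caveat in the PS.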
