> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones
> Sent: Thursday, February 19, 2009 10:34 AM
> To: Tait Grove; 'postfix users list'
> Subject: Re: Hacking activity
>
> Tait Grove wrote:
> > I did open a few of the messages. The user has taken over the dovecot
> > account. So all the emails are coming from dove...@local.servername.net
> > through postfix. I thought for sure an account had been compromised. Dovecot
> > is a local, unix user, with nologin, and the account is locked out as far as
> > the OS is concerned. I looked at my webmail, thinking that could be the
> > case, but they are not getting in through there. Somehow they are piping
> > commands into my mail to get it to send email out - tons of stuff to/from
> > Brazil.
>
> You need to examine the logs related to one of the unwanted
> messages.
>
> > My CONF file:
> >
> > mynetworks = 127.0.0.0/8, {EXTERNAL_IP_RANGE}/8, {INTERNAL_IP_RANGE}/25,
> > $myhostname
>
> I hope the /8 and /25 got reversed during your munging-fest.
>
> I don't see any other glaring errors. Your log will have the
> interesting information.
>
> Pick a QUEUEID from a suspect message and grep the log for it.
>
> -- Noel Jones
Thanks Noel. After looking further into my issue it turned out to be a backscatter problem from some abnormal activity. I saw a few posts about that earlier, so I will just apply that.

> I hope the /8 and /25 got reversed during your munging-fest.

You have sharp eyes, yes, that is reversed.

----

Here is the post that I was going to follow to cure the backscatter problem.

> On Thu, Feb 19, 2009 at 09:39:42AM -0600, Noel Jones wrote:
>> You can use the ips.backscatterer.org to reject bounces (*NOT* all
>> mail) from known backscatter sources. Do this in
>> smtpd_data_restrictions for compatibility with sender address verification.
>>
>> # main.cf
>> smtpd_data_restrictions =
>>     check_sender_access hash:/etc/postfix/backscatterer
>>
>> # backscatterer
>> <>    reject_rbl_client ips.backscatterer.org
>
> Just wondering; why do you apply this in smtpd_data_restrictions and
> not in smtpd_sender_restrictions?
>
> Some sender verification tools use the null sender address.
> Some sites doing such verification are listed as backscatter sources - and
> may be the reason they are listed.
> At any rate, you must allow their probes if you want to communicate with
> them. Delaying the rbl check until the DATA stage allows address probes,
> but blocks real mail.
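The two pieces of advice in this thread, grepping the log for a suspect message's queue ID and letting only null-sender mail reach the ips.backscatterer.org check, as an added example that is not part of the original posts or of Postfix. Everything in it is constructed: the log lines and queue IDs are made up, the addresses are RFC 5737 documentation ranges, the mynetworks value (127.0.0.0/8 plus 192.0.2.0/25) is hypothetical, and a plain set of "listed" IPs stands in for the real DNSBL query.

```python
"""Triage of a suspect Postfix message by queue ID, plus an emulation of the
DATA-stage backscatterer check quoted in the thread.  Added example; nothing
here comes from the original posts or from Postfix itself.

Constructed sample data: the log lines, queue IDs and message flow are
made up; IP addresses are RFC 5737 documentation ranges.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed Postfix log excerpt: three messages, all to the same local user.
#   7A1B2C3D4E  null-sender bounce from an unknown external host (backscatter suspect)
#   5F6E7D8C9B  ordinary mail with a real envelope sender
#   1C2D3E4F5A  mail from the same external host but with a real sender
SAMPLE_LOG = """\
Feb 19 10:12:01 mail postfix/smtpd[1234]: connect from unknown[203.0.113.45]
Feb 19 10:12:02 mail postfix/smtpd[1234]: 7A1B2C3D4E: client=unknown[203.0.113.45]
Feb 19 10:12:02 mail postfix/qmgr[1100]: 7A1B2C3D4E: from=<>, size=4120, nrcpt=1 (queue active)
Feb 19 10:12:03 mail postfix/local[1250]: 7A1B2C3D4E: to=<jsmith@example.net>, relay=local, delay=1.2, delays=0.8/0.01/0/0.4, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 19 10:12:03 mail postfix/qmgr[1100]: 7A1B2C3D4E: removed
Feb 19 10:13:10 mail postfix/smtpd[1236]: 5F6E7D8C9B: client=mx.example.com[198.51.100.7]
Feb 19 10:13:10 mail postfix/qmgr[1100]: 5F6E7D8C9B: from=<alice@example.com>, size=2210, nrcpt=1 (queue active)
Feb 19 10:13:11 mail postfix/local[1250]: 5F6E7D8C9B: to=<jsmith@example.net>, relay=local, delay=0.9, delays=0.5/0.01/0/0.3, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 19 10:13:11 mail postfix/qmgr[1100]: 5F6E7D8C9B: removed
Feb 19 10:14:20 mail postfix/smtpd[1238]: 1C2D3E4F5A: client=unknown[203.0.113.45]
Feb 19 10:14:20 mail postfix/qmgr[1100]: 1C2D3E4F5A: from=<bob@example.org>, size=900, nrcpt=1 (queue active)
Feb 19 10:14:21 mail postfix/local[1250]: 1C2D3E4F5A: to=<jsmith@example.net>, relay=local, delay=0.7, delays=0.4/0.01/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 19 10:14:21 mail postfix/qmgr[1100]: 1C2D3E4F5A: removed
"""

# Hypothetical mynetworks for this example (the thread's real values were munged).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/25")]

QID_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-Za-z]{10,16}): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=(?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>,(?: orig_to=<[^>]*>,)? relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")


def parse_log(text):
    """The 'grep the log for the queue ID' step: group lines by queue ID.
    Lines without a queue ID (connect/disconnect, NOQUEUE rejects, warnings) are skipped."""
    by_qid = defaultdict(list)
    for line in text.splitlines():
        m = QID_RE.search(line)
        if m:
            by_qid[m.group("qid")].append(line)
    return dict(by_qid)


def summarize(qid, lines):
    """Pull the fields a human would read off the grep output: client, envelope sender, deliveries."""
    s = {"qid": qid, "client_name": None, "client_ip": None, "sender": None, "deliveries": []}
    for line in lines:
        rest = QID_RE.search(line).group("rest")
        if (m := CLIENT_RE.match(rest)):
            s["client_name"], s["client_ip"] = m.group("name"), m.group("ip")
        elif (m := FROM_RE.match(rest)):
            s["sender"] = m.group("sender")  # "" means the null sender <>
        elif (m := TO_RE.match(rest)):
            s["deliveries"].append((m.group("rcpt"), m.group("relay"), m.group("status")))
    return s


def is_backscatter_candidate(summary, mynetworks=MYNETWORKS):
    """A bounce (null sender) that an outside host handed us for local delivery is
    worth reading as possible backscatter.  Null-sender mail is also how sender
    address verification probes arrive, so this flags a message to inspect, not
    one to discard."""
    if summary["client_ip"] is None or summary["sender"] is None:
        return False
    ip = ipaddress.ip_address(summary["client_ip"])
    external = not any(ip in net for net in mynetworks)
    delivered_locally = any(relay == "local" for _, relay, _ in summary["deliveries"])
    return summary["sender"] == "" and external and delivered_locally


def data_stage_verdict(summary, listed_ips):
    """Emulates the quoted configuration:
         smtpd_data_restrictions = check_sender_access hash:/etc/postfix/backscatterer
         # backscatterer:   <>   reject_rbl_client ips.backscatterer.org
    The access map's only key is '<>', so a non-null sender never triggers the
    DNSBL lookup; `listed_ips` is a constructed stand-in for the real
    ips.backscatterer.org query.  Returns 'reject' or 'permit'."""
    if summary["sender"] != "":
        return "permit"
    return "reject" if summary["client_ip"] in listed_ips else "permit"


def triage(log_text, listed_ips, mynetworks=MYNETWORKS):
    """One row per queue ID: (qid, client_ip, sender, backscatter_candidate, verdict)."""
    rows = []
    for qid, lines in parse_log(log_text).items():
        s = summarize(qid, lines)
        shown = "<>" if s["sender"] == "" else s["sender"]
        rows.append((qid, s["client_ip"], shown,
                     is_backscatter_candidate(s, mynetworks), data_stage_verdict(s, listed_ips)))
    return rows


if __name__ == "__main__":
    # Constructed: pretend 203.0.113.45 is listed by the DNSBL.
    for row in triage(SAMPLE_LOG, listed_ips={"203.0.113.45"}):
        print(row)
```

Run against the constructed log, only 7A1B2C3D4E is both flagged and rejected: 1C2D3E4F5A comes from the same listed host but carries a real sender, so the access map never consults the list for it, which is the "reject bounces, not all mail" property the quoted config relies on. What the emulation does not model is the stage: in the real server the lookup runs at DATA, after the sender has been seen but late enough that a verification probe (which never sends DATA) is not turned away.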