Hi all, I'm sure many of you are battling this issue. Our mailserver is being blacklisted so often it's getting painful.
I don't believe this is a postfix issue, but most of the brilliant mail server admins are here :) I'm pretty sure the following is happening; here's the news from the squirrelmail site.

--
SECURITY: Spam Alert
Feb 23, 2009 by Paul Lesniewski

The spammer that has been sullying our good name for the past year continues to send out huge amounts of spam encouraging people to supposedly upgrade to what they claim is our newest version, 1.4.15. That is in fact not our newest version, but moreover, they provide a link in their spam that sends the victim to a login page that looks like the normal SquirrelMail login page - if you input any credentials on this page, of course, the spammer takes them and most likely uses them to send spam from your email account. You can NEVER upgrade SquirrelMail by simply "logging in" somewhere. The SquirrelMail team NEVER sends out unsolicited email, especially any that require your personal email username and password!
--

It's easy to spot the users who have been compromised, for example, the headers:

    Received: from 41.205.169.109 (SquirrelMail authenticated user runningcreekcas...@fearmail.com.au) by webmail.fearmail.com.au with HTTP;

Just change the user's password and slap them for clicking on the link. Easy.

However, my question (finally) is :)

    Received: from 217.21.80.109 (SquirrelMail authenticated user redac...@fearmail.com.au by webmail.fearmail.com.au with HTTP;

I have no user called 'redacted' in our email user auth database. I've checked and rechecked, and the bulk of these messages all have the same headers:

    (SquirrelMail authenticated user redac...@fearmail.com.au by webmail.fearmail.com.au with HTTP;

Can anyone shed some light on this?
--
fearmail01:~# postconf -n

    body_checks = pcre:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    content_filter = amavis:[127.0.0.1]:10024
    disable_vrfy_command = yes
    header_checks = pcre:/etc/postfix/header_checks
    inet_interfaces = all
    local_recipient_maps = $virtual_mailbox_maps
    mailbox_size_limit = 31457280
    message_size_limit = 10240000
    mydestination =
    myhostname = mail.fearmail.com.au
    mynetworks = <all our ips>
    receive_override_options = no_address_mappings
    smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, check_sender_access hash:/etc/postfix/access, permit_mynetworks
    smtpd_data_restrictions = reject_unauth_pipelining, permit
    smtpd_delay_reject = yes
    smtpd_error_sleep_time = 0
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/access
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unverified_recipient, check_sender_access hash:/etc/postfix/access, check_policy_service inet:127.0.0.1:60000
    smtpd_restriction_classes = greylist
    smtpd_sasl_auth_enable = yes
    smtpd_sender_restrictions = check_client_access hash:/etc/postfix/access, check_sender_access hash:/etc/postfix/access, permit_mynetworks
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    strict_rfc821_envelopes = yes
    unknown_local_recipient_reject_code = 550
    unverified_recipient_reject_code = 550
    virtual_alias_domains =
    virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_forwardings.cf mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_create_maildirsize = yes
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /home/vmail
    virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_limit = 31457280
    virtual_mailbox_limit_inbox = yes
    virtual_mailbox_limit_maps = static:31457280
    virtual_mailbox_limit_override = yes
    virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_maildir_limit_message = Sorry, the user's mailbox has gone over quota, please try again later.
    virtual_transport = virtual
    virtual_uid_maps = static:5000

Thanks very much for your time :)

Regards,
Ross

DISCLAIMER: This e-mail and any files transmitted with it may be privileged and confidential, and are intended only for the use of the intended recipient. If you are not the intended recipient or responsible for delivering this e-mail to the intended recipient, any use, dissemination, forwarding, printing or copying of this e-mail and any attachments is strictly prohibited. If you have received this e-mail in error, please REPLY TO the SENDER to advise the error AND then DELETE the e-mail from your system. Any views expressed in this e-mail and any files transmitted with it are those of the individual sender, except where the sender specifically states them to be the views of our organisation. Our organisation does not represent or warrant that the attached files are free from computer viruses or other defects. 27/3/2009 The user assumes all responsibility for any loss or damage resulting directly or indirectly from the use of the attached files. In any event, the liability to our organisation is limited to either the resupply of the attached files or the cost of having the attached files resupplied.
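The triage Ross describes by hand (reading the SquirrelMail "authenticated user" Received headers, comparing the login name against the mailbox table, spotting the bulk senders) as a small detection script. This is an added example, not code from the thread; it assumes the addresses from the virtual_mailbox_maps table have been exported into a Python set, and all header values below are constructed.

```python
import re
from collections import Counter, defaultdict

# Received header that SquirrelMail prepends on webmail submissions.
# The second header quoted in the post lacks the closing ")", so it is optional.
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(SquirrelMail authenticated user\s+(?P<user>\S+?)\)?\s+"
    r"by\s+(?P<host>\S+)\s+with\s+HTTP"
)

def audit_webmail_logins(headers, known_users, max_per_ip=20):
    """Group SquirrelMail logins by user and source IP.

    Returns (by_user, unknown_users, noisy): by_user maps user -> Counter of IPs,
    unknown_users is the set of logins whose address is not in the mailbox table,
    and noisy lists (user, ip, count) triples above max_per_ip submissions.
    """
    by_user = defaultdict(Counter)
    known = {u.lower() for u in known_users}
    for line in headers:
        m = RECEIVED_RE.search(line)
        if not m:
            continue
        by_user[m.group("user").lower()][m.group("ip")] += 1
    unknown = {u for u in by_user if u not in known}
    noisy = [(u, ip, n) for u, ips in by_user.items()
             for ip, n in ips.items() if n > max_per_ip]
    return dict(by_user), unknown, noisy

# Constructed sample: a normal user, a compromised mailbox sending in bulk, an
# address that does not exist in the mailbox table, and one unrelated header.
SAMPLE_HEADERS = (
    ["Received: from 192.0.2.10 (SquirrelMail authenticated user alice@example.com.au) "
     "by webmail.example.com.au with HTTP;"] * 2
    + ["Received: from 198.51.100.7 (SquirrelMail authenticated user bob@example.com.au) "
       "by webmail.example.com.au with HTTP;"] * 25
    + ["Received: from 203.0.113.9 (SquirrelMail authenticated user ghost@example.com.au "
       "by webmail.example.com.au with HTTP;"] * 3
    + ["Received: from mx.example.net (mx.example.net [198.51.100.2]) by mail.example.com.au"]
)
KNOWN_USERS = {"alice@example.com.au", "bob@example.com.au"}

if __name__ == "__main__":
    by_user, unknown, noisy = audit_webmail_logins(SAMPLE_HEADERS, KNOWN_USERS)
    for u in sorted(unknown):
        print(f"login as non-existent mailbox {u}: {dict(by_user[u])}")
    for u, ip, n in noisy:
        print(f"{u} submitted {n} messages from {ip}: password reset candidate")
```

A login name that is absent from the mailbox table cannot have passed the webmail's own authentication, so that case deserves a look at the webmail host itself rather than only a password reset.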