> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of /dev/rob0
> Sent: Monday, 11 January 2010 16:50
> To: postfix-users@postfix.org
> Subject: Re: Spam Attack on my outgoing server
>
> On Mon, Jan 11, 2010 at 03:27:05PM -0300, Damian Rivas wrote:
>> I have a Postfix box basically configured to send mail from my
>> organization to the Internet. Today I received a warning message
>> telling me that the mail queue was full.
>
> Who/what sent you that warning?

My apologies, I haven't expressed myself correctly. What I received was a Postfix message telling me that the hard disk was full (it is a small 4GB disk). When I checked the queue a bit, I was bombarded by this t...@963.net guy; I had thousands of deferred mails from this address. There were also some mails like "thismailisnotchec...@gmail.com", the guy has some nice humour after all, he he. Other messages were from the null sender <>, just bounces to t...@963.net. Now the address has changed to t...@citsclub.cn.

>> It seems that some Spammer is using my server as an Open Relay, so
>> I used the "check_sender_access" function to only allow my domains
>> to send mail to the outside, but it is not working and I don't know
>> what to do, perhaps you can give me some tips.
>
> No evidence below suggests that you might be an open relay. LOGS!
>
>> postconf -n output:
>> mynetworks = 127.0.0.0/8, 200.55.14.248/29, 190.210.52.88/29
>
> These are the hosts allowed to relay. Don't mung the IP addresses.
> They can probably be looked up anyway, using the domain names that
> weren't hidden (good).

Yeah, you are totally right, I'm a bit silly today, sorry about that.

>> relay_domains = cht.com.ar, skalbue.com.ar, ci-educ.com.ar,
>> hispanoamericana.com.ar, aaovyt.com.ar, consulthouse.travel,
>> consul.travel
>
> If this is outgoing only, why are there relay_domains?

That's because I was copying a config file from another Postfix server (for relaying incoming mail) to rewrite this one, but I was in a rush because of the situation and I forgot to remove that line. Same as before, I'm totally dumb today.

>> smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>> = hash :/etc/postfix/sender_map, reject_non_fqdn_sender,
>> reject_unknown_sender_domain, permit
>
> The second "=" is not correct syntax. Except for the two reject_*
> restrictions, this stage does nothing. And as documented, it CANNOT
> permit relaying; this is controlled only in
> smtpd_recipient_restrictions .

I took a very quick and bad guess at what was really happening. I knew it was impossible to be an Open Relay, but when I found no clues I didn't know what to think. Probably it's because it's Monday and I'm taking vacations next week, so my mind is in another place.

Noel suggested a problem with the web server, a vulnerable form. I talked with the webmaster and he told me that the forms are possibly insecure, but I was also told that the web was down during the weekend AND the mailing issue started during the weekend. Well, it could be a coincidence or not, gotta check. I started to search in the web access logs; there was no trace of the spammer IP during the weekend. So there was no evidence pointing to a problem on the web server. Time to get back to Postfix.

I have corrected the main.cf to adapt to what Noel suggested. Until that moment I was not receiving any postfix/smtpd message in the logs, but after that they started to appear "magically" and I discovered something interesting. All incoming mail seems to come from ns1.cht.com.ar, which is a gateway for the internal mail server; this is, by the way, where they are normally sent. There were no smtpd outputs before because the Spam was cycling and there was no room for any new mail. (I deleted all the spammer mails; of course they keep coming.) I checked the internal mail server today and there were no clues to point out that spam was generated inside and sent to the Postfix box.

But now, at this precise moment, I'm watching a lot of junk being generated on the server, so there is the source of the problem: I have a worm on my internal web server, no Postfix issue.

Thank you all for your help, I'm going to solve this now.

Regards,
Damián
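The two points /dev/rob0 makes about the posted restriction list (the stray "=" and the space inside "hash :/etc/postfix/sender_map" break the tokenization, and a "permit" in smtpd_sender_restrictions cannot grant relaying) are easy to miss by eye. The following is an added example, not code from the thread or from the Postfix project: a small linter that parses a main.cf fragment the way Postfix splits restriction lists (on whitespace and commas, with indented continuation lines), flags malformed check_*_access arguments, and notes when "permit" appears in a stage that does not control relaying. The BROKEN_MAIN_CF and FIXED_MAIN_CF snippets are constructed to mirror the posted configuration and its corrected form; the helper names are my own.

```python
"""Lint Postfix smtpd_*_restrictions lists for malformed lookup-table tokens
and for 'permit' in a stage that cannot grant relaying.

Added example (not from the thread). Assumes Postfix's documented parsing:
restriction lists are split on whitespace/commas, continuation lines start
with whitespace, and a table reference is a single token of the form type:name.
"""
import re

# Constructed fragment reproducing the posted (broken) restriction list.
BROKEN_MAIN_CF = """\
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
    = hash :/etc/postfix/sender_map, reject_non_fqdn_sender,
    reject_unknown_sender_domain, permit
"""

# The same list with the syntax repaired: one type:name token after the check.
FIXED_MAIN_CF = """\
smtpd_sender_restrictions = permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_map,
    reject_non_fqdn_sender, reject_unknown_sender_domain, permit
"""

# Restrictions whose next token must be a lookup table (type:name).
TABLE_ARG = {"check_sender_access", "check_recipient_access",
             "check_client_access", "check_helo_access"}

# Stages that decide relaying: smtpd_recipient_restrictions on the 2010-era
# Postfix in the thread, plus smtpd_relay_restrictions on Postfix >= 2.10.
RELAY_STAGES = {"smtpd_recipient_restrictions", "smtpd_relay_restrictions"}


def parse_main_cf(text):
    """Return {parameter: value}, joining indented continuation lines."""
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def tokens(value):
    """Split a restriction list as Postfix does: on whitespace and commas."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def lint_restrictions(param, value):
    """Return a list of human-readable findings for one restriction list."""
    findings = []
    toks = tokens(value)
    for i, tok in enumerate(toks):
        if tok == "=":
            findings.append(f"{param}: stray '=' at token {i}; a parameter takes one '='")
        elif tok.startswith(":"):
            findings.append(f"{param}: '{tok}' has a space before ':'; write type:name as one token")
        elif tok in TABLE_ARG:
            nxt = toks[i + 1] if i + 1 < len(toks) else ""
            if not re.fullmatch(r"[a-z]+:\S+", nxt):
                findings.append(f"{param}: {tok} must be followed by type:name, got '{nxt}'")
    if "permit" in toks and param not in RELAY_STAGES:
        findings.append(f"{param}: note: 'permit' here cannot grant relaying; "
                        f"relay policy is decided in smtpd_recipient_restrictions")
    return findings


def lint_main_cf(text):
    """Lint every smtpd_*_restrictions parameter in a main.cf fragment."""
    out = []
    for name, value in parse_main_cf(text).items():
        if name.startswith("smtpd_") and name.endswith("_restrictions"):
            out.extend(lint_restrictions(name, value))
    return out


if __name__ == "__main__":
    for finding in lint_main_cf(BROKEN_MAIN_CF):
        print("BROKEN:", finding)
    for finding in lint_main_cf(FIXED_MAIN_CF):
        print("FIXED: ", finding)
```

Run against the posted list the linter reports three syntax findings plus the "permit" note; against the repaired list only the note remains, which is the point of the thread: the fix makes the sender map take effect, but outbound relay policy still has to be expressed in smtpd_recipient_restrictions (via mynetworks or an explicit access map there).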