Thanks for the help so far. I already posted my config file in the very first post. However, I will repost it, plus an additional log file of the attack. Yes, to me it seems like an open relay. As stated before, when I run tests they say closed relay. As for reading the howtos, I have been through them over and over again. When I find a change or something I need to add, I apply the changes. Just two weeks ago I applied a change. The week before that I cleaned up the config file for Postfix. This does help get rid of a lot of spam, but I still get what is posted below.

A quick rundown of the system again: running MySQL, Postfix, Dovecot, Postfixadmin, MailScanner (uses ClamAV and SpamAssassin), Postini, CentOS 5.X (cannot remember the exact version), and running this virtual with multiple domains. Posted the config file and the log file for all of you to admire my horrible work. LOL. Like I said on another post, the system worked great for about 1 year, then out of the blue we get this.

Yes, we do have a firewall, but when we block the IP number, they just change IP number. Plus, as you can see, this comes through Postini. I did run into one other person who had this issue. The fix was to add all the users to the Postini database and tell Postini not to accept anything else. I don't believe that is the only fix. But yes, we can block IPs and addresses. But when they spoof a valid address or IP, and as said once before they change IP, it doesn't do me any good.

This is what the attack looks like: (I have to use the -v in the main.cf file)

Mar 24 00:01:50 primary postfix/qmgr[25306]: D13DE10D8837: from=<drlarrype...@gmail.com>, size=2922, nrcpt=30 (queue active)
Mar 24 00:01:50 primary postfix/qmgr[25306]: C1EAA10D8187: from=<drlarrype...@gmail.com>, size=2922, nrcpt=30 (queue active)
Mar 24 00:01:50 primary postfix/smtpd[2483]: D760910D8152: client=exprod6mx284.postini.com[64.18.1.71]
Mar 24 00:01:51 primary postfix/smtp[2490]: C1EAA10D8187: host canit01.muw.edu[192.231.29.105] said: 451 4.3.0 Message held $
Mar 24 00:01:51 primary postfix/cleanup[2489]: D760910D8152: hold: header Received: from psmtp.com (exprod6mx284.postini.com$
Mar 24 00:01:51 primary postfix/cleanup[2489]: D760910D8152: message-id=<201003240540.o2o5emi1002...@gw.npskskip.com>
Mar 24 00:01:52 primary postfix/smtpd[2483]: disconnect from exprod6mx284.postini.com[64.18.1.71]
Mar 24 00:01:52 primary MailScanner[1930]: New Batch: Scanning 1 messages, 3236 bytes
Mar 24 00:01:52 primary MailScanner[1930]: Spam Checks: Starting
Mar 24 00:01:52 primary postfix/smtp[2490]: C1EAA10D8187: to=<j...@muw.edu>, relay=canit02.muw.edu[192.231.29.106]:25, delay=$
Mar 24 00:01:53 primary postfix/smtpd[2610]: disconnect from exprod6mx247.postini.com[64.18.1.147]
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<bengrins...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<btlresourcecen...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<cheryl0...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<dajatinkerb...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<dit...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]:25,$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<hollowd...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<jasonspence...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<jeff_pad...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<kimflip...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<lambnichola...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<mariomartescu...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.2$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<megan_steinm...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.23$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187: to=<romackro...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary MailScanner[1930]: Virus and Content Scanning: Starting
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<aztekgladia...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.16$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<damnshecansingbi...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.1$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<deniseandcendy4l...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.1$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<ejelia...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31]$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<foxesgir...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.3$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<j.taris...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<kali...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31]:2$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<kianibobt...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<kippy...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31]:$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<lsb4a...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31]:$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<marphel2...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.3$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<miguelrui...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<ruthzachar...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<scali...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31]:$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<skittlesgirl_2...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<true4lu...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31$
Mar 24 00:01:55 primary postfix/qmgr[25306]: D13DE10D8837: removed
Mar

This is my config file: (I used the -n option or whatnot to remove the extra junk)

alias_maps = hash:/etc/aliases
allow_percent_hack = no
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix-2.4.7-documentation/html
inet_interfaces = localhost, xxx.xx.x.xxx (removed for security)
invalid_hostname_reject_code = 554
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 25600000
minimal_backoff_time = 1000s
multi_recipient_bounce_reject_code = 554
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = $config_directory/mynetworks
newaliases_path = /usr/bin/newaliases.postfix
non_fqdn_reject_code = 554
notify_classes = resource,software
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.7-documentation/readme
recipient_delimiter =
relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
relay_domains_reject_code = 554
relay_recipient_maps = mysql:/etc/postfix/mysql_relay_recipient_maps.cf
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_timeout = 60s
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access, check_client_access hash:/etc/postfix/pop-before-smtp, reject_unknown_client, reject_rbl_client sbl.spamhaus.org, reject_rbl_client dnsbl.njabl.org, reject_unauth_destination
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 20s
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, regexp:/etc/postfix/helo.regexp, permit
smtpd_junk_command_limit = 2
smtpd_recipient_limit = 30
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/pop-before-smtp, check_client_access hash:/etc/postfix/access, reject_non_fqdn_recipient, reject_unlisted_recipient, reject_unknown_sender_domain, reject_unverified_sender, reject_multi_recipient_bounce, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client multi.uribl.com, reject_rbl_client dsn.rfc-ignorant.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client combined.rbl.msrbl.net, reject_rbl_client rabl.nuclearelephant.com
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
strict_rfc821_envelopes = yes
swap_bangpath = no
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 450
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_create_maildirsize = yes
virtual_gid_maps = static:12
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 25600000
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota,
virtual_minimum_uid = 150
virtual_uid_maps = static:150
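One way to check a maillog for the pattern the post describes (mail accepted from an outside client and then handed off to outside recipients), as an added example that is not the poster's code: it joins the smtpd, qmgr and smtp records by queue ID the way Postfix logs them, and flags any message whose client is not in a trusted set (the role mynetworks plays) and whose deliveries went to domains the server does not host. The local domain, the trusted IP and the sample log lines are constructed assumptions, not values from the post.

```python
import re
from collections import defaultdict

# Regexes for the three Postfix records needed to reconstruct one message's path:
# smtpd logs the connecting client, qmgr the envelope sender and recipient count,
# smtp each outbound delivery and the relay it went to (all joined by queue ID).
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+)\[([\d.]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
TO_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]+)>, relay=(\S+)\[")

def audit_relay(lines, local_domains, trusted_ips):
    """Return {queue_id: finding} for every message accepted from a client
    outside trusted_ips (the role of mynetworks) and then handed by smtp(8) to
    recipients outside local_domains: the signature of an unwanted relay."""
    msgs = defaultdict(lambda: {"client": None, "sender": None, "nrcpt": 0, "external": []})
    for line in lines:
        if m := CLIENT_RE.search(line):
            msgs[m.group(1)]["client"] = m.group(3)
        elif m := FROM_RE.search(line):
            msgs[m.group(1)]["sender"] = m.group(2)
            msgs[m.group(1)]["nrcpt"] = int(m.group(3))
        elif m := TO_RE.search(line):
            domain = m.group(2).rsplit("@", 1)[-1].lower()
            if domain not in local_domains:
                msgs[m.group(1)]["external"].append(m.group(2))
    return {
        qid: {"client": r["client"], "sender": r["sender"],
              "nrcpt": r["nrcpt"], "external_recipients": r["external"]}
        for qid, r in msgs.items()
        if r["external"] and r["client"] not in trusted_ips
    }

# Constructed sample in the format of the post's log; hosts, addresses and IPs are
# documentation-range placeholders, not the real ones from the post.
SAMPLE_LOG = """\
Mar 24 00:01:50 primary postfix/smtpd[2483]: D13DE10D8837: client=filter.example.net[198.51.100.7]
Mar 24 00:01:50 primary postfix/qmgr[25306]: D13DE10D8837: from=<forged@example.net>, size=2922, nrcpt=30 (queue active)
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<rcpt1@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=5, status=sent (250 ok)
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837: to=<rcpt2@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=5, status=sent (250 ok)
Mar 24 00:02:10 primary postfix/smtpd[2483]: A1B2C3D4E5F6: client=filter.example.net[198.51.100.7]
Mar 24 00:02:10 primary postfix/qmgr[25306]: A1B2C3D4E5F6: from=<friend@example.org>, size=1200, nrcpt=1 (queue active)
Mar 24 00:02:11 primary postfix/virtual[2700]: A1B2C3D4E5F6: to=<user@example.com>, relay=virtual, delay=1, status=sent (delivered to maildir)
Mar 24 00:03:00 primary postfix/smtpd[2483]: F00DF00DF00D: client=desk.example.com[192.0.2.5]
Mar 24 00:03:00 primary postfix/qmgr[25306]: F00DF00DF00D: from=<user@example.com>, size=800, nrcpt=1 (queue active)
Mar 24 00:03:01 primary postfix/smtp[2611]: F00DF00DF00D: to=<pal@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=1, status=sent (250 ok)
"""

def demo():
    return audit_relay(SAMPLE_LOG.splitlines(), {"example.com"}, {"192.0.2.5"})
```

Only the first message is reported: inbound mail delivered locally and outbound mail from a trusted client both pass, while a message from an untrusted client fanned out to 30 external recipients is exactly what the post's log shows.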
