On 3/25/2010 12:22 PM, Josh Cason wrote:
Thanks for the help so far. I already posted my config file in the very
first post. However, I will repost it, plus an additional log file of
the attack. Yes, to me it seems like an open relay. As stated before, when
I run tests they say closed relay. As for reading the howtos, I have
been through them over and over again. When I find a change or something
I need to add, I apply the changes. Just two weeks ago I applied a
change. The week before that I cleaned up the config file for postfix.
This does help get rid of a lot of spam. But I still get what is posted
below. A quick rundown of the system again: running MySQL, postfix,
dovecot, postfixadmin, MailScanner (uses clamav and SpamAssassin),
postini, CentOS 5.X (cannot remember the exact version), and running this
virtual with multiple domains.
Posted the config file and the log file for all of you to admire my
horrible work. LOL. Like I said on another post, the system worked great
for about 1 year, then out of the blue we get this. Yes, we do have a
firewall, but when we block the IP number, they just change IP number.
Plus, as you can see, this comes through postini. I did run into one
other person who had this issue. The fix was to add all the users to the
postini database and tell postini not to accept anything else. I don't
believe that is the only fix. But yes, we can block IPs and addresses. But
when they spoof a valid address or IP and, as said once before, they
change IP, it doesn't do me any good.
This is what the attack looks like: (I have to use the -v in the main.cf
file)
Mar 24 00:01:50 primary postfix/qmgr[25306]: D13DE10D8837:
from=<drlarrype...@gmail.com>, size=2922, nrcpt=30 (queue active)
Mar 24 00:01:50 primary postfix/qmgr[25306]: C1EAA10D8187:
from=<drlarrype...@gmail.com>, size=2922, nrcpt=30 (queue active)
Mar 24 00:01:50 primary postfix/smtpd[2483]: D760910D8152:
client=exprod6mx284.postini.com[64.18.1.71]
Mar 24 00:01:51 primary postfix/smtp[2490]: C1EAA10D8187: host
canit01.muw.edu[192.231.29.105] said: 451 4.3.0 Message held $
Mar 24 00:01:51 primary postfix/cleanup[2489]: D760910D8152: hold:
header Received: from psmtp.com (exprod6mx284.postini.com$
Mar 24 00:01:51 primary postfix/cleanup[2489]: D760910D8152:
message-id=<201003240540.o2o5emi1002...@gw.npskskip.com>
Mar 24 00:01:52 primary postfix/smtpd[2483]: disconnect from
exprod6mx284.postini.com[64.18.1.71]
Mar 24 00:01:52 primary MailScanner[1930]: New Batch: Scanning 1
messages, 3236 bytes
Mar 24 00:01:52 primary MailScanner[1930]: Spam Checks: Starting
Mar 24 00:01:52 primary postfix/smtp[2490]: C1EAA10D8187:
to=<j...@muw.edu>, relay=canit02.muw.edu[192.231.29.106]:25, delay=$
Mar 24 00:01:53 primary postfix/smtpd[2610]: disconnect from
exprod6mx247.postini.com[64.18.1.147]
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<bengrins...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<btlresourcecen...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<cheryl0...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<dajatinkerb...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<dit...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]:25,$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<hollowd...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<jasonspence...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<jeff_pad...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<kimflip...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34]$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<lambnichola...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<mariomartescu...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.2$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<megan_steinm...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.23$
Mar 24 00:01:54 primary postfix/smtp[2617]: C1EAA10D8187:
to=<romackro...@yahoo.com>, relay=h.mx.mail.yahoo.com[66.94.236.34$
Mar 24 00:01:54 primary MailScanner[1930]: Virus and Content Scanning:
Starting
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<aztekgladia...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.16$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<damnshecansingbi...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.1$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<deniseandcendy4l...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.1$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<ejelia...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31]$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<foxesgir...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.3$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<j.taris...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<kali...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31]:2$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<kianibobt...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<kippy...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31]:$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<lsb4a...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31]:$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<marphel2...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.3$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<miguelrui...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<ruthzachar...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<scali...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31]:$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<skittlesgirl_2...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195$
Mar 24 00:01:55 primary postfix/smtp[2611]: D13DE10D8837:
to=<true4lu...@yahoo.com>, relay=a.mx.mail.yahoo.com[67.195.168.31$
Mar 24 00:01:55 primary postfix/qmgr[25306]: D13DE10D8837: removed
Mar
You're accepting mail addressed to domains that aren't yours.
You appear to be a partial open relay, likely related to mail
arriving from postini IP space.
Some common errors to look for...
- postini is listed in $mynetworks. Don't do that.
- you've whitelisted postini in a check_client_access map
BEFORE reject_unauth_destination. Don't do that.
- your sql lookup for relay_domains or virtual_* responds to
"random" domains. Lookups for domains other than yours should
fail (key not found).
-- Noel Jones
This is my config file: (I used the -n option or what not to remove the
extra junk)
alias_maps = hash:/etc/aliases
allow_percent_hack = no
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix-2.4.7-documentation/html
inet_interfaces = localhost, xxx.xx.x.xxx (removed for security)
invalid_hostname_reject_code = 554
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 25600000
minimal_backoff_time = 1000s
multi_recipient_bounce_reject_code = 554
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = $config_directory/mynetworks
newaliases_path = /usr/bin/newaliases.postfix
non_fqdn_reject_code = 554
notify_classes = resource,software
proxy_read_maps = $local_recipient_maps $mydestination
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
$virtual_mailbox_domains $relay_recipient_maps $relay_domains
$canonical_maps $sender_canonical_maps $recipient_canonical_maps
$relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.7-documentation/readme
recipient_delimiter =
relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
relay_domains_reject_code = 554
relay_recipient_maps = mysql:/etc/postfix/mysql_relay_recipient_maps.cf
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_timeout = 60s
smtpd_client_restrictions = permit_mynetworks, check_client_access
hash:/etc/postfix/access, check_client_access
hash:/etc/postfix/pop-before-smtp, reject_unknown_client,
reject_rbl_client sbl.spamhaus.org, reject_rbl_client dnsbl.njabl.org,
reject_unauth_destination
smtpd_data_restrictions = reject_unauth_pipelining,
reject_multi_recipient_bounce, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 20s
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
regexp:/etc/postfix/helo.regexp, permit
smtpd_junk_command_limit = 2
smtpd_recipient_limit = 30
smtpd_recipient_restrictions = check_client_access
hash:/etc/postfix/pop-before-smtp, check_client_access
hash:/etc/postfix/access, reject_non_fqdn_recipient,
reject_unlisted_recipient, reject_unknown_sender_domain,
reject_unverified_sender, reject_multi_recipient_bounce,
reject_invalid_hostname, reject_unknown_recipient_domain,
reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination, reject_rbl_client multi.uribl.com,
reject_rbl_client dsn.rfc-ignorant.org, reject_rbl_client
dul.dnsbl.sorbs.net, reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client cbl.abuseat.org, reject_rbl_client
ix.dnsbl.manitu.net, reject_rbl_client combined.rbl.msrbl.net,
reject_rbl_client rabl.nuclearelephant.com
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
hash:/etc/postfix/sender_access, reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
strict_rfc821_envelopes = yes
swap_bangpath = no
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 450
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_create_maildirsize = yes
virtual_gid_maps = static:12
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 25600000
virtual_mailbox_limit_maps =
proxy:mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn
his diskspace quota,
virtual_minimum_uid = 150
virtual_uid_maps = static:150
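As an added example (not from the thread, and not Postfix's own tooling), a small Python checker for the ordering problem Noel describes: it parses postconf -n style output and reports which entries in smtpd_recipient_restrictions can grant a PERMIT before reject_unauth_destination is reached. The sample input is constructed and abbreviated from the list posted above; parse_main_cf, restriction_list and audit_relay_ordering are names assumed here.

```python
import re

# Restrictions that can evaluate to PERMIT (directly, or via an OK entry in a
# lookup table) and so end the list before reject_unauth_destination is reached.
PERMIT_DIRECT = re.compile(r"^permit(_\w+)?$")
LOOKUP_TABLE = re.compile(r"^check_\w+_access$")
ANCHOR = "reject_unauth_destination"

def parse_main_cf(text):
    """Parse 'name = value' lines (postconf -n style); indented lines continue a value."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def restriction_list(value):
    """Split a restriction value into entries, keeping a table or DNSBL
    argument attached to the restriction that takes it."""
    tokens, entries, i = value.replace(",", " ").split(), [], 0
    while i < len(tokens):
        takes_arg = tokens[i].startswith(("check_", "reject_rbl", "reject_rhsbl"))
        if takes_arg and i + 1 < len(tokens):
            entries.append(tokens[i] + " " + tokens[i + 1]); i += 2
        else:
            entries.append(tokens[i]); i += 1
    return entries

def audit_relay_ordering(params, name="smtpd_recipient_restrictions"):
    """Report what can grant relaying before reject_unauth_destination.
    'tables' are check_*_access maps whose contents decide (an OK entry for an
    upstream filter's IPs makes the server a partial open relay); 'permits' are
    permit_* entries, acceptable only for genuinely trusted clients (so the
    upstream filter must not be listed in $mynetworks)."""
    entries = restriction_list(params.get(name, ""))
    head = entries[:entries.index(ANCHOR)] if ANCHOR in entries else entries
    return {
        "has_anchor": ANCHOR in entries,
        "tables": [e for e in head if LOOKUP_TABLE.match(e.split()[0])],
        "permits": [e for e in head if PERMIT_DIRECT.match(e)],
    }

# Constructed sample, abbreviated from the recipient restrictions posted above.
POSTED = """\
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/pop-before-smtp,
    check_client_access hash:/etc/postfix/access, reject_non_fqdn_recipient,
    reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_rbl_client sbl-xbl.spamhaus.org
"""

if __name__ == "__main__":
    print(audit_relay_ordering(parse_main_cf(POSTED)))
```

Any table it lists should be checked for OK entries covering the upstream filter's addresses; moving such check_client_access entries after reject_unauth_destination removes the relay path while keeping the whitelist effect on the later RBL checks.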