Re: possible localhost dns spoof attack

2013-02-28 Thread Benny Pedersen
Jamie wrote on 2013-02-26 11:32: We would appreciate your thoughts. Check that you have no external nameservers that can resolve localhost into 127.0.0.1, but show logs on what postfix really did; even if the sender IP is localhost it should not allow relaying, unless you have permit_mynetwo

Re: possible localhost dns spoof attack

2013-02-27 Thread Noel Jones
On 2/27/2013 8:37 PM, Jamie wrote: The useful information gained from your postconf is: a) It's very unlikely postfix is an open relay b) you're using a content_filter, so that may explain the "connect from [127.0.0.1]" log snippet. I was hoping
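The content_filter explanation above is worth seeing in log form. A message that arrives from a remote client is handed to the filter (typically on 127.0.0.1:10024), and the filter hands it back to a separate smtpd listener on 127.0.0.1, where it gets a new queue ID and is logged as "client=localhost[127.0.0.1]". Postfix ties the two queue IDs together through the "queued as" text in the filter's 250 reply, and permit_mynetworks matches the bracketed IP address, not the hostname. The script below is an added example, not code from the thread or from Postfix: it parses constructed log lines (the hostnames, queue IDs and addresses are made up) and, for every queue ID whose smtpd client is 127.0.0.1, walks the "queued as" chain back to the original client so a re-injected spam message is attributed to its real source rather than to localhost.

```python
import re

# Constructed sample log (not from the thread). One message comes in from a
# remote client, is relayed to a content_filter on 127.0.0.1:10024, and comes
# back on 127.0.0.1 under a new queue ID. A second, unrelated message is
# submitted locally (e.g. webmail) and has no parent.
SAMPLE_LOG = """\
Feb 26 10:01:02 serve postfix/smtpd[2101]: connect from unknown[192.0.2.17]
Feb 26 10:01:02 serve postfix/smtpd[2101]: 1A2B3C4D5E: client=unknown[192.0.2.17]
Feb 26 10:01:03 serve postfix/qmgr[1990]: 1A2B3C4D5E: from=<bulk@example.com>, size=2048, nrcpt=1 (queue active)
Feb 26 10:01:04 serve postfix/smtp[2105]: 1A2B3C4D5E: to=<victim@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.5/0.1/0.1/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as F6E5D4C3B2)
Feb 26 10:01:04 serve postfix/smtpd[2108]: connect from localhost.localdomain[127.0.0.1]
Feb 26 10:01:04 serve postfix/smtpd[2108]: F6E5D4C3B2: client=localhost.localdomain[127.0.0.1]
Feb 26 10:01:05 serve postfix/qmgr[1990]: F6E5D4C3B2: from=<bulk@example.com>, size=2300, nrcpt=1 (queue active)
Feb 26 10:01:06 serve postfix/smtp[2110]: F6E5D4C3B2: to=<victim@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=2.0, delays=1.0/0.1/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
Feb 26 10:02:00 serve postfix/smtpd[2112]: connect from localhost.localdomain[127.0.0.1]
Feb 26 10:02:00 serve postfix/smtpd[2112]: 0000AAAA11: client=localhost.localdomain[127.0.0.1]
Feb 26 10:02:01 serve postfix/qmgr[1990]: 0000AAAA11: from=<jamie@example.org>, size=900, nrcpt=1 (queue active)
"""

# smtpd logs the peer as "name[address]"; the address is what Postfix matched
# against mynetworks, the name is only the (verified or "unknown") PTR result.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
)
# The filter's 250 reply carries the queue ID of the re-injected copy.
QUEUED_AS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): .*relay=(?P<relay>[^,]+), .*queued as (?P<child>[0-9A-Za-z]+)"
)


def parse_log(text):
    """Return (clients, parents): queue ID -> (host, ip) as seen by smtpd, and
    child queue ID -> (parent queue ID, relay) for content_filter re-injections."""
    clients, parents = {}, {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m["qid"]] = (m["host"], m["ip"])
            continue
        m = QUEUED_AS_RE.search(line)
        if m:
            parents[m["child"]] = (m["qid"], m["relay"])
    return clients, parents


def origin(qid, clients, parents):
    """Follow 'queued as' links back to the first queue ID of this message and
    return (origin_qid, host, ip). The seen-set guards against malformed loops."""
    seen = set()
    while qid in parents and qid not in seen:
        seen.add(qid)
        qid = parents[qid][0]
    host, ip = clients.get(qid, ("?", "?"))
    return qid, host, ip


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def report(text):
    """For each queue ID whose smtpd client is loopback, say where the mail really
    came from: ('filter', original_ip) if it is a content_filter re-injection,
    ('local', None) if it was genuinely submitted on localhost."""
    clients, parents = parse_log(text)
    out = {}
    for qid, (_host, ip) in clients.items():
        if not is_loopback(ip):
            continue
        oqid, _ohost, oip = origin(qid, clients, parents)
        out[qid] = ("filter", oip) if oqid != qid else ("local", None)
    return out


if __name__ == "__main__":
    for qid, (kind, ip) in report(SAMPLE_LOG).items():
        print(f"{qid}: {kind} {ip or ''}".rstrip())
```

Run it against a real mail log (e.g. `report(open("/var/log/mail.log").read())`) and any "filter" entry gives the IP that actually connected to port 25; a "local" entry with a sender you do not recognise is the case worth investigating, because nothing outside the box put it on the loopback listener.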

Re: possible localhost dns spoof attack

2013-02-27 Thread Noel Jones
On 2/27/2013 8:37 PM, Jamie wrote: > The output of postconf -n was submitted in an earlier post (on > Tuesday). it is archived here > http://archives.neohapsis.com/archives/postfix/2013-02/0523.html. The > > useful information gained from your post

Re: possible localhost dns spoof attack

2013-02-27 Thread Jamie
The output of postconf -n was submitted in an earlier post (on Tuesday). It is archived here http://archives.neohapsis.com/archives/postfix/2013-02/0523.html. It's difficult to obtain more information now, since the spamming has stopped after I blocked the offenders' IPs. Re-enabling the IPs h

Re: possible localhost dns spoof attack

2013-02-27 Thread /dev/rob0
On Wed, Feb 27, 2013 at 03:10:38PM -0600, Noel Jones wrote: > On 2/27/2013 2:33 PM, /dev/rob0 wrote: > > I only saw main.cf and some largely irrelevant logs. > > I was trying to be polite. That's all I saw too. I tried to be polite also, but perhaps putting a little less effort into it than you

Re: possible localhost dns spoof attack

2013-02-27 Thread Noel Jones
On 2/27/2013 2:33 PM, /dev/rob0 wrote: > I only saw main.cf and some largely irrelevant logs. I was trying to be polite. That's all I saw too. > Do note that your system is ipso facto compromised. We know this > because it is being used by a spammer to send spam. Stop saying > you're not compr

Re: possible localhost dns spoof attack

2013-02-27 Thread /dev/rob0
On Wed, Feb 27, 2013 at 10:01:27PM +0200, Jamie wrote: > On 2013/02/27 9:48 PM, Noel Jones wrote: > >If you would send postfix logs and current "postconf -n" to the > >list as requested several times, we could likely clear this all > >up pretty quickly. > If you look back earlier in the thread, y

Re: possible localhost dns spoof attack

2013-02-27 Thread Noel Jones
On 2/27/2013 2:01 PM, Jamie wrote: > Noel > > On 2013/02/27 9:48 PM, Noel Jones wrote: >> If you would send postfix logs and current "postconf -n" to the list >> as requested several times, we could likely clear this all up pretty >> quickly. > If you look back earlier in the thread, you will see

Re: possible localhost dns spoof attack

2013-02-27 Thread Jamie
Noel On 2013/02/27 9:48 PM, Noel Jones wrote: If you would send postfix logs and current "postconf -n" to the list as requested several times, we could likely clear this all up pretty quickly. If you look back earlier in the thread, you will see that I had posted it already.

Re: possible localhost dns spoof attack

2013-02-27 Thread Noel Jones
If you would send postfix logs and current "postconf -n" to the list as requested several times, we could likely clear this all up pretty quickly. On 2/27/2013 1:43 PM, Jamie wrote: > Thanks Lorens. I'll consider that. > > On 2013/02/27 9:29 PM, Lorens Kockum wrote: >> On Tue, Feb 26, 2013 at 05

Re: possible localhost dns spoof attack

2013-02-27 Thread Jamie
Thanks Lorens. I'll consider that. On 2013/02/27 9:29 PM, Lorens Kockum wrote: On Tue, Feb 26, 2013 at 05:16:20PM +0200, Jamie wrote: I unblocked the IP and the problem came back. In another mail you said you'd used tcpdump. Why don't you set tcpdump to record everything from that IP address,

Re: possible localhost dns spoof attack

2013-02-27 Thread Lorens Kockum
On Tue, Feb 26, 2013 at 05:16:20PM +0200, Jamie wrote: > I unblocked the IP and the problem came back. In another mail you said you'd used tcpdump. Why don't you set tcpdump to record everything from that IP address, unblock the IP address, wait for a few spams to go through, block the IP address

Re: possible localhost dns spoof attack

2013-02-26 Thread Jerry
On Tue, 26 Feb 2013 17:16:20 +0200 Jamie articulated: > On 2013/02/26 4:59 PM, Deeztek.com Support wrote: > > in your /etc/hosts file if you were to change it to the actual > > servername.domain.tld of your server, then the log should report > > the actual server name vs. localhost.localdomain. I

Re: possible localhost dns spoof attack

2013-02-26 Thread Noel Jones
On 2/26/2013 8:45 AM, Jamie wrote: > I ran chkrootkit with clean results. > > For kicks: I sent a test email to myself from a web mail client. It > seems connect from localhost.localdomain[127.0.0.1] is outputted > under normal circumstances. Thus, it must be something to do with > the way in whic

Re: possible localhost dns spoof attack

2013-02-26 Thread Jamie
On 2013/02/26 4:59 PM, Deeztek.com Support wrote: in your /etc/hosts file if you were to change it to the actual servername.domain.tld of your server, then the log should report the actual server name vs. localhost.localdomain. I would unblock the IP address and see if the same thing happens an

Re: possible localhost dns spoof attack

2013-02-26 Thread Wietse Venema
Jamie: > For kicks: I sent a test email to myself from a web mail client. It > seems connect from localhost.localdomain[127.0.0.1] is outputted under > normal circumstances. Thus, it must be something to do with the way in > which postfix passed mails along to the antivirus, antispam scanners. I

Re: possible localhost dns spoof attack

2013-02-26 Thread Jamie
I ran chkrootkit with clean results. For kicks: I sent a test email to myself from a web mail client. It seems connect from localhost.localdomain[127.0.0.1] is outputted under normal circumstances. Thus, it must be something to do with the way in which postfix passed mails along to the antivir

Re: possible localhost dns spoof attack

2013-02-26 Thread Wietse Venema
Noel Jones: > > Earlier today I noticed a spammer using my Postfix server as a relay > > to send out spam. This was puzzling because I had all requisite anti > > relay host settings applied. Further, it was particularly alarming > > that Postfix seemed to be receiving the spam messages from localho

Re: possible localhost dns spoof attack

2013-02-26 Thread Deeztek.com Support
On 2/26/2013 8:53 AM, Jamie wrote: On 2013/02/26 3:32 PM, Deeztek.com Support wrote: On 2/26/2013 7:52 AM, Eero Volotinen wrote: Like I said, as soon as I blocked the troublesome IP's the problem went away. Thus, it cannot be a local script. Furthermore, we are not even running Apache. We ar

Re: possible localhost dns spoof attack

2013-02-26 Thread Jamie
Sure... the log entries are not altered in any way. *** /etc/hostname *** serve.stimulussoft.com *** /etc/hosts *** 127.0.0.1 localhost.localdomain localhost 71.6.200.51 serve.stimulussoft.com serve.mailarchiva.com *** postfix configuration *** alias_database = hash:/etc/aliases alias

Re: possible localhost dns spoof attack

2013-02-26 Thread Noel Jones
On 2/26/2013 4:32 AM, Jamie wrote: > Hi > > Earlier today I noticed a spammer using my Postfix server as a relay > to send out spam. This was puzzling because I had all requisite anti > relay host settings applied. Further, it was particularly alarming > that Postfix seemed to be receiving the sp

Re: possible localhost dns spoof attack

2013-02-26 Thread Deeztek.com Support
On 2/26/2013 7:52 AM, Eero Volotinen wrote: Like I said, as soon as I blocked the troublesome IPs the problem went away. Thus, it cannot be a local script. Furthermore, we are not even running Apache. We are running Tomcat with custom developed Java apps. I also ran tcpdump on localhost to see

Re: possible localhost dns spoof attack

2013-02-26 Thread Eero Volotinen
> Like I said, as soon as I blocked the troublesome IPs the problem went > away. Thus, it cannot be a local script. Furthermore, > we are not even running Apache. We are running Tomcat with custom developed > Java apps. > > I also ran tcpdump on localhost to see if there was traffic being received

Re: possible localhost dns spoof attack

2013-02-26 Thread Robert Schetterer
On 26.02.2013 13:04, Jamie wrote: > > Robert > > Thanks for the ideas. I'll try out your recommendations. > > Like I said, as soon as I blocked the troublesome IPs the problem went > away. Thus, it cannot be a local script. Furthermore, > we are not even running Apache. We are running Tomcat

Re: possible localhost dns spoof attack

2013-02-26 Thread Jamie
Robert Thanks for the ideas. I'll try out your recommendations. Like I said, as soon as I blocked the troublesome IPs the problem went away. Thus, it cannot be a local script. Furthermore, we are not even running Apache. We are running Tomcat with custom developed Java apps. I also ran tcpd

Re: possible localhost dns spoof attack

2013-02-26 Thread Reindl Harald
On 26.02.2013 12:57, Jamie wrote: > As requested, here is our configuration. I added the helo restrictions after > seeing the relay problem, but it > didn't help. > > *** main.cf *** > > # Debian specific: Specifying a file name will cause the first > # line of that file to be used

Re: possible localhost dns spoof attack

2013-02-26 Thread Jamie
As requested, here is our configuration. I added the helo restrictions after seeing the relay problem, but it didn't help. *** main.cf *** # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname.

Re: possible localhost dns spoof attack

2013-02-26 Thread Robert Schetterer
On 26.02.2013 12:35, Jamie wrote: > Borja > > I am pretty sure of it. After I blocked the ip address, the spam stopped > coming. It is no co-incidence that 113.167.239.162 resolves to localhost > (see: http://remote.12dt.com/ for confirmation). > > I am fairly certain that our mail server has n

Re: possible localhost dns spoof attack

2013-02-26 Thread Jamie
Borja I am pretty sure of it. After I blocked the ip address, the spam stopped coming. It is no co-incidence that 113.167.239.162 resolves to localhost (see: http://remote.12dt.com/ for confirmation). I am fairly certain that our mail server has not been hacked. Regards Jamie On 2013/02/2

Re: possible localhost dns spoof attack

2013-02-26 Thread Borja Marcos
On Feb 26, 2013, at 11:32 AM, Jamie wrote: > Hi > > Earlier today I noticed a spammer using my Postfix server as a relay to send > out spam. This was puzzling because I had all requisite anti relay host > settings applied. Further, it was particularly alarming that Postfix seemed > to be rec

Re: possible localhost dns spoof attack

2013-02-26 Thread Tom Hendrikx
On 02/26/2013 11:32 AM, Jamie wrote: > Hi > > Earlier today I noticed a spammer using my Postfix server as a > relay to send out spam. This was puzzling because I had all > requisite anti relay host settings applied. Further, it was > particularly ala

possible localhost dns spoof attack

2013-02-26 Thread Jamie
Hi Earlier today I noticed a spammer using my Postfix server as a relay to send out spam. This was puzzling because I had all requisite anti relay host settings applied. Further, it was particularly alarming that Postfix seemed to be receiving the spam messages from localhost as indicated: