From: Jan-Kaspar Münnich on 26 May 2010 15:34

Hello,

I've set up Postfix 2.7.0 to relay all mails to the local proxy spampd:

    smtp inet n - n - 25 smtpd
      -o smtpd_proxy_filter=127.0.0.1:10025
      -o smtpd_proxy_options=speed_adjust
    127.0.0.1:10026 inet n - n - - smtpd
      -o smtpd_authorized_xforward_hosts=127.0.0.0/8
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o smtpd_data_restrictions=
      -o mynetworks=127.0.0.0/8
      -o receive_override_options=no_unknown_recipient_checks
      -o smtpd_client_connection_count_limit=25

This works well for ~10,000 mails a day, but not for one kind of spam that first occurred two weeks ago. It is always very similar (one line, just varying URL and spam bot): http://pastebin.com/4arTzeRu

These mails are just delivered to the mailbox, without any other log entry. Unfortunately it's not really possible to run Postfix in debug mode, since I can't reproduce the problem and would have to wait for the next occurrence.

It's not a big problem since there are max. 5 of these spams getting through on the whole server per day. But I really want to investigate it and would be happy if anybody had an idea.

Jan-Kaspar
From: Ansgar Wiechers on 26 May 2010 15:58

On 2010-05-26 Jan-Kaspar Münnich wrote:
> I've set up Postfix 2.7.0 to relay all mails to the local proxy spampd:
>
>     smtp inet n - n - 25 smtpd
>       -o smtpd_proxy_filter=127.0.0.1:10025
>       -o smtpd_proxy_options=speed_adjust
>     127.0.0.1:10026 inet n - n - - smtpd
>       -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>       -o smtpd_client_restrictions=
>       -o smtpd_helo_restrictions=
>       -o smtpd_sender_restrictions=
>       -o smtpd_recipient_restrictions=permit_mynetworks,reject
>       -o smtpd_data_restrictions=
>       -o mynetworks=127.0.0.0/8
>       -o receive_override_options=no_unknown_recipient_checks
>       -o smtpd_client_connection_count_limit=25
>
> This works well for ~10,000 mails a day, but not for one kind of spam
> that first occurred two weeks ago. It is always very similar (one line,
> just varying URL and spam bot): http://pastebin.com/4arTzeRu
>
> These mails are just delivered to the mailbox, without any other log
> entry. Unfortunately it's not really possible to run Postfix in debug
> mode, since I can't reproduce the problem and would have to wait for
> the next occurrence.

You could "replay" those messages from some host outside Postfix' $mynetworks, either manually (via telnet) or with some script. Also you should post an excerpt from mail.log demonstrating the full delivery of one such mail.

> It's not a big problem since there are max. 5 of these spams getting
> through on the whole server per day. But I really want to investigate
> it and would be happy if anybody had an idea.

If those spam mails are sent to just that one address, maybe body_checks will do the trick:

/etc/postfix/main.cf:

    body_checks = regexp:/etc/postfix/body_checks

/etc/postfix/body_checks:

    /^http:\/\/.+\..+\/\?email=jan\.muennich@dotplex\.de/ REJECT

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
From: mouss on 27 May 2010 18:12

Jan-Kaspar Münnich wrote:
> Hello,
>
> I've set up Postfix 2.7.0 to relay all mails to the local proxy spampd:
>
>     smtp inet n - n - 25 smtpd
>       -o smtpd_proxy_filter=127.0.0.1:10025
>       -o smtpd_proxy_options=speed_adjust
>     127.0.0.1:10026 inet n - n - - smtpd
>       -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>       -o smtpd_client_restrictions=
>       -o smtpd_helo_restrictions=
>       -o smtpd_sender_restrictions=
>       -o smtpd_recipient_restrictions=permit_mynetworks,reject
>       -o smtpd_data_restrictions=
>       -o mynetworks=127.0.0.0/8
>       -o receive_override_options=no_unknown_recipient_checks
>       -o smtpd_client_connection_count_limit=25
>
> This works well for ~10,000 mails a day, but not for one kind of spam that first occurred two weeks ago. It is always very similar (one line, just varying URL and spam bot): http://pastebin.com/4arTzeRu
>
> These mails are just delivered to the mailbox, without any other log entry. Unfortunately it's not really possible to run Postfix in debug mode, since I can't reproduce the problem and would have to wait for the next occurrence.
>
> It's not a big problem since there are max. 5 of these spams getting through on the whole server per day. But I really want to investigate it and would be happy if anybody had an idea.
>
> Jan-Kaspar

Check your spampd: are there any cases where it would pass mail without checking it? Example: a wrong whitelisting mechanism. A common error in spamassassin is to use whitelist_from (which is easily abused by sender forgery).

I didn't check all your samples, but as for hinet, if you "have no hope from them", then firewall them:

    # cat /etc/pf.conf
    ....
    discard = "block drop quick"
    ....
    table <banned> persist file "/etc/pf/banned.net"
    ....
    $discard from <banned> label "banned"

    # cat /etc/pf/banned.net
    ....
    #59.112.0.0 - 59.127.255.255
    59.112.0.0/12
    #61.220.0.0 - 61.231.255.255
    61.220.0.0/14
    61.224.0.0/14
    61.228.0.0/14
    #111.240.0.0 - 111.255.255.255
    111.240.0.0/12
    #114.32.0.0 - 114.47.255.255
    114.32.0.0/12
    #118.160.0.0 - 118.167.255.255
    118.160.0.0/13
    #118.168.0.0 - 118.171.255.255
    118.168.0.0/14
    #122.120.0.0 - 122.127.255.255
    122.120.0.0/13
    #218.160.0.0 - 218.175.255.255
    218.160.0.0/12
    #220.128.0.0 - 220.143.255.255
    220.128.0.0/12
From: Wietse Venema on 27 May 2010 20:45

Jan-Kaspar Münnich:
> Hello,
>
> I've set up Postfix 2.7.0 to relay all mails to the local proxy spampd:
>
>     smtp inet n - n - 25 smtpd
>       -o smtpd_proxy_filter=127.0.0.1:10025
>       -o smtpd_proxy_options=speed_adjust
>     127.0.0.1:10026 inet n - n - - smtpd
>       -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>       -o smtpd_client_restrictions=
>       -o smtpd_helo_restrictions=
>       -o smtpd_sender_restrictions=
>       -o smtpd_recipient_restrictions=permit_mynetworks,reject
>       -o smtpd_data_restrictions=
>       -o mynetworks=127.0.0.0/8
>       -o receive_override_options=no_unknown_recipient_checks
>       -o smtpd_client_connection_count_limit=25
>
> This works well for ~10,000 mails a day, but not for one kind of
> spam that first occurred two weeks ago. It is always very similar
> (one line, just varying URL and spam bot): http://pastebin.com/4arTzeRu

What is the output of

    # grep smtpd /etc/postfix/master.cf
    # find / -name master.cf

The pastebin logging does not prove that spam came in on this port 25.

Wietse
From: Jan-Kaspar Münnich on 27 May 2010 21:24

On 28.05.2010, at 02:45, Wietse Venema wrote:
> The pastebin logging does not prove that spam came in on this port 25.

Thanks a lot, that was the hint! I had recently misconfigured port 587. Now I changed it to:

    587 inet n - n - - smtpd
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject

That should be safe...

Jan-Kaspar
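As an added example (not code from the thread or from Postfix), the following audit reads the "-o" overrides in master.cf and flags the class of listener Wietse's hint points at: an inet smtpd service that neither hands mail to smtpd_proxy_filter nor is limited to SASL-authenticated clients, so the content filter on port 25 never sees its traffic. The master.cf excerpt is constructed from the listings in the thread; the "before" state of the 587 entry is an assumption, since the original misconfiguration is not shown.

```python
import re

# Constructed master.cf excerpt: the two listeners posted in the thread, plus a
# port-587 entry with no overrides at all (assumed pre-fix state, not shown in
# the thread). Such a listener bypasses spampd entirely.
MASTER_CF_BEFORE = """\
smtp      inet  n       -       n       -       25      smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_proxy_options=speed_adjust
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
587       inet  n       -       n       -       -       smtpd
"""
# The same file after the fix posted at the end of the thread.
MASTER_CF_AFTER = MASTER_CF_BEFORE + \
    "  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\n"

def parse_master(text):
    """Return [(service, type, command, {option: value})] per master.cf entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                       # "-o name=value" continuation
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and entries:
                entries[-1][3][m.group(1)] = m.group(2)
            continue
        fields = line.split()                       # name type priv unpriv chroot wakeup maxproc cmd
        if len(fields) >= 8:
            entries.append((fields[0], fields[1], fields[7], {}))
    return entries

def audit_listeners(text):
    """Flag non-loopback inet smtpd listeners that neither route mail through
    smtpd_proxy_filter nor restrict clients to permit_sasl_authenticated,reject."""
    findings = []
    for service, stype, cmd, opts in parse_master(text):
        if stype != "inet" or cmd != "smtpd" or service.startswith("127."):
            continue                                # not a public smtpd listener
        if "smtpd_proxy_filter" in opts:
            continue                                # the content filter sees this traffic
        client = opts.get("smtpd_client_restrictions", "")
        if "permit_sasl_authenticated" in client and client.endswith("reject"):
            continue                                # submission-style, authenticated clients only
        findings.append((service, "bypasses proxy filter, accepts unauthenticated clients"))
    return findings

if __name__ == "__main__":
    for label, cf in (("before", MASTER_CF_BEFORE), ("after", MASTER_CF_AFTER)):
        print(label, audit_listeners(cf) or "ok")
```

The check only sees overrides in master.cf; restrictions inherited from main.cf are not evaluated, so a listener it flags is one whose protection is not visible next to the listener definition.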