HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: disable a local domain from sending emails (http://www.howtoforge.com/forums/showthread.php?t=60012)

florix.net 21st December 2012 06:44

disable a local domain from sending emails
 
Hi,

I am using ispconfig 3, latest version.

I have a domain mcfcomp.in (name changed)

Somehow this domain is trying to send spam emails through the local server using the id webmaster@mcfcomp.in

I disabled the domain in the control panel and blacklisted the email id, but it is still able to access postfix and add a bunch of emails to the mailq.

2012-12-21T08:58:48.012716+05:18 linode postfix/smtpd[21202]: 030F922800C: client=unknown[127.0.0.1]
2012-12-21T08:58:48.017287+05:18 linode postfix/cleanup[21506]: 030F922800C: message-id=<20121221032746.50CBF2AF3F@linode.frix.net>
2012-12-21T08:58:48.017662+05:18 linode postfix/smtpd[20754]: 0440E22800E: client=unknown[127.0.0.1]
2012-12-21T08:58:48.018802+05:18 linode postfix/qmgr[13424]: 030F922800C: from=<webmaster@mcfcomp.in>, size=5744, nrcpt=1 (queue active)
2012-12-21T08:58:48.022308+05:18 linode postfix/cleanup[21440]: 0440E22800E: message-id=<20121221032746.4ADA62AF3E@linode.frix.net>
2012-12-21T08:58:48.023032+05:18 linode postfix/qmgr[13424]: 0440E22800E: from=<webmaster@mcfcomp.in>, size=5714, nrcpt=1 (queue active)
2012-12-21T08:58:48.027995+05:18 linode amavis[18855]: (18855-09-27) Passed BAD-HEADER, <webmaster@mcfcomp.in> -> <dmccandless@agoc.com>, Message-ID: <20121221032746.50CBF2AF3F@linode.frix.net>, mail_id: CZVJF7YaJvMP, Hits: 2.017, size: 5268, queued_as: 030F922800C, 1336 ms

How can I fix this?

Thanks
Richard

till 21st December 2012 09:25

These emails are most likely inserted through a website script, e.g. a vulnerable contact form or CMS system, so blocking on the postfix level will not work if you don't want to block all emails from localhost. Check the email content of one of the mails in the queue with postcat; it should contain additional info like the user which sent the email, so you can find the site which contains the script.

florix.net 21st December 2012 10:46

Dear Admin,

Thank you for the reply.

I have installed the phpsendmail script, which logs all PHP sendmail attempts. This does not fall in this area.

I have disabled the domain mccomplex.in completely in ISPConfig. What can I do to force postfix to accept any emails from the mccomplex.in domain?


Richard

till 21st December 2012 10:55

Quote:

I have disabled the domain mccomplex.in completely in ISPConfig.
When you disable a domain, you instruct postfix that you don't want to receive emails for this domain; this is not disabling sending, as the sending can be done even through a completely different domain when the user is authenticated with the correct username and password. To stop it you just have to disable the account that is used for sending or change the password of that account. Find out which email account is being used to send these emails and then disable this account. You can see this in the mail log file, as there must be an smtp login right before the sending starts.

florix.net 21st December 2012 11:02

Till,

The account which is used, webmaster@mcfcomplex.in, is not configured at all.
Here are the details from the mail log. I also do not see any authenticated user logged before this.

Richard



2012-12-16T20:22:53.192803+05:18 linode postfix/pickup[32607]: 2F08B2AE81: uid=48 from=<webmaster@mcfcomplex.in>
2012-12-16T20:22:53.193682+05:18 linode postfix/cleanup[32670]: 2F08B2AE81: message-id=<20121216145253.2F08B2AE81@linode.florix.net>
2012-12-16T20:22:53.194670+05:18 linode postfix/qmgr[3150]: 2F08B2AE81: from=<webmaster@mcfcomplex.in>, size=654, nrcpt=1 (queue active)
2012-12-16T20:22:53.683559+05:18 linode postfix/smtpd[32412]: connect from unknown[127.0.0.1]
2012-12-16T20:22:53.690177+05:18 linode postfix/smtpd[32412]: A874D2AE5B: client=unknown[127.0.0.1]
2012-12-16T20:22:53.692991+05:18 linode postfix/cleanup[32670]: A874D2AE5B: message-id=<20121216145253.2F08B2AE81@linode.florix.net>
2012-12-16T20:22:53.694136+05:18 linode postfix/smtpd[32412]: disconnect from unknown[127.0.0.1]
2012-12-16T20:22:53.694167+05:18 linode postfix/qmgr[3150]: A874D2AE5B: from=<webmaster@mcfcomplex.in>, size=1201, nrcpt=1 (queue active)
2012-12-16T20:22:53.702627+05:18 linode amavis[24900]: (24900-13) Passed BAD-HEADER, <webmaster@mcfcomplex.in> -> <Timofeiene351@yahoo.com>, Message-ID: <20121216145253.2F08B2AE81@linode.florix.net>, mail_id: 3NgtUp3w8hJt, Hits: -0.799, size: 654, queued_as: A874D2AE5B, 505 ms
2012-12-16T20:22:53.705182+05:18 linode postfix/smtp[32673]: 2F08B2AE81: to=<Timofeiene351@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.51, delays=0/0/0/0.51, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=24900-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A874D2AE5B)
2012-12-16T20:22:53.705501+05:18 linode postfix/qmgr[3150]: 2F08B2AE81: removed
2012-12-16T20:22:54.313849+05:18 linode postfix/smtp[32747]: A874D2AE5B: to=<Timofeiene351@yahoo.com>, relay=mta5.am0.yahoodns.net[98.139.54.60]:25, delay=0.63, delays=0.01/0/0.17/0.45, dsn=2.0.0, status=sent (250 ok Sun Dec 16 06:52:54 2012: ql 229824655, qr 0)
2012-12-16T20:22:54.314276+05:18 linode postfix/qmgr[3150]: A874D2AE5B: removed

till 21st December 2012 11:09

Quote:

The account which is used webmaster@mcfcomplex.in is not configured at all.
This is the sender address and not necessarily the account which is used to send the emails. Don't mix that up; the sender address and sending account can be the same but don't have to be the same!

Quote:

I also do not see any authenticated user logged before this.
You have to find the login when the first spam email of a session is sent, there is no new login for each message.

There are 3 options:

1) The emails are sent through a local script.
2) The emails are sent through an authenticated account.
3) Your server is an open relay (check: http://mxtoolbox.com/diagnostic.aspx)

If you want to find out more about the emails, then you can inspect their headers with the postcat command in the queue.
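A small log-triage script, added here as an example (it is not code from this thread, from ISPConfig or from Postfix), showing how the three cases Till lists can be told apart from the mail log: a local submission through the sendmail binary shows up as a `postfix/pickup` line carrying the submitting uid, an authenticated SMTP submission shows up as `sasl_method=`/`sasl_username=` on the `smtpd ... client=` line, and the `client=unknown[127.0.0.1]` lines are the content filter (amavis) re-injecting a message that was already queued, so they are not the origin. The log lines are the ones posted above plus one constructed SASL line; the web-server uids (48 for apache on Red Hat-derived systems, 33 for www-data on Debian) are assumptions about the host.

```python
import re
from collections import Counter

# Mail-log excerpt: the first five lines are copied from the posts above (pickup
# by uid 48, then the loopback re-injection after amavis); the last two lines are
# a constructed example of an authenticated SMTP submission, showing how Postfix
# logs SASL logins (queue id, client host and login name are made up).
SAMPLE_LOG = """\
2012-12-16T20:22:53.192803+05:18 linode postfix/pickup[32607]: 2F08B2AE81: uid=48 from=<webmaster@mcfcomplex.in>
2012-12-16T20:22:53.194670+05:18 linode postfix/qmgr[3150]: 2F08B2AE81: from=<webmaster@mcfcomplex.in>, size=654, nrcpt=1 (queue active)
2012-12-16T20:22:53.690177+05:18 linode postfix/smtpd[32412]: A874D2AE5B: client=unknown[127.0.0.1]
2012-12-16T20:22:53.694167+05:18 linode postfix/qmgr[3150]: A874D2AE5B: from=<webmaster@mcfcomplex.in>, size=1201, nrcpt=1 (queue active)
2012-12-21T08:58:48.012716+05:18 linode postfix/smtpd[21202]: 030F922800C: client=unknown[127.0.0.1]
2012-12-21T09:01:02.000000+05:18 linode postfix/smtpd[22222]: DEADBEEF01: client=host.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=info@mcfcomplex.in
2012-12-21T09:01:02.100000+05:18 linode postfix/qmgr[13424]: DEADBEEF01: from=<webmaster@mcfcomplex.in>, size=700, nrcpt=1 (queue active)
"""

# Assumed uids of the web server user: 48 (apache, Red Hat-derived) and
# 33 (www-data, Debian/Ubuntu). Adjust to the host being examined.
WEB_SERVER_UIDS = {48, 33}

PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>\w+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>[^,\s]+)"
                      r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")


def classify_submissions(log_text):
    """Map each queue id to how the message entered Postfix.

    path is one of:
      local-pickup : handed to the sendmail binary by a local process (uid recorded)
      smtp-auth    : SMTP submission with a SASL login (sasl_username recorded)
      loopback     : SMTP from 127.0.0.1 without SASL; normally the content filter
                     (amavis) re-injecting a message that was already in the queue
      smtp         : unauthenticated SMTP from a non-loopback client
    """
    subs = {}
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            subs[m["qid"]] = {"path": "local-pickup", "uid": int(m["uid"]),
                              "sender": m["sender"], "client": None, "sasl_username": None}
            continue
        m = SMTPD_RE.search(line)
        if m:
            if m["user"]:
                path = "smtp-auth"
            elif "[127.0.0.1]" in m["client"]:
                path = "loopback"
            else:
                path = "smtp"
            subs[m["qid"]] = {"path": path, "uid": None, "sender": None,
                              "client": m["client"], "sasl_username": m["user"]}
            continue
        # The qmgr line carries the envelope sender for SMTP-submitted messages.
        m = QMGR_RE.search(line)
        if m and m["qid"] in subs and subs[m["qid"]]["sender"] is None:
            subs[m["qid"]]["sender"] = m["sender"]
    return subs


def find_origins(subs, sender_domain, web_uids=WEB_SERVER_UIDS):
    """Count, for one sender domain, where its mail really originates.
    Loopback re-injections are skipped: they are copies of messages already counted."""
    origins = Counter()
    for info in subs.values():
        sender = info["sender"] or ""
        if not sender.lower().endswith("@" + sender_domain.lower()):
            continue
        if info["path"] == "local-pickup":
            kind = "web-script" if info["uid"] in web_uids else "local"
            tag = "%s uid=%d" % (kind, info["uid"])
        elif info["path"] == "smtp-auth":
            tag = "sasl login %s from %s" % (info["sasl_username"], info["client"])
        elif info["path"] == "loopback":
            continue
        else:
            tag = "unauthenticated smtp from %s" % info["client"]
        origins[tag] += 1
    return origins


if __name__ == "__main__":
    for tag, count in find_origins(classify_submissions(SAMPLE_LOG), "mcfcomplex.in").items():
        print("%3d  %s" % (count, tag))
```

On a real host, feed it the mail log (`/var/log/mail.log` or `/var/log/maillog`) instead of `SAMPLE_LOG`; a "web-script uid=48" origin points at a script under the web server, a "sasl login" origin names the account whose password needs changing, and "unauthenticated smtp" from a non-loopback client is the open-relay case.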

florix.net 21st December 2012 12:58

Hi Till,

I think it's happening by an authenticated user machine; after the pop3 login, the bunch of spam arrives.

The sender is sending small bunches at random intervals, hence it is difficult to track. I have changed the password of one email id associated with that domain.

I will keep you posted.

florix.net 21st December 2012 13:15

One more burst ..

The postcat shows this


[root@linode log]# postcat -q EEE6E2AF15
*** ENVELOPE RECORDS deferred/E/EEE6E2AF15 ***
message_size: 6037 490 1 0
message_arrival_time: Fri Dec 21 16:35:47 2012
create_time: Fri Dec 21 16:35:47 2012
named_attribute: rewrite_context=local
sender: webmaster@mcfcomplex.in
named_attribute: encoding=7bit
named_attribute: log_client_address=127.0.0.1
named_attribute: log_message_origin=unknown[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=localhost
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;amicpht@yahoo.com
original_recipient: amicpht@yahoo.com
recipient: amicpht@yahoo.com
*** MESSAGE CONTENTS deferred/E/EEE6E2AF15 ***
Received: from localhost (unknown [127.0.0.1])
by linode.florix.net (Postfix) with ESMTP id EEE6E2AF15
for <amicpht@yahoo.com>; Fri, 21 Dec 2012 11:05:47 +0000 (UTC)
X-Virus-Scanned: amavisd-new at linode.florix.net
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with
expected boundary
Received: from linode.florix.net ([127.0.0.1])
by localhost (linode.florix.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Pael-rtGiT-i for <amicpht@yahoo.com>;
Fri, 21 Dec 2012 16:35:44 +0530 (IST)
Received: by linode.florix.net (Postfix, from userid 48)
id DF22322804A; Fri, 21 Dec 2012 16:30:51 +0530 (IST)
To: amicpht@yahoo.com
Subject: Tracking ID (961)73-961-961-9798-9798
From: "Express Service" <user-zp@hialeah.com>
X-Mailer: TWIG2.6.2
Reply-To: "Express Service" <user-zp@hialeah.com>
Mime-Version: 1.0
Content-Type:multipart/mixed;boundary="----------135608765150D44163DA575"
Message-Id: <20121221110051.DF22322804A@linode.florix.net>
Date: Fri, 21 Dec 2012 16:30:51 +0530 (IST)
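A parser for this `postcat -q` output, added here as an example (not part of the thread, of ISPConfig or of Postfix): it reads the envelope records and the header section and reports how the message entered the server. The innermost Received header above, `(Postfix, from userid 48)`, says the message was handed to the local sendmail binary by uid 48 (the apache user on Red Hat-derived systems, an assumption about this host), which matches the `pickup ... uid=48` line in the earlier log; the outer `127.0.0.1` hops are only amavis passing the message back. The script also flags the mismatch between the envelope sender (webmaster@mcfcomplex.in) and the header From (user-zp@hialeah.com) and the amavis bad-header alert. The sample is the posted output, abridged; nothing in it is constructed.

```python
import re

# `postcat -q` output copied from the post above (abridged). The continuation
# lines of the Received headers appear without the leading whitespace Postfix
# prints, exactly as posted, so the parser accepts both indented and unindented
# continuations.
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS deferred/E/EEE6E2AF15 ***
message_size: 6037 490 1 0
named_attribute: rewrite_context=local
sender: webmaster@mcfcomplex.in
named_attribute: log_client_address=127.0.0.1
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=localhost
original_recipient: amicpht@yahoo.com
recipient: amicpht@yahoo.com
*** MESSAGE CONTENTS deferred/E/EEE6E2AF15 ***
Received: from localhost (unknown [127.0.0.1])
by linode.florix.net (Postfix) with ESMTP id EEE6E2AF15
for <amicpht@yahoo.com>; Fri, 21 Dec 2012 11:05:47 +0000 (UTC)
X-Virus-Scanned: amavisd-new at linode.florix.net
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with
expected boundary
Received: from linode.florix.net ([127.0.0.1])
by localhost (linode.florix.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Pael-rtGiT-i for <amicpht@yahoo.com>;
Fri, 21 Dec 2012 16:35:44 +0530 (IST)
Received: by linode.florix.net (Postfix, from userid 48)
id DF22322804A; Fri, 21 Dec 2012 16:30:51 +0530 (IST)
To: amicpht@yahoo.com
Subject: Tracking ID (961)73-961-961-9798-9798
From: "Express Service" <user-zp@hialeah.com>
X-Mailer: TWIG2.6.2
Message-Id: <20121221110051.DF22322804A@linode.florix.net>
"""

HEADER_LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
USERID_RE = re.compile(r"\(Postfix, from userid (\d+)\)")
ADDR_RE = re.compile(r"<([^>]+)>|([\w.+-]+@[\w.-]+)")


def parse_postcat(text):
    """Split postcat -q output into (envelope records, named attributes, headers)."""
    envelope, attrs, headers = {}, {}, []
    section = "envelope"
    for line in text.splitlines():
        if line.startswith("*** MESSAGE CONTENTS"):
            section = "headers"
            continue
        if line.startswith("*** "):          # other section markers
            continue
        if section == "envelope":
            key, _, value = line.partition(": ")
            if key == "named_attribute":     # e.g. client_address=127.0.0.1
                k, _, v = value.partition("=")
                attrs[k] = v
            else:
                envelope[key] = value
        else:
            if line == "":                   # blank line ends the header block
                break
            m = HEADER_LINE_RE.match(line)
            if m and not line[0].isspace():
                headers.append([m.group(1), m.group(2)])
            elif headers:                    # folded continuation line
                headers[-1][1] += " " + line.strip()
    return envelope, attrs, [(k, v) for k, v in headers]


def triage(postcat_text):
    """Report how the queued message entered the server and what is odd about it."""
    envelope, attrs, headers = parse_postcat(postcat_text)
    # Received headers are prepended hop by hop, so the last one is the first
    # hop: the one that records how the message got into this server.
    uid = None
    for key, value in headers:
        if key.lower() == "received":
            m = USERID_RE.search(value)
            if m:
                uid = int(m.group(1))
    header_from = None
    for key, value in headers:
        if key.lower() == "from":
            m = ADDR_RE.search(value)
            header_from = (m.group(1) or m.group(2)) if m else value
    envelope_sender = envelope.get("sender")
    if uid is not None:
        submission = "local sendmail submission by uid %d" % uid
    else:
        submission = "smtp from %s" % attrs.get("client_address", "?")
    return {
        "envelope_sender": envelope_sender,
        "header_from": header_from,
        "client_address": attrs.get("client_address"),
        "submitted_by_uid": uid,
        "submission": submission,
        "sender_mismatch": (header_from or "").lower() != (envelope_sender or "").lower(),
        "bad_header": any(k.lower() == "x-amavis-alert" for k, _ in headers),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_POSTCAT).items():
        print("%-18s %s" % (key, value))
```

Pipe the output of `postcat -q <queue id>` into `triage()` for any message in the queue; a `submitted_by_uid` equal to the web server's uid means the mail was injected by a script on that host, which is the case Till describes, and neither disabling the domain nor changing mailbox passwords will affect it.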

florix.net 21st December 2012 14:48

Hi Till,


Please let me know .. I am unable to stop this junk.

How can we simply disable a domain from sending any emails?


Richard

