HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: postfix DoS Spam attack (http://www.howtoforge.com/forums/showthread.php?t=61196)

arraken 28th March 2013 17:52

postfix DoS Spam attack
 
Hi guys!

I'm having a serious problem with my mailserver. It seems there is some kind of DoS or spam attack running, which is nearly crashing the whole server. Some days ago we had a DoS attack on apache (40+ requests to one site per second from one IP), and now it's starting on the mailserver.

It seems to originate from a single IP, if I'm not mistaken. If I run the command "tail -f /var/log/mail.log | grep 1.2.3.4" I get the following output:

Code:

Mar 28 17:37:01 server1 postfix/smtpd[2413]: 715002530564: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:01 server1 postfix/smtpd[2423]: 77E012530565: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:01 server1 postfix/smtpd[2512]: E53542530413: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:02 server1 amavis[1871]: (01871-03-4) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <etzsthbyquxte@yahoo.com> -> <3390@yahoo.com.tw>,<34dn@yahoo.com.tw>,<430j@yahoo.com.tw>,<486y@yahoo.com.tw>,<6nob@yahoo.com.tw>,<a0937736793@yahoo.com.tw>,<a855151151@yahoo.com.tw>,<aaajoe1207@yahoo.com.tw>,<azero0831@yahoo.com.tw>,<bawea@yahoo.com.tw>,<c0762@yahoo.com.tw>,<ccty218@yahoo.com.tw>,<cids75@yahoo.com.tw>,<clot0955@yahoo.com.tw>,<digev@yahoo.com.tw>,<downright@yahoo.com.tw>,<e31310@yahoo.com.tw>,<fingersob@yahoo.com.tw>,<greatest_club7@yahoo.com.tw>,<kikocc2005@yahoo.com.tw>,<myanmarfuturegenerations@yahoo.com.tw>,<ritsukoaizawa@yahoo.com.tw>, quarantine: X/badh-XPAn+KjwcGjn, Message-ID: <IUHTZUPJBXXGZAGGBWHZ@yahoo.com>, mail_id: XPAn+KjwcGjn, Hits: 29.032, size: 5547, queued_as: 77E182530566, 4413 ms
Mar 28 17:37:04 server1 postfix/smtpd[2512]: 7F0DA21B112F: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:04 server1 postfix/smtpd[2423]: 7F17B25303C4: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:04 server1 postfix/smtpd[2413]: 803D22530568: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:05 server1 postfix/smtpd[2708]: warning: 1.2.3.4: address not listed for hostname email.DomainOnMyServer.at
Mar 28 17:37:05 server1 postfix/smtpd[2708]: connect from unknown[1.2.3.4]
Mar 28 17:37:05 server1 amavis[1870]: (01870-03-13) Passed BAD-HEADER, [1.2.3.4] [75.116.26.152] <ljbpzsbqrqzkx@yahoo.com> -> <gdccu@yahoo.com.tw>, quarantine: j/badh-jLp6v1RP31FB, Message-ID: <UFCEFYPRWNNJJWDLBKLI@yahoo.com>, mail_id: jLp6v1RP31FB, Hits: 28.97, size: 5545, queued_as: B476F2530569, 2765 ms
Mar 28 17:37:06 server1 postfix/smtpd[2708]: 5EEF92331F5D: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2423]: 7897B253056B: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: 789E0253056C: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2512]: 79B99253056D: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2708]: 7A618253056E: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 amavis[1871]: (01871-03-5) Passed BAD-HEADER, [1.2.3.4] [185.248.120.84] <njzbxiaa@yahoo.com> -> <miffy.0311@kimo.com>,<helen0801@yahoo.com.tw>,<johnsonp@yahoo.com.tw>,<k4682t@yahoo.com.tw>,<laiju2421@yahoo.com.tw>,<leizikong@yahoo.com.tw>,<leo1966leo@yahoo.com.tw>,<lewell@yahoo.com.tw>,<lwt1970@yahoo.com.tw>,<ml_ngan@yahoo.com.tw>,<mung-bean-paste@yahoo.com.tw>,<nan2223@yahoo.com.tw>,<niokei@yahoo.com.tw>,<p0936069@yahoo.com.tw>,<sm135ok@yahoo.com.tw>, quarantine: B/badh-BWzuYpe8ThAM, Message-ID: <BUDYAWCSBBNENTIUQCKEISDXZ@yahoo.com>, mail_id: BWzuYpe8ThAM, Hits: 29.469, size: 6527, queued_as: 77FB4253056A, 5424 ms
Mar 28 17:37:08 server1 postfix/smtpd[2512]: A4E29253056F: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2423]: A732B2530570: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: ADFFE2530571: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2708]: EAC6C2530572: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: EAC8C2530573: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2423]: 69F422530575: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2512]: E010A2530576: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2708]: E0FE62530578: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:12 server1 amavis[1870]: (01870-03-14) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <slbburxoarum@yahoo.com> -> <a0926298122@yahoo.com.tw>,<a223542804@yahoo.com.tw>,


As you can see, this is the output of only a few seconds.

arraken 28th March 2013 17:53

If I don't grep for the IP and just use "tail -f /var/log/mail.log" I get this within seconds:

Code:

Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<daijimmy@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<dd3717383@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<demmy_714@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<dmwv@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<dufeichun@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<ecjh70513@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<edesw@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<erica19840721@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<f68291@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<fegia@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<fermilco@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<fish690617@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<gamale@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<herc31@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<jing910330@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<k079618@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<kelly5211@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<tcby12345@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<video95025@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<weisau789@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<whogamall@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<wyukang@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22826765@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228267748@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22826956@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228269877@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827053@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827127@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827140@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228271420@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228272000@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827217@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a2282721@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228272981@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228274191@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827465@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228275222@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228275464@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827606@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827612@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/smtpd[2454]: 08E3E25307F6: client=unknown[90.146.13.50], sasl_method=LOGIN, sasl_username=account@domainOnMyServer.at
Mar 28 17:44:33 server1 postfix/smtpd[2620]: 098A425307F7: client=unknown[90.146.13.50], sasl_method=LOGIN, sasl_username=account@domainOnMyServer.at
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827715@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a2282777@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228279328@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/smtpd[2708]: 0E69425307F8: client=unknown[90.146.13.50], sasl_method=LOGIN, sasl_username=account@domainOnMyServer.at
Mar 28 17:44:33 server1 postfix/smtpd[2585]: 0F80225307F9: client=unknown[90.146.13.50], sasl_method=LOGIN, sasl_username=account@domainOnMyServer.at
Mar 28 17:44:33 server1 postfix/smtpd[2398]: 0F99425307FA: client=unknown[90.146.13.50], sasl_method=LOGIN, sasl_username=account@domainOnMyServer.at
Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<6v2g@yahoo.com.tw>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<a0956672213@yahoo.com.tw>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<a28336245@yahoo.com.tw>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<a58111207@yahoo.com.tw>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<a_better_living@yahoo.com.tw>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)

Can anyone help, or explain what exactly is going on? It's really urgent, considering that the server just crashed a few minutes ago, and I have some live sites running on it. I would also be glad for some kind of quick fix (just ban that one IP or something?).

arraken 28th March 2013 18:01

blocked ip - no success
 
I have now blocked the IP with "route add -host 1.2.3.4 reject". The "tail -f /var/log/mail.log | grep 90.146.13.50" now results in the following:

Code:

Mar 28 17:57:31 server1 amavis[18006]: (18006-02-46) Passed BAD-HEADER, [1.2.3.4:] [183.128.84.108] <xlcbojvoqswso@yahoo.com> -> <bbxx@kimo.com>,<nsrrc123@kimo.com>,<15c3@yahoo.com.tw>,<a4789002@yahoo.com.tw>,<a5723149@yahoo.com.tw>,<actionmaps@yahoo.com.tw>,<angel-linda@yahoo.com.tw>,<c60732@yahoo.com.tw>,<davidjoe999@yahoo.com.tw>,<dysqo@yahoo.com.tw>,<ht0222@yahoo.com.tw>,<juliahskimo@yahoo.com.tw>,<n3676732@yahoo.com.tw>,<odream_star_sky@yahoo.com.tw>,<pan_yu_lan@yahoo.com.tw>,<pengpenglao@yahoo.com.tw>,<q.zhang@yahoo.com.tw>,<qianfanzu@yahoo.com.tw>,<reiko_0322@yahoo.com.tw>,<sammi_yuan@yahoo.com.tw>,<satana685@yahoo.com.tw>,<serenawanders@yahoo.com.tw>,<shiliangsan@yahoo.com.tw>,<simonhouse@yahoo.com.tw>,<stutson@yahoo.com.tw>,<t19016@yahoo.com.tw>,<t750501@yahoo.com.tw>,<tha559@yahoo.com.tw>,<tpalways179@yahoo.com.tw>,<ttt22246@yahoo.com.tw>,<u983610@yahoo.com.tw>,<vanila313@yahoo.com.tw>,<vickie_1124@yahoo.com.tw>,<ya73217@yahoo.com.tw>,<yin5125@yahoo.com.tw>,<yolo40@yahoo.com.tw>, quarant...
Mar 28 17:57:31 server1 amavis[16078]: (16078-01-111) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <vswlogswv@yahoo.com> -> <e37n11@yahoo.com.tw>,<et159576@yahoo.com.tw>,<ewcc@yahoo.com.tw>,<ezteclea@yahoo.com.tw>,<f5sld@yahoo.com.tw>,<fish81528@yahoo.com.tw>,<gbo52002@yahoo.com.tw>,<gigila123123@yahoo.com.tw>,<gj4012@yahoo.com.tw>,<h05901037@yahoo.com.tw>,<haiyin0130@yahoo.com.tw>,<halloween201031@yahoo.com.tw>,<ho801008@yahoo.com.tw>,<homoe042002@yahoo.com.tw>,<how168520@yahoo.com.tw>,<hupingpu@yahoo.com.tw>,<iado@yahoo.com.tw>,<icesam0414@yahoo.com.tw>,<inpopstyle@yahoo.com.tw>,<javangsomsb@yahoo.com.tw>,<jay890726@yahoo.com.tw>,<jes2000@yahoo.com.tw>,<jrlovers998@yahoo.com.tw>,<justin28225463@yahoo.com.tw>,<k42234141@yahoo.com.tw>,<kevinabc77@yahoo.com.tw>,<knoe7708800@yahoo.com.tw>,<ktss_719@yahoo.com.tw>,<l2273123@yahoo.com.tw>,<lc0955048776@yahoo.com.tw>,<lisalane@yahoo.com.tw>,<love7931388@yahoo.com.tw>,<love871072000@yahoo.com.tw>,<mail.a45232@yahoo.com.tw>,<mars_tu@yahoo.com.tw>, quarant...
Mar 28 17:57:33 server1 amavis[18006]: (18006-02-47) Passed BAD-HEADER, [1.2.3.4] [157.120.139.150] <bnjmxgdtpswnn@yahoo.com> -> <73.21189@yahoo.com.tw>,<chgshsdhft@yahoo.com.tw>,<chiang0118@yahoo.com.tw>,<dqwd77888@yahoo.com.tw>,<dumaisen@yahoo.com.tw>,<f70280@yahoo.com.tw>,<fanny0333@yahoo.com.tw>,<five_six2520@yahoo.com.tw>,<fle1216@yahoo.com.tw>,<ghqn@yahoo.com.tw>,<hahaismyname@yahoo.com.tw>,<hjt44fvmilpqfoc@yahoo.com.tw>,<hsiuying88@yahoo.com.tw>,<hw0125011@yahoo.com.tw>,<itachf3104@yahoo.com.tw>,<kkandy2@yahoo.com.tw>,<louvretaiwan@yahoo.com.tw>, quarantine: N/badh-NWyeRQikDbdr, Message-ID: <MQJQGDCKOTPTCKQYARIQAHHQ@yahoo.com>, mail_id: NWyeRQikDbdr, Hits: 27.748, size: 5828, queued_as: 0DD8623313BE, 1404 ms
Mar 28 17:57:34 server1 amavis[16078]: (16078-01-112) Passed BAD-HEADER, [1.2.3.4] [181.236.150.22] <pprjfz@yahoo.com> -> <a_wey_h@yahoo.com.tw>,<aa541188882000@yahoo.com.tw>,<amanda198200@yahoo.com.tw>,<but_why_not2001@yahoo.com.tw>,<cara0105.tw@yahoo.com.tw>,<cezra@yahoo.com.tw>,<chiugffgff@yahoo.com.tw>,<dc916ms58@yahoo.com.tw>,<f-squall@yahoo.com.tw>,<handmakebear@yahoo.com.tw>,<ioanna@yahoo.com.tw>,<jack198167@yahoo.com.tw>,<kai55@yahoo.com.tw>,<kery0418@yahoo.com.tw>,<maddog@yahoo.com.tw>,<n235512@yahoo.com.tw>,<rabj@yahoo.com.tw>,<seatleichiro@yahoo.com.tw>,<shizuka_banzai@yahoo.com.tw>,<spide18@yahoo.com.tw>,<steven-30@yahoo.com.tw>,<sunday05272002@yahoo.com.tw>,<swt11807@yahoo.com.tw>,<teyou_shuai@yahoo.com.tw>,<totorowg@yahoo.com.tw>,<vino2001new@yahoo.com.tw>, quarantine: u/badh-u6-w7u-VHSX8, Message-ID: <QUIULRGETEBUGHBJHZZZHGLW@yahoo.com>, mail_id: u6-w7u-VHSX8, Hits: 27.625, size: 7382, queued_as: CCF7921B1CF6, 1033 ms
Mar 28 17:57:35 server1 amavis[16078]: (16078-01-113) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <muppubbysaehgh@yahoo.com> -> <3r0e@yahoo.com.tw>,<bossrong@yahoo.com.tw>,<chobits_janne21@yahoo.com.tw>

Any ideas?

arraken 28th March 2013 18:39

server abused as spambot?
 
Ok, I think my server is being abused for sending spam. I don't think it's an open relay, however, so can it be some script on my server that sends the mails?

I followed the instructions from the first answer here: http://serverfault.com/questions/333...refusing-mails

I seem to have the same problem as the poster there.

When I execute "qshape deferred" I get the following output:

Code:

            yahoo.com.tw 70279  0 42  0 1998 5617 12254 39296 11072    0    0
          DomainOnMyServer.at 12583  0  0  0  17  31    36    73  885 1445 10096
                  kimo.com  310  0  0  0  16  24    48  159    63    0    0
    heattreatmentchina.ru    29  0  0  0    1    0    1    0    0    0    27
              yahoo.com.hk    22  0  0  0    1    2    9    9    1    0    0
            purifiercn.ru    16  0  0  0    0    0    1    1    0    1    13
            earthlink.net    12  0  0  0    0    0    0    0    0    0    12
                ymail.com    11  0  0  0    0    0    6    4    1    0    0                 
              example.com    8  0  0  0    0    0    0    0    0    2    6           
                  aol.com    2  0  0  0    0    0    0    0    0    0    2
                  jumpy.it    2  0  0  0    0    0    0    0    0    0    2
                gawab.com    2  0  0  0    0    0    0    0    0    0    2
            rocketmail.com    2  0  0  0    0    0    0    2    0    0    0
 gdp-globaldigitalpost.com    2  0  0  0    0    0    0    0    0    0    2
                  nsi.com    1  0  0  0    0    0    0    0    0    0    1
                  mxb.org    1  0  0  0    0    0    0    0    0    0    1
                  kjf.com    1  0  0  0    0    0    0    0    0    0    1

When I look in /var/spool/postfix/deferred/ there are masses of mails there, all apparently spam mails.

What can I do to stop this? Please help! I had to shut down the mailserver already, which isn't good, as it is used by quite some customers.

arraken 29th March 2013 11:08

problem seems to be solved for now
 
Ok, the problem seems to be fixed for now. I'll post a little summary of the problem and of what I did, as this may be interesting to other ISPConfig 3 users that also use the standard postfix settings.

1. My mailserver sent masses of spam mails to seemingly random accounts (mostly @yahoo.com). My log was full of lines like this:
Code:

Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<ho08132000@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<hot7495@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<hwahwa09091203@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<i5325@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)

2. There were lots of logins from a mail account on my server, all from the same IP.

3. As a result of the many spam mails, yahoo blocked the IP of my server.

What I did was the following:

1. Panicked and tried to find out what the hell was going on... :)
2. Tried some stuff that didn't work, most of which I can't remember in the correct order now.
3. What I think did the trick was that I changed the password of the account which I thought was compromised, and removed all mail from the queue (which was completely clogged up). Afterwards there were no more outgoing spam mails in my mail.log.

The hardest part was finding the compromised account, because the mail log was filling up so fast that it was hard to find useful information. If anyone has some info on how to identify a compromised account quickly, I would be glad to hear it.


I still see spam-mail blocks in my mail log, but the spam comes from the outside now and gets blocked, if I interpret it correctly. Here's a short snippet:

Code:

Mar 29 08:58:36 server1 postfix/qmgr[27307]: 0DBC22134107: from=<ellipsej7@verbatim.com>, size=2461, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 0EAAD213410A: from=<2B6FC5FB46@albrightins.com>, size=5221, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: F400621340DF: from=<fusilladejs@google.com>, size=1797, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: E426E2134109: from=<ramoni0838@adsensesurf.com>, size=2865, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7DB341FBE351: from=<F86E74B2E@acecars.net>, size=5396, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 79D781FBE34F: from=<27FD215@4-action.com>, size=5261, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7F4632134152: from=<mabelhliz634@maaslichtengeluid.com>, size=2694, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7929F21340AA: from=<nutmegkp4@8pdi.com>, size=2482, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: D6F7F1FBE353: from=<386C4DDC@akmar.info>, size=5178, nrcpt=1 (queue active)

which gets followed by:

Code:

Mar 29 08:58:36 server1 postfix/qmgr[27307]: 1D1B7213410B: from=<rabbiesw62@megacs.com>, size=2489, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/pipe[330]: 647FA2138021: to=<smuglyaguirre@domainOnMyServer.at>, orig_to=<smuglyaguirre@vitak.at>, relay=maildrop, delay=8889, delays=8889/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/smuglyaguirre/337.0.server1.  )
Mar 29 08:58:36 server1 postfix/pipe[324]: A6F4B1FBE2A7: to=<evalyn.danby@domainOnMyServer.at>, orig_to=<evalyn.danby@vitak.at>, relay=maildrop, delay=42406, delays=42406/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/evalyn.danby/332.0.server1.  )
Mar 29 08:58:36 server1 postfix/pipe[315]: B38AF21340DE: to=<markus.novak@domainOnMyServer.at>, orig_to=<markus.novak@vitak.at>, relay=maildrop, delay=25730, delays=25730/0.03/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/markus.novak/339.0.server1.  )
Mar 29 08:58:36 server1 postfix/pipe[336]: BF10F213419A: to=<kontaktformular@domainOnMyServer.at>, orig_to=<kontaktformular@vitak.at>, relay=maildrop, delay=2384, delays=2384/0.03/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/kontaktformular/343.0.

So I guess that's all right?

Are there some best practices for preventing something like this in the future? It may be that another account gets compromised, and I don't want to go through this again.

PS: Even though I didn't get replies here in the forum, I still got quick help via private messages, so thanks for that!

compugraphix 29th March 2013 11:35

If I were you I would install fail2ban and turn it on for courier-pop3(-ssl), courier-imap(-ssl) and smtp configuration, and try to move your clients over to the SSL variant of your mail setup because this is much more secure.

Could be somebody hacked the password of a mail user via brute force or some other way.

pititis 29th March 2013 11:59

Quote:

Originally Posted by compugraphix (Post 294975)
If I were you I would install fail2ban and turn it on for courier-pop3(-ssl), courier-imap(-ssl) and smtp configuration, and try to move your clients over to the SSL variant of your mail setup because this is much more secure.

Could be somebody hacked the password of a mail user via brute force or some other way.

I agree.

You can check if fail2ban is working with:

Code:

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf
(example in ubuntu for the sasl filter)

You can check pop3, imap and so on as well. The report will give you something like this (at the bottom):

Code:

Success, the total number of match is 43

Lionheart82 29th March 2013 14:11

I have had exactly this incident on my server a while ago...

Seems like a good fail2ban rule along with monit is a good way to stop these attacks and monitor the server for multiple emails in the queue (in case some account is compromised again).

My fail2ban sasl rule currently has 10 bans, and by using the recidive rule you can permanently ban those attackers.

If you need help with the rule we will be here :)

arraken 29th March 2013 15:28

Thanks for the tips guys!

I'll set up mail for SSL and try to move my clients over asap.

Concerning the fail2ban rules: I have some rules, following this tutorial:
http://scottlinux.com/2011/05/26/pre...x-brute-force/

So I got a rule for sasl that looks like this:

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 3

When I check the logs with the command suggested by pititis, "fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf", I don't get any results, though.

But in the attack on my server, the user apparently logged in with the correct (hacked) password, so I guess the sasl rule doesn't trigger in that case, is that right?

@Lionheart82: Can you tell me which sasl rule you use? I'm curious about that, as it seems to be working. :)

Which fail2ban rules would be responsible for blocking a single account from sending huge amounts of mail? Or do I just need a simple postfix rule for that?

@compugraphix: Do you have any suggestions for courier-pop3(-ssl), courier-imap(-ssl) and smtp settings for fail2ban, or a good tutorial? I found this one: http://www.howtoforge.de/anleitung/v...f-debian-etch/ but it's from 2007, and there's no smtp rule.


Thanks again for the help. You never stop learning here. :)

compugraphix 29th March 2013 15:59

I got something like this:

[courierpop3]

enabled = true
port = pop3
filter = courierpop3
logpath = /var/log/mail.log
maxretry = 5

[courierpop3s]

enabled = true
port = pop3s
filter = courierpop3s
logpath = /var/log/mail.log
maxretry = 5


Most of it is standard in /etc/fail2ban/jail.conf.

Oh, and one big tip :P You must ensure that your own IP can't be banned...
Put it in /etc/hosts.allow
like
sshd: yourip
ftpd: yourip
etc...

