Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Installation/Configuration

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 28th September 2009, 23:23
Mole Mole is offline
Member
 
Join Date: Apr 2008
Location: Latvia
Posts: 83
Thanks: 1
Thanked 0 Times in 0 Posts
Default E-mail server receive and send spams

Hello!
I tried to solve this problem, spending time in google and other forums, finding information...
I think I did many things...but!

The problem is that my e-mail server sends and receive thousands of spam and I'm listed in http://www.mxtoolbox.com/blacklists.aspx in 5-7lists.

What I have:
OpenSuse10.3
Postfix 2.6.5
Cyrus SASL 2.1.22
Postgrey 1.32
ISPconfig 2.2.33

Here are:
1) /etc/postfix/main.cf:
Code:
####################################################################################
###GENERAL SETTINGS
####################################################################################
mail_owner = postfix
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = myhostname.$mydomain
inet_interfaces = all
inet_protocols = all
biff = yes
masquerade_domains = 
#mydestination = $myhostname, localhost.$mydomain
defer_transports = 
mynetworks_style = subnet
disable_dns_lookups = no
relayhost = 
mailbox_command = 
mailbox_transport = 
strict_8bitmime = no
disable_mime_output_conversion = no
mailbox_size_limit = 0
message_size_limit = 10240000
mydomain = ardit.lv
mynetworks = 127.0.0.0/8
delay_warning_time = 1h
message_strip_characters = \0
setgid_group = maildrop

####################################################################################
###MAPS
####################################################################################
canonical_maps = hash:/etc/postfix/canonical
#virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
virtual_maps = hash:/etc/postfix/virtusertable
alias_maps = hash:/etc/aliases
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
body_checks = regexp:/etc/postfix/body_checks

####################################################################################
###DIRECTORIES
####################################################################################
readme_directory = /usr/share/doc/packages/postfix/README_FILES
mail_spool_directory = /var/mail
program_directory = /usr/lib/postfix
mydestination = /etc/postfix/local-host-names
sample_directory = /usr/share/doc/packages/postfix/samples
manpage_directory = /usr/share/man
html_directory = /usr/share/doc/packages/postfix/html

####################################################################################
###PATHS
####################################################################################
sendmail_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
newaliases_path = /usr/bin/newaliases
daemon_directory = /usr/lib/postfix
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
mydestination = /etc/postfix/local-host-names

####################################################################################
###DEBUG
####################################################################################
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 xxgdb $daemon_directory/$process_name $process_id & sleep 5

####################################################################################
###SASL
####################################################################################
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = cyrus
#smtpd_sasl_path = private/auth
smtpd_sasl_path = smtpd
smtpd_sasl_mechanism_filter = !gssapi, !external, static:all
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

####################################################################################
###TLS
####################################################################################
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

####################################################################################
###RULES AGAINST SPAMS ETC. MALWARES
####################################################################################
smtpd_sender_restrictions = 
	    warn_if_reject,
	    hash:/etc/postfix/access_client,
	    permit_sasl_authenticated,
	    permit_mynetworks,
	    reject_non_fqdn_sender,
	    reject_unknown_sender_domain,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client zen.spamhaus.org,
	    permit

smtpd_client_restrictions =
	    permit_sasl_authenticated,
	    check_client_access hash:/etc/postfix/access_client,
	    reject_rbl_client relays.mail-abuse.org,
	    reject_rbl_client relays.ordlb.org,
	    reject_rhsbl_sender dsn.rfc-ignorant.org,
#	    reject_unknown_client,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client zen.spamhaus.org,
	    permit_mynetworks,
	    reject_unauth_pipelining,
	    permit 

smtpd_helo_restrictions = 
	    permit_sasl_authenticated,
	    permit_mynetworks, 
	    reject_invalid_hostname, 
	    reject_unknown_hostname,
	    reject_non_fqdn_hostname,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client zen.spamhaus.org,
	    regexp:/etc/postfix/helo.regexp, 
	    permit

bounce_size_limit = 1024
smtpd_helo_required = yes
smtpd_delay_reject = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

access_map_reject_code = 554
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

notify_classes = resource,software

smtpd_recipient_restrictions = 
	    warn_if_reject,
	    permit_sasl_authenticated,
	    permit_mynetworks,
	    check_relay_domains,
	    reject_non_fqdn_sender,
	    reject_non_fqdn_recipient,
	    reject_unknown_sender_domain,
	    reject_unknown_recipient_domain,
	    reject_unauth_destination,
	    reject_unauth_pipelining,
	    check_policy_service inet:127.0.0.1:6000,
	    check_policy_service inet:127.0.0.1:10023,
	    #check_sender_access hash:/etc/postfix/verify_sender_map,
	    reject_rbl_client cbl.abuseat.org,
	    reject_rbl_client sbl-xbl.spamhaus.org,
	    reject_rbl_client bl.spamcop.net, 
	    reject_rbl_client rblmap.tu-berlin.de,
	    reject_rbl_client relays.ordb.org,
	    reject_rbl_client dnsbl.sorbs.org,
	    reject_rbl_client opm.blitzed.org,
	    reject_rbl_client blackholes.easynet.nl,
	    reject_rbl_client ix.dnsbl.manitu.net,
	    reject_rbl_client dsn.rfc-ignorant.org,
	    reject_rbl_client proxies.relays.monkeys.com,
	    reject_rbl_client dul.dnsbl.sorbs.net,
	    reject_rbl_client list.dsbl.org,
	    reject_rbl_client multi.uribl.com,
	    reject_rbl_client zen.spamhaus.org,
	    reject_rbl_client bogusmx.rfc-ignorant.org,
#	    check_client_access hash:/etc/postfix/helo_client_exceptions,
	    check_client_access hash:/etc/postfix/rbl_client_exceptions,
	    permit
2) Body checks is made after this How To: http://www.malware.com.br/postfix.txt

3) /etc/postfix/rbl_client_exceptions contains my client domain names:
Code:
.domain.com OK
.........
4) hello.regexp contains:
Code:
/^localhost$/ 550 Don't use my own hostname
/^host\.domain\.com$/ 550 Don't use my own hostname
/^127\.0\.0\.1$/ 550 Don't use my own IP address
/^\[180\.169\.9\.91]$/ 550 Don't use my own IP address
/^\[180\.169\.9\.92]$/ 550 Don't use my own IP address
#/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
#/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant
~
5) /etc/access_client contains:
Code:
####################################################
###Manually founded
####################################################
216.52.192.0/24 REJECT
63.251.178.28 REJECT
158.36.80.149 REJECT
82.128.0.0/24 REJECT
65.55.92.0/24 REJECT
206.46.232.0/24 REJECT
65.55.92.88 REJECT
65.55.37.0/24 REJECT
58.36.80.149 REJECT
116.228.146.94REJECT
195.248.241.211 REJECT
203.34.37.27 REJECT
210.241.225.190 REJECT
167.206.112.6 REJECT
96.57.243.42 REJECT
207.157.105.74 REJECT
41.222.193.35 REJECT
203.39.191.100 REJECT
216.201.209.161 REJECT
80.232.169.191 REJECT
202.22.159.237 REJECT
84.238.0.4 REJECT

####################################################
###Whitelist
####################################################
.myclient1.com OK
.myclient2.com OK
...........
.myclient3.com OK
.gov OK
.gov.lv OK

#####################################################
### ALL Bad IP's from http://www.unixhub.com/block.html###
#####################################################
after updeiting these file I use postmap /etc/postfix/appropriate_map_file

7) /etc/postfix/master.cf:
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#	-o smtpd_etrn_restrictions=reject
#	-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
smtps   inet n   -   n   - - smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_sender=yes
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o broken_sasl_auth_clients=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
	-o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#localhost:10025 inet	n	-	n	-	-	smtpd -o content_filter=
scache	  unix	-	-	n	-	1	scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus	  unix	-	n	n	-	-	pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp	  unix	-	n	n	-	-	pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
retry     unix  -       -       n       -       -       error
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
8) netstat -tap
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 *:imaps                 *:*                     LISTEN      3302/couriertcpd    
tcp        0      0 *:pop3s                 *:*                     LISTEN      3334/couriertcpd    
tcp        0      0 *:mysql                 *:*                     LISTEN      2361/mysqld         
tcp        0      0 *:corba-iiop-ssl        *:*                     LISTEN      5647/rpc.rquotad    
tcp        0      0 *:pop3                  *:*                     LISTEN      3317/couriertcpd    
tcp        0      0 localhost.localdoma:783 *:*                     LISTEN      6329/spamd.pid      
tcp        0      0 *:sunrpc                *:*                     LISTEN      3421/portmap        
tcp        0      0 *:imap                  *:*                     LISTEN      3280/couriertcpd    
tcp        0      0 *:www-http              *:*                     LISTEN      2953/httpd2-prefork 
tcp        0      0 *:smtps                 *:*                     LISTEN      5314/master         
tcp        0      0 *:hosts2-ns             *:*                     LISTEN      2889/ispconfig_http 
tcp        0      0 *:ftp                   *:*                     LISTEN      5756/proftpd: (acce 
tcp        0      0 myhost.mydomain.l:domain *:*                     LISTEN      5621/named          
tcp        0      0 localhost.locald:domain *:*                     LISTEN      5621/named          
tcp        0      0 *:ssh                   *:*                     LISTEN      3234/sshd           
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN      5621/named          
tcp        0      0 *:smtp                  *:*                     LISTEN      5314/master         
tcp        0      0 *:https                 *:*                     LISTEN      2953/httpd2-prefork 
tcp        0      0 localhost.loc:lanserver *:*                     LISTEN      3429/famd           
tcp        0      0 myhost.mydomain.lv:38451 mta-v9.mail.vip.mu:smtp ESTABLISHED 5266/smtp           
tcp        0      0 myhost.mydomain.lv:33570 mfe1.sinos.net:smtp     ESTABLISHED 5332/smtp           
tcp        0      0 myhost.mydomain.lv:57976 server4.camintel.c:smtp ESTABLISHED 3051/smtp           
tcp        0      0 myhost.mydomain.lv:ftp   customer-2:compaq-https ESTABLISHED 5582/proftpd: mole  
tcp        0      0 myhost.mydomain.lv:47469 fr-end-01.ipteleco:smtp ESTABLISHED 5336/smtp           
tcp        0      0 myhost.mydomain.lv:54602 mta-v2.mail.vip.sp:smtp TIME_WAIT   -                   
tcp        0      0 myhost.mydomain.lv:38921 de.mx.aol.com:smtp      TIME_WAIT   -                   
tcp        0      0 myhost.mydomain.lv:37318 mx-ha01.web.de:smtp     TIME_WAIT   -                   
tcp        0      0 myhost.mydomain.lv:41672 mxf2.rambler.ru:smtp    TIME_WAIT   -                   
tcp        0      1 myhost.mydomain.lv:55333 211.76.133.78:smtp      FIN_WAIT1   -                   
tcp        0      0 myhost.mydomain.lv:50394 server-0076f.dnspr:smtp ESTABLISHED 3033/smtp           
tcp        0      1 myhost.mydomain.lv:50499 eowyn.portugalmail:smtp SYN_SENT    5481/smtp
10) created post-rule-setup.sh script as described in http://www.howtoforge.com/forums/showthread.php?t=6393 and http://www.howtoforge.com/forums/showthread.php?t=36299 and here are source
Inserted almost ALL bad IPS
Code:
##############################
##############################
##############################
# For AUTH-SMTP###############
##############################
iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 465 -j ACCEPT

######################################################
###Blocking incoming for smtp port 25
######################################################
######################################################
# My own blaclikst of IP's
######################################################
iptables -A INPUT -p tcp -s 158.26.80.149 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 63.251.178.28 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 216.52.192.104 --dport 25 -j REJECT
iptables -A INPUT -p tcp -s 216.52.192.8 --dport 25 -j REJECT
...............
iptables -A OUTPUT -p tcp -s 204.126.12.0/23 --dport 21 -j REJECT
iptables -A OUTPUT -p tcp -s 204.126.140.0/23 --dport 21 -j REJECT

In process solving the problem I added almost all INPUT and OUTPUT IP addresses from this blackIPlist: http://blacklist.linuxadmin.org/

But the problem is, that after system reboot, iptables locks and does not start, so I manually have to delete /var/lock/bastille. After that I restart FW, but all rules ar gone...

All installed as described in http://www.howtoforge.com/perfect_server_opensuse10.3... 1.5 years mail server lives without big problems, but all started last week...dead line was last Thursday ;-(

11) /var/log/messages:
Code:
Sep 28 12:28:28 myhost named[4739]: unexpected RCODE (REFUSED) resolving 'ondasnet.com.br/MX/IN': IP_
Sep 28 12:28:28 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'inter.net.co/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'colombianet.net/MX/IN': IP_#53
Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
Sep 28 12:28:30 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'colombianet.net/MX/IN': IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'ahcrucha.hurtad.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'ajahuel.paine.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'andbello.florid.plaza.cl' (in 'plaza.cl'?): IP_#53
Sep 28 12:28:54 myhost named[4739]: lame server resolving 'anglica.plaza.cl' (in 'plaza.cl'?): IP_#53
12) /var/log/mail.err:
Code:
Sep 28 11:45:19 myhost postfix/bounce[9990]: fatal: lock file defer 42F952F96E8: Resource temporarily unavailable
Sep 28 11:46:05 myhost postfix/bounce[11012]: fatal: lock file defer 41C74EE2F14: Resource temporarily unavailable
Sep 28 11:46:14 myhost postfix/bounce[11003]: fatal: lock file defer E25FD77AA7E: Resource temporarily unavailable
Sep 28 11:46:58 myhost postfix/bounce[9942]: fatal: lock file defer 176FF519632: Resource temporarily unavailable
Sep 28 21:09:21 myhost postfix/master[5313]: fatal: open lock file pid/master.pid: unable to set exclusive lock: Resource temporarily unavailable
13) I have no DNS server on my server, DNS entries manages my data center ISP...

14)I have fail2ban installed and configured and DenyHosts.

15) Also system is checked using rkhunter-1.3.4 and chkrootkit...

I have aprr. 10 clients with appr. 30 emails. But my /var/spool/postfix/incoming folder contains >160 000 entries (messages), /var/spool/postfix/active folder contains max size - 20 000 entries...

I can delete all recors from these folders, but they are back after few seconds.
There are messages with "Australian National Lotteries", "Nigeria e-mails", spam meils to big amount of aol and yahho users (existing, non-existing) etc...

Today after some searches in google I make SASL authentification to SMTP server, so, without authorizing and check TLS box e-mails cann not be sent! But these also do not solve the problem!

I don't know, what else You should know to help me...?

Is there any chance to win the spammers and get back my normal mail server process?

Last edited by Mole; 29th September 2009 at 02:26.
Reply With Quote
Sponsored Links
  #2  
Old 29th September 2009, 09:26
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,461
Thanks: 813
Thanked 5,240 Times in 4,108 Posts
Default

Hi,

the changes you did do not hurt, but they will not solve your problem. If your server sends out spam and was configured properly before, there are 3 possible reasons:

1) Your server configuration changed and it is now an open relay. You can esaily test this here:

http://www.mxtoolbox.com/blacklists.aspx

2) One of your smtp / pop3 accounts is misused for sending spam e.g. because someone got a password or cracked a passord of one of your users. To find this out, you have to read your mail log and check it if a user that sends out spam authenticates itself first.

3) The most common reason is not even related to your postfix setup. You might have a vulnerable contact form or cms system in one of the websites on your server that is misused to send spam. To find out which of the webs is causing this, you can use this logging setup:

http://www.howtoforge.com/how-to-log...tect-form-spam
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 29th September 2009, 10:02
Mole Mole is offline
Member
 
Join Date: Apr 2008
Location: Latvia
Posts: 83
Thanks: 1
Thanked 0 Times in 0 Posts
Default

1) No, my server has no Open relay... I'm tested in in many web pages (for example: http://www.abuse.net/relay.html) and with scripts. This is not the cause.
2) In log file there is no info about users who sent e-mail. Log files look as I post it in root post.
3) I'm used this link and create logins from web forms... Only 1 client have mail form in his web application and it is secured by Secure code... and I thin - this is not the cause.
Reply With Quote
  #4  
Old 29th September 2009, 10:16
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,461
Thanks: 813
Thanked 5,240 Times in 4,108 Posts
Default

Your first post does not contain the mail log, you just posted errors and warnings. Please take a look at your mail log file and check what I explaine din 2).

Also check your server with rkhunter to ensure that it did not got hacked.

http://www.rootkit.nl/projects/rootkit_hunter.html
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 29th September 2009, 10:26
Mole Mole is offline
Member
 
Join Date: Apr 2008
Location: Latvia
Posts: 83
Thanks: 1
Thanked 0 Times in 0 Posts
Default

OK, I'll check mail log.

As I wrote in root post:
15) Also system is checked using rkhunter-1.3.4 and chkrootkit, nothing bad found...
Reply With Quote
  #6  
Old 29th September 2009, 15:32
Mole Mole is offline
Member
 
Join Date: Apr 2008
Location: Latvia
Posts: 83
Thanks: 1
Thanked 0 Times in 0 Posts
Default

I checked logs - there is no info, that some clientusernam@clientdomain sent spams...

Any more ideas?

I'm working with google and other sources to "upgrade" my Bastille-firewall...
Reply With Quote
  #7  
Old 16th November 2009, 21:35
xenlab xenlab is offline
Junior Member
 
Join Date: Aug 2006
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Lightbulb SPF Record

Do you have an SPF Record for that domain in your DNS Zone? More than likely its not originating from your server, but possibly they are able to forge your domain from their own email server. Adding an SPF Record will have most receiving email systems deny the email as spam with no penalty to you.
Reply With Quote
  #8  
Old 20th November 2009, 18:16
MxToolBox MxToolBox is offline
Junior Member
 
Join Date: Nov 2009
Location: Austin, TX
Posts: 10
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Our guess from the information here is that most likely you have had a client's account compromised by a weak password. The other possibility is some type of web application or similar which generates email for you, which may have been compromised.

The first thing we would recommend doing is to take a look into the mail queues and try to look at an individual message to determine where it has come from since you have had no luck with your logs. If you can't do that, then you are going to have to increase logging to see where these messages are coming from.

We also would recommend making sure that you have a password policy for your clients such as minimum lengths including non-alpha characters. Depending on how difficult it would be to change your user's passwords you might just try that to start with. Lastly, you will need to delete the mail queues or you will just get listed again.

@MxToolBox
__________________
MxToolBox.com
@MxToolBox
Reply With Quote
  #9  
Old 6th April 2010, 20:12
Mole Mole is offline
Member
 
Join Date: Apr 2008
Location: Latvia
Posts: 83
Thanks: 1
Thanked 0 Times in 0 Posts
Default

Hello again!

Thanks for previous answers and suggestions....

I'm still trying to kill spam on my server... Lasts weeks in my postfix active directory there is 4000-10000 files... My server is busy, also http://www.mxtoolbox.com/SuperTool.a...tion=blacklist bad result (5-6 blacklists) ;-(

I reinstalled server, now I'm using Ubuntu server 9.10, last ispconfig...

Code:
/etc/postfix/main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

myhostname = hostname.domain.lv
#alias_maps = hash:/etc/aliases
#alias_database = hash:/etc/aliases
myorigin = /etc/mailname
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 20971520
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain = 
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

########
### MAPS:
########
virtual_maps = hash:/etc/postfix/virtusertable
mydestination = /etc/postfix/local-host-names
relay_recipient_maps = hash:/etc/postfix/relay_recipients
header_checks = pcre:/etc/postfix/header_checks.pcre
body_checks = pcre:/etc/postfix/body_checks.pcre
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

########
### My manual entries
########
disable_vrfy_command = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_delay_reject = yes
smtpd_reject_unlisted_recipient = yes

########
#Error codes
########
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtpd_restriction_classes = verify_sender, from_freemail_host

from_freemail_host = check_client_access hash://etc/postfix/freemail_hosts,reject

verify_sender = reject_unverified_sender


smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks,check_client_access hash:/etc/postfix/client_checks,reject_unknown_reverse_client_hostname

smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_invalid_hostname,reject_unknown_helo_hostname,check_helo_access hash:/etc/postfix/helo_checks,regexp:/etc/postfix/helo.regexp

smtpd_sender_restrictions = reject_unknown_sender_domain,reject_non_fqdn_sender,permit_sasl_authenticated,permit_mynetworks,check_sender_access hash:/etc/postfix/sender_access,check_sender_access hash:/etc/postfix/freemail_access,reject_unauth_destination

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_unauth_pipelining,reject_unknown_recipient_domain,reject_non_fqdn_recipient,check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,check_policy_service inet:127.0.0.1:6000,check_sender_access hash:/etc/postfix/verify_sender.map,reject_non_fqdn_hostname,reject_invalid_hostname,reject_unverified_recipient,reject_rbl_client cbl.abuseat.org,reject_rbl_client sbl.spamhaus.org,reject_rbl_client pbl.spamhaus.org,reject_rbl_client multi.uribl.com,reject_rbl_client dsn.rfc-ignorant.org,reject_rbl_client bogusmx.rfc-ignorant.org,reject_rbl_client list.dsbl.org,reject_rbl_client zen.spamhaus.org,reject_rbl_client dnsbl-1.uceprotect.net,permit
I informed customers to change passwords to "Strong_passwords"...

Testing http://verify.abuse.net/cgi-bin/relaytest for Open relay - My server is not open relay...

I do not manage dns records on my server, dns records, if customer like, are managed out of my server.

Server is checked with: lynis, chkrootkit, rkhunter.

Server also is configured with Spamassasin, Postrgrey, Clamavis, Mailscanner (for graphical report), munin, monit and cactis.

It seems that some-one is sending spams "from" my server despite the fact that server is not open relay, and "non-existing" receivers send back e-mails that e-mail can not be sent...

Any more ideas what else could be the problem? ;-O

EDITED:
Such "mails" are in my postfix active dorectory:
Code:
CO           3600            4946              48               0            2972T1270261376 996574Srcklycnh1@gmail.comAcreate_time=1270261377Arewrite_context=remoteAsasl_method=LOGINAsasl_username=infoA.log_client_name=ml82.128.19.157.multilinks.comA log_client_address=82.128.19.157Alog_client_port=4624A@log_message_origin=ml82.128.19.157.multilinks.com[82.128.19.157]Alog_helo_name=UserAlog_protocol_name=ESMTPA*client_name=ml82.128.19.157.multilinks.comA2reverse_client_name=ml82.128.19.157.multilinks.comAclient_address=82.128.19.157Aclient_port=4624Ahelo_name=UserAprotocol_name=ESMTPAclient_address_type=2A.dsn_orig_rcpt=rfc822;byezg.qfryf@msa.hinet.netObyezg.qfryf@msa.hinet.netDbyezg.qfryf@msa.hinet.netA$dsn_orig_rcpt=rfc822;byf8h@yahoo.comObyf8h@yahoo.comDbyf8h@yahoo.comA7dsn_orig_rcpt=rfc822;byfypudolo1545@comcastbusiness.netO"byfypudolo1545@comcastbusiness.netR"byfypudolo1545@comcastbusiness.netA/dsn_orig_rcpt=rfc822;byfyyatoey1195@vsnl.net.inObyfyyatoey1195@vsnl.net.inDbyfyyatoey1195@vsnl.net.inA)dsn_orig_rcpt=rfc822;by-george@excite.comOby-george@excite.comDby-george@excite.comA,dsn_orig_rcpt=rfc822;bygolwhiteboy@yahoo.comObygolwhiteboy@yahoo.comDbygolwhiteboy@yahoo.comA#dsn_orig_rcpt=rfc822;bygosh@aol.comObygosh@aol.comDbygosh@aol.comA*dsn_orig_rcpt=rfc822;bygrace@bewellnet.comObygrace@bewellnet.comRbygrace@bewellnet.comA+dsn_orig_rcpt=rfc822;bygrace@mail.ftc-i.netObygrace@mail.ftc-i.netRbygrace@mail.ftc-i.netA2dsn_orig_rcpt=rfc822;byhalialady1948@wmconnect.comObyhalialady1948@wmconnect.comDbyhalialady1948@wmconnect.comA+dsn_orig_rcpt=rfc822;byhisgrace61@yahoo.comObyhisgrace61@yahoo.comDbyhisgrace61@yahoo.comA,dsn_orig_rcpt=rfc822;byington420la@yahoo.comObyington420la@yahoo.comDbyington420la@yahoo.comA/dsn_orig_rcpt=rfc822;byinoobiusixae@fadmail.comObyinoobiusixae@fadmail.comDbyinoobiusixae@fadmail.comA&dsn_orig_rcpt=rfc822;byisi9640@vtr.netObyisi9640@vtr.netDbyisi9640@vtr.netA&dsn_orig_rcpt=rfc822;by-jess@lycos.comOby-jess@lycos.comDby-jess@lycos.comA#dsn_orig_rcpt=rfc822;byjr1@juno.comObyjr1@juno.comDbyjr1@juno.comA0dsn_orig_rcpt=rfc822;byjuksjcodxb@bpplawcorp.comObyjuksjcodxb@bpplawcorp.comDbyjuksjcodxb@bpplawcorp.comA(dsn_orig_rcpt=rfc822;bykoveho2870@iol.czObykoveho2870@iol.czDbykoveho2870@iol.czA-dsn_orig_rcpt=rfc822;bykutuditu2091@otenet.grObykutuditu2091@otenet.grDbykutuditu2091@otenet.grA'dsn_orig_rcpt=rfc822;bylcat@hotmail.comObylcat@hotmail.comDbylcat@hotmail.comA*dsn_orig_rcpt=rfc822;bylinefkk@company.comObylinefkk@company.comDbylinefkk@company.comA,dsn_orig_rcpt=rfc822;bymdragon88@verizon.netObymdragon88@verizon.netDbymdragon88@verizon.netA$dsn_orig_rcpt=rfc822;bynch@lycos.comObynch@lycos.comDbynch@lycos.comA.dsn_orig_rcpt=rfc822;bynortzorin@sbcglobal.netObynortzorin@sbcglobal.netDbynortzorin@sbcglobal.netA'dsn_orig_rcpt=rfc822;byojab8152@ono.comObyojab8152@ono.comDbyojab8152@ono.comA)dsn_orig_rcpt=rfc822;byorks37@netzero.comObyorks37@netzero.comDbyorks37@netzero.comA,dsn_orig_rcpt=rfc822;byounce2001@hotmail.comObyounce2001@hotmail.comDbyounce2001@hotmail.comA'dsn_orig_rcpt=rfc822;byoung@3rivers.netObyoung@3rivers.netDbyoung@3rivers.netA'dsn_orig_rcpt=rfc822;byoung0103@aol.comObyoung0103@aol.comRbyoung0103@aol.comA+dsn_orig_rcpt=rfc822;byoung30@austin.rr.comObyoung30@austin.rr.comRbyoung30@austin.rr.comA*dsn_orig_rcpt=rfc822;byoung35214@yahoo.comObyoung35214@yahoo.comDbyoung35214@yahoo.comA)dsn_orig_rcpt=rfc822;byoungparker@aol.comObyoungparker@aol.comDbyoungparker@aol.comA'dsn_orig_rcpt=rfc822;byovith@netbox.comObyovith@netbox.comDbyovith@netbox.comA.dsn_orig_rcpt=rfc822;bypassing@redwinter.co.ukObypassing@redwinter.co.ukDbypassing@redwinter.co.ukA,dsn_orig_rcpt=rfc822;bypassingh@shuheian.comObypassingh@shuheian.comDbypassingh@shuheian.comA&dsn_orig_rcpt=rfc822;bypresume@aol.comObypresume@aol.comDbypresume@aol.comA9dsn_orig_rcpt=rfc822;byproductuni4@lescordeliershotel.comO$byproductuni4@lescordeliershotel.comR$byproductuni4@lescordeliershotel.comA#dsn_orig_rcpt=rfc822;byrd4a@aol.comObyrd4a@aol.comRbyrd4a@aol.comA'dsn_orig_rcpt=rfc822;byrd56@comcast.netObyrd56@comcast.netRbyrd56@comcast.netA&dsn_orig_rcpt=rfc822;byrdbelle@aol.comObyrdbelle@aol.comDbyrdbelle@aol.comA'dsn_orig_rcpt=rfc822;byrdiegrl2@aol.comObyrdiegrl2@aol.comDbyrdiegrl2@aol.comA(dsn_orig_rcpt=rfc822;byrne_dz@willett.noObyrne_dz@willett.noDbyrne_dz@willett.noA(dsn_orig_rcpt=rfc822;byrne_rh@fastweb.itObyrne_rh@fastweb.itDbyrne_rh@fastweb.itA(dsn_orig_rcpt=rfc822;byrne_xp@macnews.deObyrne_xp@macnews.deDbyrne_xp@macnews.deA+dsn_orig_rcpt=rfc822;byrnevm@dvb-brasil.orgObyrnevm@dvb-brasil.orgRbyrnevm@dvb-brasil.orgA&dsn_orig_rcpt=rfc822;byron@balu.com.twObyron@balu.com.twDbyron@balu.com.twA'dsn_orig_rcpt=rfc822;byronicy4@ragg.comObyronicy4@ragg.comDbyronicy4@ragg.comA0dsn_orig_rcpt=rfc822;byronnursingadmin@gmail.comObyronnursingadmin@gmail.comDbyronnursingadmin@gmail.comM
Interesting that this "client" IP is blocked with iptables:
Code:
iptables -A INPUT -s 82.128.18.0/23 -j DROP
iptables -A OUTPUT -d 82.128.18.0/23 -j DROP
iptables -A INPUT -s 82.128.83.46 -j DROP
iptables -A OUTPUT -d 82.128.83.46 -j DROP
iptables -A INPUT -s 82.128.83.49 -j DROP
iptables -A OUTPUT -d 82.128.83.49 -j DROP
iptables -A INPUT -s 82.128.20.59 -j DROP
iptables -A OUTPUT -d 82.128.20.59 -j DROP
Also this ip is blocked using /etc/postfix/client_access:
Code:
#Always allow my host
MY-IP OK

#Whitelist
GOOD-IP OK

# Using a domain name

#Block concrete IP addresses
196.46.245.21 DROP
41.28.220.193 DROP
41.211.228.122 DROP
41.211.228.232 DROP
41.211.238.145 DROP
82.128.83.46 DROP
82.128.83.49 DROP
82.128.18.0/23 DROP
82.128.20.59 DROP
here is mail.warn log:
Code:
Apr  7 15:22:46 ardweb01 postfix/smtp[15468]: warning: numeric domain name in resource data of MX record for hostelturf.com: 67.102.46.122
Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: mail for gmail.com is using up 4146 of 5229 active queue entries
Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: this may slow down other mail deliveries
Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: you may need to increase the main.cf smtp_destination_concurrency_limit from 20
Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: please avoid flushing the whole queue when you have
Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: lots of deferred mail, that is bad for performance
Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0
Apr  7 15:23:19 ardweb01 postfix/smtp[18721]: warning: no MX host for gmaul.com has a valid address record
Apr  7 15:24:31 ardweb01 postfix/smtp[19229]: warning: no MX host for rigbyco.com has a valid address record
Apr  7 15:27:37 ardweb01 postfix/smtp[18709]: warning: no MX host for jpost.co.il has a valid address record
Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: mail for gmail.com is using up 4059 of 4656 active queue entries
Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: this may slow down other mail deliveries
Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: you may need to increase the main.cf smtp_destination_concurrency_limit from 20
Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: please avoid flushing the whole queue when you have
Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: lots of deferred mail, that is bad for performance
Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0
Apr  7 15:29:14 ardweb01 postfix/smtp[20368]: warning: numeric domain name in resource data of MX record for mail.intellect.com.tw: 211.75.226.154
Apr  7 15:30:21 ardweb01 postfix/smtp[20397]: warning: numeric domain name in resource data of MX record for chinawangtai.com: 203.88.192.62
Apr  7 15:30:42 ardweb01 postfix/smtp[15526]: warning: numeric domain name in resource data of MX record for aurora.il.us: 64.195.1.137
Apr  7 15:32:46 ardweb01 postfix/smtp[20285]: warning: tls_text_name: mail.loversline.de[194.187.140.2]:25: peer certificate has no issuer Organization
Apr  7 15:32:46 ardweb01 postfix/smtp[20285]: warning: tls_text_name: mail.loversline.de[194.187.140.2]:25: peer certificate has no subject CN
Apr  7 15:34:16 ardweb01 postfix/smtp[19160]: warning: no MX host for gmaii.com has a valid address record
Apr  7 15:35:46 ardweb01 postfix/smtpd[20986]: warning: 83.150.207.253: hostname 253-207-150-83.customers.iber-x.net verification failed: Name or service not known
Apr  7 15:48:19 ardweb01 postfix/smtp[22044]: warning: numeric domain name in resource data of MX record for sur-design.com: 66.92.134.116
Apr  7 15:48:44 ardweb01 postfix/smtp[22105]: warning: no MX host for aol.cm has a valid address record
Apr  7 15:49:22 ardweb01 postfix/smtp[22045]: warning: no MX host for dma.mil has a valid address record
Apr  7 15:49:25 ardweb01 postfix/smtpd[22138]: warning: 78.155.47.46: hostname adsl-new47-l47.crnagora.net verification failed: Name or service not known
Apr  7 15:49:35 ardweb01 postfix/smtp[22029]: warning: numeric domain name in resource data of MX record for greenmatrix.net: 204.247.178.85
Apr  7 15:49:58 ardweb01 postfix/smtp[22064]: warning: no MX host for dma.mil has a valid address record
Apr  7 15:53:03 ardweb01 postfix/smtp[22498]: warning: numeric domain name in resource data of MX record for kflc.ac.kr: 218.149.189.119
Apr  7 15:53:10 ardweb01 postfix/smtp[22496]: warning: numeric domain name in resource data of MX record for audiointercomservices.com: 69.22.252.49
Apr  7 15:53:19 ardweb01 postfix/smtp[22046]: warning: no MX host for futurephoto.com has a valid address record
Apr  7 15:54:38 ardweb01 postfix/smtp[22506]: warning: numeric domain name in resource data of MX record for kflc.ac.kr: 218.149.189.119
Apr  7 15:54:54 ardweb01 postfix/smtp[22020]: warning: numeric domain name in resource data of MX record for pyramidcoach.com: 68.74.53.33
Apr  7 15:55:10 ardweb01 postgrey[3073]: whitelisted: mailfe02.swip.net[212.247.154.33]
Apr  7 15:55:21 ardweb01 postfix/smtp[22469]: warning: tls_text_name: starburstcom.com[62.241.60.2]:25: peer certificate has no issuer Organization
Apr  7 15:55:21 ardweb01 postfix/smtp[22469]: warning: tls_text_name: starburstcom.com[62.241.60.2]:25: peer certificate has no subject CN
Apr  7 15:55:21 ardweb01 postfix/smtp[22518]: warning: no MX host for uoguelph.ca has a valid address record
Apr  7 15:55:41 ardweb01 postfix/smtp[22517]: warning: no MX host for cirpack.fr has a valid address record
Apr  7 15:55:57 ardweb01 postfix/smtp[22498]: warning: no MX host for uoguelph.ca has a valid address record
Apr  7 15:56:54 ardweb01 postgrey[3073]: whitelisted: mailfe06.swip.net[212.247.154.161]
Apr  7 15:58:02 ardweb01 postfix/smtp[22505]: warning: numeric domain name in resource data of MX record for mail.ctin.ac.cn: 218.70.66.117
Apr  7 15:58:08 ardweb01 postfix/smtp[22529]: warning: no MX host for futurephoto.com has a valid address record
Apr  7 16:00:12 ardweb01 postfix/smtp[22064]: warning: numeric domain name in resource data of MX record for sgrow.com: 64.22.126.33
Apr  7 16:00:23 ardweb01 postfix/smtp[22468]: warning: no MX host for uoguelph.ca has a valid address record
Apr  7 16:03:11 ardweb01 postfix/smtp[22445]: warning: no MX host for ragingbull.com has a valid address record
Apr  7 16:05:28 ardweb01 postfix/smtp[22532]: warning: numeric domain name in resource data of MX record for unidocsys.com: 131.210.4.32
Apr  7 16:05:28 ardweb01 postfix/smtp[22494]: warning: numeric domain name in resource data of MX record for xteamlinux.com.cn: 211.153.184.18
Apr  7 16:05:30 ardweb01 postfix/smtp[22064]: warning: no MX host for aol.cm has a valid address record
Apr  7 16:08:04 ardweb01 postfix/smtp[22445]: warning: no MX host for uoguelph.ca has a valid address record
Apr  7 16:08:34 ardweb01 postfix/smtp[22531]: warning: numeric domain name in resource data of MX record for 168market.com: 209.164.15.45
Apr  7 16:08:35 ardweb01 postfix/smtp[22505]: warning: numeric domain name in resource data of MX record for cubexs.net.pk: 202.63.215.14
Apr  7 16:09:52 ardweb01 postfix/smtp[21664]: warning: no MX host for dma.mil has a valid address record
Apr  7 16:10:18 ardweb01 postfix/smtp[22053]: warning: no MX host for uoguelph.ca has a valid address record
Apr  7 16:10:56 ardweb01 postfix/smtp[22019]: warning: numeric domain name in resource data of MX record for laitai.com: 211.157.1.130
Apr  7 16:11:08 ardweb01 postfix/smtp[22525]: warning: numeric domain name in resource data of MX record for mm459.com: 207.111.216.142
Apr  7 16:11:08 ardweb01 postfix/smtp[22525]: warning: numeric domain name in resource data of MX record for mm459.com: 207.111.216.142
Apr  7 16:11:52 ardweb01 postfix/smtp[22498]: warning: no MX host for futurephoto.com has a valid address record
Apr  7 16:12:05 ardweb01 postfix/smtp[22060]: warning: no MX host for dma.mil has a valid address record
Apr  7 16:12:17 ardweb01 postfix/smtpd[25558]: warning: 78.155.37.159: hostname adsl-new37-l160.crnagora.net verification failed: Name or service not known
mail.log:
Code:
Apr  7 16:34:19 mydomain postfix/error[27490]: E68C346EDF: to=<jls321@cox.net>, relay=none, delay=383814, delays=383296/517/0/0.66, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Apr  7 16:34:19 mydomain postfix/error[27384]: 0BDC744F6D: to=<eclark_wworks@yahoo.com>, relay=none, delay=126914, delays=126389/523/0/1.8, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  7 16:34:19 mydomain postfix/smtp[25996]: AA3A942DEF: host idcmail-mx2no.cg.shawcable.net[64.59.134.8] refused to talk to me: 554-idcmail.shaw.ca 554 Your connection from [MY_IP] has been rejected due to poor reputation.
Apr  7 16:34:19 mydomain postfix/error[27440]: 0C2E045D93: to=<ditongaje@yahoo.com>, relay=none, delay=385201, delays=384676/524/0/0.38, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  7 16:34:19 mydomain postfix/smtp[26048]: A995646DFD: host smtp.secureserver.net[216.69.186.201] refused to talk to me: 554-m1pismtp01-022.prod.mesa1.secureserver.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
Apr  7 16:34:19 mydomain postfix/smtp[26081]: connect to maninet.com[82.98.86.167]:25: Connection timed out
Apr  7 16:34:19 mydomain postfix/smtp[26058]: A995646DFD: host hrndva-smtpin01.mail.rr.com[71.74.56.243] refused to talk to me: 554 5.7.1 - ERROR: Mail refused - <[MY_IP]> - See http://security.rr.com/cgi-bin/block-lookup?[MY_IP]
Apr  7 16:34:19 mydomain postfix/error[27493]: 6324F44DB6: to=<jtepper@cox.net>, relay=none, delay=383710, delays=383461/248/0/0.52, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Apr  7 16:34:19 mydomain postfix/error[27449]: 139F043032: to=<waltkuper@cox.net>, relay=none, delay=131452, delays=130934/517/0/0.93, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Apr  7 16:34:19 mydomain postfix/error[27424]: A3CEF41BD3: to=<ghulb001@cox.net>, relay=none, delay=384481, delays=384233/247/0/0.48, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Apr  7 16:34:19 mydomain postfix/error[27421]: 087C5468EB: to=<dollarselloff@yahoo.com>, relay=none, delay=425667, delays=425142/524/0/0.74, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  7 16:34:19 mydomain postfix/error[27459]: AB1D646B4B: to=<jimfus@cox.net>, relay=none, delay=423642, delays=423395/247/0/0.46, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
Apr  7 16:34:19 mydomain postfix/error[27381]: 3D5C642037: to=<zenithhuizar@yahoo.com>, relay=none, delay=131137, delays=130606/528/0/3.4, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Apr  7 16:34:19 mydomain postfix/error[27489]: 91A1A456FA: to=<coreydunson@yahoo.com>, relay=none, delay=385572, delays=385049/523/0/0.42, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

Last edited by Mole; 7th April 2010 at 16:15.
Reply With Quote
  #10  
Old 7th April 2010, 16:19
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,727 Times in 2,565 Posts
Default

Maybe the spammer uses a hole in one of your web applications to send out spam.

http://www.howtoforge.com/how-to-log...tect-form-spam
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
Reply

Bookmarks

Tags
postfix, spams

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
with ISPConfig, Postfix, and Courier, mail does not send or receive karazy-k Server Operation 15 20th July 2009 05:44
postfix unable to send email to other mail server terry15 Server Operation 1 8th May 2009 13:45
Mail Server Wont send or receive emails... andrusha Installation/Configuration 21 7th June 2008 10:51
Mail server jas_esp Server Operation 1 7th December 2005 18:17


All times are GMT +2. The time now is 18:40.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.