HowtoForge Forums > ISPConfig 3 > Installation/Configuration

#1
21st December 2012, 06:44
florix.net (Member)
disable a local domain from sending emails

Hi,

I am using ISPConfig 3, latest version.

I have a domain mcfcomp.in (name changed).

Somehow this domain is trying to send spam emails through the local server using the id webmaster@mcfcomp.in.

I disabled the domain in the control panel and blacklisted the email id, but it is still able to access postfix and add a bunch of emails to the mailq:

2012-12-21T08:58:48.012716+05:18 linode postfix/smtpd[21202]: 030F922800C: client=unknown[127.0.0.1]
2012-12-21T08:58:48.017287+05:18 linode postfix/cleanup[21506]: 030F922800C: message-id=<20121221032746.50CBF2AF3F@linode.frix.net>
2012-12-21T08:58:48.017662+05:18 linode postfix/smtpd[20754]: 0440E22800E: client=unknown[127.0.0.1]
2012-12-21T08:58:48.018802+05:18 linode postfix/qmgr[13424]: 030F922800C: from=<webmaster@mcfcomp.in>, size=5744, nrcpt=1 (queue active)
2012-12-21T08:58:48.022308+05:18 linode postfix/cleanup[21440]: 0440E22800E: message-id=<20121221032746.4ADA62AF3E@linode.frix.net>
2012-12-21T08:58:48.023032+05:18 linode postfix/qmgr[13424]: 0440E22800E: from=<webmaster@mcfcomp.in>, size=5714, nrcpt=1 (queue active)
2012-12-21T08:58:48.027995+05:18 linode amavis[18855]: (18855-09-27) Passed BAD-HEADER, <webmaster@mcfcomp.in> -> <dmccandless@agoc.com>, Message-ID: <20121221032746.50CBF2AF3F@linode.frix.net>, mail_id: CZVJF7YaJvMP, Hits: 2.017, size: 5268, queued_as: 030F922800C, 1336 ms

How can I fix this?

Thanks
Richard
#2
21st December 2012, 09:25
till (Super Moderator)

These emails are most likely inserted through a website script, e.g. a vulnerable contact form or CMS system, so blocking on the postfix level will not work if you don't want to block all emails from localhost. Check the email content of one of the mails in the queue with postcat; it should contain additional info like the user which sent the email, so you can find the site which contains the script.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
21st December 2012, 10:46
florix.net (Member)

Dear Admin,

Thank you for the reply.

I have installed the phpsendmail script, which logs all PHP sendmail attempts. This does not fall in this area.

I have disabled the domain mccomplex.in completely in ISPConfig. What can I do to force postfix to accept any emails from the mccomplex.in domain?


Richard
#4
21st December 2012, 10:55
till (Super Moderator)

Quote:
I have disabled the domain mccomplex.in completely in ISPConfig.
When you disable a domain, you instruct postfix that you don't want to receive emails for this domain. This is not disabling sending, as the sending can be done even through a completely different domain when the user is authenticated with the correct username and password. To stop it, you just have to disable the account that is used for sending or change the password of that account. Find out which email account is being used to send these emails and then disable this account. You can see this in the mail log file, as there must be an SMTP login right before the sending starts.
#5
21st December 2012, 11:02
florix.net (Member)

Till,

The account which is used, webmaster@mcfcomplex.in, is not configured at all.
Here are the details from the mail log. I also do not see any authenticated user logged before this.

Richard



2012-12-16T20:22:53.192803+05:18 linode postfix/pickup[32607]: 2F08B2AE81: uid=48 from=<webmaster@mcfcomplex.in>
2012-12-16T20:22:53.193682+05:18 linode postfix/cleanup[32670]: 2F08B2AE81: message-id=<20121216145253.2F08B2AE81@linode.florix.net>
2012-12-16T20:22:53.194670+05:18 linode postfix/qmgr[3150]: 2F08B2AE81: from=<webmaster@mcfcomplex.in>, size=654, nrcpt=1 (queue active)
2012-12-16T20:22:53.683559+05:18 linode postfix/smtpd[32412]: connect from unknown[127.0.0.1]
2012-12-16T20:22:53.690177+05:18 linode postfix/smtpd[32412]: A874D2AE5B: client=unknown[127.0.0.1]
2012-12-16T20:22:53.692991+05:18 linode postfix/cleanup[32670]: A874D2AE5B: message-id=<20121216145253.2F08B2AE81@linode.florix.net>
2012-12-16T20:22:53.694136+05:18 linode postfix/smtpd[32412]: disconnect from unknown[127.0.0.1]
2012-12-16T20:22:53.694167+05:18 linode postfix/qmgr[3150]: A874D2AE5B: from=<webmaster@mcfcomplex.in>, size=1201, nrcpt=1 (queue active)
2012-12-16T20:22:53.702627+05:18 linode amavis[24900]: (24900-13) Passed BAD-HEADER, <webmaster@mcfcomplex.in> -> <Timofeiene351@yahoo.com>, Message-ID: <20121216145253.2F08B2AE81@linode.florix.net>, mail_id: 3NgtUp3w8hJt, Hits: -0.799, size: 654, queued_as: A874D2AE5B, 505 ms
2012-12-16T20:22:53.705182+05:18 linode postfix/smtp[32673]: 2F08B2AE81: to=<Timofeiene351@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.51, delays=0/0/0/0.51, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=24900-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A874D2AE5B)
2012-12-16T20:22:53.705501+05:18 linode postfix/qmgr[3150]: 2F08B2AE81: removed
2012-12-16T20:22:54.313849+05:18 linode postfix/smtp[32747]: A874D2AE5B: to=<Timofeiene351@yahoo.com>, relay=mta5.am0.yahoodns.net[98.139.54.60]:25, delay=0.63, delays=0.01/0/0.17/0.45, dsn=2.0.0, status=sent (250 ok Sun Dec 16 06:52:54 2012: ql 229824655, qr 0)
2012-12-16T20:22:54.314276+05:18 linode postfix/qmgr[3150]: A874D2AE5B: removed
#6
21st December 2012, 11:09
till (Super Moderator)

Quote:
The account which is used webmaster@mcfcomplex.in is not configured at all.
This is the sender address and not necessarily the account which is used to send the emails. Don't mix that up: the sender address and the sending account can be the same, but don't have to be the same!

Quote:
I also do not see any authenticated user logged before this.
You have to find the login when the first spam email of a session is sent; there is no new login for each message.

There are 3 options:

1) The emails are sent through a local script.
2) The emails are sent through an authenticated account.
3) Your server is an open relay (check: http://mxtoolbox.com/diagnostic.aspx)

If you want to find out more about the emails, then you can inspect their headers with the postcat command in the queue.
#7
21st December 2012, 12:58
florix.net (Member)

Hi Till,

I think it's happening from an authenticated user's machine; after a pop3 login, the bunch of spam arrives.

The sender is sending a small bunch at random intervals, hence it is difficult to track. I have changed the password of one email id associated with that domain.

I will keep you posted.
#8
21st December 2012, 13:15
florix.net (Member)

One more burst ..

The postcat shows this


[root@linode log]# postcat -q EEE6E2AF15
*** ENVELOPE RECORDS deferred/E/EEE6E2AF15 ***
message_size: 6037 490 1 0
message_arrival_time: Fri Dec 21 16:35:47 2012
create_time: Fri Dec 21 16:35:47 2012
named_attribute: rewrite_context=local
sender: webmaster@mcfcomplex.in
named_attribute: encoding=7bit
named_attribute: log_client_address=127.0.0.1
named_attribute: log_message_origin=unknown[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=127.0.0.1
named_attribute: helo_name=localhost
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;amicpht@yahoo.com
original_recipient: amicpht@yahoo.com
recipient: amicpht@yahoo.com
*** MESSAGE CONTENTS deferred/E/EEE6E2AF15 ***
Received: from localhost (unknown [127.0.0.1])
by linode.florix.net (Postfix) with ESMTP id EEE6E2AF15
for <amicpht@yahoo.com>; Fri, 21 Dec 2012 11:05:47 +0000 (UTC)
X-Virus-Scanned: amavisd-new at linode.florix.net
X-Amavis-Alert: BAD HEADER SECTION, MIME error: error: part did not end with
expected boundary
Received: from linode.florix.net ([127.0.0.1])
by localhost (linode.florix.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Pael-rtGiT-i for <amicpht@yahoo.com>;
Fri, 21 Dec 2012 16:35:44 +0530 (IST)
Received: by linode.florix.net (Postfix, from userid 48)
id DF22322804A; Fri, 21 Dec 2012 16:30:51 +0530 (IST)
To: amicpht@yahoo.com
Subject: Tracking ID (961)73-961-961-9798-9798
From: "Express Service" <user-zp@hialeah.com>
X-Mailer: TWIG2.6.2
Reply-To: "Express Service" <user-zp@hialeah.com>
Mime-Version: 1.0
Content-Type:multipart/mixed;boundary="----------135608765150D44163DA575"
Message-Id: <20121221110051.DF22322804A@linode.florix.net>
Date: Fri, 21 Dec 2012 16:30:51 +0530 (IST)
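Till's postcat advice in post #2, his three entry paths in post #6, and the postcat output in post #8 all come down to the same question: which path put each queue ID into Postfix? The script below is an added example (mine, not from the thread, ISPConfig or Postfix) that answers it from mail log lines. It classifies every queue ID as a local submission through the sendmail binary (pickup logs the submitting uid), an SMTP session with a SASL login (smtpd logs sasl_username), or unauthenticated SMTP. A loopback smtpd entry with no login is normally the amavis content filter handing the message back on 127.0.0.1, so such entries are chained to the original queue ID through the Message-ID that cleanup logs for both; the snippet in post #1 starts at that re-injection, which is why it cannot be attributed on its own. The sample input is the thread's own log lines plus two constructed lines (queue IDs ABCDEF0001 and ABCDEF0002, their hosts, IP addresses and the login info@mcfcomplex.in are made up); the postcat snippet is the Received: header from post #8.

```python
"""Classify how each message entered the Postfix queue (added example)."""
import re
import sys
from collections import defaultdict

# Lines copied from posts #1 and #5 of the thread, plus two CONSTRUCTED lines
# (queue IDs ABCDEF0001/ABCDEF0002, their hosts, IPs and the login are made up).
SAMPLE_LOG = """\
2012-12-21T08:58:48.012716+05:18 linode postfix/smtpd[21202]: 030F922800C: client=unknown[127.0.0.1]
2012-12-21T08:58:48.017287+05:18 linode postfix/cleanup[21506]: 030F922800C: message-id=<20121221032746.50CBF2AF3F@linode.frix.net>
2012-12-21T08:58:48.018802+05:18 linode postfix/qmgr[13424]: 030F922800C: from=<webmaster@mcfcomp.in>, size=5744, nrcpt=1 (queue active)
2012-12-16T20:22:53.192803+05:18 linode postfix/pickup[32607]: 2F08B2AE81: uid=48 from=<webmaster@mcfcomplex.in>
2012-12-16T20:22:53.193682+05:18 linode postfix/cleanup[32670]: 2F08B2AE81: message-id=<20121216145253.2F08B2AE81@linode.florix.net>
2012-12-16T20:22:53.194670+05:18 linode postfix/qmgr[3150]: 2F08B2AE81: from=<webmaster@mcfcomplex.in>, size=654, nrcpt=1 (queue active)
2012-12-16T20:22:53.683559+05:18 linode postfix/smtpd[32412]: connect from unknown[127.0.0.1]
2012-12-16T20:22:53.690177+05:18 linode postfix/smtpd[32412]: A874D2AE5B: client=unknown[127.0.0.1]
2012-12-16T20:22:53.692991+05:18 linode postfix/cleanup[32670]: A874D2AE5B: message-id=<20121216145253.2F08B2AE81@linode.florix.net>
2012-12-16T20:22:53.694167+05:18 linode postfix/qmgr[3150]: A874D2AE5B: from=<webmaster@mcfcomplex.in>, size=1201, nrcpt=1 (queue active)
2012-12-21T09:00:00.000000+05:18 linode postfix/smtpd[40001]: ABCDEF0001: client=mail.example.net[203.0.113.5], sasl_method=LOGIN, sasl_username=info@mcfcomplex.in
2012-12-21T09:00:01.000000+05:18 linode postfix/smtpd[40002]: ABCDEF0002: client=unknown[198.51.100.7]
"""

# Copied from the postcat output in post #8: the pickup path records the uid here.
POSTCAT_SNIPPET = """\
Received: by linode.florix.net (Postfix, from userid 48)
\tid DF22322804A; Fri, 21 Dec 2012 16:30:51 +0530 (IST)
"""

PICKUP = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)")
SASL = re.compile(r"sasl_username=(?P<user>\S+)")
CLEANUP = re.compile(r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): message-id=<(?P<mid>[^>]*)>")
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
RECEIVED_UID = re.compile(r"\(Postfix, from userid (?P<uid>\d+)\)")


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def triage(lines):
    """Return {queue_id: {"path": ..., "sender": ..., ...}} for every queue entry seen."""
    origin, mid_of, sender = {}, {}, {}
    for line in lines:
        if m := PICKUP.search(line):            # local /usr/sbin/sendmail submission
            origin[m["qid"]] = {"path": "local-pickup", "uid": int(m["uid"])}
            sender[m["qid"]] = m["sender"]
        elif m := SMTPD.search(line):           # SMTP session, with or without a login
            s = SASL.search(m["rest"])
            if s:
                origin[m["qid"]] = {"path": "smtp-auth", "user": s["user"], "ip": m["ip"]}
            else:
                origin[m["qid"]] = {"path": "smtp-unauth", "ip": m["ip"]}
        elif m := CLEANUP.search(line):         # Message-ID survives the content filter
            mid_of[m["qid"]] = m["mid"]
        elif m := QMGR_FROM.search(line):       # envelope sender, if pickup did not log it
            sender.setdefault(m["qid"], m["sender"])

    by_mid = defaultdict(list)
    for qid, mid in mid_of.items():
        by_mid[mid].append(qid)

    result = {}
    for qid, entry in origin.items():
        entry = dict(entry, sender=sender.get(qid))
        if entry["path"] == "smtp-unauth" and is_loopback(entry["ip"]):
            # Unauthenticated loopback = re-injection by the content filter. Find the
            # entry with the same Message-ID that was NOT itself a re-injection.
            entry["path"] = "loopback-unresolved"
            for other in by_mid.get(mid_of.get(qid), []):
                first = origin.get(other)
                if other != qid and first and not (
                    first["path"] == "smtp-unauth" and is_loopback(first["ip"])
                ):
                    entry.update(path="reinjected", original=other)
                    break
        result[qid] = entry
    return result


def local_submitters(result):
    """uids that handed mail to the sendmail binary, directly or via re-injection."""
    uids = set()
    for e in result.values():
        if e["path"] == "local-pickup":
            uids.add(e["uid"])
        elif e["path"] == "reinjected" and result[e["original"]]["path"] == "local-pickup":
            uids.add(result[e["original"]]["uid"])
    return sorted(uids)


def userid_from_received(postcat_text):
    """Submitting uid from a 'Received: by ... (Postfix, from userid N)' header, else None."""
    m = RECEIVED_UID.search(postcat_text)
    return int(m["uid"]) if m else None


if __name__ == "__main__":
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    report = triage(lines)
    for qid, e in report.items():
        print(qid, e)
    print("local submitting uids:", local_submitters(report))
    print("uid from postcat header:", userid_from_received(POSTCAT_SNIPPET))
```

Run it against the real log with `python3 triage.py /var/log/maillog` (file name is an assumption). For the thread's own lines it attributes 2F08B2AE81, and through the Message-ID also A874D2AE5B, to a local submission by uid 48, and finds no SASL login at all, which matches Till's first option (a web script) rather than a POP3/SMTP account. On a RHEL-family host uid 48 is normally `apache`; `getent passwd 48` on the server settles it, and the `X-Mailer: TWIG2.6.2` header in post #8 is then the string to grep for under the web roots.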
#9
21st December 2012, 14:48
florix.net (Member)

Hi Till,


Please let me know .. I am unable to stop this junk.

How can we simply disable a domain from sending any emails?


Richard
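On Richard's last question: Postfix has no single "this domain may not send" switch, and which control applies depends on the entry path. The fragment below is an added example, not from the thread and not what ISPConfig generates; the map path and the user name `apache` are assumptions (the web server user is whatever `getent passwd 48` returns on the host). The first setting is the one most people reach for and it does not cover the path the logs in post #5 show; the second does.

```ini
# main.cf (added example, not from the thread)

# 1) Envelope-sender block. smtpd evaluates this, so it covers SMTP logins and
#    remote clients, but NOT mail a local process hands to /usr/sbin/sendmail
#    (the "postfix/pickup ... uid=48" entries never pass through smtpd).
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access

# /etc/postfix/sender_access (then: postmap /etc/postfix/sender_access)
#   mcfcomplex.in    REJECT sending from this domain is disabled

# 2) The pickup path. Only listed local users may invoke the sendmail binary;
#    everyone except the web server user keeps the default. This stops the
#    injection but also every legitimate PHP mail() call on the host, so it is
#    a stopgap until the script is found and removed.
authorized_submit_users = !apache, static:anyone
```

Run `postmap` on the map and `postfix reload` afterwards. The content-filter re-injection listener on 127.0.0.1:10025 normally overrides these restrictions in master.cf, so the sender check runs once, on first entry. Neither setting touches what is already queued: list it with `postqueue -p` and delete with `postsuper -d QUEUEID`, or `postsuper -d ALL deferred` for the whole deferred queue.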