HowtoForge Forums > ISPConfig 3 > Installation/Configuration

#1  28th March 2013, 17:52  arraken (Member)
postfix DoS Spam attack

Hi guys!

I'm having a serious problem with my mailserver. It seems there is some kind of DoS or spam attack running, which is nearly crashing the whole server. Some days ago we had a DoS attack on Apache (40+ requests to one site per second from one IP), and now it's starting on the mailserver.

It seems to originate from a single IP, if I'm not mistaken. If I run the command "tail -f /var/log/mail.log | grep 1.2.3.4" I get the following output:

Code:
Mar 28 17:37:01 server1 postfix/smtpd[2413]: 715002530564: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:01 server1 postfix/smtpd[2423]: 77E012530565: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:01 server1 postfix/smtpd[2512]: E53542530413: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:02 server1 amavis[1871]: (01871-03-4) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <etzsthbyquxte@yahoo.com> -> <3390@yahoo.com.tw>,<34dn@yahoo.com.tw>,<430j@yahoo.com.tw>,<486y@yahoo.com.tw>,<6nob@yahoo.com.tw>,<a0937736793@yahoo.com.tw>,<a855151151@yahoo.com.tw>,<aaajoe1207@yahoo.com.tw>,<azero0831@yahoo.com.tw>,<bawea@yahoo.com.tw>,<c0762@yahoo.com.tw>,<ccty218@yahoo.com.tw>,<cids75@yahoo.com.tw>,<clot0955@yahoo.com.tw>,<digev@yahoo.com.tw>,<downright@yahoo.com.tw>,<e31310@yahoo.com.tw>,<fingersob@yahoo.com.tw>,<greatest_club7@yahoo.com.tw>,<kikocc2005@yahoo.com.tw>,<myanmarfuturegenerations@yahoo.com.tw>,<ritsukoaizawa@yahoo.com.tw>, quarantine: X/badh-XPAn+KjwcGjn, Message-ID: <IUHTZUPJBXXGZAGGBWHZ@yahoo.com>, mail_id: XPAn+KjwcGjn, Hits: 29.032, size: 5547, queued_as: 77E182530566, 4413 ms
Mar 28 17:37:04 server1 postfix/smtpd[2512]: 7F0DA21B112F: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:04 server1 postfix/smtpd[2423]: 7F17B25303C4: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:04 server1 postfix/smtpd[2413]: 803D22530568: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:05 server1 postfix/smtpd[2708]: warning: 1.2.3.4: address not listed for hostname email.DomainOnMyServer.at
Mar 28 17:37:05 server1 postfix/smtpd[2708]: connect from unknown[1.2.3.4]
Mar 28 17:37:05 server1 amavis[1870]: (01870-03-13) Passed BAD-HEADER, [1.2.3.4] [75.116.26.152] <ljbpzsbqrqzkx@yahoo.com> -> <gdccu@yahoo.com.tw>, quarantine: j/badh-jLp6v1RP31FB, Message-ID: <UFCEFYPRWNNJJWDLBKLI@yahoo.com>, mail_id: jLp6v1RP31FB, Hits: 28.97, size: 5545, queued_as: B476F2530569, 2765 ms
Mar 28 17:37:06 server1 postfix/smtpd[2708]: 5EEF92331F5D: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2423]: 7897B253056B: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: 789E0253056C: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2512]: 79B99253056D: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2708]: 7A618253056E: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 amavis[1871]: (01871-03-5) Passed BAD-HEADER, [1.2.3.4] [185.248.120.84] <njzbxiaa@yahoo.com> -> <miffy.0311@kimo.com>,<helen0801@yahoo.com.tw>,<johnsonp@yahoo.com.tw>,<k4682t@yahoo.com.tw>,<laiju2421@yahoo.com.tw>,<leizikong@yahoo.com.tw>,<leo1966leo@yahoo.com.tw>,<lewell@yahoo.com.tw>,<lwt1970@yahoo.com.tw>,<ml_ngan@yahoo.com.tw>,<mung-bean-paste@yahoo.com.tw>,<nan2223@yahoo.com.tw>,<niokei@yahoo.com.tw>,<p0936069@yahoo.com.tw>,<sm135ok@yahoo.com.tw>, quarantine: B/badh-BWzuYpe8ThAM, Message-ID: <BUDYAWCSBBNENTIUQCKEISDXZ@yahoo.com>, mail_id: BWzuYpe8ThAM, Hits: 29.469, size: 6527, queued_as: 77FB4253056A, 5424 ms
Mar 28 17:37:08 server1 postfix/smtpd[2512]: A4E29253056F: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2423]: A732B2530570: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: ADFFE2530571: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2708]: EAC6C2530572: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:08 server1 postfix/smtpd[2413]: EAC8C2530573: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2423]: 69F422530575: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2512]: E010A2530576: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:10 server1 postfix/smtpd[2708]: E0FE62530578: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=account@DomainOnMyServer.at
Mar 28 17:37:12 server1 amavis[1870]: (01870-03-14) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <slbburxoarum@yahoo.com> -> <a0926298122@yahoo.com.tw>,<a223542804@yahoo.com.tw>,

As you can see, this is the output of only a few seconds.

Last edited by arraken; 30th March 2013 at 10:27.

#2  28th March 2013, 17:53  arraken (Member)

If I don't grep for the IP and just use "tail -f /var/log/mail.log", I get this within seconds:

Code:
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<daijimmy@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<dd3717383@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<demmy_714@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<dmwv@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<dufeichun@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<ecjh70513@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<edesw@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<erica19840721@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<f68291@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<fegia@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<fermilco@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<fish690617@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<gamale@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<herc31@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<jing910330@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<k079618@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<kelly5211@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<tcby12345@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<video95025@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<weisau789@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<whogamall@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<wyukang@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22826765@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228267748@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22826956@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228269877@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827053@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827127@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827140@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228271420@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228272000@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827217@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a2282721@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228272981@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228274191@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827465@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228275222@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228275464@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827606@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827612@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/smtpd[2454]: 08E3E25307F6: client=unknown[90.146.13.50], sasl_method=LOGIN, sasl_username=account@domainOnMyServer.at
Mar 28 17:44:33 server1 postfix/smtpd[2620]: 098A425307F7: client=unknown[90.146.13.50], sasl_method=LOGIN, sasl_username=account@domainOnMyServer.at
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a22827715@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a2282777@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<a228279328@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/smtpd[2708]: 0E69425307F8: client=unknown[90.146.13.50], sasl_method=LOGIN, sasl_username=account@domainOnMyServer.at
Mar 28 17:44:33 server1 postfix/smtpd[2585]: 0F80225307F9: client=unknown[90.146.13.50], sasl_method=LOGIN, sasl_username=account@domainOnMyServer.at
Mar 28 17:44:33 server1 postfix/smtpd[2398]: 0F99425307FA: client=unknown[90.146.13.50], sasl_method=LOGIN, sasl_username=account@domainOnMyServer.at
Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<6v2g@yahoo.com.tw>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<a0956672213@yahoo.com.tw>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<a28336245@yahoo.com.tw>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<a58111207@yahoo.com.tw>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<a_better_living@yahoo.com.tw>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)

Can anyone help, or explain what exactly is going on? It's really urgent, considering that the server just crashed a few minutes ago, and I have some live sites running on it. I would also be glad for some kind of quick fix (just ban that one IP or something?).

Last edited by arraken; 30th March 2013 at 10:30.

#3  28th March 2013, 18:01  arraken (Member)
blocked IP - no success

I have now blocked the IP with "route add -host 1.2.3.4 reject". The "tail -f /var/log/mail.log | grep 90.146.13.50" now results in the following:

Code:
Mar 28 17:57:31 server1 amavis[18006]: (18006-02-46) Passed BAD-HEADER, [1.2.3.4:] [183.128.84.108] <xlcbojvoqswso@yahoo.com> -> <bbxx@kimo.com>,<nsrrc123@kimo.com>,<15c3@yahoo.com.tw>,<a4789002@yahoo.com.tw>,<a5723149@yahoo.com.tw>,<actionmaps@yahoo.com.tw>,<angel-linda@yahoo.com.tw>,<c60732@yahoo.com.tw>,<davidjoe999@yahoo.com.tw>,<dysqo@yahoo.com.tw>,<ht0222@yahoo.com.tw>,<juliahskimo@yahoo.com.tw>,<n3676732@yahoo.com.tw>,<odream_star_sky@yahoo.com.tw>,<pan_yu_lan@yahoo.com.tw>,<pengpenglao@yahoo.com.tw>,<q.zhang@yahoo.com.tw>,<qianfanzu@yahoo.com.tw>,<reiko_0322@yahoo.com.tw>,<sammi_yuan@yahoo.com.tw>,<satana685@yahoo.com.tw>,<serenawanders@yahoo.com.tw>,<shiliangsan@yahoo.com.tw>,<simonhouse@yahoo.com.tw>,<stutson@yahoo.com.tw>,<t19016@yahoo.com.tw>,<t750501@yahoo.com.tw>,<tha559@yahoo.com.tw>,<tpalways179@yahoo.com.tw>,<ttt22246@yahoo.com.tw>,<u983610@yahoo.com.tw>,<vanila313@yahoo.com.tw>,<vickie_1124@yahoo.com.tw>,<ya73217@yahoo.com.tw>,<yin5125@yahoo.com.tw>,<yolo40@yahoo.com.tw>, quarant...
Mar 28 17:57:31 server1 amavis[16078]: (16078-01-111) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <vswlogswv@yahoo.com> -> <e37n11@yahoo.com.tw>,<et159576@yahoo.com.tw>,<ewcc@yahoo.com.tw>,<ezteclea@yahoo.com.tw>,<f5sld@yahoo.com.tw>,<fish81528@yahoo.com.tw>,<gbo52002@yahoo.com.tw>,<gigila123123@yahoo.com.tw>,<gj4012@yahoo.com.tw>,<h05901037@yahoo.com.tw>,<haiyin0130@yahoo.com.tw>,<halloween201031@yahoo.com.tw>,<ho801008@yahoo.com.tw>,<homoe042002@yahoo.com.tw>,<how168520@yahoo.com.tw>,<hupingpu@yahoo.com.tw>,<iado@yahoo.com.tw>,<icesam0414@yahoo.com.tw>,<inpopstyle@yahoo.com.tw>,<javangsomsb@yahoo.com.tw>,<jay890726@yahoo.com.tw>,<jes2000@yahoo.com.tw>,<jrlovers998@yahoo.com.tw>,<justin28225463@yahoo.com.tw>,<k42234141@yahoo.com.tw>,<kevinabc77@yahoo.com.tw>,<knoe7708800@yahoo.com.tw>,<ktss_719@yahoo.com.tw>,<l2273123@yahoo.com.tw>,<lc0955048776@yahoo.com.tw>,<lisalane@yahoo.com.tw>,<love7931388@yahoo.com.tw>,<love871072000@yahoo.com.tw>,<mail.a45232@yahoo.com.tw>,<mars_tu@yahoo.com.tw>, quarant...
Mar 28 17:57:33 server1 amavis[18006]: (18006-02-47) Passed BAD-HEADER, [1.2.3.4] [157.120.139.150] <bnjmxgdtpswnn@yahoo.com> -> <73.21189@yahoo.com.tw>,<chgshsdhft@yahoo.com.tw>,<chiang0118@yahoo.com.tw>,<dqwd77888@yahoo.com.tw>,<dumaisen@yahoo.com.tw>,<f70280@yahoo.com.tw>,<fanny0333@yahoo.com.tw>,<five_six2520@yahoo.com.tw>,<fle1216@yahoo.com.tw>,<ghqn@yahoo.com.tw>,<hahaismyname@yahoo.com.tw>,<hjt44fvmilpqfoc@yahoo.com.tw>,<hsiuying88@yahoo.com.tw>,<hw0125011@yahoo.com.tw>,<itachf3104@yahoo.com.tw>,<kkandy2@yahoo.com.tw>,<louvretaiwan@yahoo.com.tw>, quarantine: N/badh-NWyeRQikDbdr, Message-ID: <MQJQGDCKOTPTCKQYARIQAHHQ@yahoo.com>, mail_id: NWyeRQikDbdr, Hits: 27.748, size: 5828, queued_as: 0DD8623313BE, 1404 ms
Mar 28 17:57:34 server1 amavis[16078]: (16078-01-112) Passed BAD-HEADER, [1.2.3.4] [181.236.150.22] <pprjfz@yahoo.com> -> <a_wey_h@yahoo.com.tw>,<aa541188882000@yahoo.com.tw>,<amanda198200@yahoo.com.tw>,<but_why_not2001@yahoo.com.tw>,<cara0105.tw@yahoo.com.tw>,<cezra@yahoo.com.tw>,<chiugffgff@yahoo.com.tw>,<dc916ms58@yahoo.com.tw>,<f-squall@yahoo.com.tw>,<handmakebear@yahoo.com.tw>,<ioanna@yahoo.com.tw>,<jack198167@yahoo.com.tw>,<kai55@yahoo.com.tw>,<kery0418@yahoo.com.tw>,<maddog@yahoo.com.tw>,<n235512@yahoo.com.tw>,<rabj@yahoo.com.tw>,<seatleichiro@yahoo.com.tw>,<shizuka_banzai@yahoo.com.tw>,<spide18@yahoo.com.tw>,<steven-30@yahoo.com.tw>,<sunday05272002@yahoo.com.tw>,<swt11807@yahoo.com.tw>,<teyou_shuai@yahoo.com.tw>,<totorowg@yahoo.com.tw>,<vino2001new@yahoo.com.tw>, quarantine: u/badh-u6-w7u-VHSX8, Message-ID: <QUIULRGETEBUGHBJHZZZHGLW@yahoo.com>, mail_id: u6-w7u-VHSX8, Hits: 27.625, size: 7382, queued_as: CCF7921B1CF6, 1033 ms
Mar 28 17:57:35 server1 amavis[16078]: (16078-01-113) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <muppubbysaehgh@yahoo.com> -> <3r0e@yahoo.com.tw>,<bossrong@yahoo.com.tw>,<chobits_janne21@yahoo.com.tw>

Any ideas?

Last edited by arraken; 30th March 2013 at 10:33.

#4  28th March 2013, 18:39  arraken (Member)
Server abused as spambot?

OK, I think my server is being abused for sending spam. I don't think it's an open relay, however, so could it be some script on my server that sends the mails?

I followed the instructions from the first answer here: http://serverfault.com/questions/333...refusing-mails

I seem to have the same problem as the poster there.

When I execute "qshape deferred" I get the following output:

Code:
             yahoo.com.tw 70279  0 42  0 1998 5617 12254 39296 11072    0     0
          DomainOnMyServer.at 12583  0  0  0   17   31    36    73   885 1445 10096
                  kimo.com   310  0  0  0   16   24    48   159    63    0     0
     heattreatmentchina.ru    29  0  0  0    1    0     1     0     0    0    27
              yahoo.com.hk    22  0  0  0    1    2     9     9     1    0     0
             purifiercn.ru    16  0  0  0    0    0     1     1     0    1    13
             earthlink.net    12  0  0  0    0    0     0     0     0    0    12
                 ymail.com    11  0  0  0    0    0     6     4     1    0     0                  
               example.com     8  0  0  0    0    0     0     0     0    2     6            
                   aol.com     2  0  0  0    0    0     0     0     0    0     2
                  jumpy.it     2  0  0  0    0    0     0     0     0    0     2
                 gawab.com     2  0  0  0    0    0     0     0     0    0     2
            rocketmail.com     2  0  0  0    0    0     0     2     0    0     0
 gdp-globaldigitalpost.com     2  0  0  0    0    0     0     0     0    0     2
                   nsi.com     1  0  0  0    0    0     0     0     0    0     1
                   mxb.org     1  0  0  0    0    0     0     0     0    0     1
                   kjf.com     1  0  0  0    0    0     0     0     0    0     1

When I look in /var/spool/postfix/deferred/ there are masses of mails there, all apparently spam mails.

What can I do to stop this? Please help! I had to shut down the mailserver already, which isn't good, as it is used by quite a few customers.

Last edited by arraken; 30th March 2013 at 10:34.

#5  29th March 2013, 11:08  arraken (Member)
Problem seems to be solved for now

OK, the problem seems to be fixed for now. I'll post a little summary of the problem and of what I did, as this may be interesting to other ISPConfig 3 users who also use the standard Postfix settings.

1. My mailserver sent masses of spam mails to seemingly random accounts (mostly @yahoo.com). My log was full of lines like this:
Code:
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<ho08132000@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<hot7495@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<hwahwa09091203@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<i5325@yahoo.com.tw>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)

2. There were lots of logins from a mail account on my server, all from the same IP.

3. As a result of the many spam mails, yahoo blocked the IP of my server.

What I did was the following:

1. Panicked and tried to find out what the hell was going on...
2. Tried some stuff that didn't work, most of which I can't remember in the correct order now...
3. What I think did the trick was that I changed the password of the account which I thought was compromised, and removed all mail from the queue (which was completely clogged up). Afterwards there were no more outgoing spam mails in my mail.log.

The hardest part was finding the compromised account, because the mail log was filling up so fast that it was hard to find useful information. If anyone has some info on how to identify a compromised account quickly, I would be glad to hear it.


I still see spam-mail blocks in my mail log, but the spam comes from the outside now and gets blocked, if I interpret it correctly. Here's a short snippet:

Code:
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 0DBC22134107: from=<ellipsej7@verbatim.com>, size=2461, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 0EAAD213410A: from=<2B6FC5FB46@albrightins.com>, size=5221, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: F400621340DF: from=<fusilladejs@google.com>, size=1797, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: E426E2134109: from=<ramoni0838@adsensesurf.com>, size=2865, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7DB341FBE351: from=<F86E74B2E@acecars.net>, size=5396, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 79D781FBE34F: from=<27FD215@4-action.com>, size=5261, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7F4632134152: from=<mabelhliz634@maaslichtengeluid.com>, size=2694, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7929F21340AA: from=<nutmegkp4@8pdi.com>, size=2482, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/qmgr[27307]: D6F7F1FBE353: from=<386C4DDC@akmar.info>, size=5178, nrcpt=1 (queue active)

which gets followed by:

Code:
Mar 29 08:58:36 server1 postfix/qmgr[27307]: 1D1B7213410B: from=<rabbiesw62@megacs.com>, size=2489, nrcpt=1 (queue active)
Mar 29 08:58:36 server1 postfix/pipe[330]: 647FA2138021: to=<smuglyaguirre@domainOnMyServer.at>, orig_to=<smuglyaguirre@vitak.at>, relay=maildrop, delay=8889, delays=8889/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/smuglyaguirre/337.0.server1.  )
Mar 29 08:58:36 server1 postfix/pipe[324]: A6F4B1FBE2A7: to=<evalyn.danby@domainOnMyServer.at>, orig_to=<evalyn.danby@vitak.at>, relay=maildrop, delay=42406, delays=42406/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/evalyn.danby/332.0.server1.  )
Mar 29 08:58:36 server1 postfix/pipe[315]: B38AF21340DE: to=<markus.novak@domainOnMyServer.at>, orig_to=<markus.novak@vitak.at>, relay=maildrop, delay=25730, delays=25730/0.03/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/markus.novak/339.0.server1.  )
Mar 29 08:58:36 server1 postfix/pipe[336]: BF10F213419A: to=<kontaktformular@domainOnMyServer.at>, orig_to=<kontaktformular@vitak.at>, relay=maildrop, delay=2384, delays=2384/0.03/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/kontaktformular/343.0.

So I guess that's all right?

Are there some best practices for preventing something like this in the future? It may be that another account gets compromised, and I don't want to go through this again.

PS: Even though I didn't get replies here in the forum, I still got quick help via private messages, so thanks for that!
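Post #5 asks how to identify the compromised account quickly when the log fills faster than it can be read. The practical answer is to aggregate the `sasl_username=` lines instead of reading them: Postfix logs one such line per authenticated submission, so a stolen account stands out as the one with by far the most submissions per minute, usually from one or a few client IPs, while inbound mail from other servers never carries `sasl_username=` at all. The script below is an added example written for this page, not code from the thread or from ISPConfig. It counts authenticated submissions per account, the distinct client IPs behind them and the submission rate, and counts deferred recipients per queue ID as a measure of queue pressure. The sample log lines, the `example.at` accounts, the documentation IPs and the 20-per-minute threshold are constructed for the example.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/mail.log in the format seen in the thread.
# example.at accounts and documentation IPs are placeholders, not real data.
SAMPLE_LOG = """\
Mar 28 17:37:01 server1 postfix/smtpd[2413]: 715002530564: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:01 server1 postfix/smtpd[2423]: 77E012530565: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:01 server1 postfix/smtpd[2512]: E53542530413: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:02 server1 postfix/smtpd[2708]: connect from unknown[203.0.113.9]
Mar 28 17:37:04 server1 postfix/smtpd[2512]: 7F0DA21B112F: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:04 server1 postfix/smtpd[2423]: 7F17B25303C4: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:04 server1 postfix/smtpd[2413]: 803D22530568: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:06 server1 postfix/smtpd[2708]: 5EEF92331F5D: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:39:10 server1 postfix/smtpd[2444]: 1AB0C2530600: client=pc1.example.net[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@example.at
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<x1@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<x2@yahoo.com.tw>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<y1@yahoo.com.tw>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
Mar 28 17:52:00 server1 postfix/smtpd[2460]: 2BC1D2530611: client=pc1.example.net[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@example.at
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# smtpd line for an authenticated submission (one per message). Inbound mail
# from other servers never carries sasl_username=, which separates the two.
SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=[^\[\s]+\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

# qmgr writes one status=deferred line per recipient; counting them per queue
# ID shows how clogged the queue is and which messages are responsible.
DEFERRED_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]+>, .*status=deferred"
)


def parse_ts(ts, year=2013):
    # syslog timestamps carry no year; one is assumed for the example.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def sasl_login_stats(lines):
    """Per sasl_username: submission count, distinct client IPs, first/last seen."""
    stats = {}
    for line in lines:
        m = SASL_RE.match(line.rstrip("\n"))
        if not m:
            continue
        s = stats.setdefault(m["user"], {"logins": 0, "ips": set(), "first": None, "last": None})
        t = parse_ts(m["ts"])
        s["logins"] += 1
        s["ips"].add(m["ip"])
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return stats


def rate_per_minute(s):
    """Submissions per minute over the span the account was seen (at least 1 s)."""
    span = (s["last"] - s["first"]).total_seconds()
    return s["logins"] * 60.0 / max(span, 1.0)


def suspicious_accounts(lines, min_logins=5, max_per_minute=20.0):
    """Accounts with at least min_logins submissions at more than max_per_minute.
    A person cannot sustain that rate; a bot holding a stolen password can."""
    stats = sasl_login_stats(lines)
    return sorted(u for u, s in stats.items()
                  if s["logins"] >= min_logins and rate_per_minute(s) > max_per_minute)


def deferred_recipients_by_queue_id(lines):
    """Number of deferred recipients per queue ID (queue pressure per message)."""
    counts = defaultdict(int)
    for line in lines:
        m = DEFERRED_RE.search(line)
        if m:
            counts[m["qid"]] += 1
    return dict(counts)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LINES
    stats = sasl_login_stats(lines)
    for user, s in sorted(stats.items(), key=lambda kv: -kv[1]["logins"]):
        print(f"{user}: {s['logins']} submissions, {len(s['ips'])} client IP(s), "
              f"{rate_per_minute(s):.1f}/min")
    print("suspicious:", suspicious_accounts(lines))
    print("deferred recipients per queue ID:", deferred_recipients_by_queue_id(lines))
```

Against a live server run it as `python3 find_compromised.py /var/log/mail.log`, and tune `min_logins` and `max_per_minute` to what a real user of that server can plausibly produce. Once the account is found, the order of the remedy in post #5 matters: change the password first, then clear the queue, otherwise the bot refills it while you empty it. Keep in mind that `postsuper -d ALL deferred` discards every deferred message, legitimate ones included.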

#6  29th March 2013, 11:35  compugraphix (Member)

If I were you, I would install fail2ban and turn it on for the courier-pop3(-ssl), courier-imap(-ssl) and smtp configurations, and try to move your clients over to the SSL variant of your mail setup, because this is much more secure.

Could be somebody hacked the password of a mail user via brute force or some other way.

Last edited by compugraphix; 29th March 2013 at 11:37.

#7  29th March 2013, 11:59  pititis (Senior Member, München)

Quote:
Originally Posted by compugraphix
If I were you, I would install fail2ban and turn it on for the courier-pop3(-ssl), courier-imap(-ssl) and smtp configurations, and try to move your clients over to the SSL variant of your mail setup, because this is much more secure.

Could be somebody hacked the password of a mail user via brute force or some other way.
I agree.

You can check if fail2ban is working with:

Code:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf
(example on Ubuntu for the sasl filter)

You can check pop3, imap and so on as well. The report will give you something like this (at the bottom):

Code:
Success, the total number of match is 43

#8  29th March 2013, 14:11  Lionheart82 (Member)

I have had exactly this incident on my server a while ago...

Seems like a good fail2ban rule along with monit is a good way to stop these attacks and to monitor the server's mail queue (in case some account is compromised again).

My fail2ban sasl rule currently has 10 bans, and by using the recidive rule you can permanently ban those attackers.

If you need help with the rule, we will be here.

#9  29th March 2013, 15:28  arraken (Member)

Thanks for the tips, guys!

I'll set up mail for SSL and try to move my clients over ASAP.

Concerning the fail2ban rules: I have some rules, following this tutorial:
http://scottlinux.com/2011/05/26/pre...x-brute-force/

So I've got a rule for sasl that looks like this:

Code:
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 3

When I check the logs with the command suggested by pititis, "fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf", I don't get any results though.

But in the attack on my server, the user apparently logged in with the correct (hacked) password, so I guess the sasl rule doesn't trigger in that case, is that right?

@Lionheart82: Can you tell me which sasl rule you use? I'm curious about that, as it seems to be working.

Which fail2ban rules would be responsible for blocking a single account from sending huge amounts of mail? Or do I just need a simple Postfix rule for that?

@compugraphix: Do you have any suggestions for courier-pop3(-ssl), courier-imap(-ssl) and smtp settings for fail2ban, or a good tutorial? I found this one: http://www.howtoforge.de/anleitung/v...f-debian-etch/ but it's from 2007, and there's no smtp rule.


Thanks again for the help. You never stop learning here.

#10  29th March 2013, 15:59  compugraphix (Member)

I've got something like this:

Code:
[courierpop3]

enabled = true
port = pop3
filter = courierpop3
logpath = /var/log/mail.log
maxretry = 5

[courierpop3s]

enabled = true
port = pop3s
filter = courierpop3s
logpath = /var/log/mail.log
maxretry = 5


Most of it is standard in /etc/fail2ban/jail.conf.

Oh, and one big tip :P you must ensure that your own IP can't be banned...
Put it in /etc/hosts.allow, like:
sshd: yourip
ftpd: yourip
etc...
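Post #9 observes that `fail2ban-regex` with the sasl filter reports nothing, because the stock filter matches failed SASL authentications and the attacker was logging in with the correct password; post #10 then shows jail settings of the kind that make fail2ban act. Both points can be checked without fail2ban installed. The script below is an added example written for this page, not fail2ban's code or anyone's from the thread: it models fail2ban's `findtime`/`maxretry` sliding window in Python, runs a failregex modelled on the stock sasl filter and a second one that matches successful authenticated submissions over constructed log lines, and reports which hosts each would ban. The `<HOST>` placeholder of a real filter.d file is written as a named group here; the sample timestamps, addresses and jail parameters are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a bot pushing mail through a stolen password from
# 203.0.113.9, a legitimate user on 198.51.100.20, and a password-guessing
# client on 192.0.2.50. Addresses and account names are placeholders.
SAMPLE_LOG = """\
Mar 28 17:37:01 server1 postfix/smtpd[2413]: 715002530564: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:01 server1 postfix/smtpd[2423]: 77E012530565: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:01 server1 postfix/smtpd[2512]: E53542530413: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:04 server1 postfix/smtpd[2512]: 7F0DA21B112F: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:04 server1 postfix/smtpd[2423]: 7F17B25303C4: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:04 server1 postfix/smtpd[2413]: 803D22530568: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:37:06 server1 postfix/smtpd[2708]: 5EEF92331F5D: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=account@example.at
Mar 28 17:39:10 server1 postfix/smtpd[2444]: 1AB0C2530600: client=pc1.example.net[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@example.at
Mar 28 17:52:00 server1 postfix/smtpd[2460]: 2BC1D2530611: client=pc1.example.net[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@example.at
Mar 28 18:01:02 server1 postfix/smtpd[3001]: warning: unknown[192.0.2.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 18:01:05 server1 postfix/smtpd[3001]: warning: unknown[192.0.2.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 18:01:09 server1 postfix/smtpd[3002]: warning: unknown[192.0.2.50]: SASL PLAIN authentication failed: authentication failure
Mar 28 18:30:00 server1 postfix/smtpd[3010]: warning: client.example.org[198.51.100.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Modelled on the stock fail2ban "sasl" filter: it fires only on *failed*
# authentication, so it stays silent when the attacker already knows the
# password. fail2ban writes the host group as <HOST>; a named group is used here.
FAILED_AUTH_RE = re.compile(
    r"warning: [-._\w]+\[(?P<host>[^\]]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Custom pattern for *successful* authenticated submissions (the lines in the
# thread). With a short findtime and a high maxretry it bans a host that pushes
# mail through a stolen account at bot speed, which no auth-failure rule sees.
SUCCESS_AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=[^\[\s]+\[(?P<host>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=\S+"
)

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")


def parse_ts(line, year=2013):
    # syslog timestamps carry no year; one is assumed for the example.
    return datetime.strptime(f"{year} {TS_RE.match(line)['ts']}", "%Y %b %d %H:%M:%S")


def count_matches(lines, regex):
    """What fail2ban-regex reports at the bottom: lines matched by the failregex."""
    return sum(1 for line in lines if regex.search(line))


def banned_hosts(lines, regex, maxretry, findtime):
    """fail2ban's jail rule: a host is banned once `maxretry` matching lines fall
    inside a sliding window of `findtime` seconds. Returns {host: time of ban}."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # host -> timestamps of matches still inside the window
    banned = {}
    for line in lines:
        m = regex.search(line)
        if not m or m["host"] in banned:
            continue
        t = parse_ts(line)
        q = hits[m["host"]]
        q.append(t)
        while t - q[0] > window:   # expire matches older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[m["host"]] = t
    return banned


if __name__ == "__main__":
    for name, regex, maxretry, findtime in (
        ("stock sasl filter (failed auth)", FAILED_AUTH_RE, 3, 600),
        ("successful-login filter", SUCCESS_AUTH_RE, 5, 60),
    ):
        print(f"{name}: {count_matches(SAMPLE_LINES, regex)} matches")
        for host, when in banned_hosts(SAMPLE_LINES, regex, maxretry, findtime).items():
            print(f"  ban {host} at {when:%H:%M:%S} (maxretry={maxretry}, findtime={findtime}s)")
```

To turn the second pattern into a real jail, put it in a filter.d file with `<HOST>` in place of the named group and pair it with a `findtime` of about a minute and a `maxretry` well above what a person sends, so the jail only fires on bot-speed submission. The sliding window is what keeps a legitimate user safe: alice's two logins thirteen minutes apart never accumulate, whatever `maxretry` is. Whichever ban action the jail uses, list your own addresses in `ignoreip` in jail.local so fail2ban never bans the admin.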