E-mail server receives and sends spam

Discussion in 'Installation/Configuration' started by Mole, Sep 28, 2009.

  1. Mole

    Mole New Member

    Hello!
    I have tried to solve this problem, spending time on Google and other forums, finding information...
    I think I have done many things... but!

    The problem is that my e-mail server sends and receives thousands of spam messages and I'm listed on http://www.mxtoolbox.com/blacklists.aspx in 5-7 lists.

    What I have:
    OpenSuse10.3
    Postfix 2.6.5
    Cyrus SASL 2.1.22
    Postgrey 1.32
    ISPconfig 2.2.33

    Here they are:
    1) /etc/postfix/main.cf:
    Code:
    ####################################################################################
    ###GENERAL SETTINGS
    ####################################################################################
    mail_owner = postfix
    masquerade_exceptions = root
    masquerade_classes = envelope_sender, header_sender, header_recipient
    myhostname = myhostname.$mydomain
    inet_interfaces = all
    inet_protocols = all
    biff = yes
    masquerade_domains = 
    #mydestination = $myhostname, localhost.$mydomain
    defer_transports = 
    mynetworks_style = subnet
    disable_dns_lookups = no
    relayhost = 
    mailbox_command = 
    mailbox_transport = 
    strict_8bitmime = no
    disable_mime_output_conversion = no
    mailbox_size_limit = 0
    message_size_limit = 10240000
    mydomain = ardit.lv
    mynetworks = 127.0.0.0/8
    delay_warning_time = 1h
    message_strip_characters = \0
    setgid_group = maildrop
    
    ####################################################################################
    ###MAPS
    ####################################################################################
    canonical_maps = hash:/etc/postfix/canonical
    #virtual_alias_maps = hash:/etc/postfix/virtual
    virtual_alias_domains = hash:/etc/postfix/virtual
    relocated_maps = hash:/etc/postfix/relocated
    transport_maps = hash:/etc/postfix/transport
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    virtual_maps = hash:/etc/postfix/virtusertable
    alias_maps = hash:/etc/aliases
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    
    ####################################################################################
    ###DIRECTORIES
    ####################################################################################
    readme_directory = /usr/share/doc/packages/postfix/README_FILES
    mail_spool_directory = /var/mail
    program_directory = /usr/lib/postfix
    mydestination = /etc/postfix/local-host-names
    sample_directory = /usr/share/doc/packages/postfix/samples
    manpage_directory = /usr/share/man
    html_directory = /usr/share/doc/packages/postfix/html
    
    ####################################################################################
    ###PATHS
    ####################################################################################
    sendmail_path = /usr/sbin/sendmail
    mailq_path = /usr/bin/mailq
    newaliases_path = /usr/bin/newaliases
    daemon_directory = /usr/lib/postfix
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    
    ####################################################################################
    ###DEBUG
    ####################################################################################
    debug_peer_level = 2
    debugger_command =
    	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    	 xxgdb $daemon_directory/$process_name $process_id & sleep 5
    
    ####################################################################################
    ###SASL
    ####################################################################################
    smtp_sasl_auth_enable = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_type = cyrus
    #smtpd_sasl_path = private/auth
    smtpd_sasl_path = smtpd
    smtpd_sasl_mechanism_filter = !gssapi, !external, static:all
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    
    ####################################################################################
    ###TLS
    ####################################################################################
    smtpd_use_tls = yes
    smtp_use_tls = yes
    smtpd_tls_auth_only = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
    ####################################################################################
    ###RULES AGAINST SPAMS ETC. MALWARES
    ####################################################################################
    # NOTE: warn_if_reject only affects the restriction that follows it, so the
    # access_client blacklist in this list is log-only (its rejections become warnings)
    smtpd_sender_restrictions = 
    	    warn_if_reject,
    	    hash:/etc/postfix/access_client,
    	    permit_sasl_authenticated,
    	    permit_mynetworks,
    	    reject_non_fqdn_sender,
    	    reject_unknown_sender_domain,
    	    reject_rbl_client list.dsbl.org,
    	    reject_rbl_client zen.spamhaus.org,
    	    permit
    
    smtpd_client_restrictions =
    	    permit_sasl_authenticated,
    	    check_client_access hash:/etc/postfix/access_client,
    	    reject_rbl_client relays.mail-abuse.org,
    	    reject_rbl_client relays.ordlb.org,
    	    reject_rhsbl_sender dsn.rfc-ignorant.org,
    #	    reject_unknown_client,
    	    reject_rbl_client list.dsbl.org,
    	    reject_rbl_client zen.spamhaus.org,
    	    permit_mynetworks,
    	    reject_unauth_pipelining,
    	    permit 
    
    smtpd_helo_restrictions = 
    	    permit_sasl_authenticated,
    	    permit_mynetworks, 
    	    reject_invalid_hostname, 
    	    reject_unknown_hostname,
    	    reject_non_fqdn_hostname,
    	    reject_rbl_client list.dsbl.org,
    	    reject_rbl_client zen.spamhaus.org,
    	    regexp:/etc/postfix/helo.regexp, 
    	    permit
    
    bounce_size_limit = 1024
    smtpd_helo_required = yes
    smtpd_delay_reject = yes
    strict_rfc821_envelopes = yes
    disable_vrfy_command = yes
    default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
    
    access_map_reject_code = 554
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_client_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    
    notify_classes = resource,software
    
    # NOTE: warn_if_reject only affects the restriction that follows it; here that is
    # permit_sasl_authenticated, which never rejects, so this warn_if_reject is a no-op
    smtpd_recipient_restrictions = 
    	    warn_if_reject,
    	    permit_sasl_authenticated,
    	    permit_mynetworks,
    	    check_relay_domains,
    	    reject_non_fqdn_sender,
    	    reject_non_fqdn_recipient,
    	    reject_unknown_sender_domain,
    	    reject_unknown_recipient_domain,
    	    reject_unauth_destination,
    	    reject_unauth_pipelining,
    	    check_policy_service inet:127.0.0.1:6000,
    	    check_policy_service inet:127.0.0.1:10023,
    	    #check_sender_access hash:/etc/postfix/verify_sender_map,
    	    reject_rbl_client cbl.abuseat.org,
    	    reject_rbl_client sbl-xbl.spamhaus.org,
    	    reject_rbl_client bl.spamcop.net, 
    	    reject_rbl_client rblmap.tu-berlin.de,
    	    reject_rbl_client relays.ordb.org,
    	    reject_rbl_client dnsbl.sorbs.org,
    	    reject_rbl_client opm.blitzed.org,
    	    reject_rbl_client blackholes.easynet.nl,
    	    reject_rbl_client ix.dnsbl.manitu.net,
    	    reject_rbl_client dsn.rfc-ignorant.org,
    	    reject_rbl_client proxies.relays.monkeys.com,
    	    reject_rbl_client dul.dnsbl.sorbs.net,
    	    reject_rbl_client list.dsbl.org,
    	    reject_rbl_client multi.uribl.com,
    	    reject_rbl_client zen.spamhaus.org,
    	    reject_rbl_client bogusmx.rfc-ignorant.org,
    #	    check_client_access hash:/etc/postfix/helo_client_exceptions,
    	    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    	    permit
    
    2) Body checks are made following this How To: http://www.malware.com.br/postfix.txt

    3) /etc/postfix/rbl_client_exceptions contains my client domain names:
    Code:
    .domain.com OK
    .........
    
    4) helo.regexp contains:
    Code:
    /^localhost$/ 550 Don't use my own hostname
    /^host\.domain\.com$/ 550 Don't use my own hostname
    /^127\.0\.0\.1$/ 550 Don't use my own IP address
    /^\[180\.169\.9\.91]$/ 550 Don't use my own IP address
    /^\[180\.169\.9\.92]$/ 550 Don't use my own IP address
    #/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
    #/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant
    
    5) /etc/postfix/access_client contains:
    Code:
    ####################################################
    ### Manually found
    ####################################################
    216.52.192.0/24 REJECT
    63.251.178.28 REJECT
    158.36.80.149 REJECT
    82.128.0.0/24 REJECT
    65.55.92.0/24 REJECT
    206.46.232.0/24 REJECT
    65.55.92.88 REJECT
    65.55.37.0/24 REJECT
    58.36.80.149 REJECT
    116.228.146.94 REJECT
    195.248.241.211 REJECT
    203.34.37.27 REJECT
    210.241.225.190 REJECT
    167.206.112.6 REJECT
    96.57.243.42 REJECT
    207.157.105.74 REJECT
    41.222.193.35 REJECT
    203.39.191.100 REJECT
    216.201.209.161 REJECT
    80.232.169.191 REJECT
    202.22.159.237 REJECT
    84.238.0.4 REJECT
    
    ####################################################
    ###Whitelist
    ####################################################
    .myclient1.com OK
    .myclient2.com OK
    ...........
    .myclient3.com OK
    .gov OK
    .gov.lv OK
    
    #####################################################
    ### ALL Bad IP's from http://www.unixhub.com/block.html###
    #####################################################
    
    After updating these files I run postmap /etc/postfix/appropriate_map_file

    7) /etc/postfix/master.cf:
    Code:
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the Postfix master(5) manual page.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd
    #submission inet n      -       n       -       -       smtpd
    #	-o smtpd_etrn_restrictions=reject
    #	-o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
    #  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    # port 465 (smtps) is implicit TLS: without smtpd_tls_wrappermode=yes this
    # service speaks plaintext SMTP on 465
    smtps     inet  n       -       n       -       -       smtpd
          -o smtpd_tls_wrappermode=yes
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_reject_unlisted_sender=yes
          -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
          -o broken_sasl_auth_clients=yes
    #submission   inet    n       -       n       -       -       smtpd
    #  -o smtpd_etrn_restrictions=reject
    #  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
    #628      inet  n       -       n       -       -       qmqpd
    pickup    fifo  n       -       n       60      1       pickup
    cleanup   unix  n       -       n       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       n       1000?   1       tlsmgr
    rewrite   unix  -       -       n       -       -       trivial-rewrite
    bounce    unix  -       -       n       -       0       bounce
    defer     unix  -       -       n       -       0       bounce
    trace     unix  -       -       n       -       0       bounce
    verify    unix  -       -       n       -       1       verify
    flush     unix  n       -       n       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    smtp      unix  -       -       n       -       -       smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay     unix  -       -       n       -       -       smtp
    	-o fallback_relay=
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       n       -       -       showq
    error     unix  -       -       n       -       -       error
    discard   unix  -       -       n       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       n       -       -       lmtp
    anvil     unix  -       -       n       -       1       anvil
    #localhost:10025 inet	n	-	n	-	-	smtpd -o content_filter=
    scache	  unix	-	-	n	-	1	scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
    cyrus	  unix	-	n	n	-	-	pipe
      user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    uucp	  unix	-	n	n	-	-	pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
    procmail  unix  -       n       n       -       -       pipe
      flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
    retry     unix  -       -       n       -       -       error
    
    8) netstat -tap
    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
    tcp        0      0 *:imaps                 *:*                     LISTEN      3302/couriertcpd    
    tcp        0      0 *:pop3s                 *:*                     LISTEN      3334/couriertcpd    
    tcp        0      0 *:mysql                 *:*                     LISTEN      2361/mysqld         
    tcp        0      0 *:corba-iiop-ssl        *:*                     LISTEN      5647/rpc.rquotad    
    tcp        0      0 *:pop3                  *:*                     LISTEN      3317/couriertcpd    
    tcp        0      0 localhost.localdoma:783 *:*                     LISTEN      6329/spamd.pid      
    tcp        0      0 *:sunrpc                *:*                     LISTEN      3421/portmap        
    tcp        0      0 *:imap                  *:*                     LISTEN      3280/couriertcpd    
    tcp        0      0 *:www-http              *:*                     LISTEN      2953/httpd2-prefork 
    tcp        0      0 *:smtps                 *:*                     LISTEN      5314/master         
    tcp        0      0 *:hosts2-ns             *:*                     LISTEN      2889/ispconfig_http 
    tcp        0      0 *:ftp                   *:*                     LISTEN      5756/proftpd: (acce 
    tcp        0      0 myhost.mydomain.l:domain *:*                     LISTEN      5621/named          
    tcp        0      0 localhost.locald:domain *:*                     LISTEN      5621/named          
    tcp        0      0 *:ssh                   *:*                     LISTEN      3234/sshd           
    tcp        0      0 localhost.localdoma:953 *:*                     LISTEN      5621/named          
    tcp        0      0 *:smtp                  *:*                     LISTEN      5314/master         
    tcp        0      0 *:https                 *:*                     LISTEN      2953/httpd2-prefork 
    tcp        0      0 localhost.loc:lanserver *:*                     LISTEN      3429/famd           
    tcp        0      0 myhost.mydomain.lv:38451 mta-v9.mail.vip.mu:smtp ESTABLISHED 5266/smtp           
    tcp        0      0 myhost.mydomain.lv:33570 mfe1.sinos.net:smtp     ESTABLISHED 5332/smtp           
    tcp        0      0 myhost.mydomain.lv:57976 server4.camintel.c:smtp ESTABLISHED 3051/smtp           
    tcp        0      0 myhost.mydomain.lv:ftp   customer-2:compaq-https ESTABLISHED 5582/proftpd: mole  
    tcp        0      0 myhost.mydomain.lv:47469 fr-end-01.ipteleco:smtp ESTABLISHED 5336/smtp           
    tcp        0      0 myhost.mydomain.lv:54602 mta-v2.mail.vip.sp:smtp TIME_WAIT   -                   
    tcp        0      0 myhost.mydomain.lv:38921 de.mx.aol.com:smtp      TIME_WAIT   -                   
    tcp        0      0 myhost.mydomain.lv:37318 mx-ha01.web.de:smtp     TIME_WAIT   -                   
    tcp        0      0 myhost.mydomain.lv:41672 mxf2.rambler.ru:smtp    TIME_WAIT   -                   
    tcp        0      1 myhost.mydomain.lv:55333 211.76.133.78:smtp      FIN_WAIT1   -                   
    tcp        0      0 myhost.mydomain.lv:50394 server-0076f.dnspr:smtp ESTABLISHED 3033/smtp           
    tcp        0      1 myhost.mydomain.lv:50499 eowyn.portugalmail:smtp SYN_SENT    5481/smtp                          
    
    10) created post-rule-setup.sh script as described in http://www.howtoforge.com/forums/showthread.php?t=6393 and http://www.howtoforge.com/forums/showthread.php?t=36299 and here is the source
    Inserted almost ALL bad IPs
    Code:
    ##############################
    ##############################
    ##############################
    # For AUTH-SMTP###############
    ##############################
    iptables -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 465 -j ACCEPT
    
    ######################################################
    ###Blocking incoming for smtp port 25
    ######################################################
    ######################################################
    # My own blacklist of IPs
    ######################################################
    iptables -A INPUT -p tcp -s 158.26.80.149 --dport 25 -j REJECT
    iptables -A INPUT -p tcp -s 63.251.178.28 --dport 25 -j REJECT
    iptables -A INPUT -p tcp -s 216.52.192.104 --dport 25 -j REJECT
    iptables -A INPUT -p tcp -s 216.52.192.8 --dport 25 -j REJECT
    ...............
    # OUTPUT sees locally generated packets, whose source is this host; the remote
    # network has to be matched as the destination (-d), otherwise these rules never fire
    iptables -A OUTPUT -p tcp -d 204.126.12.0/23 --dport 21 -j REJECT
    iptables -A OUTPUT -p tcp -d 204.126.140.0/23 --dport 21 -j REJECT
    
    

    In the process of solving the problem I added almost all INPUT and OUTPUT IP addresses from this black IP list: http://blacklist.linuxadmin.org/

    But the problem is that after a system reboot iptables locks and does not start, so I manually have to delete /var/lock/bastille. After that I restart the FW, but all rules are gone...

    Everything was installed as described in http://www.howtoforge.com/perfect_server_opensuse10.3... For 1.5 years the mail server lived without big problems, but it all started last week... the deadline was last Thursday ;-(

    11) /var/log/messages:
    Code:
    Sep 28 12:28:28 myhost named[4739]: unexpected RCODE (REFUSED) resolving 'ondasnet.com.br/MX/IN': IP_
    Sep 28 12:28:28 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'inter.net.co/MX/IN': IP_#53
    Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
    Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
    Sep 28 12:28:29 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'colombianet.net/MX/IN': IP_#53
    Sep 28 12:28:29 myhost named[4739]: FORMERR resolving 'hotmail.com.pe/MX/IN': IP_#53
    Sep 28 12:28:30 myhost named[4739]: unexpected RCODE (SERVFAIL) resolving 'colombianet.net/MX/IN': IP_#53
    Sep 28 12:28:54 myhost named[4739]: lame server resolving 'ahcrucha.hurtad.plaza.cl' (in 'plaza.cl'?): IP_#53
    Sep 28 12:28:54 myhost named[4739]: lame server resolving 'ajahuel.paine.plaza.cl' (in 'plaza.cl'?): IP_#53
    Sep 28 12:28:54 myhost named[4739]: lame server resolving 'andbello.florid.plaza.cl' (in 'plaza.cl'?): IP_#53
    Sep 28 12:28:54 myhost named[4739]: lame server resolving 'anglica.plaza.cl' (in 'plaza.cl'?): IP_#53
    
    12) /var/log/mail.err:
    Code:
    Sep 28 11:45:19 myhost postfix/bounce[9990]: fatal: lock file defer 42F952F96E8: Resource temporarily unavailable
    Sep 28 11:46:05 myhost postfix/bounce[11012]: fatal: lock file defer 41C74EE2F14: Resource temporarily unavailable
    Sep 28 11:46:14 myhost postfix/bounce[11003]: fatal: lock file defer E25FD77AA7E: Resource temporarily unavailable
    Sep 28 11:46:58 myhost postfix/bounce[9942]: fatal: lock file defer 176FF519632: Resource temporarily unavailable
    Sep 28 21:09:21 myhost postfix/master[5313]: fatal: open lock file pid/master.pid: unable to set exclusive lock: Resource temporarily unavailable
    
    13) I have no DNS server on my server; DNS entries are managed by my data center ISP...

    14) I have fail2ban and DenyHosts installed and configured.

    15) Also, the system is checked using rkhunter-1.3.4 and chkrootkit...

    I have approx. 10 clients with approx. 30 e-mail accounts. But my /var/spool/postfix/incoming folder contains >160 000 entries (messages), and the /var/spool/postfix/active folder contains its maximum, 20 000 entries...

    I can delete all records from these folders, but they are back after a few seconds.
    There are messages with "Australian National Lotteries", "Nigeria e-mails", spam mails to a big number of AOL and Yahoo users (existing and non-existing) etc...

    Today, after some searches on Google, I set up SASL authentication on the SMTP server, so without authorizing and checking the TLS box e-mails cannot be sent! But this also does not solve the problem!

    I don't know what else you need to know to help me...?

    Is there any chance to beat the spammers and get my normal mail server process back? :(
     
    Last edited: Sep 29, 2009
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Hi,

    The changes you made do not hurt, but they will not solve your problem. If your server sends out spam and was configured properly before, there are 3 possible reasons:

    1) Your server configuration changed and it is now an open relay. You can easily test this here:

    http://www.mxtoolbox.com/blacklists.aspx

    2) One of your SMTP / POP3 accounts is misused for sending spam, e.g. because someone got a password or cracked the password of one of your users. To find this out, you have to read your mail log and check whether a user that sends out spam authenticates itself first.

    3) The most common reason is not even related to your postfix setup. You might have a vulnerable contact form or cms system in one of the websites on your server that is misused to send spam. To find out which of the webs is causing this, you can use this logging setup:

    http://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam
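One way to do the log check described in 2) above, and to catch 3) in the same pass (mail injected by a web script through sendmail shows up as a pickup record carrying the web server's uid rather than an smtpd record), as an added example that is not part of the thread and not code from Postfix or ISPConfig: a Python script that joins the Postfix smtpd/pickup line of each queue ID with the qmgr line that carries its recipient count, then tallies messages, recipients and distinct client IPs per origin. The log lines embedded in it are constructed for the example; the regexes assume the standard Postfix 2.x log format shown in the docstring.

```python
"""Where does the outbound mail come from?  Joins Postfix mail.log lines per
queue ID so each accepted message is attributed to a SASL login, to an
unauthenticated SMTP client, or to a local submission (pickup, e.g. a web
script calling sendmail), together with its recipient count.

Added example for this thread, not code from the thread or from Postfix.
Assumes the standard Postfix 2.x log lines:
  smtpd : "<qid>: client=host[ip], sasl_method=LOGIN, sasl_username=user"
  pickup: "<qid>: uid=33 from=<www-data>"
  qmgr  : "<qid>: from=<...>, size=N, nrcpt=N (queue active)"
"""
import re
import sys
from collections import defaultdict

SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>[^,\s]+))?")
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<")
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)")

# Constructed sample log (not taken from the thread's server).
SAMPLE_LOG = """\
Sep 28 12:28:01 myhost postfix/smtpd[9901]: 1A2B3C4D5E: client=ml82.128.19.157.multilinks.com[82.128.19.157], sasl_method=LOGIN, sasl_username=info
Sep 28 12:28:02 myhost postfix/qmgr[5320]: 1A2B3C4D5E: from=<info@example.lv>, size=4946, nrcpt=48 (queue active)
Sep 28 12:29:10 myhost postfix/smtpd[9902]: 2B3C4D5E6F: client=unknown[41.222.193.35], sasl_method=LOGIN, sasl_username=info
Sep 28 12:29:11 myhost postfix/qmgr[5320]: 2B3C4D5E6F: from=<info@example.lv>, size=5010, nrcpt=35 (queue active)
Sep 28 12:30:00 myhost postfix/smtpd[9903]: 3C4D5E6F70: client=mx1.example.net[203.0.113.25]
Sep 28 12:30:01 myhost postfix/qmgr[5320]: 3C4D5E6F70: from=<news@example.net>, size=1200, nrcpt=1 (queue active)
Sep 28 12:31:00 myhost postfix/pickup[5318]: 4D5E6F7081: uid=33 from=<www-data>
Sep 28 12:31:01 myhost postfix/qmgr[5320]: 4D5E6F7081: from=<www-data@myhost.example.lv>, size=800, nrcpt=1 (queue active)
"""


def attribute(lines):
    """Return ({qid: (kind, key, client_ip)}, {qid: nrcpt}) from log lines."""
    origin, nrcpt = {}, {}
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            qid, ip = m.group("qid"), m.group("ip")
            if m.group("user"):
                origin[qid] = ("sasl", m.group("user"), ip)   # authenticated submission
            else:
                origin[qid] = ("smtp", ip, ip)                # unauthenticated client
            continue
        m = PICKUP_RE.search(line)
        if m:
            origin[m.group("qid")] = ("pickup", "uid=" + m.group("uid"), "local")
            continue
        m = QMGR_RE.search(line)
        if m:
            nrcpt[m.group("qid")] = int(m.group("n"))
    return origin, nrcpt


def summarize(lines):
    """Per origin: message count, total recipients and the set of client IPs."""
    origin, nrcpt = attribute(lines)
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "clients": set()})
    for qid, (kind, key, client) in origin.items():
        s = stats[(kind, key)]
        s["messages"] += 1
        s["recipients"] += nrcpt.get(qid, 0)
        s["clients"].add(client)
    return dict(stats)


def ranked(stats):
    """Busiest origin first.  One SASL login submitting big recipient lists from
    several unrelated client IPs is the signature of a stolen password."""
    return sorted(stats.items(), key=lambda kv: (-kv[1]["recipients"], kv[0]))


if __name__ == "__main__":
    # usage: python3 mail_origin.py /var/log/mail.log   (or pipe the log on stdin)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    for (kind, key), s in ranked(summarize(src)):
        print(f"{s['recipients']:7d} rcpts {s['messages']:6d} msgs  {kind}:{key}"
              f"  via {len(s['clients'])} client(s)")
```

Run it over one day's log rather than months of rotated logs: Postfix queue IDs can be reused over time, and a qmgr line whose smtpd/pickup record landed in an earlier rotated file is simply dropped. Rejected connections (NOQUEUE) never get a client= record and do not count, which is right for this question: only accepted mail can be what the blacklists are seeing.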
     
  3. Mole

    Mole New Member

    1) No, my server is not an open relay... I tested it on many web pages (for example: http://www.abuse.net/relay.html) and with scripts. This is not the cause.
    2) In the log file there is no info about users who sent e-mail. The log files look as I posted them in the root post.
    3) I used this link and created logging for web forms... Only 1 client has a mail form in his web application and it is secured by a security code... and I think this is not the cause.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Your first post does not contain the mail log, you just posted errors and warnings. Please take a look at your mail log file and check what I explained in 2).

    Also check your server with rkhunter to ensure that it did not get hacked.

    http://www.rootkit.nl/projects/rootkit_hunter.html
     
  5. Mole

    Mole New Member

    OK, I'll check mail log.

    As I wrote in root post:
    15) Also system is checked using rkhunter-1.3.4 and chkrootkit, nothing bad found...
     
  6. Mole

    Mole New Member

    I checked the logs - there is no info that some clientusername@clientdomain sent spam...

    Any more ideas?

    I'm working with google and other sources to "upgrade" my Bastille-firewall...
     
  7. xenlab

    xenlab New Member HowtoForge Supporter

    SPF Record

    Do you have an SPF record for that domain in your DNS zone? More than likely it's not originating from your server, but possibly they are able to forge your domain from their own e-mail server. Adding an SPF record will have most receiving e-mail systems deny the e-mail as spam with no penalty to you.
     
  8. MxToolBox

    MxToolBox New Member

    Our guess from the information here is that most likely you have had a client's account compromised by a weak password. The other possibility is some type of web application or similar which generates email for you, which may have been compromised.

    The first thing we would recommend doing is to take a look into the mail queues and try to look at an individual message to determine where it has come from since you have had no luck with your logs. If you can't do that, then you are going to have to increase logging to see where these messages are coming from.

    We also would recommend making sure that you have a password policy for your clients such as minimum lengths including non-alpha characters. Depending on how difficult it would be to change your user's passwords you might just try that to start with. Lastly, you will need to delete the mail queues or you will just get listed again.

    @MxToolBox
     
  9. Mole

    Mole New Member

    Hello again!

    Thanks for previous answers and suggestions....

    I'm still trying to kill spam on my server... In recent weeks there have been 4000-10000 files in my postfix active directory... My server is busy, and http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist also gives a bad result (5-6 blacklists) ;-(

    I reinstalled the server; now I'm using Ubuntu Server 9.10 and the latest ISPConfig...

    Code:
    /etc/postfix/main.cf:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    myhostname = hostname.domain.lv
    #alias_maps = hash:/etc/aliases
    #alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    relayhost = 
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    message_size_limit = 20971520
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain = 
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
    ########
    ### MAPS:
    ########
    virtual_maps = hash:/etc/postfix/virtusertable
    mydestination = /etc/postfix/local-host-names
    relay_recipient_maps = hash:/etc/postfix/relay_recipients
    header_checks = pcre:/etc/postfix/header_checks.pcre
    body_checks = pcre:/etc/postfix/body_checks.pcre
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    
    ########
    ### My manual entries
    ########
    disable_vrfy_command = yes
    smtpd_helo_required = yes
    strict_rfc821_envelopes = yes
    smtpd_delay_reject = yes
    smtpd_reject_unlisted_recipient = yes
    
    ########
    #Error codes
    ########
    unknown_address_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_client_reject_code = 554
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    
    smtpd_restriction_classes = verify_sender, from_freemail_host
    
    from_freemail_host = check_client_access hash:/etc/postfix/freemail_hosts,reject
    
    verify_sender = reject_unverified_sender
    
    
    smtpd_client_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            check_client_access hash:/etc/postfix/client_checks,
            reject_unknown_reverse_client_hostname
    
    smtpd_helo_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_invalid_hostname,
            reject_unknown_helo_hostname,
            check_helo_access hash:/etc/postfix/helo_checks,
            regexp:/etc/postfix/helo.regexp
    
    smtpd_sender_restrictions =
            reject_unknown_sender_domain,
            reject_non_fqdn_sender,
            permit_sasl_authenticated,
            permit_mynetworks,
            check_sender_access hash:/etc/postfix/sender_access,
            check_sender_access hash:/etc/postfix/freemail_access,
            reject_unauth_destination
    
    smtpd_recipient_restrictions =
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
            reject_invalid_hostname,
            reject_unauth_pipelining,
            reject_unknown_recipient_domain,
            reject_non_fqdn_recipient,
            check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
            check_policy_service inet:127.0.0.1:6000,
            check_sender_access hash:/etc/postfix/verify_sender.map,
            reject_non_fqdn_hostname,
            reject_invalid_hostname,
            reject_unverified_recipient,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client sbl.spamhaus.org,
            reject_rbl_client pbl.spamhaus.org,
            reject_rbl_client multi.uribl.com,
            reject_rbl_client dsn.rfc-ignorant.org,
            reject_rbl_client bogusmx.rfc-ignorant.org,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client zen.spamhaus.org,
            reject_rbl_client dnsbl-1.uceprotect.net,
            permit
    
    I told customers to change their passwords to "Strong_passwords"...

    Testing with http://verify.abuse.net/cgi-bin/relaytest for open relay: my server is not an open relay...

    I do not manage DNS records on my server; DNS records, if the customer likes, are managed outside my server.

    The server is checked with: lynis, chkrootkit, rkhunter.

    The server is also configured with SpamAssassin, Postgrey, ClamAV, MailScanner (for graphical reports), munin, monit and Cacti.

    It seems that someone is sending spam "from" my server despite the fact that the server is not an open relay, and "non-existing" receivers send back e-mails saying that the e-mail could not be delivered...

    Any more ideas what else could be the problem? ;-O

    EDITED:
    Such "mails" are in my postfix active directory:
    Code:
    CO 3600 4946 48 0 2972
    T1270261376 [sender record; obfuscated as "[email protected]" in the scrape]
    Acreate_time=1270261377
    Arewrite_context=remote
    Asasl_method=LOGIN
    Asasl_username=info
    Alog_client_name=ml82.128.19.157.multilinks.com
    Alog_client_address=82.128.19.157
    Alog_client_port=4624
    Alog_message_origin=ml82.128.19.157.multilinks.com[82.128.19.157]
    Alog_helo_name=User
    Alog_protocol_name=ESMTP
    Aclient_name=ml82.128.19.157.multilinks.com
    Areverse_client_name=ml82.128.19.157.multilinks.com
    Aclient_address=82.128.19.157
    Aclient_port=4624
    Ahelo_name=User
    Aprotocol_name=ESMTP
    Aclient_address_type=2
    [several dozen recipient groups follow, each Adsn_orig_rcpt=rfc822;<address> / O<address> / D<address>; the scrape replaced the addresses with "[email protected]" and only the last group is legible]
    Adsn_orig_rcpt=rfc822;byronnursingadmin@gmail.com
    Obyronnursingadmin@gmail.com
    Dbyronnursingadmin@gmail.com
    M
    
    Interestingly, this "client" IP is blocked with iptables:
    Code:
    iptables -A INPUT -s 82.128.18.0/23 -j DROP
    iptables -A OUTPUT -d 82.128.18.0/23 -j DROP
    iptables -A INPUT -s 82.128.83.46 -j DROP
    iptables -A OUTPUT -d 82.128.83.46 -j DROP
    iptables -A INPUT -s 82.128.83.49 -j DROP
    iptables -A OUTPUT -d 82.128.83.49 -j DROP
    iptables -A INPUT -s 82.128.20.59 -j DROP
    iptables -A OUTPUT -d 82.128.20.59 -j DROP
    
    This IP is also blocked using /etc/postfix/client_access:
    Code:
    #Always allow my host
    MY-IP OK
    
    #Whitelist
    GOOD-IP OK
    
    # Using a domain name
    
    #Block concrete IP addresses (REJECT, not DROP: DROP is not an access(5) action)
    196.46.245.21 REJECT
    41.28.220.193 REJECT
    41.211.228.122 REJECT
    41.211.228.232 REJECT
    41.211.238.145 REJECT
    82.128.83.46 REJECT
    82.128.83.49 REJECT
    82.128.18.0/23 REJECT
    82.128.20.59 REJECT
    
    Here is the mail.warn log:
    Code:
    Apr  7 15:22:46 ardweb01 postfix/smtp[15468]: warning: numeric domain name in resource data of MX record for hostelturf.com: 67.102.46.122
    Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: mail for gmail.com is using up 4146 of 5229 active queue entries
    Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: this may slow down other mail deliveries
    Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: you may need to increase the main.cf smtp_destination_concurrency_limit from 20
    Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: please avoid flushing the whole queue when you have
    Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: lots of deferred mail, that is bad for performance
    Apr  7 15:23:01 ardweb01 postfix/qmgr[15293]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0
    Apr  7 15:23:19 ardweb01 postfix/smtp[18721]: warning: no MX host for gmaul.com has a valid address record
    Apr  7 15:24:31 ardweb01 postfix/smtp[19229]: warning: no MX host for rigbyco.com has a valid address record
    Apr  7 15:27:37 ardweb01 postfix/smtp[18709]: warning: no MX host for jpost.co.il has a valid address record
    Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: mail for gmail.com is using up 4059 of 4656 active queue entries
    Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: this may slow down other mail deliveries
    Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: you may need to increase the main.cf smtp_destination_concurrency_limit from 20
    Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: please avoid flushing the whole queue when you have
    Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: lots of deferred mail, that is bad for performance
    Apr  7 15:28:01 ardweb01 postfix/qmgr[15293]: warning: to turn off these warnings specify: qmgr_clog_warn_time = 0
    Apr  7 15:29:14 ardweb01 postfix/smtp[20368]: warning: numeric domain name in resource data of MX record for mail.intellect.com.tw: 211.75.226.154
    Apr  7 15:30:21 ardweb01 postfix/smtp[20397]: warning: numeric domain name in resource data of MX record for chinawangtai.com: 203.88.192.62
    Apr  7 15:30:42 ardweb01 postfix/smtp[15526]: warning: numeric domain name in resource data of MX record for aurora.il.us: 64.195.1.137
    Apr  7 15:32:46 ardweb01 postfix/smtp[20285]: warning: tls_text_name: mail.loversline.de[194.187.140.2]:25: peer certificate has no issuer Organization
    Apr  7 15:32:46 ardweb01 postfix/smtp[20285]: warning: tls_text_name: mail.loversline.de[194.187.140.2]:25: peer certificate has no subject CN
    Apr  7 15:34:16 ardweb01 postfix/smtp[19160]: warning: no MX host for gmaii.com has a valid address record
    Apr  7 15:35:46 ardweb01 postfix/smtpd[20986]: warning: 83.150.207.253: hostname 253-207-150-83.customers.iber-x.net verification failed: Name or service not known
    Apr  7 15:48:19 ardweb01 postfix/smtp[22044]: warning: numeric domain name in resource data of MX record for sur-design.com: 66.92.134.116
    Apr  7 15:48:44 ardweb01 postfix/smtp[22105]: warning: no MX host for aol.cm has a valid address record
    Apr  7 15:49:22 ardweb01 postfix/smtp[22045]: warning: no MX host for dma.mil has a valid address record
    Apr  7 15:49:25 ardweb01 postfix/smtpd[22138]: warning: 78.155.47.46: hostname adsl-new47-l47.crnagora.net verification failed: Name or service not known
    Apr  7 15:49:35 ardweb01 postfix/smtp[22029]: warning: numeric domain name in resource data of MX record for greenmatrix.net: 204.247.178.85
    Apr  7 15:49:58 ardweb01 postfix/smtp[22064]: warning: no MX host for dma.mil has a valid address record
    Apr  7 15:53:03 ardweb01 postfix/smtp[22498]: warning: numeric domain name in resource data of MX record for kflc.ac.kr: 218.149.189.119
    Apr  7 15:53:10 ardweb01 postfix/smtp[22496]: warning: numeric domain name in resource data of MX record for audiointercomservices.com: 69.22.252.49
    Apr  7 15:53:19 ardweb01 postfix/smtp[22046]: warning: no MX host for futurephoto.com has a valid address record
    Apr  7 15:54:38 ardweb01 postfix/smtp[22506]: warning: numeric domain name in resource data of MX record for kflc.ac.kr: 218.149.189.119
    Apr  7 15:54:54 ardweb01 postfix/smtp[22020]: warning: numeric domain name in resource data of MX record for pyramidcoach.com: 68.74.53.33
    Apr  7 15:55:10 ardweb01 postgrey[3073]: whitelisted: mailfe02.swip.net[212.247.154.33]
    Apr  7 15:55:21 ardweb01 postfix/smtp[22469]: warning: tls_text_name: starburstcom.com[62.241.60.2]:25: peer certificate has no issuer Organization
    Apr  7 15:55:21 ardweb01 postfix/smtp[22469]: warning: tls_text_name: starburstcom.com[62.241.60.2]:25: peer certificate has no subject CN
    Apr  7 15:55:21 ardweb01 postfix/smtp[22518]: warning: no MX host for uoguelph.ca has a valid address record
    Apr  7 15:55:41 ardweb01 postfix/smtp[22517]: warning: no MX host for cirpack.fr has a valid address record
    Apr  7 15:55:57 ardweb01 postfix/smtp[22498]: warning: no MX host for uoguelph.ca has a valid address record
    Apr  7 15:56:54 ardweb01 postgrey[3073]: whitelisted: mailfe06.swip.net[212.247.154.161]
    Apr  7 15:58:02 ardweb01 postfix/smtp[22505]: warning: numeric domain name in resource data of MX record for mail.ctin.ac.cn: 218.70.66.117
    Apr  7 15:58:08 ardweb01 postfix/smtp[22529]: warning: no MX host for futurephoto.com has a valid address record
    Apr  7 16:00:12 ardweb01 postfix/smtp[22064]: warning: numeric domain name in resource data of MX record for sgrow.com: 64.22.126.33
    Apr  7 16:00:23 ardweb01 postfix/smtp[22468]: warning: no MX host for uoguelph.ca has a valid address record
    Apr  7 16:03:11 ardweb01 postfix/smtp[22445]: warning: no MX host for ragingbull.com has a valid address record
    Apr  7 16:05:28 ardweb01 postfix/smtp[22532]: warning: numeric domain name in resource data of MX record for unidocsys.com: 131.210.4.32
    Apr  7 16:05:28 ardweb01 postfix/smtp[22494]: warning: numeric domain name in resource data of MX record for xteamlinux.com.cn: 211.153.184.18
    Apr  7 16:05:30 ardweb01 postfix/smtp[22064]: warning: no MX host for aol.cm has a valid address record
    Apr  7 16:08:04 ardweb01 postfix/smtp[22445]: warning: no MX host for uoguelph.ca has a valid address record
    Apr  7 16:08:34 ardweb01 postfix/smtp[22531]: warning: numeric domain name in resource data of MX record for 168market.com: 209.164.15.45
    Apr  7 16:08:35 ardweb01 postfix/smtp[22505]: warning: numeric domain name in resource data of MX record for cubexs.net.pk: 202.63.215.14
    Apr  7 16:09:52 ardweb01 postfix/smtp[21664]: warning: no MX host for dma.mil has a valid address record
    Apr  7 16:10:18 ardweb01 postfix/smtp[22053]: warning: no MX host for uoguelph.ca has a valid address record
    Apr  7 16:10:56 ardweb01 postfix/smtp[22019]: warning: numeric domain name in resource data of MX record for laitai.com: 211.157.1.130
    Apr  7 16:11:08 ardweb01 postfix/smtp[22525]: warning: numeric domain name in resource data of MX record for mm459.com: 207.111.216.142
    Apr  7 16:11:08 ardweb01 postfix/smtp[22525]: warning: numeric domain name in resource data of MX record for mm459.com: 207.111.216.142
    Apr  7 16:11:52 ardweb01 postfix/smtp[22498]: warning: no MX host for futurephoto.com has a valid address record
    Apr  7 16:12:05 ardweb01 postfix/smtp[22060]: warning: no MX host for dma.mil has a valid address record
    Apr  7 16:12:17 ardweb01 postfix/smtpd[25558]: warning: 78.155.37.159: hostname adsl-new37-l160.crnagora.net verification failed: Name or service not known
    
    mail.log:
    Code:
    Apr  7 16:34:19 mydomain postfix/error[27490]: E68C346EDF: to=<jls321@cox.net>, relay=none, delay=383814, delays=383296/517/0/0.66, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
    Apr  7 16:34:19 mydomain postfix/error[27384]: 0BDC744F6D: to=<eclark_wworks@yahoo.com>, relay=none, delay=126914, delays=126389/523/0/1.8, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    Apr  7 16:34:19 mydomain postfix/smtp[25996]: AA3A942DEF: host idcmail-mx2no.cg.shawcable.net[64.59.134.8] refused to talk to me: 554-idcmail.shaw.ca 554 Your connection from [MY_IP] has been rejected due to poor reputation.
    Apr  7 16:34:19 mydomain postfix/error[27440]: 0C2E045D93: to=<ditongaje@yahoo.com>, relay=none, delay=385201, delays=384676/524/0/0.38, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    Apr  7 16:34:19 mydomain postfix/smtp[26048]: A995646DFD: host smtp.secureserver.net[216.69.186.201] refused to talk to me: 554-m1pismtp01-022.prod.mesa1.secureserver.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
    Apr  7 16:34:19 mydomain postfix/smtp[26081]: connect to maninet.com[82.98.86.167]:25: Connection timed out
    Apr  7 16:34:19 mydomain postfix/smtp[26058]: A995646DFD: host hrndva-smtpin01.mail.rr.com[71.74.56.243] refused to talk to me: 554 5.7.1 - ERROR: Mail refused - <[MY_IP]> - See http://security.rr.com/cgi-bin/block-lookup?[MY_IP]
    Apr  7 16:34:19 mydomain postfix/error[27493]: 6324F44DB6: to=<jtepper@cox.net>, relay=none, delay=383710, delays=383461/248/0/0.52, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
    Apr  7 16:34:19 mydomain postfix/error[27449]: 139F043032: to=<waltkuper@cox.net>, relay=none, delay=131452, delays=130934/517/0/0.93, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
    Apr  7 16:34:19 mydomain postfix/error[27424]: A3CEF41BD3: to=<ghulb001@cox.net>, relay=none, delay=384481, delays=384233/247/0/0.48, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
    Apr  7 16:34:19 mydomain postfix/error[27421]: 087C5468EB: to=<dollarselloff@yahoo.com>, relay=none, delay=425667, delays=425142/524/0/0.74, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    Apr  7 16:34:19 mydomain postfix/error[27459]: AB1D646B4B: to=<jimfus@cox.net>, relay=none, delay=423642, delays=423395/247/0/0.46, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.east.cox.net[68.1.17.3] refused to talk to me: 554 eastrmimpi05.cox.net IMP [MY_IP] blocked.  Error Code: IPBL0100 - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.)
    Apr  7 16:34:19 mydomain postfix/error[27381]: 3D5C642037: to=<zenithhuizar@yahoo.com>, relay=none, delay=131137, delays=130606/528/0/3.4, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    Apr  7 16:34:19 mydomain postfix/error[27489]: 91A1A456FA: to=<coreydunson@yahoo.com>, relay=none, delay=385572, delays=385049/523/0/0.42, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from [MY_IP] temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    
     
    Last edited: Apr 7, 2010
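The queue file above records sasl_method=LOGIN and sasl_username=info from the "blocked" client, which points at a stolen mailbox password rather than an open relay; and because smtpd_client_restrictions in the main.cf above lists permit_sasl_authenticated before check_client_access, Postfix accepts an authenticated session before it ever consults that access map. Below is an added example (not code from the thread, Postfix or ISPConfig) that finds such accounts in postfix/smtpd log lines by counting submissions per sasl_username and the distinct client IPs each one used. The sample log lines, queue ids, the 198.51.100.7 and 192.0.2.10 clients, the sasl_sender and user "jana" are constructed; the "info" user and the 82.128.19.157 client are taken from the post.

```python
"""Flag SASL accounts that are pushing bulk mail through Postfix.

Added example for this thread (not Postfix or ISPConfig code). It parses the
postfix/smtpd "client=..., sasl_method=..., sasl_username=..." line that
Postfix logs for every authenticated submission.
"""
import re
import sys
from collections import defaultdict

SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>\w+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^\s,]+), sasl_username=(?P<user>[^\s,]+)"
)

# Constructed sample log. The "info" user and client 82.128.19.157 come from
# the queue file in the post; queue ids, 198.51.100.7, 192.0.2.10, "jana" and
# the sasl_sender are made up. The last line is a non-smtpd line to be ignored.
SAMPLE_LOG = """\
Apr  7 15:20:01 ardweb01 postfix/smtpd[20100]: 1A2B3C4D5E: client=ml82.128.19.157.multilinks.com[82.128.19.157], sasl_method=LOGIN, sasl_username=info
Apr  7 15:20:02 ardweb01 postfix/smtpd[20100]: 1A2B3C4D5F: client=ml82.128.19.157.multilinks.com[82.128.19.157], sasl_method=LOGIN, sasl_username=info
Apr  7 15:20:09 ardweb01 postfix/smtpd[20111]: 1A2B3C4D60: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=info, sasl_sender=<info@example.com>
Apr  7 15:21:30 ardweb01 postfix/smtpd[20120]: 1A2B3C4D61: client=office.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=jana
Apr  7 15:22:46 ardweb01 postfix/smtp[15468]: warning: numeric domain name in resource data of MX record for hostelturf.com: 67.102.46.122
"""


def parse_sasl_events(log_text):
    """One dict per authenticated submission; non-matching lines are skipped."""
    return [m.groupdict() for m in map(SASL_RE.match, log_text.splitlines()) if m]


def summarize_by_user(events):
    """Per sasl_username: message count and the set of client IPs it came from."""
    summary = defaultdict(lambda: {"messages": 0, "client_ips": set()})
    for ev in events:
        summary[ev["user"]]["messages"] += 1
        summary[ev["user"]]["client_ips"].add(ev["ip"])
    return dict(summary)


def suspicious_accounts(summary, max_messages=200, max_ips=3):
    """Accounts above the volume threshold, or used from more distinct client
    IPs than a real mailbox owner plausibly has. Thresholds are assumptions."""
    return sorted(u for u, s in summary.items()
                  if s["messages"] > max_messages or len(s["client_ips"]) > max_ips)


def report(log_text, **thresholds):
    """Parse, summarize and flag in one call; returns (summary, flagged users)."""
    summary = summarize_by_user(parse_sasl_events(log_text))
    return summary, suspicious_accounts(summary, **thresholds)


if __name__ == "__main__":
    # Usage: python sasl_report.py /var/log/mail.log  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary, flagged = report(text, max_messages=2, max_ips=1)
    for user, s in sorted(summary.items()):
        print(f"{user:<16} messages={s['messages']:<5} ips={sorted(s['client_ips'])}")
    print("suspicious:", ", ".join(flagged) or "none")
```

On a real server the input is the syslog file that receives postfix/smtpd lines (mail.log on this setup); the thresholds passed in `__main__` are deliberately low so the small sample trips them.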
  10. falko

    falko Super Moderator ISPConfig Developer

  11. Mole

    Mole New Member

    Thanks Falko, but now I already have this "hole" for logging (I also added the feature that IP addresses are logged too) and there are no "spammers" from here... ;-(

    It is somewhere else, but I really do not have any ideas - where? ;-OOO
     
  12. dayjahone

    dayjahone Member

    I am having a similar problem. All of the email seems to be coming from admispconfig@server.mydomain.com. Does this mean someone has found a hole in ispconfig?
     
  13. falko

    falko Super Moderator ISPConfig Developer

    This doesn't mean there's a hole in ISPConfig, as you can set any email address you like when you send a mail, even something like president@whitehouse.gov... Of course, spammers can do the same.
     
