Postfix and spammer

Discussion in 'Installation/Configuration' started by delfo2000, Nov 23, 2015.

  1. delfo2000

    delfo2000 Member

    Dear,
    I'm using the ISPConfig 3 perfect server (Apache2, PHP, MySQL, PureFTPD, BIND, Dovecot). I have a problem with my e-mail server and I can't understand if the problem is my DNS configuration or my Postfix configuration.
    I attached the mail log:

    Code:
    Nov 23 14:19:43 dns2 postfix/qmgr[2299]: 7659D20431: from=<[email protected]>, size=1215, nrcpt=1 (queue active)
    Nov 23 14:19:43 dns2 amavis[19160]: (19160-19) Passed CLEAN {RelayedOpenRelay}, [200.161.84.176]:4492 [200.161.84.176] <[email protected]> -> <[email protected]>, Queue-ID: 9CC822042B, Message-ID: <[email protected]>, mail_id: gfTcC2v9tuQe, Hits: -0.999, size: 755, queued_as: 7659D20431, 675 ms
    Nov 23 14:19:43 dns2 postfix/smtp[21221]: 9CC822042B: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.9, delays=3.2/0/0/0.68, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7659D20431)
    Nov 23 14:19:43 dns2 postfix/qmgr[2299]: 9CC822042B: removed
    Nov 23 14:19:43 dns2 postfix/qmgr[2299]: 58EC820432: removed
    Nov 23 14:19:44 dns2 postfix/smtp[21226]: 7659D20431: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=0.88, delays=0.01/0/0.45/0.41, dsn=2.0.0, status=sent (250 ok dirdel)
    Nov 23 14:19:44 dns2 postfix/qmgr[2299]: 7659D20431: removed
    Nov 23 14:19:44 dns2 postfix/smtpd[21191]: BAF632042B: client=200-161-84-176.dsl.telesp.net.br[200.161.84.176], sasl_method=PLAIN, [email protected]
    Nov 23 14:19:45 dns2 postfix/smtp[21207]: 903F020430: to=<[email protected]>, relay=maggotts.co.uk[91.146.107.251]:25, delay=41, delays=0.01/0/21/20, dsn=2.0.0, status=sent (250 OK id=1a0r1z-0007Fb-Ld)
    Nov 23 14:19:45 dns2 postfix/qmgr[2299]: 903F020430: removed
    Nov 23 14:19:46 dns2 postfix/cleanup[21202]: BAF632042B: message-id=<[email protected]>
    Nov 23 14:19:46 dns2 postfix/qmgr[2299]: BAF632042B: from=<[email protected]>, size=767, nrcpt=1 (queue active)
    Nov 23 14:19:47 dns2 postfix/smtpd[21232]: connect from localhost[127.0.0.1]
    Nov 23 14:19:47 dns2 postfix/smtpd[21232]: 0C10D20430: client=localhost[127.0.0.1]
    Nov 23 14:19:47 dns2 postfix/cleanup[21234]: 0C10D20430: message-id=<[email protected]>
    Nov 23 14:19:47 dns2 postfix/smtpd[21232]: disconnect from localhost[127.0.0.1]
    Nov 23 14:19:47 dns2 postfix/qmgr[2299]: 0C10D20430: from=<[email protected]>, size=1231, nrcpt=1 (queue active)
    Nov 23 14:19:47 dns2 amavis[19158]: (19158-18) Passed CLEAN {RelayedOpenRelay}, [200.161.84.176]:4492 [200.161.84.176] <[email protected]> -> <[email protected]>, Queue-ID: BAF632042B, Message-ID: <[email protected]>, mail_id: s44PTGNmtaO1, Hits: -0.999, size: 767, queued_as: 0C10D20430, 558 ms
    Nov 23 14:19:47 dns2 postfix/smtp[21203]: BAF632042B: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.3, delays=2.7/0/0/0.56, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0C10D20430)
    Nov 23 14:19:47 dns2 postfix/qmgr[2299]: BAF632042B: removed
    Nov 23 14:19:47 dns2 postfix/smtpd[21191]: F35422042B: client=200-161-84-176.dsl.telesp.net.br[200.161.84.176], sasl_method=PLAIN, [email protected]
    Nov 23 14:19:51 dns2 postfix/cleanup[21202]: F35422042B: message-id=<[email protected]>
    Nov 23 14:19:51 dns2 postfix/qmgr[2299]: F35422042B: from=<[email protected]>, size=732, nrcpt=1 (queue active)
    Nov 23 14:19:52 dns2 postfix/smtpd[21191]: 9267820431: client=200-161-84-176.dsl.telesp.net.br[200.161.84.176], sasl_method=PLAIN, [email protected]
    Nov 23 14:19:53 dns2 postfix/smtp[21224]: 0C10D20430: to=<[email protected]>, relay=maila.correonegocios.com[200.57.129.65]:25, delay=6, delays=0.01/0/4.4/1.5, dsn=2.0.0, status=sent (250 ok: Message 644978315 accepted)
    Nov 23 14:19:53 dns2 postfix/qmgr[2299]: 0C10D20430: removed
    Nov 23 14:19:53 dns2 postfix/smtpd[21206]: 0EDF220430: client=localhost[127.0.0.1]
    Nov 23 14:19:53 dns2 postfix/cleanup[21202]: 0EDF220430: message-id=<[email protected]>
    Nov 23 14:19:53 dns2 postfix/qmgr[2299]: 0EDF220430: from=<[email protected]>, size=1186, nrcpt=1 (queue active)
    Nov 23 14:19:53 dns2 amavis[19160]: (19160-20) Passed CLEAN {RelayedOpenRelay}, [200.161.84.176]:4492 [200.161.84.176] <[email protected]> -> <[email protected]>, Queue-ID: F35422042B, Message-ID: <[email protected]>, mail_id: nRcWuMynngKv, Hits: -0.999, size: 732, queued_as: 0EDF220430, 1902 ms
    Nov 23 14:19:53 dns2 postfix/smtp[21221]: F35422042B: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.5, delays=3.6/0/0.01/1.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0EDF220430)
    Nov 23 14:19:53 dns2 postfix/qmgr[2299]: F35422042B: removed
    Nov 23 14:19:53 dns2 postfix/smtpd[21206]: disconnect from localhost[127.0.0.1]
    Nov 23 14:19:54 dns2 postfix/smtp[21223]: 0EDF220430: host cpe.durham.gov.uk[217.23.233.70] said: 451 4.7.1 Greylisting in action, please come back later (in reply to RCPT TO command)
    Nov 23 14:19:54 dns2 postfix/smtp[21223]: 0EDF220430: to=<[email protected]>, relay=mailhub-b.derwentside.net[217.23.233.65]:25, delay=1.7, delays=0.01/0/1.6/0.07, dsn=4.2.0, status=deferred (host mailhub-b.derwentside.net[217.23.233.65] said: 450 4.2.0 <[email protected]>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/durham.gov.uk.html (in reply to RCPT TO command))
    Nov 23 14:19:54 dns2 postfix/cleanup[21234]: 9267820431: message-id=<[email protected]>
    Nov 23 14:19:55 dns2 postfix/qmgr[2299]: 9267820431: from=<[email protected]>, size=699, nrcpt=1 (queue active)
    Nov 23 14:19:56 dns2 postfix/smtpd[21232]: connect from localhost[127.0.0.1]
    Nov 23 14:19:56 dns2 postfix/smtpd[21232]: 0ECEE2042B: client=localhost[127.0.0.1]
    Nov 23 14:19:56 dns2 postfix/cleanup[21202]: 0ECEE2042B: message-id=<[email protected]>
    Nov 23 14:19:56 dns2 postfix/qmgr[2299]: 0ECEE2042B: from=<[email protected]>, size=1149, nrcpt=1 (queue active)
    Nov 23 14:19:56 dns2 postfix/smtpd[21232]: disconnect from localhost[127.0.0.1]
    Nov 23 14:19:56 dns2 amavis[19158]: (19158-19) Passed CLEAN {RelayedOpenRelay}, [200.161.84.176]:4492 [200.161.84.176] <[email protected]> -> <[email protected]>, Queue-ID: 9267820431, Message-ID: <[email protected]>, mail_id: Vq7kcw4LUaZg, Hits: -0.999, size: 699, queued_as: 0ECEE2042B, 1049 ms
    Nov 23 14:19:56 dns2 postfix/smtp[21203]: 9267820431: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.8, delays=2.7/0/0.01/1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0ECEE2042B)
    Nov 23 14:19:56 dns2 postfix/qmgr[2299]: 9267820431: removed
    Nov 23 14:19:56 dns2 postfix/smtpd[21191]: D238B20431: client=200-161-84-176.dsl.telesp.net.br[200.161.84.176], sasl_method=PLAIN, [email protected]
    Nov 23 14:19:56 dns2 postfix/smtp[21224]: 0ECEE2042B: to=<[email protected]>, relay=mail2.stirling.gov.uk[194.83.173.4]:25, delay=0.9, delays=0.01/0/0.78/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D381EE2056)
    Nov 23 14:19:57 dns2 postfix/qmgr[2299]: 0ECEE2042B: removed
    Nov 23 14:19:58 dns2 postfix/cleanup[21234]: D238B20431: message-id=<[email protected]>
    Nov 23 14:19:58 dns2 postfix/qmgr[2299]: D238B20431: from=<[email protected]>, size=736, nrcpt=1 (queue active)
    Nov 23 14:20:01 dns2 postfix/smtpd[21191]: 19F6E2042B: client=200-161-84-176.dsl.telesp.net.br[200.161.84.176], sasl_method=PLAIN, [email protected]
    Nov 23 14:20:02 dns2 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<iEoqFTUloAAAAAAAAAAAAAAAAAAAAAAB>
    A spammer sent mail from my server, but I can't understand how to block them.
    I hope someone can help me.
    Regards
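An added example, not part of delfo2000's post and not ISPConfig code: the log above already names the culprit in its smtpd lines, where one sasl_username submits message after message from a DSL address while qmgr records a different envelope sender under the same queue ID. The script below correlates those two record types by queue ID, skips the unauthenticated re-injection from 127.0.0.1 (which would otherwise count every message twice), and flags accounts that burst, log in from several addresses or send as someone other than the login. The log lines, user names and addresses in it are constructed; the thresholds and the assumption that logins are full e-mail addresses are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Postfix's syslog format (not taken from the thread):
# alice's login submits a burst from two addresses with a foreign envelope
# sender; the amavis re-injection from localhost and bob's single message
# are there to show what must not be counted.
SAMPLE_LOG = """\
Nov 23 14:19:44 mx1 postfix/smtpd[21191]: BAF632042B: client=203-0-113-7.dsl.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 23 14:19:46 mx1 postfix/qmgr[2299]: BAF632042B: from=<promo@bulk-offers.example>, size=767, nrcpt=1 (queue active)
Nov 23 14:19:47 mx1 postfix/smtpd[21191]: F35422042B: client=203-0-113-7.dsl.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 23 14:19:51 mx1 postfix/qmgr[2299]: F35422042B: from=<promo@bulk-offers.example>, size=732, nrcpt=1 (queue active)
Nov 23 14:19:52 mx1 postfix/smtpd[21191]: 9267820431: client=198-51-100-9.cable.example.net[198.51.100.9], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 23 14:19:55 mx1 postfix/qmgr[2299]: 9267820431: from=<promo@bulk-offers.example>, size=699, nrcpt=1 (queue active)
Nov 23 14:19:56 mx1 postfix/smtpd[21191]: D238B20431: client=203-0-113-7.dsl.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 23 14:19:58 mx1 postfix/qmgr[2299]: D238B20431: from=<promo@bulk-offers.example>, size=736, nrcpt=1 (queue active)
Nov 23 14:20:01 mx1 postfix/smtpd[21191]: 19F6E2042B: client=203-0-113-7.dsl.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 23 14:20:03 mx1 postfix/qmgr[2299]: 19F6E2042B: from=<promo@bulk-offers.example>, size=702, nrcpt=25 (queue active)
Nov 23 14:20:04 mx1 postfix/smtpd[21232]: 0C10D20430: client=localhost[127.0.0.1]
Nov 23 14:20:04 mx1 postfix/qmgr[2299]: 0C10D20430: from=<promo@bulk-offers.example>, size=1231, nrcpt=1 (queue active)
Nov 23 14:30:00 mx1 postfix/smtpd[21300]: 7A1B2C3D4E: client=workstation.example.org[192.0.2.50], sasl_method=PLAIN, sasl_username=bob@example.org
Nov 23 14:30:01 mx1 postfix/qmgr[2299]: 7A1B2C3D4E: from=<bob@example.org>, size=2048, nrcpt=2 (queue active)
"""

TS = r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)'
# smtpd logs the client and, for authenticated sessions, the SASL login;
# qmgr logs envelope sender and recipient count under the same queue ID.
SMTPD_RE = re.compile(
    TS + r' \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): '
    r'client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]'
    r'(?:, sasl_method=(?P<method>[^,]+), sasl_username=(?P<user>[^,\s]+))?')
QMGR_RE = re.compile(
    TS + r' \S+ postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): '
    r'from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)')


def analyze_log(lines, year=2015):
    """Return {sasl_username: stats}; syslog lines carry no year, so pass it."""
    pending = {}                     # queue ID -> (user, ip, time) awaiting its qmgr line
    stats = defaultdict(lambda: {'messages': 0, 'recipients': 0, 'ips': set(),
                                 'senders': set(), 'sender_mismatches': 0, 'times': []})
    for line in lines:
        m = SMTPD_RE.match(line)
        if m:
            if m.group('user'):      # unauthenticated clients (127.0.0.1 re-injection) are skipped
                pending[m.group('qid')] = (m.group('user').lower(), m.group('ip'),
                                           datetime.strptime(f"{year} {m.group('ts')}",
                                                             '%Y %b %d %H:%M:%S'))
            continue
        m = QMGR_RE.match(line)
        if m and m.group('qid') in pending:
            user, ip, when = pending.pop(m.group('qid'))
            sender = m.group('sender').lower()
            s = stats[user]
            s['messages'] += 1
            s['recipients'] += int(m.group('nrcpt'))
            s['ips'].add(ip)
            s['senders'].add(sender)
            s['times'].append(when)
            # Assumption: logins are full addresses (as ISPConfig creates them),
            # so a well-behaved mail client sends as the login identity.
            if sender != user:
                s['sender_mismatches'] += 1
    return dict(stats)


def flag_accounts(stats, burst=5, burst_window=300, max_ips=1):
    """Name accounts that look like a leaked password in use: `burst` messages
    inside `burst_window` seconds, more than `max_ips` client addresses, or
    envelope senders that are not the login. Returns {user: [reasons]}."""
    findings = {}
    for user, s in stats.items():
        reasons = []
        times = sorted(s['times'])
        for i in range(len(times) - burst + 1):   # sliding window of `burst` submissions
            if (times[i + burst - 1] - times[i]).total_seconds() <= burst_window:
                reasons.append(f'{burst} messages within {burst_window}s')
                break
        if len(s['ips']) > max_ips:
            reasons.append(f'{len(s["ips"])} client IPs: {sorted(s["ips"])}')
        if s['sender_mismatches']:
            reasons.append(f'{s["sender_mismatches"]} messages with foreign envelope sender(s): '
                           f'{sorted(s["senders"])}')
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == '__main__':
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    report = analyze_log(source)
    for user, reasons in flag_accounts(report).items():
        print(f'{user}: {report[user]["messages"]} msgs, '
              f'{report[user]["recipients"]} rcpts; ' + '; '.join(reasons))
```

Run it as `python3 audit_sasl.py < /var/log/mail.log` (file name hypothetical); with no input it reports on the constructed sample, where only alice's login is flagged, on all three counts, and bob's single message is not.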
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Probably neither. Spamming is mostly done through hacked accounts (someone got the password of an account, e.g. through a trojan or virus on the desktop where the email address is used, or the email login is used in an insecure environment like an internet cafe) or by hacked websites.

    Check the mail headers of mails in the mail queue with the postcat command. Search this forum for postcat; this has been explained in several threads.
     
  3. Jesse Norell

    Jesse Norell Active Member

    for a quick sender count in your deferred mail queue, try:
    Code:
    # one identity per queue file: the SASL login when the envelope records carry one, else the envelope sender
    find /var/spool/postfix/deferred/ -type f -print0 | while IFS= read -r -d '' f; do postcat "$f" | grep -E -m1 '^(named_attribute: sasl_username=.|sasl_username: .|sender: .)' | sed -E 's/^[^:]*: (sasl_username=)?//'; done | sort | uniq -c | sort -n
    Note that this doesn't count anything with a null sender; you may have a lot of MAILER-DAEMON messages in the queue due to your spam that won't be counted here, but you can pretty safely just remove them all (note you may lose a "legitimate" mailer-daemon notice or two in that, but most often they're undeliverable if they've been in the queue long).
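An added example, not from Jesse Norell or the thread: the same tally as the one-liner above, in Python, with the two gaps it leaves handled. Null-sender bounces are listed by queue ID in their own bucket instead of being dropped, and only the envelope records of each queue file are consulted, so a line starting with `sender:` inside a message body cannot skew the count. It assumes the record format postcat prints (`*** ENVELOPE RECORDS path ***`, `named_attribute: sasl_username=...`, `sender: ...`) and that an empty sender appears as `<>`; the queue files in the sample are constructed. One caveat specific to the amavis setup in this thread: the copy that waits in deferred/ is the one re-injected on port 10025, and that copy carries no sasl_username attribute, so it falls back to the envelope sender (the second sample message); the original login shows up in the Received: header only if smtpd_sasl_authenticated_header = yes is set.

```python
import re
import sys
from collections import Counter

# Constructed postcat output (not from the thread): four deferred queue files,
# concatenated as `find /var/spool/postfix/deferred -type f -exec postcat {} +`
# would emit them, in the record format postcat prints.
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS deferred/9/9267820431 ***
message_arrival_time: Mon Nov 23 14:19:52 2015
named_attribute: log_ident=9267820431
named_attribute: sasl_method=PLAIN
named_attribute: sasl_username=alice@example.org
named_attribute: log_client_address=203.0.113.7
sender: promo@bulk-offers.example
recipient: victim@example.net
*** MESSAGE CONTENTS deferred/9/9267820431 ***
Received: from [203.0.113.7] (203-0-113-7.dsl.example.net [203.0.113.7])
    by mx1.example.org (Postfix) with ESMTPA id 9267820431
Subject: Cheap offers
*** MESSAGE FILE END deferred/9/9267820431 ***
*** ENVELOPE RECORDS deferred/0/0ECEE2042B ***
message_arrival_time: Mon Nov 23 14:19:56 2015
named_attribute: log_ident=0ECEE2042B
named_attribute: log_client_address=127.0.0.1
sender: promo@bulk-offers.example
recipient: another@example.net
*** MESSAGE CONTENTS deferred/0/0ECEE2042B ***
Subject: Cheap offers
sender: this line is message body, not an envelope record
*** MESSAGE FILE END deferred/0/0ECEE2042B ***
*** ENVELOPE RECORDS deferred/A/A1B2C3D4E5 ***
message_arrival_time: Mon Nov 23 14:25:00 2015
named_attribute: log_ident=A1B2C3D4E5
sender: <>
recipient: promo@bulk-offers.example
*** MESSAGE CONTENTS deferred/A/A1B2C3D4E5 ***
From: MAILER-DAEMON@mx1.example.org (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
*** MESSAGE FILE END deferred/A/A1B2C3D4E5 ***
*** ENVELOPE RECORDS deferred/7/7A1B2C3D4E ***
message_arrival_time: Mon Nov 23 14:30:00 2015
named_attribute: log_ident=7A1B2C3D4E
named_attribute: sasl_username=bob@example.org
sender: bob@example.org
recipient: peer@example.net
*** MESSAGE CONTENTS deferred/7/7A1B2C3D4E ***
Subject: hello
*** MESSAGE FILE END deferred/7/7A1B2C3D4E ***
"""

ENVELOPE_RE = re.compile(r'^\*\*\* ENVELOPE RECORDS (\S+) \*\*\*$', re.M)
SASL_RE = re.compile(r'^named_attribute: sasl_username=(\S*)$', re.M)
SENDER_RE = re.compile(r'^sender:[ \t]*(\S*)$', re.M)


def split_queue_files(text):
    """Yield (queue_id, text) per message from concatenated postcat output."""
    parts = ENVELOPE_RE.split(text)          # [prefix, path1, body1, path2, body2, ...]
    for path, body in zip(parts[1::2], parts[2::2]):
        yield path.rsplit('/', 1)[-1], body  # queue ID is the file name


def envelope_identity(body):
    """SASL login if the envelope carries one, else the envelope sender;
    None for a null sender (a bounce). Message content is never consulted."""
    envelope = body.split('*** MESSAGE CONTENTS', 1)[0]
    m = SASL_RE.search(envelope)
    if m and m.group(1):
        return m.group(1).lower()
    m = SENDER_RE.search(envelope)
    sender = m.group(1) if m else ''
    return None if sender in ('', '<>') else sender.lower()


def summarize_deferred(text):
    """Return (Counter of identity -> queue files, [bounce queue IDs])."""
    counts, bounces = Counter(), []
    for qid, body in split_queue_files(text):
        identity = envelope_identity(body)
        if identity is None:
            bounces.append(qid)
        else:
            counts[identity] += 1
    return counts, bounces


if __name__ == '__main__':
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POSTCAT
    counts, bounces = summarize_deferred(text)
    for identity, n in counts.most_common():
        print(f'{n:6d} {identity}')
    print(f'{len(bounces):6d} null-sender bounces: {" ".join(bounces)}')
```

Run as root with `find /var/spool/postfix/deferred -type f -exec postcat {} + | python3 deferred_senders.py` (file name hypothetical). The printed bounce IDs can be fed one per line to `postsuper -d -` once you have decided, as Jesse says, that they are safe to drop.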
     
  4. delfo2000

    delfo2000 Member

    Hi,

    Thanks for the reply and the help. I told my user to change their password (thanks till) and now it's perfect; the spammer can't use my server.
    I have deleted the whole mail queue (thanks Jesse Norell) and now I monitor my IP for free at http://www.rblmon.com/ ; in this way I'm sure.
    I have checked my e-mail volume history at http://www.senderbase.org/ and it's OK.
    Regards
     
