postfix DoS Spam attack

Discussion in 'Installation/Configuration' started by arraken, Mar 28, 2013.

  1. compugraphix

    compugraphix Member HowtoForge Supporter

    It only works if the spammer is not logged in and doesn't know your login password so if he is still trying

    what do you see in the E-Mail mail-log ?
    And in the Show fail2ban-log ?
  2. compugraphix

    compugraphix Member HowtoForge Supporter

    /sbin/iptables -I INPUT -s -j DROP ip you want to block
  3. arraken

    arraken Member HowtoForge Supporter

    the mail.log is the same as in my second post, when the attacks are running. at the moment, after banning the suspictious ip, the spam has stopped. but it may just be a break, and then start again i fear.

    also: the ip belongs to a company which we host on our server. the suspictious user that i banned earlier also works at this company.

    so if banning this ip really stops the spam (i will monitor it in the next hour or so), i still have to find a way to stop the spamming, because i have to unblock their ip at some point..

    anyway - i'll see if the spamming goes on. if not, i'll go to sleep and start working at it again tomorrow.

    for now: thanks a LOT for your quick and tireless help so far compugraphix. i think i owe you some beers or something :)
  4. compugraphix

    compugraphix Member HowtoForge Supporter

    than the guy has a virus or he is hacked by a trojan so he must cleanup his pc
    Ow and change his email password :)
  5. arraken

    arraken Member HowtoForge Supporter

    ok, so i banned the "problematic" ip, and the spam attack stopped until now (ca. 7 hours without spam).

    I'm guessing if i unblock the IP, the spam attacks will begin again. The fact that the spam only apparently only get sent over this one IP (fingers crossed) - does that mean there is no harmful script on the server, and the problem is for example a compromised PC from the company with said IP?

    It would already help if i can assume that there is no harmful script on my server, as it makes finding the problem much easier...

    Also, i tried to set up this:

    it should block emails where the sender isn't the same as the sasl login - so it should block most of the spam being sent. But as soon as i put this line " check_policy_service unix:private/policy," in my, i get an error from my mail client: "451 4.3.5 Server configuration problem"'. :(
  6. arraken

    arraken Member HowtoForge Supporter

    just found this:

    describes my problem pretty well. also a nice solution for how to find the compromised email account in the more detailed explanation:

    very useful. i found out that one user has over 30.000 sasl logins, and another over 1700. The problem is that i already changed the pw of one user, and the spams continued. I'll try changing all mail-pw's on said domain.
  7. Lionheart82

    Lionheart82 Member

    Monit has a postfix graph where you can actually see the spikes and understand if something is wrong :) i am afraid that you have to dig the log files to learn about the compromised account.

    Edit: i saw both links, really nice guides i can say :)
    Last edited: Mar 30, 2013
  8. arraken

    arraken Member HowtoForge Supporter

    thanks for the explanation lionheart.

    the second link in my previous post has a great way to dig the logfiles and find out the compromised accounts. I think i pinned the problem down to two accounts - let's see what happens when i change their pw's.
  9. compugraphix

    compugraphix Member HowtoForge Supporter

    Nice to see you are locating the problem and getting grip on the situation :)
    your client has the problem with a virus/botnet/trojan not you, your just dealing with the problems he created.

    Have you got any banned ip's in your fail2ban log allready?
    it looks something like:
    fail2ban.actions: WARNING [ssh] Ban

    for de munin monit install, look here
    Last edited: Mar 30, 2013
  10. arraken

    arraken Member HowtoForge Supporter

    Ok, for anyone who is interested how this story ended:

    The problem apparently was a compromised exchange server. All the spam sent through my server was originating from one IP, which was as i found out the IP of the compromised, or poorly configurated exchange server. The accounts through which the spam mail was sent belonged to the same company as the exchange server, and thus were managed on this server. After i talked to the admin of the exchange-server he found out the problem (i don't know what it was exactly), and fixed it. I unbanned the IP afterwards, and the spam flood didn't return for some days now, so i guess the problem is solved.

    @compugraphix: You were exactly right: the problem was created by the client. Fortunately he was able to remedy the situation. :)
    I got some banned IP's from fail2ban. Gotta finetune it a bit though - but it seem's to be working fine.

    I still get many deferred mail's though, but i think it's a different problem. I summed it up here:
    Last edited: Apr 4, 2013

Share This Page