using my server for spamming?

Discussion in 'Installation/Configuration' started by lyndros, Oct 31, 2006.

  1. lyndros

    lyndros New Member

    hi all, i have notice this mail logs:whats that?

    Oct 31 01:21:58 server1 postfix/smtp[31508]: 363B03326D0: to=<[email protected]
    tockphotos.com>, relay=mailserver.blackstockphotos.com[213.171.216.65], delay=2,
    status=bounced (host mailserver.blackstockphotos.com[213.171.216.65] said: 552

    Oct 31 00:23:51 server1 postfix/smtp[29728]: 754183326CE: to=<[email protected]
    .com>, relay=sexyadultworld.com[62.141.48.86], delay=2, status=sent (250 Data re
    ceived OK.)

    they connect without auth? formmail probably? how can i know if this is from formmail?

    thks in advanced :)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Test that your server is not a open relay:

    http://www.abuse.net/relay.html

    2) If you have a insecure mail form on your server, there is no authentication needed for sending mails trough this form as the origin of the mails is localhost and localhost is a thrusted domain that dont need to authenticate.
     
  3. falko

    falko Super Moderator ISPConfig Developer

    Also, what's the output of
    Code:
    postconf -d|grep mynetworks
    and
    Code:
    postconf -n|grep mynetworks
    ?
     
  4. nvn

    nvn New Member

    Hi

    I have the same problem...

    My mailserver is working like hell sending mails.. :(

    web1:~ # postconf -d|grep mynetworks
    mynetworks = 127.0.0.0/8 192.168.1.0/24
    mynetworks_style = subnet
    parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    web1:~ # postconf -n|grep mynetworks
    mynetworks_style = subnet
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The settings are fine so far. The way to find the origin of the mails is to inspect them with postcat as I described in your other thread:

    http://www.howtoforge.com/forums/showthread.php?t=7766&highlight=postcat

    I guess you checked the the spam is not send from your local network "192.168.1.0/24" ;)
     
  6. lyndros

    lyndros New Member

    This is my output: postconf -d | grep mynetworks

    mynetworks = 127.0.0.0/8 192.168.1.0/24
    mynetworks_style = subnet
    parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

    postconf -n | grep mynetworks

    mynetworks = 127.0.0.0/8
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

    i've checked the server and is not open relay ...

    any help would be much appreciated

    thks in advanced
     
  7. falko

    falko Super Moderator ISPConfig Developer

    That's the right setting, so your mail server is no open relay. So I guess Till is right:

    Check your web applications for email forms, guest books, etc. that send emails. Probably a weakness in one of those scripts is used by spammers...
     

Share This Page