Bombarded With Spam

16 messages

Bombarded With Spam

Kirk Bocek-2
I inadvertently set open relay on my server some time ago. I've fixed it
but I am now bombarded with spam messages. I'm seeing messages like:

6C5C41FCB3     5940 Sun Sep 24 11:10:12  [hidden email]
(delivery temporarily suspended: lost connection with
mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)

These fill up my mailq. I've since blocked sflic.com but I get others
with a gmail.com domain.

How do I block or reject these messages?



Re: Bombarded With Spam

Benny Pedersen-2
Kirk Bocek skrev den 2017-09-24 20:25:

> These fill up my mailq. I've since blocked sflic.com but I get others
> with a gmail.com domain.
>
> How do I block or reject these messages?

google loopback-only is the most simple one :)

more help post postconf -n

Re: Bombarded With Spam

Kirk Bocek-2


On 9/24/2017 11:34 AM, Benny Pedersen wrote:

> Kirk Bocek skrev den 2017-09-24 20:25:
>
>> These fill up my mailq. I've since blocked sflic.com but I get others
>> with a gmail.com domain.
>>
>> How do I block or reject these messages?
>
> google loopback-only is the most simple one :)
>
> more help post postconf -n

Thanks Benny.

I was unaware of loopback-only. A quick search shows it's used in
send-only configurations. I, however, am receiving a few domains on this
server.

Here is postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, pvt, bocek.org,
    bocekrealty.com
mydomain = pvt
myhostname = amber.pvt
mynetworks = 10.0.0.0/21, localhost, 127.0.0.0/8
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = 173.8.164.189
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination, localhost, $myhostname
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks, permit_inet_interfaces,
    permit_tls_all_clientcerts, reject_unknown_client_hostname, reject
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_sender_domain,
    reject_non_fqdn_hostname, reject_invalid_hostname,
    reject_unknown_helo_hostname, permit
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access,
    permit_mynetworks, reject_unauth_pipelining, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination,
    check_policy_service unix:postgrey/socket, permit_sasl_authenticated,
    reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.sorbs.net, reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,
    reject_rbl_client b.barracudacentral.org,
    check_recipient_access hash:/etc/postfix/access, reject_unlisted_recipient,
    reject_unverified_recipient, permit
smtpd_tls_key_file = /etc/postfix/sslcert-20151019.pem
smtpd_tls_cert_file = /etc/postfix/sslcert-20151019.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,
    permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unverified_sender, warn_if_reject, permit
unknown_local_recipient_reject_code = 550
virtual_alias_domains = bocek.org, bocekrealty.com
virtual_alias_maps = hash:/etc/postfix/virtual, hash:/etc/postfix/stonealias,
    hash:/etc/postfix/testalias


I am constantly battling getting smtpd_sender_restrictions,
smtpd_helo_restrictions, smtpd_client_restrictions and the others
correct. I've used the check_sender_access hash through several of them
and I'm not sure that's correct.


Re: Bombarded With Spam

Wietse Venema
In reply to this post by Kirk Bocek-2
Kirk Bocek:
> I inadvertently set open relay on my server some time ago. I've fixed it
> but I am now bombarded with spam messages. I'm seeing messages like:
>
> 6C5C41FCB3   5940 Sun Sep 24 11:10:12  [hidden email]
> (delivery temporarily suspended: lost connection with
> mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)

Why did your server ACCEPT this email? Search the logs for 6C5C41FCB3,
then find out why it was accepted.

        Wietse

Re: Bombarded With Spam

Benny Pedersen-2
In reply to this post by Kirk Bocek-2
Kirk Bocek skrev den 2017-09-24 22:27:

> Here is postconf -n:

> mydestination = $myhostname, localhost.$mydomain, localhost,    pvt,
> bocek.org,      bocekrealty.com

> relay_domains = $mydestination, localhost, $myhostname
> relay_recipient_maps = hash:/etc/postfix/relay_recipients

do not list $mydestination, $myhostname, localhost as relay_domains

these maps are only needed if you are an active backup MX

to solve it:

relay_domains=
relay_recipient_maps=

Re: Bombarded With Spam

Kirk Bocek-2


On 9/24/2017 2:05 PM, Benny Pedersen wrote:

> Kirk Bocek skrev den 2017-09-24 22:27:
>
>> Here is postconf -n:
>
>> mydestination = $myhostname, localhost.$mydomain, localhost,    pvt,
>> bocek.org,      bocekrealty.com
>
>> relay_domains = $mydestination, localhost, $myhostname
>> relay_recipient_maps = hash:/etc/postfix/relay_recipients
>
> do not list $mydestination, $myhostname, localhost as relay_domains
>
> these maps are only needed if you are an active backup MX
>
> to solve it:
>
> relay_domains=
> relay_recipient_maps=

Several complex things are happening. I need to accept mail from
localhost for messages from an array controller. This host needs to
relay mail from workstations on the LAN. This host is also accepting
mail from several listed domains via the router.

This part always confuses me in Postfix.

Re: Bombarded With Spam

Kirk Bocek-2
In reply to this post by Wietse Venema


On 9/24/2017 1:50 PM, Wietse Venema wrote:

> Kirk Bocek:
>> I inadvertently set open relay on my server some time ago. I've fixed it
>> but I am now bombarded with spam messages. I'm seeing messages like:
>>
>> 6C5C41FCB3   5940 Sun Sep 24 11:10:12  [hidden email]
>> (delivery temporarily suspended: lost connection with
>> mx-tw.mail.gm0.yahoodns.net[27.123.206.55] while sending RCPT TO)
>
> Why did your server ACCEPT this email? Search the logs for 6C5C41FCB3,
> then find out why it was accepted.
>
> Wietse
>

That's a good question.

Sep 24 11:10:12 amber postfix/pickup[12058]: 6C5C41FCB3: uid=497 from=<[hidden email]>
Sep 24 11:10:12 amber postfix/cleanup[10504]: 6C5C41FCB3: message-id=<[hidden email]>
Sep 24 11:10:12 amber postfix/qmgr[10597]: 6C5C41FCB3: from=<[hidden email]>, size=5940, nrcpt=16 (queue active)

Blocking receipt from sfilc.com would help. I have it in my
sender_access file but it's still coming through. I also have com.tw
entered. Should I add that hash to smtpd_helo_restrictions? Would that help?

Re: Bombarded With Spam

Wietse Venema
Kirk Bocek:
> Sep 24 11:10:12 amber postfix/pickup[12058]: 6C5C41FCB3: uid=497 from=<[hidden email]>

They are spamming through some local application, perhaps a web
service. What process is running as UID=497?

$ grep '497:' /etc/passwd

        Wietse

Re: Bombarded With Spam

Wietse Venema
Wietse Venema:
> Kirk Bocek:
> > Sep 24 11:10:12 amber postfix/pickup[12058]: 6C5C41FCB3: uid=497 from=<[hidden email]>
>
> They are spamming through some local application, perhaps a web
> service. What process is running as UID=497?
>
> $ grep '497:' /etc/passwd

In other words the SPAM does not come in via SMTP.

        Wietse
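The triage Wietse describes, written out as an added example (it is not code from this thread or from Postfix): it reads Postfix log lines, groups them by queue ID and reports whether each message entered through pickup(8), i.e. a local process calling sendmail(1), identified by the uid= field, or through smtpd(8), identified by the client= field. The log lines and the passwd excerpt are constructed; the queue ID 6C5C41FCB3 and uid 497 are the ones from Kirk's post, while the addresses, the other two queue IDs and the account named apache are made up.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the excerpt in the thread (addresses made up).
SAMPLE_LOG = """\
Sep 24 11:10:12 amber postfix/pickup[12058]: 6C5C41FCB3: uid=497 from=<bulk@example.invalid>
Sep 24 11:10:12 amber postfix/cleanup[10504]: 6C5C41FCB3: message-id=<20170924@example.invalid>
Sep 24 11:10:12 amber postfix/qmgr[10597]: 6C5C41FCB3: from=<bulk@example.invalid>, size=5940, nrcpt=16 (queue active)
Sep 24 11:12:03 amber postfix/smtpd[11213]: A1B2C3D4E5: client=mail.example.net[198.51.100.7]
Sep 24 11:12:03 amber postfix/qmgr[10597]: A1B2C3D4E5: from=<alice@example.net>, size=1200, nrcpt=1 (queue active)
Sep 24 11:13:40 amber postfix/smtpd[11214]: F0E1D2C3B4: client=unknown[10.0.2.1], sasl_method=PLAIN, sasl_username=bob
Sep 24 11:13:40 amber postfix/qmgr[10597]: F0E1D2C3B4: from=<bob@example.net>, size=800, nrcpt=1 (queue active)
"""

# Constructed /etc/passwd excerpt; the uid 497 -> apache mapping is an assumption.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:497:48:Apache:/var/www:/sbin/nologin
"""

# Classic short (hex) queue IDs; long queue IDs would need a wider character class.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD_RE = re.compile(r"client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\](?P<attrs>.*)")
QMGR_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")


def parse_passwd(text):
    """Map numeric UID -> account name from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users


def classify_queue(log_text, passwd_text):
    """Return {queue_id: facts} describing how each queued message got in.

    ingress == "local": handed to pickup(8) by a local process via sendmail(1);
                        uid= names the submitting account.
    ingress == "smtp":  accepted by smtpd(8); client= names the peer.
    """
    users = parse_passwd(passwd_text)
    queue = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, qid, rest = m.group("prog", "qid", "rest")
        facts = queue[qid]
        if prog == "pickup":
            p = PICKUP_RE.search(rest)
            if p:
                uid = int(p.group("uid"))
                facts.update(ingress="local", uid=uid, user=users.get(uid, "?"), sender=p.group("sender"))
        elif prog == "smtpd":
            s = SMTPD_RE.search(rest)
            if s:
                facts.update(ingress="smtp", client_host=s.group("host"), client_ip=s.group("ip"))
                sasl = re.search(r"sasl_username=([^,\s]+)", s.group("attrs"))
                if sasl:
                    facts["sasl_username"] = sasl.group(1)
        elif prog == "qmgr":
            q = QMGR_RE.search(rest)
            if q:
                facts.update(sender=q.group("sender"), size=int(q.group("size")), nrcpt=int(q.group("nrcpt")))
    return dict(queue)


def local_submitters(queue):
    """UIDs that injected mail locally; these bypass every smtpd restriction list."""
    return {f["uid"] for f in queue.values() if f.get("ingress") == "local"}


def explain(qid, queue):
    """One-line verdict for a queue ID, the way a human would read the log."""
    f = queue.get(qid)
    if not f:
        return f"{qid}: not found"
    if f.get("ingress") == "local":
        return (f"{qid}: injected locally via sendmail(1) by uid {f['uid']} ({f['user']}); "
                f"{f.get('nrcpt', '?')} recipients. SMTP restrictions never applied; "
                f"look at what runs as that user.")
    if f.get("ingress") == "smtp":
        who = f.get("sasl_username")
        return (f"{qid}: accepted over SMTP from {f['client_host']}[{f['client_ip']}]"
                + (f" authenticated as {who}" if who else "") + ".")
    return f"{qid}: ingress unknown (only cleanup/qmgr lines seen)"


if __name__ == "__main__":
    q = classify_queue(SAMPLE_LOG, SAMPLE_PASSWD)
    for qid in q:
        print(explain(qid, q))
    print("local submitters:", sorted(local_submitters(q)))
```

On a real system feed it the output of grep for the queue ID in /var/log/maillog. A pickup line for a spam queue ID means the smtpd_*_restrictions lists were never consulted for that message, so tuning them cannot stop that traffic; the fix is whatever local process runs as that uid.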

Re: Bombarded With Spam

Benny Pedersen-2
In reply to this post by Kirk Bocek-2
Kirk Bocek skrev den 2017-09-25 00:21:

> Several complex things are happening. I need to accept mail from
> localhost for messages from an array controller. This host needs to
> relay mail from workstations on the LAN. This host is also accepting
> mail from several listed domains via the router.

grep bocek.org main.cf | wc -l

the simple rule is that a domain name is a final destination for postfix, so if
you have bocek.org in mydestination AND in virtual_domain it does not
work as you want

keep mydestination as minimal as possible, and then with all public domains
as virtual you get more control of what happens, as well as for system
accounts that basically should be in mydestination (tip here is that
domains in this list can't be used in public)

to make system accounts work in public use virtual alias mapping

> This part always confuses me in Postfix.

how ?

have you edited relay as suggested? If yes, what error is there now?
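Benny's rule (each domain belongs to exactly one address class) can be checked mechanically. The following is an added example, not code from the thread or from Postfix: it parses postconf -n output, expands $parameter references and lists every domain claimed by more than one of mydestination, virtual_alias_domains, virtual_mailbox_domains and relay_domains. The two excerpts are constructed from the settings Kirk posted, before and after the suggested change; virtual_mailbox_domains is included for completeness even though this site does not use it. Postfix logs its own warning of the form "do not list domain ... in BOTH mydestination and virtual_alias_domains" for the first kind of overlap, so a clean maillog is the cross-check.

```python
import re

# Constructed postconf -n excerpt, taken from the settings Kirk posted.
POSTCONF_BEFORE = """\
mydestination = $myhostname, localhost.$mydomain, localhost, pvt, bocek.org, bocekrealty.com
mydomain = pvt
myhostname = amber.pvt
relay_domains = $mydestination, localhost, $myhostname
virtual_alias_domains = bocek.org, bocekrealty.com
"""

# The same site after Benny's advice: minimal mydestination, public domains virtual only,
# no relay_domains.
POSTCONF_AFTER = """\
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = pvt
myhostname = amber.pvt
relay_domains =
virtual_alias_domains = bocek.org, bocekrealty.com
"""

ADDRESS_CLASSES = ("mydestination", "virtual_alias_domains", "virtual_mailbox_domains", "relay_domains")
VAR_RE = re.compile(r"\$\{?(\w+)\}?")


def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and current:
            params[current] += " " + line.strip()
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def expand(params, value, depth=0):
    """Expand $name / ${name} references the way Postfix does, recursively."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    new = VAR_RE.sub(lambda m: params.get(m.group(1), ""), value)
    return new if new == value else expand(params, new, depth + 1)


def domains_in(params, name):
    """Literal domain names in an address-class parameter (table lookups like hash:/... are skipped)."""
    raw = expand(params, params.get(name, ""))
    return {tok.lower() for tok in re.split(r"[,\s]+", raw) if tok and ":" not in tok}


def overlapping_domains(params):
    """{domain: [address classes that claim it]} for every domain listed in more than one class."""
    owners = {}
    for cls in ADDRESS_CLASSES:
        for dom in domains_in(params, cls):
            owners.setdefault(dom, []).append(cls)
    return {dom: cls for dom, cls in owners.items() if len(cls) > 1}


if __name__ == "__main__":
    for label, text in (("before", POSTCONF_BEFORE), ("after", POSTCONF_AFTER)):
        found = overlapping_domains(parse_postconf(text))
        print(label + ":", found or "no domain is listed in two address classes")
```

Run it as `postconf -n | python3 check_classes.py` after replacing the embedded excerpts with sys.stdin.read(); every domain it prints is one Postfix can route two different ways, and the "before" output reproduces exactly the double listing Benny's grep was meant to expose.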

Re: Bombarded With Spam

Kirk Bocek-2


On 9/25/2017 3:28 AM, Benny Pedersen wrote:

> grep bocek.org main.cf | wc -l
>
> the simple rule is that a domain name is a final destination for postfix, so if
> you have bocek.org in mydestination AND in virtual_domain it does not
> work as you want

So I need to receive email from bocek.org and then relay it elsewhere.
That's why I put that there. Is that wrong?

>
> keep mydestination as minimal as possible, and then with all public domains
> as virtual you get more control of what happens, as well as for system
> accounts that basically should be in mydestination (tip here is that
> domains in this list can't be used in public)
>
> to make system accounts work in public use virtual alias mapping
>
>> This part always confuses me in Postfix.
>
> how?
>
> have you edited relay as suggested? If yes, what error is there now?

So I modified my recipient restrictions:

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/access,
    check_helo_access hash:/etc/postfix/sender_access,
    check_recipient_access hash:/etc/postfix/sender_access,
    check_sender_access hash:/etc/postfix/sender_access,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unknown_helo_hostname,
    check_policy_service unix:postgrey/socket,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    #reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client dnsbl-2.uceprotect.net,
    reject_rbl_client dnsbl-3.uceprotect.net,
    reject_rbl_client b.barracudacentral.org,
    reject_unlisted_recipient,
    reject_unverified_recipient,
    permit

by adding the sender_access lines. This seems to help. I realize I have
two check_recipient_access lines. Is this an issue?

Re: Bombarded With Spam

Benny Pedersen-2
Kirk Bocek skrev den 2017-09-25 16:04:

> So I need to receive email from bocek.org and then relay it elsewhere.
> That's why I put that there. Is that wrong?

yes, each domain must not be listed in both places, since postfix needs to
know how to deliver and route it to its destination

don't focus on sender access yet; focus on getting recipient access working
before solving sender access

[snip]

> smtpd_recipient_restrictions =

[snip]

with that config you are on your own, since I can't see logs, and thus
I'm not helping with the problem to be solved

if you like to get postfix stable, don't use so many access hash files; it
hides your real problem

> by adding the sender_access lines. This seems to help. I realize I
> have two check_recipient_access lines. Is this an issue?

sadly it helps you get more questions on faults as well

Re: Bombarded With Spam

Kirk Bocek-2


On 9/25/2017 7:34 AM, Benny Pedersen wrote:
>
> yes, each domain must not be listed in both places, since postfix needs
> to know how to deliver and route it to its destination

Okay, I set it back to

mydestination = $myhostname, localhost.$mydomain, localhost

The other stuff was me trying to get local delivery working.

>
> don't focus on sender access yet; focus on getting recipient access working
> before solving sender access
>
> [snip]
>
>> smtpd_recipient_restrictions =
>
> [snip]
>
> with that config you are on your own, since I can't see logs, and thus
> I'm not helping with the problem to be solved

Well, I can but my log files are *huge* due to all the spam traffic
being denied.

>
> if you like to get postfix stable, don't use so many access hash files;
> it hides your real problem
>

But is it okay to have all the "check" configuration lines in a single
section?


Re: Bombarded With Spam

Kirk Bocek-2
In reply to this post by Benny Pedersen-2


On 9/25/2017 7:34 AM, Benny Pedersen wrote:

> Kirk Bocek skrev den 2017-09-25 16:04:
>
>> So I need to receive email from bocek.org and then relay it elsewhere.
>> That's why I put that there. Is that wrong?
>
> yes each domain must not be listed in both places, sinc postfix need
> to know how to deliver and route it to there destinations
>
> don't focus on sender access yet; focus on getting recipient access working
> before solving sender access
>

Thank you Benny and Wietse. Things are better now. However I have lots
of log entries like:

Sep 26 11:57:52 amber postfix/smtpd[11213]: NOQUEUE: reject: RCPT from unknown[10.0.2.1]: 554 5.7.1 <[hidden email]>: Sender address rejected: No Spam; from=<bjzudixref [hidden email]> to=<[hidden email]> proto=SMTP helo=<My IP>

First off, at what stage is this rejection happening? Obviously, I want
it to happen during HELO to keep the bandwidth down.

Second, this server is sitting behind a firewall (10.0.2.1). Is there
any way to get the sending IP address instead of the firewall?


Re: Bombarded With Spam

Matus UHLAR - fantomas
On 26.09.17 12:02, Kirk Bocek wrote:
>Thank you Benny and Wietse. Things are better now. However I have
>lots of log entries like:
>
>Sep 26 11:57:52 amber postfix/smtpd[11213]: NOQUEUE: reject: RCPT from unknown[10.0.2.1]: 554 5.7.1 <[hidden email]>: Sender address rejected: No Spam; from=<bjzudixref [hidden email]> to=<[hidden email]> proto=SMTP helo=<My IP>

Looks like sender address rejection. The error message seems to be
custom, which means you should search for check_sender_access in your config
file.
if this still applies:
https://marc.info/?l=postfix-users&m=150628487603535&w=2
then you have:
check_sender_access hash:/etc/postfix/sender_access,

which means the sender is listed in /etc/postfix/sender_access

>First off, at what stage is this rejection happening? Obviously, I
>want it to happen during HELO to keep the bandwidth down.

you can't reject sender at HELO stage, because at that stage the sender is
not known yet.

>Second, this server is sitting behind a firewall (10.0.2.1). Is there
>any way to get the sending IP address instead of the firewall?

configure your firewall to do destination NAT, so you see the real
source. Hiding real source causes big problems to spam detection.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
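Matus's point about stages, as an added example that models Postfix's rules rather than being Postfix code: each restriction list keys on a fact the client supplies at a given stage, so a sender check cannot fire before MAIL FROM, and with smtpd_delay_reject = yes (Kirk's setting, and the default) every list is evaluated at RCPT TO, which is why the log says "reject: RCPT" for a sender_access hit. The model also shows that a permit result from one list (permit_mynetworks in the client list) ends only that list; the sender and recipient lists still run, so a LAN client that uses a listed sender is still rejected. The access tables, addresses and host names are constructed; only 10.0.2.1, the "No Spam" text and the bocek.org/bocekrealty.com domains come from the thread.

```python
import ipaddress

# Stage at which the SMTP client first supplies the fact each restriction list keys on.
LIST_STAGE = {"client": "CONNECT", "helo": "HELO", "sender": "MAIL", "recipient": "RCPT"}
LIST_ORDER = ["client", "helo", "sender", "recipient"]


def permit_mynetworks(networks):
    nets = [ipaddress.ip_network(n) for n in networks]

    def restriction(session):
        ip = ipaddress.ip_address(session["client_ip"])
        return "OK" if any(ip in n for n in nets) else None
    return restriction


def check_access(field, table, label):
    """check_{helo,sender,recipient}_access over a dict standing in for a hash: map.
    Only the OK and 'REJECT text' actions are modelled; access(5) has more."""
    def restriction(session):
        value = session.get(field)
        if value is None:
            return None                       # fact not supplied yet: nothing to check
        keys = [value]
        if "@" in value:
            keys.append(value.rpartition("@")[2])   # user@domain first, then the domain
        for key in keys:
            action = table.get(key.lower())
            if action is None:
                continue
            verb, _, text = action.partition(" ")
            if verb == "OK":
                return "OK"
            if verb == "REJECT":
                return ("REJECT", value, f"{label}: {text or 'Access denied'}")
        return None
    return restriction


def reject_unauth_destination(my_domains):
    def restriction(session):
        rcpt = session.get("rcpt")
        if rcpt is None or rcpt.rpartition("@")[2].lower() in my_domains:
            return None
        return ("REJECT", rcpt, "Relay access denied")
    return restriction


def run_session(restrictions, events, delay_reject=True):
    """Feed SMTP events in order. Returns (stage, restriction, log line) for the
    first rejection, or None if the session is accepted."""
    session = {}
    for stage, facts in events:
        session.update(facts)
        if delay_reject:
            lists = LIST_ORDER if stage == "RCPT" else []   # nothing runs before RCPT TO
        else:
            lists = [name for name in LIST_ORDER if LIST_STAGE[name] == stage]
        for lname in lists:
            for rname, check in restrictions.get(lname, []):
                verdict = check(session)
                if verdict is None:
                    continue                  # DUNNO: next restriction in this list
                if verdict == "OK":
                    break                     # permit ends this list only; the next list still runs
                _, subject, text = verdict
                log = (f"NOQUEUE: reject: {stage} from {session['client_host']}[{session['client_ip']}]: "
                       f"554 5.7.1 <{subject}>: {text}; from=<{session.get('sender', '')}> "
                       f"to=<{session.get('rcpt', '')}> proto=SMTP helo=<{session.get('helo', '')}>")
                return stage, rname, log
    return None


# Constructed tables and sessions; addresses and host names are made up.
SENDER_ACCESS = {"example.invalid": "REJECT No Spam"}      # like Kirk's sender_access entry
HELO_ACCESS = {"my-ip": "REJECT Bogus HELO name"}
MY_DOMAINS = {"bocek.org", "bocekrealty.com"}
RESTRICTIONS = {
    "client": [("permit_mynetworks", permit_mynetworks(["10.0.0.0/21", "127.0.0.0/8"]))],
    "helo": [("check_helo_access", check_access("helo", HELO_ACCESS, "Helo command rejected"))],
    "sender": [("check_sender_access", check_access("sender", SENDER_ACCESS, "Sender address rejected"))],
    "recipient": [("reject_unauth_destination", reject_unauth_destination(MY_DOMAINS))],
}


def session(client_ip, helo, sender, rcpt):
    return [("CONNECT", {"client_host": "unknown", "client_ip": client_ip}),
            ("HELO", {"helo": helo}),
            ("MAIL", {"sender": sender}),
            ("RCPT", {"rcpt": rcpt})]


SPAM = session("10.0.2.1", "spamhost.example.invalid", "bjzudixref@example.invalid", "postmaster@bocek.org")
RELAY = session("198.51.100.7", "mail.example.net", "alice@example.net", "victim@example.org")
BAD_HELO = session("198.51.100.7", "my-ip", "alice@example.net", "postmaster@bocek.org")

if __name__ == "__main__":
    for name, ev in (("spam", SPAM), ("relay", RELAY), ("bad helo", BAD_HELO)):
        for delay in (True, False):
            print(f"{name:8} delay_reject={delay!s:5}", run_session(RESTRICTIONS, ev, delay))
```

With delay_reject=True the spam session is refused at RCPT by check_sender_access, producing the same shape of line Kirk pasted; with delay_reject=False it moves to MAIL FROM, which is as early as any sender check can go. The bandwidth Kirk worries about is the message body, and a reject at either point happens before DATA, so nothing is gained by turning delay_reject off and something is lost (less context in the log and for the policy daemon).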

Re: Bombarded With Spam

Kirk Bocek-2


On 9/27/2017 3:02 AM, Matus UHLAR - fantomas wrote:
>
> Looks like sender address rejection. the error message seems to be
> custom, which means you should search for check_sender_access in your
> config
> file.
>

Yes. Custom messages in sender_access

> you can't reject sender at HELO stage, because at that stage the
> sender is
> not known yet.

Well that answers that.

>
>> Second, this server is sitting behind a firewall (10.0.2.1). Is there
>> any way to get the sending IP address instead of the firewall?
>
> configure your firewall to do destination NAT, so you see the real
> source. Hiding real source causes big problems to spam detection.

Did some searching and I'm not finding this. I have been doing
masquerade for outbound connections. I never thought to do it on inbound
connections. I'm having trouble finding out how to do it on firewalld,
but I'll keep looking.