Spam Attack on my outgoing server


Spam Attack on my outgoing server

Damian Rivas
Hello everyone,

I have a Postfix box basically configured to send mail from my organization to the Internet. Today I received a warning message telling me that the mail queue was full.

It seems that some Spammer is using my server as an Open Relay, so I used the "check_sender_access" function to only allow my domains to send mail to the outside, but it is not working and I don't know what to do, perhaps you can give me some tips.

postconf -n output:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
mydestination =
mydomain = cht.com.ar
myhostname = xxx.cht.com.ar
mynetworks = 127.0.0.0/8, xxx.xx.xx.xx/29, xxx.xxx.xx.xx/29
myorigin = cht.com.ar
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = cht.com.ar, skalbue.com.ar, ci-educ.com.ar, hispanoamericana.com.ar, aaovyt.com.ar, consulthouse.travel, consul.travel
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, check_sender_access = hash:/etc/postfix/sender_map, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

sender_map:

cht.com.ar              OK
aaovyt.com.ar           OK
hispanoamericana.com.ar OK
cht.tur.ar              OK
consulthouse.travel     OK

If you need anything else, please let me know.

Regards.-

Damián

Re: Spam Attack on my outgoing server

brian moore-11
On Mon, 11 Jan 2010 15:27:05 -0300
"Damian Rivas" <[hidden email]> wrote:

> Hello everyone,
>
> I have a Postfix box basically configured to send mail from my organization to the Internet. Today I received a warning message telling me that the mail queue was full.
>
> It seems that some Spammer is using my server as an Open Relay, so I used the "check_sender_access" function to only allow my domains to send mail to the outside, but it is not working and I don't know what to do, perhaps you can give me some tips.


You seem to be allowing anyone forging one of your domains to relay.

That is not good.



> smtpd_sender_restrictions = permit_mynetworks,
   check_sender_access = hash:/etc/postfix/sender_map,
   reject_non_fqdn_sender, reject_unknown_sender_domain,   permit

That 'check_sender_access' is evil.  Please remove it.

Replace it with:
   reject_unauth_destination



Re: Spam Attack on my outgoing server

Brian Evans - Postfix List
In reply to this post by Damian Rivas
On 1/11/2010 1:27 PM, Damian Rivas wrote:
> Hello everyone,
>
> I have a Postfix box basically configured to send mail from my organization to the Internet. Today I received a warning message telling me that the mail queue was full.
>
> It seems that some Spammer is using my server as an Open Relay, so I used the "check_sender_access" function to only allow my domains to send mail to the outside, but it is not working and I don't know what to do, perhaps you can give me some tips.
>
>  

check_sender_access is not the right tool IMO.
Saying OK in the wrong place will make you an even bigger open relay.
Anyone could easily say they were "MAIL FROM" your domain with a simple
telnet or script.

What you really want is to enable SASL and tell your users to utilize it
to provide extra security while minimizing risk.
Bad/common passwords can still be guessed by spammers

See http://www.postfix.org/SASL_README.html for details.


Re: Spam Attack on my outgoing server

Noel Jones-2
In reply to this post by brian moore-11
On 1/11/2010 1:00 PM, brian moore wrote:

> On Mon, 11 Jan 2010 15:27:05 -0300
> "Damian Rivas"<[hidden email]>  wrote:
>
>> Hello everyone,
>>
>> I have a Postfix box basically configured to send mail from my organization to the Internet. Today I received a warning message telling me that the mail queue was full.
>>
>> It seems that some Spammer is using my server as an Open Relay, so I used the "check_sender_access" function to only allow my domains to send mail to the outside, but it is not working and I don't know what to do, perhaps you can give me some tips.
>
>
> You seem to be allowing anyone forging one of your domains to relay.
>
> That is not good.
>
>
>
>> smtpd_sender_restrictions = permit_mynetworks,
>     check_sender_access = hash:/etc/postfix/sender_map,
>     reject_non_fqdn_sender, reject_unknown_sender_domain,   permit
>
> That 'check_sender_access' is evil.  Please remove it.
>
> Replace it with:
>     reject_unauth_destination
>
>

Damian,

Please ignore the above bad advice.  An OK in
smtpd_sender_restrictions can not possibly make you an open
relay.  Likely it didn't work as expected because the mail
isn't submitted via SMTP.

Before you waste time on any other bad advice you may get,
examine your logs to see where the mail comes from.  Once you
know the problem, a solution is much easier.

Post logs here if you don't know how to evaluate them.

My wild guess is that you have an abused web form, but check
the logs before you go running around telling everyone your
web server is hacked.


   -- Noel Jones

Re: Spam Attack on my outgoing server

Noel Jones-2
In reply to this post by Brian Evans - Postfix List
On 1/11/2010 1:11 PM, Brian Evans - Postfix List wrote:

> On 1/11/2010 1:27 PM, Damian Rivas wrote:
>> Hello everyone,
>>
>> I have a Postfix box basically configured to send mail from my organization to the Internet. Today I received a warning message telling me that the mail queue was full.
>>
>> It seems that some Spammer is using my server as an Open Relay, so I used the "check_sender_access" function to only allow my domains to send mail to the outside, but it is not working and I don't know what to do, perhaps you can give me some tips.
>>
>>
>
> check_sender_access is not the right tool IMO.
> Saying OK in the wrong place will make you an even bigger open relay.
> Anyone could easily say they were "MAIL FROM" your domain with a simple
> telnet or script.

The OK in smtpd_sender_restrictions is fine, but probably
doesn't address the real problem.

At any rate, it would prevent the MTA from receiving any
outside mail.  That's OK if this is an outbound-only relay.

>
> What you really want is to enable SASL and tell your users to utilize it
> to provide extra security while minimizing risk.
> Bad/common passwords can still be guessed by spammers
>
> See http://www.postfix.org/SASL_README.html for details.
>

While SASL is generally a good idea, it probably doesn't
address the problem.


   -- Noel Jones

RE: Spam Attack on my outgoing server

Damian Rivas
In reply to this post by Noel Jones-2

>Damian,
>
>Please ignore the above bad advice.  An OK in
>smtpd_sender_restrictions can not possibly make you an open
>relay.  Likely it didn't work as expected because the mail
>isn't submitted via SMTP.

>Before you waste time on any other bad advice you may get,
>examine your logs to see where the mail comes from.  Once you
>know the problem, a solution is much easier.

>Post logs here if you don't know how to evaluate them.

>My wild guess is that you have an abused web form, but check
>the logs before you go running around telling everyone your
>web server is hacked.
>
>
>   -- Noel Jones
>

Thanks to everyone for your quick answers.

Noel, the problem is not my web server, or I guess it isn't; it's my
outgoing mail server that has the problem, and it is because I'm not
finding a way to properly check my valid senders.

In an incoming mail relay built on Postfix you can build a list of
valid recipients and reject the invalid ones. Isn't there a similar
option to validate senders? And is there a way to validate that the sender
has come out of my network? I was thinking of those two things to stop
this.

Anyway, I'm posting some logs from the mail queue:

----
Jan 11 16:42:43 impcht3 postfix/qmgr[29558]: DC2C94D86B:
from=<[hidden email]>, size=6006, nrcpt=1 (queue active)
Jan 11 16:42:43 impcht3 postfix/error[29904]: D1CD350F60:
to=<[hidden email]>, relay=none, delay=220465,
delays=220453/0.64/0/12, dsn=4.7.0, status=deferred (delivery
temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused
to talk to me: 421 4.7.0 [TS01] Messages from 200.55.14.253 temporarily
deferred due to user complaints - 4.16.55.1; see
http://postmaster.yahoo.com/421-ts01.html)
Jan 11 16:42:43 impcht3 postfix/error[30919]: DCEFB46E53:
to=<[hidden email]>, relay=none, delay=229978,
delays=229976/0.78/0/0.41, dsn=4.7.0, status=deferred (delivery
temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused
to talk to me: 421 4.7.0 [TS01] Messages from 200.55.14.253 temporarily
deferred due to user complaints - 4.16.55.1; see
http://postmaster.yahoo.com/421-ts01.html)
Jan 11 16:42:43 impcht3 postfix/error[30949]: D472A47F38:
to=<[hidden email]>, relay=none, delay=225147,
delays=225138/2.5/0/6.3, dsn=4.7.0, status=deferred (delivery
temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused
to talk to me: 421 4.7.0 [TS01] Messages from 200.55.14.253 temporarily
deferred due to user complaints - 4.16.55.1; see
http://postmaster.yahoo.com/421-ts01.html)
Jan 11 16:42:43 impcht3 postfix/error[30976]: D9875481D6:
to=<[hidden email]>, relay=none, delay=205984, delays=205980/3.5/0/0.49,
dsn=4.0.0, status=deferred (delivery temporarily suspended: host
msg.963.net[202.96.154.167] refused to talk to me: 554 IP is rejected:
188.)
Jan 11 16:42:43 impcht3 postfix/smtp[29668]: D89044B978: host
hrndva-smtpin01.mail.rr.com[71.74.56.243] refused to talk to me: 554
5.7.1 - ERROR: Mail refused - <200.55.14.253> - See
http://security.rr.com/cgi-bin/block-lookup?200.55.14.253
Jan 11 16:42:43 impcht3 postfix/error[30941]: D73DF58B14:
to=<[hidden email]>, relay=none, delay=165707, delays=165706/0.17/0/0.47,
dsn=4.0.0, status=deferred (delivery temporarily suspended: host
msg.963.net[202.96.154.167] refused to talk to me: 554 IP is rejected:
188.)
----

As you can see, Yahoo and some others have already blocked my IP and
that mail address [hidden email] has filled up my mail queue not only with
mails sent but also with bounces.

Just ask if you want to know anything else.

Regards,
Damian




Re: Spam Attack on my outgoing server

/dev/rob0
In reply to this post by Damian Rivas
On Mon, Jan 11, 2010 at 03:27:05PM -0300, Damian Rivas wrote:
> I have a Postfix box basically configured to send mail from my
> organization to the Internet. Today I received a warning message
> telling me that the mail queue was full.

Who/what sent you that warning?

> It seems that some Spammer is using my server as an Open Relay, so
> I used the "check_sender_access" function to only allow my domains
> to send mail to the outside, but it is not working and I don't know
> what to do, perhaps you can give me some tips.

No evidence below suggests that you might be an open relay. LOGS!

> Postconf -n output:

> mynetworks = 127.0.0.0/8, xxx.xx.xx.xx/29, xxx.xxx.xx.xx/29

These are the hosts allowed to relay. Don't mung the IP addresses.
They can probably be looked up anyway, using the domain names that
weren't hidden (good).

> relay_domains = cht.com.ar, skalbue.com.ar, ci-educ.com.ar,
> hispanoamericana.com.ar, aaovyt.com.ar, consulthouse.travel,
> consul.travel

If this is outgoing only, why are there relay_domains?

> smtpd_sender_restrictions = permit_mynetworks, check_sender_access
> = hash :/etc/postfix/sender_map, reject_non_fqdn_sender,
> reject_unknown_sender_domain, permit

The second "=" is not correct syntax. Except for the two reject_*
restrictions, this stage does nothing. And as documented, it CANNOT
permit relaying; this is controlled only in
smtpd_recipient_restrictions.

> sender_map:
>
> cht.com.ar              OK
> aaovyt.com.ar           OK
> hispanoamericana.com.ar OK
> cht.tur.ar              OK
> consulthouse.travel     OK
>
> If you need anything else, please let me know.

A cup of tea, please. :)

YOU need to stop the spam, and if you need help in determining how
your system was allowing it, please see:
    http://www.postfix.org/DEBUG_README.html#mail
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Spam Attack on my outgoing server

/dev/rob0
In reply to this post by Damian Rivas
On Mon, Jan 11, 2010 at 04:44:23PM -0300, Damian Rivas wrote:
Noel Jones
> >Post logs here if you don't know how to evaluate them.
>
> >My wild guess is that you have an abused web form, but check
> >the logs before you go running around telling everyone your
> >web server is hacked.
>
> Noel, it's not my web server the problem, or I guess it isn't, it's
> my outgoing mail server that has the problem and it is because I'm
> not finding a way to properly check my valid senders.

Your guess is not correct. The logs we would need to see are ones
where suspected spam arrives. You showed the ones going out, not
useful at all.

> In an incoming mail relay built on Postfix you can build a list of
> valid recipients and reject the invalid ones. Isn't there a similar
> option to validate senders?

Yes, but this is not the problem you are seeing.

> And is there a way to validate that the sender has come out of my
> network? I was thinking in those two things to stop this.

This is Postfix default behavior.
 
> Anyway, I'm posting some logs from the mailqueue:
>
> ----
> Jan 11 16:42:43 impcht3 postfix/qmgr[29558]: DC2C94D86B:
> from=<[hidden email]>, size=6006, nrcpt=1 (queue active)

Do you suspect this one is spam? Find when queue ID DC2C94D86B first
appeared in your logs, and the correlated smtpd "Connect from" line
which preceded it, or postfix/pickup line if Noel's guess was right
(I bet it was.) Repeat for one or two other suspects. Post results.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Spam Attack on my outgoing server

Noel Jones-2
In reply to this post by Damian Rivas
On 1/11/2010 1:44 PM, Damian Rivas wrote:

>
>> Damian,
>>
>> Please ignore the above bad advice.  An OK in
>> smtpd_sender_restrictions can not possibly make you an open
>> relay.  Likely it didn't work as expected because the mail
>> isn't submitted via SMTP.
>
>> Before you waste time on any other bad advice you may get,
>> examine your logs to see where the mail comes from.  Once you
>> know the problem, a solution is much easier.
>
>> Post logs here if you don't know how to evaluate them.
>
>> My wild guess is that you have an abused web form, but check
>> the logs before you go running around telling everyone your
>> web server is hacked.
>>
>>
>>    -- Noel Jones
>>
>
> Thanks to everyone for your quick answers.
>
> Noel, it's not my web server the problem, or I guess it isn't, it's my
> outgoing mail server that has the problem and it is because I'm not
> finding a way to properly check my valid senders.
>
> In an incoming mail relay built on Postfix you can build a list of
> valid recipients and reject the invalid ones. Isn't there a similar
> option to validate senders? And is there a way to validate that the sender
> has come out from my network? I was thinking in those two things to stop
> this.
>
> Anyway, I'm posting some logs from the mailqueue:
>

You need to show where the mail ENTERS postfix.  These will be
logged as "postfix/smtpd" for SMTP mail, or "postfix/pickup"
for command-line mail.

To limit valid SMTP senders, you can use check_sender_access.
Your "postconf -n" output looked a little odd, maybe your
syntax is wrong or maybe the mail didn't arrive via SMTP.

The logs will show where the mail arrived from.  Kill the spam
at the source as shown in the logs.  Forcing your local domain
as sender will just encourage the spammer to use your own
domain, further damaging your reputation.

> smtpd_sender_restrictions = permit_mynetworks, check_sender_access = hash:/etc/postfix/sender_map, reject_non_fqdn_sender, reject_unknown_sender_domain, permit

Assuming this is an outbound-only relay, and valid senders are
listed in sender_map, your smtpd_sender_restrictions should
look like:
smtpd_sender_restrictions =
   check_sender_access hash:/etc/postfix/sender_map,
   reject


   -- Noel Jones
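Both rob0 (find the first log line for a suspect queue ID and the smtpd or pickup line that goes with it) and Noel (mail enters as "postfix/smtpd" over SMTP or as "postfix/pickup" from the command line) describe the same triage. The script below is an added example, not code from the thread or from Postfix, that does that triage mechanically over a few constructed log lines. The host name ns1.cht.com.ar, the address 200.55.14.250 and the queue ID DC2C94D86B are taken from the thread; every other host, address, PID and queue ID in the sample is made up. It keys on smtpd's "QUEUEID: client=name[ip]" line and pickup's "QUEUEID: uid=N from=<...>" line, and takes the envelope sender from qmgr's "from=<...>" line.

```python
import re
from collections import Counter

# Constructed sample log (not copied from the thread). ns1.cht.com.ar,
# 200.55.14.250 and DC2C94D86B appear in the thread; the rest is made up.
SAMPLE_LOG = """\
Jan 11 16:42:40 impcht3 postfix/smtpd[29600]: connect from ns1.cht.com.ar[200.55.14.250]
Jan 11 16:42:40 impcht3 postfix/smtpd[29600]: DC2C94D86B: client=ns1.cht.com.ar[200.55.14.250]
Jan 11 16:42:41 impcht3 postfix/cleanup[29601]: DC2C94D86B: message-id=<constructed-1@example.invalid>
Jan 11 16:42:43 impcht3 postfix/qmgr[29558]: DC2C94D86B: from=<bulk@example.invalid>, size=6006, nrcpt=1 (queue active)
Jan 11 16:42:44 impcht3 postfix/smtpd[29600]: disconnect from ns1.cht.com.ar[200.55.14.250]
Jan 11 16:43:01 impcht3 postfix/pickup[29700]: 1A2B3C4D5E: uid=48 from=<apache@impcht3.cht.com.ar>
Jan 11 16:43:01 impcht3 postfix/qmgr[29558]: 1A2B3C4D5E: from=<apache@impcht3.cht.com.ar>, size=1200, nrcpt=1 (queue active)
Jan 11 16:43:10 impcht3 postfix/smtpd[29610]: connect from ns1.cht.com.ar[200.55.14.250]
Jan 11 16:43:10 impcht3 postfix/smtpd[29610]: F0E1D2C3B4: client=ns1.cht.com.ar[200.55.14.250]
Jan 11 16:43:11 impcht3 postfix/qmgr[29558]: F0E1D2C3B4: from=<bulk@example.invalid>, size=5980, nrcpt=1 (queue active)
Jan 11 16:43:20 impcht3 postfix/smtpd[29620]: connect from mail.skalbue.com.ar[190.210.52.90]
Jan 11 16:43:20 impcht3 postfix/smtpd[29620]: 0011223344: client=mail.skalbue.com.ar[190.210.52.90]
Jan 11 16:43:21 impcht3 postfix/qmgr[29558]: 0011223344: from=<user@skalbue.com.ar>, size=3000, nrcpt=1 (queue active)
"""

# syslog prefix: timestamp, host, "postfix/<daemon>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Short-form queue IDs are upper-case hex; widen this if enable_long_queue_ids is set.
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{8,12}): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"^client=(?P<name>\S+?)\[(?P<ip>[^\]]+)\]")
PICKUP_RE = re.compile(r"^uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
QMGR_FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=\d+")


def parse_lines(lines):
    """Yield (timestamp, daemon, pid, queue_id, rest) for lines that carry a queue ID."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QID_RE.match(m["msg"])
        if q:
            yield m["ts"], m["prog"], m["pid"], q["qid"], q["rest"]


def trace_entry_points(lines):
    """Map each queue ID to where the message entered Postfix.

    entry is "smtpd" (received over SMTP; source is the connecting
    client name[ip]) or "pickup" (injected locally through sendmail(1);
    source is the submitting uid). sender is the envelope sender.
    """
    entries = {}
    for ts, prog, pid, qid, rest in parse_lines(lines):
        rec = entries.setdefault(
            qid, {"first_seen": ts, "entry": None, "source": None, "sender": None})
        if prog == "smtpd":
            c = CLIENT_RE.match(rest)
            if c:
                rec["entry"] = "smtpd"
                rec["source"] = f"{c['name']}[{c['ip']}]"
        elif prog == "pickup":
            p = PICKUP_RE.match(rest)
            if p:
                rec["entry"] = "pickup"
                rec["source"] = f"uid={p['uid']}"
                rec["sender"] = p["sender"]
        elif prog == "qmgr":
            f = QMGR_FROM_RE.match(rest)
            if f:
                rec["sender"] = f["sender"]
    return entries


def messages_per_source(entries):
    """Count queued messages by (entry kind, source)."""
    return Counter((r["entry"], r["source"]) for r in entries.values() if r["entry"])


def sources_for_sender(entries, sender):
    """Count the entry points used by messages with the given envelope sender."""
    return Counter((r["entry"], r["source"])
                   for r in entries.values() if r["sender"] == sender)


if __name__ == "__main__":
    entries = trace_entry_points(SAMPLE_LOG.splitlines())
    for qid, rec in entries.items():
        print(f"{qid}: first seen {rec['first_seen']}, entry={rec['entry']}, "
              f"source={rec['source']}, sender=<{rec['sender']}>")
    print("messages per entry point:", dict(messages_per_source(entries)))
    print("entry points used by <bulk@example.invalid>:",
          dict(sources_for_sender(entries, "bulk@example.invalid")))
```

Run against a real mail log, the "messages per entry point" count is the answer to Noel's question: a flood of queue IDs whose entry is "smtpd" from one client, as in the sample, points at that host (here the gateway ns1.cht.com.ar), while a flood whose entry is "pickup" under the web server's uid points at a local script or abused form. The "connect from" line rob0 mentions carries the same name[ip] as the client= line and shares the smtpd PID, so the client= line is the shorter route to the same fact.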

RE: Spam Attack on my outgoing server

Damian Rivas
In reply to this post by /dev/rob0


>From: [hidden email] [mailto:owner-postfix->[hidden email]] On behalf of /dev/rob0
>Sent: Monday, 11 January 2010 16:50
>To: [hidden email]
>Subject: Re: Spam Attack on my outgoing server

>>On Mon, Jan 11, 2010 at 03:27:05PM -0300, Damian Rivas wrote:
>> I have a Postfix box basically configured to send mail from my
>> organization to the Internet. Today I received a warning message
>> telling me that the mail queue was full.

>Who/what sent you that warning?

My apologies, I haven't expressed myself correctly. What I received was a Postfix message telling me that the hard disk was full (it is a small 4GB disk). When I checked the queue a bit, I saw I was being bombarded by this [hidden email] guy; I had thousands of deferred mails from this address.
There were also some mails like "[hidden email]", the guy has some nice humour after all, he he. Other messages were from the null sender <>, just bounces to [hidden email].

Now the address has changed to [hidden email].

>> It seems that some Spammer is using my server as an Open Relay, so
>> I used the "check_sender_access" function to only allow my domains
>> to send mail to the outside, but it is not working and I don't know
>> what to do, perhaps you can give me some tips.

>No evidence below suggests that you might be an open relay. LOGS!

>> Postconf -n output:

>> mynetworks = 127.0.0.0/8, 200.55.14.248/29, 190.210.52.88/29

>These are the hosts allowed to relay. Don't mung the IP addresses.
>They can probably be looked up anyway, using the domain names that
>weren't hidden (good).

Yeah you are totally right, I'm a bit silly today, sorry about that.

>> relay_domains = cht.com.ar, skalbue.com.ar, ci-educ.com.ar,
>> hispanoamericana.com.ar, aaovyt.com.ar, consulthouse.travel,
>> consul.travel

>If this is outgoing only, why are there relay_domains?

That's because I was copying a config file from another postfix server (for relaying incoming mail) to rewrite this one, but I was in a rush because of the situation and I forgot to remove that line. Same as before, I'm totally dumb today.

>> smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>> = hash :/etc/postfix/sender_map, reject_non_fqdn_sender,
>> reject_unknown_sender_domain, permit

>The second "=" is not correct syntax. Except for the two reject_*
>restrictions, this stage does nothing. And as documented, it CANNOT
>permit relaying; this is controlled only in
>smtpd_recipient_restrictions .

I took a very quick and bad guess at what was really happening. I knew it was impossible to be an open relay, but when I found no clues I didn't know what to think. Probably it's because it's Monday and I'm taking vacations next week, so my mind is in another place.

Noel suggested a problem with the web server, a vulnerable form. I talked with the webmaster and he told me that the forms are possibly insecure, but I was also told that the web site was down during the weekend AND the mailing issue started during the weekend. Well, it could be a coincidence or not, gotta check.

I started to search the web access logs; there was no trace of the spammer IP during the weekend. So there was no evidence pointing to a problem on the web server. Time to get back to Postfix.

I have corrected the main.cf to adapt it to what Noel suggested. Until that moment I was not receiving any postfix/smtpd message in the logs, but after that they started to appear "magically" and I discovered something interesting.

All incoming mail seems to come from ns1.cht.com.ar, which is a gateway for the internal mail server; this is, by the way, where they are normally sent from. There were no smtpd outputs before because the spam was cycling and there was no room for any new mail. (I deleted all the spammer mails; of course they keep coming.)

I have checked the internal mail server today and there were no clues to point out that spam was generated inside and sent to the Postfix box.
But now, at this precise moment, I'm watching a lot of junk being generated on the server so, there is the source of the problem, I have a worm on my internal web server, no postfix issue.

Thank you all for your help, I'm going to solve this now.

Regards.-
Damián



Re: Spam Attack on my outgoing server

/dev/rob0
On Mon, Jan 11, 2010 at 06:15:21PM -0300, Damian Rivas wrote:
> >> mynetworks = 127.0.0.0/8, 200.55.14.248/29, 190.210.52.88/29
>
> >These are the hosts allowed to relay. Don't mung the IP addresses.
snip

> All incoming mail seems to come from ns1.cht.com.ar, which is a
> gateway for the internal mail server, this is by the way, where

ns1.cht.com.ar.         3600    IN      A       200.55.14.250

Indeed, this host is in your $mynetworks. Exclude it using the "!"
syntax, see example at postconf.5.html#mynetworks.

> they are normally sent. There were no smtpd outputs before because
> the Spam was cycling and there was no room for any new mail. (I
> deleted all the spammer mails, of course they keep coming).

Stop this at once! The ongoing abuse has probably gotten you
blacklisted. The sooner you stop it, the better your chances of
repairing the damage.

> But now, at this precise moment, I'm watching a lot of junk being
> generated on the server so, there is the source of the problem, I
> have a worm on my internal web server, no postfix issue.

Another possibility, as you mentioned that this is the gateway for
Postfix, is that it has a misconfigured firewall that is doing both
source and destination NAT of port 25 to your Postfix. I just tested
this, and was unable to connect to 200.55.14.250:25, so if that was
the case, it is probably fixed now.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
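The thread's configuration advice assembled into one annotated main.cf fragment: rob0's "!" exclusion in mynetworks, the relay_domains line Damian said he forgot to remove, relay control in smtpd_recipient_restrictions (where rob0 says it lives, using the reject_unauth_destination brian moore named), and Noel's two-line smtpd_sender_restrictions for an outbound-only relay. This is an added example, not a file from the thread or from the Postfix documentation; the network values are the ones Damian posted, and which hosts actually belong in mynetworks is a decision for his network, not something this fragment settles.

```conf
# /etc/postfix/main.cf fragment for an outbound-only relay (added example)

# Hosts allowed to relay. "!pattern" excludes one address from a block
# that is otherwise permitted; patterns are tried in order, so the
# exclusion is listed before the /29 it carves out. This is the
# exclusion rob0 suggested for ns1.cht.com.ar (200.55.14.250).
mynetworks = 127.0.0.0/8, !200.55.14.250, 200.55.14.248/29, 190.210.52.88/29

# Outbound only: this host is not an inbound relay for any domain
# (the copied-over relay_domains line Damian forgot to remove).
relay_domains =

# Relaying is decided here, not in smtpd_sender_restrictions:
# local networks may relay anywhere, everyone else only to our own
# domains (of which, with empty mydestination and relay_domains,
# there are none).
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Noel's version: only envelope senders listed in sender_map may
# submit; everything else is rejected. Note the syntax: the table
# follows the restriction name directly, with no "=" between them
# (the extra "=" in Damian's postconf -n output is what rob0 flagged).
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_map,
    reject
```

The hash: table is read from the compiled sender_map.db, so after editing /etc/postfix/sender_map run `postmap /etc/postfix/sender_map`, and after editing main.cf run `postfix reload`; otherwise the running daemons keep the old rules and the logs will look as if the change had no effect.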

RE: Spam Attack on my outgoing server

Damian Rivas
>>>On Mon, Jan 11, 2010 at 06:15:21PM -0300, Damian Rivas wrote:
> >> mynetworks = 127.0.0.0/8, 200.55.14.248/29, 190.210.52.88/29
>
> >These are the hosts allowed to relay. Don't mung the IP addresses.
snip

>> All incoming mail seems to come from ns1.cht.com.ar, which is a
>> gateway for the internal mail server, this is by the way, where

>ns1.cht.com.ar.         3600    IN      A       200.55.14.250

>Indeed, this host is in your $mynetworks. Exclude it using the "!"
>syntax, see example at postconf.5.html#mynetworks .

I cannot exclude that address; it is one of the two gateways the users in the organization use. I fixed the problem with another solution.

>> they are normally sent. There were no smtpd outputs before because
>> the Spam was cycling and there was no room for any new mail. (I
>> deleted all the spammer mails, of course they keep coming).

>Stop this at once! The ongoing abuse has probably gotten you
>blacklisted. The sooner you stop it, the better your chances of
>repairing the damage.

Yeah, yesterday I immediately stopped the Postfix system as well as the internal server's outgoing queue while searching for a way to get out of that situation. Fortunately we were apparently only banned by Yahoo!, gotta check Hotmail. I've checked the host's IP on mxtoolbox today and we were not blacklisted anywhere. Luckily it was not harmful enough to rot the host. :)

>> But now, at this precise moment, I'm watching a lot of junk being
>> generated on the server so, there is the source of the problem, I
>> have a worm on my internal web server, no postfix issue.

>Another possibility, as you mentioned that this is the gateway for
>Postfix, is that it has a misconfigured firewall that is doing both
>source and destination NAT of port 25 to your Postfix. I just tested
>this, and was unable to connect to 200.55.14.250:25, so if that was
>the case, it is probably fixed now.

Yeah, I've figured out that the problem was a Firewall vulnerability issue, port 25 was open to anyone. I've fixed that and problem solved!

Thanks to you all for your help and my apologies because it was not a Postfix issue at all,
Regards,
Damián

Re: Spam Attack on my outgoing server

/dev/rob0
On Tue, Jan 12, 2010 at 11:50:19AM -0300, Damian Rivas wrote:
> >Another possibility, as you mentioned that this is the gateway for
> >Postfix, is that it has a misconfigured firewall that is doing
> >both source and destination NAT of port 25 to your Postfix. I just
> >tested this, and was unable to connect to 200.55.14.250:25, so if
> >that was the case, it is probably fixed now.
>
> Yeah, I've figured out that the problem was a Firewall
> vulnerability issue, port 25 was open to anyone. I've fixed that
> and problem solved!

Ha! Good work. You read the logs, identified and fixed the problem,
without waiting to be given the answer.

> Thanks to you all for your help and my apologies because it was not
> a Postfix issue at all,

No problem, I'm glad you caught it and got it fixed quickly. It's a
pleasure to help those who are working to help themselves.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Spam Attack on my outgoing server

Terry Carmen
In reply to this post by Damian Rivas
On 01/12/2010 09:50 AM, Damian Rivas wrote:
> Yeah, I've figured out that the problem was a Firewall vulnerability issue, port 25 was open to anyone. I've fixed that and problem solved!
>
> Thanks to you all for your help and my apologies because it was not a Postfix issue at all,

Don't feel bad.  It's almost never a postfix issue.

Terry