Hello,
yesterday, over roughly 45 minutes, mails came in again and were partly
rejected as spam.
When this happened the first time, I followed Uwe's advice and changed my
main.cf like this:
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_use_pw_server = yes
# with greylisting
#smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
#    reject_unauth_destination check_policy_service unix:private/policy permit
# without greylisting
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    permit_tls_clientcerts
    check_sender_access hash:/etc/postfix/whitelist
    reject_non_fqdn_hostname
    reject_unknown_reverse_client_hostname
    reject_unauth_destination
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client zen.spamhaus.org
smtpd_pw_server_security_options = login,gssapi,cram-md5
data_directory = /var/lib/postfix
smtpd_client_restrictions =
smtpd_sender_restrictions =
    check_sender_access regexp:/etc/postfix/tag_as_originating.re
    permit_mynetworks
    permit_sasl_authenticated
    permit_tls_clientcerts
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_data_restrictions = reject_unauth_pipelining
mydestination = $myhostname, localhost.$mydomain, localhost, mail.$mydomain,
    liste.$mydomain, $mydomain
virtual_transport = virtual
The mails arrive here with sasl_username=ftp. Mail is not enabled for the
(system user) ftp.
The mail looks like this:
Content type: Spam
Internal reference code for the message is 20536-07/3+yiMXOQhcE5
First upstream SMTP client IP address: [65.200.13.203]
According to a 'Received:' trace, the message apparently originated at:
[17.45.146.70], nico-lae.qr.32.de [17.45.146.70]
Return-Path: <[email protected]>
From:
co-operative-bank-p.l.c.uk....@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk
Message-ID:
<[email protected]....@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
X-Mailer: Stylatule-decouvrez 6.4
Subject: IMPORTANT SECURITY ISSUES [INCIDENT 462376-xz-46 ]
Not quarantined.
The message WAS NOT relayed to:
<[email protected]>:
250 2.7.0 Ok, discarded, id=20536-07 - SPAM
SpamAssassin report:
Spam detection software, running on the system "mcgregor.admilon.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
[email protected] for details.
Content preview: ACCESS TO YOUR ACCOUNT HAS BEEN TEMPORARILY SUSPENDED. The
reason for this issue: - UNUSUAL NUMBER OF INVALID LOGIN ATTEMPTS ON YOUR
ACCOUNT To restore your account, please click below: [...]
Content analysis details: (13.0 points, 25.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
0.9 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
2.4 TVD_PH_BODY_ACCOUNTS_PRE BODY: TVD_PH_BODY_ACCOUNTS_PRE
-0.0 BAYES_40 BODY: Bayes spam probability is 20 to 40%
[score: 0.3950]
1.5 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
0.3 HTML_MESSAGE BODY: HTML included in message
0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
4.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 TO_EQ_FM_HTML_ONLY To == From and HTML only
0.0 TO_NO_BRKTS_NORDNS_HTML TO_NO_BRKTS_NORDNS_HTML
Return-Path: <[email protected]>
Received: from [128.2.1.64] (unknown [65.200.13.203])
by mcgregor.admilon.net (Postfix) with ESMTPA id 25AF01DBA536
for <[email protected]>; Mon, 17 Sep 2012 22:22:07 +0900 (JST)
X-TM-AS-Result: No--7.291-5.0-31-1
X-Recommended-Action: accept
X-IronPort-AV: E=Sophos;i="4.80,368,1344186000";
X-Envelope-From: [email protected]
Content-type: text/html
X-Proofpoint-Spam-Details: rule=notspam policy=default score=11 spamscore=11
suspectscore=3
X-SpamExpertAristo-Outgoing-Evidence: Combined (0.24)
X-SpamExpertAristo-Username: 61.8.92.97
X-Mailer: Stylatule-decouvrez 6.4
To: [email protected]
Date: Mon, 17 Sep 2012 13:22:08 GMT
X-Barracuda-Start-Time: 135755806806600
Subject: IMPORTANT SECURITY ISSUES [INCIDENT 462376-xz-46 ]
X-Copfilter-Virus-Scanned: ClamAV 0.684.2
Received: from nico-lae.qr.32.de ([17.45.146.70]) by ghs-fw (Copfilter
0.84beta4)
X-IronPort-Anti-Spam-Filtered: true
From:
co-operative-bank-p.l.c.uk....@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk
X-Filter-ID:
XtLePq6GTMn8G68F0comdleehesxkccwnpq66380849601991cmBIW/8OODKS1A/6t51a7Dur
X-Filtered-With: Copfilter Version 0.84beta4 (ProxSMTP 1.8)
X-Proofpoint-Virus-Version: vendor=fsecure
engine=2.50.10432:5.7.7855,1.0.431,0.0.000
X-OriginalArrivalTime: 04 Sep 2012 16:53:23.0515 (UTC)
FILETIME=[CBBBD8B0:01CD8ABD]
X-SpamExpertAristo-Domain: joomlabouwer.nl
Message-ID:
<[email protected]....@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
X-Originating-IP: 61.8.92.97
X-imss-scan-details: No--7.291-5.0-31-1
X-Copfilter-Originating-IP: 89.105.199.76
X-SpamExpertAristo-Outgoing-Class: ham
X-TM-IMSS-Message-ID: <[email protected]>
X-IronPort-Anti-Spam-Result: tc597710475692009648zbf1847zhfdijebku$
X-TM-AS-Product-Ver: IMSS-7.0.0.6126-6.8.0.1017-19162.000
Authentication-Results: aristo-internet.nl;auth=pass () smtp.auth=61.8.92.97
Content-Transfer-Encoding: 7bit
In the log it looks like this:
Sep 17 22:22:05 mcgregor postfix/smtpd[20603]: connect from
unknown[65.200.13.203]
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: NOQUEUE: filter: RCPT from
unknown[65.200.13.203]: <[email protected]>: Sender address triggers FILTER
smtp-amavis:[127.0.0.1]:10026; from=<[email protected]>
to=<[email protected]> proto=ESMTP helo=<[128.2.1.64]>
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: 25AF01DBA536:
client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:22:17 mcgregor postfix/cleanup[20650]: 25AF01DBA536:
message-id=<[email protected]....@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
Sep 17 22:22:17 mcgregor postfix/qmgr[505]: 25AF01DBA536:
from=<[email protected]>, size=3817, nrcpt=1 (queue active)
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-06) loaded policy bank
"ORIGINATING"
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-06) process_request: fileno
sock=12, STDIN=0, STDOUT=1
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ESMTP::10026
/var/amavis/tmp/amavis-20120917T221431-20536: <[email protected]> ->
<[email protected]> Received: from mcgregor.admilon.net ([127.0.0.1]) by
localhost (mcgregor.admilon.net [127.0.0.1]) (amavisd-new, port 10026) with
ESMTP for <[email protected]>; Mon, 17 Sep 2012 22:22:17 +0900 (JST)
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) smtp connection cache, dt:
85.1, state: 0
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) body hash:
b55bb74e4d5c950db7ed42aa282aa202
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) Checking: 3+yiMXOQhcE5
ORIGINATING [65.200.13.203] <[email protected]> -> <[email protected]>
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) 2822.From:
<co-operative-bank-p.l.c.uk....@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk>,
2821.Mail_From: <[email protected]>
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) p001 1 Content-Type:
text/html, size: 1755 B, name:
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) Checking for banned types
and filenames
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) INFO: unknown banned table
name ALT-RULES, [email protected]
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) collect banned table[0]:
[email protected], tables:
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) p.path [email protected]:
"P=p001,L=1,M=text/html,T=html"
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ask_av Using (ClamAV-clamd):
CONTSCAN /var/amavis/tmp/amavis-20120917T221431-20536/parts\n
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ClamAV-clamd: Connecting to
socket /var/amavis/clamd
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ClamAV-clamd: Sending
CONTSCAN /var/amavis/tmp/amavis-20120917T221431-20536/parts\n to UNIX socket
/var/amavis/clamd
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) run_av (ClamAV-clamd): CLEAN
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) run_av (ClamAV-clamd)
result: clean
Sep 17 22:22:18 mcgregor postfix/smtpd[20603]: disconnect from
unknown[65.200.13.203]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) spam_scan: score=13.043
autolearn=no
tests=[BAYES_40=-0.001,DKIM_ADSP_NXDOMAIN=0.9,HTML_IMAGE_ONLY_20=1.546,HTML_MESSAGE=0.3,MIME_HTML_ONLY=0.723,MSGID_MULTIPLE_AT=0.001,RAZOR2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.886,RAZOR2_CHECK=4,RDNS_NONE=0.793,TO_EQ_FM_HTML_ONLY=0.001,TO_NO_BRKTS_NORDNS_HTML=0.001,TVD_PH_BODY_ACCOUNTS_PRE=2.393]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) blocking contents category
is (6) for [email protected]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) do_notify_and_quar:
ccat=Spam (6,0) ("6":Spam, "5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll)
ccat_block=(6), qar_mth=
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) skip local delivery(3): <>
-> <spam-quarantine>
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) SPAM, <[email protected]>
-> <[email protected]>, Yes, score=13.043 tag=-999 tag2=7 kill=12
tests=[BAYES_40=-0.001, DKIM_ADSP_NXDOMAIN=0.9, HTML_IMAGE_ONLY_20=1.546,
HTML_MESSAGE=0.3, MIME_HTML_ONLY=0.723, MSGID_MULTIPLE_AT=0.001,
RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=4,
RDNS_NONE=0.793, TO_EQ_FM_HTML_ONLY=0.001, TO_NO_BRKTS_NORDNS_HTML=0.001,
TVD_PH_BODY_ACCOUNTS_PRE=2.393] autolearn=no, quarantine 3+yiMXOQhcE5
(spam-quarantine)
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) dkim: candidate originators:
2822.From:<[email protected]>, 2821.mail_from:<[email protected]>
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) dkim: signing (author),
From: <[email protected]>, KEY.key_ind=>0, a=>rsa-sha256,
c=>relaxed/simple, d=>admilon.net, s=>default, ttl=>1814400, x=>1349702537.86839
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp session: setting up a
new session
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp creating socket by
IO::Socket::INET to [127.0.0.1]:10027
Sep 17 22:22:23 mcgregor postfix/smtpd[20578]: connect from localhost[127.0.0.1]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to greeting: 220
mcgregor.admilon.net ESMTP Postfix
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> EHLO localhost
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to EHLO: 250
mcgregor.admilon.net\nPIPELINING\nSIZE 41943040\nVRFY\nETRN\nAUTH LOGIN
CRAM-MD5 GSSAPI\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) AUTH not needed, user='',
MTA offers 'LOGIN CRAM-MD5 GSSAPI'
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> MAIL
FROM:<[email protected]> [email protected]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> RCPT
TO:<[email protected]>
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> DATA
Sep 17 22:22:23 mcgregor postfix/smtpd[20578]: E8B861DBA541:
client=localhost[127.0.0.1]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to MAIL (pip): 250
2.1.0 Ok
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to RCPT (pip)
(<[email protected]>): 250 2.1.5 Ok
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to DATA: 354 End
data with <CR><LF>.<CR><LF>
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> QUIT
So there is still a hole somewhere; which knob do I have to turn to put a
stop to it?
Thanks and regards
Matthias
_______________________________________________
postfix-users mailing list
[email protected]
http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
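What the trace in the post shows is not a gap in the restriction lists but a successful SMTP AUTH (CRAM-MD5, sasl_username=ftp) from a client with no reverse DNS: permit_sasl_authenticated is the first entry in smtpd_recipient_restrictions and does exactly what it says, so whoever is sending evidently knows the ftp account's password. The script below is an added example, not code from the original post, from Postfix or from amavisd-new. It pulls those signals out of Postfix log lines: it joins each smtpd client/AUTH line to the preceding NOQUEUE FILTER line of the same smtpd process (for HELO and envelope sender) and flags a login by a system account, a client without rDNS, a HELO address literal that is not the connecting IP, a MAIL FROM the login does not own (a model of what reject_sender_login_mismatch with smtpd_sender_login_maps enforces, not Postfix's own code), and one credential used from several hosts inside a 45-minute window. SAMPLE_LOG is constructed after the shape of the quoted lines (example.com/example.net addresses, the second and third sessions and the login "matthias" are invented); SYSTEM_ACCOUNTS and ALLOWED_SENDERS are an assumed policy.

```python
"""Flag abuse of SMTP AUTH in Postfix smtpd log lines.

Added example, not code from the original post, from Postfix or amavisd-new.
SAMPLE_LOG is constructed after the lines quoted in the post (addresses, the
second and third session and the login "matthias" are invented);
SYSTEM_ACCOUNTS and ALLOWED_SENDERS are an assumed policy.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Logins that belong to daemons, never to a mail user (assumed list): a
# successful AUTH with one of these means its password is known to an outsider.
SYSTEM_ACCOUNTS = {"ftp", "www", "daemon", "nobody", "_postfix"}
# Assumed policy in the spirit of smtpd_sender_login_maps: login -> the MAIL FROM
# addresses it owns; "@domain" stands for every address in that domain.
ALLOWED_SENDERS = {"matthias": {"matthias@example.net", "@lists.example.net"}}

SAMPLE_LOG = """\
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: NOQUEUE: filter: RCPT from unknown[65.200.13.203]: <info@example.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<alerts@bank-alert.example.com> to=<info@example.net> proto=ESMTP helo=<[128.2.1.64]>
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: 25AF01DBA536: client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:40:02 mcgregor postfix/smtpd[20611]: NOQUEUE: filter: RCPT from unknown[198.51.100.7]: <info@example.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<alerts@bank-alert.example.com> to=<info@example.net> proto=ESMTP helo=<[10.9.8.7]>
Sep 17 22:40:02 mcgregor postfix/smtpd[20611]: 3C0F01DBA550: client=unknown[198.51.100.7], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:41:30 mcgregor postfix/smtpd[20612]: NOQUEUE: filter: RCPT from office.example.net[192.0.2.10]: <info@example.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<matthias@example.net> to=<info@example.net> proto=ESMTP helo=<office.example.net>
Sep 17 22:41:30 mcgregor postfix/smtpd[20612]: 4D1A01DBA560: client=office.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=matthias
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
FILTER_RE = re.compile(TS + r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: filter: RCPT from "
                       r"\S+: .*? from=<(?P<sender>[^>]*)> to=<[^>]*> proto=\S+ helo=<(?P<helo>[^>]*)>")
CLIENT_RE = re.compile(TS + r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): "
                       r"client=(?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\]"
                       r"(?:, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>[^,\s]+))?")
LITERAL_RE = re.compile(r"^\[([^\]]+)\]$")  # HELO given as an address literal


def parse_ts(ts, year):
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S").replace(year=year)


def parse_sessions(log_text, year=2012):
    """One record per authenticated session: the smtpd client line is joined to
    the preceding FILTER line of the same smtpd pid for HELO and MAIL FROM."""
    pending, sessions = {}, []
    for line in log_text.splitlines():
        if (m := FILTER_RE.match(line)):
            pending[m["pid"]] = (m["sender"], m["helo"])
        elif (m := CLIENT_RE.match(line)) and m["user"]:
            sender, helo = pending.pop(m["pid"], (None, None))
            sessions.append({"time": parse_ts(m["ts"], year), "qid": m["qid"],
                             "ip": m["ip"], "rdns": m["rdns"], "method": m["method"],
                             "user": m["user"], "sender": sender, "helo": helo})
    return sessions


def sender_allowed(user, sender):
    """Model of reject_sender_login_mismatch for an authenticated client: the
    login must own the MAIL FROM address, exactly or via its whole domain."""
    allowed = {a.lower() for a in ALLOWED_SENDERS.get(user, ())}
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[1] if "@" in sender else ""
    return sender in allowed or "@" + domain in allowed


def session_reasons(s):
    reasons = []
    if s["user"] in SYSTEM_ACCOUNTS:
        reasons.append(f"AUTH as system account '{s['user']}'")
    if s["rdns"] == "unknown":
        reasons.append("client has no reverse DNS")
    lit = LITERAL_RE.match(s["helo"] or "")
    if lit and lit.group(1) != s["ip"]:
        reasons.append(f"HELO literal {s['helo']} does not match client {s['ip']}")
    if s["sender"] is not None and not sender_allowed(s["user"], s["sender"]):
        reasons.append(f"sender <{s['sender']}> not owned by login '{s['user']}'")
    return reasons


def hosts_per_login(sessions, window=timedelta(minutes=45)):
    """Largest number of distinct client IPs a login was used from inside any
    single window; one password turning up from several hosts is a campaign."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    spread = {}
    for user, ss in by_user.items():
        ss.sort(key=lambda s: s["time"])
        spread[user] = max(len({t["ip"] for t in ss[i:] if t["time"] - s["time"] <= window})
                           for i, s in enumerate(ss))
    return spread


def analyze(log_text, year=2012, window=timedelta(minutes=45)):
    """Queue id -> list of reasons; an empty list means the session looked normal."""
    sessions = parse_sessions(log_text, year)
    spread = hosts_per_login(sessions, window)
    minutes = int(window.total_seconds() // 60)
    findings = {s["qid"]: session_reasons(s) for s in sessions}
    for s in sessions:
        if spread[s["user"]] > 1:
            findings[s["qid"]].append(
                f"login '{s['user']}' used from {spread[s['user']]} hosts within {minutes} min")
    return findings


if __name__ == "__main__":
    for qid, reasons in analyze(SAMPLE_LOG).items():
        print(qid, "; ".join(reasons) or "ok")
```

Feed it your mail.log (only the smtpd lines matter) instead of SAMPLE_LOG. On the trace in the post the first finding is the actionable one: the ftp account's password has to be changed or the account locked out of SASL, and SMTP AUTH is better confined to the submission service in master.cf (smtpd_sasl_auth_enable=yes only there) so that a leaked password cannot be used on port 25, where the restriction list hands out permit_sasl_authenticated before anything else is checked. The sender-ownership check is only a model of reject_sender_login_mismatch; in Postfix the real thing is configured with smtpd_sender_login_maps plus that restriction in smtpd_sender_restrictions.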