Digging into the logfiles, I could not find that the spammer (64.129.70.219) had
used SASL.

All SASL authentications seemed legitimate (coming from an ISP in the same
country), or from within my_networks.

It would have given me something like this, right?
client=unknown[64.129.70.219], sasl_method=LOGIN, sasl_username=xxxxxxxxx

Unfortunately, the IP of the spammer is nowhere to be found in my postfix
logs, except for my Amavis logs:

Nov  7 11:22:55 mail01.cq-link.sr /usr/local/sbin/amavisd[603]: (00603-16) Passed CLEAN, [64.129.70.219] [64.129.70.219] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: 80bDaGSM6lUa, Hits: 2.852, size: 511, queued_as: 0D90A5F457D, 3849 ms

And in the end amavis starts blocking him:

Nov 11 08:43:08 mail01.cq-link.sr /usr/local/sbin/amavisd[22027]: (22027-05) Blocked MTA-BLOCKED, [64.129.70.219] [64.129.70.219] <[EMAIL PROTECTED]gov> -> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]m>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]hk>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED].com>, Message-ID: <[EMAIL PROTECTED]>, mail_id: pkABmjwsgQrI, Hits: 4.223, size: 1493, 39548 ms

Apparently the guy got himself on a blacklist there...

But how can I further trace how he got in?



-----Original Message-----
From: Wietse Venema [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 11, 2008 12:34 PM
To: Jaap Westerbeek
Cc: postfix-users@postfix.org
Subject: Re: Spammers abusing my postfix box

Jaap Westerbeek:
> Supposing it IS a hacked SASL account, is there any way to stop that
> rewriting process ? Or to know which account was being abused ?
> Forcing all users to do a password change is not really an option with so
> many accounts.

Postfix logs the SASL user name to the maillog file.

        Wietse


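The tracing step the thread circles around (amavisd logs the Message-ID and only the queue ID of the re-injected copy, while smtpd logs the client and sasl_username under the original queue ID) can be automated by pivoting on the Message-ID through cleanup(8)'s message-id= lines. The following is an added example, not code from the thread or from Postfix; it assumes the standard Postfix smtpd/cleanup log formats, and the sample log excerpt, its queue IDs, PIDs, Message-ID and user name are constructed.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt (not from the thread); queue IDs, PIDs, Message-ID and user are invented.
SAMPLE_LOG = """\
Nov  7 11:22:51 mail01 postfix/smtpd[1201]: 3849A5F4571: client=unknown[64.129.70.219], sasl_method=LOGIN, sasl_username=bob
Nov  7 11:22:51 mail01 postfix/cleanup[1202]: 3849A5F4571: message-id=<20081107112250.A1B2@example.net>
Nov  7 11:22:55 mail01 /usr/local/sbin/amavisd[603]: (00603-16) Passed CLEAN, [64.129.70.219] [64.129.70.219] <sender@example.net> -> <rcpt@example.org>, Message-ID: <20081107112250.A1B2@example.net>, mail_id: 80bDaGSM6lUa, Hits: 2.852, size: 511, queued_as: 0D90A5F457D, 3849 ms
Nov  7 11:22:55 mail01 postfix/smtpd[1210]: 0D90A5F457D: client=localhost[127.0.0.1]
Nov  7 11:22:55 mail01 postfix/cleanup[1202]: 0D90A5F457D: message-id=<20081107112250.A1B2@example.net>
"""

# amavisd logs the Message-ID and the queue ID of the re-injected copy (queued_as), not of the
# original delivery, so the pivot back to the original smtpd session is the Message-ID.
AMAVIS_RE = re.compile(r"amavisd\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) \S+.*?"
                       r"Message-ID: <(?P<msgid>[^>]+)>")
# cleanup(8) logs message-id=<...> under every queue ID, original and re-injected copy alike.
CLEANUP_RE = re.compile(r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): message-id=<(?P<msgid>[^>]+)>")
# smtpd(8) logs the client and, when SASL was used, the authenticated user name.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+?)"
                      r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?$")


def trace_origins(log_text):
    """Map each Message-ID amavisd reported to {"verdict", "origins": [(queue_id, client, sasl_user)]}.

    The localhost re-injection from the content filter is dropped. An empty origins list means
    the message did not come in through smtpd (e.g. local sendmail(1)/pickup submission).
    """
    qids_by_msgid = defaultdict(list)
    client_by_qid = {}
    verdicts = {}
    for line in log_text.splitlines():
        if (m := CLEANUP_RE.search(line)):
            qids_by_msgid[m["msgid"]].append(m["qid"])
        elif (m := SMTPD_RE.search(line)):
            client_by_qid[m["qid"]] = (m["client"], m["user"])
        elif (m := AMAVIS_RE.search(line)):
            verdicts[m["msgid"]] = m["verdict"]
    result = {}
    for msgid, verdict in verdicts.items():
        origins = [(q, *client_by_qid[q]) for q in qids_by_msgid.get(msgid, [])
                   if q in client_by_qid and not client_by_qid[q][0].startswith("localhost[")]
        result[msgid] = {"verdict": verdict, "origins": origins}
    return result


def sasl_users_seen(log_text):
    """Distinct (sasl_username, client) pairs behind scanned mail: the accounts to review for abuse."""
    return {(o[2], o[1]) for r in trace_origins(log_text).values() for o in r["origins"] if o[2]}
```

Run it over the real maillog with `trace_origins(open("/var/log/maillog").read())`; a Message-ID that amavisd saw but that has no smtpd origin at all is the situation described above, and points at a submission path other than SMTP.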