Hello,

I am experiencing something very similar to, or exactly the same as,
what is described at
http://www.tolaris.com/2009/07/15/stopping-spam-botnets-with-fail2ban/ .

Basically, someone/something has been attempting to relay mail through
my server (at least I believe that to be what's happening).

I'm confused because this server should *not* be configured as an open
relay, yet it seems that Postfix attempts to deliver this outgoing mail
to its final destination (thousands of @hotmail.com users, in this case).

At a minimum, Postfix is connecting to the recipient's mail server, with
the end result that both Hotmail and Yahoo have blacklisted my server
because of these messages. I had over 106,000 deferred messages in my
Postfix queue this morning.

It seems that some of these messages are rejected with "Relay access
denied" (correctly so):

postfix/smtpd[27811]: NOQUEUE: reject: RCPT from unknown[189.84.21.206]:
554 5.7.1 <parana...@gmail.com>: Relay access denied;
from=<gp...@example.com> to=<

(where example.com is a *Web* domain on my server, but there is no email
service configured for it, and the local part, "gpusv", is
invalid/fake/random). It bears mention that the sender local part and
domain change periodically, but all of the domains are legitimate and
have DNS records that point to this server (some Web, some email, etc.).

Yet, at the same time, I see log entries that make it seem as though
this bot is actually able to push through outgoing mail (I apologize for
the wrapping; see the link at the end of the message for better formatting):

May 28 06:30:01 example2 amavis[21173]: (21173-12-9) ESMTP::10024
/var/lib/amavis/tmp/amavis-20130528T062825-21173: <d...@example.com> ->
<filipe-s-carva...@hotmail.com>,<linoguz...@hotmail.com> SIZE=1348
Received: from example2.com ([127.0.0.1]) by localhost (example2.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Tue, 28 May 2013
06:30:01 -0700 (PDT)
May 28 06:30:01 example2 amavis[21173]: (21173-12-9) Checking:
AodNAbQyfJVE [189.84.21.206] <d...@example.com> ->
<filipe-s-carva...@hotmail.com>,<linoguz...@hotmail.com>
May 28 06:30:01 example2 amavis[21173]: (21173-12-9) Open relay?
Nonlocal recips but not originating: filipe-s-carva...@hotmail.com,
linoguz...@hotmail.com
May 28 06:30:01 example2 amavis[21173]: (21173-12-9) cached
bb4750473febfc3a2c5e49a67135b953 from <d...@example.com> (0,1)
May 28 06:30:01 example2 amavis[21173]: (21173-12-9) p001 1
Content-Type: text/plain, size: 912 B, name:
May 28 06:30:01 example2 postfix/smtpd[12536]: A163122A43E6:
client=localhost.localdomain[127.0.0.1]
May 28 06:30:01 example2 postfix/cleanup[21166]: A163122A43E6:
message-id=<20130528133001.a163122a4...@example2.com>
May 28 06:30:01 example2 postfix/qmgr[32248]: A163122A43E6:
from=<d...@example.com>, size=1741, nrcpt=2 (queue active)
May 28 06:30:01 example2 amavis[21173]: (21173-12-9) FWD via SMTP:
<d...@example.com> ->
<filipe-s-carva...@hotmail.com>,<linoguz...@hotmail.com>, 250 2.0.0 Ok,
id=21173-12-9, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
A163122A43E6
May 28 06:30:01 example2 amavis[21173]: (21173-12-9) Passed CLEAN,
[189.84.21.206] [189.84.21.206] <d...@example.com> ->
<filipe-s-carva...@hotmail.com>,<linoguz...@hotmail.com>, mail_id:
AodNAbQyfJVE, Hits: 21.996, size: 1348, queued_as: A163122A43E6, 124 ms
May 28 06:30:01 example2 postfix/smtp[21338]: 84D7022A43E9:
to=<filipe-s-carva...@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024,
conn_use=9, delay=9.7, delays=1.9/7.7/0/0.13, dsn=2.0.0, status=sent
(250 2.0.0 Ok, id=21173-12-9, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok:
queued as A163122A43E6)
May 28 06:30:01 example2 postfix/smtp[21338]: 84D7022A43E9:
to=<linoguz...@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10024,
conn_use=9, delay=9.7, delays=1.9/7.7/0/0.13, dsn=2.0.0, status=sent
(250 2.0.0 Ok, id=21173-12-9, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok:
queued as A163122A43E6)
May 28 06:30:01 example2 postfix/qmgr[32248]: 84D7022A43E9: removed
May 28 06:30:01 example2 postfix/error[21283]: A163122A43E6:
to=<filipe-s-carva...@hotmail.com>, relay=none, delay=0.04,
delays=0.03/0.01/0/0, dsn=4.4.2, status=deferred (delivery temporarily
suspended: lost connection with mx3.hotmail.com[65.54.188.94] while
sending RCPT TO)
May 28 06:30:01 example2 amavis[21173]: (21173-12-9) TIMING [total 130
ms] - lookup_sql: 4 (3%)3, lookup_sql: 3 (2%)5, SMTP pre-DATA-flush: 1
(1%)6, SMTP DATA: 32 (25%)30, check_init: 1 (1%)31, digest_hdr: 1
(1%)32, digest_body_dkim: 1 (0%)33, gen_mail_id: 1 (1%)34, mime_decode:
11 (8%)42, get-file-type1: 20 (15%)57, parts_decode: 0 (0%)57,
check_header: 2 (1%)59, spam-wb-list: 3 (3%)61, update_cache: 1 (1%)62,
decide_mail_destiny: 2 (1%)63, fwd-connect: 4 (3%)66, fwd-mail-pip: 14
(10%)77, fwd-rcpt-pip: 1 (1%)78, fwd-data-chkpnt: 3 (3%)80,
write-header: 1 (1%)81, fwd-data-contents: 0 (0%)81, fwd-end-chkpnt: 10
(7%)89, prepare-dsn: 1 (1%)89, main_log_entry: 9 (7%)97, update_snmp: 2
(2%)99, SMTP pre-response: 0 (0%)99, SMTP response: 1 (0%)99,
unlink-1-files: 0 (0%)99, rundown: 1 (1%)100

Has anyone seen this before? Is this a misconfiguration on my part? Or
has one of my users' accounts been compromised?

Log excerpts and relevant configuration details can be found in my post
here: http://www.howtoforge.com/forums/showpost.php?p=297832&postcount=5

I really appreciate any help.

Thank you!
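As an added illustration for readers of this thread (it is not part of the original post, nor code from Postfix or amavisd-new), here is a small Python correlator run over constructed log lines in the same shapes as the excerpt above; the IPs, addresses and task ids in it are documentation values, not the poster's data. It ties each amavis "Open relay? Nonlocal recips but not originating" warning back to the client IP recorded in that task's "Checking:" line, and counts Postfix "Relay access denied" rejections for the same client. amavis only sees a message after the MTA has accepted it and handed it to the content filter, so a client that appears under both counters, as 189.84.21.206 does in the excerpt, is one whose mail Postfix accepted for relay at least some of the time, even while other attempts from it were refused.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the shapes seen in the post
# (documentation IPs and made-up addresses; nothing here is real data).
SAMPLE_LOG = [
    "May 28 06:29:52 mx postfix/smtpd[27811]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.10]: 554 5.7.1 <victim1@example.org>: Relay access denied; "
    "from=<gpusv@example.com> to=<victim1@example.org> proto=ESMTP helo=<x>",
    "May 28 06:30:01 mx amavis[21173]: (21173-12-9) Checking: AodNAbQyfJVE "
    "[203.0.113.10] <d@example.com> -> <v1@hotmail.example>,<v2@hotmail.example>",
    "May 28 06:30:01 mx amavis[21173]: (21173-12-9) Open relay? Nonlocal recips "
    "but not originating: v1@hotmail.example, v2@hotmail.example",
    "May 28 06:30:01 mx amavis[21173]: (21173-12-9) Passed CLEAN, [203.0.113.10] "
    "[203.0.113.10] <d@example.com> -> <v1@hotmail.example>,<v2@hotmail.example>, "
    "mail_id: AodNAbQyfJVE, Hits: 21.996, size: 1348, queued_as: A163122A43E6, 124 ms",
    "May 28 06:31:10 mx amavis[21174]: (21174-01) Checking: BbbbbbbbbbbB "
    "[192.0.2.5] <alice@example.com> -> <bob@example.net>",
    "May 28 06:31:10 mx amavis[21174]: (21174-01) Passed CLEAN, [192.0.2.5] "
    "[192.0.2.5] <alice@example.com> -> <bob@example.net>, mail_id: BbbbbbbbbbbB, "
    "Hits: -1.0, size: 900, queued_as: B00000000001, 80 ms",
]

# Postfix smtpd refusing to relay: capture client IP and envelope sender.
RELAY_DENIED_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: "
    r"554 5\.7\.1 <[^>]*>: Relay access denied; from=<([^>]*)>"
)
# amavis "Checking:" line: task id, originating client IP, envelope sender.
AMAVIS_CHECKING_RE = re.compile(
    r"amavis\[\d+\]: \((\S+)\) Checking: \S+ \[([\d.]+)\] <([^>]*)> -> "
)
# amavis warning that non-local recipients arrived from a non-originating client.
AMAVIS_OPEN_RELAY_RE = re.compile(
    r"amavis\[\d+\]: \((\S+)\) Open relay\? Nonlocal recips but not originating: (.+)$"
)


def summarize(lines):
    """Per client IP: relay rejections vs. messages amavis flagged as relayed."""
    task_to_client = {}  # amavis task id -> (client IP, sender) from "Checking:"
    stats = defaultdict(lambda: {"rejected": 0, "relayed_via_filter": 0,
                                 "relayed_rcpts": set(), "senders": set()})
    for line in lines:
        m = RELAY_DENIED_RE.search(line)
        if m:
            ip, sender = m.groups()
            stats[ip]["rejected"] += 1
            stats[ip]["senders"].add(sender)
            continue
        m = AMAVIS_CHECKING_RE.search(line)
        if m:
            task, ip, sender = m.groups()
            task_to_client[task] = (ip, sender)
            continue
        m = AMAVIS_OPEN_RELAY_RE.search(line)
        if m:
            task, rcpts = m.groups()
            if task in task_to_client:  # correlate the warning back to its client
                ip, sender = task_to_client[task]
                stats[ip]["relayed_via_filter"] += 1
                stats[ip]["senders"].add(sender)
                stats[ip]["relayed_rcpts"].update(r.strip() for r in rcpts.split(","))
    return {ip: {"rejected": s["rejected"],
                 "relayed_via_filter": s["relayed_via_filter"],
                 "relayed_rcpts": sorted(s["relayed_rcpts"]),
                 "senders": sorted(s["senders"])}
            for ip, s in stats.items()}


def verdict(entry):
    """RELAYED: the MTA accepted at least one message from this client for
    non-local recipients (amavis saw it). REJECTED_ONLY: every attempt seen
    was refused by the relay restrictions."""
    if entry["relayed_via_filter"]:
        return "RELAYED"
    if entry["rejected"]:
        return "REJECTED_ONLY"
    return "NONE"


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, verdict(entry), entry)
```

Two caveats when reading the output. First, the amavis warning fires for any relayed message from a client amavis does not treat as originating, including mail from a legitimately authenticated user, so it is a correlation signal, not proof of an open relay on its own. Second, a RELAYED verdict points at the Postfix side rather than at amavis: the question is which rule in `smtpd_recipient_restrictions` let that client past `reject_unauth_destination`, typically `permit_mynetworks` (is the client's network, or 127.0.0.1 via some proxy path, in `mynetworks`?) or `permit_sasl_authenticated` (does the corresponding `postfix/smtpd` line carry a `sasl_username=`, which would indicate a compromised account rather than a relay misconfiguration?). The sender addresses collected per IP are what to cross-check against those SASL usernames.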

