understanding postfix log

2009-01-02 Thread William Kisman
Hello, I have searched around trying to understand the postfix log messages,
because I found that my server is being abused by a spammer who is sending me
messages with my own email address as the sender. I have a form that allows
users to send a message to their friends about my website link, but when I
checked the apache log files, I did not see the spammer abusing that dynamic
link.

What are the possibilities that the spammer could use my mail server to spam?

I have googled how to understand the postfix log file, but I did not get much
useful information. Do you know any good resources?

Thank you very much.

Best regards,
William Kisman


Re: understanding postfix log

2009-01-02 Thread William Kisman
Dear J.P. Trosclair,

Thank you for your prompt reply and your help. Before I can locate an instance
where a spam passed through: how can I locate that?


Below is my test; there is no open relay.
(My real domain has been replaced with mydomain.com, as well as a dummy IP
address.)


*Mail relay testing*
Connecting to mail.mydomain.com for anonymous test ...

 220 mail.mydomain.com ESMTP Postfix
 HELO www.abuse.net
 250 mail.mydomain.com
Relay test 1
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@abuse.net
 250 2.1.0 Ok
 RCPT TO:securityt...@abuse.net
 554 5.7.1 securityt...@abuse.net: Relay access denied
Relay test 2
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamtest
 250 2.1.0 Ok
 RCPT TO:securityt...@abuse.net
 554 5.7.1 securityt...@abuse.net: Relay access denied
Relay test 3
 RSET
 250 2.0.0 Ok
 MAIL FROM:
 250 2.1.0 Ok
 RCPT TO:securityt...@abuse.net
 554 5.7.1 securityt...@abuse.net: Relay access denied
Relay test 4
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:securityt...@abuse.net
 554 5.7.1 securityt...@abuse.net: Relay access denied
Relay test 5
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@[123.123.123.11]
 250 2.1.0 Ok
 RCPT TO:securityt...@abuse.net
 554 5.7.1 securityt...@abuse.net: Relay access denied
Relay test 6
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:securitytest%abuse@mydomain.com
 554 5.7.1 securitytest%abuse@mydomain.com: Relay access denied
Relay test 7
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:securitytest%abuse@[123.123.123.11]
 554 5.7.1 securitytest%abuse@[123.123.123.11]: Relay access denied
Relay test 8
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:securityt...@abuse.net
 554 5.7.1 securityt...@abuse.net: Relay access denied
Relay test 9
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:securitytest%abuse.net
 554 5.7.1 securitytest%abuse.net: Relay access denied
Relay test 10
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:securityt...@abuse.net@mydomain.com
 554 5.7.1 securityt...@abuse.net@mydomain.com: Relay access denied
Relay test 11
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:securityt...@abuse.net@mydomain.com
 554 5.7.1 securityt...@abuse.net@mydomain.com: Relay access denied
Relay test 12
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:securityt...@abuse.net@[123.123.123.11]
 554 5.7.1 securityt...@abuse.net@[123.123.123.11]: Relay access denied
Relay test 13
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:@mydomain.com:securityt...@abuse.net
 554 5.7.1 securityt...@abuse.net: Relay access denied
Relay test 14
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:@[123.123.123.11]:securityt...@abuse.net
 554 5.7.1 securityt...@abuse.net: Relay access denied
Relay test 15
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:abuse.net!securitytest
 554 5.7.1 abuse.net!securitytest: Relay access denied
Relay test 16
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:abuse.net!securityt...@mydomain.com
 554 5.7.1 abuse.net!securityt...@mydomain.com: Relay access denied
Relay test 17
 RSET
 250 2.0.0 Ok
 MAIL FROM:spamt...@mydomain.com
 250 2.1.0 Ok
 RCPT TO:abuse.net!securityt...@[123.123.123.11]
 554 5.7.1 abuse.net!securityt...@[123.123.123.11]: Relay access denied
Relay test result
All tests performed, no relays accepted.


Thank you

On Fri, Jan 2, 2009 at 11:56 PM, J.P. Trosclair jptroscl...@judelawfirm.com wrote:

 William Kisman wrote:

 What are the possibilities that the spammer could use my mail server to
 spam ?


 First check if your server is an open relay using this service:
 http://www.abuse.net/relay.html

 Also if you think that a sasl user/pass has been compromised, change the
 password. You can look through the mail log for an instance where a spam
 passed through and get the id:

 Jan  2 07:05:04 mail1 postfix/smtp[26253]: 0B2DC6A009B:  -- This is the id

 Once you get the id, you can grep that specific id to get all of the log
 entries related to it at which point you can see where the connection came
 from and if it was authenticated:

 Jan  2 01:05:03 mail1 postfix/smtpd[25860]: 0B2DC6A009B: client=
 mail1.xxx.com[x.x.x.x], sasl_method=LOGIN, sasl_username=johndoe

 If the connection was authenticated and you know it should not have been
 and the message should have been rejected, then a password has possibly been
 compromised.

 J.P.




-- 
Best regards,
William Kisman


Re: understanding postfix log

2009-01-02 Thread William Kisman
Thank you IBBoard, that is a nice idea, I am trying to understand it.

Now I understand, thank you very much. This is the first time I have used my
Evolution mail menu to view the message headers; the header does show the SMTP
id as well, and I can use that to grep the postfix log.

Return-path: i...@qwestcz.cz
X-original-to: i...@mydomain.com
Delivered-to: i...@mydomain.com
Received: from conaxedition (unknown [88.229.53.253]) by
mail.mydomain.com(Postfix) with SMTP id 2D1A31980003 for 
i...@mydomain.com; Thu,  1 Jan 2009 11:04:47 -0800 (PST)
To: i...@mydomain.com
Subject: nhmt i...@mydomain.com Thu, 1 Jan 2009 09:05:34 +0200 70%0FF fqnjw
From: Viagra.com i...@mydomain.com
Mime-version: 1.0
Content-type: text/html
Message-id: 20090101190448.2d1a31980...@mail.mydomain.com
Date: Thu,  1 Jan 2009 11:04:47 -0800 (PST) (Fri, 03:04 MYT)
X-evolution-source: imap://will...@mail.mydomain.com/


Jan  1 11:04:48 www postfix/smtpd[18133]: 2D1A31980003:
client=unknown[88.229.53.253]
Jan  1 11:04:49 www postfix/cleanup[18139]: 2D1A31980003: message-id=
20090101190448.2d1a31980...@mail.mydomain.com
Jan  1 11:04:49 www postfix/qmgr[28143]: 2D1A31980003: from=i...@qwestcz.cz,
size=2162, nrcpt=1 (queue active)
Jan  1 11:04:49 www postfix/local[18143]: 2D1A31980003: to=
will...@mydomain.com, orig_to=i...@mydomain.com, relay=local, delay=1.9,
delays=1.9/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Jan  1 11:04:49 www postfix/qmgr[28143]: 2D1A31980003: removed


One more thing: here is a log that shows three trials, but actually there are
at least 30 trials of that. When I grep that queue ID it does not show the
client address that is trying to send the message. Is that a spammer trying to
use my mail server to send a message to someone? How can I block it, or what
should I do?

Dec 28 01:03:25 www postfix/qmgr[32221]: B041D198056F: from=, size=4247,
nrcpt=1 (queue active)
Dec 28 01:04:16 www postfix/smtp[25721]: B041D198056F: to=
tizia...@barak.net, relay=none, delay=62670, delays=62618/0.21/51/0,
dsn=4.4.3, status=deferred (Host or domain name not found. Name service
error for name=barak.net type=MX: Host not found, try again)
Dec 28 02:26:44 www postfix/qmgr[32221]: B041D198056F: from=, size=4247,
nrcpt=1 (queue active)
Dec 28 02:27:35 www postfix/smtp[21822]: B041D198056F: to=
tizia...@barak.net, relay=none, delay=67669, delays=67618/0.02/51/0,
dsn=4.4.3, status=deferred (Host or domain name not found. Name service
error for name=barak.net type=MX: Host not found, try again)
Dec 28 03:50:04 www postfix/qmgr[32221]: B041D198056F: from=, size=4247,
nrcpt=1 (queue active)
Dec 28 03:50:56 www postfix/smtp[28421]: B041D198056F: to=
tizia...@barak.net, relay=none, delay=72670, delays=72618/1.1/51/0,
dsn=4.4.3, status=deferred (Host or domain name not found. Name service
error for name=barak.net type=MX: Host not found, try again)
Jan  1 07:54:32 www postfix/qmgr[28143]: B041D198056F: from=,
status=expired, returned to sender
Jan  1 07:54:32 www postfix/qmgr[28143]: B041D198056F: removed





On Sat, Jan 3, 2009 at 1:07 AM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

 On Fri, Jan 02, 2009 at 11:42:17PM +0800, William Kisman wrote:

  Hello, I have searched around trying to understand the postfix log
 message
  because I found that my server is being abused by the spammer which the
  spammer sending me the message with the sender as my email.

 Email sender addresses are easily forged. Nothing new here.

  I have a form
  that allow user to send message to their friends about my website link,
 but
  when I checked the apache log files, I did not see the spammer abusing
 that
  dynamic link.
 
  What are the possibilities that the spammer could use my mail server to
 spam
  ?

 How is this related to receiving email with forged sender addresses? Do
 check the headers of the forged email; if it arrived from outside, there is no
 point in checking web logs.

  I have googled on how to understand the postfix log file but not much
 useful
  information that I got, do you know any good one ?

 First take the time to understand that email envelope and sender
 information is unauthenticated and subject to forgery.

 --
Viktor.

 Disclaimer: off-list followups get on-list replies or get ignored.
 Please do not ignore the Reply-To header.

 To unsubscribe from the postfix-users list, visit
 http://www.postfix.org/lists.html or click the link below:
 mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

 If my response solves your problem, the best way to thank me is to not
 send an it worked, thanks follow-up. If you must respond, please put
 It worked, thanks in the Subject so I can delete these quickly.




-- 
Thank you

Best regards,
William Kisman
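The two log-reading questions in this thread (J.P.'s advice to grep a queue ID and look for the smtpd client= and sasl_username fields, and the later queue entry that shows no client line at all) can be automated. The script below is an added example, not code from the thread or from Postfix; it groups Postfix log lines by queue ID and reports where each message came from and whether the session was authenticated. The log sample is constructed in the thread's format with made-up hosts, addresses and queue IDs.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log format (not the poster's own log);
# hosts, addresses and queue IDs are made up.
SAMPLE_LOG = """\
Jan  1 11:04:48 www postfix/smtpd[18133]: AAAA00000001: client=unknown[192.0.2.10]
Jan  1 11:04:49 www postfix/qmgr[28143]: AAAA00000001: from=<info@sender.example>, size=2162, nrcpt=1 (queue active)
Jan  1 11:04:49 www postfix/local[18143]: AAAA00000001: to=<will@mydomain.example>, orig_to=<info@mydomain.example>, relay=local, dsn=2.0.0, status=sent (delivered to maildir)
Jan  2 01:05:03 www postfix/smtpd[25860]: BBBB00000002: client=host.isp.example[198.51.100.7], sasl_method=LOGIN, sasl_username=johndoe
Jan  2 01:05:04 www postfix/qmgr[28143]: BBBB00000002: from=<johndoe@mydomain.example>, size=900, nrcpt=1 (queue active)
Jan  2 01:05:05 www postfix/smtp[26253]: BBBB00000002: to=<someone@remote.example>, relay=mx.remote.example[203.0.113.5]:25, dsn=2.0.0, status=sent (250 Ok)
Dec 28 01:03:25 www postfix/qmgr[32221]: CCCC00000003: from=<>, size=4247, nrcpt=1 (queue active)
Dec 28 01:04:16 www postfix/smtp[25721]: CCCC00000003: to=<tiziana@nxdomain.example>, relay=none, dsn=4.4.3, status=deferred (Host or domain name not found)
"""
# syslog prefix, postfix daemon name, queue ID, and the rest of the line
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>\w+)\[\d+\]: "
                     r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")

def parse_log(text):
    """Group lines by queue ID (what `grep QUEUEID mail.log` gives you) and
    pull out the client, SASL user, envelope sender and per-recipient status."""
    msgs = defaultdict(lambda: {"client": None, "sasl_username": None,
                                "from": None, "recipients": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, rest = msgs[m["qid"]], m["rest"]
        if m["prog"] == "smtpd":        # only smtpd logs who connected and how
            c = re.search(r"client=([^,\s]+)", rest)
            u = re.search(r"sasl_username=(\S+)", rest)
            if c: rec["client"] = c.group(1)
            if u: rec["sasl_username"] = u.group(1)
        elif m["prog"] == "qmgr":
            f = re.search(r"from=<([^>]*)>", rest)
            if f: rec["from"] = f.group(1)   # "" is the null sender <>
        else:                           # local, smtp, virtual, ... delivery agents
            t = re.search(r"to=<([^>]*)>.*status=(\w+)", rest)
            if t: rec["recipients"].append((t.group(1), t.group(2)))
    return dict(msgs)

def classify(rec):
    """Where did this queue ID come from, and was the session authenticated?"""
    if rec["client"] is None:
        return "no smtpd client= line: not received over SMTP in this log"
    if rec["sasl_username"]:
        return "submitted by SASL user %s from %s" % (rec["sasl_username"], rec["client"])
    return "received unauthenticated from %s" % rec["client"]
```

Feed it the output of `grep QUEUEID /var/log/mail.log` (or the whole file); a queue ID whose smtpd line sits in a rotated older log will show as having no client line, so include the rotated files before drawing a conclusion.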