Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Asai
Greetings.  I've got this log entry over the past few days at the same 
time I've been getting this really strange spam from 
worldswidedomainnames.com.  This entry is appearing 50 or 60 times per 
day in the logs:


Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages

I don't know if the two are related.  Does anyone have any insight 
they'd be willing to share?


--
asai



Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Duane Hill

On Fri, 31 Oct 2008, Asai wrote:


Greetings.  I've got this log entry over the past few days at the same time 
I've been getting this really strange spam from worldswidedomainnames.com.  
This entry is appearing 50 or 60 times per day in the logs:

Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages

I don't know if the two are related.  Does anyone have any insight they'd be 
willing to share?


That's a message going OUT and it states the host mx.wmint.net is refusing 
your connection. Are you accepting messages destined for unknown accounts? 
Post the results of 'postconf -n'.
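An added example, not code from the thread, that does by script what Duane and the later replies do by eye: it parses postfix/smtp log lines of the shape Asai quoted, keeps only the lines where the remote server rejected the connection ("refused to talk to me") or a command ("said"), and counts them per remote host and per day, so a burst like "50 or 60 times per day" from one host stands out. The sample log is constructed for this example; only its first line reproduces the entry from the thread, the other queue IDs and the example.invalid host are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample.  The first line is the entry quoted in the thread; the
# remaining lines, queue IDs and the example.invalid host are made up so the
# parser has something to distinguish (a "said:" rejection and a status= line).
SAMPLE_LOG = """\
Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
Oct 30 19:04:02 triata postfix/smtp[14111]: 0F1E2FD8090: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
Oct 30 19:10:45 triata postfix/smtp[14120]: 1A2B3FD80A1: host mx.example.invalid[192.0.2.10] said: 550 5.1.1 <nobody@example.invalid>: Recipient address rejected: User unknown (in reply to RCPT TO command)
Oct 30 19:10:45 triata postfix/smtp[14120]: 1A2B3FD80A1: to=<nobody@example.invalid>, relay=mx.example.invalid[192.0.2.10]:25, delay=1.3, status=bounced (host mx.example.invalid[192.0.2.10] said: 550 5.1.1 ...)
Oct 31 08:15:31 triata postfix/smtp[15001]: 2C3D4FD80B2: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages
"""

# One pattern for the two ways postfix/smtp reports a remote SMTP rejection:
# "refused to talk to me: <code> ..." (rejected at the banner, as in the thread)
# and "said: <code> ..." (rejected in reply to a command).
REMOTE_REJECT = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): "
    r"host (?P<rhost>[^\[\s]+)\[(?P<rip>[^\]]+)\] "
    r"(?P<kind>refused to talk to me|said): (?P<code>\d{3})(?P<text>.*)$"
)


def parse_remote_rejections(text):
    """Return one dict per line in which a remote server rejected us."""
    records = []
    for line in text.splitlines():
        m = REMOTE_REJECT.match(line)
        if m:
            rec = m.groupdict()
            rec["text"] = rec["text"].strip()
            rec["permanent"] = rec["code"].startswith("5")  # 5xx = permanent
            records.append(rec)
    return records


def summarize_by_remote(records):
    """Count rejections per (remote host, remote IP, SMTP reply code)."""
    counts = Counter()
    for r in records:
        counts[(r["rhost"], r["rip"], r["code"])] += 1
    return counts


def summarize_by_day(records):
    """Per calendar day, how often each remote host rejected us."""
    per_day = defaultdict(Counter)
    for r in records:
        per_day[f"{r['mon']} {r['day']}"][r["rhost"]] += 1
    return per_day


def queue_ids_for_host(records, rhost):
    """Queue IDs whose delivery attempt a given remote host rejected; these
    are what you grep for to see who the mail was from and to."""
    return sorted({r["qid"] for r in records if r["rhost"] == rhost})


if __name__ == "__main__":
    recs = parse_remote_rejections(SAMPLE_LOG)
    for (rhost, rip, code), n in summarize_by_remote(recs).most_common():
        print(f"{n:4d}  {code}  {rhost}[{rip}]")
    for day, hosts in sorted(summarize_by_day(recs).items()):
        print(day, dict(hosts))
    print("queue ids rejected by mx.wmint.net:", queue_ids_for_host(recs, "mx.wmint.net"))
```

Run it against `/var/log/maillog` instead of the sample and the queue IDs it returns are the ones to look up for the sender and recipient of each rejected message, which is the information the thread does not have.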


Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Brian Evans - Postfix List
Asai wrote:
 Greetings.  I've got this log entry over the past few days at the same
 time I've been getting this really strange spam from
 worldswidedomainnames.com.  This entry is appearing 50 or 60 times
 per day in the logs:

 Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host 
 mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net 
 ESMTP not accepting messages
 I don't know if the two are related.  Does anyone have any insight
 they'd be willing to share?
You are sending to mx.wmint.net.

They may be having issues or you may be on their private blacklist.

I don't have an issue:
[EMAIL PROTECTED] ~ $ telnet 80.247.227.180 25
Trying 80.247.227.180...
Connected to 80.247.227.180.
Escape character is '^]'.
220 mx4.fr.wmint.net ESMTP Sendmail; Fri, 31 Oct 2008 17:09:53 +0100
EHLO scent-team.com
250-mx4.fr.wmint.net Hello mx1.scent-team.com [69.48.33.25], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 11048576
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
quit



Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Asai

Duane Hill wrote:

On Fri, 31 Oct 2008, Asai wrote:

Greetings.  I've got this log entry over the past few days at the same 
time I've been getting this really strange spam from 
worldswidedomainnames.com.  This entry is appearing 50 or 60 times per 
day in the logs:

Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages

I don't know if the two are related.  Does anyone have any insight 
they'd be willing to share?


That's a message going OUT and it states the host mx.wmint.net is 
refusing your connection. Are you accepting messages destined for 
unknown accounts? Post the results of 'postconf -n'.


Thanks Duane.  Here's postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 600s
message_size_limit = 0
minimal_backoff_time = 300s
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = globalchangemultimedia.net
myhostname = triata.globalchangemultimedia.net
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
    hash:/etc/postfix/helo_access, reject_invalid_hostname,
    reject_non_fqdn_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, check_policy_service inet:127.0.0.1:2501,
    reject_non_fqdn_hostname, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, reject_unauth_pipelining,
    reject_invalid_hostname, reject_unknown_sender_domain, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_tls_cert_file = /etc/ssl/triata.globalchangemultimedia.net/mailserver/mail-cert.pem
smtpd_tls_key_file = /etc/ssl/triata.globalchangemultimedia.net/mailserver/mail-key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_aliases,
    mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
virtual_uid_maps = static:1001

--
asai



Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Charles Marcus
On 10/31/2008, Asai ([EMAIL PROTECTED]) wrote:
 smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, 
 reject_non_fqdn_sender, reject_unknown_sender_domain, permit

I do believe this makes you an open relay...

-- 

Best regards,

Charles


Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Charles Marcus
On 10/31/2008 12:37 PM, Charles Marcus wrote:
 On 10/31/2008, Asai ([EMAIL PROTECTED]) wrote:
 smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, 
 reject_non_fqdn_sender, reject_unknown_sender_domain, permit

 I do believe this makes you an open relay...

Oh...

add 'reject_unauth_destination' BEFORE the permit...

-- 

Best regards,

Charles


Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Asai

Charles Marcus wrote:

On 10/31/2008 12:37 PM, Charles Marcus wrote:

On 10/31/2008, Asai ([EMAIL PROTECTED]) wrote:

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, 
reject_non_fqdn_sender, reject_unknown_sender_domain, permit

I do believe this makes you an open relay...

Oh...

add 'reject_unauth_destination' BEFORE the permit...


I was afraid of this.  Thank you so much, Charles.

--
asai



Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Brian Evans - Postfix List
Charles Marcus wrote:
 On 10/31/2008, Asai ([EMAIL PROTECTED]) wrote:
 smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, 
 reject_non_fqdn_sender, reject_unknown_sender_domain, permit

 I do believe this makes you an open relay...
No... smtpd_sender_restrictions cannot make you an open relay by omitting
reject_unauth_destination.
The OP has reject_unauth_destination in smtpd_recipient_restrictions, which
is correct.

Brian
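An added example, not code from the thread, that checks the point Brian makes mechanically: it parses `postconf -n` output and looks at where reject_unauth_destination sits in smtpd_recipient_restrictions, and it never consults smtpd_sender_restrictions, because relay decisions are not made there. The sample input is a trimmed copy of the postconf -n output Asai posted, with continuation lines indented the way postconf prints them; the set of permits treated as "trusted" (permits that admit only your own clients) is this example's own assumption, not something Postfix defines.

```python
import re

# Constructed from the postconf -n output posted in the thread; only the
# parameters relevant to the relay question are kept.
SAMPLE_POSTCONF = """\
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = triata.globalchangemultimedia.net
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,reject_unauth_destination,
    check_policy_service inet:127.0.0.1:2501, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unauth_pipelining, reject_invalid_hostname,
    reject_unknown_sender_domain, permit
smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain,
    permit
"""


def parse_postconf(text):
    """Parse `postconf -n` output into {parameter: value}.  An indented line
    continues the value of the parameter before it."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and key is not None:
            params[key] += " " + line.strip()
        else:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params


def split_restrictions(value):
    """Split a restriction list on commas and/or whitespace.  A token that
    contains ':' (a table or server spec such as hash:/path or inet:host:port)
    is the argument of the restriction before it, so it is glued back on."""
    items = []
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        if ":" in tok and items:
            items[-1] += " " + tok
        else:
            items.append(tok)
    return items


# Example's own assumption: permits that admit only the clients you intend to
# relay for.  Any other permit reached before the relay guard is a finding.
TRUSTED_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated",
                   "permit_tls_clientcerts", "permit_auth_destination"}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def relay_guard_check(params):
    """Return (ok, reason).  Relaying is decided in smtpd_recipient_restrictions,
    and reject_unauth_destination there must be reached before any permit that
    could let an untrusted client through.  smtpd_sender_restrictions is
    irrelevant to this question and is deliberately not read."""
    rcpt = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    for pos, item in enumerate(rcpt):
        name = item.split()[0]
        if name in RELAY_GUARDS:
            return True, f"{name} is present at position {pos}"
        if name == "permit" or (name.startswith("permit_") and name not in TRUSTED_PERMITS):
            return False, f"{name} is reached before any relay guard"
    return False, "no reject_unauth_destination in smtpd_recipient_restrictions"


if __name__ == "__main__":
    conf = parse_postconf(SAMPLE_POSTCONF)
    print(relay_guard_check(conf))
```

Feeding Asai's sender restrictions in as if they were the recipient restrictions is the quickest way to see the difference: the same list that is harmless as smtpd_sender_restrictions would fail the check as smtpd_recipient_restrictions, because its final permit comes with no reject_unauth_destination before it.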




Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Asai

Brian Evans - Postfix List wrote:

Charles Marcus wrote:

On 10/31/2008, Asai ([EMAIL PROTECTED]) wrote:

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, 
reject_non_fqdn_sender, reject_unknown_sender_domain, permit

I do believe this makes you an open relay...

No... smtpd_sender_restrictions cannot make you an open relay by omitting
reject_unauth_destination.
The OP has reject_unauth_destination in smtpd_recipient_restrictions, which
is correct.

Brian



Ok, well thanks anyway, Charles. 


Even so, do you guys have any other ideas about the log entry?

--
asai



Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Duane Hill

Responding to the original message...

On Fri, 31 Oct 2008, Asai wrote:


Greetings.  I've got this log entry over the past few days at the same time 
I've been getting this really strange spam from worldswidedomainnames.com.  
This entry is appearing 50 or 60 times per day in the logs:

Oct 30 18:59:19 triata postfix/smtp[14090]: EADE6FD8084: host mx.wmint.net[80.247.227.180] refused to talk to me: 554 mx4.fr.wmint.net ESMTP not accepting messages

I don't know if the two are related.  Does anyone have any insight they'd be 
willing to share?


As Brian has already pointed out:

  They may be having issues or you may be on their private blacklist.

worldswidedomainnames.com isn't even a registered domain name.


Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Noel Jones

Asai wrote:

Brian Evans - Postfix List wrote:

Charles Marcus wrote:

On 10/31/2008, Asai ([EMAIL PROTECTED]) wrote:

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, 
reject_non_fqdn_sender, reject_unknown_sender_domain, permit

I do believe this makes you an open relay...

No... smtpd_sender_restrictions cannot make you an open relay by omitting
reject_unauth_destination.
The OP has reject_unauth_destination in smtpd_recipient_restrictions, which
is correct.

Brian

Ok, well thanks anyway, Charles.

Even so, do you guys have any other ideas about the log entry?

--
asai



Please don't post html to the list.

The log entry says the recipient mail system rejected your 
mail.  For any further information, you will need to contact 
their postmaster.


We don't have enough information to say for sure if this is 
related to your odd spam or not, but it seems unlikely.




--
Noel Jones


Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread John Peach
On Fri, 31 Oct 2008 18:09:37 +0000 (UTC)
Duane Hill [EMAIL PROTECTED] wrote:

 Responding to the original message...
 
 On Fri, 31 Oct 2008, Asai wrote:
 
[snip]
They may be having issues or you may be on their private blacklist.
 
 worldswidedomainnames.com isn't even a registered domain name.

worldwidedomainnames.com *is* and I would want to blackhole them




Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Asai

John Peach wrote:

On Fri, 31 Oct 2008 18:09:37 +0000 (UTC)
Duane Hill [EMAIL PROTECTED] wrote:

Responding to the original message...

On Fri, 31 Oct 2008, Asai wrote:

[snip]

   They may be having issues or you may be on their private blacklist.

worldswidedomainnames.com isn't even a registered domain name.

worldwidedomainnames.com *is* and I would want to blackhole them

Ok, thanks guys.  John, when you say blackhole them what do you mean?  
I've been looking for a way to blacklist conveniently using MySQL.  Do 
you know of a way?


--
asai



Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread John Peach
On Fri, 31 Oct 2008 11:29:04 -0700
Asai [EMAIL PROTECTED] wrote:

 John Peach wrote:
  On Fri, 31 Oct 2008 18:09:37 +0000 (UTC)
  Duane Hill [EMAIL PROTECTED] wrote:

   Responding to the original message...

   On Fri, 31 Oct 2008, Asai wrote:

   [snip]

    They may be having issues or you may be on their private blacklist.

   worldswidedomainnames.com isn't even a registered domain name.

  worldwidedomainnames.com *is* and I would want to blackhole them

 Ok, thanks guys.  John, when you say blackhole them what do you mean?  
 I've been looking for a way to blacklist conveniently using MySQL.  Do 
 you know of a way?

Not with my*sql, per se, but you can reject them based on all sorts of
criteria.

host -t mx worldwidedomainnames.com
worldwidedomainnames.com mail is handled by 0 dev.null.

That would block them at a lot of sites...

check_sender_mx_access hash:/etc/postfix/mx_access

dev.null                    REJECT

host -t ns worldwidedomainnames.com
worldwidedomainnames.com name server this-domain-for-sale.com.
worldwidedomainnames.com name server ns.buydomains.com.

check_sender_ns_access hash:/etc/postfix/ns_access

this-domain-for-sale.com    REJECT
buydomains.com              REJECT

etc...
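An added example, not code from the thread, that models what John's two tables do so you can see why `buydomains.com REJECT` catches `ns.buydomains.com`: an access(5) lookup for a host name tries the full name first and then each parent domain, and with smtpd_access_maps listed in parent_domain_matches_subdomains (the default) the parent is looked up without a leading dot, otherwise with one. The `host` output and the two tables are copied from John's message; the functions are this example's own and simplify Postfix in one respect, they look up only the MX/NS host names, whereas check_sender_mx_access and check_sender_ns_access also look up those hosts' IP addresses.

```python
# Constructed from the `host -t mx` / `host -t ns` output and the two access
# tables John pasted in the thread.
HOST_MX_OUTPUT = "worldwidedomainnames.com mail is handled by 0 dev.null.\n"
HOST_NS_OUTPUT = (
    "worldwidedomainnames.com name server this-domain-for-sale.com.\n"
    "worldwidedomainnames.com name server ns.buydomains.com.\n"
)
MX_ACCESS = "dev.null\tREJECT\n"
NS_ACCESS = "this-domain-for-sale.com\tREJECT\nbuydomains.com\tREJECT\n"


def parse_host_output(text, kind):
    """Pull the MX or NS host names out of `host -t mx` / `host -t ns` output."""
    marker = {"mx": " mail is handled by ", "ns": " name server "}[kind]
    hosts = []
    for line in text.splitlines():
        if marker in line:
            rhs = line.split(marker, 1)[1]
            # MX lines carry a preference before the name; take the last word.
            hosts.append(rhs.split()[-1].rstrip(".").lower())
    return hosts


def parse_access_map(text):
    """Read an access(5) source file: one 'key action' pair per line."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip().upper()
    return table


def lookup_hostname(table, hostname, parent_matches_subdomains=True):
    """Mimic the access(5) lookup order for a host name: the full name, then
    each parent domain (including the TLD).  The parent is tried as
    'buydomains.com' when parent_domain_matches_subdomains covers
    smtpd_access_maps, and as '.buydomains.com' when it does not.
    Returns (action, matched_key) or (None, None)."""
    labels = hostname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates.append(parent if parent_matches_subdomains else "." + parent)
    for key in candidates:
        if key in table:
            return table[key], key
    return None, None


def sender_mx_ns_check(mx_hosts, ns_hosts, mx_table, ns_table, **kw):
    """Apply check_sender_mx_access, then check_sender_ns_access, to the hosts
    resolved for a sender domain.  First match wins; DUNNO means no opinion,
    so evaluation would continue with the next restriction."""
    for label, hosts, table in (("check_sender_mx_access", mx_hosts, mx_table),
                                ("check_sender_ns_access", ns_hosts, ns_table)):
        for host in hosts:
            action, key = lookup_hostname(table, host, **kw)
            if action:
                return action, f"{label}: {host} matched {key}"
    return "DUNNO", "no MX or NS host matched"


if __name__ == "__main__":
    mx = parse_host_output(HOST_MX_OUTPUT, "mx")
    ns = parse_host_output(HOST_NS_OUTPUT, "ns")
    mx_table = parse_access_map(MX_ACCESS)
    ns_table = parse_access_map(NS_ACCESS)
    print(sender_mx_ns_check(mx, ns, mx_table, ns_table))
    # Same tables, parent_domain_matches_subdomains without smtpd_access_maps:
    print(sender_mx_ns_check([], ns, mx_table, ns_table, parent_matches_subdomains=False))
```

The parent-domain walk is done by Postfix, not by the table, so the same keys and actions work unchanged from a `mysql:` table in place of the `hash:` files, which is the form Asai was after; the one thing to keep in mind is that a pattern like `buydomains.com` only matches `ns.buydomains.com` while parent_domain_matches_subdomains includes smtpd_access_maps.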

Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Asai



Asai [EMAIL PROTECTED] wrote:

John Peach wrote:

On Fri, 31 Oct 2008 18:09:37 +0000 (UTC)
Duane Hill [EMAIL PROTECTED] wrote:

Responding to the original message...

On Fri, 31 Oct 2008, Asai wrote:

[snip]

   They may be having issues or you may be on their private blacklist.

worldswidedomainnames.com isn't even a registered domain name.

worldwidedomainnames.com *is* and I would want to blackhole them

Ok, thanks guys.  John, when you say blackhole them what do you mean?  
I've been looking for a way to blacklist conveniently using MySQL.  Do 
you know of a way?

Not with my*sql, per se, but you can reject them based on all sorts of
criteria.

host -t mx worldwidedomainnames.com
worldwidedomainnames.com mail is handled by 0 dev.null.

That would block them at a lot of sites...

check_sender_mx_access hash:/etc/postfix/mx_access

dev.null                    REJECT

host -t ns worldwidedomainnames.com
worldwidedomainnames.com name server this-domain-for-sale.com.
worldwidedomainnames.com name server ns.buydomains.com.

check_sender_ns_access hash:/etc/postfix/ns_access

this-domain-for-sale.com    REJECT
buydomains.com              REJECT

etc...

Thanks, John.  I'll see if I can figure out how to convert those 
directives to a MySQL table. 


--
asai