RE: Spammers abusing my postfix box - solved

2008-11-11 Thread Jaap Westerbeek
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wietse Venema
Sent: Tuesday, November 11, 2008 1:30 PM
To: Postfix users
Subject: Re: Spammers abusing my postfix box

What is the output of:

    grep 6F38E5F4595 /the/maillog/file
    grep D8AFD5F4526 /the/maillog/f

Re: Spammers abusing my postfix box

2008-11-11 Thread Wietse Venema
What is the output of:

    grep 6F38E5F4595 /the/maillog/file
    grep D8AFD5F4526 /the/maillog/file

One is before Amavis, one is after Amavis.

Wietse

Re: Spammers abusing my postfix box

2008-11-11 Thread Charles Marcus
On 11/11/2008 11:07 AM, Jaap Westerbeek wrote:
> Digging into the logfiles, I could not find the spammer (64.129.70.219) had
> used SASL

So if he didn't get in through sasl_auth, obviously he must have gotten in through a hole in your check_recipient_access hash:/etc/postfix/access_recipient,

RE: Spammers abusing my postfix box

2008-11-11 Thread Jaap Westerbeek
ED]
Sent: Tuesday, November 11, 2008 12:34 PM
To: Jaap Westerbeek
Cc: postfix-users@postfix.org
Subject: Re: Spammers abusing my postfix box

Jaap Westerbeek:
> Supposing it IS a hacked SASL account, is there any way to stop that
> rewriting process ? Or to know which account was being abused ?

Re: Spammers abusing my postfix box

2008-11-11 Thread Wietse Venema
Jaap Westerbeek:
> Supposing it IS a hacked SASL account, is there any way to stop that
> rewriting process ? Or to know which account was being abused ?
> Forcing all users to do a password change is not really an option with so
> many accounts.

Postfix logs the SASL user name to the maillog file

RE: Spammers abusing my postfix box

2008-11-11 Thread Jaap Westerbeek
rg Subject: Re: Spammers abusing my postfix box On Tue, Nov 11, 2008 at 11:31:38AM -0300, Jaap Westerbeek wrote: > I changed the order. > Note, my money is on "permit_sasl_authenticated" and weak credentials (like user "test" password "test", ...) or stolen cre

Re: Spammers abusing my postfix box

2008-11-11 Thread Victor Duchovni
On Tue, Nov 11, 2008 at 11:31:38AM -0300, Jaap Westerbeek wrote: > I changed the order. > Note, my money is on "permit_sasl_authenticated" and weak credentials (like user "test" password "test", ...) or stolen credentials (users victims of phishing). In which case you really should address that.

RE: Spammers abusing my postfix box

2008-11-11 Thread Jaap Westerbeek
I changed the order.

Thanks Wietse, I'll keep you posted :)

-Original Message-
From: Wietse Venema [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2008 11:09 AM
To: Jaap Westerbeek
Cc: postfix-users@postfix.org
Subject: Re: Spammers abusing my postfix box

Jaap Weste

Re: Spammers abusing my postfix box

2008-11-11 Thread Wietse Venema
Jaap Westerbeek:
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,
> check_recipient_access hash:/etc/postfix/access_recipient,

There is your open relay. Put it below

> reject_unauth_destination,

Wietse

Re: Spammers abusing my postfix box

2008-11-11 Thread Johan Andersson
Jaap Westerbeek wrote:
Ok the (or some) spammer came back. For some reason everything seems to originate from localhost, which isn't telling me much. Where to look , what to do ?

It's NOT originating from localhost, that's just the last step from your amavis... This is the amavis tags...

RE: Spammers abusing my postfix box

2008-11-11 Thread Jaap Westerbeek
d_data_restrictions = reject_unauth_pipelining

-Original Message-
From: Wietse Venema [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2008 10:07 AM
To: Jaap Westerbeek
Cc: postfix-users@postfix.org
Subject: Re: Spammers abusing my postfix box

Jaap Westerbeek:
> Received: from

Re: Spammers abusing my postfix box

2008-11-11 Thread Wietse Venema
Jaap Westerbeek:
> Received: from User (unknown [64.129.70.219])
> by mail01.cq-link.sr (Postfix) with ESMTP id D8AFD5F4526;
> Fri, 7 Nov 2008 18:55:47 -0300 (SRT)

There's your spammer.

Wietse

Re: Spammers abusing my postfix box

2008-11-11 Thread John Peach
On Tue, 11 Nov 2008 09:39:32 -0300 "Jaap Westerbeek" <[EMAIL PROTECTED]> wrote:
> Ok the (or some) spammer came back.
>
> For some reason everything seems to originate from localhost, which isn't
> telling me much.
> Where to look , what to do ?
>
[snip]

You need the log entries for the email BE

RE: Spammers abusing my postfix box

2008-11-11 Thread Jaap Westerbeek
Ok the (or some) spammer came back.

For some reason everything seems to originate from localhost, which isn't telling me much.
Where to look , what to do ?

Postcat gives me this :

*** ENVELOPE RECORDS deferred/6/6F38E5F4595 ***
message_size:20911231 9 0
messa

Re: Spammers abusing my postfix box

2008-11-02 Thread mouss
Jaap Westerbeek wrote:
Hi All,

Lately some spammer has been able to relay spam through my server. I think they use a valid (hacked) account and then rewrite the sender e-mail address.

My setup is :
Debian Etch server
postfix-mysql 2.3.8-2+etch1
amavisd-new-2.6.1
spama

Re: Spammers abusing my postfix box

2008-10-31 Thread Randy
Jaap Westerbeek wrote:
Hi All,

Lately some spammer has been able to relay spam through my server. I think they use a valid (hacked) account and then rewrite the sender e-mail address.

My setup is :
Debian Etch server
postfix-mysql 2.3.8-2+etch1
amavisd-new-2.6.1
spamassass

Re: Spammers abusing my postfix box

2008-10-31 Thread Wietse Venema
Jaap Westerbeek:
> Hi All,
>
> Lately some spammer has been able to relay spam through my server.
> I think they use a valid (hacked) account and then rewrite the sender
> e-mail address.

I suggest that you identify the broken application or the compromised account (use weblogs and mail logs)

Spammers abusing my postfix box

2008-10-31 Thread Jaap Westerbeek
Hi All,

Lately some spammer has been able to relay spam through my server. I think they use a valid (hacked) account and then rewrite the sender e-mail address.

My setup is :
Debian Etch server
postfix-mysql 2.3.8-2+etch1
amavisd-new-2.6.1
spamassassin
cyrus imap serv