-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wietse Venema
Sent: Tuesday, November 11, 2008 1:30 PM
To: Postfix users
Subject: Re: Spammers abusing my postfix box
What is the output of:
grep 6F38E5F4595 /the/maillog/file
grep D8AFD5F4526 /the/maillog/file
One is before Amavis, one is after Amavis.
Wietse
On 11/11/2008 11:07 AM, Jaap Westerbeek wrote:
> Digging into the logfiles, I could not find the spammer (64.129.70.219) had
> used SASL
So if he didn't get in through sasl_auth, obviously he must have gotten
in through a hole in your
check_recipient_access hash:/etc/postfix/access_recipient,
Sent: Tuesday, November 11, 2008 12:34 PM
To: Jaap Westerbeek
Cc: postfix-users@postfix.org
Subject: Re: Spammers abusing my postfix box
Jaap Westerbeek:
> Supposing it IS a hacked SASL account, is there any way to stop that
> rewriting process ? Or to know which account was being abused ?
> Forcing all users to do a password change is not really an option with so
> many accounts.
Postfix logs the SASL user name to the maillog file
Subject: Re: Spammers abusing my postfix box
On Tue, Nov 11, 2008 at 11:31:38AM -0300, Jaap Westerbeek wrote:
> I changed the order.
>
Note, my money is on "permit_sasl_authenticated" and weak credentials
(like user "test" password "test", ...) or stolen credentials (users
victims of phishing). In which case you really should address that.
I changed the order.
Thanks Wietse, I'll keep you posted :)
-Original Message-
From: Wietse Venema [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2008 11:09 AM
To: Jaap Westerbeek
Cc: postfix-users@postfix.org
Subject: Re: Spammers abusing my postfix box
Jaap Westerbeek:
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,
> check_recipient_access hash:/etc/postfix/access_recipient,
There is your open relay. Put it below
> reject_unauth_destination,
Wietse
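The ordering problem pointed out in the message above, as an added example that is not part of the original thread: a Python check that reads smtpd_recipient_restrictions from main.cf text and reports access-map lookups keyed on client-supplied values that are evaluated before reject_unauth_destination. The sample configurations are constructed from the restriction lines quoted in the thread; the function names and the set of lookups treated as risky are this example's own choices.

```python
import re

# Lookups keyed on values the remote client supplies; an OK result from one,
# evaluated before reject_unauth_destination, permits relaying (example's choice).
RISKY = {"check_recipient_access", "check_sender_access", "check_helo_access"}

def read_param(main_cf_text, name):
    """Return a main.cf parameter value, joining continuation lines."""
    logical = []
    for raw in main_cf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:      # leading whitespace continues
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    value = None
    for line in logical:
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip()               # the last definition wins
    return value

def split_restrictions(value):
    """Split on commas/whitespace, pairing each check_* with its argument."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        takes_arg = tokens[i].startswith("check_") and i + 1 < len(tokens)
        items.append((tokens[i], tokens[i + 1] if takes_arg else None))
        i += 2 if takes_arg else 1
    return items

def relay_findings(main_cf_text):
    value = read_param(main_cf_text, "smtpd_recipient_restrictions")
    items = split_restrictions(value or "")
    names = [n for n, _ in items]
    if "reject_unauth_destination" not in names:
        return ["reject_unauth_destination is missing from smtpd_recipient_restrictions"]
    guard = names.index("reject_unauth_destination")
    return [f"{n} {arg} is evaluated before reject_unauth_destination"
            for n, arg in items[:guard] if n in RISKY]

# Constructed samples based on the restriction lines quoted in the thread.
ACCESS = "check_recipient_access hash:/etc/postfix/access_recipient"
HEAD = "smtpd_recipient_restrictions =\n  permit_sasl_authenticated,\n  "
BEFORE = HEAD + ACCESS + ",\n  reject_unauth_destination\n"
AFTER = HEAD + "reject_unauth_destination,\n  " + ACCESS + "\n"
```

The text printed by `postconf -n` can be passed to `relay_findings` in place of a main.cf file. On Postfix 2.10 and later, reject_unauth_destination may sit in smtpd_relay_restrictions instead, which this check does not read.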
Jaap Westerbeek wrote:
Ok the (or some) spammer came back.
For some reason everything seems to originate from localhost, which isn't
telling me much.
Where to look , what to do ?
It's NOT originating from localhost, that's just the last step from your
amavis...
This is the amavis tags...
d_data_restrictions = reject_unauth_pipelining
-Original Message-
From: Wietse Venema [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2008 10:07 AM
To: Jaap Westerbeek
Cc: postfix-users@postfix.org
Subject: Re: Spammers abusing my postfix box
Jaap Westerbeek:
> Received: from User (unknown [64.129.70.219])
> by mail01.cq-link.sr (Postfix) with ESMTP id D8AFD5F4526;
> Fri, 7 Nov 2008 18:55:47 -0300 (SRT)
There's your spammer.
Wietse
On Tue, 11 Nov 2008 09:39:32 -0300
"Jaap Westerbeek" <[EMAIL PROTECTED]> wrote:
> Ok the (or some) spammer came back.
>
> For some reason everything seems to originate from localhost, which isn't
> telling me much.
> Where to look , what to do ?
>
[snip]
You need the log entries for the email BE
Ok the (or some) spammer came back.
For some reason everything seems to originate from localhost, which isn't
telling me much.
Where to look , what to do ?
Postcat gives me this :
*** ENVELOPE RECORDS deferred/6/6F38E5F4595 ***
message_size:20911231 9
0
messa
Jaap Westerbeek wrote:
Hi All,
Lately some spammer has been able to relay spam through my server.
I think they use a valid (hacked) account and then rewrite the sender
e-mail address.
My setup is :
Debian Etch server
postfix-mysql 2.3.8-2+etch1
amavisd-new-2.6.1
spamassass
Jaap Westerbeek:
> Hi All,
>
> Lately some spammer has been able to relay spam through my server.
> I think they use a valid (hacked) account and then rewrite the sender
> e-mail address.
I suggest that you identify the broken application or the compromised
account (use weblogs and mail logs)
Hi All,
Lately some spammer has been able to relay spam through my server.
I think they use a valid (hacked) account and then rewrite the sender
e-mail address.
My setup is :
Debian Etch server
postfix-mysql 2.3.8-2+etch1
amavisd-new-2.6.1
spamassassin
cyrus imap serv