From: Alan Hibberd (alan@nmmx.net)
Date: Wed Dec 12 2007 - 12:00:01 CST
Hello,
I think my server is being used to send spam.
I am getting around 800 emails a day, bounced emails, ones saying no
such user etc.
From looking at the headers of the email it seems the email is being
sent from <random stuff>@xerver.co.uk and the bounced emails come back
to alan@zalera.nmmx.net.
zalera.nmmx.net is the hostname of the server running postfix but it
also hosts email for xerver.co.uk.
An example of one of these bounced emails from maillog:
Dec 12 17:13:31 zalera postfix/smtpd[31853]: connect from dsl85-238-87-157.pool.tvnet.hu[85.238.87.157]
Dec 12 17:13:32 zalera postfix/smtpd[31853]: 33705630E35: client=dsl85-238-87-157.pool.tvnet.hu[85.238.87.157]
Dec 12 17:13:32 zalera postfix/cleanup[31856]: 33705630E35: message-id=<BC8C2102.EA665592@gishap.outstandingdistribution.com>
Dec 12 17:13:32 zalera postfix/qmgr[30938]: 33705630E35: from=<Helle-Kendall@gishap.outstandingdistribution.com>, size=1544, nrcpt=1 (queue active)
Dec 12 17:13:32 zalera postfix/local[31857]: 33705630E35: to=<alan@zalera.nmmx.net>, orig_to=<bulldogcoeducation@xerver.co.uk>, relay=local, delay=0.79, delays=0.78/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Dec 12 17:13:32 zalera postfix/qmgr[30938]: 33705630E35: removed
Dec 12 17:13:32 zalera postfix/smtpd[31853]: disconnect from dsl85-238-87-157.pool.tvnet.hu[85.238.87.157]
There is a catch all on nmmx.net, zalera.nmmx.net and xerver.co.uk,
all sent to alan.
And here is my postfix config
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_helo_required = yes
smtpd_help_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
virtual_mailbox_domains = hash:/etc/postfix/domains
virtual_alias_maps = hash:/etc/postfix/virtual
The only other thing to note is, checking at abuse.net the relay test
is ok (meaning it could not relay) but also in my maillog I can't see
anything sending mail, it's only the bounced ones.
Many thanks,
Alan.
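
Added example, not part of the original post: one way to check from the maillog whether the host is relaying mail or only accepting it is to merge the fields Postfix logs under each queue ID and classify the message by its relay= value. The sample log is constructed (the first message is modelled on the excerpt above, the second is invented), and the function name and category labels are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the first message is modelled on the post's maillog
# excerpt (wrapped lines joined); the second, a bounce leaving the host, is invented.
SAMPLE = """\
Dec 12 17:13:32 zalera postfix/smtpd[31853]: 33705630E35: client=dsl85-238-87-157.pool.tvnet.hu[85.238.87.157]
Dec 12 17:13:32 zalera postfix/qmgr[30938]: 33705630E35: from=<Helle-Kendall@gishap.outstandingdistribution.com>, size=1544, nrcpt=1 (queue active)
Dec 12 17:13:32 zalera postfix/local[31857]: 33705630E35: to=<alan@zalera.nmmx.net>, orig_to=<bulldogcoeducation@xerver.co.uk>, relay=local, delay=0.79, delays=0.78/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Dec 12 17:13:32 zalera postfix/qmgr[30938]: 33705630E35: removed
Dec 12 17:20:01 zalera postfix/qmgr[30938]: A1B2C3D4E5F: from=<>, size=2048, nrcpt=1 (queue active)
Dec 12 17:20:02 zalera postfix/smtp[31900]: A1B2C3D4E5F: to=<someone@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 ok)
"""

# daemon name, queue ID, then the key=value payload of the log line
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")
# key=value or key=<value>; "orig_to" is captured whole, never as "to"
FIELD = re.compile(r"(\w+)=<?([^>,\s]*)>?")


def classify(log_text):
    """Return {queue_id: kind}. Assumes one recipient per message (nrcpt=1)."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            msgs[m.group(2)].update(FIELD.findall(m.group(3)))
    kinds = {}
    for qid, f in msgs.items():
        if "relay" not in f:
            kinds[qid] = "undelivered"          # no delivery attempt logged yet
        elif f["relay"] in ("local", "virtual"):
            # accepted for a hosted domain; orig_to differs when an alias
            # or catch-all rewrote the recipient before delivery
            rewritten = f.get("orig_to", f["to"]) != f["to"]
            kinds[qid] = "inbound-catchall-or-alias" if rewritten else "inbound"
        elif f.get("from") == "":
            kinds[qid] = "outbound-bounce"      # null sender: a DSN leaving the host
        else:
            kinds[qid] = "outbound"             # mail handed to a remote MTA
    return kinds


if __name__ == "__main__":
    for qid, kind in classify(SAMPLE).items():
        print(qid, kind)
```

A log in which every queue ID comes out as an inbound kind shows mail arriving for hosted addresses rather than leaving through the server; any outbound kind is a message the host handed to another MTA.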