Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
Some people sent spoofing mails from our mail users sent to our user from Postfix/local that is listed in maillog like below:
Apr 29 16:57:02 ns1 postfix/local: EC2153565E3: to=<email@example.com>, orig_to=<firstname.lastname@example.org>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Bu i do not know how to prevent this people not to use my Postfix/local delivery part. How can i prevent this attack?
When i connect to my mail server to sent or receive my mail it look like
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<email@example.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***
Apr 29 17:25:55 ns1 dovecot: POP3(firstname.lastname@example.org): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0....
Nothing personal, but you're unable to tell the difference between your smtp and pop3 daemon. I suggest you use one of the relay testers on the net to verify that you're not relaying. If you still are coming up as not an open relay then we need more examples to make a determination of what is happening and accurate logs from postfix, we really don't care what dovecot's pop3 is doing when you're talking about sending mail out.
A total of 112 Impacts were seen during this listing. <strong>Last was 2009/05/04 10:11 </strong>
Earliest date this IP can expire is 2009/06/01.
History:2008/03/27 22:28 listed
2008/04/24 23:30 expired
2008/07/06 11:15 listed
2008/08/03 11:30 expired
2008/10/25 21:59 listed
2008/11/22 21:03 expired
2008/11/28 13:20 listed
2008/12/26 14:03 expired
2009/01/18 12:24 listed
2009/02/15 13:05 expired
2009/02/26 22:00 listed
When ı saw this, immediately ı check maillog and ı saw there are suspect behaviours in the log..
(this is little sample.. every day event is same.. ı am testing and searching for three days)
That is log;
and when ı search any qmgr number "for example: 177BB3580F2 "
ı see another log line;
May 4 10:13:16 ns1 postfix/smtp: 177BB3580F2: to=<email@example.com>, relay=none, delay=29981, status=deferred (connect to mail.alestra.net.mx[18.104.22.168]: Connection timed out)
So ı noticed that exactly my server send spam.. after more carefully searching ı catch time while my server sends spam, and ı immediately open postfix mail queue from vritualmin and ı saw outgoing spam mails, after open any mail's content then ı noticed these mail's content to spam...
So ı want to ask you
1.) What is the meaning of blank from=<>
2.) How my server send mail by itself
3.) Which process trigger this mail sending process, and which log file help to show me trigger process