LinuxQuestions.org
Old 04-29-2009, 10:51 AM   #1
nihal
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Rep: Reputation: 0
How to prevent spoofing from Postfix/local part


Some people sent spoofed mails from our mail users to our users through Postfix/local, which is listed in the maillog like below:

Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

But I do not know how to prevent these people from using my Postfix/local delivery part. How can I prevent this attack?

When I connect to my mail server to send or receive my mail, it looks like this:
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***
....
Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0....



But the attackers connect directly like below:

Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
....
Apr 29 17:29:59 ns1 postfix/qmgr[2218]: 3192E357FD9: removed


Do you have any idea to solve this problem?

How can the spammer connect to the Postfix/local part? My mail server is not an open relay; I tested it.
 
Old 04-30-2009, 04:51 PM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
Nothing personal, but you're unable to tell the difference between your smtp and pop3 daemon. I suggest you use one of the relay testers on the net to verify that you're not relaying. If you still are coming up as not an open relay, then we need more examples to make a determination of what is happening and accurate logs from postfix; we really don't care what dovecot's pop3 is doing when you're talking about sending mail out.

Last edited by rweaver; 04-30-2009 at 04:53 PM.
 
Old 04-30-2009, 05:27 PM   #3
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
I would assume that entry is simply postfix delivering to local for local delivery rather than relaying. There should be a log entry prior to this to tell you the IP the server is connected to.
 
Old 05-02-2009, 12:30 PM   #4
emetib
Member
 
Registered: Feb 2003
Posts: 482

Rep: Reputation: 33
here's a relay test that you can use-
telnet rt.njabl.org 2500
 
Old 05-04-2009, 09:37 AM   #5
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
Quote:
Originally Posted by emetib View Post
here's a relay test that you can use-
telnet rt.njabl.org 2500
For reference, you type that into a console on the machine you want to test, and port 25 needs to be forwarded to the machine if it's behind a firewall.
 
Old 05-05-2009, 02:08 AM   #6
nihal
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Original Poster
Rep: Reputation: 0
When I start "telnet rt.njabl.org 2500" it gives this error:
rt.njabl.org/2500: Name or service not know

But I want to describe my problem in more detail:

I am sharing the symptoms:

1. I looked at http://www.backscatterer.org and saw these messages:

Code:
A total of 112 Impacts were seen during this listing. Last was 2009/05/04 10:11
Earliest date this IP can expire is 2009/06/01. 

History:2008/03/27 22:28 listed 
2008/04/24 23:30 expired 
2008/07/06 11:15 listed 
2008/08/03 11:30 expired 
2008/10/25 21:59 listed 
2008/11/22 21:03 expired 
2008/11/28 13:20 listed 
2008/12/26 14:03 expired 
2009/01/18 12:24 listed 
2009/02/15 13:05 expired 
2009/02/26 22:00 listed
When I saw this, I immediately checked the maillog and saw that there are suspect behaviours in the log.
(This is a little sample; every day the event is the same. I have been testing and searching for three days.)
That is the log:

Code:
May  4 10:11:16 ns1 postfix/qmgr[22585]: 208313582F7: from=<>, size=3511, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: B73073573D5: from=<>, size=4174, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 6A21B357FE3: from=<>, size=19676, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 608DB3565C2: from=<>, size=5814, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: D0233358286: from=<>, size=4649, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: DFE6D357A5E: from=<>, size=2637, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: D6973357E8F: from=<>, size=7928, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: CBE3F3578A7: from=<>, size=4142, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: A5D06357AAF: from=<>, size=19281, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: A8520356E10: from=<>, size=3708, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 4A4E93578E3: from=<>, size=3538, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 177BB3580F2: from=<>, size=3568, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 10DAF357893: from=<>, size=2507, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 73C083573B4: from=<>, size=20001, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 7922335809A: from=<>, size=2559, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 38F5D357CB1: from=<>, size=3559, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 3B20B357598: from=<>, size=3527, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 3DEA5357C4A: from=<>, size=19171, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 32FB7357D4A: from=<>, size=7820, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 890673580F9: from=<>, size=3624, nrcpt=1 (queue active)
and when I search for any qmgr number (for example 177BB3580F2)
I see another log line:

Code:
May  4 10:13:16 ns1 postfix/smtp[18790]: 177BB3580F2: to=<goaled10@bbvacash-mx.com>, relay=none, delay=29981, status=deferred (connect to mail.alestra.net.mx[207.248.224.151]: Connection timed out)
So I noticed that my server itself sends spam. After searching more carefully I caught the time while my server sends spam, and I immediately opened the postfix mail queue from Virtualmin and saw outgoing spam mails; after opening any mail's content I noticed that these mails' content is spam...

So I want to ask you:

1.) What is the meaning of the blank from=<>?
2.) How does my server send mail by itself?
3.) Which process triggers this mail sending process, and which log file helps to show me the triggering process?


My main.cf is attached.
Attached Files
File Type: txt maincf1.txt (28.3 KB, 6 views)

Last edited by nihal; 05-05-2009 at 02:11 AM.
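As an added example (not code from the thread or from Postfix), here is one way to answer question 1 and to check for the pattern that gets a host listed at backscatterer.org: from=<> is the null envelope sender that Postfix uses for bounce messages, so a burst of null-sender queue entries leaving for outside domains means the server is bouncing undeliverable spam back to forged sender addresses (backscatter). The script parses maillog lines in the format shown above, merges the qmgr/smtp/local entries per queue ID and lists null-sender messages bound for non-local recipients; the log lines and the local-domain set are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the maillog format shown in the thread (not real traffic).
SAMPLE_LOG = """\
May  4 10:11:16 ns1 postfix/qmgr[22585]: 208313582F7: from=<>, size=3511, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 177BB3580F2: from=<>, size=3568, nrcpt=1 (queue active)
May  4 10:11:20 ns1 postfix/qmgr[22585]: AAAA1111111: from=<user@mydomain.com>, size=900, nrcpt=1 (queue active)
May  4 10:13:16 ns1 postfix/smtp[18790]: 177BB3580F2: to=<victim@example.org>, relay=none, delay=29981, status=deferred (connect to mx.example.org[192.0.2.25]: Connection timed out)
May  4 10:13:17 ns1 postfix/smtp[18791]: 208313582F7: to=<someone@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=3, status=sent (250 OK)
May  4 10:13:18 ns1 postfix/local[3075]: AAAA1111111: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=1, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
May  4 10:13:19 ns1 postfix/qmgr[22585]: 208313582F7: removed
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<proc>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
# key=<address> or key=bareword; the free text in parentheses carries no '=' and is ignored
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")

def parse_maillog(text):
    """Merge the key=value fields of every line into one record per queue ID.
    Angle brackets are stripped, so the null sender from=<> becomes ''."""
    records = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records[m.group("qid")]
        rec.setdefault("procs", set()).add(m.group("proc"))
        for key, value in FIELD_RE.findall(m.group("rest")):
            rec[key] = value[1:-1] if value.startswith("<") else value
    return dict(records)

def find_backscatter(records, local_domains):
    """Queue IDs of bounces (null sender) handed to the smtp client for a
    recipient outside local_domains: outgoing backscatter, whatever its status."""
    hits = []
    for qid, rec in records.items():
        if rec.get("from") != "" or "to" not in rec or rec.get("relay") == "local":
            continue
        domain = rec["to"].rsplit("@", 1)[-1].lower()
        if domain not in local_domains:
            hits.append(qid)
    return sorted(hits)

if __name__ == "__main__":
    recs = parse_maillog(SAMPLE_LOG)
    for qid in find_backscatter(recs, {"mydomain.com"}):
        print(qid, recs[qid].get("to"), recs[qid].get("status"))
```

On a live box, feed it the real file (for example the output of `grep postfix /var/log/maillog`) and look at how many null-sender messages per hour go out; a legitimate server produces a handful, a backscatter source produces bursts like the one logged above.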
 
Old 05-05-2009, 11:38 AM   #7
emetib
Member
 
Registered: Feb 2003
Posts: 482

Rep: Reputation: 33
you're being an open relay right now.
you have to fix your main.cf big time.

first-
fix your myhostname mydomainname myorigin

second-
fix your mynetworks=xxx.xxx.xxx.xxx/29,127.0.0.1
this right here is your biggest problem. you have to get rid of the xxx shit, just use 127.0.0.1/8

uncomment your relayhost and have it empty

start with that.

do you have a hostname? a domain name?
 
Old 05-06-2009, 04:08 AM   #8
nihal
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Original Poster
Rep: Reputation: 0
so I changed the mynetworks value like below

Code:
mynetworks=127.0.0.1/8
I changed
Code:
myhostname=ns1.mydomain.com
like this. But what is the meaning of this?

And I opened
Code:
relayhost=
with an empty value. But what is the meaning of this?

Sorry, my english is not good.

What must I do now?

Last edited by nihal; 05-06-2009 at 04:17 AM.
 
Old 05-06-2009, 04:39 AM   #9
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Relayhost is simply the next port of call for non-local deliveries.
 
Old 05-06-2009, 11:10 AM   #10
emetib
Member
 
Registered: Feb 2003
Posts: 482

Rep: Reputation: 33
myorigin = $mydomain
mydomain = domainname http://en.wikipedia.org/wiki/Domain_name
myhostname = fqdn http://en.wikipedia.org/wiki/FQDN

do you have a registered domain name?
if you don't have a fqdn, you won't be able to set this up.
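The checks emetib asks for in posts #7 and #10 (a mynetworks line still carrying a template placeholder or trusting far too much, and a myhostname that is not a FQDN), as an added example that is not code from the thread or from Postfix. The two main.cf fragments are constructed, and the parser only handles the key = value and continuation-line syntax of main.cf, not $variable expansion.

```python
import ipaddress
import re

# Constructed main.cf fragments modelled on the thread's settings (not the attached file).
BAD_MAIN_CF = """\
# copied from a template and never finished
myhostname = ns1
mydomain = mydomain.com
myorigin = $mydomain
mynetworks = xxx.xxx.xxx.xxx/29,
    127.0.0.1
"""
GOOD_MAIN_CF = """\
myhostname = ns1.mydomain.com
mydomain = mydomain.com
myorigin = $mydomain
mynetworks = 127.0.0.1/8, [::1]/128
relayhost =
"""

def parse_main_cf(text):
    """main.cf syntax: 'key = value', '#' comment lines, and a line that starts
    with whitespace continues the previous parameter's value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params

def audit(params):
    """Findings for the settings discussed in the thread; an empty list is clean."""
    findings = []
    if "." not in params.get("myhostname", ""):
        findings.append("myhostname is not a fully qualified domain name")
    for net in filter(None, re.split(r"[,\s]+", params.get("mynetworks", ""))):
        if net.startswith(("/", "$")) or re.match(r"^[a-z]+:", net):
            continue  # a file or lookup table reference; not checked here
        try:
            ip_net = ipaddress.ip_network(net.strip("[]").replace("]/", "/"), strict=False)
        except ValueError:
            findings.append(f"mynetworks has an unresolved or invalid entry: {net}")
            continue
        if ip_net.prefixlen == 0:
            findings.append(f"mynetworks trusts every address on the internet: {net}")
    return findings
```

Any host in mynetworks is allowed to relay through the server, so every entry there should be an address range you own; the placeholder entry is rejected rather than silently ignored so it cannot hide a typo.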
 