How to prevent spoofing from Postfix/local part

nihal · 04-29-2009, 10:51 AM

Some people sent spoofing mails from our mail users sent to our user from Postfix/local that is listed in maillog like below:

Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

Bu i do not know how to prevent this people not to use my Postfix/local delivery part. How can i prevent this attack?

When i connect to my mail server to sent or receive my mail it look like
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***
....
Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0....

But the attackers connect directly like below:

Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
....
Apr 29 17:29:59 ns1 postfix/qmgr[2218]: 3192E357FD9: removed

Do you have any idea to solve this problem?

How can the spammer connect to Postfix/local part? My mail server not open relay. i test it.

rweaver · 04-30-2009, 04:51 PM

Nothing personal, but you're unable to tell the difference between your smtp and pop3 daemon. I suggest you use one of the relay testers on the net to verify that you're not relaying. If you still are coming up as not an open relay then we need more examples to make a determination of what is happening and accurate logs from postfix, we really don't care what dovecot's pop3 is doing when you're talking about sending mail out.

billymayday · 04-30-2009, 05:27 PM

I would assume that entry is simply postfix delivering to local for local delivery rather than relaying. There should be a log entry prior to this to tell you the IP the server is connected to.

emetib · 05-02-2009, 12:30 PM

here's a relay test that you can use-
telnet rt.njabl.org 2500

rweaver · 05-04-2009, 09:37 AM

Quote:

Originally Posted by emetib

here's a relay test that you can use-
telnet rt.njabl.org 2500

For reference, you type that into a console on the machine you want to test, and port 25 needs to be forwarded to the machine if it's behind a firewall.

nihal · 05-05-2009, 02:08 AM

When i start "telnet rt.njabl.org 2500" it gives this error:
rt.njabl.org/2500: Name or service not know

But i want to say my problem with more details:

I am sharing symptoms..

1. I looked http://www.backscatterer.org and saw this messages;

Code:

A total of 112 Impacts were seen during this listing. <strong>Last was 2009/05/04 10:11 </strong>
Earliest date this IP can expire is 2009/06/01. 

History:2008/03/27 22:28 listed 
2008/04/24 23:30 expired 
2008/07/06 11:15 listed 
2008/08/03 11:30 expired 
2008/10/25 21:59 listed 
2008/11/22 21:03 expired 
2008/11/28 13:20 listed 
2008/12/26 14:03 expired 
2009/01/18 12:24 listed 
2009/02/15 13:05 expired 
2009/02/26 22:00 listed

When ı saw this, immediately ı check maillog and ı saw there are suspect behaviours in the log..
(this is little sample.. every day event is same.. ı am testing and searching for three days)
That is log;

Code:

May  4 10:11:16 ns1 postfix/qmgr[22585]: 208313582F7: from=<>, size=3511, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: B73073573D5: from=<>, size=4174, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 6A21B357FE3: from=<>, size=19676, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 608DB3565C2: from=<>, size=5814, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: D0233358286: from=<>, size=4649, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: DFE6D357A5E: from=<>, size=2637, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: D6973357E8F: from=<>, size=7928, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: CBE3F3578A7: from=<>, size=4142, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: A5D06357AAF: from=<>, size=19281, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: A8520356E10: from=<>, size=3708, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 4A4E93578E3: from=<>, size=3538, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 177BB3580F2: from=<>, size=3568, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 10DAF357893: from=<>, size=2507, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 73C083573B4: from=<>, size=20001, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 7922335809A: from=<>, size=2559, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 38F5D357CB1: from=<>, size=3559, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 3B20B357598: from=<>, size=3527, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 3DEA5357C4A: from=<>, size=19171, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 32FB7357D4A: from=<>, size=7820, nrcpt=1 (queue active)
May  4 10:11:16 ns1 postfix/qmgr[22585]: 890673580F9: from=<>, size=3624, nrcpt=1 (queue active)

and when ı search any qmgr number "for example: 177BB3580F2 "
ı see another log line;

Code:

May  4 10:13:16 ns1 postfix/smtp[18790]: 177BB3580F2: to=<goaled10@bbvacash-mx.com>, relay=none, delay=29981, status=deferred (connect to mail.alestra.net.mx[207.248.224.151]: Connection timed out)

So ı noticed that exactly my server send spam.. after more carefully searching ı catch time while my server sends spam, and ı immediately open postfix mail queue from vritualmin and ı saw outgoing spam mails, after open any mail's content then ı noticed these mail's content to spam...

So ı want to ask you

1.) What is the meaning of blank from=<>
2.) How my server send mail by itself
3.) Which process trigger this mail sending process, and which log file help to show me trigger process

My main.cf is attached.

emetib · 05-05-2009, 11:38 AM

you're being an open relay right now.
you have to fix your main.cf big time.

first-
fix your myhostname mydomainname myorigin

second-
fix your mynetworks=xxx.xxx.xxx.xxx/29,127.0.0.1
this right here is your biggest problem. you have to get rid of the xxx shit, just use 127.0.0.1/8

uncomment your relayhost and have it empty

start with that.

do you have a hostname? a domain name?

nihal · 05-06-2009, 04:08 AM

so i change mynetworks value like below

Code:

mynetworks=127.0.0.1/8

i change

Code:

myhostname=ns1.mydomain.com

like this. Bu what is the meaning of this?

And i open

Code:

relayhost=

with empty value. But what is the meaning of this?

Sorry, my english is not good.

what must i do now?

billymayday · 05-06-2009, 04:39 AM

Relayhost is simply the next port of call for non-local deliveries.

emetib · 05-06-2009, 11:10 AM

myorigin = $mydomain
mydomain = domainname http://en.wikipedia.org/wiki/Domain_name
myhostname = fqdn http://en.wikipedia.org/wiki/FQDN

do you have a registered domain name?
if you don't have a fqdn, you won't be able to set this up.