I am new to web hosting. I am running a not so big hosting business and do not have many customers. One of our customers has complained to me that registration mails from his website go to spam. I searched my IP and found it blacklisted in two databases.
I started to analyze logs and noticed that from the 25th of April something started to happen. Tons of mails are sent, but I do not have that many customers. My mail server is in the .lv zone and I have customers with .lv domains, but mostly some .es mail addresses are there in the maillog.
The maillog is full of records of this kind:
Quote:
May 10 23:29:10 s2 sendmail[24894]: alias database /etc/aliases rebuilt by root
May 10 23:29:10 s2 sendmail[24894]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
May 10 23:29:10 s2 postfix/postfix-script: starting the Postfix mail system
May 10 23:29:10 s2 postfix/master[24940]: daemon started -- version 2.3.3, configuration /etc/postfix
May 10 23:29:10 s2 postfix/qmgr[24943]: EF8FB104715: from=<oficina@banestnet.es>, size=2466, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 12BB110476C: from=<info@bancaja.es>, size=2411, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: DD321104AA3: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1F1C31049C8: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: B4256104A91: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 16087104ABA: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 7C140104A30: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1DBF8104763: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 3EF34104A94: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 10524104B1D: from=<>, size=4283, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: D7476104739: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1B061104A63: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 20B4A1049BF: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1AE4F104A3E: from=<info@santandersupernet.es>, size=3322, nrcpt=49 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: E83FD1048F8: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1F6591046ED: from=<oficina@banestnet.es>, size=2466, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: B2B1910470C: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1190610463F: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 7FDF11049C6: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 150BB104940: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 6C9B3104A3B: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1E5E210470F: from=<oficina@banestnet.es>, size=2466, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 18B78104A20: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 19F8F104913: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: EA5E21048A8: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1EC44104978: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 37BD41046F1: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1849B1048E5: from=<>, size=8177, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 87D4B1049E9: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1AD35104B0A: from=<>, size=11424, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 863FA104ACF: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 11766104B27: from=<>, size=5173, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 53AF210478E: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 18F8D10482E: from=<>, size=7066, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1098C104A85: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1A565104971: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 14EAE1047B1: from=<>, size=10543, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 16CCE104B24: from=<>, size=5388, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1C4411048D8: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 17C83104791: from=<info@bancaja.es>, size=2411, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 14407104A0A: from=<>, size=8067, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 154FD10478F: from=<info@bancaja.es>, size=2411, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 11328104A44: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 1686C104A03: from=<>, size=10161, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 164DC104757: from=<info@bancaja.es>, size=2411, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 17EF5104A8B: from=<info@banesnet.es>, size=2453, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 11E691049A5: from=<info@santandersupernet.es>, size=3322, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 12D171048E4: from=<info@bancaja.es>, size=2395, nrcpt=50 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: 10D321046CE: from=<>, size=8321, nrcpt=1 (queue active)
and more:
Quote:
May 10 23:29:11 s2 postfix/qmgr[24943]: 0817B104877: from=<info@bancaja.es>, size=2395, nrcpt=49 (queue active)
May 10 23:29:11 s2 postfix/qmgr[24943]: 0C0C7104A14: from=<>, size=5170, nrcpt=1 (queue active)
May 10 23:29:11 s2 postfix/qmgr[24943]: 052E9104717: from=<>, size=5478, nrcpt=1 (queue active)
May 10 23:29:11 s2 postfix/smtp[24960]: connect to primera.net.uniovi.es[156.35.11.21]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[24952]: 12BB110476C: host mxav2.loschatosdelturia.com[62.193.206.40] refused to talk to me: 554 av3.amenworld.com AMEN AMEN requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement.
May 10 23:29:11 s2 postfix/smtp[24965]: connect to correo0.uma.es[150.214.40.111]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[24961]: connect to mailhost.inves.es[62.97.103.145]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[24961]: DD321104AA3: to=<juandi@inves.es>, relay=none, delay=303490, delays=303490/0.14/0.2/0, dsn=4.4.1, status=deferred (connect to mailhost.inves.es[62.97.103.145]: Connection refused)
May 10 23:29:11 s2 postfix/smtp[24952]: 12BB110476C: to=<loschatosdelturia@loschatosdelturia.com>, relay=mxav1.loschatosdelturia.com[62.193.206.39]:25, delay=393754, delays=393754/0.07/0.29/0, dsn=4.0.0, status=deferred (host mxav1.loschatosdelturia.com[62.193.206.39] refused to talk to me: 554 av3.amenworld.com AMEN AMEN requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement.)
May 10 23:29:11 s2 postfix/smtp[25011]: connect to correo0.uma.es[150.214.40.111]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[24951]: 12BB110476C: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...4df38e2b4e03c3c373833e4b5a3b5ae3cf83779a6 3c78a5bc39e635b5ef7f7bb132ad3bef7d3afabdfdb...
May 10 23:29:11 s2 postfix/smtp[24953]: 12BB110476C: host mxav2.loscorleone.com[62.193.206.42] refused to talk to me: 554 av4.amenworld.com AMEN AMEN requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement.
May 10 23:29:11 s2 postfix/smtp[25032]: connect to mailhost-antispam.ttd.net[213.0.184.65]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[25032]: 1DBF8104763: to=<danidaniel@jumpy.es>, relay=none, delay=307199, delays=307199/0.45/0.09/0, dsn=4.4.1, status=deferred (connect to mailhost-antispam.ttd.net[213.0.184.65]: Connection refused)
May 10 23:29:11 s2 postfix/smtp[24986]: connect to mail-av.celbio.it[217.194.7.78]: Connection refused (port 25)
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es: num=19:self signed certificate in certificate chain
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es: num=24:invalid CA certificate
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es: num=26:unsupported certificate purpose
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es: num=10:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24963]: certificate verification failed for mx.terra.es:certificate has expired
May 10 23:29:11 s2 postfix/smtp[24948]: EF8FB104715: to=<oportunidade.vaga@terra.com.br>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=368659, delays=368658/0.06/0.53/0, dsn=4.7.1, status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] refused to talk to me: 450 4.7.1 Client host rejected: cannot find your hostname, [87.226.13.245])
May 10 23:29:11 s2 postfix/smtp[25002]: 16087104ABA: to=<mirandajose@mixmail.com>, relay=ing.wanadoo.es[62.36.20.73]:25, delay=303410, delays=303409/0.32/0.28/0, dsn=4.0.0, status=deferred (host ing.wanadoo.es[62.36.20.73] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
May 10 23:29:11 s2 postfix/smtp[24962]: DD321104AA3: to=<juanfernandez1973@orangemail.es>, relay=inc.wanadoo.es[62.36.20.20]:25, delay=303491, delays=303490/0.14/0.47/0, dsn=4.0.0, status=deferred (host inc.wanadoo.es[62.36.20.20] refused to talk to me: 550 Reverse DNS lookup failed for host 87.226.13.245.)
I have tested my server for open relay on some site and got the answer:
>Unable to relay: Invalid response code received from server
> This server is NOT Open Relay
Set up your servers with some form of authentication for users to send email. Most likely, if you do not get your users to log in or authenticate, then your server is open to relay. While you're at it, you might as well implement encryption for email transfer at the same time.
You might also want to think about using a different port number rather than the standard 25 for SMTP (this is not much protection, but makes you a slightly less easy target).
Thanks guys for so quick replies - I really appreciate your help!
Unfortunately I cannot provide postconf -n now; I will do it later today. But I can provide my main.cf now:
I have AUTH enabled. All my customers have their own username and password for authentication on the SMTP server. Maybe one of the accounts is hacked? How do I check it?
Don't worry about postconf -n then, main.cf is OK. Doesn't look like an open relay.
I think you will need to trawl through the logs and work out what connection is sending those mails. I think your guess of a hacked customer is probably correct.
Is it correct that someone is using one of my customers' usernames and passwords to send spam through my mail server? I did trawl through the logs, but I cannot understand how to work out what connection is sending those mails. Should there be login attempts to SMTP?
I had this problem last year with a non-profit client. One of their 'volunteers' had answered a Nigerian spam; their password was their first name, and the Nigerian took over their email account and started sending spam off of our mail servers, which got our entire cluster blacklisted for a day.
I actually found out which email account was sending the offending spam from the blacklist provider themselves. The various ISPs (Verizon, Earthlink, etc.) were all very helpful in helping us nail down the spammer as well, so don't be afraid to ask them for help on which account is sending the spam.
It took about 24 hours to resolve the issue and get removed from the blacklists, so keep at it and don't be afraid to ask the ISP or the blacklist moderator for info on the spam. They will gladly help you stem the tide of spam.
If they are authenticating, the authentication is surely being recorded in the appropriate log, whichever that may be, and if it's spam, there will be plenty of them.
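To see which account the authenticated mail is coming from, as the reply above suggests, the smtpd lines (which carry the client host and, with SASL AUTH, sasl_username) have to be joined to the qmgr lines by queue ID. The script below is an added example, not code from the thread; the log excerpt, hosts and account names are constructed, and it assumes the standard Postfix "client=host[ip], sasl_method=..., sasl_username=..." log form.

```python
import re
from collections import defaultdict
# Postfix logs one smtpd line per message accepted over SMTP; with SASL AUTH it names the account.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)"
                      r"(?:.*?sasl_username=(?P<user>[^,\s]+))?")
# The qmgr line for the same queue ID carries the envelope sender and the recipient count.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
                     r"size=\d+, nrcpt=(?P<nrcpt>\d+)")
LOCAL = "(no SASL login: local submission or unauthenticated client)"

def summarize(lines):
    """Per SASL account: distinct messages, recipients addressed, client hosts and envelope senders."""
    auth, seen = {}, set()
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "clients": set(), "senders": set()})
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            auth[m["qid"]] = (m["user"], m["client"])
            continue
        m = QMGR_RE.search(line)
        # qmgr logs "(queue active)" again each time a deferred message is retried (the
        # restart in the thread did exactly that), so count each queue ID only once.
        if not m or m["qid"] in seen:
            continue
        seen.add(m["qid"])
        user, client = auth.get(m["qid"], (None, None))
        s = stats[user or LOCAL]   # no smtpd line: injected locally (sendmail/pickup), not a stolen login
        s["messages"] += 1
        s["recipients"] += int(m["nrcpt"])
        s["senders"].add(m["sender"])
        if client:
            s["clients"].add(client)
    return dict(stats)

# Constructed maillog excerpt in the shape of the thread's log; hosts, accounts and addresses are made up.
SAMPLE = """\
May 10 22:01:05 s2 postfix/smtpd[24801]: A00000001: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=janis@example.lv
May 10 22:01:05 s2 postfix/qmgr[24943]: A00000001: from=<info@bank-example.es>, size=2411, nrcpt=50 (queue active)
May 10 22:01:07 s2 postfix/smtpd[24803]: A00000002: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=janis@example.lv
May 10 22:01:07 s2 postfix/qmgr[24943]: A00000002: from=<oficina@bank-example.es>, size=2466, nrcpt=49 (queue active)
May 10 22:01:08 s2 postfix/smtpd[24804]: A00000003: client=mail.customer.lv[192.0.2.10], sasl_method=PLAIN, sasl_username=shop@customer.lv
May 10 22:01:08 s2 postfix/qmgr[24943]: A00000003: from=<shop@customer.lv>, size=1800, nrcpt=1 (queue active)
May 10 22:01:09 s2 postfix/qmgr[24943]: A00000004: from=<>, size=4283, nrcpt=1 (queue active)
May 10 23:29:10 s2 postfix/qmgr[24943]: A00000001: from=<info@bank-example.es>, size=2411, nrcpt=50 (queue active)
""".splitlines()

if __name__ == "__main__":
    for user, s in sorted(summarize(SAMPLE).items(), key=lambda kv: kv[1]["recipients"], reverse=True):
        print(f'{user}: {s["messages"]} msgs to {s["recipients"]} rcpts from {sorted(s["clients"])}'
              f' as {sorted(s["senders"])}')
```

An account whose envelope senders are all in foreign domains and whose client hosts have no reverse DNS, as in the sample, is the one whose password to reset; messages that land in the unauthenticated bucket point at a local script rather than a stolen login.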