Old 04-20-2006, 11:50 PM   #1
cylarz
Member
 
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54

Rep: Reputation: 15
strange postfix error message


Hey all,

I run Fedora Core 5 from Red Hat. I'm also running Postfix as my mail daemon, along with a program called LogWatch that mails a system log summary each day to my root account.

While browsing this log watch yesterday, the following snippet appeared in the Postfix section:

--------------------- postfix Begin ------------------------

5978 bytes transferred
2 messages sent
2 messages removed from queue

Relaying denied: 2 Time(s)

Unrecognized warning:
219-84-126-227-adsl-tpe.dynamic.so-net.net.tw[219.84.126.227] sent non-SMTP command: Subject:?erelay ok?f<my-ip-address-here> : 1 Time(s)
personaljames.com[82.165.30.80] sent non-SMTP command: From: "Chase Online" <online@chase.com> : 1 Time(s)

---------------------- postfix End --------------------------
(the field containing <my-ip-address-here> really did have my actual IP listed, which I am keeping confidential for security reasons.)

What exactly is that error message I see listed under "unrecognized warning?" I don't think it's a mail relay attempt, since it says just above that the system already denied two of those. Is this some kind of attempt to break into the system through the SMTP port, and if so, is there any indication the cracker was successful?

Thanks, Matt
 
Old 04-21-2006, 01:48 PM   #2
lucktsm
Member
 
Registered: May 2004
Location: Atlanta, GA USA
Distribution: Redhat ES4, FC4, FC5, slax, ubuntu, knoppix
Posts: 155

Rep: Reputation: 30
Looks like a spam attempt.

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 219.0.0.0 - 219.255.255.255
CIDR: 219.0.0.0/8
NetName: APNIC5
NetHandle: NET-219-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate:
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2006-04-20 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 82.0.0.0 - 82.255.255.255
CIDR: 82.0.0.0/8
NetName: 82-RIPE
NetHandle: NET-82-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2002-11-23
Updated: 2004-03-16

# ARIN WHOIS database, last updated 2006-04-20 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Most of the spam I see comes from these two subnets.
 
Old 04-22-2006, 12:53 AM   #3
cylarz
Member
 
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54

Original Poster
Rep: Reputation: 15
re: strange postfix error message

Thanks for your response. I have a number of questions about it, just some items that need clarification:

1. I notice that the message: 219-84-126-227-adsl-tpe.dynamic.so-net.net.tw[219.84.126.227] sent non-SMTP command: Subject:?erelay ok?f<my-ip-address-here> : 1 Time(s)

looks rather like, after being denied a relay, the spammer tried to connect a second time and "force" the server by sending a "relayOK" command. Am I assuming correctly?

2. I've configured Postfix to only forward the mail from the local box. The system is NOT the mail server for a LAN or network segment, but rather simply a stand-alone box being used for multiple purposes - web server, mail server, programming environment, etc. Given that, do you think this single configuration item is enough to bar spammers and others who would try to relay mail through the system? In other words, do you think I went far enough, or would you recommend additional security measures on Postfix? If so, what?

3. Is there a way for anyone to "crack" the system by getting in through the SMTP port? If so, how can I prevent this from happening? SMTP, to my knowledge, is one of only three ports open to the outside world - the other two being SSH and HTTP.

4. In addition to the relay attempts, the server has also suffered a large number of (failed) attacks via the SSH port recently. Without going into detail regarding all the measures I've taken to stop them, suffice it to say I want to BAN every IP address that has ever tried in any way to violate the system. When these banned IP's try to connect to the system, is there a way for the server to "lie" to the inbound connection and conceal the fact that a mail server is running there in the first place?

5. How are these people finding the system in the first place, and how do they know that a mail server is running there if they haven't been able to crack in or use it to relay spam? Are they just ASSUMING that any Unix/Linux host is running a mail server? And again, what methods do crackers/spammers use to find systems like mine? I am a nobody, running a system on an obscure network not connected to a major ISP or other large concern.

Thanks, Matt
 
Old 06-07-2007, 08:44 AM   #4
Jobe1986
LQ Newbie
 
Registered: Jun 2007
Posts: 1

Rep: Reputation: 0
I think I can shed a little light on a few of your points.

For 1) you actually assumed incorrectly, but I can see where you got the assumption from. What postfix was actually complaining about was that the relay scanner simply sent all the SMTP messages as if the message was successful, without paying any attention to the replies from postfix regarding the validity of the MAIL FROM, RCPT TO and HELO/EHLO commands.

For example, the following is a typical message as sent in raw format directly to the SMTP port:
Code:
HELO 
MAIL FROM: <[email-removed]>
RCPT TO: <[email-removed]>
DATA
Subject:ˇerelay okˇf[IP-removed]
MIME-Version: 1.0
Content-Type: text/html;charset="big5"
Content-Transfer-Encoding:7bit

ło«Ę«H relay from : [IP-removed]

The line Postfix complained about in your example was when the scanner sent the Subject: header expecting the DATA command to have been successful, without even paying attention to any errors.

For 2) usually limiting who can relay through your server based on IP (not reverse hosts, as they can easily be forged) is enough, especially if you allow only IP's such as those reserved for local area networks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) or loopback (127.0.0.0/8).

For 5) about how they found your machine, various methods include running sequentially through IP subnets 1 at a time or from lists of open relays they already know.
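To make point 1 concrete, here is an added example (not from this thread and not Postfix's code) that models the command phase of an SMTP server and replays a constructed copy of the blind probe shown above. The IPs, addresses and the `mail.example.test` local domain are made up, and the reply strings only approximate Postfix's. It shows why one session produces both a "Relaying denied" entry and a "non-SMTP command" warning: the rejected RCPT TO leaves DATA with no recipients, so the header lines that follow (Subject:, or the forged From: in the second warning) are read as commands.

```python
import re

# Constructed replay of the blind probe: the client sends every line without reading replies.
PROBE_SESSION = [
    "HELO",
    "MAIL FROM: <probe@example.invalid>",
    "RCPT TO: <someone@example.invalid>",
    "DATA",
    "Subject: relay ok [198.51.100.7]",
    "MIME-Version: 1.0",
]

LOCAL_DOMAINS = {"mail.example.test"}  # stands in for $mydestination (hypothetical)
MYNETWORKS = {"127.0.0.1"}             # relaying allowed from loopback only (point 2)
HEADER_RE = re.compile(r"^[!-9;-~]+:")  # header-name shape such as "Subject:" or "From:"


def relay_session(lines, client_ip="203.0.113.9"):
    """Simplified model of an SMTP command phase (not Postfix's code).
    Returns (replies, log): one reply per line handled, plus the log entries
    that LogWatch would later summarise.  DATA needs an accepted RCPT first."""
    replies, log, rcpts = [], [], 0
    for line in lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            replies.append("250 ok" if arg else "501 Syntax: HELO hostname")
        elif verb == "MAIL":
            replies.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            domain = arg.rsplit("@", 1)[-1].rstrip(">")
            if client_ip in MYNETWORKS or domain in LOCAL_DOMAINS:
                rcpts += 1
                replies.append("250 2.1.5 Ok")
            else:  # this is the "Relaying denied" that LogWatch counts
                log.append(f"NOQUEUE: reject: RCPT from [{client_ip}]: 554 5.7.1 Relay access denied")
                replies.append("554 5.7.1 Relay access denied")
        elif verb == "DATA":
            if rcpts:
                replies.append("354 End data with <CR><LF>.<CR><LF>")
                break  # message body follows; not modelled here
            replies.append("554 5.5.1 Error: no valid recipients")
        elif HEADER_RE.match(line):
            # A header line while still in command mode: the client ignored the DATA rejection.
            log.append(f"warning: non-SMTP command from [{client_ip}]: {line[:100]}")
            replies.append("221 2.7.0 Error: I can break rules, too. Goodbye.")
            break
        else:
            replies.append("502 5.5.2 Error: command not recognized")
    return replies, log
```

Calling `relay_session(PROBE_SESSION)` returns the five replies the probe never read and the two log entries that correspond to the two LogWatch lines in the first post.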