[SOLVED] Problems with spam - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega International Area (/forum-22.html)
+--- Forum: Spanish Corner (/forum-29.html)
+--- Thread: [SOLVED] Problems with spam (/thread-14947.html)
[SOLVED] Problems with spam - djtenssy - 08-16-2011 05:37 PM

Hi all,

I have a problem with spam being sent from my server, using a subdomain that does not exist (the domain does), and obviously from a non-existent mail account. It uses the accounts admin@www.dominio.com, plus info, www, mail and operator.

I have tried reconfiguring Postfix so that it does not let the emails through, but all in vain. Right now I have the service stopped, since I have been put on a blacklist, and up to 500 emails pile up in the queue in a short time.

My Postfix config is this:

# Postfix directory settings; These are critical for normal Postfix MTA functionality
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix

# Some common configuration parameters
inet_interfaces = all
mynetworks_style = host
myhostname = sv1.xxxxxxxx.com
mydomain = sv1.xxxxxxxx.local
myorigin = $myhostname
smtpd_banner = $myhostname ESMTP ispCP 1.0.6 OMEGA Managed
setgid_group = postdrop

# Receiving messages parameters
mydestination = $myhostname, $mydomain
append_dot_mydomain = no
append_at_myorigin = yes
local_transport = local
virtual_transport = virtual
transport_maps = hash:/etc/postfix/ispcp/transport
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Delivering local messages parameters
mail_spool_directory = /var/mail
# Mailbox quota
# => 0 for unlimited
# => 104857600 for 100 MB
mailbox_size_limit = 0
mailbox_command = procmail -a "$EXTENSION"
# Message size limit
# => 0 for unlimited
# => 104857600 for 100 MB
message_size_limit = 0
biff = no
recipient_delimiter = +
local_destination_recipient_limit = 1
local_recipient_maps = unix:passwd.byname $alias_database

# ispCP Autoresponder parameters
ispcp-arpl_destination_recipient_limit = 1

# Delivering virtual messages parameters
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_limit = 0
virtual_mailbox_domains = hash:/etc/postfix/ispcp/domains
virtual_mailbox_maps = hash:/etc/postfix/ispcp/mailboxes
virtual_alias_maps = hash:/etc/postfix/ispcp/aliases
virtual_minimum_uid = 1000
virtual_uid_maps = static:1000
virtual_gid_maps = static:8

# SASL parameters
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/ispcp/sender-access,
    reject
maps_rbl_domains = relays.ordb.org
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:12525,
    check_policy_service inet:127.0.0.1:60000,
    check_sender_access hash:/etc/postfix/ispcp/sender-prohibido,   <---- unauthorized addresses
    permit
smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining

# TLS parameters; activate, if available/used
#smtpd_tls_security_level = may
#smtpd_tls_loglevel = 2
#smtpd_tls_cert_file = /etc/postfix/cert.pem
#smtpd_tls_key_file = /etc/postfix/privkey.pem
#smtpd_tls_auth_only = no
#smtpd_tls_received_header = yes

# AMaViS parameters; activate, if available/used
#content_filter = amavis:[127.0.0.1]:10024

# Quota support; activate, if available/used
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = "The user you're trying to reach is over mailbox quota."
#virtual_overquota_bounce = yes

The contents of sender-prohibido:

admin@www.dominio.com     REJECT
info@www.dominio.com      REJECT
www@www.dominio.com       REJECT
mail@www.dominio.com      REJECT
operator@www.dominio.com  REJECT

I have even tried it with fail2ban as well, but I cannot get it to match the email address, or even just the subdomain.

An example from mail.log:

Aug 16 08:44:00 sv1 postfix/qmgr[4033]: A784D12099: from=<mail@www.domain.com>, size=696, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 90ED712095: from=<admin@www.domain.com>, size=757, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/smtp[4046]: 2EDE212087: to=<seximarcio@hotmail.com>, relay=mx2.hotmail.com[65.54.188.110]:25, conn_use=4, delay=13413, delays=13412/0.01/0.15/0.3, dsn=2.0.0, status=sent (250 <20110816064358.2EDE212087@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 56D2512004: from=<mail@www.domain.com>, size=739, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 2EDE212087: removed
Aug 16 08:44:00 sv1 postfix/smtp[4088]: 0785912039: to=<daddy2185@hotmail.com>, relay=mx3.hotmail.com[65.54.188.94]:25, conn_use=3, delay=19499, delays=19499/0/0.15/0.3, dsn=2.0.0, status=sent (250 <20110816064359.0785912039@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/smtp[4164]: F1B7F1200B: to=<dafkenn@hotmail.com>, relay=mx2.hotmail.com[65.54.188.94]:25, conn_use=4, delay=11567, delays=11567/0.01/0.15/0.3, dsn=2.0.0, status=sent (250 <20110816064358.F1B7F1200B@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: AA52A12017: from=<mail@www.domain.com>, size=634, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/cleanup[4079]: 7D81D12007: message-id=<20110816064400.7D81D12007@sv1.xxxxxxxx.com>
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: F1B7F1200B: removed
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 0785912039: removed
Aug 16 08:44:00 sv1 postfix/smtpd[4178]: disconnect from snt0-omc4-s46.snt0.hotmail.com[65.54.51.97]
Aug 16 08:44:00 sv1 postfix/bounce[4059]: B4C491202A: sender non-delivery notification: 7D81D12007
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: B984A1209E: from=<info@www.domain.com>, size=753, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: B4C491202A: removed
Aug 16 08:44:00 sv1 postfix/smtp[4180]: AE3D112083: to=<gentlman196@hotmail.com>, relay=mx2.hotmail.com[65.54.188.94]:25, conn_use=4, delay=462, delays=461/0.02/0.17/0.3, dsn=2.0.0, status=sent (250 <20110816064359.AE3D112083@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 95D6A12080: from=<admin@www.domain.com>, size=659, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: AE3D112083: removed
Aug 16 08:44:00 sv1 postfix/smtp[4167]: E7C461202F: to=<streetsweeper2@yahoo.com>, relay=k.mx.mail.yahoo.com[98.139.54.60]:25, delay=18744, delays=18739/3.5/0.33/0.74, dsn=2.0.0, status=sent (250 ok dirdel)
Aug 16 08:44:00 sv1 postfix/smtp[4040]: 613DB12021: to=<g-pm@live.com>, relay=mx4.hotmail.com[65.55.37.72]:25, delay=9439, delays=9438/0.08/0.44/0.32, dsn=2.0.0, status=sent (250 <20110816064358.613DB12021@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: BF7C112025: from=<www@www.domain.com>, size=700, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 613DB12021: removed
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: E7C461202F: removed
Aug 16 08:44:00 sv1 postfix/smtp[4181]: D4E98120A6: to=<saher_alleali_666@hotmail.com>, relay=mx3.hotmail.com[65.55.37.72]:25, conn_use=6, delay=17790, delays=17789/0.02/0.18/0.32, dsn=2.0.0, status=sent (250 <20110816064358.D4E98120A6@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 7F23612026: from=<admin@www.domain.com>, size=697, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: D4E98120A6: removed
Aug 16 08:44:00 sv1 postfix/smtp[4170]: 6887D760100: to=<jitrokasm@mail.com>, relay=mx0.gmx.com[74.208.5.90]:25, delay=3128, delays=3127/0.08/0.37/0.37, dsn=5.1.1, status=bounced (host mx0.gmx.com[74.208.5.90] said: 550 5.1.1 <jitrokasm@mail.com>... User is unknown {mx-us002} (in reply to RCPT TO command))
Aug 16 08:44:00 sv1 postfix/smtp[4050]: 5A9761208E: to=<sunilkddn@gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.229.27]:25, conn_use=4, delay=13523, delays=13521/0.48/0.02/1, dsn=2.0.0, status=sent (250 2.0.0 OK 1313477036 o52si17855340weq.89)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: B67471209D: from=<admin@www.domain.com>, size=743, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 5A9761208E: removed
Aug 16 08:44:00 sv1 postfix/smtp[4047]: 33B611203D: to=<polischeck.1@gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.229.27]:25, delay=12715, delays=12711/1.3/0.11/3, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[209.85.229.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 y56si17844043wec.111 (in reply to RCPT TO command))
Aug 16 08:44:00 sv1 postfix/smtp[4063]: C582A12052: to=<jthompson348@tampabay.rr.com>, relay=hrndva-smtpin01.mail.rr.com[71.74.56.243]:25, delay=5799, delays=5796/0.11/2.9/0.52, dsn=2.0.0, status=sent (250 OK 75/E0-09707-BA11A4E4)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 0C0DC12015: from=<admin@www.domain.com>, size=766, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: C582A12052: removed

Any idea how to stop this?

Thanks and regards.

-------------------------------------------------------------------

Hi again,

Everything is solved now; the enemy was inside the house. The problem was that the mail was being sent from within.

Apparently there is a vulnerability in some WordPress themes from WooThemes, and one of the blogs (the one on the domain that was sending) had a WooThemes theme. The solution: either change the theme or update it. The same thing also happened to me on another server at work, which also had a WooThemes theme (not the same one), and updating it put an end to it all.

If anyone has WordPress on their servers, take a look at mail.log, because it may be sending spam without you knowing.

Regards.
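The two halves of this thread fit together: the smtpd_*_restrictions in the config above (including the check_sender_access REJECT list) are evaluated only for mail that arrives over an SMTP session, whereas mail that a web application hands to the local sendmail command enters the queue through pickup(8) and never touches smtpd, so a sender REJECT list there cannot stop it. The script below is an added example, not code from the thread or from ispCP: it correlates pickup, smtpd and qmgr lines in a Postfix mail.log by queue ID, so that the forged sender addresses and the local uid that submitted them show up in one table. The log excerpt, queue IDs, hostnames and addresses are constructed; the hosted-domain set stands in for the contents of /etc/postfix/ispcp/domains, and treating uid 33 as www-data is an assumption that holds on Debian-based hosts.

```python
"""Triage a Postfix mail.log for forged senders injected by a local process.

Added example; not code from the thread or from ispCP. Queue IDs, hosts,
addresses and the hosted-domain set below are constructed.
"""
import re
from collections import Counter

# Constructed excerpt in Postfix's syslog format. uid 33 is www-data on
# Debian-based systems (an assumption about the host); uid 1000 is a shell user.
SAMPLE_LOG = """\
Aug 16 08:43:58 mx postfix/pickup[4030]: AAAA000001: uid=33 from=<www-data>
Aug 16 08:43:58 mx postfix/cleanup[4079]: AAAA000001: message-id=<20110816064358.AAAA000001@mx.example.invalid>
Aug 16 08:44:00 mx postfix/qmgr[4033]: AAAA000001: from=<mail@www.example.invalid>, size=696, nrcpt=1 (queue active)
Aug 16 08:43:59 mx postfix/pickup[4030]: AAAA000002: uid=33 from=<www-data>
Aug 16 08:44:00 mx postfix/qmgr[4033]: AAAA000002: from=<admin@www.example.invalid>, size=757, nrcpt=1 (queue active)
Aug 16 08:44:01 mx postfix/smtpd[4178]: AAAA000003: client=client.example.invalid[192.0.2.10], sasl_method=PLAIN, sasl_username=user@example.invalid
Aug 16 08:44:01 mx postfix/qmgr[4033]: AAAA000003: from=<user@example.invalid>, size=1200, nrcpt=1 (queue active)
Aug 16 08:44:02 mx postfix/qmgr[4033]: AAAA000004: from=<>, size=2300, nrcpt=1 (queue active)
Aug 16 08:44:03 mx postfix/pickup[4030]: AAAA000005: uid=1000 from=<alice>
Aug 16 08:44:03 mx postfix/qmgr[4033]: AAAA000005: from=<alice@example.invalid>, size=900, nrcpt=1 (queue active)
"""

# qmgr logs the envelope sender; pickup logs the submitting uid for sendmail(1)
# injections; smtpd logs the network client (and SASL user when authenticated).
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<user>[^>]*)>")
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)"
    r"(?:, sasl_method=[^,\s]+)?(?:, sasl_username=(?P<sasl>\S+))?"
)


def parse_log(text):
    """Correlate pickup/smtpd/qmgr lines by queue ID into one record per message.

    origin is 'local' (pickup: a command on the box called sendmail) or 'smtp'
    (smtpd: a network client); it is absent when neither line was logged.
    """
    records = {}
    for line in text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            rec = records.setdefault(m["qid"], {})
            rec.update(origin="local", uid=int(m["uid"]), local_user=m["user"])
            continue
        m = SMTPD_RE.search(line)
        if m:
            rec = records.setdefault(m["qid"], {})
            rec.update(origin="smtp", client=m["client"], sasl_username=m["sasl"])
            continue
        m = QMGR_RE.search(line)
        if m:
            records.setdefault(m["qid"], {})["sender"] = m["sender"]
    return records


def sender_domain(address):
    """Lower-cased domain part of an envelope address; '' for the null sender."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def find_unhosted_senders(records, hosted_domains):
    """Count envelope senders whose domain the server does not host, e.g. a
    subdomain that appears in no virtual_mailbox_domains entry. Bounces (from=<>)
    are skipped."""
    hosted = {d.lower() for d in hosted_domains}
    counts = Counter()
    for rec in records.values():
        sender = rec.get("sender", "")
        if sender and sender_domain(sender) not in hosted:
            counts[sender] += 1
    return counts


def origins_by_uid(records):
    """Messages per submitting uid for locally injected mail. A web-server uid
    dominating this table points at a script on the host rather than at an
    outside client, which is exactly the traffic smtpd restrictions never see."""
    return Counter(rec["uid"] for rec in records.values() if rec.get("origin") == "local")


def suspicious_local_submissions(records, hosted_domains):
    """(queue ID, uid, sender) for mail submitted locally under an unhosted domain."""
    hosted = {d.lower() for d in hosted_domains}
    hits = []
    for qid, rec in records.items():
        sender = rec.get("sender", "")
        if rec.get("origin") == "local" and sender and sender_domain(sender) not in hosted:
            hits.append((qid, rec["uid"], sender))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hosted = {"example.invalid"}  # constructed; on ispCP take the domains from /etc/postfix/ispcp/domains
    print("unhosted senders:", dict(find_unhosted_senders(recs, hosted)))
    print("local submissions by uid:", dict(origins_by_uid(recs)))
    for qid, uid, sender in suspicious_local_submissions(recs, hosted):
        print(f"{qid}: uid {uid} injected mail as {sender}")
```

On a live system the same functions can be fed the real mail.log and the domain list from /etc/postfix/ispcp/domains; a uid that belongs to the web server showing up under forged sender domains identifies the vhost whose code needs updating, which is the conclusion the thread reached by hand.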