Current time: 08-11-2022, 09:46 AM Hello There, Guest! (LoginRegister)


Post Reply 
[SOLUCIONADO] Problemas con spam
Author Message
djtenssy Offline
Junior Member
*

Posts: 85
Joined: Jun 2008
Reputation: 0
Post: #1
[SOLUCIONADO] Problemas con spam
Hola a todos,

Tengo un problema con spam, que se envía desde mi server, usando un subdominio que no existe (el dominio sí), y evidentemente desde una cuenta de correo inexistente. Usa las cuentas admin@www.dominio.com, además de info, www, mail y operator.

He intentado reconfigurar postfix para que no deje pasar los emails, pero todo en vano. Ahora mismo tengo parado el servicio, ya que me han metido en blacklist, y se van acumulando en la cola hasta 500 emails en poco tiempo.

Mi config de postfix es esta:

# Postfix directory settings; These are critical for normal Postfix MTA functionallity
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix

# Some common configuration parameters
inet_interfaces = all
mynetworks_style = host

myhostname = sv1.xxxxxxxx.com
mydomain = sv1.xxxxxxxx.local
myorigin = $myhostname

smtpd_banner = $myhostname ESMTP ispCP 1.0.6 OMEGA Managed
setgid_group = postdrop

# Receiving messages parameters
mydestination = $myhostname, $mydomain
append_dot_mydomain = no
append_at_myorigin = yes
local_transport = local
virtual_transport = virtual
transport_maps = hash:/etc/postfix/ispcp/transport
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Delivering local messages parameters
mail_spool_directory = /var/mail

# Mailboxquota
# => 0 for unlimited
# => 104857600 for 100 MB
mailbox_size_limit = 0
mailbox_command = procmail -a "$EXTENSION"

# Message size limit
# => 0 for unlimited
# => 104857600 for 100 MB
message_size_limit = 0

biff = no
recipient_delimiter = +

local_destination_recipient_limit = 1
local_recipient_maps = unix:passwd.byname $alias_database

# ispCP Autoresponder parameters
ispcp-arpl_destination_recipient_limit = 1

# Delivering virtual messages parameters
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_limit = 0

virtual_mailbox_domains = hash:/etc/postfix/ispcp/domains
virtual_mailbox_maps = hash:/etc/postfix/ispcp/mailboxes

virtual_alias_maps = hash:/etc/postfix/ispcp/aliases

virtual_minimum_uid = 1000
virtual_uid_maps = static:1000
virtual_gid_maps = static:8

# SASL paramters
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname

smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit_mynetworks,
permit_sasl_authenticated,
check_client_access hash:/etc/postfix/ispcp/sender-access,
reject

maps_rbl_domains = relays.ordb.org

smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unlisted_recipient,
check_policy_service inet:127.0.0.1:12525,
check_policy_service inet:127.0.0.1:60000,
check_sender_access hash:/etc/postfix/ispcp/sender-prohibido, <---- direcciones no autorizadas
permit

smtpd_data_restrictions = reject_multi_recipient_bounce,
reject_unauth_pipelining

# TLS parameters; activate, if avaible/used
#smtpd_tls_security_level = may
#smtpd_tls_loglevel = 2
#smtpd_tls_cert_file = /etc/postfix/cert.pem
#smtpd_tls_key_file = /etc/postfix/privkey.pem
#smtpd_tls_auth_only = no
#smtpd_tls_received_header = yes

# AMaViS parameters; activate, if available/used
#content_filter = amavis:[127.0.0.1]:10024

# Quota support; activate, if available/used
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = "The user you're trying to reach is over mailbox quota."
#virtual_overquota_bounce = yes


El contenido de sender-prohibido:

admin@www.dominio.com REJECT
info@www.dominio.com REJECT
www@www.dominio.com REJECT
mail@www.dominio.com REJECT
operator@www.dominio.com REJECT

He llegado a intentarlo también desde fail2ban, pero no logro que me coja la dirección de email o aunque sea solo el subdominio.

Un ejemplo del mail.log:

Aug 16 08:44:00 sv1 postfix/qmgr[4033]: A784D12099: from=<mail@www.domain.com>, size=696, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 90ED712095: from=<admin@www.domain.com>, size=757, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/smtp[4046]: 2EDE212087: to=<seximarcio@hotmail.com>, relay=mx2.hotmail.com[65.54.188.110]:25, conn_use=4, delay=13413, delays=13412/0.01/0.15/0.3, dsn=2.0.0, status=sent (250 <20110816064358.2EDE212087@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 56D2512004: from=<mail@www.domain.com>, size=739, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 2EDE212087: removed
Aug 16 08:44:00 sv1 postfix/smtp[4088]: 0785912039: to=<daddy2185@hotmail.com>, relay=mx3.hotmail.com[65.54.188.94]:25, conn_use=3, delay=19499, delays=19499/0/0.15/0.3, dsn=2.0.0, status=sent (250 <20110816064359.0785912039@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/smtp[4164]: F1B7F1200B: to=<dafkenn@hotmail.com>, relay=mx2.hotmail.com[65.54.188.94]:25, conn_use=4, delay=11567, delays=11567/0.01/0.15/0.3, dsn=2.0.0, status=sent (250 <20110816064358.F1B7F1200B@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: AA52A12017: from=<mail@www.domain.com>, size=634, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/cleanup[4079]: 7D81D12007: message-id=<20110816064400.7D81D12007@sv1.xxxxxxxx.com>
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: F1B7F1200B: removed
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 0785912039: removed
Aug 16 08:44:00 sv1 postfix/smtpd[4178]: disconnect from snt0-omc4-s46.snt0.hotmail.com[65.54.51.97]
Aug 16 08:44:00 sv1 postfix/bounce[4059]: B4C491202A: sender non-delivery notification: 7D81D12007
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: B984A1209E: from=<info@www.domain.com>, size=753, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: B4C491202A: removed
Aug 16 08:44:00 sv1 postfix/smtp[4180]: AE3D112083: to=<gentlman196@hotmail.com>, relay=mx2.hotmail.com[65.54.188.94]:25, conn_use=4, delay=462, delays=461/0.02/0.17/0.3, dsn=2.0.0, status=sent (250 <20110816064359.AE3D112083@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 95D6A12080: from=<admin@www.domain.com>, size=659, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: AE3D112083: removed
Aug 16 08:44:00 sv1 postfix/smtp[4167]: E7C461202F: to=<streetsweeper2@yahoo.com>, relay=k.mx.mail.yahoo.com[98.139.54.60]:25, delay=18744, delays=18739/3.5/0.33/0.74, dsn=2.0.0, status=sent (250 ok dirdel)
Aug 16 08:44:00 sv1 postfix/smtp[4040]: 613DB12021: to=<g-pm@live.com>, relay=mx4.hotmail.com[65.55.37.72]:25, delay=9439, delays=9438/0.08/0.44/0.32, dsn=2.0.0, status=sent (250 <20110816064358.613DB12021@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: BF7C112025: from=<www@www.domain.com>, size=700, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 613DB12021: removed
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: E7C461202F: removed
Aug 16 08:44:00 sv1 postfix/smtp[4181]: D4E98120A6: to=<saher_alleali_666@hotmail.com>, relay=mx3.hotmail.com[65.55.37.72]:25, conn_use=6, delay=17790, delays=17789/0.02/0.18/0.32, dsn=2.0.0, status=sent (250 <20110816064358.D4E98120A6@sv1.xxxxxxxx.com> Queued mail for delivery)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 7F23612026: from=<admin@www.domain.com>, size=697, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: D4E98120A6: removed
Aug 16 08:44:00 sv1 postfix/smtp[4170]: 6887D760100: to=<jitrokasm@mail.com>, relay=mx0.gmx.com[74.208.5.90]:25, delay=3128, delays=3127/0.08/0.37/0.37, dsn=5.1.1, status=bounced (host mx0.gmx.com[74.208.5.90] said: 550 5.1.1 <jitrokasm@mail.com>... User is unknown {mx-us002} (in reply to RCPT TO command))
Aug 16 08:44:00 sv1 postfix/smtp[4050]: 5A9761208E: to=<sunilkddn@gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.229.27]:25, conn_use=4, delay=13523, delays=13521/0.48/0.02/1, dsn=2.0.0, status=sent (250 2.0.0 OK 1313477036 o52si17855340weq.89)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: B67471209D: from=<admin@www.domain.com>, size=743, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 5A9761208E: removed
Aug 16 08:44:00 sv1 postfix/smtp[4047]: 33B611203D: to=<polischeck.1@gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.229.27]:25, delay=12715, delays=12711/1.3/0.11/3, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[209.85.229.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://mail.google.com/support/bin/answe...nswer=6596 y56si17844043wec.111 (in reply to RCPT TO command))
Aug 16 08:44:00 sv1 postfix/smtp[4063]: C582A12052: to=<jthompson348@tampabay.rr.com>, relay=hrndva-smtpin01.mail.rr.com[71.74.56.243]:25, delay=5799, delays=5796/0.11/2.9/0.52, dsn=2.0.0, status=sent (250 OK 75/E0-09707-BA11A4E4)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: 0C0DC12015: from=<admin@www.domain.com>, size=766, nrcpt=1 (queue active)
Aug 16 08:44:00 sv1 postfix/qmgr[4033]: C582A12052: removed

Alguna idea de cómo parar esto?

Gracias y salu2.-

-------------------------------------------------------------------

Hola de nuevo,

Ya está solucionado todo, tenía el enemigo en casa.

El problema ha sido que se estaba enviando desde dentro. Al parecer existe una vulnerabilidad en algunos themes de wordpress de woothemes, y uno de los blogs (el del dominio que estaba enviando) tenía un theme de woothemes.

La solución, o cambiar de theme o actualizarlo. Además me ha ocurrido también con otro servidor del trabajo, también tenía un theme de woothemes (no el mismo), y al actualizarlo se ha acabado todo.

Si alguno tiene wordpress en los servers, que eche un vistazo al mail.log, que puede ser que esté enviando spam sin saberlo.

Salu2.-
(This post was last modified: 08-16-2011 07:59 PM by djtenssy.)
08-16-2011 05:37 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)