Linode Forum :: Spam on new unused server

Linode Forum https://forum.linode.com/

Spam on new unused server https://forum.linode.com/viewtopic.php?f=11&t=10179	Page 1 of 1

Author:

PcComputerGuy [ Mon Jun 24, 2013 11:57 pm ]

Post subject:

Spam on new unused server

Howdy All,
After a month off and on of hacking away and using the great linode guides and workaround.org guide I was finally able to get my mailserver running.

I haven't completed everything, such as spam assassin and such, so I haven't made the server "live" yet by pointing my MX record to the server.

Therefore, if I connect directly to the IP, I can send mail out with outlook (or telnet), but I can't receive anything from the outside world. I CAN receive messages from myself to myself IF sent from the linode, and as far as I know that's the only way I can receive messages.... or so I thought.

The server has been up for all of maybe 6 hours and I now have a single Chinese spam message in my inbox. I'm puzzled by this, and want to ensure I am not somehow missing something with security as I don't want to allow spammers (or unauthenticated relays) from my server.

So I'm unsure how I received this piece of Chinese spam on my linode inbox... since I myself cant send myself a message unless I originate it from my linode.

Here is my mail.log at the same time I received the message in my inbox. I noticed there are a couple things such as a message from no one <>, and to root. How is someone logging in and sending a message from no one since I (at least believe) have SMTP authentication on?

I tried with outlook to untick the "my server requires authentication" on the outgoing, and sending fails. When I tick that back on, sending succeeds, which implies to me it is indeed correctly setup to require authentication.

Code:

Jun 24 23:09:02 PcComputerGuy postfix/pickup[3989]: 4D23B249E2: uid=0 from=<root>
Jun 24 23:09:02 PcComputerGuy postfix/cleanup[4111]: 4D23B249E2: message-id=<20130625030902.4D23B249E2@PcComputerGuy.com>
Jun 24 23:09:02 PcComputerGuy postfix/qmgr[3398]: 4D23B249E2: from=<root@Ronin>, size=1208, nrcpt=1 (queue active)
Jun 24 23:09:02 PcComputerGuy postfix/smtp[4113]: 4D23B249E2: to=<root@Ronin>, orig_to=<root>, relay=none, delay=0.2, delays=0.03/0.01/0.15/0, dsn=5.4.4, status=bounce$
Jun 24 23:09:02 PcComputerGuy postfix/cleanup[4111]: 7E900249E3: message-id=<20130625030902.7E900249E3@PcComputerGuy.com>
Jun 24 23:09:02 PcComputerGuy postfix/bounce[4114]: 4D23B249E2: sender non-delivery notification: 7E900249E3
Jun 24 23:09:02 PcComputerGuy postfix/qmgr[3398]: 7E900249E3: from=<>, size=3088, nrcpt=1 (queue active)
Jun 24 23:09:02 PcComputerGuy postfix/qmgr[3398]: 4D23B249E2: removed
Jun 24 23:09:02 PcComputerGuy postfix/smtp[4113]: 7E900249E3: to=<root@Ronin>, relay=none, delay=0.01, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name n$
Jun 24 23:09:02 PcComputerGuy postfix/qmgr[3398]: 7E900249E3: removed
Jun 24 23:39:01 PcComputerGuy postfix/pickup[4128]: 8DD1C249E2: uid=0 from=<root>
Jun 24 23:39:01 PcComputerGuy postfix/cleanup[4143]: 8DD1C249E2: message-id=<20130625033901.8DD1C249E2@PcComputerGuy.com>
Jun 24 23:39:01 PcComputerGuy postfix/qmgr[3398]: 8DD1C249E2: from=<root@Ronin>, size=1208, nrcpt=1 (queue active)
Jun 24 23:39:01 PcComputerGuy postfix/smtp[4145]: 8DD1C249E2: to=<root@Ronin>, orig_to=<root>, relay=none, delay=0.13, delays=0.04/0.01/0.09/0, dsn=5.4.4, status=bounc$
Jun 24 23:39:01 PcComputerGuy postfix/cleanup[4143]: AD6F5249E3: message-id=<20130625033901.AD6F5249E3@PcComputerGuy.com>
Jun 24 23:39:01 PcComputerGuy postfix/bounce[4146]: 8DD1C249E2: sender non-delivery notification: AD6F5249E3
Jun 24 23:39:01 PcComputerGuy postfix/qmgr[3398]: AD6F5249E3: from=<>, size=3088, nrcpt=1 (queue active)

Thanks for your suggestions and for the great linode community.

Author:	Vance [ Tue Jun 25, 2013 12:19 am ]
Post subject:	Re: Spam on new unused server
Easy; someone just connected to your SMTP server at random and submitted a spam message addressed to root. The fact that you haven't pointed an MX record toward it just means that you won't get spam pointed toward @whateveryouhave.tld. Anyone can still connect to port 25 on your server and attempt to submit mail. See this thread for some generic recommendations on setting up Postfix. Note: don't be tempted to block or bit-bucket mail with a null sender <>; some valid mail will come from this address.

Author:	PcComputerGuy [ Tue Jun 25, 2013 12:39 am ]
Post subject:	Re: Spam on new unused server
Awesome thanks! Can you answer a couple follow ups? 1. I considered the "just sending to root" deal, and tried that myself to see if it would (somehow) end up in my test@example.com inbox, and it didn't. So how did the message sent to root end up in test@example.com, when my text message did not replicate the same thing? 2. Reading the linked forum sounds like I can possible use the "reject_unlisted_recipient"? Or would root be listed? If so, how can I disable root from getting mail, or is this a bad thing to do?

Author:	dcraig [ Tue Jun 25, 2013 12:45 am ]
Post subject:	Re: Spam on new unused server
An MX record is not necessary to receive mail if the A record for yourdomain.com points to an IP that is configured to handle mail for your domain.

Author:	PcComputerGuy [ Tue Jun 25, 2013 12:56 am ]
Post subject:	Re: Spam on new unused server
I think Vance was on the right track. I receive no other mail to that address, as far as the world is concerned, it doesn't exist via it's domain, only IP.

Author:	Vance [ Thu Jun 27, 2013 4:04 am ]
Post subject:	Re: Spam on new unused server
I can't really give answers to your questions not knowing your specific configuration, but I can try to give you some hints. 1. Somehow Postfix has been configured to take (some) mail addressed to root and deliver it to test@example.com. This could be in /etc/aliases, your virtual alias config, or your virtual mailbox config. I would guess it's one of the latter two, since it seems to be treating mail differently based on whether it's submitted locally or externally. 2. Yes, root is probably considered "listed" although this depends on your exact configuration (see especially the values for local_recipient_maps, virtual_alias_maps, virtual_mailbox_maps, relay_domains). Cron jobs and many daemons expect to be able to send mail to root in case of trouble, so disabling it is probably not a good idea. I would suggest making sure that delivery is working properly to all the addresses you'd like to receive mail before using reject_unlisted_recipient. In short, the best way to prevent root from getting spam is to set up your mail server so that all recipients get a minimum of spam. In descending order of my personal preference, methods to do this include the Postfix sanity checks, greylisting, DNSBLs, and content filtering (Spamassassin). You don't want to put super-duper filtering on mail to root (and may in fact want less), since when things go wrong, that's probably where the notification is going. You may be throwing that notification away if you're too aggressive on filtering.

Author:	PcComputerGuy [ Thu Jun 27, 2013 9:52 am ]
Post subject:	Re: Spam on new unused server
Alrighty, thanks for the tips! Have a great day.

Author:	sleddog [ Thu Jun 27, 2013 5:17 pm ]
Post subject:	Re: Spam on new unused server
If you post you postfix configuration, troubleshooting would be easier...

Author:

PcComputerGuy [ Thu Jun 27, 2013 5:56 pm ]

Post subject:

Re: Spam on new unused server

Sure thing.

Here is my main.cf

Code:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = PcComputerGuy.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $mydomain, localhost.$mydomain, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_unlisted_recipient

Here is my master.cf

Code:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
465       inet  n       -       n       -       -       smtpd

#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=REMOVED:REMOVED argv=/usr/lib/dovecot/deliver -d ${recipient}
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
   -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=REMOVED argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix   -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

Here is my Dovecot.conf

Code:

protocols = imap imaps pop3 pop3s


disable_plaintext_auth = no


log_path = /var/log/dovecotErrors


info_log_path = /var/log/dovecotInfo


log_timestamp = "%Y-%m-%d %H:%M:%S "



mail_location = maildir:/var/vmail/%d/%n/Maildir 


namespace private {
 
}


mail_privileged_group = mail



protocol imap {
 
}
  


protocol pop3 {

  pop3_uidl_format = %08Xu%08Xv

  
}


protocol managesieve {
}

protocol lda {
    log_path = /var/vmail/dovecot-deliver.log
    auth_socket_path = /var/run/dovecot/auth-master
    postmaster_address = MyEmailAddressRemoved
    # mail_plugins = cmusieve
    mail_plugins = sieve
  
 
}



auth default {
 
  mechanisms = plain login

 

 
  passdb sql {
    # Path for SQL configuration file
    args = /etc/dovecot/dovecot-sql.conf
   }

  # LDAP database </usr/share/doc/dovecot-common/wiki/AuthDatabase.LDAP.txt>
  #passdb ldap {
    # Path for LDAP configuration file
    #args = /etc/dovecot/dovecot-ldap.conf
  #}

 

  
  userdb passwd {
   
  }

  # passwd-like file with specified location
  # </usr/share/doc/dovecot-common/wiki/AuthDatabase.PasswdFile.txt>
  #userdb passwd-file {
    # [username_format=<format>] <Path for passwd-file>
    #args =
  #}

  # checkpassword executable user database lookup
  # </usr/share/doc/dovecot-common/wiki/AuthDatabase.CheckPassword.txt>
  #userdb checkpassword {
    # Path for checkpassword binary
    #args = 
  #}

  # static settings generated from template </usr/share/doc/dovecot-common/wiki/UserDatabase.Static.txt>
  userdb static {
  
    args = uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
   
  }

  # SQL database </usr/share/doc/dovecot-common/wiki/AuthDatabase.SQL.txt>
  #userdb sql {
    # Path for SQL configuration file
    #args = /etc/dovecot/dovecot-sql.conf
  #}

  # LDAP database </usr/share/doc/dovecot-common/wiki/AuthDatabase.LDAP.txt>
  #userdb ldap {
    # Path for LDAP configuration file
    #args = /etc/dovecot/dovecot-ldap.conf
  #}

  # vpopmail </usr/share/doc/dovecot-common/wiki/AuthDatabase.VPopMail.txt>
  #userdb vpopmail {
  #}

 
  user = root

 

  # It's possible to export the authentication interface to other programs:
  socket listen {
    master {
     
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = REMOVED
    }
    client {
      
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = REMOVED
      group = REMOVED
    }
  }
}



dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-quota.conf
  #expire = db:/var/lib/dovecot/expire.db
}




plugin {

}

Thanks!

Page 1 of 1	All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/