Linode Forum
https://forum.linode.com/

Email compromised?
https://forum.linode.com/viewtopic.php?f=11&t=10386		 Page 1 of 1
Author:  crazyfruitbat [ Sun Sep 01, 2013 12:54 am ]
Post subject:  Email compromised?
Hi guys,

Today I received some spam from myself so I've been digging around online trying to find some answers but I have limited knowledge of mail systems. I hope someone can help me out please?

I'm running postfix/dovecot on lucid 10.04

Here's some of the logs:

Code:
Aug 30 11:34:32 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=126.253.164.22, lip=173.230.147.71, TLS
Aug 30 11:34:53 skynet postfix/anvil[24176]: statistics: max connection rate 1/60s for (submission:153.129.162.175) at Aug 30 11:31:32
Aug 30 11:34:53 skynet postfix/anvil[24176]: statistics: max connection count 1 for (submission:153.129.162.175) at Aug 30 11:31:32
Aug 30 11:34:53 skynet postfix/anvil[24176]: statistics: max cache size 1 at Aug 30 11:31:32
Aug 30 11:41:33 skynet postfix/smtpd[24335]: connect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Aug 30 11:41:34 skynet postfix/smtpd[24335]: disconnect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Aug 30 11:44:54 skynet postfix/anvil[24337]: statistics: max connection rate 1/60s for (submission:153.129.162.175) at Aug 30 11:41:33
Aug 30 11:44:54 skynet postfix/anvil[24337]: statistics: max connection count 1 for (submission:153.129.162.175) at Aug 30 11:41:33
Aug 30 11:44:54 skynet postfix/anvil[24337]: statistics: max cache size 1 at Aug 30 11:41:33
Aug 30 11:51:32 skynet postfix/smtpd[24482]: connect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Aug 30 11:51:33 skynet postfix/smtpd[24482]: disconnect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Aug 30 11:54:36 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Connection closed bytes=992/2303
Aug 30 11:54:41 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=126.253.164.22, lip=173.230.147.71, TLS
Aug 30 11:54:43 skynet postfix/smtpd[24510]: connect from mx-pool8.wsoleads.com[86.106.137.122]
Aug 30 11:54:43 skynet postfix/smtpd[24510]: disconnect from mx-pool8.wsoleads.com[86.106.137.122]
Aug 30 11:55:14 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected for inactivity bytes=133/1226
Aug 30 11:58:03 skynet postfix/anvil[24484]: statistics: max connection rate 1/60s for (submission:153.129.162.175) at Aug 30 11:51:32
Aug 30 11:58:03 skynet postfix/anvil[24484]: statistics: max connection count 1 for (submission:153.129.162.175) at Aug 30 11:51:32
Aug 30 11:58:03 skynet postfix/anvil[24484]: statistics: max cache size 1 at Aug 30 11:51:32
[b]Aug 30 11:58:17 skynet postfix/smtpd[24575]: warning: 122.169.98.187: hostname ABTS-mum-static-187.98.169.122.airtelbroadband.in verification failed: Name or service not known
Aug 30 11:58:17 skynet postfix/smtpd[24575]: connect from unknown[122.169.98.187]
Aug 30 11:58:18 skynet postfix/smtpd[24575]: 02929EA11C: client=unknown[122.169.98.187]
Aug 30 11:58:18 skynet postfix/cleanup[24579]: 02929EA11C: message-id=<7738664762.TA37UXVI282574@qavsrxxyjavc.hqlyupitgzjaco.org>
Aug 30 11:58:18 skynet postfix/qmgr[2353]: 02929EA11C: from=<exudesfr43@superbikeclub.com>, size=960, nrcpt=1 (queue active)
Aug 30 11:58:18 skynet postfix/pipe[24580]: 02929EA11C: to=<chris@pixelatedphotographer.com>, relay=dovecot, delay=0.33, delays=0.32/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 30 11:58:18 skynet postfix/qmgr[2353]: 02929EA11C: removed
Aug 30 11:58:18 skynet postfix/smtpd[24575]: disconnect from unknown[122.169.98.187][/b]
Aug 30 11:58:45 skynet dovecot: imap-login: Login: user=<m@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Aug 30 12:01:32 skynet postfix/smtpd[24669]: connect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Aug 30 12:01:33 skynet postfix/smtpd[24669]: disconnect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Aug 30 12:01:47 skynet dovecot: imap-login: Disconnected: Inactivity (no auth attempts): rip=153.129.162.175, lip=173.230.147.71, TLS
Aug 30 12:03:48 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Aug 30 12:03:52 skynet dovecot: imap-login: Login: user=<junkstuff@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Aug 30 12:04:00 skynet dovecot: IMAP(junkstuff@pixelatedphotographer.com): Disconnected: Logged out bytes=277/969
Aug 30 12:04:53 skynet postfix/anvil[24577]: statistics: max connection rate 1/60s for (smtp:122.169.98.187) at Aug 30 11:58:17
Aug 30 12:04:53 skynet postfix/anvil[24577]: statistics: max connection count 1 for (smtp:122.169.98.187) at Aug 30 11:58:17
Aug 30 12:04:53 skynet postfix/anvil[24577]: statistics: max cache size 1 at Aug 30 11:58:17
Aug 30 12:05:35 skynet postfix/smtpd[24700]: connect from mx-pool42.zoolists.com[86.106.137.68]
Aug 30 12:05:35 skynet postfix/smtpd[24700]: disconnect from mx-pool42.zoolists.com[86.106.137.68]
Aug 30 12:08:55 skynet postfix/anvil[24702]: statistics: max connection rate 1/60s for (smtp:86.106.137.68) at Aug 30 12:05:35
Aug 30 12:08:55 skynet postfix/anvil[24702]: statistics: max connection count 1 for (smtp:86.106.137.68) at Aug 30 12:05:35
Aug 30 12:08:55 skynet postfix/anvil[24702]: statistics: max cache size 1 at Aug 30 12:05:35
Aug 30 12:11:32 skynet postfix/smtpd[24829]: connect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Aug 30 12:11:33 skynet postfix/smtpd[24829]: disconnect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Aug 30 12:14:53 skynet postfix/anvil[24831]: statistics: max connection rate 1/60s for (submission:153.129.162.175) at Aug 30 12:11:32
Aug 30 12:14:53 skynet postfix/anvil[24831]: statistics: max connection count 1 for (submission:153.129.162.175) at Aug 30 12:11:32
Aug 30 12:14:53 skynet postfix/anvil[24831]: statistics: max cache size 1 at Aug 30 12:11:32


As you can see in bold, this one is doing something it shouldn't - I checked the header in the email and compared it to check to see if its the same one and it is.

Can anyone share any light into what to do next? I'm still very much a newb at this stuff and I'm finding it a little overwhelming. Any help would be appreciated.

Oh btw, I am the one in marunouchi.tokyo.

Many thanks,
Chris
Author:  crazyfruitbat [ Sun Sep 01, 2013 12:56 am ]
Post subject:  Re: Email compromised?
ahh the bold's not showing in code- basically here:
Aug 30 11:58:17 skynet postfix/smtpd[24575]: warning: 122.169.98.187: hostname ABTS-mum-static-187.98.169.122.airtelbroadband.in verification failed: Name or service not known
Aug 30 11:58:17 skynet postfix/smtpd[24575]: connect from unknown[122.169.98.187]
Aug 30 11:58:18 skynet postfix/smtpd[24575]: 02929EA11C: client=unknown[122.169.98.187]
Aug 30 11:58:18 skynet postfix/cleanup[24579]: 02929EA11C: message-id=<7738664762.TA37UXVI282574@qavsrxxyjavc.hqlyupitgzjaco.org>
Aug 30 11:58:18 skynet postfix/qmgr[2353]: 02929EA11C: from=<exudesfr43@superbikeclub.com>, size=960, nrcpt=1 (queue active)
Aug 30 11:58:18 skynet postfix/pipe[24580]: 02929EA11C: to=<chris@pixelatedphotographer.com>, relay=dovecot, delay=0.33, delays=0.32/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Aug 30 11:58:18 skynet postfix/qmgr[2353]: 02929EA11C: removed
Aug 30 11:58:18 skynet postfix/smtpd[24575]: disconnect from unknown[122.169.98.187]
Author:  ken-ji [ Sun Sep 01, 2013 2:17 am ]
Post subject:  Re: Email compromised?
Well
Code:
Aug 30 11:58:17 skynet postfix/smtpd[24575]: warning: 122.169.98.187: hostname ABTS-mum-static-187.98.169.122.airtelbroadband.in verification failed: Name or service not known

This means your mail server did preliminary RDNS checking for the connecting mail server.

However
Code:
Aug 30 11:58:17 skynet postfix/smtpd[24575]: connect from unknown[122.169.98.187]
Aug 30 11:58:18 skynet postfix/smtpd[24575]: 02929EA11C: client=unknown[122.169.98.187]
Aug 30 11:58:18 skynet postfix/cleanup[24579]: 02929EA11C: message-id=<7738664762.TA37UXVI282574@qavsrxxyjavc.hqlyupitgzjaco.org>

your server allowed them through.

You are not compromised. but your anti-spam settings need work.
You probably need to check your smtp sender settings re:http://www.postfix.org/SMTPD_ACCESS_README.html

You may want to post the contents of your config files so people can look them over.
Author:  crazyfruitbat [ Sun Sep 01, 2013 10:09 am ]
Post subject:  Re: Email compromised?
Thanks Ken-ji,
I'll go through that doc tomorrow.

I'll paste my postfix conf here - is there any other configs I can copy over to help? please let me know which ones.

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = skynet.pixelatedphotographer.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = skynet.pixelatedphotographer.com, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
html_directory = /usr/share/doc/postfix/html
message_size_limit = 30720000
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_maps =
   proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
   proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
#smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

smtpd_sasl_auth_enable          = yes
#smtpd_sasl_local_domain        = $myhostname
smtpd_sasl_exceptions_networks  = $mynetworks
smtpd_sasl_security_options     = noanonymous
broken_sasl_auth_clients        = yes
smtpd_sasl_type                 = dovecot
# Can be an absolute path, or relative to $queue_directory
smtpd_sasl_path                 = private/auth
notify_classes = bounce, resource
smtpd_client_restrictions = reject_rhsbl_client medexltd.com
Author:  ken-ji [ Sun Sep 01, 2013 11:08 am ]
Post subject:  Re: Email compromised?
I see your using
Code:
smtpd_client_restrictions = reject_rhsbl_client medexltd.com


Which in the http://www.postfix.org/postconf.5.html# ... sbl_client

Code:
reject_rhsbl_client rbl_domain=d.d.d.d
    Reject the request when the client hostname is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the client hostname is listed with any A record under rbl_domain. See the reject_rbl_client description above for additional RBL related configuration parameters. This feature is available in Postfix 2.0 and later; with Postfix version 2.8 and later, reject_rhsbl_reverse_client will usually produce better results.


But since this RBL server returned no record the message was able to get through.

You might want to try other RBLs. See http://www.anti-abuse.org/multi-rbl-check/
They list some of the more commonly used RBLs and use them like this:
Code:
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net,
            reject_rbl_client dnsbl.sorbs.net,
            reject_rbl_client cbl.abuseat.org


This should cause most spambots to be dropped as soon as they connect.
Author:  crazyfruitbat [ Mon Sep 02, 2013 8:56 am ]
Post subject:  Re: Email compromised?
Thanks Ken-ji,
Thanks very much for that - certainly I think the amount of spam I've been getting has reduced since adding this as you recommended:
Code:
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net,
            reject_rbl_client dnsbl.sorbs.net,
            reject_rbl_client cbl.abuseat.org


Do you think this is looking healthier? I'll be honest, I don't know what to look for here...

Code:
Sep  2 19:40:30 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected for inactivity bytes=151/1533
Sep  2 19:40:30 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected: Logged out bytes=612/133267
Sep  2 19:40:31 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected for inactivity bytes=369/932
Sep  2 19:40:31 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected for inactivity bytes=283/1977
Sep  2 19:41:30 skynet postfix/anvil[9261]: statistics: max connection rate 1/60s for (smtp:208.117.50.137) at Sep  2 19:38:07
Sep  2 19:41:30 skynet postfix/anvil[9261]: statistics: max connection count 1 for (smtp:208.117.50.137) at Sep  2 19:38:07
Sep  2 19:41:30 skynet postfix/anvil[9261]: statistics: max cache size 1 at Sep  2 19:38:07
Sep  2 19:41:35 skynet postfix/smtpd[9344]: warning: 58.19.191.89: address not listed for hostname 58.19.arpa.hb.cnc.cn
Sep  2 19:41:35 skynet postfix/smtpd[9344]: connect from unknown[58.19.191.89]
Sep  2 19:41:36 skynet postfix/smtpd[9344]: NOQUEUE: reject: RCPT from unknown[58.19.191.89]: 554 5.7.1 Service unavailable; Client host [58.19.191.89] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=58.19.191.89; from=<be@ie.net> to=<www-data@skynet.pixelatedphotographer.com> proto=ESMTP helo=<ie.net>
Sep  2 19:41:36 skynet postfix/smtpd[9344]: lost connection after RCPT from unknown[58.19.191.89]
Sep  2 19:41:36 skynet postfix/smtpd[9344]: disconnect from unknown[58.19.191.89]
Sep  2 19:41:37 skynet postfix/smtpd[9344]: warning: 58.19.191.89: address not listed for hostname 58.19.arpa.hb.cnc.cn
Sep  2 19:41:37 skynet postfix/smtpd[9344]: connect from unknown[58.19.191.89]
Sep  2 19:41:37 skynet postfix/smtpd[9344]: NOQUEUE: reject: RCPT from unknown[58.19.191.89]: 554 5.7.1 Service unavailable; Client host [58.19.191.89] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=58.19.191.89; from=<ezhyp@bj.org> to=<www-data@skynet.pixelatedphotographer.com> proto=ESMTP helo=<bj.org>
Sep  2 19:41:38 skynet postfix/smtpd[9344]: lost connection after RCPT from unknown[58.19.191.89]
Sep  2 19:41:38 skynet postfix/smtpd[9344]: disconnect from unknown[58.19.191.89]
Sep  2 19:44:58 skynet postfix/anvil[9346]: statistics: max connection rate 2/60s for (smtp:58.19.191.89) at Sep  2 19:41:37
Sep  2 19:44:58 skynet postfix/anvil[9346]: statistics: max connection count 1 for (smtp:58.19.191.89) at Sep  2 19:41:35
Sep  2 19:44:58 skynet postfix/anvil[9346]: statistics: max cache size 1 at Sep  2 19:41:35
Sep  2 19:47:52 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 19:55:12 skynet postfix/smtpd[9532]: connect from unknown[41.143.198.88]
Sep  2 19:55:13 skynet postfix/smtpd[9532]: NOQUEUE: reject: RCPT from unknown[41.143.198.88]: 554 5.7.1 Service unavailable; Client host [41.143.198.88] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=41.143.198.88; from=<chris318@antoinegonin.com> to=<chris@pixelatedphotographer.com> proto=ESMTP helo=<[41.143.198.88]>
Sep  2 19:55:13 skynet postfix/smtpd[9532]: disconnect from unknown[41.143.198.88]
Sep  2 19:58:34 skynet postfix/anvil[9535]: statistics: max connection rate 1/60s for (smtp:41.143.198.88) at Sep  2 19:55:12
Sep  2 19:58:34 skynet postfix/anvil[9535]: statistics: max connection count 1 for (smtp:41.143.198.88) at Sep  2 19:55:12
Sep  2 19:58:34 skynet postfix/anvil[9535]: statistics: max cache size 1 at Sep  2 19:55:12
Sep  2 19:58:46 skynet dovecot: imap-login: Login: user=<m@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 19:58:50 skynet dovecot: imap-login: Login: user=<m@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 19:59:08 skynet dovecot: IMAP(m@pixelatedphotographer.com): Disconnected: Logged out bytes=471/2258
Sep  2 19:59:08 skynet dovecot: IMAP(m@pixelatedphotographer.com): Disconnected: Logged out bytes=285/1630
Sep  2 19:59:37 skynet dovecot: imap-login: Login: user=<junkstuff@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 19:59:40 skynet dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 19:59:46 skynet dovecot: IMAP(junkstuff@pixelatedphotographer.com): Disconnected: Logged out bytes=277/969
Sep  2 20:00:56 skynet dovecot: imap-login: Login: user=<m@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 20:04:00 skynet dovecot: IMAP(m@pixelatedphotographer.com): Disconnected: Logged out bytes=984/2953
Sep  2 20:04:25 skynet dovecot: IMAP(m@pixelatedphotographer.com): Disconnected in IDLE bytes=551/2103
Sep  2 20:04:27 skynet dovecot: IMAP(m@pixelatedphotographer.com): Connection closed bytes=6833/10614
Sep  2 20:04:27 skynet dovecot: IMAP(m@pixelatedphotographer.com): Connection closed bytes=107/2020
Sep  2 20:04:27 skynet dovecot: IMAP(m@pixelatedphotographer.com): Connection closed bytes=63/1280
Sep  2 20:04:29 skynet dovecot: imap-login: Login: user=<m@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 20:04:30 skynet dovecot: imap-login: Login: user=<m@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 20:04:30 skynet dovecot: IMAP(m@pixelatedphotographer.com): Connection closed bytes=19/332
Sep  2 20:04:31 skynet dovecot: imap-login: Login: user=<m@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 20:05:52 skynet dovecot: last message repeated 2 times
Sep  2 20:16:02 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Connection closed bytes=984/2533
Sep  2 20:16:08 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 20:19:30 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected: Logged out bytes=352/1548
Sep  2 20:21:38 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 20:26:44 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected: Logged out bytes=352/1523
Sep  2 20:33:26 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 20:34:39 skynet dovecot: IMAP(m@pixelatedphotographer.com): Disconnected for inactivity bytes=810/22027
Sep  2 20:37:28 skynet dovecot: imap-login: Login: user=<junkstuff@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 20:37:32 skynet dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 20:37:39 skynet dovecot: IMAP(junkstuff@pixelatedphotographer.com): Disconnected: Logged out bytes=277/969
Sep  2 20:38:52 skynet dovecot: IMAP(m@pixelatedphotographer.com): Disconnected in IDLE bytes=898/2720
Sep  2 20:41:42 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected: Logged out bytes=352/1523
Sep  2 20:45:28 skynet dovecot: IMAP(m@pixelatedphotographer.com): Disconnected for inactivity bytes=1767/50948
Sep  2 20:50:28 skynet dovecot: IMAP(m@pixelatedphotographer.com): Disconnected for inactivity bytes=9328/15990
Sep  2 20:51:33 skynet postfix/smtpd[10553]: connect from unknown[89.137.130.186]
Sep  2 20:51:34 skynet postfix/smtpd[10553]: NOQUEUE: reject: RCPT from unknown[89.137.130.186]: 554 5.7.1 Service unavailable; Client host [89.137.130.186] blocked using dnsbl.sorbs.net; Exploitable Server See: http://www.sorbs.net/lookup.shtml?89.137.130.186 / Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?89.137.130.186; from=<chris12@ahchamber.org> to=<chris@pixelatedphotographer.com> proto=ESMTP helo=<ADA-PC>
Sep  2 20:51:34 skynet postfix/smtpd[10553]: disconnect from unknown[89.137.130.186]
Sep  2 20:54:54 skynet postfix/anvil[10555]: statistics: max connection rate 1/60s for (smtp:89.137.130.186) at Sep  2 20:51:33
Sep  2 20:54:54 skynet postfix/anvil[10555]: statistics: max connection count 1 for (smtp:89.137.130.186) at Sep  2 20:51:33
Sep  2 20:54:54 skynet postfix/anvil[10555]: statistics: max cache size 1 at Sep  2 20:51:33
Sep  2 20:55:42 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 20:55:52 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected: Logged out bytes=352/1523
Sep  2 21:05:19 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:08:25 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected: Logged out bytes=552/1799
Sep  2 21:10:56 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:10:56 skynet postfix/smtpd[10839]: connect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Sep  2 21:10:57 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:10:57 skynet postfix/smtpd[10839]: disconnect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Sep  2 21:10:58 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:11:01 skynet dovecot: last message repeated 2 times
Sep  2 21:11:01 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Connection closed bytes=19/332
Sep  2 21:14:17 skynet postfix/anvil[10843]: statistics: max connection rate 1/60s for (submission:153.129.162.175) at Sep  2 21:10:56
Sep  2 21:14:17 skynet postfix/anvil[10843]: statistics: max connection count 1 for (submission:153.129.162.175) at Sep  2 21:10:56
Sep  2 21:14:17 skynet postfix/anvil[10843]: statistics: max cache size 1 at Sep  2 21:10:56
Sep  2 21:20:07 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:20:19 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected: Logged out bytes=352/1523
Sep  2 21:22:05 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:28:02 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected in IDLE bytes=579/436553
Sep  2 21:30:38 skynet dovecot: imap-login: Login: user=<junkstuff@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:30:41 skynet dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:30:56 skynet dovecot: IMAP(junkstuff@pixelatedphotographer.com): Disconnected: Logged out bytes=277/969
Sep  2 21:32:45 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Disconnected: Logged out bytes=514/1343
Sep  2 21:39:30 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Connection closed bytes=107/1146
Sep  2 21:39:30 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Connection closed bytes=415/1361
Sep  2 21:39:30 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Connection closed bytes=283/1829
Sep  2 21:39:42 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:39:43 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:39:44 skynet postfix/smtpd[11357]: connect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Sep  2 21:39:44 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:39:45 skynet postfix/smtpd[11357]: disconnect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Sep  2 21:39:45 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:39:46 skynet dovecot: imap-login: Login: user=<chris@pixelatedphotographer.com>, method=PLAIN, rip=153.129.162.175, lip=173.230.147.71, TLS
Sep  2 21:39:47 skynet dovecot: IMAP(chris@pixelatedphotographer.com): Connection closed bytes=19/332
Sep  2 21:39:47 skynet postfix/smtpd[11357]: connect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]
Sep  2 21:39:48 skynet postfix/smtpd[11357]: disconnect from p5175-ipngn4101marunouchi.tokyo.ocn.ne.jp[153.129.162.175]


Looking at the link you sent over yesterday regarding the conf file - I noticed it has a restriction list example.
Would you recommend these (copy and pasted here)?
Code:
 Examples of simple restriction lists are:

/etc/postfix/main.cf:
    # Allow connections from trusted networks only.
    smtpd_client_restrictions = permit_mynetworks, reject

    # Don't talk to mail systems that don't know their own hostname.
    # With Postfix < 2.3, specify reject_unknown_hostname.
    smtpd_helo_restrictions = reject_unknown_helo_hostname

    # Don't accept mail from domains that don't exist.
    smtpd_sender_restrictions = reject_unknown_sender_domain

    # Relay control (Postfix 2.10 and later): local clients and
    # authenticated clients may specify any destination domain.
    smtpd_relay_restrictions = permit_mynetworks, 
   permit_sasl_authenticated,
   reject_unauth_destination

    # Spam control: exclude local clients and authenticated clients
    # from DNSBL lookups.
    smtpd_recipient_restrictions = permit_mynetworks, 
   permit_sasl_authenticated,
   # reject_unauth_destination is not needed here if the mail
   # relay policy is specified under smtpd_relay_restrictions
   # (available with Postfix 2.10 and later).
   reject_unauth_destination
   reject_rbl_client zen.spamhaus.org,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org

    # Block clients that speak too early.
    smtpd_data_restrictions = reject_unauth_pipelining

    # Enforce mail volume quota via policy service callouts.
    smtpd_end_of_data_restrictions = check_policy_service unix:private/policy


Thanks very much for all your help!
Author:  ken-ji [ Mon Sep 02, 2013 11:46 am ]
Post subject:  Re: Email compromised?
Nice to see that the advice helped - it's rather suprising how much can be stopped using the client restriction rule.

The log is the healthier kind since:
Code:
Sep  2 19:41:35 skynet postfix/smtpd[9344]: warning: 58.19.191.89: address not listed for hostname 58.19.arpa.hb.cnc.cn
Sep  2 19:41:35 skynet postfix/smtpd[9344]: connect from unknown[58.19.191.89]
Sep  2 19:41:36 skynet postfix/smtpd[9344]: NOQUEUE: reject: RCPT from unknown[58.19.191.89]: 554 5.7.1 Service unavailable; Client host [58.19.191.89] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=58.19.191.89; from=<be@ie.net> to=<www-data@skynet.pixelatedphotographer.com> proto=ESMTP helo=<ie.net>
Sep  2 19:41:36 skynet postfix/smtpd[9344]: lost connection after RCPT from unknown[58.19.191.89]
Sep  2 19:41:36 skynet postfix/smtpd[9344]: disconnect from unknown[58.19.191.89]
Sep  2 19:41:37 skynet postfix/smtpd[9344]: warning: 58.19.191.89: address not listed for hostname 58.19.arpa.hb.cnc.cn
Sep  2 19:41:37 skynet postfix/smtpd[9344]: connect from unknown[58.19.191.89]
Sep  2 19:41:37 skynet postfix/smtpd[9344]: NOQUEUE: reject: RCPT from unknown[58.19.191.89]: 554 5.7.1 Service unavailable; Client host [58.19.191.89] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=58.19.191.89; from=<ezhyp@bj.org> to=<www-data@skynet.pixelatedphotographer.com> proto=ESMTP helo=<bj.org>
Sep  2 19:41:38 skynet postfix/smtpd[9344]: lost connection after RCPT from unknown[58.19.191.89]
Sep  2 19:41:38 skynet postfix/smtpd[9344]: disconnect from unknown[58.19.191.89]

shows a dual attempt by a single spambot (or similar) sending from two diffent sources be@ie.net and ezhyp@bj.org which is fairly certain to be nonsensical. So yes, your mail server with be getting a lot less spam - but if a newly infected machine manages to target you at once, it will be able to get in.

As for the other restrictions you've seen; they can help with tuning other details and catching other kinds of spammers - the manual kind. Here's a quick how they work: each restriction takes effect at a certain phase of the handshake.
  • smtp_client_restrictions take effect as soon as the sender declares the envelope using RCPT TO and MAIL FROM
  • smtp_helo_restrictions takes effect as soon as the client connects and sends a HELO or EHLO to the mail server.
  • smtpd_sender_restrictions = reject_unknown_sender_domain; this will kick out anybody who sets a "unknown" from header as soon as they issue the FROM part of the handshake but I don't quite remember how a domain becomes "unknown" (maybe via DNS resolution)
  • smtpd_data_restrictions = reject_unauth_pipelining; a client that tries to stuff as manay commands into the buffer as possible (pipelining) is rejected
  • smtpd_end_of_data_restrictions = check_policy_service unix:private/policy: this will take effect once the whole message has been received and requires a daemon listening to the policy socket to make decisions about the entire email message

That said, if your client IP or IP block ever gets listed by a BL, you won't be able to email in the current config. You'll need to:
  • setup a whitelist of IPs (if your client IP is static) and use the permit_mynetworks
  • or setup SMTP+STARTTLS or SMTP+SSL at certain standard ports 587 and 465 respectively; then use permit_sasl_authenticated.
  • or setup some VPN like openVPN and tunnel SMTP access through that via a trusted subnet again using permit_mynmetworks

I'm a little sorry but I don't have a handy example where the client needs to be authenticated before they can send as a local user; this also prevents anybody else from sending mail as you; unless they can login as you,
Page 1 of 1 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/