Re: My post mail server is used for spam



Thanks for the answer. When I run grep -e "connect from" on the
syslog, I get this:

Nov 15 12:32:47 VOLTALIAMSG postfix/smtpd[31110]: disconnect from unknown[192.168.150.254]
Nov 15 12:32:49 VOLTALIAMSG postfix/smtpd[31102]: connect from unknown[192.168.150.254]
Nov 15 12:32:53 VOLTALIAMSG postfix/smtpd[31129]: disconnect from unknown[192.168.150.254]
Nov 15 12:32:56 VOLTALIAMSG postfix/smtpd[31110]: connect from unknown[192.168.150.254]

192.168.150.254 is my router. It seems that Postfix considers it an
internal host.

Anyway, we have a router which uses NAT to forward SMTP data to our
server. How can we configure Postfix and the router to send mail only
from my domain and not send or accept spam?

Thanks,

Olivier

2011/11/15 Olivier BATARD <obatard@gmail.com>:
> 2011/11/15 Kevin Ross <kevin@familyross.net>:
>> On 11/15/2011 01:20 AM, Kevin Ross wrote:
>>>
>>> On 11/15/2011 12:41 AM, Olivier BATARD wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm a little in trouble because my postfix server is used to send a
>>>> huge amount of spam, generating huge logs like that:
>>>>
>>>> postfix/error[2120]: 993AE145D: to=<xbeefon@yahoo.com.tw>, relay=none,
>>>> delay=101, delays=100/0.07/0/0.31, dsn=4.7.0, status=deferred
>>>> (delivery temporarily suspended: host
>>>> mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421
>>>> 4.7.0 [TS01] Messages from 62.161.100.158 temporarily deferred due to
>>>> user complaints - 4.16.55.1; see
>>>> http://postmaster.yahoo.com/421-ts01.html)
>>>>
>>>> I'm running squeeze, my accounts are secured with strong passwords, how
>>>> can I stop that?
>>>>
>>>> thanks,
>>>
>>> Some log entries from when the message was submitted from the spammer into
>>> your mail system would be more useful, instead of the log entries from when
>>> your mail server then tried to deliver it.
>>>
>>> Is it possible you have an account on your system with an easy to guess
>>> (or empty) password?  Look in your system log for when the connection came
>>> in from the spammer, and see if it shows they actually authenticated with
>>> your server.  It will look something like this:
>>>
>>> Nov 15 00:50:09 xxx postfix/smtpd[9910]: connect from xx.xx.xx.xx
>>> Nov 15 00:50:10 xxx postfix/smtpd[9910]: 8513115A13: client=xx.xx.xx.xx,
>>> sasl_method=PLAIN, sasl_username=kevin
>>>
>>> Followed by some lines detailing the specifics of the message that was
>>> submitted to your mail server for delivery.  If they authenticated, then you
>>> need to change the password for that user (or disable the user).  If they
>>> didn't authenticate, then you're an open relay (doesn't seem likely, looking
>>> at your main.cf).
>>>
>>> Hope this helps!
>>> -- Kevin
>>
>> Actually, looking more closely at your main.cf, it looks like you have
>> authentication disabled for incoming connections, meaning it will only
>> forward email for clients connected from the local network (*any* mail
>> submitted from the local network).  So is it possible there is some proxy
>> service running on your network where the spam could be coming from?  An
>> unsecured wi-fi router on your network?  A webmail server, with an easy to
>> guess password on a user account?
>>
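The log check Kevin describes, written out as an added example (not code from any poster in this thread): it reads the smtpd lines that record an accepted message and reports, per client address, whether the sender authenticated, came from a trusted network, or arrived with the router's address. The mynetworks value and the sample log lines are assumptions constructed for illustration; only the router address 192.168.150.254 and the log format come from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the smtpd log format quoted in the thread (not real data).
SAMPLE_LOG = """\
Nov 15 12:32:49 VOLTALIAMSG postfix/smtpd[31102]: connect from unknown[192.168.150.254]
Nov 15 12:32:50 VOLTALIAMSG postfix/smtpd[31102]: 1A2B3C4D5E: client=unknown[192.168.150.254]
Nov 15 12:32:56 VOLTALIAMSG postfix/smtpd[31110]: 2B3C4D5E6F: client=unknown[192.168.150.254]
Nov 15 12:40:01 VOLTALIAMSG postfix/smtpd[31200]: 3C4D5E6F70: client=pc7[192.168.150.17], sasl_method=PLAIN, sasl_username=kevin
Nov 15 12:41:10 VOLTALIAMSG postfix/smtpd[31201]: 4D5E6F7081: client=mail.example.org[203.0.113.9]
"""

# Assumed: the thread does not show mynetworks. The router address is from the post.
MYNETWORKS = ["127.0.0.0/8", "192.168.150.0/24"]
NAT_GATEWAYS = {"192.168.150.254"}

# Accepted mail is logged as "QUEUEID: client=host[ip]", with SASL fields after a login.
ACCEPT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=[^,\s]+, sasl_username=(?P<user>\S+))?"
)

def classify(ip, user):
    """Name the reason Postfix had for accepting mail from this client."""
    if user:
        return "authenticated"
    if ip in NAT_GATEWAYS:
        return "nat-gateway"  # the real sender is hidden behind the router address
    try:
        addr = ipaddress.ip_address(ip.replace("IPv6:", ""))
    except ValueError:
        return "external"  # e.g. unknown[unknown]: no usable address, not trusted
    if any(addr in ipaddress.ip_network(n) for n in MYNETWORKS):
        return "trusted-network"
    return "external"

def summarize(log_text):
    """Count accepted messages per (client ip, category, sasl user)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            ip, user = m.group("ip"), m.group("user")
            counts[(ip, classify(ip, user), user)] += 1
    return counts

if __name__ == "__main__":
    for (ip, category, user), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {ip:16s} {category:16s} {user or '-'}")
```

A large count in the nat-gateway row means connections forwarded by the router reach Postfix with the router's own address, so a rule that trusts the local network cannot tell them apart from internal hosts.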