Postfix intrusion - spam

1. Postfix intrusion - spam

Igor Fernando Martins de Melo
nonozim

(uses Slackware)

Posted on 10/04/2008 - 14:26h

Good afternoon, colleagues,

At the company where I work we use Postfix with MySQL and SpamAssassin etc. What happens is that, every now and then, I and other users receive email from my company's domain but with an unknown user, like: xjah@dominiodaminhaempresa.com.br.

Analyzing the Postfix maillog I found these lines:

Apr 10 09:27:06 ns2 postfix/smtpd[10955]: warning: 85.20.126.147: hostname 85-20-126-147-dynamic.albacom.net verification failed: Name or service not known
Apr 10 09:27:06 ns2 postfix/smtpd[10955]: connect from unknown[85.20.126.147]
Apr 10 09:27:08 ns2 postfix/smtpd[10955]: 7E66D1380DA: client=unknown[85.20.126.147]
Apr 10 09:27:09 ns2 postfix/cleanup[30332]: 7E66D1380DA: message-id=<1dce01c89b16$c61e9d20$937e1455@medcomerce.com.br>
Apr 10 09:27:09 ns2 postfix/qmgr[14937]: 7E66D1380DA: from=<nawavis@medcomerce.com.br>, size=2509, nrcpt=1 (queue active)
Apr 10 09:27:09 ns2 spamd[24230]: spamd: connection from localhost [127.0.0.1] at port 34096
Apr 10 09:27:09 ns2 spamd[24230]: spamd: setuid to clamav succeeded
Apr 10 09:27:09 ns2 spamd[24230]: spamd: processing message <1dce01c89b16$c61e9d20$937e1455@medcomerce.com.br> for clamav:1003
Apr 10 09:27:09 ns2 spamd[24230]: spamd: clean message (2.0/5.0) for clamav:1003 in 0.1 seconds, 2490 bytes.
Apr 10 09:27:09 ns2 spamd[24230]: spamd: result: . 1 - BAYES_00,BODY_ENHANCEMENT2,HELO_DYNAMIC_IPADDR2,HTML_MESSAGE scantime=0.1,size=2490,user=clamav,uid=1003,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=34096,mid=<1dce01c89b16$c61e9d20$937e1455@medcomerce.com.br>,bayes=1.11022302462516e-16,autolearn=no
Apr 10 09:27:09 ns2 spamd[23658]: prefork: child states: II
Apr 10 09:27:09 ns2 postfix/pickup[15064]: D72BC1380FF: uid=1003 from=<nawavis@medcomerce.com.br>
Apr 10 09:27:09 ns2 postfix/cleanup[18273]: D72BC1380FF: message-id=<1dce01c89b16$c61e9d20$937e1455@medcomerce.com.br>
Apr 10 09:27:09 ns2 postfix/pipe[30916]: 7E66D1380DA: to=<cpd@medcomerce.com.br>, relay=clamav, delay=2, delays=1.8/0/0/0.16, dsn=2.0.0, status=sent (delivered via clamav service)
Apr 10 09:27:09 ns2 postfix/qmgr[14937]: 7E66D1380DA: removed
Apr 10 09:27:09 ns2 postfix/qmgr[14937]: D72BC1380FF: from=<nawavis@medcomerce.com.br>, size=2867, nrcpt=1 (queue active)
Apr 10 09:27:09 ns2 postfix/virtual[28970]: D72BC1380FF: to=<cpd@medcomerce.com.br>, relay=virtual, delay=0.02, delays=0.02/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Apr 10 09:27:09 ns2 postfix/qmgr[14937]: D72BC1380FF: removed
Apr 10 09:27:10 ns2 postfix/smtpd[10955]: disconnect from unknown[85.20.126.147]

If I'm not mistaken, this IP 85.20.126.147 connects to my network, sends the spam using my domain and then disconnects... is that right? What can cause this? And what would the solution be?

2. Re: Postfix intrusion - spam

Thiago Fernandes de Melo
m4tri_x

(uses Ubuntu)

Posted on 10/04/2008 - 15:32h

Hey, paste your main.cf here:

/etc/postfix/main.cf


;D

[]'s


3. Re: Postfix intrusion - spam

Igor Fernando Martins de Melo
nonozim

(uses Slackware)

Posted on 10/04/2008 - 16:00h

m4tri_x, here's my main.cf; thanks in advance for your attention:

#======== SETTINGS ===============
queue_directory = /usr/var/spool/postfix/
#queue_directory = /var/spool/postfix/
program_directory=/usr/sbin
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
default_privs=nobody
default_transport=smtp
alias_maps=hash:/etc/postfix/aliases
alias_database=hash:/etc/postfix/aliases
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
manpage_directory = /usr/local/man
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
smtpd_banner=$myhostname ESMTP "Version not Available"
disable_vrfy_command=yes
home_mailbox=Maildir/
comand_time_limit = 1h

# ========== DOMAIN NAME ===========
myhostname=medcomerce.com.br
mydomain=medcomerce.com.br
myorigin= $mydomain
mydestination= $mydomain, $transport_maps
message_size_limit = 50720000
mailbox_size_limit= 507286400

#===== NETWORKS for relay ======
# 10.0.0.0/24 = MY NETWORK
#
mynetworks=10.1.0.0/16 10.2.0.0/16 10.3.0.0/16 200.199.231.0/24 200.181.62.0/24 189.10.82.0/24

note: those 200.x.x.x IPs are in mynetworks because we have branches in other states and we use the BrT Vetor for the VPN.


#======== MYSQL ==============
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_base = /postfix
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_uid_maps = static:108
virtual_gid_maps = static:108
transport_maps = mysql:/etc/postfix/mysql_transport_maps.cf

#======= Quota ============
virtual_mailbox_limit_inbox = no
virtual_mailbox_limit_maps= mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_extended = yes
virtual_create_maildirsize = yes
virtual_mailbox_limit = 2000000000
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
virtual_overquota_bounce = yes


#====== SASL ================
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#smtpd_client_restrictions= permit_mynetworks, reject_maps_rbl, reject_unknown_client
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining,reject_invalid_hostname, reject_multi_recipient_bounce, check_sender_access pcre:/etc/postfix/sender_check
smtpd_helo_required = yes
#maps_rbl_domains= relays.ordb.org blackholes.mail-abuse.org

#smtpd_recipient_restrictions =
# permit_sasl_authenticated,
# permit_mynetworks,
# check_relay_domains

# =======MAILDROP ==========
fallback_transport = maildrop
maildrop_destination_recipient_limit = 1
unknown_local_recipient_reject_code = 450

note: when I enable smtpd_recipient_restrictions, sending email becomes slow and I don't receive anything from any domain, which is why I commented the line out.

#============================
#smtpd_recipient_restrictions =
# permit_sasl_authenticated,
# permit_mynetworks,
# reject_invalid_hostname,
# reject_non_fqdn_sender,
# reject_non_fqdn_recipient,
# reject_unknown_sender_domain
# reject_rbl_client relays.ordb.org,
# reject_rbl_client opm.blitzed.org,
# reject_rbl_client list.dsbl.org,
# reject_rbl_client cbl.abuseat.org,
# reject_rbl_client dul.dnsbl.sorbs.net,
# reject_rbl_client bl.spamcop.net
# reject_rbl_client sbl-xbl.spamhaus.org,
# reject_unauth_destination,
# check_sender_access pcre:/etc/postfix/sender_check
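Putting post 1's log excerpt next to post 3's main.cf explains the symptom: the only envelope/client correlation in the log is the queue ID, and with smtpd_recipient_restrictions commented out, nothing in the accepted configuration asks whether an unauthenticated outside client may use a sender in the local domain. The script below is an added example (not code from this thread, from the poster, or from Postfix). It groups the maillog lines by queue ID, flags sessions where an outside, non-SASL client claimed a local sender, and then replays such a session through two restriction orders: the built-in default that applies when smtpd_recipient_restrictions is unset in Postfix 2.x of that era, and a hardened order. The local domain and mynetworks values are the ones posted in the thread; the first four log lines are copied from post 1, and the last three (queue ID 1A2B3C4D5E6, host.example.net, the 198.51.100.7 and 203.0.113.5 addresses, the sasl user cpd) are constructed to show a legitimate authenticated user relaying outbound.

```python
"""Added example (not from the thread or from Postfix): correlate a Postfix
maillog by queue ID, flag local-domain senders from unauthenticated outside
clients, and replay such a session through two smtpd restriction orders."""
import ipaddress
import re

# Local domain and mynetworks exactly as posted in the thread's main.cf.
LOCAL_DOMAINS = {"medcomerce.com.br"}
MYNETWORKS = [ipaddress.ip_network(n) for n in (
    "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16",
    "200.199.231.0/24", "200.181.62.0/24", "189.10.82.0/24")]

# Sample input: the first four lines are copied from the thread's maillog
# excerpt; the last three are constructed (queue ID, host, addresses and
# SASL user are made up) to show an authenticated user relaying outbound.
SAMPLE_LOG = """\
Apr 10 09:27:08 ns2 postfix/smtpd[10955]: 7E66D1380DA: client=unknown[85.20.126.147]
Apr 10 09:27:09 ns2 postfix/qmgr[14937]: 7E66D1380DA: from=<nawavis@medcomerce.com.br>, size=2509, nrcpt=1 (queue active)
Apr 10 09:27:09 ns2 postfix/pipe[30916]: 7E66D1380DA: to=<cpd@medcomerce.com.br>, relay=clamav, delay=2, delays=1.8/0/0/0.16, dsn=2.0.0, status=sent (delivered via clamav service)
Apr 10 09:27:09 ns2 postfix/qmgr[14937]: D72BC1380FF: from=<nawavis@medcomerce.com.br>, size=2867, nrcpt=1 (queue active)
Apr 10 10:02:11 ns2 postfix/smtpd[10960]: 1A2B3C4D5E6: client=host.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=cpd
Apr 10 10:02:11 ns2 postfix/qmgr[14937]: 1A2B3C4D5E6: from=<cpd@medcomerce.com.br>, size=1200, nrcpt=1 (queue active)
Apr 10 10:02:12 ns2 postfix/smtp[14950]: 1A2B3C4D5E6: to=<partner@example.org>, relay=mail.example.org[203.0.113.5]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=2.0.0, status=sent (250 OK)
"""

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+?, sasl_username=(?P<user>\S+))?")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>")


def _session(sessions, qid):
    return sessions.setdefault(
        qid, {"client_ip": None, "sasl_user": None, "sender": None, "rcpts": []})


def parse_log(text):
    """Group what each daemon logged about a message under its queue ID."""
    sessions = {}
    for line in text.splitlines():
        if m := CLIENT_RE.search(line):
            s = _session(sessions, m["qid"])
            s["client_ip"], s["sasl_user"] = m["ip"], m["user"]
        elif m := FROM_RE.search(line):
            _session(sessions, m["qid"])["sender"] = m["sender"]
        elif m := TO_RE.search(line):
            _session(sessions, m["qid"])["rcpts"].append(m["rcpt"])
    return sessions


def domain_of(address):
    return address.rpartition("@")[2].lower()


def in_mynetworks(ip):
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def forged_local_senders(sessions):
    """Queue IDs of SMTP sessions where an outside, unauthenticated client used
    a sender in one of our domains.  Sessions with no smtpd client line (local
    pickup, e.g. the content filter re-injecting the message) are skipped."""
    return sorted(
        qid for qid, s in sessions.items()
        if s["client_ip"] and s["sender"]
        and domain_of(s["sender"]) in LOCAL_DOMAINS
        and not s["sasl_user"] and not in_mynetworks(s["client_ip"]))


# With smtpd_recipient_restrictions commented out, Postfix 2.x of that era
# applies this built-in default, which never asks who speaks as the local domain.
DEFAULT_ORDER = ["permit_mynetworks", "reject_unauth_destination"]
# Hardened order: LAN/VPN and SASL clients are permitted first; everyone else is
# held to reject_unauth_destination and then to a check_sender_access map whose
# entry for medcomerce.com.br is REJECT.
HARDENED_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
                  "reject_unauth_destination", "check_sender_access"]


def evaluate(order, s):
    """Walk a restriction list the way smtpd does: the first restriction whose
    condition holds decides, and an exhausted list permits.  Simplified to one
    verdict per message instead of one per RCPT TO."""
    local_sender = domain_of(s["sender"]) in LOCAL_DOMAINS
    all_local_rcpts = all(domain_of(r) in LOCAL_DOMAINS for r in s["rcpts"])
    for restriction in order:
        if restriction == "permit_mynetworks" and in_mynetworks(s["client_ip"]):
            return "OK"
        if restriction == "permit_sasl_authenticated" and s["sasl_user"]:
            return "OK"
        if restriction == "reject_unauth_destination" and not all_local_rcpts:
            return "REJECT 554 Relay access denied"
        if restriction == "check_sender_access" and local_sender:
            return "REJECT 553 Sender domain is local; authenticate to use it"
    return "OK"


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for qid in forged_local_senders(sessions):
        s = sessions[qid]
        print(f"{qid}: {s['client_ip']} sent as {s['sender']} to {s['rcpts']}")
        print("  default order :", evaluate(DEFAULT_ORDER, s))
        print("  hardened order:", evaluate(HARDENED_ORDER, s))
```

Run against the thread's lines, the script reports only 7E66D1380DA: the default order accepts it (the recipient is local, so it is not relaying, and nothing else is checked), while the hardened order rejects it at the sender check. The constructed authenticated session shows the other side of the ordering: under the default order it is refused with "Relay access denied", which is what remote Outlook or webmail users would hit, and under the hardened order it passes because permit_sasl_authenticated comes before the checks. The main.cf equivalent is `smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access`, with `/etc/postfix/sender_access` containing the line `medcomerce.com.br REJECT` and rebuilt with `postmap /etc/postfix/sender_access`. One caveat on the commented-out list at the end of post 3: ORDB (relays.ordb.org) had been shut down since the end of 2006 and from March 2008 answered every query as listed, so `reject_rbl_client relays.ordb.org` rejects all incoming mail, which matches the "receives nothing from any domain" observation; only lists that are still maintained should be kept in that position.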

4. Re: Postfix intrusion - spam

Anselmo Cavalcante
anselmu

(uses Debian)

Posted on 29/05/2008 - 19:12h

This looks to me like a remote connection using either an email client (such as Outlook, for example) or your company's webmail. If the emails coming from this same IP are always spam, you can block connections from this origin with iptables, or, if the spam always has similar characteristics, you can use SpamAssassin's sa-learn command so it learns that this email is spam.
