Achmad Sunandar
Mon, 31 Aug 2009 19:52:25 -0700
For example user = john, password = john, or password 12345, 123456, ... etc.

To back up the suspicion above, while the spam is still in the queue, look at the header of one sample spam message using "postcat -q [queue ID]". The header usually contains information about which user the webmail authentication used. If that does not reveal it, look at the spammer's source IP and match it against the squirrelmail log to see which user that IP authenticated as.

Regards,
-Nandar-

Andri wrote:
Dear colleagues,

I would like your input on a problem I am currently facing. We have a webmail (squirrelmail 1.4.9a + postfix-2.3.4) connected to an exchange server, where users log in to the webmail using active directory authentication. Recently the webmail was flooded with spam, with logs like the ones below:

Aug 30 05:05:06 webmail postfix/smtpd[1470]: connect from localhost.localdomain[127.0.0.1]
Aug 30 05:05:06 webmail postfix/smtpd[1470]: 5621323FA7: client=localhost.localdomain[127.0.0.1]
Aug 30 05:05:06 webmail postfix/cleanup[1473]: 5621323FA7: message-id=<7a2d144cd865d8824ecac6ef0cc92afb.squir...@domain kami>
Aug 30 05:05:06 webmail postfix/qmgr[1155]: 5621323FA7: from=<i...@email.com>, size=1501, nrcpt=201 (queue active)
Aug 30 05:05:07 webmail postfix/smtpd[1470]: disconnect from localhost.localdomain[127.0.0.1]
Aug 30 05:05:07 webmail postfix/smtp[1475]: 5621323FA7: to=<christophergilbert...@hotmail.com>, relay=192.168.0.10[192.168.0.10]:25, delay=1.2, delays=0.77/0.21/0.02/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9FC34C8065)
Aug 30 05:05:07 webmail postfix/smtp[1475]: 5621323FA7: to=<chri...@hotmail.co.uk>, relay=192.168.0.10[192.168.0.10]:25, delay=1.2, delays=0.77/0.21/0.02/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9FC34C8065)
Aug 30 05:05:07 webmail postfix/smtp[1475]: 5621323FA7: to=<chris4wen...@hotmail.co.uk>, relay=192.168.0.10[192.168.0.10]:25, delay=1.2, delays=0.77/0.21/0.02/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9FC34C8065)
Aug 30 05:05:07 webmail postfix/smtp[1475]: 5621323FA7: to=<chris_taylo...@hotmail.co.uk>, relay=192.168.0.10[192.168.0.10]:25, delay=1.2, delays=0.77/0.21/0.02/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9FC34C8065)

and so on.... until it reaches almost 200-odd emails. I still do not understand whether this is a squirrelmail problem or a postfix problem.

My question: how can email from i...@email.com (not from our domain) send email and authenticate via squirrelmail?

My postconf is as follows:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
mydestination = localhost
mydomain = domain kami
myhostname = webmail.domain kami
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
relay_domains = $mydomain
relayhost = [192.168.0.10]
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains, check_sender_access hash:/etc/postfix/maps/check_sender_access, permit

check_sender_access domain kami OK

Please enlighten me, thank you.

Andri
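
The triage described in the reply above, as an added example that is not part of the original thread: it picks out queue IDs that the local webmail handed to Postfix with many recipients or a sender outside the site's domain, then reads the authenticated user and source IP from the `postcat -q` header. The domain `example.org`, the `max_rcpt` threshold, both sample inputs and the assumed layout of the SquirrelMail `Received:` header are constructed for illustration.

```python
import re

# Constructed sample lines in the Postfix syslog format quoted in the thread.
SAMPLE_LOG = """\
Aug 30 05:05:06 webmail postfix/smtpd[1470]: 5621323FA7: client=localhost.localdomain[127.0.0.1]
Aug 30 05:05:06 webmail postfix/qmgr[1155]: 5621323FA7: from=<sender@example.net>, size=1501, nrcpt=201 (queue active)
Aug 30 05:07:10 webmail postfix/smtpd[1482]: 6A11D23FB0: client=localhost.localdomain[127.0.0.1]
Aug 30 05:07:10 webmail postfix/qmgr[1155]: 6A11D23FB0: from=<alice@example.org>, size=912, nrcpt=1 (queue active)
"""

# Constructed header; assumed layout of the Received header SquirrelMail adds (seen via postcat -q).
SAMPLE_HEADER = """\
Received: from 203.0.113.7
        (SquirrelMail authenticated user john)
        by webmail.example.org with HTTP;
        Sun, 30 Aug 2009 05:05:06 +0700
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([^\]]+)\]")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
SM_RE = re.compile(r"Received: from (\S+)\s+\(SquirrelMail authenticated user ([^)]+)\)")

def bulk_webmail_messages(log_text, own_domain, max_rcpt=50):
    """Return (queue_id, sender, nrcpt) for mail handed over by the local webmail
    (client 127.0.0.1) with many recipients or a sender outside own_domain."""
    local_ids, hits = set(), []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m and m.group(2) == "127.0.0.1":
            local_ids.add(m.group(1))
            continue
        m = QMGR_RE.search(line)
        if m and m.group(1) in local_ids:
            qid, sender, nrcpt = m.group(1), m.group(2), int(m.group(3))
            foreign = not sender.lower().endswith("@" + own_domain.lower())
            if nrcpt > max_rcpt or foreign:
                hits.append((qid, sender, nrcpt))
    return hits

def squirrelmail_login(header_text):
    """Return (source_ip, username) from the SquirrelMail Received header, or None."""
    m = SM_RE.search(header_text)
    return (m.group(1), m.group(2)) if m else None

if __name__ == "__main__":
    for qid, sender, nrcpt in bulk_webmail_messages(SAMPLE_LOG, "example.org"):
        print(f"inspect with: postcat -q {qid}  (from={sender}, nrcpt={nrcpt})")
    print(squirrelmail_login(SAMPLE_HEADER))
```

If the header yields no user, the source IP it returns is the value to look up in the squirrelmail log, as the reply suggests.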