Hi,

Some fake user mail addresses are created in the MySQL database. These mail addresses use our domain name, but they don't exist in our LDAP directory.

Debian squeeze
DSPAM 3.9.1 RC1

Here are some logs and conf files:

fake_u...@cire.fr is our example.

mail.info

Feb 22 08:43:43 srv08savsmtp01 postfix/qmgr[13671]: 4E7813406C7: from=<we...@att.net>, size=46089, nrcpt=1 (queue active)
Feb 22 08:43:43 srv08savsmtp01 postfix/lmtp[20464]: 5D865340918: to=<fake_user@cire.fr>, relay=127.0.0.1[127.0.0.1]:25000, delay=7.1, delays=6.3/0.01/0.04/0.71, dsn=2.6.0, status=sent (250 2.6.0 <fake_user@cire.fr> Message accepted for delivery)
Feb 22 08:43:43 srv08savsmtp01 postfix/qmgr[13671]: 5D865340918: removed
Feb 22 08:43:43 srv08savsmtp01 postfix/smtp[20403]: 4E7813406C7: to=<fake_u...@cire.fr>, relay=10.0.0.232[10.0.0.232]:25, delay=0.22, delays=0.14/0/0.01/0.08, dsn=5.1.1, status=bounced (host 10.0.0.232[10.0.0.232] said: 550 5.1.1 <fake_user@cire.fr>... User Unknown (in reply to RCPT TO command))
Feb 22 08:43:43 srv08savsmtp01 postfix/cleanup[20398]: 7BD64340918: message-id=<20110222074343.7bd64340...@smtp.cire.fr>
Feb 22 08:43:43 srv08savsmtp01 postfix/qmgr[13671]: 7BD64340918: from=<>, size=47919, nrcpt=1 (queue active)
Feb 22 08:43:43 srv08savsmtp01 postfix/bounce[20466]: 4E7813406C7: sender non-delivery notification: 7BD64340918
Feb 22 08:43:43 srv08savsmtp01 postfix/qmgr[13671]: 4E7813406C7: removed
Feb 22 08:43:43 srv08savsmtp01 postfix/smtp[20403]: 7BD64340918: to=<we...@att.net>, relay=10.0.0.232[10.0.0.232]:25, delay=0.06, delays=0.01/0/0.01/0.04, dsn=5.7.1, status=bounced (host 10.0.0.232[10.0.0.232] said: 550 5.7.1 <we...@att.net>... Relaying denied. IP name lookup failed [10.0.4.232] (in reply to RCPT TO command))
Feb 22 08:43:43 srv08savsmtp01 postfix/qmgr[13671]: 7BD64340918: removed

dspam.debug

16399: [02/22/2011 08:43:42] External Lookup: found 0 LDAP entries
16399: [02/22/2011 08:43:42] External Lookup: Backend search failure: no entries found.
16399: [02/22/2011 08:43:42] DSPAM Instance Startup
16399: [02/22/2011 08:43:42] input args: dspam --deliver=innocent -d %u
16399: [02/22/2011 08:43:42] pass-thru args: -d %u
16399: [02/22/2011 08:43:42] processing user fake_u...@cire.fr
16399: [02/22/2011 08:43:42] uid = 103, euid = 103, gid = 105, egid = 105
16399: [02/22/2011 08:43:42] loading preferences for user fake_u...@cire.fr
16399: [02/22/2011 08:43:42] _mysql_drv_getpwnam: successful returning struct for name: fake_u...@cire.fr
16399: [02/22/2011 08:43:42] Loading preferences for uid 154
16399: [02/22/2011 08:43:42] Loading preferences for uid 0
16399: [02/22/2011 08:43:42] Loading preferences for uid 0
16399: [02/22/2011 08:43:42] loaded default preferences externally
16399: [02/22/2011 08:43:42] using /var/spool/dspam/opt-in/cire.fr/fake_user.dspam as path
16399: [02/22/2011 08:43:42] using /var/spool/dspam/opt-out/cire.fr/fake_user.nodspam as path
16399: [02/22/2011 08:43:42] adding user to merged group dspam_group
16399: [02/22/2011 08:43:42] sedation level set to: 0
16399: [02/22/2011 08:43:42] _mysql_drv_getpwnam: successful returning struct for name: fake_u...@cire.fr
16399: [02/22/2011 08:43:42] _mysql_drv_getpwnam: successful returning struct for name: dspam_group
16399: [02/22/2011 08:43:42] Connecting to 127.0.0.1:3310 for virus check
16399: [02/22/2011 08:43:42] Connecting to 127.0.0.1:1499 for virus stream transmission
16399: [02/22/2011 08:43:42] _mysql_drv_getpwnam: successful returning struct for name: fake_u...@cire.fr
16399: [02/22/2011 08:43:42] _mysql_drv_getpwnam: successful returning struct for name: dspam_group
16399: [02/22/2011 08:43:42] DSPAM Instance Shutdown.  Exit Code: 0
16399: [02/22/2011 08:43:42] checking trusted user list for dspam(103)
16399: [02/22/2011 08:43:42] Loading 1 BNR patterns
16399: [02/22/2011 08:43:42] _mysql_drv_getpwnam: successful returning struct for name: fake_u...@cire.fr
16399: [02/22/2011 08:43:42] _mysql_drv_getpwnam: successful returning struct for name: dspam_group
16399: [02/22/2011 08:43:42] Whitelist threshold: 10
16399: [02/22/2011 08:43:42] [graham] [0.010000] Received*Tue+22 (3frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*Tue+22 (3frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*Tue+22 (3frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Received*cire.fr>+Tue (3frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*cire.fr>+Tue (3frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*cire.fr>+Tue (3frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Received*Tue (3frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*Tue (3frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*Tue (3frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Date*21+Feb (1frq, 0s, 13i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Date*21+Feb (1frq, 0s, 13i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Date*12 (1frq, 0s, 7i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Date*12 (1frq, 0s, 7i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Received*12 (1frq, 0s, 7i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*12 (1frq, 0s, 7i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Date*Mon (1frq, 0s, 11i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Date*Mon (1frq, 0s, 11i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Received*0000 (4frq, 0s, 3i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*0000 (4frq, 0s, 3i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Date*0800 (1frq, 0s, 3i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Date*0800 (1frq, 0s, 3i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Received*invoked+by (1frq, 0s, 6i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*invoked+by (1frq, 0s, 6i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] DKIM-Signature*a=rsa+sha256 (1frq, 0s, 11i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] DKIM-Signature*a=rsa+sha256 (1frq, 0s, 11i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] X-PMX-Spam*Probability=88% (1frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] X-PMX-Spam*Probability=88% (1frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] DKIM-Signature*c=relaxed/relaxed (1frq, 0s, 19i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] DKIM-Signature*c=relaxed/relaxed (1frq, 0s, 19i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Date*Mon+21 (1frq, 0s, 11i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Date*Mon+21 (1frq, 0s, 11i)
16399: [02/22/2011 08:43:42] [graham] [0.010000] Received*invoked (1frq, 0s, 7i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*invoked (1frq, 0s, 7i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] DKIM-Signature*Version (1frq, 0s, 3i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*uid (1frq, 0s, 6i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] DKIM-Signature*sha256 (1frq, 0s, 11i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*22+Feb (7frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*22+Feb (7frq, 0s, 5i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] DomainKey-Signature*a=rsa (1frq, 0s, 14i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] Received*Mon+21 (1frq, 0s, 14i)
16399: [02/22/2011 08:43:42] [burton] [0.010000] DomainKey-Signature*c=nofws (1frq, 0s, 6i)
16399: [02/22/2011 08:43:42] Graham-Bayesian Probability: 0.000000 Samples: 15
16399: [02/22/2011 08:43:42] Burton-Bayesian Probability: 0.000000 Samples: 27
16399: [02/22/2011 08:43:42] no factors specified; using default
16399: [02/22/2011 08:43:42] Result Confidence: 0.99
16399: [02/22/2011 08:43:42] _mysql_drv_getpwnam: successful returning struct for name: fake_u...@cire.fr
16399: [02/22/2011 08:43:43] Control: [10 10] [10 11] Delta: [0 1]
16399: [02/22/2011 08:43:43] total processing time: 0.43014s
16399: [02/22/2011 08:43:43] _mysql_drv_getpwnam returning cached name fake_u...@cire.fr.
16399: [02/22/2011 08:43:43] saving signature as 4d63692f163991827145673
16399: [02/22/2011 08:43:43] _mysql_drv_getpwnam returning cached name fake_u...@cire.fr.
16399: [02/22/2011 08:43:43] libdspam returned probability of 0.000000
16399: [02/22/2011 08:43:43] message result: NOT SPAM
16399: [02/22/2011 08:43:43] _mysql_drv_getpwnam returning cached name fake_u...@cire.fr.
16399: [02/22/2011 08:43:43] delivering message
16399: [02/22/2011 08:43:43] Establishing connection to 127.0.0.1:25001
16399: [02/22/2011 08:43:43] Connection established
16399: [02/22/2011 08:43:43] DSPAM Instance Shutdown.  Exit Code: 0
16399: [02/22/2011 08:43:43] checking trusted user list for dspam(103)
16399: [02/22/2011 08:45:11] connection id 8 from 127.0.0.1.
16399: [02/22/2011 08:45:11] checking trusted user list for dspam(103)
16399: [02/22/2011 08:45:11] No QuarantineAgent option found. Using standard quarantine.
16399: [02/22/2011 08:45:11] using database handle id 2
16399: [02/22/2011 08:45:11] handle locked


main.cf

######### Set the domain name ###########

mydomain = cire.fr
myhostname = smtp.cire.fr
mydestination = $myhostname, localh...@cire.fr, localh...@cire-pcb.com
myorigin = $mydomain
relayhost = 10.0.0.232

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


######## Make HELO mandatory and change the welcome banner ###

smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname
smtpd_banner = Bienvenue sur le serveur de courrier du groupe CIRE

append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no

local_domains_maps=([".$mydomain", '.cire-pcb.com'])

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# max mail size 5 MB, biff disabled, procmail disabled for mail delivery
# Courier IMAP and POP use the Maildir format, no quota on mailboxes

message_size_limit = 0
mailbox_size_limit = 0
recipient_delimiter = +
biff = no


smtpd_recipient_restrictions =
       permit_mynetworks,
       reject_unauth_destination,
       reject_unknown_recipient_domain,
       reject_unverified_recipient

######## Define the local network and listen on all interfaces #####

mynetworks = 127.0.0.0/8, 10.0.0.0/8
inet_interfaces = all

transport_maps = hash:/etc/postfix/transports

content_filter = smtp-dspam:[127.0.0.1]:25000


extlookup.conf

ExtLookup               on          # Turns on/off external lookup
ExtLookupMode           strict      # available modes are 'verify', 'map' and 'strict'.
                                    # 'strict' enforces both verify and map
ExtLookupDriver         ldap        # Currently only ldap and program are supported.
                                    # There are plans to support both MySQL and Postgres.
ExtLookupServer         directory.cire.fr   # Can either be a database hostname or the full path to
                                    # an executable lookup program and its arguments.
ExtLookupPort           389         # Desired port when connecting to the lookup database.
ExtLookupDB             "ou=users,dc=cire.fr,dc=local"   # Can either be an LDAP search base or a database name (TODO).
ExtLookupQuery          "(&(objectClass=*)(|(mail=%u)(mailAlias=%u)))"   # Can either be an LDAP search filter or an SQL query (TODO)
ExtLookupLDAPAttribute  "uid"       # Attribute to be used when ExtLookupDriver is 'ldap'
                                    # and ExtLookupMode 'map' or 'strict'
ExtLookupLDAPScope      base        # Can be set to 'base', 'sub' or 'one'. Only used when ExtLookupDriver is 'ldap'.
ExtLookupLDAPVersion    3           # Sets the LDAP protocol version (1, 2 or 3)
#ExtLookupLogin         "cn=admin,dc=domain,dc=com"   # Login to be used when connecting to any direct database backend.
#ExtLookupPassword      itsasecret  # Password to use with ExtLookupLogin.
#ExtLookupCrypto        tls         # Sets the use of TLS on backend communication (only compatible with LDAPv3)


Any help would be appreciated

Thanks

Best regards,

Mickael.

_______________________________________________
Dspam-user mailing list
Dspam-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-user
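
An added example, not part of the original post and not DSPAM code: a Python script that pairs each "External Lookup: found N LDAP entries" line in dspam.debug with the "processing user" line that follows it, then cross-checks against 5.1.1 bounces in mail.info to list accounts that were processed without a directory entry. The log lines and addresses are constructed, and the pairing assumes the lookup line precedes the user line as in the excerpt above.

```python
import re

# Constructed sample lines in the format of the dspam.debug and mail.info
# excerpts in the post (addresses and the second queue ID are made up).
DSPAM_DEBUG = """\
16399: [02/22/2011 08:43:42] External Lookup: found 0 LDAP entries
16399: [02/22/2011 08:43:42] External Lookup: Backend search failure: no entries found.
16399: [02/22/2011 08:43:42] DSPAM Instance Startup
16399: [02/22/2011 08:43:42] processing user ghost@example.test
16399: [02/22/2011 08:43:42] _mysql_drv_getpwnam: successful returning struct for name: ghost@example.test
16399: [02/22/2011 08:44:10] External Lookup: found 1 LDAP entries
16399: [02/22/2011 08:44:10] processing user alice@example.test
16399: [02/22/2011 08:44:10] _mysql_drv_getpwnam: successful returning struct for name: alice@example.test
"""
MAIL_INFO = """\
Feb 22 08:43:43 mx postfix/smtp[20403]: 4E7813406C7: to=<ghost@example.test>, relay=10.0.0.232[10.0.0.232]:25, dsn=5.1.1, status=bounced (host 10.0.0.232[10.0.0.232] said: 550 5.1.1 <ghost@example.test>... User Unknown (in reply to RCPT TO command))
Feb 22 08:44:11 mx postfix/smtp[20403]: 5A1B2C3D4E5: to=<alice@example.test>, relay=10.0.0.232[10.0.0.232]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

LOOKUP = re.compile(r"External Lookup: found (\d+) LDAP entries")
PROCESSING = re.compile(r"processing user (\S+)")
GETPWNAM = re.compile(r"_mysql_drv_getpwnam: successful returning struct for name: (\S+)")
BOUNCE = re.compile(r"to=<([^>]+)>.*dsn=5\.1\.1, status=bounced")

def users_processed_without_directory_entry(debug_text):
    """Users DSPAM processed and resolved in MySQL right after a lookup that
    found 0 LDAP entries. Assumption: lines of one message are contiguous;
    a busy daemon may interleave them, hence the bounce cross-check below."""
    last_count, pending, flagged = None, None, set()
    for msg in debug_text.splitlines():
        if (hit := LOOKUP.search(msg)):
            last_count, pending = int(hit.group(1)), None
        elif (hit := PROCESSING.search(msg)):
            pending = hit.group(1) if last_count == 0 else None
            last_count = None  # a lookup result applies to one message only
        elif (hit := GETPWNAM.search(msg)) and hit.group(1) == pending:
            flagged.add(pending)
    return flagged

def unknown_recipients(mail_text):
    """Recipients the downstream relay rejected with 5.1.1 (User Unknown)."""
    return {m.group(1) for m in map(BOUNCE.search, mail_text.splitlines()) if m}

def purge_candidates(debug_text, mail_text):
    """Accounts seen in both signals, sorted for review before any cleanup."""
    return sorted(users_processed_without_directory_entry(debug_text)
                  & unknown_recipients(mail_text))

if __name__ == "__main__":
    print(purge_candidates(DSPAM_DEBUG, MAIL_INFO))
```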
