On Thu, Jun 05, 2014 at 03:38:14PM +0200, Martin Kropfinger wrote:
>
> // QUOTE OF maillog
> Jun 4 13:31:16 mail smtpd[6627]: smtp-in: New session 5a319434d9535c8e from
> host 183.13.181.237 [183.13.181.237]
> Jun 4 13:31:18 mail smtpd[6627]: smtp-in: Accepted message 1be8fd54 on
> session 5a319434d9535c8e: from=<[email protected]>,
> to=<info@MYDOMAIN>, size=3301, ndest=1, proto=SMTP
Actually:
"As you can see the spam-sender sends a mail to info@MYDOMAIN.
But info is no valid recipient on my server."
That's not right.
You have the following rule:
    accept tagged erstes_eintreffen from any for domain <domains> relay via
        smtp://127.0.0.1:10024 hostname localhost source 127.0.0.1
which accepts mails for domains listed in <domains> and accepts to relay them.
Since this rule eventually reenters the ruleset and matches:
    accept tagged nach_spamerkennung from any for domain <domains> virtual
        <vusers> deliver to lmtp "/var/run/dovecot/lmtp"
The mail gets rejected at this point, but your own mail system had already
accepted to take care of it so it must now notify someone ... and since the
spammer forged the sender address you notify an inexistent address.
>
> I think, and please correct me if I am wrong, that my server received the
> mail from the spammer. Found out it could not be delivered because info@ is
> not a valid recipient on the server and tried to answer to the spammer that
> it could not be delivered. The spammer seems to use wrong (or changed) IPs
> and so my error message could not be delivered. I think exactly this
> error-message mail is what's there in my queue...
>
> Is this possible?
>
> Don't be confused. It's running on FreeBSD.
>
> Thanks for your help!
>
The fix is to prevent the first rule from accepting to relay mail for users
that do not exist:
    accept tagged erstes_eintreffen from any for domain <domains>
        recipient <a_list_of_valid_email_addresses> # <- here
        relay via smtp://127.0.0.1:10024 [...]
--
Gilles Chehade
https://www.poolp.org @poolpOrg
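A log check for the situation described in the mail above, as an added example that is not part of the original message: it scans smtpd "Accepted message" lines in the format quoted in the thread and reports messages accepted for recipients that are missing from a list of valid addresses, which are the ones that later bounce to a possibly forged sender. The function name, sample log lines and addresses are constructed for illustration.

```python
import re

# Line formats as they appear in the maillog quoted in the thread.
NEW_SESSION = re.compile(
    r"smtp-in: New session (?P<session>[0-9a-f]+) from host \S+ \[(?P<ip>[^\]]+)\]")
ACCEPTED = re.compile(
    r"smtp-in: Accepted message (?P<msgid>[0-9a-f]+) on session "
    r"(?P<session>[0-9a-f]+): from=<(?P<sender>[^>]*)>, to=<(?P<rcpt>[^>]*)>")

def find_backscatter_candidates(log_lines, valid_recipients):
    """Return messages accepted for recipients that are not known mailboxes."""
    # Assumption: addresses are compared case-insensitively.
    valid = {addr.lower() for addr in valid_recipients}
    session_ip, findings = {}, []
    for line in log_lines:
        m = NEW_SESSION.search(line)
        if m:
            session_ip[m["session"]] = m["ip"]
            continue
        m = ACCEPTED.search(line)
        if m and m["rcpt"].lower() not in valid:
            findings.append({
                "msgid": m["msgid"],
                "client_ip": session_ip.get(m["session"], "unknown"),
                "sender": m["sender"],
                "rcpt": m["rcpt"],
                # A null sender (from=<>) gets no bounce, so no backscatter.
                "bounce_expected": bool(m["sender"]),
            })
    return findings

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE_LOG = [
    "Jun  4 13:31:16 mail smtpd[6627]: smtp-in: New session 1111111111111111 from host 192.0.2.10 [192.0.2.10]",
    "Jun  4 13:31:18 mail smtpd[6627]: smtp-in: Accepted message aaaa0001 on session 1111111111111111: from=<forged@example.net>, to=<info@example.org>, size=3301, ndest=1, proto=SMTP",
    "Jun  4 13:40:02 mail smtpd[6627]: smtp-in: New session 2222222222222222 from host 198.51.100.7 [198.51.100.7]",
    "Jun  4 13:40:03 mail smtpd[6627]: smtp-in: Accepted message aaaa0002 on session 2222222222222222: from=<friend@example.com>, to=<Martin@example.org>, size=1204, ndest=1, proto=SMTP",
    "Jun  4 13:41:10 mail smtpd[6627]: smtp-in: Accepted message aaaa0003 on session 3333333333333333: from=<>, to=<sales@example.org>, size=900, ndest=1, proto=SMTP",
]
SAMPLE_VALID = {"martin@example.org"}  # constructed list of real mailboxes

if __name__ == "__main__":
    for finding in find_backscatter_candidates(SAMPLE_LOG, SAMPLE_VALID):
        print(finding)
```

Once the first rule carries a recipient restriction as suggested in the mail, this check run against new log lines should return nothing.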