Dear all, good morning. For a few days now I have been facing a serious problem with spam being sent from the company's server. What is happening?

The setup is postfix, sasl, mysql... etc., and I have Horde installed as webmail. Somehow, some accounts on the server had their content altered, with spam information inserted, and these accounts are run externally and several e-mails are sent to accounts on other servers. Note that in the e-mail below, the program alters the SENDER and the MESSAGE_ORIGIN. I have not been able to identify in any way, through the logs or by searching with find on the server, which account these e-mails are being sent from. The problem here is not OPEN RELAY; I have already run every possible test. I need to identify which account these e-mails are being sent from.

Another piece of information I was able to identify from the logs is that they are using the following scheme to send these e-mails:

Transcript of session follows.

Out: 220 webmail.cesumar.br ESMTP Postfix
In: EHLO User
Out: 250-webmail.cesumar.br
Out: 250-PIPELINING
Out: 250-SIZE 131457280
Out: 250-VRFY
Out: 250-ETRN
Out: 250-AUTH LOGIN PLAIN
Out: 250-AUTH=LOGIN PLAIN
Out: 250 8BITMIME
In: AUTH LOGIN
Out: 334 VXNlcm5hbWU6
In: cmVpdG9y
Out: 334 UGFzc3dvcmQ6
In: MTIzNDU2
Out: 235 Authentication successful
In: RSET
Out: 250 Ok
In: MAIL FROM:<[email protected]>
Out: 250 Ok
In: RCPT TO:<[email protected]>
Out: 250 Ok
In: DATA
Out: 354 End data with <CR><LF>.<CR><LF>
Out: 451 Error: queue file write error

E-mail sent, below:

*** ENVELOPE RECORDS deferred/F/F3AB52D94B0D ***
message_size: 2475 3115 50 0
message_arrival_time: Wed Jul 14 08:29:18 2010
sender: [email protected]
named_attribute: client_address=41.138.185.246
named_attribute: message_origin=unknown[41.138.185.246]
named_attribute: helo_name=User
named_attribute: protocol_name=ESMTP
original_recipient: [email protected]
recipient: [email protected]
original_recipient: [email protected]
done_recipient: [email protected]
original_recipient: [email protected]
done_recipient: [email protected]
original_recipient: [email protected]
done_recipient: [email protected]
*** MESSAGE CONTENTS deferred/F/F3AB52D94B0D ***
Received: from User (unknown [41.138.185.246])
    by webmail.MEUSERVIDOR.COM.BR (Postfix) with ESMTP id A4C762D94AAD;
    Wed, 14 Jul 2010 08:29:18 -0300 (BRT)
Reply-To: <[email protected]>
From: "Web Administration" <[email protected]>
Subject: Dear email user
Date: Wed, 14 Jul 2010 12:28:09 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <[email protected]>
To: undisclosed-recipients:;
X-MEUSERVIDOR.COM.BR-MailScanner: Found to be clean
X-MEUSERVIDOR.COM.BR-MailScanner-SpamCheck:
X-MEUSERVIDOR.COM.BR-MailScanner-From: [email protected]

This is to inform you, that we will be carrying out a seven days maintenance on our site starting from today to enable us control the rate of spammers and to upgrade our webpage into our new version in other to acceleration this site for a faster connection. During this period of maintenance you will experience difficulty in logging your account. To prevent you from loosing access to your account, you are therefore required to activate your account by sending down the your account details.

User name:
Password:
Date of birth:
error codes: fh6xr

NB: We will not be liable for any lost account. Subscriber who did not comply with us during this exercise is at his/her own risk. We are truly sorry for any inconvenience.

Regards,
Administration Center.

DISCLAIMER: "This communication is intended only for the named recipient and others authorized to receive it. It contains confidential or legally privileged information. If you are not the intended recipient, please notify us immediately, and note that any disclosure, copying, distribution or action you may take in reliance on this communication is strictly prohibited and may be unlawful. Unless indicated otherwise, this communication is not intended, nor should it be taken to create any legal and/or contractual relation or otherwise. We are neither liable for the proper and complete transmission of the communication, nor for any delay in its receipt. Whilst we. undertakes all reasonable efforts to screen outgoing e-mails for viruses, it cannot be held liable for any viruses transmitted by this e-mail."

--
Esta mensagem foi verificada pelo sistema de anti-virus e anti-spam.

*** HEADER EXTRACTED deferred/F/F3AB52D94B0D ***
*** MESSAGE FILE END deferred/F/F3AB52D94B0D ***

How can I block this problem? Thank you in advance for everyone's help. Thanks.
--
Fernando Cordeiro
_______________________________________________
Postfix-BR mailing list
[email protected]
http://listas.softwarelivre.org/mailman/listinfo/postfix-br
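An added example, not part of the original post and not Postfix's own code: in the AUTH LOGIN exchange quoted in the transcript, the client's reply to the base64 "Username:" prompt is the login name, so decoding that one line shows which account authenticated. The second function counts sasl_username= entries in Postfix smtpd log lines per client address; those log lines, the account "alice", the addresses and the queue IDs are constructed sample data.

```python
import base64
import re
from collections import Counter

# Excerpt of the session transcript from the post (In: client, Out: server).
TRANSCRIPT = """\
In: AUTH LOGIN
Out: 334 VXNlcm5hbWU6
In: cmVpdG9y
Out: 334 UGFzc3dvcmQ6
In: MTIzNDU2
Out: 235 Authentication successful
"""

# Constructed maillog lines (not from the post): placeholder account "alice",
# documentation IP addresses, made-up queue IDs.
MAILLOG = """\
Jul 14 08:29:18 mx postfix/smtpd[4321]: A1B2C3D4E5: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Jul 14 08:29:40 mx postfix/smtpd[4321]: B2C3D4E5F6: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Jul 14 08:31:02 mx postfix/smtpd[4400]: C3D4E5F6A7: client=mail.example.org[198.51.100.7]
"""

def b64(text):
    try:
        return base64.b64decode(text).decode("utf-8", "replace")
    except ValueError:  # not valid base64
        return ""

def auth_login_user(transcript):
    """Return (username, succeeded) for an AUTH LOGIN exchange, else None."""
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    user, ok = None, False
    for i, line in enumerate(lines):
        # "334 VXNlcm5hbWU6" is base64 "Username:"; the next client line is the login.
        if line.startswith("Out: 334 ") and b64(line[9:]) == "Username:":
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if nxt.startswith("In: "):
                user = b64(nxt[4:])  # the password reply is never decoded
        elif line.startswith("Out: 235"):
            ok = user is not None
    return (user, ok) if user else None

SASL_RE = re.compile(r"client=\S+\[([0-9a-fA-F.:]+)\].*sasl_username=(\S+)")

def sasl_senders(maillog):
    """Count authenticated submissions per (sasl_username, client IP)."""
    hits = (SASL_RE.search(l) for l in maillog.splitlines())
    return Counter((m.group(2), m.group(1)) for m in hits if m)

print(auth_login_user(TRANSCRIPT), sasl_senders(MAILLOG).most_common())
```

Postfix's smtpd_sasl_authenticated_header = yes setting additionally records the authenticated login in each message's Received: header, which ties a queued message to the account that submitted it.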
