It didn't really work.

The source ran the script again and nothing identifying the account
was recorded in the log:

*** ENVELOPE RECORDS deferred/F/F036E2D94EB4 ***
message_size:            2475            2505              50               0
message_arrival_time: Wed Jul 14 17:33:38 2010
sender: [email protected]
named_attribute: client_address=41.138.179.204
named_attribute: message_origin=unknown[41.138.179.204]
named_attribute: helo_name=User
named_attribute: protocol_name=ESMTP
original_recipient: [email protected]
recipient: [email protected]
*** MESSAGE CONTENTS deferred/F/F036E2D94EB4 ***
Received: from User (unknown [41.138.179.204])
        by webmail.SERVER.COM.br (Postfix) with ESMTP id B51652D94C32;
        Wed, 14 Jul 2010 17:33:38 -0300 (BRT)
Reply-To: <[email protected]>
From: "Web Administration" <[email protected]>
Subject:  Dear email user
Date: Wed, 14 Jul 2010 21:32:44 +0100
MIME-Version: 1.0
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <[email protected]>
To: undisclosed-recipients:;
X-SERVER.COM.br-MailScanner: Found to be clean
X-SERVER.COM.br-MailScanner-SpamCheck:
X-SERVER.COM.br-MailScanner-From: [email protected]

This is to inform you, that we will be carrying out a seven days
maintenance on our site starting from today to enable us control the
rate of spammers and to upgrade our webpage into our new version in
other to acceleration this site for a faster connection. During this
period of maintenance you will experience difficulty in logging your
account.  To prevent you from loosing access to your account, you are
therefore required to activate your account by sending down the your
account details.

User name:
Password:
Date of birth:
error codes: fh6xr

NB:  We will not be liable for any lost account. Subscriber who did
not comply with us during this exercise is at his/her own risk.

We are truly sorry for any inconvenience.

Regards,
Administration Center.

DISCLAIMER:

"This communication is intended only for the named recipient and
others authorized to receive it. It contains confidential or legally
privileged information. If you are not the intended recipient, please
notify us immediately, and note that any disclosure, copying,
distribution or action you may take in reliance on this communication
is strictly prohibited and may be unlawful. Unless indicated
otherwise, this communication is not intended, nor should it be taken
to create any legal and/or contractual relation or otherwise.  We are
neither liable for the proper and complete transmission of the
communication, nor for any delay in its receipt.

Whilst we. undertakes all reasonable efforts to screen outgoing
e-mails for viruses, it cannot be held liable for any viruses
transmitted by this e-mail."

--
Esta mensagem foi verificada pelo sistema de
anti-virus e anti-spam.

*** HEADER EXTRACTED deferred/F/F036E2D94EB4 ***
*** MESSAGE FILE END deferred/F/F036E2D94EB4 ***

Any other suggestions?

On 14 July 2010 at 14:14, Alexandre Gorges <[email protected]> wrote:
> Yes, that helps too. I use this with my MySQL
>
> smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-login.cf
> smtpd_sender_restrictions = ....
> reject_authenticated_sender_login_mismatch,
>  reject_sender_login_mismatch,
> ....
>
> It works perfectly. From there it is up to you to configure it on your system.
>
>
>
>
> Regards,
> Alexandre Gorges
> http://www.google.com.br/profiles/algorges
> MSN/Gtalk/iCHAT/Skype/Buzz: [email protected]
> ICQ: 2031408
>
>
>
>
>> From: Fernando Cordeiro <[email protected]>
>> Reply-To: Lista Postfix-br <[email protected]>
>> Date: Wed, 14 Jul 2010 14:02:15 -0300
>> To: Lista Postfix-br <[email protected]>
>> Subject: Re: [Postfix-BR] Server used to send SPAM from several networks
>>
>> Alexandre, I added the line you suggested; I'll wait for someone else to try.
>>
>> Meanwhile I did some searching and found this link with some interesting
>> information that I believe will also help. I'm testing it.
>>
>> http://www.linuxadm.com.br/2009/11/30/impedir-saida-de-emails-forjados-no-postfix/
>>
>> Here is the tip for you all. I don't know whether it will work; to find out
>> I'm going to unblock the network that was sending or carrying out the attack.
>>
>> Let's see what happens.
>>
>>
>>
>> On 14 July 2010 at 11:30, irado furioso com tudo
>> <[email protected]> wrote:
>>> On Wed, 14 Jul 2010 10:36:15 -0300
>>> Fernando Cordeiro <[email protected]>, known consumer/user
>>> of drugs (Windows and BigMac with Coke) wrote:
>>>
>>>> Did you not manage to find a way to identify which account it is coming from?
>>>> In one of the messages I managed to identify one of the senders and
>>>> changed the password; the problem is that there are more than 1000 accounts.
>>>> I have to find the generic accounts.
>>>>
>>>> Any suggestions before this drastic general change? =/
>>>
>>> diego bernardo's tip should solve your problem, along with changing
>>> the password.
>>>
>>> since (normally) the procedures for this "invasion" are
>>> automated, probably only one account was "contaminated" (at least
>>> that was the case here); examine one or two of the "refused" or "user
>>> unknown" (unknown recipient) emails, which are the most likely to contain
>>> the information that matters (account, etc).
>>>
>>> --
>>>  regards,
>>>  irado furioso com tudo
>>>  Linux User 179402/FreeBSD BSD50853/FUG-BR 154
>>>  I don't use drugs - 100% Miko$hit-free
>>> "I wonder what kind of society we live in, what kind of democracy this is
>>> that we have, where the corrupt live with impunity and people's hunger is
>>> considered subversive" [Ernesto Sábato, Antes do Fim (1998)]
>>> _______________________________________________
>>> Postfix-BR mailing list
>>> [email protected]
>>> http://listas.softwarelivre.org/mailman/listinfo/postfix-br
>>>
>>
>>
>>
>> --
>> Fernando
>> http://mula-veia.blogspot.com
>
>



-- 
Fernando
http://mula-veia.blogspot.com
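
An added example, not part of the original message: a small parser for `postcat -q` text like the dump above that reports whether a SASL login was recorded for a queued message. It assumes a Postfix build that stores `sasl_username` as a named attribute, and that the `(Authenticated sender: ...)` Received annotation only exists when `smtpd_sasl_authenticated_header = yes`; the sample dumps, addresses and login names are constructed.

```python
import re

# Constructed sample modelled on the postcat dump in the post (placeholder addresses).
UNAUTH = """\
*** ENVELOPE RECORDS deferred/F/F036E2D94EB4 ***
sender: admin@example.org
named_attribute: client_address=41.138.179.204
named_attribute: helo_name=User
original_recipient: a@example.net
recipient: a@example.net
original_recipient: b@example.net
recipient: b@example.net
*** MESSAGE CONTENTS deferred/F/F036E2D94EB4 ***
Received: from User (unknown [41.138.179.204])
        by mail.example.com (Postfix) with ESMTP id B51652D94C32;
Subject: Dear email user
*** MESSAGE FILE END deferred/F/F036E2D94EB4 ***
"""
# Constructed: the same envelope as it would look after a SASL login as "joao".
AUTH = UNAUTH.replace(
    "named_attribute: helo_name=User",
    "named_attribute: helo_name=User\nnamed_attribute: sasl_username=joao")

def triage(dump):
    """Summarise who submitted a queued message, from `postcat -q` text."""
    envelope, _, content = dump.partition("*** MESSAGE CONTENTS")
    sender, recipients, attrs = None, 0, {}
    for line in envelope.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue  # section markers and blank lines
        if key == "sender":
            sender = value.strip()
        elif key == "recipient":  # original_recipient is not counted twice
            recipients += 1
        elif key == "named_attribute":
            name, _, val = value.partition("=")
            attrs[name] = val.strip()
    # Header annotation, present only with smtpd_sasl_authenticated_header = yes.
    hdr = re.search(r"\(Authenticated sender: ([^)]+)\)", content)
    login = attrs.get("sasl_username") or (hdr.group(1) if hdr else None)
    return {"client": attrs.get("client_address"), "sender": sender,
            "recipients": recipients,
            "login": login}  # None: no SASL login recorded for this message

if __name__ == "__main__":
    for label, dump in (("unauthenticated", UNAUTH), ("authenticated", AUTH)):
        print(label, triage(dump))
```

When `login` comes back as `None`, the queue file holds no account name to find, and the next thing to check is why the client at `client` was allowed to relay without authenticating.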