Sniff (ngrep) while filtering on the network they are using in the attack (41.138.160.0/19)
e.g. ngrep -d eth0 net 41.138.160.0/19

#################################################
Victório Felipe
http://choppnerd.com
linux user #306117 - counter.li.org
Slackware Linux        FreeBSD
Because it works!      The Power To Serve
#################################################

2010/7/14 Fernando Cordeiro <[email protected]>
> It didn't really work.
>
> The source ran the scripts again and nothing identifying the account
> was recorded in the log:
>
> *** ENVELOPE RECORDS deferred/F/F036E2D94EB4 ***
> message_size: 2475 2505 50 0
> message_arrival_time: Wed Jul 14 17:33:38 2010
> sender: [email protected]
> named_attribute: client_address=41.138.179.204
> named_attribute: message_origin=unknown[41.138.179.204]
> named_attribute: helo_name=User
> named_attribute: protocol_name=ESMTP
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> original_recipient: [email protected]
> recipient: [email protected]
> *** MESSAGE CONTENTS deferred/F/F036E2D94EB4 ***
> Received: from User (unknown [41.138.179.204])
>         by webmail.SERVER.COM.br (Postfix) with ESMTP id B51652D94C32;
>         Wed, 14 Jul 2010 17:33:38 -0300 (BRT)
> Reply-To: <[email protected]>
> From: "Web Administration" <[email protected]>
> Subject: Dear email user
> Date: Wed, 14 Jul 2010 21:32:44 +0100
> MIME-Version: 1.0
> Content-Type: text/plain;
>         charset="Windows-1251"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> Message-Id: <[email protected]>
> To: undisclosed-recipients:;
> X-SERVER.COM.br-MailScanner: Found to be clean
> X-SERVER.COM.br-MailScanner-SpamCheck:
> X-SERVER.COM.br-MailScanner-From: [email protected]
>
> This is to inform you, that we will be carrying out a seven days
> maintenance on our site starting from today to enable us control the
> rate of spammers and to upgrade our webpage into our new version in
> other to acceleration this site for a faster connection. During this
> period of maintenance you will experience difficulty in logging your
> account. To prevent you from loosing access to your account, you are
> therefore required to activate your account by sending down the your
> account details.
>
> User name:
> Password:
> Date of birth:
> error codes: fh6xr
>
> NB: We will not be liable for any lost account. Subscriber who did
> not comply with us during this exercise is at his/her own risk.
>
> We are truly sorry for any inconvenience.
>
> Regards,
> Administration Center.
>
> DISCLAIMER:
>
> "This communication is intended only for the named recipient and
> others authorized to receive it. It contains confidential or legally
> privileged information. If you are not the intended recipient, please
> notify us immediately, and note that any disclosure, copying,
> distribution or action you may take in reliance on this communication
> is strictly prohibited and may be unlawful. Unless indicated
> otherwise, this communication is not intended, nor should it be taken
> to create any legal and/or contractual relation or otherwise. We are
> neither liable for the proper and complete transmission of the
> communication, nor for any delay in its receipt.
>
> Whilst we. undertakes all reasonable efforts to screen outgoing
> e-mails for viruses, it cannot be held liable for any viruses
> transmitted by this e-mail."
>
> --
> This message has been checked by the
> anti-virus and anti-spam system.
>
> *** HEADER EXTRACTED deferred/F/F036E2D94EB4 ***
> *** MESSAGE FILE END deferred/F/F036E2D94EB4 ***
>
> Any other suggestions..?
>
> On 14 July 2010 14:14, Alexandre Gorges <[email protected]>
> wrote:
> > Yes, that helps too. I use this with my mysql
> >
> > smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-login.cf
> > smtpd_sender_restrictions = ....
> >     reject_authenticated_sender_login_mismatch,
> >     reject_sender_login_mismatch,
> >     ....
> >
> > It works perfectly. Now it's up to you to configure it on your system.
> >
> > []'s
> > Alexandre Gorges
> > http://www.google.com.br/profiles/algorges
> > MSN/Gtalk/iCHAT/Skype/Buzz: [email protected]
> > ICQ: 2031408
> >
> >
> >> From: Fernando Cordeiro <[email protected]>
> >> Reply-To: Lista Postfix-br <[email protected]>
> >> Date: Wed, 14 Jul 2010 14:02:15 -0300
> >> To: Lista Postfix-br <[email protected]>
> >> Subject: Re: [Postfix-BR] Server being used to send SPAM from several networks
> >>
> >> Alexandre, I added the line you suggested; I'll wait for someone else to try.
> >>
> >> I did some searching in the meantime and found this link with some
> >> interesting information which I believe will also help. I'm testing it.
> >>
> >> http://www.linuxadm.com.br/2009/11/30/impedir-saida-de-emails-forjados-no-postfix/
> >>
> >> Here's the tip for you. I don't know if it will work; to find out I'm
> >> going to unblock the network that was sending or carrying out the attack.
> >>
> >> Let's see what happens.
> >>
> >>
> >> On 14 July 2010 11:30, irado furioso com tudo
> >> <[email protected]> wrote:
> >>> On Wed, 14 Jul 2010 10:36:15 -0300
> >>> Fernando Cordeiro <[email protected]>, well-known drug consumer/user
> >>> (Windows and BigMac with Coke), wrote:
> >>>
> >>>> Couldn't you find a way to identify which account it's coming from?
> >>>> In one of the messages I managed to identify one of the senders and
> >>>> changed the password; the problem is that there are more than 1000 accounts.
> >>>> I have to find the generic accounts.
> >>>>
> >>>> Any suggestion before that sweeping hang-them-all change? =/
> >>>
> >>> diego bernardo's tip should solve your problem, in addition to the
> >>> password change.
> >>>
> >>> since the procedures for this kind of "break-in" are (normally)
> >>> automated, probably only one account was "contaminated" (at least
> >>> that's how it was here); examine one or two of the "refused" or "user
> >>> unknown" (unknown recipient) emails, which are the most likely to contain
> >>> the information that matters (account, etc.).
> >>>
> >>> --
> >>> regards,
> >>> irado furioso com tudo
> >>> Linux User 179402/FreeBSD BSD50853/FUG-BR 154
> >>> I don't use drugs - 100% Miko$hit-free
> >>> "I wonder what kind of society we live in, what kind of democracy this is
> >>> where the corrupt live in impunity and people's hunger is
> >>> considered subversive" [Ernesto Sábato, Antes do Fim (1998)]
> >>> _______________________________________________
> >>> Postfix-BR mailing list
> >>> [email protected]
> >>> http://listas.softwarelivre.org/mailman/listinfo/postfix-br
> >>>
> >>
> >>
> >> --
> >> Fernando
> >> http://mula-veia.blogspot.com
> >
> >
>
>
> --
> Fernando
> http://mula-veia.blogspot.com
>
_______________________________________________
Postfix-BR mailing list
[email protected]
http://listas.softwarelivre.org/mailman/listinfo/postfix-br
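A way to get at what the thread is hunting for by hand: instead of a packet sniffer or the queue file (which, as shown above, records the client address but not the account), correlate the attack netblock with the `sasl_username=` that Postfix's smtpd writes on its `client=` log line, so the abused account surfaces directly. This is an added example, not code from anyone in the thread; the log lines, hostnames, usernames and all IPs except the one quoted above are constructed, and the regex assumes Postfix's standard `client=host[ip], sasl_method=..., sasl_username=...` format.

```python
import re
import ipaddress
from collections import defaultdict

# Netblock the thread identifies as the source of the abuse.
ATTACK_NET = ipaddress.ip_network("41.138.160.0/19")

# Postfix smtpd logs the queue ID, the client address and, for authenticated
# sessions, the SASL username on one "client=" line.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=[^\[\s]+\[(?P<ip>[0-9.]+)\]"
    r"(?:, sasl_method=[^,\s]+, sasl_username=(?P<user>[^,\s]+))?"
)

# Constructed sample log lines (hypothetical hostnames, users and IPs; only the
# first queue ID and client address are the ones quoted in the thread).
SAMPLE_LOG = """\
Jul 14 17:33:38 webmail postfix/smtpd[2211]: F036E2D94EB4: client=unknown[41.138.179.204], sasl_method=LOGIN, sasl_username=generic1@example.com
Jul 14 17:33:40 webmail postfix/smtpd[2213]: 0A1B2C3D4E5F: client=unknown[41.138.170.9], sasl_method=LOGIN, sasl_username=generic1@example.com
Jul 14 17:34:01 webmail postfix/smtpd[2215]: 5F4E3D2C1B0A: client=mail.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=joao@example.com
Jul 14 17:34:10 webmail postfix/smtpd[2216]: 9A8B7C6D5E4F: client=unknown[198.51.100.23]
"""


def parse_sasl_sessions(log_text):
    """Yield (queue_id, client_ip, sasl_username) for each authenticated smtpd session."""
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m and m.group("user"):
            yield m.group("qid"), ipaddress.ip_address(m.group("ip")), m.group("user")


def accounts_used_from(net, log_text):
    """Map each SASL account that authenticated from `net` to its queue IDs and source IPs."""
    hits = defaultdict(lambda: {"queue_ids": [], "ips": set()})
    for qid, ip, user in parse_sasl_sessions(log_text):
        if ip in net:
            hits[user]["queue_ids"].append(qid)
            hits[user]["ips"].add(str(ip))
    return dict(hits)


if __name__ == "__main__":
    # Run the sample through the correlation: only accounts that logged in from
    # the attack netblock are listed, with the queue IDs to cross-check in the queue.
    for user, info in accounts_used_from(ATTACK_NET, SAMPLE_LOG).items():
        print(f"{user}: {len(info['queue_ids'])} message(s) from {sorted(info['ips'])}")
```

On a real server, feed it `/var/log/mail.log` (or the maillog equivalent) in place of SAMPLE_LOG; the queue IDs it reports can be matched against the `deferred/` entries shown above.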
