Re: Is my server hijacked?

2014-06-05 Thread Gilles Chehade
Someone knows some password

On Jun 5, 2014 1:33 PM, Martin Kropfinger free...@rakor-net.de wrote:

 Hi there, 

 today I found the following in my daily mails: 

 // BEGIN QUOTE // 
 Mail in local queue: 
 5849a0f85ce64c96|local|mta|auth|@|i...@yt1ktrkw.10stats3.ru|i...@yt1ktrkw.10stats3.ru|1401881480|1402227080|0|12|pending|9012|Network error on destination MXs 
 d3675854b4778959|local|mta|auth|@|i...@4xe9fzfo.10stats3.ru|i...@4xe9fzfo.10stats3.ru|1401885800|1402231400|0|11|pending|4132|Network error on destination MXs 

 Mail in submit queue: 
 5849a0f85ce64c96|local|mta|auth|@|i...@yt1ktrkw.10stats3.ru|i...@yt1ktrkw.10stats3.ru|1401881480|1402227080|0|12|pending|9012|Network error on destination MXs 
 d3675854b4778959|local|mta|auth|@|i...@4xe9fzfo.10stats3.ru|i...@4xe9fzfo.10stats3.ru|1401885800|1402231400|0|11|pending|4132|Network error on destination MXs 
 // END QUOTE // 

 I really did not send those mails so I am not sure if those are spam 
 mails having something terrible in their headers or if someone sends 
 mails from my server. 

 I don't really know how to understand the lines. 

 Do you need some more info? Which? 

 Thanks for your help. 

 Martin 

 -- 
 You received this mail because you are subscribed to misc@opensmtpd.org 
 To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org 



Re: Is my server hijacked?

2014-06-05 Thread Gilles Chehade
previous mail was short because I was outside and sent it from my phone,
here's what you should understand from these lines:

  Mail in local queue: 
  5849a0f85ce64c96|local|mta|auth|@|i...@yt1ktrkw.10stats3.ru|i...@yt1ktrkw.10stats3.ru|1401881480|1402227080|0|12|pending|9012|Network error on destination MXs 

without configuration file, it's hard to know what happens ;-)



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: Is my server hijacked?

2014-06-05 Thread Martin Kropfinger


On 05.06.2014 20:41, Gilles Chehade wrote:

Actually:

  As you can see the spam-sender sends a mail to info@MYDOMAIN.
   But info is no valid recipient on my server.

That's not right.

You have the following rule:

   accept tagged erstes_eintreffen from any for domain domains relay via
 smtp://127.0.0.1:10024 hostname localhost source 127.0.0.1

which accepts mails for domains listed in domains and accepts to relay them.

Since this rule eventually reenters the ruleset and matches:

   accept tagged nach_spamerkennung from any for domain domains virtual
 vusers deliver to lmtp /var/run/dovecot/lmtp

The mail gets rejected at this point, but your own mail system had already
accepted to take care of it so it must now notify someone ... and since the
spammer forged the sender address you notify a nonexistent address.


[...]

The fix is to prevent the first rule from accepting to relay mail for users
that do not exist:

   accept tagged erstes_eintreffen from any for domain domains
 recipient a_list_of_valid_email_addresses  # - here
  relay via smtp://127.0.0.1:10024 [...]



Ah OK... Thanks... So after doing the loop there is no valid 
recipient... but the problem is that when entering the loop it accepts 
any destination on the domain.

Thanks a lot I'll fix it :)

But the most important thing to me is: The server is still secure and 
NOT hijacked :)


Cu!

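As an added example that is not part of the thread (Python, not OpenSMTPD's own tooling), a small parser for queue lines in the format quoted above that flags the pattern Gilles describes: a locally generated bounce (empty sender, printed as a bare `@`) queued for relay to a domain the server does not host. Field positions and the reading of `@` as the null sender are assumptions taken from the sample lines; the envelope ids, domains and the local-domain set are constructed.

```python
"""Added example: flag probable backscatter in an OpenSMTPD queue listing.
Field positions are ASSUMED from the pipe-separated lines quoted in the
thread; an empty sender printed as a bare '@' is ASSUMED to mark a bounce."""
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for the "domains" table in the poster's smtpd.conf.
LOCAL_DOMAINS = {"mydomain.example"}

# Constructed sample lines in the quoted format (ids and domains invented).
SAMPLE_QUEUE = """\
0000000000000001|local|mta|auth|@|info@abc123.spam-domain.example|info@abc123.spam-domain.example|1401881480|1402227080|0|12|pending|9012|Network error on destination MXs
0000000000000002|local|mta|auth|@|info@xyz789.spam-domain.example|info@xyz789.spam-domain.example|1401885800|1402231400|0|11|pending|4132|Network error on destination MXs
0000000000000003|local|mta|auth|alice@mydomain.example|bob@partner.example|bob@partner.example|1401890000|1402235600|0|1|pending|0|
0000000000000004|remote|mda||carol@partner.example|alice@mydomain.example|alice@mydomain.example|1401891000|1402236600|0|0|pending|0|
"""

@dataclass
class Envelope:
    evpid: str
    source: str   # "local" or "remote" (assumed meaning of field 2)
    kind: str     # "mta" = to be relayed, "mda" = local delivery (assumed)
    sender: str   # "@" when the reverse path is empty, i.e. a bounce (assumed)
    rcpt: str
    error: str

def parse_queue(text):
    """Split each queue line on '|' and keep the fields the check needs."""
    envs = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 14:
            raise ValueError(f"unexpected field count: {line!r}")
        envs.append(Envelope(f[0], f[1], f[2], f[4], f[5], f[-1]))
    return envs

def is_backscatter(env, local_domains=LOCAL_DOMAINS):
    """A locally generated bounce being relayed to a domain we do not host:
    the symptom of accepting mail for unknown users and bouncing it later."""
    domain = env.rcpt.rpartition("@")[2].lower()
    return (env.source == "local" and env.kind == "mta"
            and env.sender == "@" and domain not in local_domains)

def backscatter_report(text, local_domains=LOCAL_DOMAINS):
    """Count suspect bounces per recipient domain (the forged senders' domains)."""
    hits = [e for e in parse_queue(text) if is_backscatter(e, local_domains)]
    return Counter(e.rcpt.rpartition("@")[2].lower() for e in hits)

if __name__ == "__main__":
    for dom, n in backscatter_report(SAMPLE_QUEUE).items():
        print(f"{n} suspect bounce(s) queued for {dom}")
```

Mail with a non-empty sender or a `remote` source is not flagged; a queue full of those would point at relaying rather than backscatter, which is the distinction the thread turns on.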