Re: Stopping spammers extreme
On Tue, 2010-05-04 at 12:29 +0300, Appliantologist wrote: Hi guys, I still need to accept mail for the email addresses we host on our machine from the net, so blocking port 25 or mynetworks as local host would seem to prevent that. we still have users on the domain that get mail to the address, except now we forward that mail to gmail using the virtual table here is the result of postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix debug_peer_level = 2 default_privs = apache disable_vrfy_command = yes html_directory = no in_flow_delay = 1s inet_interfaces = all mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man mydestination = $myhostname, localhost.$mydomain, localhost mydomain = wans-eu.com myhostname = wans-eu.com newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES sample_directory = /usr/share/doc/postfix-2.3.3/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtpd_helo_restrictions = reject_invalid_hostname strict_rfc821_envelopes = yes unknown_local_recipient_reject_code = 550 virtual_alias_domains = multiterminal.ua virtual_alias_maps = hash:/etc/postfix/virtual 1) Add smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit 2) create a relaydomains file http://www.postfix.org/postconf.5.html#relay_domains 3) And ask the legitimate senders to use sasl auth
Re: Stopping spammers extreme
On 2010-05-05 ram wrote: On Tue, 2010-05-04 at 12:29 +0300, Appliantologist wrote: I still need to accept mail for the email addresses we host on our machine from the net, so blocking port 25 or mynetworks as local host would seem to prevent that. we still have users on the domain that get mail to the address, except now we forward that mail to gmail using the virtual table [...] 1) Add smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit The default is permit_mynetworks, reject_unauth_destination, which should be sufficient for his scenario. 2) create a relaydomains file http://www.postfix.org/postconf.5.html#relay_domains 3) And ask the legitimate senders to use sasl auth What for? AFAICS he's not relaying for any other domain, but only forwarding particular (local/virtual) addresses to gmail mailboxes. And we still don't know how the supposed spams are entering Postfix in the first place. Regards Ansgar Wiechers -- Abstractions save us time working, but they don't save us time learning. --Joel Spolsky
Re: Stopping spammers extreme
It seems pretty straight forward to me. If you dont have any non-local users sending mail using this server you could just shut down port 25. For those virtual-file id users use port 587 with smtp authentication.Forwarding for those users is not relevant here. Hello, I was assuming this would be pretty easy, I'm a little surprised and now messing with this amavid-wtf I can't shut down port 25, since we accept mail for sites and forward it offsite. I don't have any users sending mail via our SMTP, they all use gmail boxes and their servers. I only want to accept mail that is to an address listed in some file somewhere, like /etc/postfix/virtual OR is sent by the local host. What's really interesting is my spam fests are normally preceeded by a /var with no free inodes left due to disk errors. 100% usage till I run fsck on it. I have to figure who ever is doing this crap obviously is targeting postfix and probably reads these same lists. Anyway, thanks for the suggestions, I tried them ... As others said , post a sample of the headers of spam relayed and that will help a lot
Re: Stopping spammers extreme
On 5/5/2010 12:40 PM, Appliantologist wrote: It seems pretty straight forward to me. If you dont have any non-local users sending mail using this server you could just shut down port 25. For those virtual-file id users use port 587 with smtp authentication.Forwarding for those users is not relevant here. I can't shut down port 25, since we accept mail for sites and forward it offsite. I don't have any users sending mail via our SMTP, they all use gmail boxes and their servers. I only want to accept mail that is to an address listed in some file somewhere, like /etc/postfix/virtual OR is sent by the local host. This is the default of Postfix. I have to figure who ever is doing this crap obviously is targeting postfix and probably reads these same lists. Anyway, thanks for the suggestions, I tried them ... You still have neglected to share a log of a spam message. If you include the transaction from beginning to end, people here are more likely to point you in the right direction. You may hide usernames to protect your users.
Re: Stopping spammers extreme
On 5/5/2010 11:40 AM, Appliantologist wrote: It seems pretty straight forward to me. If you dont have any non-local users sending mail using this server you could just shut down port 25. For those virtual-file id users use port 587 with smtp authentication.Forwarding for those users is not relevant here. Hello, I was assuming this would be pretty easy, I'm a little surprised and now messing with this amavid-wtf I can't shut down port 25, since we accept mail for sites and forward it offsite. I don't have any users sending mail via our SMTP, they all use gmail boxes and their servers. I only want to accept mail that is to an address listed in some file somewhere, like /etc/postfix/virtual OR is sent by the local host. What's really interesting is my spam fests are normally preceeded by a /var with no free inodes left due to disk errors. 100% usage till I run fsck on it. I have to figure who ever is doing this crap obviously is targeting postfix and probably reads these same lists. I strongly suspect your problem is an exploited web script and nothing to do with postfix. But that's just a wild guess because you still haven't shown any evidence of your spam or logs despite repeated requests. All we can give you without evidence is random guesses and suggestions that may help, or may make things worse, or -- most likely -- just waste your and our time. All the documentation you need can be found here: http://www.postfix.org/documentation.html Likely everything else you need can be found in your logs. -- Noel Jones
Re: Stopping spammers extreme
Noel Jones wrote: On 5/5/2010 11:40 AM, Appliantologist wrote: It seems pretty straight forward to me. If you dont have any non-local users sending mail using this server you could just shut down port 25. For those virtual-file id users use port 587 with smtp authentication.Forwarding for those users is not relevant here. Hello, I was assuming this would be pretty easy, I'm a little surprised and now messing with this amavid-wtf I can't shut down port 25, since we accept mail for sites and forward it offsite. I don't have any users sending mail via our SMTP, they all use gmail boxes and their servers. I only want to accept mail that is to an address listed in some file somewhere, like /etc/postfix/virtual OR is sent by the local host. What's really interesting is my spam fests are normally preceeded by a /var with no free inodes left due to disk errors. 100% usage till I run fsck on it. I have to figure who ever is doing this crap obviously is targeting postfix and probably reads these same lists. It's unclear weather you might have a relaying problem or not. Are there large numbers of messages destined for delivery to other sites in your mailq? Is the spam that you are seeing addressed to local delivery addresses at your site? Are there bounce messages in your mailq? I realize you are forwarding local mail to gmail. So is your mailq filled up with spam getting forwarded to gmail? nataraj
Re: Stopping spammers extreme
On 2010-05-04 Terry Gilsenan wrote: Then change mynetwokrs to be 127.0.0.1 and use a firewall to block incoming tcp on 25 and 587 it really is that simple. Dont allow services to listen to anything you dont want them to act on. If you don't want services to listen on interfaces they're not supposed to listen on: configure the services to not listen on those interfaces. Do NOT let the services listen on all interfaces and then block access with a packet filter. inet_interfaces = loopback-only Regards Ansgar Wiechers -- Abstractions save us time working, but they don't save us time learning. --Joel Spolsky
Re: Stopping spammers extreme
On 2010-05-04 Appliantologist wrote: I had a situation where some of my users had compromised machines and someone is brazil and indiawere able to authorize themselves to use sendmail using the login then send scenario. Recently we changed hosting and set up postfix. In addition we decided to eliminate any access to our system buy email users, instead we asked them all to go open gmail accounts and put the corresponding address in the virtual file. Now it seems the spammers are back with a vengance and still able to send spam. I set up the rules suggested but it seems they are simply using email that exist. I was hoping someone could point me to a solution. I would like to set up postfix so that: It only accepts mail generated by the scripts on the server and It only accepts mail to a predefined list of email address I tried to make a CIDR file with most of the 3rd world in it, some 30,000 ips but for some reason it doesn't seem to have the effect I was hoping for. Any ideas would be helpful, thanks.David Please post a log excerpt of one full (spam) mail transaction from submission to delivery to demonstrate the issue. Also post the output of postconf -n. Regards Ansgar Wiechers -- Abstractions save us time working, but they don't save us time learning. --Joel Spolsky
Re: Stopping spammers extreme
Hi guys, I still need to accept mail for the email addresses we host on our machine from the net, so blocking port 25 or mynetworks as local host would seem to prevent that. we still have users on the domain that get mail to the address, except now we forward that mail to gmail using the virtual table here is the result of postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix debug_peer_level = 2 default_privs = apache disable_vrfy_command = yes html_directory = no in_flow_delay = 1s inet_interfaces = all mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man mydestination = $myhostname, localhost.$mydomain, localhost mydomain = wans-eu.com myhostname = wans-eu.com newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES sample_directory = /usr/share/doc/postfix-2.3.3/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtpd_helo_restrictions = reject_invalid_hostname strict_rfc821_envelopes = yes unknown_local_recipient_reject_code = 550 virtual_alias_domains = multiterminal.ua virtual_alias_maps = hash:/etc/postfix/virtual On Tue, May 4, 2010 at 2:14 AM, Terry Gilsenan terry.gilse...@interoil.com wrote: From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On Behalf Of Appliantologist [octo...@gmail.com] Sent: Tuesday, 4 May 2010 9:11 AM To: Gary Smith Cc: The Doctor; postfix-users@postfix.org Subject: Re: Stopping spammers extreme Hi, We don't have any legitimate users sending mail aside from scripts on the server (linux), only mail from localhost, anyone with an email address is listed in the virtual file and has their email forwarded to a gmail and uses gmail's MTA to send mail. Since we have all the email addresses we accept mail for in a file (/etc/postfix/virtual) I was hoping there was some way to check a) is the mail from the localhost OR is the mail for an address in some file. My understanding is you can make a list of email addresses that you will deliver to like a whitelist, but we also send mail from scripts to outside addresses of which we don't alway know beforehand. I don't think I am running an open relay, I've tested it on a couple of sites came back clean. I come from 20 years of sendmail, which has a completely different system and we were using pop authorization, until people had their password compromised and spammers took over. I am sure some of this is trojans so the amavisd seems like a solid tool to have anyway. Thanks guys, David Do this..: Then change mynetwokrs to be 127.0.0.1 and use a firewall to block incoming tcp on 25 and 587 it really is that simple. Dont allow services to listen to anything you dont want them to act on. On Tue, May 4, 2010 at 1:49 AM, Gary Smith gary.sm...@holdstead.com wrote: I tried to make a CIDR file with most of the 3rd world in it, some 30,000 ips but for some reason it doesn't seem to have the effect I was hoping for. Any ideas would be helpful, thanks.David Add amavisd to your postfix. If they are relaying messages through their server, how is amavisd going to help? Some additional configuration details might be useful. Are the users authenticated? If so, which user is sending the email? It actually sounds like an open relay issue. But I'm just guessing here.
Re: Stopping spammers extreme
Please stop top-posting... On 2010-05-04 5:29 AM, Appliantologist wrote: Hi guys, I still need to accept mail for the email addresses we host on our machine from the net, so blocking port 25 or mynetworks as local host would seem to prevent that. we still have users on the domain that get mail to the address, except now we forward that mail to gmail using the virtual table here is the result of postconf -n You forgot the logging of a sample spam... -- Best regards, Charles
Re: Stopping spammers extreme
On Tue, May 04, 2010 at 12:29:59PM +0300, Appliantologist wrote: Hi guys, I still need to accept mail for the email addresses we host on our machine from the net, so blocking port 25 or mynetworks as local host would seem to prevent that. we still have users on the domain that get mail to the address, except now we forward that mail to gmail using the virtual table here is the result of postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix debug_peer_level = 2 default_privs = apache disable_vrfy_command = yes html_directory = no in_flow_delay = 1s inet_interfaces = all mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man mydestination = $myhostname, localhost.$mydomain, localhost mydomain = wans-eu.com myhostname = wans-eu.com newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES sample_directory = /usr/share/doc/postfix-2.3.3/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtpd_helo_restrictions = reject_invalid_hostname strict_rfc821_envelopes = yes unknown_local_recipient_reject_code = 550 virtual_alias_domains = multiterminal.ua virtual_alias_maps = hash:/etc/postfix/virtual On Tue, May 4, 2010 at 2:14 AM, Terry Gilsenan terry.gilse...@interoil.com wrote: From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On Behalf Of Appliantologist [octo...@gmail.com] Sent: Tuesday, 4 May 2010 9:11 AM To: Gary Smith Cc: The Doctor; postfix-users@postfix.org Subject: Re: Stopping spammers extreme Hi, We don't have any legitimate users sending mail aside from scripts on the server (linux), only mail from localhost, anyone with an email address is listed in the virtual file and has their email forwarded to a gmail and uses gmail's MTA to send mail. Since we have all the email addresses we accept mail for in a file (/etc/postfix/virtual) I was hoping there was some way to check a) is the mail from the localhost OR is the mail for an address in some file. My understanding is you can make a list of email addresses that you will deliver to like a whitelist, but we also send mail from scripts to outside addresses of which we don't alway know beforehand. I don't think I am running an open relay, I've tested it on a couple of sites came back clean. I come from 20 years of sendmail, which has a completely different system and we were using pop authorization, until people had their password compromised and spammers took over. I am sure some of this is trojans so the amavisd seems like a solid tool to have anyway. Thanks guys, David Do this..: Then change mynetwokrs to be 127.0.0.1 and use a firewall to block incoming tcp on 25 and 587 it really is that simple. Dont allow services to listen to anything you dont want them to act on. On Tue, May 4, 2010 at 1:49 AM, Gary Smith gary.sm...@holdstead.com wrote: I tried to make a CIDR file with most of the 3rd world in it, some 30,000 ips but for some reason it doesn't seem to have the effect I was hoping for. Any ideas would be helpful, thanks.David Add amavisd to your postfix. If they are relaying messages through their server, how is amavisd going to help? Some additional configuration details might be useful. Are the users authenticated? If so, which user is sending the email? It actually sounds like an open relay issue. But I'm just guessing here. Have you read the README in the amavis documentation for PostFix? -- Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! http://twitter.com/rootnl2k http://www.facebook.com/dyadallee UK Time for a Common Sense change vote Liberal Democrat / Alliance
RE: Stopping spammers extreme
Hi guys, I still need to accept mail for the email addresses we host on our machine from the net, so blocking port 25 or mynetworks as local host would seem to prevent that. we still have users on the domain that get mail to the address, except now we forward that mail to gmail using the virtual table Accepting email for your domain and setting mynetworks to local host still work. When my networks is set to remote addresses, you are given those remote addresses permission to relay through you. That's bad. The short course is that you need to setup postfix to accept email for your domain, then set my networks to be your local network (or loopback). When you do that, external email will still be allowed to flow to your server, and your server will accept that email, as it knows it is the endpoint. Once this is done any email coming across the internet to your box will be rejected if it's not the proper destination. Though you say your not an open relay, it still sounds like you are.
Re: Stopping spammers extreme
On Tue, May 04, 2010 at 12:45:19AM +0300, Appliantologist wrote: Hi everyone, I had a situation where some of my users had compromised machines and someone is brazil and indiawere able to authorize themselves to use sendmail using the login then send scenario. Recently we changed hosting and set up postfix. In addition we decided to eliminate any access to our system buy email users, instead we asked them all to go open gmail accounts and put the corresponding address in the virtual file. Now it seems the spammers are back with a vengance and still able to send spam. I set up the rules suggested but it seems they are simply using email that exist. I was hoping someone could point me to a solution. I would like to set up postfix so that: It only accepts mail generated by the scripts on the server and It only accepts mail to a predefined list of email address I tried to make a CIDR file with most of the 3rd world in it, some 30,000 ips but for some reason it doesn't seem to have the effect I was hoping for. Any ideas would be helpful, thanks.David Add amavisd to your postfix. -- Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! http://twitter.com/rootnl2k http://www.facebook.com/dyadallee UK Time for a Common Sense change vote Liberal Democrat / Alliance
RE: Stopping spammers extreme
I tried to make a CIDR file with most of the 3rd world in it, some 30,000 ips but for some reason it doesn't seem to have the effect I was hoping for. Any ideas would be helpful, thanks.David Add amavisd to your postfix. If they are relaying messages through their server, how is amavisd going to help? Some additional configuration details might be useful. Are the users authenticated? If so, which user is sending the email? It actually sounds like an open relay issue. But I'm just guessing here.
Re: Stopping spammers extreme
Hi, We don't have any legitimate users sending mail aside from scripts on the server (linux), only mail from localhost, anyone with an email address is listed in the virtual file and has their email forwarded to a gmail and uses gmail's MTA to send mail. Since we have all the email addresses we accept mail for in a file (/etc/postfix/virtual) I was hoping there was some way to check a) is the mail from the localhost OR is the mail for an address in some file. My understanding is you can make a list of email addresses that you will deliver to like a whitelist, but we also send mail from scripts to outside addresses of which we don't alway know beforehand. I don't think I am running an open relay, I've tested it on a couple of sites came back clean. I come from 20 years of sendmail, which has a completely different system and we were using pop authorization, until people had their password compromised and spammers took over. I am sure some of this is trojans so the amavisd seems like a solid tool to have anyway. Thanks guys, David On Tue, May 4, 2010 at 1:49 AM, Gary Smith gary.sm...@holdstead.com wrote: I tried to make a CIDR file with most of the 3rd world in it, some 30,000 ips but for some reason it doesn't seem to have the effect I was hoping for. Any ideas would be helpful, thanks.David Add amavisd to your postfix. If they are relaying messages through their server, how is amavisd going to help? Some additional configuration details might be useful. Are the users authenticated? If so, which user is sending the email? It actually sounds like an open relay issue. But I'm just guessing here.
RE: Stopping spammers extreme
We don't have any legitimate users sending mail aside from scripts on the server (linux), only mail from localhost, anyone with an email address is listed in the virtual file and has their email forwarded to a gmail and uses gmail's MTA to send mail. Since we have all the email addresses we accept mail for in a file (/etc/postfix/virtual) I was hoping there was some way to check a) is the mail from the localhost OR is the mail for an address in some file. My understanding is you can make a list of email addresses that you will deliver to like a whitelist, but we also send mail from scripts to outside addresses of which we don't alway know beforehand. I don't think I am running an open relay, I've tested it on a couple of sites came back clean. I come from 20 years of sendmail, which has a completely different system and we were using pop authorization, until people had their password compromised and spammers took over. I am sure some of this is trojans so the amavisd seems like a solid tool to have anyway. Thanks guys, David So in short, all email is originating from scripts on your local system? These wouldn't be web mail postings by chance, would they?
RE: Stopping spammers extreme
From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On Behalf Of Appliantologist [octo...@gmail.com] Sent: Tuesday, 4 May 2010 9:11 AM To: Gary Smith Cc: The Doctor; postfix-users@postfix.org Subject: Re: Stopping spammers extreme Hi, We don't have any legitimate users sending mail aside from scripts on the server (linux), only mail from localhost, anyone with an email address is listed in the virtual file and has their email forwarded to a gmail and uses gmail's MTA to send mail. Since we have all the email addresses we accept mail for in a file (/etc/postfix/virtual) I was hoping there was some way to check a) is the mail from the localhost OR is the mail for an address in some file. My understanding is you can make a list of email addresses that you will deliver to like a whitelist, but we also send mail from scripts to outside addresses of which we don't alway know beforehand. I don't think I am running an open relay, I've tested it on a couple of sites came back clean. I come from 20 years of sendmail, which has a completely different system and we were using pop authorization, until people had their password compromised and spammers took over. I am sure some of this is trojans so the amavisd seems like a solid tool to have anyway. Thanks guys, David Do this..: Then change mynetwokrs to be 127.0.0.1 and use a firewall to block incoming tcp on 25 and 587 it really is that simple. Dont allow services to listen to anything you dont want them to act on. On Tue, May 4, 2010 at 1:49 AM, Gary Smith gary.sm...@holdstead.com wrote: I tried to make a CIDR file with most of the 3rd world in it, some 30,000 ips but for some reason it doesn't seem to have the effect I was hoping for. Any ideas would be helpful, thanks.David Add amavisd to your postfix. If they are relaying messages through their server, how is amavisd going to help? Some additional configuration details might be useful. Are the users authenticated? If so, which user is sending the email? It actually sounds like an open relay issue. But I'm just guessing here.