Hello guys, I have been listed in the Spamhaus CBL for a few days. The CBL listing reports that I have a virus on the network and that it is sending emails as "localhost.localdomain". I found no viruses on the workstations and no traffic destined for port 25 passing through the server. Searching the logs, I found a source, but not the cause. It is pretending to be a "spammer" trying to connect to my server. I need some help to find the way that is being used and how to fix it. I have these rejected log entries:

Mar 11 10:33:15 mailgw01 postfix/smtpd[4885]: NOQUEUE: reject: RCPT from unknown[190.167.108.170]: 450 4.7.1 <170.108.167.190.d.dyn.codetel.net.do>: Helo command rejected: Host not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<170.108.167.190.d.dyn.codetel.net.do>
Mar 11 10:06:12 mailgw01 postfix/smtpd[31614]: NOQUEUE: reject: RCPT from unknown[72.252.249.42]: 554 5.7.1 Service unavailable; Client host [72.252.249.42] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?72.252.249.42; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[72.252.249.42]>
Mar 11 10:06:41 mailgw01 postfix/smtpd[31634]: NOQUEUE: reject: RCPT from unknown[112.196.29.187]: 554 5.7.1 Service unavailable; Client host [112.196.29.187] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?112.196.29.187; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[112.196.29.187]>

And I have this successful log. I have changed the password, but it happens again.

Mar 11 13:19:24 mailgw01 postfix/smtpd[28172]: connect from unknown[49.14.14.17]
Mar 11 13:19:25 mailgw01 imapd: Failed to connect to socket /tmp/fam--
Mar 11 13:19:27 mailgw01 postfix/smtpd[28172]: warning: restriction `check_policy_service' after `permit' is ignored
Mar 11 13:19:27 mailgw01 postfix/smtpd[28172]: B49CE7F06AF: client=unknown[49.14.14.17]
Mar 11 13:19:29 mailgw01 postfix/cleanup[25479]: B49CE7F06AF: message-id=<[email protected]>
Mar 11 13:19:29 mailgw01 postfix/qmgr[19869]: B49CE7F06AF: from=<[email protected]>, size=5208, nrcpt=1 (queue active)
Mar 11 13:19:29 mailgw01 postfix/pickup[26717]: 368347F06B1: uid=130 from=<[email protected]>
Mar 11 13:19:29 mailgw01 postfix/pipe[28466]: B49CE7F06AF: to=<[email protected]>, orig_to=<[email protected]>, relay=filter, delay=1.8, delays=1.8/0/0/0.03, dsn=2.0.0, status=sent (delivered via filter service)
Mar 11 13:19:29 mailgw01 postfix/qmgr[19869]: B49CE7F06AF: removed
Mar 11 13:19:29 mailgw01 postfix/cleanup[27082]: 368347F06B1: message-id=<[email protected]>
Mar 11 13:19:29 mailgw01 postfix/qmgr[19869]: 368347F06B1: from=<[email protected]>, size=5325, nrcpt=1 (queue active)
Mar 11 13:19:29 mailgw01 postfix/virtual[27248]: 368347F06B1: to=<[email protected]>, relay=virtual, delay=0.07, delays=0.06/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Mar 11 13:19:29 mailgw01 postfix/qmgr[19869]: 368347F06B1: removed
Mar 11 13:19:29 mailgw01 postfix/smtpd[28172]: disconnect from unknown[49.14.14.17]

Thanks!
Code:
Mar 11 13:19:27 mailgw01 postfix/smtpd[28172]: warning: restriction `check_policy_service' after `permit' is ignored

looks like a messed up main.cf, please post main.cf / master.cf. Do you have any websites hosted on your system which use scripting languages? cgi/python/php...? That could also be a source if something got infected.
Thanks for the answer. This server has sites hosted on it, sites in PHP. I did a scan on it, but have not found any changes.

main.cf:

body_checks = regexp:/etc/postfix/body_checks
header_checks = regexp:/etc/postfix/header_checks
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
sender_bcc_maps = hash:/etc/postfix/sender_bcc
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
debug_peer_level = 2
debug_peer_list = domainclient.com.br
myhostname = mail.domainclient.com.br
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = mail.domainclient.com.br
mydestination = mail.domainclient.com.br, domainclient.com.br
relayhost =
mynetworks = 127.0.0.0/8, 192.168.0.0/16, hash:/var/lib/pop-before-smtp/hosts, IP EXTERNAL1, IPEXTERNAL2,
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
transport_maps = mysql:/etc/postfix/mysql-transport.cf
virtual_maps = mysql:/etc/postfix/mysql-aliases.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-aliases.cf
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_mailbox_limit = 51200000
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual-uid.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual-gid.cf
smtpd_recipient_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/whitelist-ips,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    permit
    check_policy_service unix:private/spfcheck,
    #check_policy_service inet:127.0.0.1:60000
#    reject_rbl_client relays.ordb.org,
#    reject_rbl_client list.dsbl.org,
#    reject_rbl_client sbl-xbl.spamhaus.org
smtpd_client_restrictions = permit_mynetworks,
header_checks = regexp:/etc/postfix/header_checks
message_size_limit = 36214400
#local_recipient_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
================================================ SMTPD AUTH
smtpd_sasl_auth_enable = no
bounce_queue_lifetime = 1d
maximal_queue_lifetime = 1d

master.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd
#  -o content_filter=amavis-scan:[127.0.0.1]:10024
#  -o receive_override_options=no_address_mappings
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=filter:dummy
submission inet n       -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_authenticated_header=yes
  -o smtpd_sasl_application_name=smtpd
  -o broken_sasl_auth_clients=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
amavis-scan unix -      -       n       -       5       lmtp
  -o disable_dns_lookups=yes
  -o lmtp_send_xforward_command=yes
  -o lmtp_data_done_timeout=1200
localhost:10026 inet n  -       n       -       5       smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o myhostname=mailgw01.domainclient.com.br
filter    unix  -       n       n       -       10      pipe
  flags=Rq user=filter null_sender= argv=/etc/postfix/filter -f ${sender} -- ${recipient}
First thing I don't see is
Code:
smtpd_sender_restrictions = reject_unknown_sender_domain

Default behaviour is to allow everything. Your SPF check is never done because it's after a permit:
Code:
check_policy_service unix:private/spfcheck
permit

permit is the default action in the end anyway.

Edit: do you have a file /etc/mailname? What's in it?
Could it be something like this?

smtpd_sender_restrictions = permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/block,
    # Reject senders that cannot be identified
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_authenticated_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unlisted_sender,
    reject_unauth_pipelining

About the SPF check, what must be improved to make it work?
Do I need to carry out this change?

smtpd_recipient_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/whitelist-ips,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    check_policy_service unix:private/spfcheck,
    permit
I have these other settings on another email server. I will add them. What do you think?

smtpd_helo_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    check_helo_access regexp:/etc/postfix/regras_ehlo,
    reject_invalid_hostname,
    reject_unauth_pipelining
    reject_non_fqdn_hostname

smtpd_client_restrictions = reject_invalid_hostname,
    reject_unverified_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining

In my initial post, was the problem happening due to not having smtpd_sender_restrictions set? Can you explain the reason for this?
Yes, you can add those restrictions, of course. Well, I'm not 100% sure if my suggestion will solve your issue since I did not look at all of your configuration / can only assume what you're doing at body and header checks and so on. (Btw. it would be nice to put stuff in BB-Code tags like code or quote to increase readability.) You're also mixing up separators.
Code:
something = a,b,c
something = a b c
something = a b c

are all doing the same (don't miss the whitespaces at the 3rd example). It's just about some style. However, I found a good explanation for my suggestion and other things on the CentOS wiki. Seems I did miss some useful stuff. Among this I've only seen issues regarding having mails sent with the localhost.localdomain extension when postfix automatically appends dot mydomain (mails without domain can come from cronjobs running and so on), which is turned off in your config. Even if not, you did set your myhostname / myorigin to a valid hostname, so assumptions whether you have localhost.localdomain in your /etc/hosts or /etc/mailname can probably be ignored. So I tried looking for what's missing, and this has been missing, so I hope it will fix your issue.
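The warning quoted earlier in the thread ("restriction `check_policy_service' after `permit' is ignored") and the separator note above can be checked offline before a reload. The script below is an added example, not code from the thread or from Postfix: the keyword sets are an assumed subset of Postfix's restriction keywords, and the list it parses is the (abridged) smtpd_recipient_restrictions posted earlier, with its line breaks restored.

```python
import re

# Assumed subsets of Postfix restriction keywords: those that consume the next
# token as an argument, and those whose result is unconditional (everything
# listed after them is dead, which is what the smtpd warning is about).
TAKES_ARG = {"check_client_access", "check_helo_access", "check_sender_access",
             "check_recipient_access", "check_policy_service", "reject_rbl_client"}
TERMINAL = {"permit", "reject", "defer"}

def parse_restrictions(value):
    """Split a main.cf restriction list into (keyword, argument) pairs. Commas
    and whitespace both separate entries; a line starting with '#' is a comment."""
    tokens = []
    for line in value.splitlines():
        if not line.lstrip().startswith("#"):
            tokens += [t for t in re.split(r"[,\s]+", line) if t]
    pairs, i = [], 0
    while i < len(tokens):
        kw, arg = tokens[i], None
        if kw in TAKES_ARG and i + 1 < len(tokens):
            arg, i = tokens[i + 1], i + 1
        pairs.append((kw, arg))
        i += 1
    return pairs

def ignored_restrictions(value):
    """(keyword, argument, terminal) for each entry that can never be evaluated."""
    terminal, ignored = None, []
    for kw, arg in parse_restrictions(value):
        if terminal:
            ignored.append((kw, arg, terminal))
        elif kw in TERMINAL:
            terminal = kw
    return ignored

def permit_last(value):
    """Re-render the list with every bare 'permit' moved to the end, one entry
    per line: the ordering the thread settled on."""
    pairs = parse_restrictions(value)
    kept = [p for p in pairs if p[0] != "permit"] + [p for p in pairs if p[0] == "permit"]
    return ",\n    ".join(kw if arg is None else f"{kw} {arg}" for kw, arg in kept)

# Abridged smtpd_recipient_restrictions from the thread, line breaks restored.
ORIGINAL = """permit_mynetworks,
    check_client_access hash:/etc/postfix/whitelist-ips,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    permit
    check_policy_service unix:private/spfcheck,
    #check_policy_service inet:127.0.0.1:60000"""
```

Running ignored_restrictions(ORIGINAL) reports the SPF policy check as unreachable after permit; permit_last(ORIGINAL) produces the order from the later post, which reports nothing.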
I will keep it indented. I had seen this link. /etc/hosts and /etc/mailname both have the FQDN. I will apply the changes and monitor. Thanks for the help. Hugs.
Hello guys. I made changes to main.cf and the firewall. Still, every morning I am listed in the blacklist of http://www.abuseat.org/ - CBL. My relay is closed. I find nothing in the logs. Any tips on how to identify this listing? I was looking quickly and some forums have reported the possibility of viruses on workstations. Could it be something? The FW rules follow.
If your IP is listed on a blacklist, your server sends spam or sent spam in the last few days. You should scan your websites for malware (http://ispprotect.com/) and make sure that your mailserver is not an open relay (http://mxtoolbox.com/).
My relay is closed, and the HELO is mail.domainclient.com.br. I checked the site with https://sitecheck.sucuri.net and http://ispprotect.com, but found nothing. Can I be listed without sending more spam?
Update: on the possibility of some malware, I've used chkrootkit, rkhunter and Lynis, but I found nothing.
None of those tools are made for detecting an infected WordPress plugin page being abused to send spam, for example.
Have you gone through their proper channel to request to be unlisted? There is a process and steps to take in order to make your request, from what I recall, with an explanation of what happened and the steps you took to fix it.
Hello, I discovered a few days ago that it was due to a compromised account. I mentioned it in the first post. Thank you all for your help. Hugs.
You didn't mention if you went through their removal request on their site and the block lists you might be on. If you are on multiple lists you might need to request removal multiple times at multiple locations. Some auto-remove you after X amount of days of no spam, but no guarantee. I'm glad you found the problem; maybe someone would chime in and see if they have the munin and monit services running and if it shows the mail or traffic of emails, and if you see a huge spike you know something is going on.
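Following the monitoring suggestion above and the OP's log earlier in the thread, here is an added example (not from the thread, and not a Postfix, munin or monit tool) that correlates smtpd, pickup and qmgr log lines by queue ID and sums accepted recipients per origin, so a compromised SASL account, or a script calling sendmail from the web server's uid, shows up as a single origin with a burst. It goes beyond the posted log by also recognising the sasl_method/sasl_username fields Postfix logs for authenticated submission; the sample lines are constructed, and MYNETWORKS is taken from the posted main.cf.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed Postfix 2.x log shapes (IPv4 only): smtpd's client= line with optional
# SASL fields, pickup(8)'s uid= line and qmgr's "queue active" line.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S+?\[([\d.]+)\]"
                       r"(?:, sasl_method=\S+, sasl_username=(\S+))?")
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<[^>]*>, size=\d+, nrcpt=(\d+)")
MYNETWORKS = [ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]  # posted main.cf

def recipients_by_origin(log_lines):
    """Tie each queue ID to where it entered Postfix, then sum recipients per origin:
    sasl:<user> (authenticated submission), local:uid=<n> (pickup: sendmail from a
    script, or the content filter re-injecting), lan:<ip> (mynetworks), ext:<ip>."""
    origin = {}
    for line in log_lines:
        if m := CLIENT_RE.search(line):
            qid, ip, user = m.groups()
            internal = any(ip_address(ip) in net for net in MYNETWORKS)
            origin[qid] = f"sasl:{user}" if user else f"{'lan' if internal else 'ext'}:{ip}"
        elif m := PICKUP_RE.search(line):
            origin[m.group(1)] = f"local:uid={m.group(2)}"
    rcpts = Counter()
    for line in log_lines:
        if (m := QMGR_RE.search(line)) and m.group(1) in origin:
            rcpts[origin[m.group(1)]] += int(m.group(2))
    return rcpts

def spikes(rcpts, max_rcpts=20):
    """Origins whose accepted recipient count exceeds the threshold. A sasl: origin
    is this thread's compromised-account case; local:uid=<web server uid> points at
    a script calling sendmail; ext: is inbound volume (or relay abuse if it is large)."""
    return [(src, n) for src, n in rcpts.items() if n > max_rcpts]

# Constructed sample modelled on the thread's log; addresses and the last six lines are made up.
SAMPLE = """\
Mar 11 13:19:27 mailgw01 postfix/smtpd[28172]: B49CE7F06AF: client=unknown[49.14.14.17]
Mar 11 13:19:29 mailgw01 postfix/qmgr[19869]: B49CE7F06AF: from=<user@domainclient.com.br>, size=5208, nrcpt=1 (queue active)
Mar 11 13:19:29 mailgw01 postfix/pickup[26717]: 368347F06B1: uid=130 from=<user@domainclient.com.br>
Mar 11 13:19:29 mailgw01 postfix/qmgr[19869]: 368347F06B1: from=<user@domainclient.com.br>, size=5325, nrcpt=1 (queue active)
Mar 11 13:20:02 mailgw01 postfix/smtpd[28190]: C11AA7F06C2: client=unknown[49.14.14.17], sasl_method=PLAIN, sasl_username=user@domainclient.com.br
Mar 11 13:20:03 mailgw01 postfix/qmgr[19869]: C11AA7F06C2: from=<user@domainclient.com.br>, size=5300, nrcpt=40 (queue active)
Mar 11 13:21:10 mailgw01 postfix/smtpd[28201]: D22BB7F06D3: client=pc12.lan[192.168.1.12]
Mar 11 13:21:11 mailgw01 postfix/qmgr[19869]: D22BB7F06D3: from=<bob@domainclient.com.br>, size=900, nrcpt=1 (queue active)
""".splitlines()
```

Feed it the real mail.log (one line per entry) and the threshold that fits the site's normal volume; a single sasl: user far above everyone else is the pattern the OP eventually found.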
Excuse me. I did not mention the removal from the blacklist (every day). I spoke only of the account whose password had been compromised. I will follow the idea of Monit. Thanks again.
For email it is actually Mailgraph. They have a howto here for Ubuntu, and it works for Debian as well. Link: https://www.howtoforge.com/tutorial/postfix-monitoring-with-mailgraph-on-ubuntu-14-04/