Hello ISPConfig Forum Members, We currently have spoofing issues that's causing us to be added to blacklists specifically backscatterer currently. Generating a mail summary from our logs with pflogsumm -d today /var/log/maillog > /tmp/mail_summary.txt and reviewing the senders by message count it is filled with spoof accounts. We have our current .cnf files setup as suggested in previous forms for anti-spoofing main.cf: smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps mysql-virtual_sender_login_maps.cf: user = user password = password dbname = dbispconfig query = SELECT destination FROM mail_forwarding WHERE source = '%s' AND active = 'y' AND allow_send_as = 'y' AND server_id = 4 UNION SELECT email FROM mail_user WHERE email = '%s' AND disablesmtp = 'n' AND server_id = 4; hosts = 127.0.0.1 Any suggestions or tips are welcome. Thank you for your time.
What do you mean by spoofing? What is exactly happening? Nobody should be able to use your server to send out mail unless they are authenticated or from a trusted ip. If authenticated it can't be with a bogus account if everything is set up properly.
Here is a small snippet of our mail log I referred to previously. There is a lot of bogus accounts sending out. We have a standard setup with no special modifications. Maybe there is a bad user with an account that has been compromised? If there is any information or logs that would be helpful to provide please let me know.
This is nothing more then a message count. Compare those mailaddresses with your postfix logs to determen how they were sent. Especially which user was used to authenticate and change that user's password or kill the user. Or if they originate from a trusted host take appropiate messures on that host.
