postfix DoS Spam attack

Discussion in 'Installation/Configuration' started by arraken, Mar 28, 2013.

  1. arraken

    arraken Member

    Hi guys!

    I'm having a serious problem with my mailserver. It seems there is some kind of DoS or Spam attack running, which is nearly crashing the whole server. Some days ago we had a DoS attack on apache (40+ requests to one site per second from one IP), and now it's starting on the mailserver.

    It seems to originate from a single IP, if I'm not mistaken. If I run the command "tail -f /var/log/mail.log | grep 1.2.3.4" I get the following output:

    Code:
    Mar 28 17:37:01 server1 postfix/smtpd[2413]: 715002530564: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:01 server1 postfix/smtpd[2423]: 77E012530565: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:01 server1 postfix/smtpd[2512]: E53542530413: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:02 server1 amavis[1871]: (01871-03-4) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]om.tw>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<c0762@yahoo.com.tw>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<greatest[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, quarantine: X/badh-XPAn+KjwcGjn, Message-ID: <IUHTZUPJBXXGZAGGBWH[email protected]>, mail_id: XPAn+KjwcGjn, Hits: 29.032, size: 5547, queued_as: 77E182530566, 4413 ms
    Mar 28 17:37:04 server1 postfix/smtpd[2512]: 7F0DA21B112F: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:04 server1 postfix/smtpd[2423]: 7F17B25303C4: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:04 server1 postfix/smtpd[2413]: 803D22530568: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:05 server1 postfix/smtpd[2708]: warning: 1.2.3.4: address not listed for hostname email.DomainOnMyServer.at
    Mar 28 17:37:05 server1 postfix/smtpd[2708]: connect from unknown[1.2.3.4]
    Mar 28 17:37:05 server1 amavis[1870]: (01870-03-13) Passed BAD-HEADER, [1.2.3.4] [75.116.26.152] <[email protected]> -> <[email protected]>, quarantine: j/badh-jLp6v1RP31FB, Message-ID: <[email protected]>, mail_id: jLp6v1RP31FB, Hits: 28.97, size: 5545, queued_as: B476F2530569, 2765 ms
    Mar 28 17:37:06 server1 postfix/smtpd[2708]: 5EEF92331F5D: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:08 server1 postfix/smtpd[2423]: 7897B253056B: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:08 server1 postfix/smtpd[2413]: 789E0253056C: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:08 server1 postfix/smtpd[2512]: 79B99253056D: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:08 server1 postfix/smtpd[2708]: 7A618253056E: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:08 server1 amavis[1871]: (01871-03-5) Passed BAD-HEADER, [1.2.3.4] [185.248.120.84] <[email protected]> -> <[email protected]>,<[email protected]>,<johnsonp@yahoo.com.tw>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, quarantine: B/badh-BWzuYpe8ThAM, Message-ID: <BUDYAWCSBBNEN[email protected]>, mail_id: BWzuYpe8ThAM, Hits: 29.469, size: 6527, queued_as: 77FB4253056A, 5424 ms
    Mar 28 17:37:08 server1 postfix/smtpd[2512]: A4E29253056F: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:08 server1 postfix/smtpd[2423]: A732B2530570: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:08 server1 postfix/smtpd[2413]: ADFFE2530571: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:08 server1 postfix/smtpd[2708]: EAC6C2530572: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:08 server1 postfix/smtpd[2413]: EAC8C2530573: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:10 server1 postfix/smtpd[2423]: 69F422530575: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:10 server1 postfix/smtpd[2512]: E010A2530576: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:10 server1 postfix/smtpd[2708]: E0FE62530578: client=unknown[1.2.3.4], sasl_method=LOGIN, [email protected]
    Mar 28 17:37:12 server1 amavis[1870]: (01870-03-14) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <[email protected]> -> <[email protected]>,<[email protected]>,   
    

    As you can see, this is the output of only a few seconds.
     
    Last edited: Mar 30, 2013
  2. arraken

    arraken Member

    If I don't grep for the IP and just use "tail -f /var/log/mail.log" I get this within seconds:

    Code:
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<[email protected]>, relay=none, delay=12736, delays=12475/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:32 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/smtpd[2454]: 08E3E25307F6: client=unknown[90.146.13.50], sasl_method=LOGIN, [email protected]
    Mar 28 17:44:33 server1 postfix/smtpd[2620]: 098A425307F7: client=unknown[90.146.13.50], sasl_method=LOGIN, [email protected]
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A19B721B1817: to=<[email protected]>, relay=none, delay=11737, delays=11476/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/smtpd[2708]: 0E69425307F8: client=unknown[90.146.13.50], sasl_method=LOGIN, [email protected]
    Mar 28 17:44:33 server1 postfix/smtpd[2585]: 0F80225307F9: client=unknown[90.146.13.50], sasl_method=LOGIN, [email protected]
    Mar 28 17:44:33 server1 postfix/smtpd[2398]: 0F99425307FA: client=unknown[90.146.13.50], sasl_method=LOGIN, [email protected]
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<[email protected]>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<[email protected]>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<[email protected]>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<[email protected]>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: 1780821B1722: to=<[email protected]>, relay=none, delay=11930, delays=11669/261/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    
    Can anyone help, or explain what exactly is going on? It's really urgent, considering that the server just crashed a few minutes ago, and I have some live sites running on it. I would also be glad for some kind of a quick fix (just ban that one IP or something?)
     
    Last edited: Mar 30, 2013
  3. arraken

    arraken Member

    blocked IP - no success

    I have now blocked the IP with "route add -host 1.2.3.4 reject". The "tail -f /var/log/mail.log | grep 90.146.13.50" now results in the following:

    Code:
    Mar 28 17:57:31 server1 amavis[18006]: (18006-02-46) Passed BAD-HEADER, [1.2.3.4:] [183.128.84.108] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, quarant...
    Mar 28 17:57:31 server1 amavis[16078]: (16078-01-111) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, quarant...
    Mar 28 17:57:33 server1 amavis[18006]: (18006-02-47) Passed BAD-HEADER, [1.2.3.4] [157.120.139.150] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, quarantine: N/badh-NWyeRQikDbdr, Message-ID: <[email protected]>, mail_id: NWyeRQikDbdr, Hits: 27.748, size: 5828, queued_as: 0DD8623313BE, 1404 ms
    Mar 28 17:57:34 server1 amavis[16078]: (16078-01-112) Passed BAD-HEADER, [1.2.3.4] [181.236.150.22] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>,<[email protected]>, quarantine: u/badh-u6-w7u-VHSX8, Message-ID: <[email protected]>, mail_id: u6-w7u-VHSX8, Hits: 27.625, size: 7382, queued_as: CCF7921B1CF6, 1033 ms
    Mar 28 17:57:35 server1 amavis[16078]: (16078-01-113) Passed BAD-HEADER, [1.2.3.4] [1.2.3.4] <[email protected]> -> <[email protected]>,<[email protected]>,<[email protected]>
    
    any ideas?
     
    Last edited: Mar 30, 2013
  4. arraken

    arraken Member

    server abused as spambot?

    Ok, I think my server is abused for sending spam. I don't think it's an open relay however, so can it be some script on my server that sends the mails?

    I followed the instructions from the first answer here: http://serverfault.com/questions/333072/mail-server-compromised-yahoo-refusing-mails

    I seem to have the same problem as the poster there.

    When I execute "qshape deferred" I get the following output:

    Code:
                 yahoo.com.tw 70279  0 42  0 1998 5617 12254 39296 11072    0     0
              DomainOnMyServer.at 12583  0  0  0   17   31    36    73   885 1445 10096
                      kimo.com   310  0  0  0   16   24    48   159    63    0     0
         heattreatmentchina.ru    29  0  0  0    1    0     1     0     0    0    27
                  yahoo.com.hk    22  0  0  0    1    2     9     9     1    0     0
                 purifiercn.ru    16  0  0  0    0    0     1     1     0    1    13
                 earthlink.net    12  0  0  0    0    0     0     0     0    0    12
                     ymail.com    11  0  0  0    0    0     6     4     1    0     0                  
                   example.com     8  0  0  0    0    0     0     0     0    2     6            
                       aol.com     2  0  0  0    0    0     0     0     0    0     2
                      jumpy.it     2  0  0  0    0    0     0     0     0    0     2
                     gawab.com     2  0  0  0    0    0     0     0     0    0     2
                rocketmail.com     2  0  0  0    0    0     0     2     0    0     0
     gdp-globaldigitalpost.com     2  0  0  0    0    0     0     0     0    0     2
                       nsi.com     1  0  0  0    0    0     0     0     0    0     1
                       mxb.org     1  0  0  0    0    0     0     0     0    0     1
                       kjf.com     1  0  0  0    0    0     0     0     0    0     1
    
    When I look in /var/spool/postfix/deferred/ there are masses of mails there - all apparently spam mails.

    What can I do to stop this? Please help! I had to shut down the mailserver already, which isn't good, as it is used by quite a few customers.
     
    Last edited: Mar 30, 2013
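
Rather than deleting the whole queue, you can pick out only the deferred messages from the abused sender and hand those to postsuper. The following is an added example, not code from the thread or from ISPConfig: it parses the output of "postqueue -p" (mailq), which lists each message's queue ID with a state flag ("*" active, "!" on hold, nothing for deferred), size, arrival time and envelope sender, followed by the deferral reason in parentheses and the indented recipients, and prints the queue IDs for one sender in one state so they can be piped to "postsuper -d -", which reads queue IDs from standard input. The sample listing, the addresses and the script name are constructed for the example. It assumes the spam carries the compromised account's address as envelope sender; Postfix does not tie the envelope sender to the SASL login unless reject_sender_login_mismatch with smtpd_sender_login_maps is configured, so check a few messages with "postcat -q <ID>" first.

```python
import re
import sys

# Constructed sample in the layout of `postqueue -p` (IDs and addresses made up).
# A trailing '*' on the queue ID marks an active message, '!' one on hold,
# no flag means deferred. The deferral reason follows in parentheses.
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
185FE21B11BD     5547 Thu Mar 28 14:12:33  shop@example.at
(unknown mail transport error)
                                         xhs12@yahoo.com.tw
                                         c0762@yahoo.com.tw

A19B721B1817     5545 Thu Mar 28 14:29:12  shop@example.at
(unknown mail transport error)
                                         jo@yahoo.com.tw

0DBC22134107*    2461 Fri Mar 29 08:58:36  newsletter@example.org
                                         kontakt@example.at

-- 13 Kbytes in 3 Requests.
"""

# First line of a queue entry: ID, optional state flag, size, arrival, sender.
ENTRY = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d)\s+(?P<sender>\S*)$"
)
STATUS = {"": "deferred", "*": "active", "!": "hold"}


def parse_queue(text):
    """Parse `postqueue -p` output into a list of message dicts."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():          # blank line closes the current entry
            cur = None
            continue
        m = ENTRY.match(line)
        if m:
            cur = {"qid": m["qid"], "status": STATUS[m["flag"]],
                   "size": int(m["size"]), "arrival": m["arrival"],
                   "sender": m["sender"], "reason": None, "recipients": []}
            entries.append(cur)
        elif cur is None:             # header, footer or "Mail queue is empty"
            continue
        elif line.strip().startswith("("):
            cur["reason"] = line.strip()[1:-1]
        else:
            cur["recipients"].append(line.strip())
    return entries


def select_queue_ids(text, sender, status="deferred"):
    """Queue IDs of messages from `sender` (case-insensitive); status=None for any state."""
    want = sender.lower()
    return [e["qid"] for e in parse_queue(text)
            if e["sender"].lower() == want
            and (status is None or e["status"] == status)]


if __name__ == "__main__":
    # usage: postqueue -p | python3 queue_select.py shop@example.at | postsuper -d -
    if len(sys.argv) > 1:
        ids = select_queue_ids(sys.stdin.read(), sys.argv[1])
    else:
        ids = select_queue_ids(SAMPLE_QUEUE, "shop@example.at")
    print("\n".join(ids))
```

The blunt equivalent of what was done in this thread is "postsuper -d ALL deferred", which also throws away legitimate mail that happened to be deferred at the time; selecting by sender keeps that, and "postsuper -h" instead of "-d" lets you hold the messages for inspection before deleting them.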
  5. arraken

    arraken Member

    problem seems to be solved for now

    Ok, the problem seems to be fixed for now. I'll post a little summary of the problem and of what I did, as this may be interesting to other ISPConfig 3 users that also use the standard postfix settings.

    1. My mailserver sent masses of spam mails to seemingly random accounts (mostly @yahoo.com). My log was full of lines like this:
    Code:
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<[email protected]>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<[email protected]>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<[email protected]>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    Mar 28 17:44:33 server1 postfix/qmgr[3936]: A7B1525303C0: to=<[email protected]>, relay=none, delay=1250, delays=988/262/0/0, dsn=4.3.0, status=deferred (unknown mail transport error)
    2. There were lots of logins from a mail account on my server, all from the same IP

    3. As a result of the many spam mails, yahoo blocked the IP of my server.

    What i did was the following:

    1. Panicked and tried to find out what the hell was going on... :)
    2. Tried some stuff that didn't work, most of which I can't remember in the correct order now..
    3. What I think did the trick was that I changed the password of the account which I thought was compromised, and removed all mail from the queue (which was completely clogged up). Afterwards there were no more outgoing spam mails in my mail.log.

    The hardest part was finding the compromised account, because the mail log was filling up so fast, it was hard to find useful information. If anyone has some info on how to identify a compromised account quickly, I would be glad to hear it.


    I still see spam-mail blocks in my mail log, but the spam comes from the outside now, and gets blocked, if I interpret it correctly. Here's a short snippet:

    Code:
    Mar 29 08:58:36 server1 postfix/qmgr[27307]: 0DBC22134107: from=<[email protected]>, size=2461, nrcpt=1 (queue active)
    Mar 29 08:58:36 server1 postfix/qmgr[27307]: 0EAAD213410A: from=<[email protected]>, size=5221, nrcpt=1 (queue active)
    Mar 29 08:58:36 server1 postfix/qmgr[27307]: F400621340DF: from=<[email protected]>, size=1797, nrcpt=1 (queue active)
    Mar 29 08:58:36 server1 postfix/qmgr[27307]: E426E2134109: from=<[email protected]>, size=2865, nrcpt=1 (queue active)
    Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7DB341FBE351: from=<[email protected]>, size=5396, nrcpt=1 (queue active)
    Mar 29 08:58:36 server1 postfix/qmgr[27307]: 79D781FBE34F: from=<[email protected]>, size=5261, nrcpt=1 (queue active)
    Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7F4632134152: from=<[email protected]>, size=2694, nrcpt=1 (queue active)
    Mar 29 08:58:36 server1 postfix/qmgr[27307]: 7929F21340AA: from=<[email protected]>, size=2482, nrcpt=1 (queue active)
    Mar 29 08:58:36 server1 postfix/qmgr[27307]: D6F7F1FBE353: from=<[email protected]>, size=5178, nrcpt=1 (queue active)
    which gets followed by:

    Code:
    Mar 29 08:58:36 server1 postfix/qmgr[27307]: 1D1B7213410B: from=<[email protected]>, size=2489, nrcpt=1 (queue active)
    Mar 29 08:58:36 server1 postfix/pipe[330]: 647FA2138021: to=<[email protected]>, orig_to=<[email protected]>, relay=maildrop, delay=8889, delays=8889/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/smuglyaguirre/337.0.server1.  )
    Mar 29 08:58:36 server1 postfix/pipe[324]: A6F4B1FBE2A7: to=<[email protected]>, orig_to=<[email protected]>, relay=maildrop, delay=42406, delays=42406/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/evalyn.danby/332.0.server1.  )
    Mar 29 08:58:36 server1 postfix/pipe[315]: B38AF21340DE: to=<[email protected]>, orig_to=<[email protected]>, relay=maildrop, delay=25730, delays=25730/0.03/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/markus.novak/339.0.server1.  )
    Mar 29 08:58:36 server1 postfix/pipe[336]: BF10F213419A: to=<[email protected]>, orig_to=<[email protected]>, relay=maildrop, delay=2384, delays=2384/0.03/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/domainOnMyServer.at/kontaktformular/343.0.
    So I guess that's all right?

    Are there some best practices for preventing something like this in the future? It may be that another account gets compromised, and I don't want to go through this again.

    PS: even though I didn't get replies here in the forum, I still got quick help via private messages - so thanks for that!
     
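
The question in the summary above, how to pick the compromised account out of a log that is filling up faster than you can read it, is one a short script answers better than grep. The following is an added example, not code from the thread or from ISPConfig: it parses the "client=..., sasl_method=..., sasl_username=..." lines that postfix/smtpd writes for every authenticated submission (the same kind of line shown in the first post), counts submissions per account and per client IP, and reports the accounts above a threshold. The sample log, the addresses, the threshold of 5 and the script name are made up for the example; on a real server the threshold has to sit above what your busiest legitimate user sends in the time window you feed it.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample modeled on the smtpd lines in the thread (addresses and
# queue IDs are invented). One account submits a burst from a single client;
# the other lines are noise the parser must ignore.
SAMPLE_LOG = """\
Mar 28 17:37:01 server1 postfix/smtpd[2413]: 715002530564: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=shop@example.at
Mar 28 17:37:01 server1 postfix/smtpd[2423]: 77E012530565: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=shop@example.at
Mar 28 17:37:01 server1 postfix/smtpd[2512]: E53542530413: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=shop@example.at
Mar 28 17:37:04 server1 postfix/smtpd[2512]: 7F0DA21B112F: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=shop@example.at
Mar 28 17:37:04 server1 postfix/smtpd[2423]: 7F17B25303C4: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=shop@example.at
Mar 28 17:37:05 server1 postfix/smtpd[2708]: connect from unknown[1.2.3.4]
Mar 28 17:37:06 server1 postfix/smtpd[2708]: 5EEF92331F5D: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=shop@example.at
Mar 28 17:38:12 server1 postfix/smtpd[2801]: A0B1C2530600: client=home.example.net[198.51.100.9], sasl_method=PLAIN, sasl_username=alice@example.at
Mar 28 17:44:32 server1 postfix/qmgr[3936]: 185FE21B11BD: to=<x@yahoo.com.tw>, relay=none, delay=12736, dsn=4.3.0, status=deferred (unknown mail transport error)
"""

# One authenticated submission as logged by postfix/smtpd.
SASL_SUBMISSION = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)


def parse_submissions(log_text):
    """Yield one dict per authenticated message submission found in the log."""
    for line in log_text.splitlines():
        m = SASL_SUBMISSION.match(line)
        if m:
            yield m.groupdict()


def summarize(log_text):
    """Per sasl_username: submission count, per-client-IP counts, queue IDs, time span."""
    stats = defaultdict(lambda: {"messages": 0, "ips": Counter(), "qids": [],
                                 "first": None, "last": None})
    for sub in parse_submissions(log_text):
        s = stats[sub["user"].lower()]
        s["messages"] += 1
        s["ips"][sub["ip"]] += 1
        s["qids"].append(sub["qid"])
        s["first"] = s["first"] or sub["ts"]
        s["last"] = sub["ts"]
    return dict(stats)


def suspicious_accounts(log_text, min_messages=5):
    """Accounts at or above the threshold, busiest first: (user, count, top client IP)."""
    ranked = []
    for user, s in summarize(log_text).items():
        if s["messages"] >= min_messages:
            top_ip, _ = s["ips"].most_common(1)[0]
            ranked.append((user, s["messages"], top_ip))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    # usage: python3 find_sasl_spammer.py - < /var/log/mail.log   (or no args for the sample)
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LOG
    for user, n, ip in suspicious_accounts(text):
        print(f"{user}: {n} submissions, mostly from {ip}")
```

An account that normally sends a handful of mails a day and suddenly shows hundreds of submissions from one "unknown[...]" client is the one to lock. The queue IDs it collects are the ones assigned at submission; after amavis the message is re-injected under the ID in "queued_as:", so they identify the log trail for that account rather than the entries sitting in the deferred queue.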
  6. compugraphix

    compugraphix Member

    If I were you I would install fail2ban and turn it on for courier-pop3(-ssl), courier-imap(-ssl) and smtp, and try to move your clients over to the SSL variant of your mail setup, because this is much more secure.

    Could be somebody hacked the password of a mail user via brute force or some other way.
     
    Last edited: Mar 29, 2013
  7. pititis

    pititis Member

    I agree.

    You can check if fail2ban is working with:

    Code:
    fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf
    (example in ubuntu for the sasl filter)

    You can check pop3, imap and so on as well. The report will give you something like this (bottom):

    Code:
    Success, the total number of match is 43
    
     
  8. Lionheart82

    Lionheart82 Member

    I have had exactly this incident in my server a while ago...

    Seems like a good fail2ban rule along with monit is a good way to stop these attacks and monitor the server's mail queue (in case some account is compromised again).

    My fail2ban sasl rule currently has 10 bans, and by using the recidive rule you can ban those attackers permanently.

    If you need help with the rule we will be here :)
     
  9. arraken

    arraken Member

    Thanks for the tips guys!

    I'll set up mail for SSL and try to move my clients over asap.

    Concerning the fail2ban rules: I have some rules, following this tutorial:
    http://scottlinux.com/2011/05/26/prevent-postfix-brute-force/

    So I got a rule for sasl that looks like this:

    [sasl]
    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    logpath = /var/log/mail.log
    maxretry = 3

    When I check the logs with the command suggested by pititis "fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf" I don't get any results though.

    But in the attack on my server, the user apparently logged in with the correct (hacked) password, so I guess the sasl rule doesn't trigger in that case, is that right?

    @Lionheart82: Can you tell me which sasl rule you use? I'm curious about that, as it seems to be working. :)

    Which fail2ban rules would be responsible for blocking a single account from sending huge amounts of mails? Or do I just need a simple postfix rule for that?

    @compugraphix: do you have any suggestions for courier-pop3(-ssl), courier-imap(-ssl) and smtp settings for fail2ban, or a good tutorial? I found this one: http://www.howtoforge.de/anleitung/verhindern-von-brute-force-attacks-mit-fail2ban-auf-debian-etch/ but it's from 2007, and there's no smtp rule.


    Thanks again for the help. You never stop learning here. :)
     
  10. compugraphix

    compugraphix Member

    I got something like this:

    [courierpop3]

    enabled = true
    port = pop3
    filter = courierpop3
    logpath = /var/log/mail.log
    maxretry = 5

    [courierpop3s]

    enabled = true
    port = pop3s
    filter = courierpop3s
    logpath = /var/log/mail.log
    maxretry = 5


    most is standard in the /etc/fail2ban/jail.conf

    Oh, and one big tip :p you must ensure that your own IP can't be banned...
    put it in /etc/hosts.allow
    like
    sshd: yourip
    ftpd: yourip
    etc...
     
  11. Lionheart82

    Lionheart82 Member

    First of all, install manually the latest version from here:

    https://github.com/fail2ban/fail2ban/
    I strongly recommend that as it fixes many many bugs and has a lot more rules to play with :)

    You should remove any repos first though

    My rule is this one, the default if I remember correctly.

    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

    Also yes, since the hacker knew the password you can't see any failure, but you can try and test the older logs, e.g. /var/log/mail_2.log etc...
     
  12. compugraphix

    compugraphix Member

    If he isn't that good at compiling his own stuff I would stay with apt-get, because when there's an upgrade or bugfix the control panel tells you about it.
    And it's easier to maintain that way.
     
  13. Lionheart82

    Lionheart82 Member

    I am a CentOS user and our repos are not updated any more, well, since fail2ban moved to GitHub, and it's logical since changes occur every minute :)

    Also a tip: try to use a high number of minutes to ban, or use -1 for infinite time.
     
  14. compugraphix

    compugraphix Member

    OK, and I am a Debian user, so I understand your decision to manually install it then.
     
  15. arraken

    arraken Member

    Ok. Apparently I was feeling safe too early. It started again. This time changing the password didn't help. I even disabled the whole suspected domain in ISPConfig and it didn't help :(

    I'm out of ideas.

    @Lionheart82: you talked about configuring monit to find out who sends the mails. Do you have any concrete tips for that? I never worked with monit before.

    PS: maybe the following message from my mail.warn is useful:

    Mar 29 22:43:35 server1 postfix/smtpd[7602]: warning: Message delivery request rate limit exceeded: 106 from unknown[90.146.13.50] for service smtp
     
  16. compugraphix

    compugraphix Member

    Then he is going to be blocked; it takes 5 minutes to block an IP with fail2ban.
    In the control panel, do you see the "show fail2ban log"?
    Are there IPs getting banned?
     
  17. arraken

    arraken Member

    The IP isn't getting blocked. Is my fail2ban setup wrong? Do I have to restart it or something?

    I still get lots of
    Code:
    Mar 29 23:04:52 server1 postfix/smtpd[11734]: warning: Message delivery request rate limit exceeded: 104 from unknown[1.2.3.4] for service smtp
    Mar 29 23:04:52 server1 postfix/smtpd[10961]: warning: Message delivery request rate limit exceeded: 105 from unknown[1.2.3.4] for service smtp
    Mar 29 23:04:52 server1 postfix/smtpd[10990]: warning: Message delivery request rate limit exceeded: 106 from unknown[1.2.3.4] for service smtp
    
     
    Last edited: Mar 30, 2013
  18. compugraphix

    compugraphix Member

    Did you put in a line for smtpd in the fail2ban configuration?

    something like:

    [postfix]

    enabled = true
    port = smtp,ssmtp
    filter = postfix
    logpath = /var/log/mail.log

    and restart fail2ban
    /etc/init.d/fail2ban restart

    if you have Debian, that is
     
    Last edited: Mar 29, 2013
  19. arraken

    arraken Member

    I have the following:

    [postfix]

    enabled = true
    port = smtp,ssmtp
    filter = postfix
    logpath = /var/log/mail.log
    maxretry = 5

    But does this rule also work if the spammer apparently has a valid account? Or does it only block if someone tries to send mails and gets rejected multiple times?
     
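
Whether a jail fires depends entirely on what its filter's failregex matches. The sasl filter quoted earlier in the thread matches only "SASL ... authentication failed" warnings, and the stock postfix filter matches "reject: RCPT from ..." lines; a spammer who logs in with a valid password produces neither, which is why fail2ban-regex reports nothing. The "Message delivery request rate limit exceeded: ... from unknown[1.2.3.4] for service smtp" warning posted above does name the client IP (Postfix logs it once a client passes smtpd_client_message_rate_limit, which is 0, meaning no limit, unless it has been set), so a filter can key on it. The following is an added example, not a file from fail2ban, from the thread or from ISPConfig: it applies the <HOST> substitution that fail2ban 0.8/0.9 performs before compiling a failregex (assumed here; later versions use a more elaborate pattern), runs the stock sasl regex and a hypothetical rate-limit regex over constructed log lines modeled on the thread's, and shows which hosts a jail with maxretry = 3 would ban. The log lines, IPs and addresses are made up.

```python
import re
from collections import Counter

# Placeholder expansion fail2ban 0.8/0.9 applies to <HOST> before compiling a
# failregex (assumed here so a filter can be exercised offline).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The stock sasl filter quoted in the thread: it only matches FAILED logins.
SASL_FAILREGEX = (
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)

# Hypothetical extra failregex keyed on the anvil rate-limit warning Postfix
# logged in the thread; that line names the client IP of the flooding session.
RATELIMIT_FAILREGEX = (
    r"warning: Message delivery request rate limit exceeded: \d+ from "
    r"[-._\w]+\[<HOST>\] for service smtp"
)

# Constructed sample modeled on the thread's log lines (IPs/addresses made up):
# two successful logins, three rate-limit warnings, one failed login.
SAMPLE_LOG = [
    "Mar 28 17:37:01 server1 postfix/smtpd[2413]: 715002530564: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=shop@example.at",
    "Mar 28 17:37:04 server1 postfix/smtpd[2423]: 7F17B25303C4: client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=shop@example.at",
    "Mar 29 23:04:52 server1 postfix/smtpd[11734]: warning: Message delivery request rate limit exceeded: 104 from unknown[1.2.3.4] for service smtp",
    "Mar 29 23:04:52 server1 postfix/smtpd[10961]: warning: Message delivery request rate limit exceeded: 105 from unknown[1.2.3.4] for service smtp",
    "Mar 29 23:04:52 server1 postfix/smtpd[10990]: warning: Message delivery request rate limit exceeded: 106 from unknown[1.2.3.4] for service smtp",
    "Mar 29 23:05:10 server1 postfix/smtpd[11002]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
]


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex (with <HOST>) into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def matching_hosts(lines, failregex):
    """Hosts extracted from every line the failregex matches, in log order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def would_ban(lines, failregex, maxretry):
    """Hosts a jail with this failregex and maxretry would ban (findtime ignored)."""
    counts = Counter(matching_hosts(lines, failregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("sasl jail, maxretry=3:      ", would_ban(SAMPLE_LOG, SASL_FAILREGEX, 3))
    print("rate-limit jail, maxretry=3:", would_ban(SAMPLE_LOG, RATELIMIT_FAILREGEX, 3))
```

To use the second pattern for real, put it as the failregex of a filter file under /etc/fail2ban/filter.d/, point a jail at /var/log/mail.log and verify it with fail2ban-regex as pititis suggested; fail2ban strips the timestamp itself before matching, which is why none of these expressions anchors on the date. Banning the IP only buys time, because the account still has a valid password and the next bot IP will log in with it, so the lasting fix is the password change plus a cap on what a single account may send.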
  20. arraken

    arraken Member

    Another question: I have tried to ban a suspicious IP via route add -host 90.146.13.50 reject, but when I try iptables -L I don't see the IP listed anywhere. Is this normal?
     
