Postfix - increase of deffered email

Hans and Falko,

Maybe this is the end of it, but I would still like to see the complete route of such mail, just to satisfie my curiousity (and perhaps come up with a final solution to the problem).
I'm intrigued. (That's mainly because Falko implied it cannot be solved, I think I found a bug in my character)

 

more reffered emails

This morning i had a look at munin's graph, to see if there where no reffered mails anymore.

But yes there where 31 reffered mails again!

I removed them again, but hwat can i do else to prevent this as much as possible?

 

Did you trace them back to their origin?

 

I understand that it important to trace them back to their origin, but at this time i did not yet.
The next time, that a lot of deffered mails occur, i will give it a try and i will report it here.

Maybe it is an option to block their IPs

 

No need to wait till next time. Your mail log, starting yesterday at 22:15 end ending 02:00 this morning will most likely provide the wanted info.

 

How can i do this?

 

I would go with examining your maillog. If it contains too much privacy sensitive info you may want to drop me a private line.
I take it you have some new spams ghosting around in your system. So Munin will tell you which part of the log is needed.

 

appache2 error.log file

I have taken a look at my /var/log/apache2/error.log file because i think that the spam is caused via a webapplication.
In this logile, i dicovered a lot of messages like the ones within the attachement.

I think i am on the right track now, but what can i do now?

@tycho:
If necesarry i open that private line later.
Thanks for your help!

 

It looks like spammers are scanning your web sites for vulnerable applications. They probe for file names like contactus.php, email.asp, etc. In your log excerpt the requests always come from 71.233.200.109, so you can try to block that IP address: http://www.howtoforge.com/forums/showthread.php?t=6363&highlight=route+reject

 

Falko,

I can block IP-adresses with command route add -host <IP-address> reject

Two more questions:

- But how can i unblock an IP-address in case that i block wrong IP-addresses?
I guess with the command:
route del -host <IP-address> reject

- Is there also a possibility to list the IP-addesses that i've blocked on the server?

 

One question about this line:

mynetworks = 127.0.0.0/8, 192.168.1.0/24

Is 192.168.1.0 the IP-address of my server or the IP-address of the Gateway ?

 

That would be the address (well, actually the network) of eth1
The setting causes email clients from the inside of your firewall not having to authenticate themselves when sending email, thus providing a somewhat smoother operation.
Also, never add any routable networks to this setting, as you will be an open relay.
Applicable to postfix (which you use, don't you?).

 

Yes, i am using Postfix.
I have added the line <eth0-address>/24 to my Postfix main.cf file.
After that i restarted Postfix.

Yesterday i have studied a lot of log files.
My websites has been scanned, contact forms on the websites of my clients are used to send spam via systemuser www-data (Apache) to a lot of other emailaddresses outside my server.

When the emailaddress/domainname/hostname of the receiver does not excists, email will me marked as "deffered".
It is the reason that deffered mails are increasing.

As Falko suggests i have blocked some IP-addresses, but this does not help a lot.
(The IP's are different every time).

It is very difficult to trace the IP-addresses of the spammers, and almost impossible to find the site, containing a possible vulnerable form/application.
Their IP-addresses are not always available as the spammers are using scripts within the forms on websites.

Right now, i am not able to solve this problem, so if anyone has suggestions, they are welcome.

 

You could add a pre-processor for www-data, like via procmail or MailScanner.

 

Add Procmail

I think that is a good idea.

I believe Procmail is not included within Falko's "Perfect howto "for Debian Sarge.

There is a lot of info available here about procmail at URL http://www.howtoforge.com/taxonomy_menu/1/23

Do you know how i can add and setup procmail for my Debian server with ISPConfig?

 

Add Procmail

I think that is a good idea.

There is a lot of info available here about procmail at URL http://www.howtoforge.com/taxonomy_menu/1/23

Do you know how i can setup procmail for my Debian server with ISPConfig for www-data?

 

It's installed automatically, and the rest is configured by ISPConfig.

This might give you the idea: http://www.howtoforge.com/howto_spamassassin_clamav_procmail

Actually, 192.168.1.0 is your network address, not the address of your network card, and /24 is the subnet mask (it's the same as 255.255.255.0).
If you use the subnet mask /32, then the IP address would be your network card's IP address.

 

I don't agree with that. But it will at least buy you some time.
And you are going to need that time to come up with a real solution (installing a pre-processor in this case is just a work-around), because you will be blacklisted if you don't.
Bear in mind that not postfix is the weak chain in this, apache, and/or programs executed thru apache, are giving the spammers an open relay.

 

A little step further

In the mean time, i found the vulnerable contact form within a site.
The form is deactivated and since that moment everything looks great again.

It is time to create more secure contact forms and to make my server more secure by adding a pre-processor or whatever.

For today i go to bed now, as i am sick of SPAM.

 

Captha

I have put a captcha on the webforms and this really helps to prevent spam provided by automatic processes without human interaction via webforms.

Definition: http://nl.wikipedia.org/wiki/Captcha