Replies: 16 - Pages: 2 - Last Post: Mar 29, 2008 10:47 AM by: kcam1999

Posts: 38 - From: utah usa - Registered: Mar 15, 2008
I Have become a Spam relay system I need Help
Posted: Mar 15, 2008 1:39 PM
Hi everyone. First off I need to admit that I am a noob! I don't know much about servers other than the GUI. I bought a tutorial from Lynda.com to help me set up my server. Also I am a student, so I am still in the very new learning stages. I have started my Mail services and within minutes I have become a spam relay system. I get undeliverable messages to my postmaster email; I also watch these email addresses, like ltidmdig@xxxxx.com, ones that I have not set up accounts for. I have my firewall set so that things only work for mail. I am also only running IMAP, not POP. Also in my relay settings I have it set to 127.0.0.1 and 192.168.0.1/28; when I do, I don't get the spam messages, but I also can't send email. If I change it to 192.168.0.0/28 then I can send but become a spammer again. If anybody can help me I would surely appreciate it. I love Time Machine for the fact that I back things up before I enable mail services, but find that I am constantly using that backup again and again to "reset" things. Thanks again
Kcam1999
mac mini
Mac OS X (10.5.2)
Server
Posts: 1,725 - From: New England - Registered: Jun 2, 2007
Re: I Have become a Spam relay system I need Help
Posted: Mar 15, 2008 2:54 PM
in response to: kcam1999
Helpful
Shut down mail.
Shut down the web, since I'm going to assume you're (also) running some sort of web server or web-facing interface.
Your first job is to figure out where the spam is coming from; where it is being injected from.
This could be from an external source, from the web, or from an open WiFi network, or...
Post up some configuration details.
To confirm your footer, this is with Mac OS X Server Leopard?
External firewall or the Mac OS X Server firewall?
Static IP with some sort of an external NAT device, or are you using a dynamic DHCP address with NAT?
WiFi (if any) locked down with WPA or WPA2, and with a non-obvious non-dictionary password?
Any other (compromised) boxes on your local network? Some malware actively seeks mail servers.
Mac OS X (10.4.10)
Posts: 38 - From: utah usa - Registered: Mar 15, 2008
Re: I Have become a Spam relay system I need Help
Posted: Mar 15, 2008 9:36 PM
in response to: kcam1999
Well, first off, I am running Leopard. Second, I am just using the firewall that comes with the OS. I have a dynamic IP but it only changes every 6 months. I do have WiFi, but it is locked down with WPA. From what I know, we don't have any machines on the network that are infected with anything; they all run McAfee and are scanned once a week. What kind of files do you want me to post? IMAP, SMTP and mail access, I would assume. Also, currently I am NOT running a web service of any sort. Not yet at least; that is in the plans, but I want to make sure this works before I move to other things. I have DNS, AFP, NFS, SMB, FTP, and firewall services running. The Mail service is down; in fact the computer is off, for safety reasons obviously. Tell me what reports to post that will help. Thanks so much for taking the time to help me, I really DO appreciate it.
Kcam1999
mac mini
Mac OS X (10.5.2)
Server
Posts: 5,573 - From: Switzerland - Registered: May 19, 2005
Re: I Have become a Spam relay system I need Help
Posted: Mar 16, 2008 2:39 AM
in response to: kcam1999
OS X Server's default configuration does not allow for relay. While I am not excluding that your server is being used as a relay, this could just as well be backscatter you are seeing.
Please post relevant log entries. Also open terminal and post the unmodified output of "postconf -n".
Only then will people be able to tell whether your server is an open relay or not.
Mac OS X (10.5.2)
Posts: 1,725 - From: New England - Registered: Jun 2, 2007
Re: I Have become a Spam relay system I need Help
Posted: Mar 16, 2008 10:05 AM
in response to: kcam1999
Helpful
Dynamic IP implies NAT might be involved here, as servers don't "like" dynamic IP.
I'd suggest a second (outboard) firewall, if you're not already using one. Mac OS X Server firewall is nice if and while it works, but -- if it should drop for any reason (ranging from run-time errors to configuration errors) -- your server becomes vulnerable. Belt and suspenders.
Confirm port connectivity, too, as it's easily possible for an ISP to block port 25, or other such weirdnesses.
Consider turning on authentication on the mail submission ports, too.
And yes, postconf -n output.
Mac OS X (10.4.10)
Posts: 9,714 - From: San Jose, CA - Registered: Mar 13, 2002
Re: I Have become a Spam relay system I need Help
Posted: Mar 16, 2008 2:54 PM
in response to: kcam1999
You do need to provide more information - the postconf -n would help, as would snippets from your mail log (/var/log/mail.log) and email messages that you're getting.
If the messages are coming in to postmaster @ your domain, it may be that they are bounce messages coming into your server. This does not necessarily mean you are a spam relay, just that someone is sending out spam with a return address in your domain. There is very little to ensure that your mail server is the only one that can send mail for your domain, and it's a common trick of spammers to claim to be sending mail from bogus addresses in other domains to help cover their tracks.
The mail logs and the messages in question will help clarify the situation.
Mac OS X (10.5.2)
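The two replies above (the backscatter-versus-open-relay point, and the request for postconf -n plus mail.log excerpts) come down to one question the log can answer on its own: did the server ever accept a message from an outside, unauthenticated client and hand it on to a foreign domain, or did it only refuse such attempts? The Python below is an added example, not code from this thread, from Apple or from Postfix. It reads Postfix log lines in the format posted later in this thread (host[ip], daemon[pid]) and reports, per client, the "Relay access denied" refusals alongside any message that was actually relayed for a client that was neither in mynetworks nor SASL-authenticated. The host names, addresses, queue IDs and the user name nick in SAMPLE_LOG are constructed for the example; the mynetworks value is the one posted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Same value as the mynetworks line in the postconf -n output posted in this thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.0.0/28")]

# Constructed sample log in Postfix's own format; not copied from the thread.
# Lines 1-3:   an outside host tries to relay through us and is refused.
# Lines 4-6:   an internal machine inside mynetworks submits mail without SASL (allowed).
# Lines 7-9:   an outside host gets a message accepted and relayed: the open-relay case.
# Lines 10-12: an outside laptop authenticates with SASL and relays legitimately.
SAMPLE_LOG = """\
Mar 28 11:49:57 yoda postfix/smtpd[442]: connect from mx12.example.net[198.51.100.22]
Mar 28 11:50:18 yoda postfix/smtpd[442]: NOQUEUE: reject: RCPT from mx12.example.net[198.51.100.22]: 554 5.7.1 <bob@example.com>: Relay access denied; from=<aiap@mx12.example.net> to=<bob@example.com> proto=ESMTP helo=<mx12.example.net>
Mar 28 11:50:23 yoda postfix/smtpd[442]: disconnect from mx12.example.net[198.51.100.22]
Mar 28 11:56:30 yoda postfix/smtpd[477]: connect from desk.example.com[192.168.0.3]
Mar 28 11:56:31 yoda postfix/smtpd[477]: 1A2B3C4D5E: client=desk.example.com[192.168.0.3]
Mar 28 11:56:33 yoda postfix/smtp[480]: 1A2B3C4D5E: to=<friend@example.org>, relay=smtp.example.net[203.0.113.5]:25, delay=1.2, status=sent (250 ok)
Mar 28 12:01:00 yoda postfix/smtpd[490]: connect from unknown[203.0.113.77]
Mar 28 12:01:01 yoda postfix/smtpd[490]: 9F8E7D6C5B: client=unknown[203.0.113.77]
Mar 28 12:01:03 yoda postfix/smtp[491]: 9F8E7D6C5B: to=<victim@example.org>, relay=smtp.example.net[203.0.113.5]:25, delay=0.9, status=sent (250 ok)
Mar 28 12:02:00 yoda postfix/smtpd[495]: connect from laptop.example.com[203.0.113.90]
Mar 28 12:02:01 yoda postfix/smtpd[495]: ABCDEF0123: client=laptop.example.com[203.0.113.90], sasl_method=CRAM-MD5, sasl_username=nick
Mar 28 12:02:03 yoda postfix/smtp[496]: ABCDEF0123: to=<friend@example.org>, relay=smtp.example.net[203.0.113.5]:25, delay=0.8, status=sent (250 ok)
"""

# smtpd refused a RCPT TO from host[ip] with a 5xx reply (nothing was queued).
REJECT_RE = re.compile(r"smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: (\d{3}) ")
# smtpd accepted a message: queue id, client ip, and sasl_username if the client authenticated.
CLIENT_RE = re.compile(r"smtpd\[\d+\]: ([0-9A-F]+): client=\S+\[([\d.]+)\](?:.*sasl_username=(\S+))?")
# smtp (the client side, used for remote delivery; local delivery goes through
# local/cyrus/lmtp and never matches here) delivered a queue id to a domain.
SENT_RE = re.compile(r"smtp\[\d+\]: ([0-9A-F]+): to=<[^@>]+@([^>]+)>, relay=\S+, .*status=sent")


def in_mynetworks(ip):
    """True if the client address falls inside one of the mynetworks prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def analyze(log_text):
    """Return (rejects, relayed).

    rejects: client ip -> number of RCPT commands refused by smtpd.
    relayed: (queue_id, client_ip, destination_domain) for every message delivered
             to a remote domain on behalf of a client that was neither inside
             mynetworks nor SASL-authenticated, i.e. genuine open-relay traffic.
    """
    rejects = defaultdict(int)
    accepted = {}          # queue id -> (client ip, sasl username or None)
    relayed = []
    for line in log_text.splitlines():
        if m := REJECT_RE.search(line):
            rejects[m.group(1)] += 1
        elif m := CLIENT_RE.search(line):
            accepted[m.group(1)] = (m.group(2), m.group(3))
        elif m := SENT_RE.search(line):
            qid, dest = m.group(1), m.group(2)
            if qid not in accepted:
                continue   # submitted via sendmail(1)/pickup, no SMTP client involved
            client_ip, user = accepted[qid]
            if user is None and not in_mynetworks(client_ip):
                relayed.append((qid, client_ip, dest))
    return dict(rejects), relayed


if __name__ == "__main__":
    rejects, relayed = analyze(SAMPLE_LOG)
    for ip, count in rejects.items():
        print(f"{ip}: {count} relay attempt(s) refused, nothing queued")
    for qid, ip, dest in relayed:
        print(f"OPEN RELAY: {qid} accepted from {ip} and delivered to {dest}")
```

Run against the lines actually posted in this thread, every outside connection ends in a refusal and the relayed list stays empty; the one hit in the constructed sample is the 203.0.113.77 client, which was accepted without being in mynetworks or authenticating.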
Posts: 38 - From: utah usa - Registered: Mar 15, 2008
Re: I Have become a Spam relay system I need Help
Posted: Mar 20, 2008 4:46 PM
in response to: Camelot
Thanks so much for your help, you guys! I truly appreciate it. Being such a noob, how do I copy those files in Terminal? I have had some other problems as well, so I just reformatted and started over again. My DNS just stopped working. If you could tell me how to get those logs copied from Terminal then I could post them. Once again, thanks so much.
Kcam1999
mac mini
Mac OS X (10.5.2)
Server
Posts: 38 - From: utah usa - Registered: Mar 15, 2008
Re: I Have become a Spam relay system I need Help
Posted: Mar 20, 2008 7:58 PM
in response to: kcam1999
OK, so I just changed my relay from 192.168.0.1/28 to 192.168.0.0/28, and this is when I started having problems. This is what I copied from the SMTP log:
Mar 20 20:55:05 yoda postfix/master[731]: daemon started -- version 2.4.3, configuration /etc/postfix
Mar 20 20:55:06 yoda postfix/tlsmgr[735]: warning: no entropy source specified with parameter tls_random_source
Mar 20 20:55:06 yoda postfix/tlsmgr[735]: warning: encryption keys etc. may be predictable
Mar 20 20:55:06 yoda postfix/smtpd[734]: connect from fl-69-68-136-64.sta.embarqhsd.net[69.68.136.64]
Mar 20 20:55:15 yoda postfix/smtpd[734]: NOQUEUE: reject: RCPT from fl-69-68-136-64.sta.embarqhsd.net[69.68.136.64]: 554 5.7.1 <cremybfxf@mackproductions.com>: Relay access denied; from=<> to=<cremybfxf@mackproductions.com> proto=ESMTP helo=<mail.hardhatwebdesign.com>
Mar 20 20:55:19 yoda postfix/smtpd[734]: disconnect from fl-69-68-136-64.sta.embarqhsd.net[69.68.136.64]
Mar 20 20:55:28 yoda postfix/master[731]: terminating on signal 15
Mar 20 20:55:28 yoda postfix/postfix-script[749]: fatal: the Postfix mail system is not running
What do I do?
mac mini
Mac OS X (10.5.2)
Server
Posts: 1,725 - From: New England - Registered: Jun 2, 2007
Re: I Have become a Spam relay system I need Help
Posted: Mar 20, 2008 9:20 PM
in response to: kcam1999
How to get the postconf text posted in here?
Use the mouse cursor and the mouse button to select the text that is output by the postconf -n command, and Cmd-C (copy) the text. Click the text box here, and enter Cmd-V (paste).
It may well be most expedient here to get a reputable local Mac OS X Server contractor in to set this up for you and to get you started, as being a spam relay is just one small target around what the malware authors are after. Compromising the whole server is a definite goal of these folks, and they can and do actively try to attack and to compromise servers. The malware authors and the botnets just don't give up, and they don't go away.
Mac OS X (10.4.10)
Posts: 38 - From: utah usa - Registered: Mar 15, 2008
Re: I Have become a Spam relay system I need Help
Posted: Mar 21, 2008 12:44 PM
in response to: MrHoffman
MrHoffman,
I do like the idea, but at the same time, I can't afford it. Also I don't learn. But I don't want to be a malware server.
Thanks
Kcam1999
mac mini
Mac OS X (10.5.2)
Server
Posts: 5,573 - From: Switzerland - Registered: May 19, 2005
Re: I Have become a Spam relay system I need Help
Posted: Mar 21, 2008 12:52 PM
in response to: kcam1999
Your wanting to learn how to get things done is certainly a good idea and people are certainly willing to help you. That said, if you don't post the information needed, nobody can help you.
Open terminal
Type:
postconf -n
and hit Enter
Select and copy the output and paste it here.
HTH,
Alex
Mac OS X (10.5.2)
Posts: 38 - From: utah usa - Registered: Mar 15, 2008
Re: I Have become a Spam relay system I need Help
Posted: Mar 25, 2008 12:39 PM
in response to: kcam1999
OK guys, once again, so sorry. Finals will be coming up in a couple of weeks and projects seem to be falling behind. Here is a copy of the configure file:
Last login: Tue Mar 25 13:27:42 on console
yoda:~ nicholasmack$ postconf -n
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = localhost
local_recipient_maps =
luser_relay = postmaster
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 10485760
mydomain = mackproductions.com
mydomain_fallback = localhost
myhostname = yoda.mackproductions.com
mynetworks = 127.0.0.1,192.168.0.0/28
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relayhost = smtp.comcast.net
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtpd_client_restrictions = permit_mynetworks reject_rbl_client zen.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_pw_server_security_options = cram-md5
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/certificates/Default.crt
smtpd_tls_key_file = /etc/certificates/Default.key
smtpd_use_pw_server = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
Thanks once again for all of your help
Kcam1999
mac mini
Mac OS X (10.5.2)
Server
Posts: 38 - From: utah usa - Registered: Mar 15, 2008
Re: I Have become a Spam relay system I need Help
Posted: Mar 27, 2008 9:54 AM
in response to: pterobyte
Please tell me if this is the right file? Thanks
Kcam1999
mac mini
Mac OS X (10.5.2)
Server
Posts: 5,573 - From: Switzerland - Registered: May 19, 2005
Re: I Have become a Spam relay system I need Help
Posted: Mar 28, 2008 4:00 AM
in response to: kcam1999
Solved
Yes that is the correct output.
That said, you say you only know how to use the GUI, yet your configuration contains hand-edited parameters (smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd, for example).
Anyway. Your configuration is not allowing for any open relay. It is certainly not an optimised configuration but not open.
You say that when you change the allow network range, you start seeing spam. If this really is the case (you have yet to provide log evidence), then it would be coming from an internal machine on the same network and not from the outside as 192.168.0.x addresses do not get routed to/from the outside.
The reason you don't get "spam" but also can't send when using 192.168.0.1/28 is simply because this is incorrect syntax. Either use 192.168.0.1/32 to indicate that single address or 192.168.0.0/28 to indicate 192.168.0.0 to 192.168.0.15.
Mac OS X (10.5.2)
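The CIDR point in the reply above, and the question running through the whole thread (is the posted smtpd_recipient_restrictions list an open relay or not?), can both be checked without a mail server. The Python below is an added example, not code from this thread, from Apple or from Postfix. It parses a mynetworks value the way a strict CIDR parser does, so 192.168.0.1/28 is flagged as having host bits set while 192.168.0.0/28 covers 192.168.0.0 to 192.168.0.15, and it then walks the posted restriction list as a simplified first-match model of what smtpd does for one RCPT TO command (only the four restriction names in the posted list are modelled; reject_rbl_client and the rest are out of scope). The client addresses and the SASL user name nick are constructed; the restriction list and mynetworks value are the ones posted, and the mydestination set is Postfix's stock default ($myhostname, localhost.$mydomain, localhost) for the posted myhostname and mydomain, since the posted postconf -n does not set it. Two things it makes visible: the posted order is not an open relay because reject_unauth_destination runs before the trailing permit (swap the two and it is), and a recipient at mackproductions.com itself is refused as an unauthorised destination, which is exactly the "Relay access denied" reply the posted log shows for bob@mackproductions.com.

```python
import ipaddress

# The posted smtpd_recipient_restrictions value, split into its list form.
POSTED_RESTRICTIONS = "permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit".split(",")

# Postfix's default mydestination for the posted myhostname/mydomain; the posted
# postconf -n does not override it, so the bare domain is not a local destination.
MYDESTINATION = {"yoda.mackproductions.com", "localhost.mackproductions.com", "localhost"}


def parse_mynetworks(spec):
    """Parse a comma-separated mynetworks value into ip_network objects.

    Returns (networks, errors). A plain host address becomes a /32. A prefix with
    host bits set, such as 192.168.0.1/28, is not accepted; the error names the two
    unambiguous spellings (the whole /28 range, or that one host as /32).
    """
    networks, errors = [], []
    for entry in (e.strip() for e in spec.split(",") if e.strip()):
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
            continue
        except ValueError as exc:
            reason = exc
        try:
            as_range = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(f"{entry}: not an address or network ({reason})")
            continue
        host = entry.split("/", 1)[0]
        errors.append(f"{entry}: host bits set; use {as_range} for the range "
                      f"{as_range[0]}-{as_range[-1]}, or {host}/32 for that one host")
    return networks, errors


def covers(networks, ip):
    """True if ip falls inside any of the parsed mynetworks prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def evaluate(restrictions, client_ip, sasl_user, rcpt_domain, mynetworks, mydestination=MYDESTINATION):
    """Simplified model of smtpd walking a restriction list for one RCPT TO.

    Restrictions are tried in order; the first that returns permit or reject wins,
    one with no opinion passes to the next, and running off the end of
    smtpd_recipient_restrictions permits. reject_unauth_destination refuses any
    recipient domain the server is not responsible for (mydestination here; in
    Postfix relay_domains and virtual domains also count).
    Returns (verdict, restriction that decided).
    """
    modelled = ("permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination")
    for r in restrictions:
        if r == "permit_mynetworks" and covers(mynetworks, client_ip):
            return "permit", r
        if r == "permit_sasl_authenticated" and sasl_user is not None:
            return "permit", r
        if r == "reject_unauth_destination" and rcpt_domain not in mydestination:
            return "reject", r
        if r == "permit":
            return "permit", r
        if r == "reject":
            return "reject", r
        if r not in modelled:
            raise ValueError(f"restriction not modelled: {r}")
    return "permit", "end of list"


def is_open_relay(restrictions, mynetworks, mydestination=MYDESTINATION):
    """An outside, unauthenticated client (constructed 203.0.113.77) asks us to
    carry mail to a foreign domain. If that is permitted, the server is an open relay."""
    verdict, _ = evaluate(restrictions, "203.0.113.77", None, "example.org", mynetworks, mydestination)
    return verdict == "permit"


if __name__ == "__main__":
    _, errors = parse_mynetworks("127.0.0.1,192.168.0.1/28")   # the value that blocked sending
    for e in errors:
        print("mynetworks:", e)
    nets, _ = parse_mynetworks("127.0.0.1,192.168.0.0/28")      # the posted value
    for client_ip, user, domain in [("192.168.0.3", None, "example.org"),
                                    ("203.0.113.77", None, "mackproductions.com"),
                                    ("203.0.113.77", None, "yoda.mackproductions.com"),
                                    ("203.0.113.77", "nick", "example.org")]:
        print(client_ip, user, domain, "->", evaluate(POSTED_RESTRICTIONS, client_ip, user, domain, nets))
    misordered = ["permit_sasl_authenticated", "permit_mynetworks", "permit", "reject_unauth_destination"]
    print("posted list is an open relay:", is_open_relay(POSTED_RESTRICTIONS, nets))
    print("permit before reject_unauth_destination is an open relay:", is_open_relay(misordered, nets))
```

The practical reading for the thread: with 192.168.0.0/28 every host from .0 to .15 on the LAN can hand this server mail for any domain without a password, which is why the reply above points at an internal machine rather than the Internet; anything from outside that range has to authenticate or be addressed to a domain in mydestination.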
Posts: 38 - From: utah usa - Registered: Mar 15, 2008
Re: I Have become a Spam relay system I need Help
Posted: Mar 28, 2008 11:06 AM
in response to: pterobyte
So I took your advice and looked at the computers on the internal network, and I think that I have found which one it is. Also, on the relay I told it to accept just the computers that are 192.168.0.10-20, and I think it has made a difference. But here is a copy of the log from today with the new modification. As for the smtp_sasl_password_maps, honestly I don't even know what that is. I do have a tutorial from lynda.com that I have been using, but it doesn't say anything about using Terminal much. It just tells me how to use changeip to check my DNS.
Mar 28 11:49:01 yoda postfix/postfix-script[385]: fatal: the Postfix mail system is not running
Mar 28 11:49:07 yoda postfix/master[432]: daemon started -- version 2.4.3, configuration /etc/postfix
Mar 28 11:49:39 yoda postfix/tlsmgr[443]: warning: no entropy source specified with parameter tls_random_source
Mar 28 11:49:39 yoda postfix/tlsmgr[443]: warning: encryption keys etc. may be predictable
Mar 28 11:49:57 yoda postfix/smtpd[442]: connect from mx12.emailroi.com[69.63.211.22]
Mar 28 11:50:18 yoda postfix/smtpd[442]: NOQUEUE: reject: RCPT from mx12.emailroi.com[69.63.211.22]: 554 5.7.1 <bob@mackproductions.com>: Relay access denied; from=<aiap@mx12.emailroi.com> to=<bob@mackproductions.com> proto=ESMTP helo=<mx12.emailroi.com>
Mar 28 11:50:21 yoda postfix/smtpd[449]: connect from vhost1.permeta.com[64.7.135.40]
Mar 28 11:50:22 yoda postfix/smtpd[442]: NOQUEUE: reject: RCPT from mx12.emailroi.com[69.63.211.22]: 554 5.7.1 <bob@mackproductions.com>: Relay access denied; from=<aiap@mx12.emailroi.com> to=<bob@mackproductions.com> proto=ESMTP helo=<mx12.emailroi.com>
Mar 28 11:50:23 yoda postfix/smtpd[442]: disconnect from mx12.emailroi.com[69.63.211.22]
Mar 28 11:50:35 yoda postfix/smtpd[449]: NOQUEUE: reject: RCPT from vhost1.permeta.com[64.7.135.40]: 554 5.7.1 <byugxu@mackproductions.com>: Relay access denied; from=<> to=<byugxu@mackproductions.com> proto=ESMTP helo=<vhost1.permeta.com>
Mar 28 11:50:37 yoda postfix/smtpd[449]: disconnect from vhost1.permeta.com[64.7.135.40]
Mar 28 11:51:01 yoda postfix/smtpd[442]: connect from 69-64-68-207.dedicated.abac.net[69.64.68.207]
Mar 28 11:51:15 yoda postfix/smtpd[442]: NOQUEUE: reject: RCPT from 69-64-68-207.dedicated.abac.net[69.64.68.207]: 554 5.7.1 <onxrffxcyvjw@mackproductions.com>: Relay access denied; from=<> to=<onxrffxcyvjw@mackproductions.com> proto=ESMTP helo=<69-64-68-207.dedicated.abac.net>
Mar 28 11:51:16 yoda postfix/smtpd[442]: disconnect from 69-64-68-207.dedicated.abac.net[69.64.68.207]
Mar 28 11:54:36 yoda postfix/anvil[447]: statistics: max connection rate 1/60s for (smtp:69.63.211.22) at Mar 28 11:49:57
Mar 28 11:54:36 yoda postfix/anvil[447]: statistics: max connection count 1 for (smtp:69.63.211.22) at Mar 28 11:49:57
Mar 28 11:54:36 yoda postfix/anvil[447]: statistics: max cache size 3 at Mar 28 11:51:01
Mar 28 11:56:28 yoda postfix/smtpd[473]: connect from vswall-backup.de[81.169.151.133]
Mar 28 11:56:30 yoda postfix/smtpd[477]: connect from yoda.mackproductions.com[192.168.0.3]
Mar 28 11:56:30 yoda postfix/smtpd[477]: warning: yoda.mackproductions.com[192.168.0.3]: SASL CRAM-MD5 authentication failed
Mar 28 11:56:30 yoda postfix/smtpd[477]: lost connection after AUTH from yoda.mackproductions.com[192.168.0.3]
Mar 28 11:56:30 yoda postfix/smtpd[477]: disconnect from yoda.mackproductions.com[192.168.0.3]
Mar 28 11:56:30 yoda postfix/smtpd[472]: connect from www.marklines.com[202.233.46.65]
Mar 28 11:56:32 yoda postfix/smtpd[473]: NOQUEUE: reject: RCPT from vswall-backup.de[81.169.151.133]: 554 5.7.1 <zgugputnym@mackproductions.com>: Relay access denied; from=<nobody@mail.vswall-backup.de> to=<zgugputnym@mackproductions.com> proto=ESMTP helo=<mail.vswall-backup.de>
Mar 28 11:56:34 yoda postfix/smtpd[473]: disconnect from vswall-backup.de[81.169.151.133]
Mar 28 11:56:35 yoda postfix/smtpd[472]: NOQUEUE: reject: RCPT from www.marklines.com[202.233.46.65]: 554 5.7.1 <esvzddnuooci@mackproductions.com>: Relay access denied; from=<> to=<esvzddnuooci@mackproductions.com> proto=ESMTP helo=<markgw1.marklines.com>
Mar 28 11:56:37 yoda postfix/smtpd[472]: disconnect from www.marklines.com[202.233.46.65]
Mar 28 11:56:39 yoda postfix/smtpd[476]: connect from smtp-out.hotpop.com[38.113.3.61]
Mar 28 11:56:42 yoda postfix/smtpd[476]: NOQUEUE: reject: RCPT from smtp-out.hotpop.com[38.113.3.61]: 554 5.7.1 <pirepcdgooflz@mackproductions.com>: Relay access denied; from=<> to=<pirepcdgooflz@mackproductions.com> proto=ESMTP helo=<smtp-out.hotpop.com>
Mar 28 11:56:43 yoda postfix/smtpd[476]: disconnect from smtp-out.hotpop.com[38.113.3.61]
Mar 28 11:57:29 yoda postfix/master[432]: terminating on signal 15
Mar 28 11:57:30 yoda postfix/postfix-script[491]: fatal: the Postfix mail system is not running
As you can see, there are email addresses XXXX@mackproductions.com that aren't real; also the bob@mackproductions.com doesn't exist either. Right now all that does is postmaster@mackproductions.com.
Once again thanks so much for your help!!
Kcam1999
mac mini
Mac OS X (10.5.2)
Server