Possible Attack?

Hello,

For 2 days I've been receiving many emails from bad addresses to user accounts that exist on my servers.

I don't know how I can stop it. If you execute this command:

*ls -1R /var/spool/postfix/active | wc -l*
10950

I can see 10950 emails in the active queue!!, when normally there are 48-50 emails. Amavis (clamav + spamassassin) is working perfectly, but as the number of incoming emails is greater than the number of emails processed from the active queue, the queue is always growing.

I'm desperate because I don't know what I can do. Is there any way to stop these SPAM emails from reaching the active queue? Because I know that all incoming and outgoing emails go to the active queue before being processed ... Then amavis will decide if it is a good or bad email ...

Some examples below:


*postqueue -p | less*

002742B9EB83* 17292 Wed Oct 15 21:20:42 terrys@poczta.onet.pl
carpe.gon@cmpont.es

002972BB2B81* 1985 Wed Oct 15 22:56:00 Rein-superdon@BROWNINGMC.COM
beatriz.blanco@cmpont.es

0035C2BA0212* 1962 Wed Oct 15 21:27:37 Marie-rukuujuk@abextelecom.com
ralf@comcas.es

004B62BB198E* 1415 Wed Oct 15 22:49:18 adelinedomitiladp@mediafutures.org
dlorente@musicam.net
jenriquez@musicam.net
clucena@musicam.net

0054C2BB1E72* 911 Wed Oct 15 22:51:40 smdc.orgkradke@smdc.org
rgamon@comcas.es

008F02BA94BE* 798 Wed Oct 15 22:07:13 iodizeuj07@filmhorizon.com
fernandez.ramos@cmpont.es
fernandez.sanroman@cmpont.es

Any Ideas?

I have a lot of lag when any user sends an email, about 6 hours!

P.S. Sorry for my english.

Ibook G4, Mac OS X (10.5.2)

Posted on Oct 15, 2008 2:28 PM

4 replies
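To see whether a backlog like the one above is a single flood or normal traffic, it helps to reduce the queue listing to counts per sender domain and per recipient domain. The script below is an added example, not code from the thread or from Postfix: each function reads the output of `postqueue -p` (or `mailq`) on stdin, and the embedded sample is a constructed listing built from the six entries quoted in the post, with a made-up trailing summary line of the kind `mailq` prints.

```shell
#!/bin/sh
# Added example: summarise a Postfix queue listing ("postqueue -p" / "mailq")
# by sender domain and recipient domain. Each function reads the listing on
# stdin.
#
# Listing format: "QUEUEID[*!]  SIZE  DAY MON DD HH:MM:SS  SENDER", then one
# indented line per recipient ("*" after the ID = active queue, "!" = hold),
# a blank line between entries, and a trailing "-- N Kbytes in M Requests."

# Constructed sample: the six entries quoted in the post above.
SAMPLE_QUEUE='002742B9EB83*    17292 Wed Oct 15 21:20:42  terrys@poczta.onet.pl
                                         carpe.gon@cmpont.es

002972BB2B81*     1985 Wed Oct 15 22:56:00  Rein-superdon@BROWNINGMC.COM
                                         beatriz.blanco@cmpont.es

0035C2BA0212*     1962 Wed Oct 15 21:27:37  Marie-rukuujuk@abextelecom.com
                                         ralf@comcas.es

004B62BB198E*     1415 Wed Oct 15 22:49:18  adelinedomitiladp@mediafutures.org
                                         dlorente@musicam.net
                                         jenriquez@musicam.net
                                         clucena@musicam.net

0054C2BB1E72*      911 Wed Oct 15 22:51:40  smdc.orgkradke@smdc.org
                                         rgamon@comcas.es

008F02BA94BE*      798 Wed Oct 15 22:07:13  iodizeuj07@filmhorizon.com
                                         fernandez.ramos@cmpont.es
                                         fernandez.sanroman@cmpont.es

-- 24 Kbytes in 6 Requests.'

# Number of entries currently in the active queue (queue ID followed by "*").
active_entries() {
  awk '$1 ~ /^[0-9A-F]+\*$/ { n++ } END { print n + 0 }'
}

# Envelope sender domains, most frequent first, as "count domain".
sender_domains() {
  awk '$1 ~ /^[0-9A-F]+[*!]?$/ { n = split($NF, a, "@"); print tolower(a[n]) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Recipient domains, most frequent first, as "count domain". Recipient lines
# are indented; deferred-reason lines are indented too but start with "(".
recipient_domains() {
  awk '/^[ \t]+[^ \t(]+@/ { n = split($1, a, "@"); print tolower(a[n]) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Usage:  postqueue -p | sh queue_summary.sh -      (live queue)
#         sh queue_summary.sh                       (embedded sample)
if [ "${1:-}" = "-" ]; then input=$(cat); else input=$SAMPLE_QUEUE; fi
printf 'active entries: %s\n' "$(printf '%s\n' "$input" | active_entries)"
printf -- '--- recipient domains ---\n'; printf '%s\n' "$input" | recipient_domains
printf -- '--- sender domains ---\n';    printf '%s\n' "$input" | sender_domains
```

On the sample the recipient side is concentrated (cmpont.es, musicam.net, comcas.es) while every sender domain is different, which is the usual shape of a dictionary or spam run against real mailboxes; on a live queue, the same counts over thousands of entries tell you which recipient domains and which clients to look at first.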

Oct 16, 2008 1:38 AM in response to alraben

Since the destination accounts exist on your server, mail will not be rejected and is thus passed on to the content filter for processing.
The default settings on OS X Tiger Server are such that it cannot cope with a large volume of mail.

You should strengthen your postfix configuration:
Frontline spam defense for Mac OS X Server

If you still have performance issues, you may also want to update ClamAV and use clamd instead of the default clamscan (which is very slow in processing mail):
Updating ClamAV on OS X Server 10.4.7-10.4.11

HTH,
Alex

P.S. To see the mails in the queue, simply issue "mailq".

Oct 21, 2008 1:27 PM in response to alraben

Have you tested that configuration?

I've added the following lines to the main.cf file:

#FrontLine SPAM Defense
disable_vrfy_command = yes
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, permit
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_rbl_client zen.spamhaus.org, permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
#
I've created a helo_access file with the following content:
MYSERVERIP REJECT You are not me.
MYSERVERDOMAIN REJECT You are not me.

Is the "You are not me." string necessary?

Then I ran postmap helo_access. What does that command do?

And finally, postfix reload. That's all, no?

I already had 2 lines in my main.cf that appear in the documentation:

#smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit

#smtpd_client_restrictions = permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org reject_rbl_client list.dsbl.org reject_rbl_client bl.spamcop.net permit

They were commented and I put the others.

That's all...

A.
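The three questions in that post (the reject text, postmap, and the reload) are easiest to answer by scripting the same change. The script below is an added example and is not part of the thread or of the Frontline document: it writes the helo_access source file, sets the same restrictions through `postconf -e` instead of editing main.cf by hand, then compiles the map, validates the configuration and reloads. The text after REJECT is optional; it is returned to the client in the SMTP reply and shows up in the log, nothing else depends on it. `postmap` turns the plain-text file into the hashed lookup table (helo_access.db) that smtpd actually consults, so it has to be rerun after every edit of the source file. `postfix check` verifies the configuration and file permissions, and `postfix reload` makes the running daemons re-read main.cf. The IP 192.0.2.10 and hostname mail.example.com in the usage are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): apply the Frontline-style restrictions
# posted above with Postfix's own tools. Assumes /etc/postfix is the config
# directory (the OS X Server default) and that the server's public IP and
# HELO hostname are passed as arguments.
set -eu

# Write the HELO access map source. Each line is "key<TAB>ACTION [text]";
# "REJECT" alone works, the text is only echoed in the 5xx reply and logged.
write_helo_access() {
  path=$1; ip=$2; host=$3
  printf '%s\tREJECT You are not me.\n' "$ip" "$host" > "$path"
}

# The main.cf settings from the post, one "parameter = value" per line, so
# they can be reviewed (and diffed against "postconf -n") before applying.
render_restrictions() {
  cat <<'EOF'
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, permit
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_rbl_client zen.spamhaus.org, permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
EOF
}

# Set each parameter, compile the map into helo_access.db, check, reload.
apply_restrictions() {
  render_restrictions | while IFS= read -r line; do
    postconf -e "$line"
  done
  postmap hash:/etc/postfix/helo_access
  postfix check
  postfix reload
}

# Usage:  sh frontline.sh --apply 192.0.2.10 mail.example.com   (as root)
#         sh frontline.sh                                       (print settings only)
if [ "${1:-}" = "--apply" ]; then
  [ $# -eq 3 ] || { echo "usage: $0 --apply IP HOSTNAME" >&2; exit 2; }
  write_helo_access /etc/postfix/helo_access "$2" "$3"
  apply_restrictions
else
  render_restrictions
fi
```

Two caveats when reusing the posted values: zen.spamhaus.org already contains the SBL and XBL data, so the older commented-out sbl-xbl.spamhaus.org lookup adds nothing, and newer Postfix releases spell the HELO checks reject_non_fqdn_helo_hostname and reject_invalid_helo_hostname (the short names above are still accepted as aliases).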
