Monitor all outgoing email

I am suspicious that our mail server may be trying to send out spam. Is there a way I can monitor all outgoing email to see if that's true? I tried saving out the logs from the server to read on my machine, and the log files are empty, even though they are full on the machine.

Here are some entries from the mail.log that make me wonder; I am not sure what they mean exactly, though.

Apr 21 03:12:12 ns2 postfix/smtp[1848]: connect to mx15.comingsoon.internic.ca[199.85.4.232]: Connection refused (port 25)
Apr 21 03:12:12 ns2 postfix/smtp[1848]: 75272263FAD: to=<Mmcewen@cdtv.ca>, relay=none, delay=60265, status=deferred (connect to mx15.comingsoon.internic.ca[199.85.4.232]: Connection refused)
Apr 21 03:12:12 ns2 postfix/smtp[1854]: connect to rocanada.com[204.13.160.26]: Connection refused (port 25)
Apr 21 03:12:12 ns2 postfix/smtp[1854]: 75272263FAD: to=<kromocki@rocanada.com>, relay=none, delay=60265, status=deferred (connect to rocanada.com[204.13.160.26]: Connection refused)
Apr 21 03:12:12 ns2 postfix/smtp[1853]: 75272263FAD: to=<hamlin@promedia.ca>, relay=none, delay=60265, status=deferred (Host or domain name not found. Name service error for name=promedia.ca type=MX: Host not found, try again)
Apr 21 03:12:12 ns2 postfix/smtp[1846]: 75272263FAD: to=<savannahmusic@att.net>, relay=aln-mailrelay.att.net[12.102.252.75], delay=60265, status=deferred (host aln-mailrelay.att.net[12.102.252.75] refused to talk to me: 550 unauthorized interface for 68.xxx.xxx.xx on alnwmxc01)
Apr 21 03:12:19 ns2 postfix/smtp[1856]: 75272263FAD: to=<brianmurphy@zdnetmail.com>, relay=none, delay=60272, status=deferred (Host or domain name not found. Name service error for name=zdnetmail.com type=MX: Host not found, try again)
Apr 21 03:12:42 ns2 postfix/smtp[1843]: connect to mail.unicum.de[83.136.87.121]: Operation timed out (port 25)
Apr 21 03:12:42 ns2 postfix/smtp[1843]: 68EAF259EE6: to=<hspringer@unicum.de>, relay=none, delay=219644, status=deferred (connect to mail.unicum.de[83.136.87.121]: Operation timed out)
Apr 21 03:12:42 ns2 postfix/smtp[1845]: connect to ambushadvertising.com[64.20.33.115]: Operation timed out (port 25)
Apr 21 03:12:42 ns2 postfix/smtp[1844]: connect to advancefilm.com[205.178.189.131]: Operation timed out (port 25)
Apr 21 03:12:42 ns2 postfix/smtp[1844]: 75272263FAD: to=<mord@advancefilm.com>, relay=none, delay=60295, status=deferred (connect to advancefilm.com[205.178.189.131]: Operation timed out)
Apr 21 03:12:42 ns2 postfix/smtp[1851]: connect to msn.ca[207.68.172.246]: Operation timed out (port 25)
Apr 21 03:12:42 ns2 postfix/smtp[1858]: connect to mail.antararesources.com[65.71.108.218]: Operation timed out (port 25)
Apr 21 03:12:42 ns2 postfix/smtp[1851]: 75272263FAD: to=<tominternational@msn.ca>, relay=none, delay=60295, status=deferred (connect to msn.ca[207.68.172.246]: Operation timed out)

Many, Mac OS X (10.4.8)

Posted on Apr 23, 2007 12:53 PM


Apr 23, 2007 2:40 PM in response to KrayZ

To add to this issue, we cannot get any email from any .mac accounts (Though we can send to them). We DO NOT have spam filtering turned on, so I don't know what would be blocking it. This is what I see in the logs


Warning: 17.250.248.184: hostname smtpout.mac.com verification failed: host not found

and I get TONS of these, with different IP addys.

Any ideas? (I have checked the blacklists, and we are not on them that I can find)

Apr 24, 2007 12:46 AM in response to rhwalker

DNS doesn't seem to be operational on your server.


I don't think it is DNS related. The first log posting looks like typical backscatter mail (mail being returned to a non-existent spam sender). These have all been sitting in the queue for a while (see 'delay' field). However, you say you do not have spam filtering on?

We will need output from Terminal command 'postconf -n'

-david

Apr 24, 2007 1:24 AM in response to KrayZ

Warning: 17.250.248.184: hostname smtpout.mac.com verification failed: host not found


This, however, may be a DNS issue...

This is a "Warning" that your dns cannot find a straight match between a PTR lookup on the IP address and an A record for the hostname. Although .Mac does have a string of A records for the same hostname, I do not get these warnings on my server, so a bit strange.

However, this should not prevent your server from accepting mail from .mac unless you have explicitly added a postfix restriction for same. The default server will just log the 'warning' and continue with accepting the connection. This will show up on postconf -n output.

Re blacklisting, being on a blacklist would not prevent you from receiving mail.

As rhwalker first suggested, probably worth checking that your dns is working (just open a browser on the server and see if you can browse internet).

-david

Apr 24, 2007 8:44 AM in response to David_x

The only restrictions I can see, are these

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit


I am confused beyond belief, but I am sure that these problems stem from being hacked. We are having way too many problems since that time, and the weird CPU usage and extreme amount of network traffic during down times, is making me very suspicious, but the guy above me does not seem that concerned (Which makes me more concerned).

Apr 24, 2007 9:34 AM in response to KrayZ

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit


Quick comment, unrelated to your 'problems'...

reject_unauth_pipelining is not recommended for use outside of an smtpd_data_restriction.

I cannot really tell anything without the whole output from postconf -n. But if you do not have spam filtering turned on, don't have an RBL blacklist lookup and have only got those basic restrictions to stop spammers sending you stuff, then you will be accepting a lot more spam than you need to. I'm still puzzled as to you "not having spam filters" and yet your previous log output showing typical backscatter caused by spam being rejected by same filters. Maybe you just recently turned them off? But without more info being offered by yourself, there's nothing really to suggest. Did you check your DNS, for example?

-david

Apr 24, 2007 9:39 AM in response to David_x

David,
I think a bit of background is in order. I am taking over for somebody else at this company, and because of quick expansion, he was forced to piece the system together and use some workarounds to get things working properly. I am still new to server technology (I recently completed the server essentials course at Apple Canada).
Apparently, they were having lots of problems with the spam filters grabbing all the real mail and letting through all the spam. Instead of trying to fix it, they just turned it off. We are going to be moving in a few months here, and hopefully getting 2 new Xserves, which will be setup from scratch (Including Spam filtering!).
Given our recent security issues, I do not want to post the information directly online as it lists our IPs. If you drop me an email @ kraym (at) joemedia.tv I will send it to you.
Thank you for your help on this BTW, it is greatly appreciated.

Apr 24, 2007 9:49 AM in response to KrayZ

If you need to, just change your external IPs to 1.2.3.4 (although your external IP should not need to be in that output anyway). Your internal IPs are not a security risk since these are just from the private ranges anyway (we all have variations of these and they do not give away your location). Change your domain name too if you want to - just ensure that you are doing this very consistently (just change main domain name part, not sub domains or host part - e.g. change mail.secretDomain.org to mail.domain.org )

-david

Apr 24, 2007 10:06 AM in response to David_x

alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_privs = nobody
enable_server_options = yes
html_directory = no
inet_interfaces = all
local_recipient_maps =
luser_relay = catchall
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
maps_rbl_reject_code = 571
message_size_limit = 26214400
mydestination = $myhostname,localhost.$mydomain,mydomain.tv,mail.mydomain.tv,@mydomain.tv,localhost
mydomain = mydomain.tv
mydomain_fallback = localhost
myhostname = ns2.mydomain.tv
mynetworks = 68.xxx.xxx.xx,68.xxx.xxx.xxx,127.x.x.x,127.x.x.x,205.xxx.xxx.xx,68.xxx.xxx.xx,192.168.1.159,68.xxx.xxx.xx,68.xxx.xx.xx,192.168.1.0/24
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_pw_server_security_options = plain,login
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/certificates/Default.crt
smtpd_tls_key_file = /etc/certificates/Default.key
smtpd_use_pw_server = yes
smtpd_use_tls = no
soft_bounce = NO
unknown_local_recipient_reject_code = 550

Apr 24, 2007 4:35 PM in response to KrayZ

I had a read of your previous post about the hacking, etc so aware of the background now.

There are some bits of your config which are totally alien to me (I had to look them up 🙂), so I presume those bits got copied in from the other system (maybe a Linux box?) before you took over. As purely an OS X Server postfix person, I may therefore have missed something relevant that someone else may notice. Also, you appear to be running mailman, which is something else I do not have experience of (I don't know how it might change the postfix main.cf file). Otherwise there was nothing that really jumped out. My comments for what they are worth...

mydestination = $myhostname, localhost.$mydomain, mydomain.tv, mail.mydomain.tv, @mydomain.tv, localhost

I'm not sure what the "@mydomain.tv" is for?

myhostname = ns2.mydomain.tv

This will be the HELO name which your mail server uses to identify it to other mail servers. Ideally it should be the same as your MX record (and PTR record for your WAN IP). Possibly this should be "mail.mydomain.tv"? Mail Services uses the 'hostname' as set in Mail Services settings, not the 'real' dns hostname for the server - they don't really have to match.

mynetworks = lots of them...

Are these really all needed? In particular the 68.x.x.x IPs. Any mail coming from these IPs will be relayed by your server without any authentication due to the permit_mynetworks restriction so I presume that they are your remote offices and therefore very trusted. Even so, usually authentication is enforced instead of just trusting. Not sure what the two 127.x.x.x IPs are, presumably one is 127.0.0.1 (which always resolves to 'localhost'). The 192.168.1.159 is actually included within the 192.168.1.0/24 range.

smtpd_pw_server_security_options = plain,login

This allows external users (not otherwise in your 'mynetworks') to authenticate for relay. Generally, this should be set to at least CRAM-MD5 - plain & login are sent 'in the clear' and so are not really secure.

All in all, nothing really hit me (although there are several options there I have never seen before). From your earlier posts I doubt though whether you really want to start editing things, especially if other people are quite happy with what they have (no point in putting yourself up as a target).

So... back to your original question... "how can I tell if I have a spammer using me?". Since you have already checked your IP out with the spam blacklist sites and it is not there, that would suggest you are not getting used as a spam outlet - these sites are pretty quick to catch on. The only other way is to filter the mail.log for "status=sent" or "to=" and you will see all the incoming/outgoing mail. Depending on how busy your server is you should see a 'lot' of mail going out to different addresses within minutes of each other. If you are being used as a spam outlet then I would expect them to make hay while the sun shines and not just trickle it out a few at a time. In Console menu: File->Save A Copy, you can save a text copy of a log and either open it in a text editor or pipe it through grep for further filtering.

You also seem to have a 'catchall' account in use (luser_relay) which gets copies of all incoming/outgoing mail - this should also be getting copies of the spammers mail so check that for outgoing spam.

-david
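A small parser for the kind of mail.log lines quoted in this thread, added here as an example (it is not from the thread or from Postfix): it groups the smtp client's per-recipient lines by queue ID, flags old multi-recipient messages that are still deferred (the 'delay' field david reads as backscatter stuck in the queue), and counts distinct destination domains per minute for the "lots of mail to different addresses within minutes" check. The log sample is constructed; its domains and IPs are placeholders, and the thresholds are assumptions to tune per server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample shaped like the thread's mail.log excerpt (example.* domains, TEST-NET IPs):
# one old message fanned out to three recipients and still deferred, one fresh successful delivery.
SAMPLE_LOG = """\
Apr 21 03:12:12 ns2 postfix/smtp[1848]: 75272263FAD: to=<a@example.org>, relay=none, delay=60265, status=deferred (connect to mx.example.org[192.0.2.10]: Connection refused)
Apr 21 03:12:12 ns2 postfix/smtp[1854]: 75272263FAD: to=<b@example.net>, relay=none, delay=60265, status=deferred (connect to example.net[192.0.2.11]: Connection refused)
Apr 21 03:12:19 ns2 postfix/smtp[1856]: 75272263FAD: to=<c@example.com>, relay=none, delay=60272, status=deferred (Host or domain name not found)
Apr 21 03:12:42 ns2 postfix/smtp[1843]: 68EAF259EE6: to=<d@example.de>, relay=none, delay=219644, status=deferred (connect to mail.example.de[192.0.2.12]: Operation timed out)
Apr 21 03:13:01 ns2 postfix/smtp[1860]: 1A2B3C4D5E6: to=<staff@example.com>, relay=mx.example.com[192.0.2.20], delay=1, status=sent (250 Ok)
Apr 21 03:13:01 ns2 postfix/smtp[1848]: connect to mx.example.org[192.0.2.10]: Connection refused (port 25)
"""

# Per-recipient smtp client lines: "<queue-id>: to=<..>, relay=.., delay=.., status=..".
DELIVERY_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hm>\d\d:\d\d):\d\d \S+ postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), "
    r"delay=(?P<delay>[\d.]+), status=(?P<status>\w+)")

def parse_deliveries(log_text):
    """One dict per delivery attempt; 'connect to ...' noise lines do not match."""
    records = []
    for m in filter(None, map(DELIVERY_RE.match, log_text.splitlines())):
        r = m.groupdict()
        r["delay"] = float(r["delay"])
        r["domain"] = r["rcpt"].rpartition("@")[2].lower()
        records.append(r)
    return records

def summarize_by_queue_id(records):
    """Per queue ID: distinct recipients, status counts and the largest delay seen."""
    summary = defaultdict(lambda: {"recipients": set(), "status": Counter(), "max_delay": 0.0})
    for r in records:
        s = summary[r["qid"]]
        s["recipients"].add(r["rcpt"])
        s["status"][r["status"]] += 1
        s["max_delay"] = max(s["max_delay"], r["delay"])
    return dict(summary)

def stale_bulk_queue_ids(summary, min_recipients=3, min_age_s=3600):
    """Queue IDs fanned out to several recipients yet deferred for an hour or more (backscatter pattern)."""
    return sorted(q for q, s in summary.items() if len(s["recipients"]) >= min_recipients
                  and s["status"]["deferred"] and s["max_delay"] >= min_age_s)

def sent_domains_per_minute(records):
    """Distinct destination domains with status=sent per clock minute; a burst is the spam-outlet sign."""
    per_min = defaultdict(set)
    for r in records:
        if r["status"] == "sent":
            per_min[r["hm"]].add(r["domain"])
    return {k: len(v) for k, v in sorted(per_min.items())}
```

Feed it the text saved from Console (File->Save A Copy) instead of SAMPLE_LOG; a minute with dozens of unrelated domains, or many stale multi-recipient queue IDs, is what to look at first.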


