Solved

ubuntu hardy SPAM issue

Posted on 2013-02-04
555 Views
Last Modified: 2013-02-23
I have one person receiving a lot of non deliverable email messages.
They have been blocked via Barracuda and UCEProtect.

I created a block rule for Port 25 in my Cisco Router.  This is what is being blocked.
The MAC address is that of the router and the server.

[ACCESS_RULE]: IN=eth0 OUT= MAC=50:3d:e5:a2:40:d4:00:13:20:5c:d5:e7:08:00 SRC=192.x.x.10 DST=217.x.x.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49012 DF PROTO=TCP SPT=35962 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

How can I troubleshoot this to determine where the issue is coming from? No changes on the server. This started about a week ago.

Using Postfix
0
Question by:bmsjeff
14 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38854377
If this is a web server, my guess would be that it has been compromised and now tries to send spam to the world.
Check /var/log/mail.log, see who submits the messages.

Tamas
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38855351
Here is a part of the log (not sure what this tells me?):

Feb  5 09:39:01 myserver01 postfix/bounce[20672]: 14E5BC1F19: sender non-delivery notification: 673BDC1433
Feb  5 09:39:01 myserver01 postfix/qmgr[5146]: 14E5BC1F19: removed
Feb  5 09:39:01 myserver01 postfix/local[20674]: 673BDC1433: to=<thisisme@myemail.com>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Feb  5 09:39:01 myserver01 postfix/qmgr[5146]: 673BDC1433: removed
Feb  5 09:39:03 myserver01 postfix/smtp[20599]: connect to o.webmd.com[63.140.35.28]:25: Connection timed out
Feb  5 09:39:03 myserver01 postfix/smtp[20599]: D3C86C2A46: to=<nikkii.haggard@o.webmd.com>, relay=none, delay=335678, delays=335374/154/150/0, dsn=4.4.1, status=deferred (connect to o.webmd.com[63.140.35.28]:25: Connection timed out)
Feb  5 09:39:04 myserver01 postfix/smtp[20543]: D31F7C239D: host mailin-02.mx.aol.com[205.188.59.193] refused to talk to me: 554- (RTR:SC)  http://postmaster.info.aol.com/errors/554rtrsc.html 554  Connecting IP: xxx.xxx.xxx.xxx
Feb  5 09:39:05 myserver01 postfix/smtp[20618]: connect to answers.yahoo.com[216.115.110.119]:25: Connection timed out
Feb  5 09:39:05 myserver01 postfix/smtp[20618]: D0296C2618: to=<meetadmin@answers.yahoo.com>, relay=none, delay=410572, delays=410267/155/150/0, dsn=4.4.1, status=deferred (connect to answers.yahoo.com[216.115.110.119]:25: Connection timed out)
Feb  5 09:39:07 myserver01 postfix/smtp[20543]: D31F7C239D: host mailin-04.mx.aol.com[64.12.90.66] refused to talk to me: 554- (RTR:SC)  http://postmaster.info.aol.com/errors/554rtrsc.html 554  Connecting IP: xxx.xxx.xxx.xxx
Feb  5 09:39:12 myserver01 postfix/smtp[20566]: 069E9C2EB2: to=<ea_3tfaison@apsa.org>, relay=mail.apsa.org[173.13.88.187]:25, delay=324845, delays=324531/0.94/11/301, dsn=4.4.2, status=deferred (conversation with mail.apsa.org[173.13.88.187] timed out while sending RCPT TO)
Feb  5 09:39:17 myserver01 postfix/smtpd[20677]: warning: 209.54.32.182: hostname salesfrc.net verification failed: Name or service not known
Feb  5 09:39:17 myserver01 postfix/smtpd[20677]: connect from unknown[209.54.32.182]
Feb  5 09:39:18 myserver01 postfix/smtpd[20677]: NOQUEUE: reject: RCPT from unknown[209.54.32.182]: 554 5.7.1 Service unavailable; Client host [209.54.32.182] blocked using sbl.spamhaus.org; http://www.spamhaus.org/sbl/query/SBLCSS; from=<gfr@wootmerce.com> to=<thisisme@myemail.com> proto=ESMTP helo=<hfe182.wootmerce.com>
Feb  5 09:39:18 myserver01 postfix/smtpd[20677]: disconnect from unknown[209.54.32.182]
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38855556
Okay, so it looks like you are actually running a full-fledged mail server on your Ubuntu host?
In that case please describe your intended operation, and post a sanitized postfix config.
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38855652
I would like only authorized users to have the ability to send mail via SMTP. I want to block anything else.

Here is the "main.cf" file.  (I think this is what you are looking for)

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mymailserver.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mymailserver.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
#mailbox_command = procmail -a "$EXTENSION"
mailbox_command =
mailbox_size_limit = 0
message_size_limit = 51200000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org, permit
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38855733
Okay, so:
- you want users on the internal network to be able to send email out with smtp on this server?
- do you want authenticated users from the outside to be able to send to the world through this server?
- do you want to accept email from the outside for your own domain on this server?
- do you have a fully qualified domain name forward and reverse record for this server?
- do you actually own mymailserver.com?
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38855895
- you want users on the internal network to be able to send email out with smtp on this server?
YES

- do you want authenticated users from the outside to be able to send to the world through this server?
YES - i.e. when the internal users take their laptops home.

- do you want to accept email from the outside for your own domain on this server?
YES

- do you have a fully qualified domain name forward and reverse record for this server?
NOT SURE, how do I verify this?

- do you actually own mymailserver.com?
YES
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38855994
DNS forward and reverse:
You could run an nslookup on your mail server name, like
nslookup mail.mymailserver.com


and another nslookup on the IP you got back from the previous query, like
nslookup 1.2.3.4


which should give you back mail.mymailserver.com.

Can you post a few examples of those non-deliverable mail reports?
0
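The two nslookups above, plus the "PTR name resolves back to the same IP" check that receiving servers apply, as an added Python example (not TimotiSt's code and not part of the thread). The resolver functions are parameters so the same logic runs offline against constructed tables; `GOOD_*`, `ISP_*`, `audit_mail_host` and `table_resolvers` are names chosen here, and the addresses are documentation-range placeholders, not the asker's records.

```python
"""Forward-confirmed reverse DNS check for a mail server's announced hostname."""
import socket
import sys


def _default_forward(name):
    """A/AAAA lookup via the system resolver."""
    return socket.gethostbyname(name)


def _default_reverse(ip):
    """PTR lookup via the system resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def audit_mail_host(myhostname, forward=_default_forward, reverse=_default_reverse):
    """Return what the two nslookups establish, in one structure.

    forward(name) -> IP string, reverse(ip) -> PTR name or None. Both are
    injectable so the check can run against constructed tables offline."""
    name = myhostname.rstrip(".").lower()
    ip = forward(name)                        # nslookup mail.mymailserver.com
    ptr = reverse(ip)                         # nslookup <ip>
    ptr = ptr.rstrip(".").lower() if ptr else None
    ptr_ip = None
    if ptr:
        try:
            ptr_ip = forward(ptr)             # does the PTR name point back to this IP?
        except (socket.gaierror, KeyError):
            ptr_ip = None
    return {
        "hostname": name,
        "ip": ip,
        "ptr": ptr,
        "ptr_matches_banner": ptr == name,    # the 'Reverse DNS does not match SMTP Banner' test
        "fcrdns": ptr_ip == ip,               # PTR name resolves back to the same address
    }


# Constructed lookup tables (192.0.2.0/24 is a documentation range), not the asker's records.
GOOD_FORWARD = {"mail.mymailserver.com": "192.0.2.25"}
GOOD_REVERSE = {"192.0.2.25": "mail.mymailserver.com"}
# Shape of the thread's case: the PTR is the ISP's generic DSL name, not the mail host's name.
ISP_FORWARD = {"mymailserver.com": "192.0.2.25", "30-207.ded-dsl.example.net": "192.0.2.25"}
ISP_REVERSE = {"192.0.2.25": "30-207.ded-dsl.example.net"}


def table_resolvers(fwd, rev):
    """Build forward/reverse callables from dicts, for offline use."""
    return (lambda n: fwd[n], lambda ip: rev.get(ip))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_mail_host(sys.argv[1]))   # live lookup through the system resolver
    else:
        print(audit_mail_host("mymailserver.com", *table_resolvers(ISP_FORWARD, ISP_REVERSE)))
```

With the ISP-style tables the result has `fcrdns` true but `ptr_matches_banner` false, which is exactly the warning MXToolbox reports later in the thread: the PTR is consistent, it just does not carry the name the server announces in `smtpd_banner`. Fixing that means either having the ISP set the PTR to the mail host's name or setting `myhostname` to the name the PTR already carries.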
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 38856312
You have
>>>smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
However you also have
smtpd_tls_auth_only = no
Why is that?

Further, have you checked if your system is acting as an open relay? Check your server IP from the following links:
http://mxtoolbox.com/diagnostic.aspx
http://www.mailradar.com/openrelay/
http://www.checkor.com/

Sudeep
0
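The setting Sudeep's question points at, shown beside the relay policy it belongs with, as an added main.cf fragment (not the asker's file and not from this thread). The restriction list is the one already on the page; `smtpd_tls_auth_only = yes` is the change, and it assumes the TLS certificate and key settings the posted main.cf already has.

```ini
# main.cf fragment (added example). Relay policy as posted: only localhost and
# SASL-authenticated clients may send to domains this server is not responsible for;
# reject_unauth_destination is what keeps the host from being an open relay.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Weak setting from the posted config: AUTH is offered on a plain connection, so a
# user's password crosses port 25 in clear text unless the client chose STARTTLS.
#smtpd_tls_auth_only = no
# Tightened: AUTH is only offered after STARTTLS.
smtpd_tls_auth_only = yes
```

After editing, `postconf -n | grep smtpd_tls_auth_only` shows the effective value and `postfix reload` applies it. Roaming users' mail clients then have to be set to use STARTTLS before authenticating, which is what they should be doing anyway.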
 
LVL 14

Author Comment

by:bmsjeff
ID: 38856401
Using easydns.com.
The MX record is pointing to mymailserver.com

C:\Users\Me>nslookup xxx.xxx.xxx.xxx
Server:  dsldns-in.embarqhsd.net
Address:  67.235.xxx.xxx

Name:    30.207.xxx.xxx.DED-DSL.fuse.net
Address:  xxx.xxx.xxx.xxx

C:\Users\Me>nslookup mymailserver.com
Server:  dsldns-in.embarqhsd.net
Address:  67.235.xxx.xxx

Non-authoritative answer:
Name:    mymailserver.com
Address:  xxx.xxx.xxx.xxx

I will get you the non-deliverable reports.
Everything has worked fine for years; the problem just started in the last 3 weeks.
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38856848
Sudeep - I don't know. I am a newbie at this.

Mailradar gives me:
Port 25 is Closed at xxx.xxx.xxx.xxx
Test aborted.

MXToolbox gives me all checks, except for:
SMTP Reverse DNS Mismatch       Warning - Reverse DNS does not match SMTP Banner
0
 
LVL 30

Accepted Solution

by:Sudeep Sharma (earned 500 total points)
ID: 38857155
Your system is not an open relay. So that's good news.

From the logs you have posted it is not very clear which user has the issue, since it is just a dump of the logs.

Try to tail the logs and grep the user who has the issue.

tail -f /var/log/mail.log | grep 'to=<user@domain.com>'
0
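TimotiSt's first advice ("see who submits the messages") and Sudeep's grep both come down to correlating lines that share a queue ID, which a grep on `to=` alone does not do. Here is an added Python example (not from either expert and not from the thread) that joins the `smtpd client=` / `pickup uid=` line, the `qmgr from=` line, the delivery `status=` lines and the `bounce` line of each queue ID, so that the origin of the deferred mail is visible. The sample log is constructed in the same format as the thread's excerpts with documentation-range hosts; `correlate`, `summarize_by_origin`, `deliveries_to` and `backscatter_bounces` are names chosen here.

```python
"""Correlate Postfix mail.log entries by queue ID to show who submitted each message."""
import re
import sys
from collections import defaultdict

# Constructed sample log (not the asker's data): one SASL-authenticated submission,
# one local hand-in by the web server's uid, one bounce generated by this host,
# one inbound message from an unknown client, and one RBL rejection.
SAMPLE_LOG = """\
Feb  6 13:30:01 myserver01 postfix/smtpd[13001]: 1A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=jsmith
Feb  6 13:30:01 myserver01 postfix/qmgr[5146]: 1A2B3C4D5E: from=<jsmith@mymailserver.com>, size=2048, nrcpt=2 (queue active)
Feb  6 13:30:02 myserver01 postfix/smtp[13010]: 1A2B3C4D5E: to=<one@deferred.example>, relay=none, delay=60, delays=59/0.5/0.5/0, dsn=4.4.1, status=deferred (connect to deferred.example[198.51.100.7]:25: Connection timed out)
Feb  6 13:30:02 myserver01 postfix/smtp[13010]: 1A2B3C4D5E: to=<two@deferred.example>, relay=none, delay=60, delays=59/0.5/0.5/0, dsn=4.4.1, status=deferred (connect to deferred.example[198.51.100.7]:25: Connection timed out)
Feb  6 13:30:03 myserver01 postfix/pickup[5140]: 2F3E4D5C6B: uid=33 from=<www-data>
Feb  6 13:30:03 myserver01 postfix/qmgr[5146]: 2F3E4D5C6B: from=<www-data@mymailserver.com>, size=900, nrcpt=1 (queue active)
Feb  6 13:30:04 myserver01 postfix/smtp[13011]: 2F3E4D5C6B: to=<victim@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.10] said: 554 5.7.1 rejected (in reply to RCPT TO command))
Feb  6 13:30:04 myserver01 postfix/bounce[13020]: 2F3E4D5C6B: sender non-delivery notification: 3A4B5C6D7E
Feb  6 13:30:04 myserver01 postfix/qmgr[5146]: 3A4B5C6D7E: from=<>, size=2500, nrcpt=1 (queue active)
Feb  6 13:30:04 myserver01 postfix/local[13021]: 3A4B5C6D7E: to=<www-data@mymailserver.com>, relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:30:05 myserver01 postfix/smtpd[13002]: 4C5D6E7F8A: client=unknown[192.0.2.200]
Feb  6 13:30:05 myserver01 postfix/qmgr[5146]: 4C5D6E7F8A: from=<forged@elsewhere.example>, size=700, nrcpt=1 (queue active)
Feb  6 13:30:05 myserver01 postfix/local[13021]: 4C5D6E7F8A: to=<thisisme@mymailserver.com>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:30:06 myserver01 postfix/smtpd[13002]: NOQUEUE: reject: RCPT from unknown[192.0.2.201]: 554 5.7.1 Service unavailable; Client host [192.0.2.201] blocked using sbl.spamhaus.org; from=<x@spam.example> to=<thisisme@mymailserver.com> proto=ESMTP helo=<spam.example>
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+|NOQUEUE): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=(?P<client>\S+?)(?:,|$)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>")
FROM_RE = re.compile(r"from=<(?P<from>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<to>[^>]*)>.*status=(?P<status>\w+)")
BOUNCE_RE = re.compile(r"sender non-delivery notification: (?P<bounce_qid>[0-9A-F]+)")
DELIVERY_AGENTS = ("smtp", "local", "virtual", "lmtp", "pipe")


def correlate(log_text):
    """Group log lines by queue ID: who handed the message in, its envelope sender,
    every delivery attempt with its status, and any bounce this host generated."""
    msgs = defaultdict(lambda: {"origin": None, "sender": None, "deliveries": [], "bounces": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("qid") == "NOQUEUE":      # rejected before queueing: no message to track
            continue
        prog, rest, msg = m.group("prog"), m.group("rest"), msgs[m.group("qid")]
        if prog == "smtpd":                            # network submission: SASL user or bare client
            c, s = CLIENT_RE.search(rest), SASL_RE.search(rest)
            if c:
                msg["origin"] = ("sasl:" + s.group("user")) if s else ("client:" + c.group("client"))
        elif prog == "pickup":                         # local hand-in via sendmail(1), e.g. a web app
            p = PICKUP_RE.search(rest)
            if p:
                msg["origin"] = "local-uid:" + p.group("uid")
        elif prog == "qmgr":
            f = FROM_RE.search(rest)
            if f:
                msg["sender"] = f.group("from")
        elif prog == "bounce":
            b = BOUNCE_RE.search(rest)
            if b:
                msg["bounces"].append(b.group("bounce_qid"))
        t = TO_RE.search(rest)
        if t and prog in DELIVERY_AGENTS:
            msg["deliveries"].append((t.group("to"), t.group("status")))
    return dict(msgs)


def summarize_by_origin(msgs):
    """Per submitting origin: message count and how many deliveries were deferred, bounced or sent."""
    counts = defaultdict(lambda: {"messages": 0, "deferred": 0, "bounced": 0, "sent": 0})
    for msg in msgs.values():
        origin = msg["origin"] or "unknown"            # unknown = queued internally, e.g. a bounce
        counts[origin]["messages"] += 1
        for _, status in msg["deliveries"]:
            if status in counts[origin]:
                counts[origin][status] += 1
    return dict(counts)


def deliveries_to(msgs, address):
    """The grep on to=<address>, but returning queue IDs so the origin can be looked up."""
    return sorted(qid for qid, m in msgs.items() if any(to == address for to, _ in m["deliveries"]))


def backscatter_bounces(msgs):
    """Queue IDs for which this server generated a non-delivery notification, and the bounce's ID."""
    return {qid: m["bounces"] for qid, m in msgs.items() if m["bounces"]}


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()   # e.g. grep postfix /var/log/mail.log | python3 this.py
    msgs = correlate(text)
    for origin, c in sorted(summarize_by_origin(msgs).items()):
        print(f"{origin:40s} {c}")
    print("bounces generated by this host:", backscatter_bounces(msgs))
```

Reading the summary is the diagnosis: a pile of deferred deliveries under a `sasl:` origin points to a user's password being used from outside, under a `local-uid:` origin to a process on the box (a web application handing mail to `sendmail`), and a pile of bounces with no origin of their own means the server is generating non-delivery notifications for mail it accepted earlier, which is what fills the local user's mailbox in the thread.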
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38858812
>>>I created a block rule for Port 25 in my Cisco Router.  This is what is being blocked.
>>>The MAC address is that of the router and the server.
If he shut down port 25, it won't be detected as an open relay at the moment, but it can't stay like this for long if he wants to use it.
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38860857
Here it is:
mylogin@myserver01:~$ sudo tail -f /var/log/mail.log | grep to=

Feb  6 13:35:08 myserver01 postfix/smtp[13212]: 9E29C4D575: to=<cigars@ersecorvo.com>, relay=none, delay=168650, delays=168580/9.8/60/0, dsn=4.4.1, status=deferred (connect to ersecorvo.com[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:09 myserver01 postfix/smtp[13171]: 3B878C2B44: to=<jfultz@data.cmcore.com>, relay=none, delay=436154, delays=436084/40/30/0, dsn=4.4.1, status=deferred (connect to data.cmcore.com[199.255.33.45]:25: Connection timed out)
Feb  6 13:35:09 myserver01 postfix/local[13229]: 3786A4D426: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:13 myserver01 postfix/smtp[13128]: D4A5FC1879: to=<jaybusbygryt@gutel.com>, relay=none, delay=162455, delays=162380/43/31/0, dsn=4.4.1, status=deferred (connect to gutel.com[211.106.65.112]:25: Connection timed out)
Feb  6 13:35:15 myserver01 postfix/smtp[13222]: 943DBC2E16: to=<wood-biz@suichi.info>, relay=none, delay=426021, delays=425945/16/60/0, dsn=4.4.1, status=deferred (connect to suichi.info[69.16.143.70]:25: Connection timed out)
Feb  6 13:35:25 myserver01 postfix/smtp[13224]: DA48AC169C: to=<s28d642ohpc63@corp.supernews.com>, relay=none, delay=165106, delays=165020/56/30/0, dsn=4.4.1, status=deferred (connect to corp.supernews.com[216.168.3.44]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13130]: D9A13C15FC: to=<mbogart@a1.interclick.com>, relay=none, delay=165286, delays=165196/60/30/0, dsn=4.4.1, status=deferred (connect to a1.interclick.com[74.122.143.72]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13132]: D66074D7E5: to=<glazetd@eudict.com>, relay=none, delay=165328, delays=165237/60/30/0, dsn=4.4.1, status=deferred (connect to eudict.com[216.70.108.87]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13139]: DA212C2B8D: to=<kelsy@msnbc.msn.com>, relay=none, delay=434768, delays=434677/60/30/0, dsn=4.4.1, status=deferred (connect to msnbc.msn.com[65.55.53.235]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/local[13229]: 625CD4D42B: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.03, delays=0.03/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:29 myserver01 postfix/smtp[13143]: DE7D64D69C: to=<pyrexgo79@proracingsimtv.com>, relay=none, delay=178660, delays=178569/60/30/0, dsn=4.4.1, status=deferred (connect to mail.proracingsimtv.com[216.37.76.2]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13151]: 0767AC1415: to=<jparker@mail.aol.com>, relay=none, delay=182434, delays=182343/0.85/90/0, dsn=4.4.1, status=deferred (connect to mail.aol.com[205.188.16.149]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13131]: D0AA7C14CB: to=<states@secure.ian.com>, relay=none, delay=171991, delays=171901/60/30/0, dsn=4.4.1, status=deferred (connect to secure.ian.com[216.251.126.131]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13149]: DEE2AC2B4E: to=<homes@valeries.com>, relay=none, delay=436182, delays=436091/60/30/0, dsn=4.4.1, status=deferred (connect to valeries.com[82.98.86.167]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13138]: DF180C2D8D: to=<ekinder@uid.shoplocal.com>, relay=none, delay=427266, delays=427175/60/30/0, dsn=4.4.1, status=deferred (connect to uid.shoplocal.com[167.8.225.33]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13152]: DB428C2BB9: to=<hjones@rslusa.com>, relay=none, delay=435104, delays=435013/61/30/0, dsn=4.4.1, status=deferred (connect to rslusa.com[208.91.196.50]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/local[13229]: CA1554D42F: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.03, delays=0.03/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:29 myserver01 postfix/local[13229]: D1A614D42D: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.03, delays=0.02/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:29 myserver01 postfix/smtp[13136]: DE305C2C79: to=<faustinonelson_zx@pnte.cfnavarra.es>, relay=none, delay=434576, delays=434485/60/31/0, dsn=4.4.1, status=deferred (connect to aralar.pnte.cfnavarra.es[195.76.216.3]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/local[13229]: EC2764D42F: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.02, delays=0.02/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:30 myserver01 postfix/smtp[13165]: 923A9C1523: to=<searches@villamalgae.com>, relay=none, delay=171968, delays=171877/31/60/0, dsn=4.4.1, status=deferred (connect to villamalgae.com[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:30 myserver01 postfix/smtp[13162]: 95CD4C5666: to=<jpb1143@students.pjc.edu>, relay=none, delay=412817, delays=412725/31/60/0, dsn=4.4.1, status=deferred (connect to students.pjc.edu[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:30 myserver01 postfix/smtp[13179]: 9FCA14D776: to=<john_hanley@bxadycorp.com>, relay=none, delay=170755, delays=170664/31/60/0, dsn=4.4.1, status=deferred (connect to bxadycorp.com[69.16.143.70]:25: Connection timed out)
Feb  6 13:35:30 myserver01 postfix/smtp[13174]: 6F9A7C2BA7: to=<cwanish@media.gsimedia.net>, relay=none, delay=435200, delays=435108/1.3/90/0, dsn=4.4.1, status=deferred (connect to media.gsimedia.net[74.217.59.19]:25: Connection timed out)
Feb  6 13:35:30 myserver01 postfix/local[13229]: 6AC0E4D432: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.02, delays=0.02/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:30 myserver01 postfix/smtp[13158]: 9B46E4DA6F: to=<k_muraj_ia@nedllc.mo>, relay=none, delay=165953, delays=165862/31/60/0, dsn=4.4.1, status=deferred (connect to nedllc.mo[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:30 myserver01 postfix/smtp[13147]: DD5074D9AA: to=<dtdtiy@english.ivsz.hu>, relay=none, delay=178867, delays=178775/60/31/0, dsn=4.4.1, status=deferred (connect to english.ivsz.hu[84.2.39.122]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13189]: 9168CC2E30: to=<expert@gladefern.com>, relay=none, delay=425965, delays=425873/32/60/0, dsn=4.4.1, status=deferred (connect to gladefern.com[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13201]: 9C6F9C2EA3: to=<diafrate@1031helpcenter.com>, relay=none, delay=425467, delays=425375/32/60/0, dsn=4.4.1, status=deferred (connect to 1031helpcenter.com[69.16.143.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13209]: 9F9E1C2BED: to=<kara@at.atwola.com>, relay=none, delay=434993, delays=434900/32/60/0, dsn=4.4.1, status=deferred (connect to at.atwola.com[64.236.144.246]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13211]: 32C81C18D0: to=<matt.eckler@firstunion.com>, relay=none, delay=162453, delays=162361/32/60/0, dsn=4.4.1, status=deferred (connect to firstunion.com[151.151.88.101]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/local[13229]: 3EC334D436: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.05, delays=0.05/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:31 myserver01 postfix/smtp[13192]: 393F4C2EF2: to=<emailreed.kyrk@comcast.netr>, relay=none, delay=425228, delays=425136/32/60/0, dsn=4.4.1, status=deferred (connect to comcast.netr[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13205]: 3DEFAC1A6E: to=<linda.kohler@cbdfw.comy>, relay=none, delay=162270, delays=162178/32/60/0, dsn=4.4.1, status=deferred (connect to cbdfw.comy[69.16.143.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13223]: 3AA3BC2C0A: to=<kseno@chkcnt.edu>, relay=none, delay=434928, delays=434836/32/60/0, dsn=4.4.1, status=deferred (connect to chkcnt.edu[69.16.143.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13193]: 3A37CC1DD4: to=<bonita.a.pollard@onemoremail.net>, relay=none, delay=160585, delays=160492/32/60/0, dsn=4.4.1, status=deferred (connect to onemoremail.net[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/local[13229]: 6F7084D43B: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.04, delays=0.04/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:31 myserver01 postfix/smtp[13198]: 3D3964DAED: to=<customerservice@kettehttp.info>, relay=none, delay=162559, delays=162466/33/60/0, dsn=4.4.1, status=deferred (connect to kettehttp.info[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:32 myserver01 postfix/smtp[13125]: 3C211C1760: to=<mita7770@gmail.co>, relay=none, delay=162548, delays=162455/33/60/0, dsn=4.4.1, status=deferred (connect to gmail.co[74.125.228.54]:25: Connection timed out)
Feb  6 13:35:32 myserver01 postfix/smtp[13207]: 35733C2C95: to=<lynnettecristy@gartmore.com>, relay=none, delay=429944, delays=429851/33/60/0, dsn=4.4.1, status=deferred (connect to decommissioned.blackh0le.com[66.152.109.70]:25: Connection timed out)
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38860867
p.s.
None of the above emails were actually sent by a user.
0
