Solved

ubuntu hardy SPAM issue

Posted on 2013-02-04
14
541 Views
Last Modified: 2013-02-23
I have one person receiving a lot of non-deliverable email messages.
They have been blocked via Barracuda and UCEProtect.

I created a block rule for Port 25 in my Cisco Router.  This is what is being blocked.
The MAC address is that of the router and the server.

[ACCESS_RULE]: IN=eth0 OUT= MAC=50:3d:e5:a2:40:d4:00:13:20:5c:d5:e7:08:00 SRC=192.x.x.10 DST=217.x.x.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49012 DF PROTO=TCP SPT=35962 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

How can I troubleshoot this to determine where the issue is coming from?  No changes on the server.  This started about a week ago.

Using Postfix
0
Comment
Question by:bmsjeff
14 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38854377
If this is a web server, my guess would be that it has been compromised and now tries to send spam to the world.
Check /var/log/mail.log, see who submits the messages.

Tamas
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38855351
Here is a part of the log: (not sure what this tells me?)

Feb  5 09:39:01 myserver01 postfix/bounce[20672]: 14E5BC1F19: sender non-delivery notification: 673BDC1433
Feb  5 09:39:01 myserver01 postfix/qmgr[5146]: 14E5BC1F19: removed
Feb  5 09:39:01 myserver01 postfix/local[20674]: 673BDC1433: to=<thisisme@myemail.com>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Feb  5 09:39:01 myserver01 postfix/qmgr[5146]: 673BDC1433: removed
Feb  5 09:39:03 myserver01 postfix/smtp[20599]: connect to o.webmd.com[63.140.35.28]:25: Connection timed out
Feb  5 09:39:03 myserver01 postfix/smtp[20599]: D3C86C2A46: to=<nikkii.haggard@o.webmd.com>, relay=none, delay=335678, delays=335374/154/150/0, dsn=4.4.1, status=deferred (connect to o.webmd.com[63.140.35.28]:25: Connection timed out)
Feb  5 09:39:04 myserver01 postfix/smtp[20543]: D31F7C239D: host mailin-02.mx.aol.com[205.188.59.193] refused to talk to me: 554- (RTR:SC)  http://postmaster.info.aol.com/errors/554rtrsc.html 554  Connecting IP: xxx.xxx.xxx.xxx
Feb  5 09:39:05 myserver01 postfix/smtp[20618]: connect to answers.yahoo.com[216.115.110.119]:25: Connection timed out
Feb  5 09:39:05 myserver01 postfix/smtp[20618]: D0296C2618: to=<meetadmin@answers.yahoo.com>, relay=none, delay=410572, delays=410267/155/150/0, dsn=4.4.1, status=deferred (connect to answers.yahoo.com[216.115.110.119]:25: Connection timed out)
Feb  5 09:39:07 myserver01 postfix/smtp[20543]: D31F7C239D: host mailin-04.mx.aol.com[64.12.90.66] refused to talk to me: 554- (RTR:SC)  http://postmaster.info.aol.com/errors/554rtrsc.html 554  Connecting IP: xxx.xxx.xxx.xxx
Feb  5 09:39:12 myserver01 postfix/smtp[20566]: 069E9C2EB2: to=<ea_3tfaison@apsa.org>, relay=mail.apsa.org[173.13.88.187]:25, delay=324845, delays=324531/0.94/11/301, dsn=4.4.2, status=deferred (conversation with mail.apsa.org[173.13.88.187] timed out while sending RCPT TO)
Feb  5 09:39:17 myserver01 postfix/smtpd[20677]: warning: 209.54.32.182: hostname salesfrc.net verification failed: Name or service not known
Feb  5 09:39:17 myserver01 postfix/smtpd[20677]: connect from unknown[209.54.32.182]
Feb  5 09:39:18 myserver01 postfix/smtpd[20677]: NOQUEUE: reject: RCPT from unknown[209.54.32.182]: 554 5.7.1 Service unavailable; Client host [209.54.32.182] blocked using sbl.spamhaus.org; http://www.spamhaus.org/sbl/query/SBLCSS; from=<gfr@wootmerce.com> to=<thisisme@myemail.com> proto=ESMTP helo=<hfe182.wootmerce.com>
Feb  5 09:39:18 myserver01 postfix/smtpd[20677]: disconnect from unknown[209.54.32.182]
0
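Added example, not from any poster in this thread: a small Python script that does what TimotiSt suggests with the log above, grouping mail.log lines by queue ID so that each delivery attempt is tied back to whoever injected the message. Postfix records the injection point in one of two places: a pickup line with a uid for mail handed to sendmail(1) locally (uid 33 is www-data on Debian/Ubuntu, which is what a compromised web script looks like), or an smtpd client line, with or without sasl_username, for mail that arrived over SMTP. The log lines, queue IDs, names and addresses below are constructed for the example.

```python
"""Attribute Postfix queue entries to whoever injected them, then summarise
delivery outcomes per origin.  Added example; the log below is constructed."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample (not the poster's log): two messages injected locally by
# uid 33, one SASL-authenticated submission, and the resulting delivery attempts.
SAMPLE_LOG = """\
Feb  6 13:30:01 myserver01 postfix/pickup[5140]: 9E29C4D575: uid=33 from=<www-data>
Feb  6 13:30:01 myserver01 postfix/qmgr[5146]: 9E29C4D575: from=<www-data@mymailserver.com>, size=2310, nrcpt=1 (queue active)
Feb  6 13:30:02 myserver01 postfix/pickup[5140]: 3B878C2B44: uid=33 from=<www-data>
Feb  6 13:30:02 myserver01 postfix/qmgr[5146]: 3B878C2B44: from=<www-data@mymailserver.com>, size=2315, nrcpt=1 (queue active)
Feb  6 13:31:10 myserver01 postfix/smtpd[13000]: C0FFEE0001: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice
Feb  6 13:31:10 myserver01 postfix/qmgr[5146]: C0FFEE0001: from=<alice@mymailserver.com>, size=1800, nrcpt=1 (queue active)
Feb  6 13:35:08 myserver01 postfix/smtp[13212]: 9E29C4D575: to=<cigars@example.net>, relay=none, delay=168650, delays=168580/9.8/60/0, dsn=4.4.1, status=deferred (connect to example.net[192.0.2.10]:25: Connection timed out)
Feb  6 13:35:09 myserver01 postfix/smtp[13171]: 3B878C2B44: to=<jfultz@example.org>, relay=none, delay=436154, delays=436084/40/30/0, dsn=4.4.1, status=deferred (connect to example.org[192.0.2.11]:25: Connection timed out)
Feb  6 13:35:11 myserver01 postfix/smtp[13180]: C0FFEE0001: to=<bob@example.com>, relay=mail.example.com[192.0.2.25]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# syslog prefix, daemon name (optionally master.cf instance/daemon), queue ID, rest
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ postfix/(?:[\w-]+/)?(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
PICKUP_RE = re.compile(r"uid=(\d+) from=<([^>]*)>")
CLIENT_RE = re.compile(r"client=(\S+?)(?:,|\s|$)")
SASL_RE = re.compile(r"sasl_username=(\S+?)(?:,|\s|$)")
DELIVERY_RE = re.compile(r"to=<([^>]*)>, relay=(\S+), .*?dsn=(\S+), status=(\w+)")


def parse_log(text):
    """Group lines by queue ID: who injected the message and every delivery attempt."""
    records = defaultdict(lambda: {"origin": None, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # NOQUEUE rejects, warnings etc. carry no queue ID
        daemon, qid, rest = m.groups()
        rec = records[qid]
        if daemon == "pickup":  # handed to sendmail(1) on the box itself
            p = PICKUP_RE.search(rest)
            if p:
                rec["origin"] = f"local uid={p.group(1)} from=<{p.group(2)}>"
        elif daemon == "smtpd":  # arrived over SMTP
            c = CLIENT_RE.search(rest)
            if c:
                u = SASL_RE.search(rest)
                auth = f" sasl_username={u.group(1)}" if u else " (unauthenticated)"
                rec["origin"] = f"smtpd client={c.group(1)}{auth}"
        elif daemon in ("smtp", "local", "virtual", "lmtp", "error"):
            d = DELIVERY_RE.search(rest)
            if d:
                rec["deliveries"].append(
                    {"to": d.group(1), "relay": d.group(2), "dsn": d.group(3), "status": d.group(4)})
    return dict(records)


def summarise(records):
    """Per origin: delivery attempts, how many were deferred, recipient domains."""
    out = {}
    for rec in records.values():
        origin = rec["origin"] or "unknown (injection line outside this log window)"
        s = out.setdefault(origin, {"attempts": 0, "deferred": 0, "domains": Counter()})
        for d in rec["deliveries"]:
            s["attempts"] += 1
            if d["status"] == "deferred":
                s["deferred"] += 1
            s["domains"][d["to"].rpartition("@")[2].lower()] += 1
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for origin, s in summarise(parse_log(text)).items():
        print(f"{origin}: {s['attempts']} attempts, {s['deferred']} deferred, "
              f"{len(s['domains'])} recipient domains")
```

Run it against /var/log/mail.log (and the rotated mail.log.1, since the injection line for a message that has been deferred for days is usually in an older file). A large deferred count under one "local uid=" origin points at a script running as that user; a large count under one sasl_username points at a stolen password; an "unauthenticated" smtpd origin with outside recipients would mean relaying that the restrictions should have rejected.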
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38855556
Okay, so it looks like you are actually running a full-fledged mail server on your ubuntu host?
In that case please describe your intended operation, and post a sanitized postfix config.
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38855652
I would like only authorized users to have the ability to send mail via SMTP.  I want to block anything else.  

Here is the "main.cf" file.  (I think this is what you are looking for)

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mymailserver.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mymailserver.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
#mailbox_command = procmail -a "$EXTENSION"
mailbox_command =
mailbox_size_limit = 0
message_size_limit = 51200000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org, permit
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38855733
Okay, so:
- you want users on the internal network to be able to send email out with smtp on this server?
- do you want authenticated users from the outside to be able to send to the world through this server?
- do you want to accept email from the outside for your own domain on this server?
- do you have a fully qualified domain name forward and reverse record for this server?
- do you actually own mymailserver.com?
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38855895
- you want users on the internal network to be able to send email out with smtp on this server?
YES

- do you want authenticated users from the outside to be able to send to the world through this server?
YES - i.e. when the internal users take their laptops home.

- do you want to accept email from the outside for your own domain on this server?
YES

- do you have a fully qualified domain name forward and reverse record for this server?
NOT SURE, how do I verify this?

- do you actually own mymailserver.com?
YES
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38855994
DNS forward and reverse:
You could run an nslookup on your mail server name, like
nslookup mail.mymailserver.com


and another nslookup on the IP you got back from the previous query, like
nslookup 1.2.3.4


which should give you back mail.mymailserver.com.

Can you post a few examples of those non-deliverable mail reports?
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 38856312
You have
>>>smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
However you also have
smtpd_tls_auth_only = no
Why is that?

Further, have you checked if your system is acting as an open relay? Check your server IP from the following links:
http://mxtoolbox.com/diagnostic.aspx
http://www.mailradar.com/openrelay/
http://www.checkor.com/

Sudeep
0
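Added example, not from any poster in this thread: a static check of the main.cf posted above for the two points Sudeep raises, whether the restrictions allow relaying and why smtpd_tls_auth_only = no matters. It reads a constructed excerpt of the poster's settings (plus a deliberately bad variant for comparison) and applies what Postfix actually does: the restriction list is evaluated left to right and stops at the first permit or reject, so relaying is closed only if reject_unauth_destination comes before any unconditional permit and mynetworks is narrow; and with smtpd_sasl_auth_enable = yes but smtpd_tls_auth_only = no, AUTH is announced on plaintext sessions, so a client can send its password in the clear. The remote open-relay testers linked above probe from outside; this checks the configuration itself.

```python
"""Static checks of a Postfix main.cf: open relay and SASL-without-TLS.
Added example; the excerpts below are constructed."""
import ipaddress
import re

# Constructed excerpt: a handful of the settings from the main.cf in this thread.
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, permit
"""

# Constructed bad variant: the guard is present but mynetworks trusts everyone.
OPEN_RELAY_MAIN_CF = """\
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""

# Restrictions that take the next token as an argument.
ARG_RESTRICTIONS = {
    "reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender",
    "reject_rhsbl_helo", "reject_rhsbl_reverse_client",
    "check_client_access", "check_sender_access", "check_recipient_access",
    "check_helo_access", "check_policy_service",
}


def parse_main_cf(text):
    """Minimal main.cf reader: key = value lines, '#' comments, no continuations."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def restriction_list(value):
    """Split a restriction list into items, keeping arguments with their restriction."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        if tokens[i] in ARG_RESTRICTIONS and i + 1 < len(tokens):
            items.append(f"{tokens[i]} {tokens[i + 1]}")
            i += 2
        else:
            items.append(tokens[i])
            i += 1
    return items


def audit(cfg):
    """Return a list of findings (empty list means nothing flagged)."""
    findings = []
    # smtpd_relay_restrictions (Postfix 2.10+) governs relaying when set;
    # older releases, such as the one on hardy, rely on smtpd_recipient_restrictions.
    value = cfg.get("smtpd_relay_restrictions") or cfg.get("smtpd_recipient_restrictions", "")
    names = [item.split()[0] for item in restriction_list(value)]
    guard = next((i for i, n in enumerate(names)
                  if n in ("reject_unauth_destination", "defer_unauth_destination")), None)
    if guard is None:
        findings.append("open relay: no reject_unauth_destination in relay/recipient restrictions")
    elif "permit" in names[:guard]:
        findings.append("open relay: unconditional 'permit' precedes reject_unauth_destination")
    # permit_mynetworks is only as safe as mynetworks.
    for net in re.split(r"[\s,]+", cfg.get("mynetworks", "")):
        if not net:
            continue
        try:
            n = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(f"mynetworks: cannot parse {net!r} (lookup table or typo); review by hand")
            continue
        if n.prefixlen == 0 or not (n.is_private or n.is_loopback):
            findings.append(f"open relay: mynetworks trusts public range {net} via permit_mynetworks")
    # AUTH announced on plaintext sessions lets credentials cross the wire in clear.
    if cfg.get("smtpd_sasl_auth_enable") == "yes" and cfg.get("smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes': SASL AUTH is offered before STARTTLS")
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_MAIN_CF), ("bad variant", OPEN_RELAY_MAIN_CF)):
        print(label, audit(parse_main_cf(text)) or ["no findings"])
```

On the posted settings the only finding is the smtpd_tls_auth_only one, which matches Sudeep's reading: the relay guard is in place, but roaming users authenticating from home without TLS can have their credentials sniffed, and a captured credential then passes permit_sasl_authenticated. The check is deliberately narrow; a real audit would also read master.cf for the submission service and any per-service overrides.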
 
LVL 14

Author Comment

by:bmsjeff
ID: 38856401
Using easydns.com.
The MX record is pointing to mymailserver.com

C:\Users\Me>nslookup xxx.xxx.xxx.xxx
Server:  dsldns-in.embarqhsd.net
Address:  67.235.xxx.xxx

Name:    30.207.xxx.xxx.DED-DSL.fuse.net
Address:  xxx.xxx.xxx.xxx

C:\Users\Me>nslookup mymailserver.com
Server:  dsldns-in.embarqhsd.net
Address:  67.235.xxx.xxx

Non-authoritative answer:
Name:    mymailserver.com
Address:  xxx.xxx.xxx.xxx

I will get you the non-deliverable reports.
Everything has worked fine for years; the problem just started in the last 3 weeks.
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38856848
Sudeep - I don't know.  I am a newbie at this.

Mailradar gives me:
Port 25 is Closed at xxx.xxx.xxx.xxx
Test aborted.

MXToolbox gives me all checks, except for:
SMTP Reverse DNS Mismatch       Warning - Reverse DNS does not match SMTP Banner
0
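Added example, not from any poster in this thread: the forward/reverse check TimotiSt describes, written as a function so it can be run against a constructed set of DNS records offline and then against live DNS with the same code. It walks the chain banner name, then A record, then PTR of that address, then A record of the PTR name, and reports where it breaks. The case the MXToolbox warning above describes is the "banner-mismatch" outcome: the address does reverse to a name that resolves back (so forward-confirmed reverse DNS holds), but that name is the ISP's generic DSL hostname rather than the name in smtpd_banner. All names and addresses in the fake tables are made up (documentation ranges and .invalid names).

```python
"""Forward-confirmed reverse DNS check for a mail server's banner name.
Added example; the lookup tables below are constructed, not real records."""
import socket

# Constructed records for offline use.
FAKE_A = {
    "mymailserver.com": "192.0.2.10",
    "30-207.ded-dsl.isp.invalid": "192.0.2.10",  # ISP-style generic PTR name that resolves back
    "mail.example.net": "192.0.2.20",
    "orphan.example.org": "192.0.2.30",          # has an A record but no PTR
}
FAKE_PTR = {
    "192.0.2.10": "30-207.ded-dsl.isp.invalid",
    "192.0.2.20": "mail.example.net",
}


def fake_resolve_a(name):
    return FAKE_A[name]  # KeyError stands in for NXDOMAIN


def fake_resolve_ptr(ip):
    return FAKE_PTR[ip]


def live_resolve_a(name):
    return socket.gethostbyname(name)


def live_resolve_ptr(ip):
    return socket.gethostbyaddr(ip)[0]


def check_fcrdns(banner_host, resolve_a=live_resolve_a, resolve_ptr=live_resolve_ptr):
    """Return (status, detail); status is one of no-a, no-ptr, no-fcrdns, banner-mismatch, ok."""
    try:
        ip = resolve_a(banner_host)
    except (socket.gaierror, KeyError):
        return "no-a", f"{banner_host} has no A record"
    try:
        ptr = resolve_ptr(ip).rstrip(".").lower()
    except (socket.herror, KeyError):
        return "no-ptr", f"{ip} has no PTR record"
    try:
        back = resolve_a(ptr)
    except (socket.gaierror, KeyError):
        return "no-fcrdns", f"PTR name {ptr} does not resolve back at all"
    if back != ip:
        return "no-fcrdns", f"PTR name {ptr} resolves to {back}, not {ip}"
    if ptr != banner_host.lower():
        return "banner-mismatch", f"{ip} reverses to {ptr}; banner/HELO says {banner_host}"
    return "ok", f"{banner_host} -> {ip} -> {ptr} -> {back}"


if __name__ == "__main__":
    for host in ("mymailserver.com", "mail.example.net", "orphan.example.org"):
        print(host, check_fcrdns(host, fake_resolve_a, fake_resolve_ptr))
```

To test a real server, call check_fcrdns("your.banner.name") with the default resolvers. "banner-mismatch" and "no-ptr" are both conditions that large receivers score against (the AOL 554 RTR:SC rejections in the first log are of that kind); the fix is a PTR record, set by whoever owns the address block, that matches the name in myhostname/smtpd_banner.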
 
LVL 29

Accepted Solution

by:
Sudeep Sharma earned 500 total points
ID: 38857155
Your system is not an open relay. So that's good news.

From the logs you have posted it is not very clear which user has the issue since it is just a dump of the logs.

Try to tail the logs and grep the user who has the issue.

tail -f /var/log/mail.log | grep 'to=<user@domain.com>'   # quote the pattern: an unquoted < is taken by the shell as input redirection
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38858812
>>>I created a block rule for Port 25 in my Cisco Router.  This is what is being blocked.
>>>The MAC address is that of the router and the server.
If he shut down port 25, it won't be detected as an open relay at the moment, but it can't stay like this for long if he wants to use it.
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38860857
Here it is:
mylogin@myserver01:~$ sudo tail -f /var/log/mail.log | grep to=


Feb  6 13:35:08 myserver01 postfix/smtp[13212]: 9E29C4D575: to=<cigars@ersecorvo.com>, relay=none, delay=168650, delays=168580/9.8/60/0, dsn=4.4.1, status=deferred (connect to ersecorvo.com[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:09 myserver01 postfix/smtp[13171]: 3B878C2B44: to=<jfultz@data.cmcore.com>, relay=none, delay=436154, delays=436084/40/30/0, dsn=4.4.1, status=deferred (connect to data.cmcore.com[199.255.33.45]:25: Connection timed out)
Feb  6 13:35:09 myserver01 postfix/local[13229]: 3786A4D426: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:13 myserver01 postfix/smtp[13128]: D4A5FC1879: to=<jaybusbygryt@gutel.com>, relay=none, delay=162455, delays=162380/43/31/0, dsn=4.4.1, status=deferred (connect to gutel.com[211.106.65.112]:25: Connection timed out)
Feb  6 13:35:15 myserver01 postfix/smtp[13222]: 943DBC2E16: to=<wood-biz@suichi.info>, relay=none, delay=426021, delays=425945/16/60/0, dsn=4.4.1, status=deferred (connect to suichi.info[69.16.143.70]:25: Connection timed out)
Feb  6 13:35:25 myserver01 postfix/smtp[13224]: DA48AC169C: to=<s28d642ohpc63@corp.supernews.com>, relay=none, delay=165106, delays=165020/56/30/0, dsn=4.4.1, status=deferred (connect to corp.supernews.com[216.168.3.44]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13130]: D9A13C15FC: to=<mbogart@a1.interclick.com>, relay=none, delay=165286, delays=165196/60/30/0, dsn=4.4.1, status=deferred (connect to a1.interclick.com[74.122.143.72]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13132]: D66074D7E5: to=<glazetd@eudict.com>, relay=none, delay=165328, delays=165237/60/30/0, dsn=4.4.1, status=deferred (connect to eudict.com[216.70.108.87]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13139]: DA212C2B8D: to=<kelsy@msnbc.msn.com>, relay=none, delay=434768, delays=434677/60/30/0, dsn=4.4.1, status=deferred (connect to msnbc.msn.com[65.55.53.235]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/local[13229]: 625CD4D42B: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.03, delays=0.03/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:29 myserver01 postfix/smtp[13143]: DE7D64D69C: to=<pyrexgo79@proracingsimtv.com>, relay=none, delay=178660, delays=178569/60/30/0, dsn=4.4.1, status=deferred (connect to mail.proracingsimtv.com[216.37.76.2]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13151]: 0767AC1415: to=<jparker@mail.aol.com>, relay=none, delay=182434, delays=182343/0.85/90/0, dsn=4.4.1, status=deferred (connect to mail.aol.com[205.188.16.149]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13131]: D0AA7C14CB: to=<states@secure.ian.com>, relay=none, delay=171991, delays=171901/60/30/0, dsn=4.4.1, status=deferred (connect to secure.ian.com[216.251.126.131]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13149]: DEE2AC2B4E: to=<homes@valeries.com>, relay=none, delay=436182, delays=436091/60/30/0, dsn=4.4.1, status=deferred (connect to valeries.com[82.98.86.167]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13138]: DF180C2D8D: to=<ekinder@uid.shoplocal.com>, relay=none, delay=427266, delays=427175/60/30/0, dsn=4.4.1, status=deferred (connect to uid.shoplocal.com[167.8.225.33]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/smtp[13152]: DB428C2BB9: to=<hjones@rslusa.com>, relay=none, delay=435104, delays=435013/61/30/0, dsn=4.4.1, status=deferred (connect to rslusa.com[208.91.196.50]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/local[13229]: CA1554D42F: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.03, delays=0.03/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:29 myserver01 postfix/local[13229]: D1A614D42D: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.03, delays=0.02/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:29 myserver01 postfix/smtp[13136]: DE305C2C79: to=<faustinonelson_zx@pnte.cfnavarra.es>, relay=none, delay=434576, delays=434485/60/31/0, dsn=4.4.1, status=deferred (connect to aralar.pnte.cfnavarra.es[195.76.216.3]:25: Connection timed out)
Feb  6 13:35:29 myserver01 postfix/local[13229]: EC2764D42F: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.02, delays=0.02/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:30 myserver01 postfix/smtp[13165]: 923A9C1523: to=<searches@villamalgae.com>, relay=none, delay=171968, delays=171877/31/60/0, dsn=4.4.1, status=deferred (connect to villamalgae.com[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:30 myserver01 postfix/smtp[13162]: 95CD4C5666: to=<jpb1143@students.pjc.edu>, relay=none, delay=412817, delays=412725/31/60/0, dsn=4.4.1, status=deferred (connect to students.pjc.edu[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:30 myserver01 postfix/smtp[13179]: 9FCA14D776: to=<john_hanley@bxadycorp.com>, relay=none, delay=170755, delays=170664/31/60/0, dsn=4.4.1, status=deferred (connect to bxadycorp.com[69.16.143.70]:25: Connection timed out)
Feb  6 13:35:30 myserver01 postfix/smtp[13174]: 6F9A7C2BA7: to=<cwanish@media.gsimedia.net>, relay=none, delay=435200, delays=435108/1.3/90/0, dsn=4.4.1, status=deferred (connect to media.gsimedia.net[74.217.59.19]:25: Connection timed out)
Feb  6 13:35:30 myserver01 postfix/local[13229]: 6AC0E4D432: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.02, delays=0.02/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:30 myserver01 postfix/smtp[13158]: 9B46E4DA6F: to=<k_muraj_ia@nedllc.mo>, relay=none, delay=165953, delays=165862/31/60/0, dsn=4.4.1, status=deferred (connect to nedllc.mo[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:30 myserver01 postfix/smtp[13147]: DD5074D9AA: to=<dtdtiy@english.ivsz.hu>, relay=none, delay=178867, delays=178775/60/31/0, dsn=4.4.1, status=deferred (connect to english.ivsz.hu[84.2.39.122]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13189]: 9168CC2E30: to=<expert@gladefern.com>, relay=none, delay=425965, delays=425873/32/60/0, dsn=4.4.1, status=deferred (connect to gladefern.com[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13201]: 9C6F9C2EA3: to=<diafrate@1031helpcenter.com>, relay=none, delay=425467, delays=425375/32/60/0, dsn=4.4.1, status=deferred (connect to 1031helpcenter.com[69.16.143.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13209]: 9F9E1C2BED: to=<kara@at.atwola.com>, relay=none, delay=434993, delays=434900/32/60/0, dsn=4.4.1, status=deferred (connect to at.atwola.com[64.236.144.246]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13211]: 32C81C18D0: to=<matt.eckler@firstunion.com>, relay=none, delay=162453, delays=162361/32/60/0, dsn=4.4.1, status=deferred (connect to firstunion.com[151.151.88.101]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/local[13229]: 3EC334D436: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.05, delays=0.05/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:31 myserver01 postfix/smtp[13192]: 393F4C2EF2: to=<emailreed.kyrk@comcast.netr>, relay=none, delay=425228, delays=425136/32/60/0, dsn=4.4.1, status=deferred (connect to comcast.netr[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13205]: 3DEFAC1A6E: to=<linda.kohler@cbdfw.comy>, relay=none, delay=162270, delays=162178/32/60/0, dsn=4.4.1, status=deferred (connect to cbdfw.comy[69.16.143.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13223]: 3AA3BC2C0A: to=<kseno@chkcnt.edu>, relay=none, delay=434928, delays=434836/32/60/0, dsn=4.4.1, status=deferred (connect to chkcnt.edu[69.16.143.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/smtp[13193]: 3A37CC1DD4: to=<bonita.a.pollard@onemoremail.net>, relay=none, delay=160585, delays=160492/32/60/0, dsn=4.4.1, status=deferred (connect to onemoremail.net[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:31 myserver01 postfix/local[13229]: 6F7084D43B: to=<MYEMAIL@MYDOMAIN.com>, relay=local, delay=0.04, delays=0.04/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Feb  6 13:35:31 myserver01 postfix/smtp[13198]: 3D3964DAED: to=<customerservice@kettehttp.info>, relay=none, delay=162559, delays=162466/33/60/0, dsn=4.4.1, status=deferred (connect to kettehttp.info[66.152.109.70]:25: Connection timed out)
Feb  6 13:35:32 myserver01 postfix/smtp[13125]: 3C211C1760: to=<mita7770@gmail.co>, relay=none, delay=162548, delays=162455/33/60/0, dsn=4.4.1, status=deferred (connect to gmail.co[74.125.228.54]:25: Connection timed out)
Feb  6 13:35:32 myserver01 postfix/smtp[13207]: 35733C2C95: to=<lynnettecristy@gartmore.com>, relay=none, delay=429944, delays=429851/33/60/0, dsn=4.4.1, status=deferred (connect to decommissioned.blackh0le.com[66.152.109.70]:25: Connection timed out)
0
 
LVL 14

Author Comment

by:bmsjeff
ID: 38860867
p.s.
None of the above emails were actually sent by a user.
0
