POSTFIX: Server abuse / spam problem

AllOnline

New Member
Hello,

unfortunately my server was abused to send spam.

Probably the postfix settings are too insecure (still working on it):
Code:
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = all
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = p043.purple.fastwebserver.de
program_directory = /usr/lib/postfix
masquerade_domains = 
mydestination = $myhostname, localhost.$mydomain
defer_transports = 
mynetworks_style = subnet
disable_dns_lookups = no
relayhost = 
mailbox_command = /usr/bin/procmail
mailbox_transport = 
strict_8bitmime = no
disable_mime_output_conversion = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions = 
smtpd_helo_required = no
smtpd_helo_restrictions = 
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes
smtpd_use_tls = no
smtp_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
inet_interfaces = all
But the following configuration is too harsh:
Code:
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = all
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = p043.purple.fastwebserver.de
program_directory = /usr/lib/postfix
masquerade_domains = 
mydestination = $myhostname, localhost.$mydomain
defer_transports = 
mynetworks_style = subnet
disable_dns_lookups = no
relayhost = 
mailbox_command = /usr/bin/procmail
mailbox_transport = 
strict_8bitmime = no
disable_mime_output_conversion = no
smtpd_sender_restrictions =  permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination,reject_rhsbl_client rhsbl.sorbs.net,reject_rhsbl_sender rhsbl.sorbs.net,reject_rbl_client relays.ordb.org,reject_rbl_client list.dsbl.org,reject_rbl_client sbl.spamhaus.org,reject_rbl_client unconfirmed.dsbl.org,reject_rbl_client list.dsbl.org,reject_rbl_client dynablock.njabl.org,reject_rbl_client dialup.blacklist.jippg.org,reject_rbl_client multihop.dsbl.org,reject_rbl_client dialup.rbl.kropka.net,reject_rbl_client opm.blitzed.org, reject_rbl_client cbl.abuseat.org,reject_non_fqdn_sender,reject_non_fqdn_recipient, reject_unknown_recipient_domain,reject_unauth_pipelining
smtpd_client_restrictions = 
smtpd_helo_required = yes
smtpd_helo_restrictions =  permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_non_fqdn_hostname,reject_invalid_hostname,reject_rhsbl_client rhsbl.sorbs.net,reject_rhsbl_sender rhsbl.sorbs.net,reject_rbl_client opm.blitzed.org,reject_rbl_client cbl.abuseat.org,reject_rbl_client relays.ordb.org,reject_rbl_client list.dsbl.org,reject_rbl_client sbl.spamhaus.org,reject_rbl_client unconfirmed.dsbl.org,reject_rbl_client list.dsbl.org,reject_rbl_client dynablock.njabl.org,reject_rbl_client dialup.blacklist.jippg.org,reject_rbl_client opm.blitzed.org,reject_rbl_client cbl.abuseat.org,reject_rbl_client multihop.dsbl.org,reject_rbl_client dialup.rbl.kropka.net,reject_unauth_pipelining 
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination, reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_rbl_client zombie.dnsbl.sorbs.net,reject_rbl_client relays.ordb.org,reject_rbl_client opm.blitzed.org,reject_rbl_client list.dsbl.org,reject_rbl_client sbl.spamhaus.org,reject_rbl_client blackholes.easynet.nl,reject_rbl_client unconfirmed.dsbl.org,reject_rbl_client dynablock.njabl.org,reject_rbl_client dialup.blacklist.jippg.org,reject_rbl_client cbl.abuseat.org
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes
smtpd_use_tls = no
smtp_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 1024000000
disable_vrfy_command = yes
default_rbl_reply = $rbl_code RBLTRAP: You can't send us a E-mail today!!! Pls send an E-Mail to SimonLudwigs@gmail.com
smtpd_delay_reject = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
inet_interfaces = all
Could someone help me with what the configuration should look like for normal operation?

Beyond that, I'm wondering what other ways there are to send spam apart from ssh access and bad web applications.

It would also be interesting to know how to get removed from anti-spam lists.

Please enlighten me (apart from Google), thanks.

PS: The server is of course off the net!
 

mr_brain

Registered User
Have you checked how the spam was sent, i.e. via SMTP or via the sendmail wrapper?
 

AllOnline

New Member
sry, I forgot the logs;
just a few excerpts

Code:
Sep  8 12:35:20 p043 postfix/qmgr[14676]: 944C510BA79F: from=<noreply@netlogmail.com>, size=5768, nrcpt=50 (queue active)
Sep  8 12:35:20 p043 postfix/qmgr[14676]: 9FB4810BB1FC: from=<noreply@netlogmail.com>, size=5768, nrcpt=50 (queue active)
Sep  8 12:35:20 p043 postfix/qmgr[14676]: 9F79410BA788: from=<noreply@netlogmail.com>, size=5768, nrcpt=50 (queue active)

Sep  8 12:55:51 p043 postfix/smtp[24921]: DD01510BB131: to=<wwilsterman@aol.com>, relay=mailin-02.mx.aol.com[205.188.190.1]:25, delay=342924, delays=342893/30/0.54/0.74, dsn=5.1.1, status=bounced (host mailin-02.mx.aol.com[205.188.190.1] said: 550 5.1.1 <wwilsterman@aol.com>: Recipient address rejected: aol.com (in reply to RCPT TO command))
Sep  8 12:55:51 p043 postfix/smtp[24858]: 25A8010BA3F1: to=<mommy2atjh8301@aol.com>, relay=mailin-03.mx.aol.com[205.188.59.193]:25, delay=143252, delays=143221/27/2.5/1.2, dsn=4.2.1, status=deferred (host mailin-03.mx.aol.com[205.188.59.193] said: 421 4.2.1  MSG=:  (DYN:T1)  http://postmaster.info.aol.com/errors/421dynt1.html  (in reply to end of DATA command))
Sep  8 12:55:51 p043 postfix/smtp[24832]: D88C610BA446: to=<nize74@aol.com>, relay=mailin-04.mx.aol.com[205.188.157.18]:25, delay=143162, delays=143131/30/0.3/0.78, dsn=5.1.1, status=bounced (host mailin-04.mx.aol.com[205.188.157.18] said: 550 5.1.1 <nize74@aol.com>: Recipient address rejected: aol.com (in reply to RCPT TO command))
Sep  8 12:55:51 p043 postfix/smtp[24982]: connect to alltel.net[198.133.103.44]:25: Connection timed out
Sep  8 12:55:51 p043 postfix/smtp[24982]: 516FA10BA3F3: to=<monroem2@alltel.net>, relay=none, delay=143248, delays=143217/1/30/0, dsn=4.4.1, status=deferred (connect to alltel.net[198.133.103.44]:25: Connection timed out)
Sep  8 12:55:51 p043 postfix/cleanup[25042]: C7D6510BA780: message-id=<20100908105551.C7D6510BA780@p043.purple.fastwebserver.de>
Sep  8 12:55:51 p043 postfix/smtp[24884]: 6588E10BA474: host hrndva-smtpin01.mail.rr.com[71.74.56.243] refused to talk to me: 554 5.7.1 - ERROR: Mail refused - <85.114.133.43> - See http://postmaster.rr.com/amIBlockedByRR?ip=85.114.133.43
Sep  8 12:55:51 p043 postfix/smtp[25020]: connect to sprintpcs.com[144.230.162.36]:25: Connection timed out
Sep  8 12:55:51 p043 postfix/smtp[25024]: connect to u3.org[208.73.210.28]:25: Connection timed out
Sep  8 12:55:51 p043 postfix/smtp[25025]: connect to vbe.org[208.73.210.28]:25: Connection timed out
Sep  8 12:55:51 p043 postfix/bounce[25036]: 93A0F10BA2ED: sender non-delivery notification: 9A84710BA779

Sep  8 12:55:52 p043 postfix/smtp[24912]: 77C4E10BAB63: to=<cojang@orgio.net>, relay=none, delay=344852, delays=344820/1.1/30/0, dsn=4.4.1, status=deferred (connect to orgio.net[64.94.136.5]:25: Connection timed out)
Sep  8 12:55:52 p043 postfix/bounce[25013]: 751B010BA3F7: sender non-delivery notification: EB18910BA5C2
Sep  8 12:55:52 p043 postfix/qmgr[14676]: EB18910BA5C2: from=<>, size=7854, nrcpt=1 (queue active)

Sep  8 13:20:43 p043 postfix/error[26258]: 6073E10BA871: to=<antionetterd@yahoo.com>, relay=none, delay=347117, delays=347095/16/0/6.2, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Sep  8 13:20:43 p043 postfix/error[26332]: 60B4410BB061: to=<roconnell88@yahoo.com>, relay=none, delay=144448, delays=144426/16/0/6.2, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Sep  8 13:20:43 p043 postfix/error[26344]: A748D10BA964: to=<icema8488@yahoo.com>, relay=none, delay=145523, delays=145501/22/0/0.28, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Sep  8 13:20:43 p043 postfix/error[26318]: 0933310BA8BF: to=<as4seen2000@yahoo.com>, relay=none, delay=347065, delays=347043/21/0/0.82, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Sep  8 13:20:43 p043 postfix/error[26242]: 08B9810BA90B: to=<identity1040@yahoo.com>, relay=none, delay=145506, delays=145483/21/0/0.82, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Sep  8 13:20:43 p043 postfix/error[26359]: 07CD610BB028: to=<shellyjc2006@yahoo.com>, relay=none, delay=344870, delays=344847/18/0/3.8, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Sep  8 13:20:43 p043 postfix/error[26307]: 6F8DD10BB023: to=<singleton_carolyn@yahoo.com>, relay=none, delay=344855, delays=344833/14/0/8.5, dsn=4.7.0, status=deferred (delivery temporarily suspended: host e.mx.mail.yahoo.com[67.195.168.230] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
If you need anything more, just say so, thanks!

Oh, and why is it that with the 2nd configuration all mails get rejected?

test mail:
Code:
Sep 10 20:28:07 p043 postfix/smtpd[11320]: NOQUEUE: reject: RCPT from mail.xyz.de[192.216.183.73]: 554 5.7.1 RBLTRAP: You can't send us a E-mail today!!! ; from=<test@dxyz.de> to=<info@xxx.de> proto=ESMTP helo=<mail.xyz.de>
 
Last edited by a moderator:

AllOnline

New Member
Thanks,
currently it looks like this:

Code:
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = all
allow_percent_hack = no
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = p043.purple.fastwebserver.de
program_directory = /usr/lib/postfix
masquerade_domains = 
mydestination = $myhostname, localhost.$mydomain
defer_transports = 
mynetworks_style = subnet
disable_dns_lookups = no
relayhost = 
mailbox_command = /usr/bin/procmail
mailbox_transport = 
strict_8bitmime = no
disable_mime_output_conversion = no
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain,  permit
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_reverse_client_hostname,permit
smtpd_data_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining,permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_helo_hostname,permit
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes
smtpd_use_tls = no
smtp_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
inet_interfaces = all
Does this make sense??

Despite this setting:
Code:
Sep 11 13:50:53 p043 postfix/smtpd[2701]: NOQUEUE: reject: RCPT from unknown[183.7.132.182]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [183.7.132.182]; from=<fhuvzcqt@gvyhps.com> to=<vbvvstyh80844@yahoo.com.tw> proto=ESMTP helo=<qwbtlim.com>
 
Last edited by a moderator:
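A log-triage script, added here as an example (it is not from the thread and not part of Postfix), that answers the questions raised in the two posts above from the mail.log itself: which envelope senders are pushing bulk mail into the queue (the qmgr `from=... nrcpt=50` lines), which remote sites are refusing the server's IP (`refused to talk to me`), and what the smtpd restrictions are rejecting (the `NOQUEUE: reject:` lines; the 450 from reject_unknown_reverse_client_hostname is a temporary rejection of an inbound client, not of the server's own outgoing mail). The embedded log lines are constructed for this example and use placeholder hostnames, addresses and IPs.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): triage a Postfix
# mail.log for (1) who is injecting bulk mail, (2) which remote sites refuse
# our IP, and (3) what the smtpd restrictions reject.
# The log lines below are constructed for this example.

SAMPLE_LOG=$(cat <<'EOF'
Sep  8 12:35:20 p043 postfix/qmgr[14676]: 944C510BA79F: from=<noreply@bulk.example>, size=5768, nrcpt=50 (queue active)
Sep  8 12:35:20 p043 postfix/qmgr[14676]: 9FB4810BB1FC: from=<noreply@bulk.example>, size=5768, nrcpt=50 (queue active)
Sep  8 12:36:02 p043 postfix/qmgr[14676]: 1234510BA000: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Sep  8 12:55:51 p043 postfix/smtp[24884]: 6588E10BA474: host mx.example.net[192.0.2.10] refused to talk to me: 554 5.7.1 - ERROR: Mail refused
Sep  8 13:20:43 p043 postfix/error[26258]: 6073E10BA871: to=<u1@example.com>, relay=none, delay=1, delays=1/0/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx.example.com[192.0.2.20] refused to talk to me: 421 4.7.0 temporarily deferred)
Sep  8 13:20:44 p043 postfix/error[26259]: 6073E10BA872: to=<u2@example.com>, relay=none, delay=1, delays=1/0/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mx.example.com[192.0.2.20] refused to talk to me: 421 4.7.0 temporarily deferred)
Sep 11 13:50:53 p043 postfix/smtpd[2701]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<x@example.invalid> to=<y@example.tw> proto=ESMTP helo=<qwbtlim.example>
Sep 11 13:51:10 p043 postfix/smtpd[2701]: NOQUEUE: reject: RCPT from unknown[198.51.100.8]: 554 5.7.1 <z@example.tw>: Relay access denied; from=<x@example.invalid> to=<z@example.tw> proto=ESMTP helo=<foo.example>
EOF
)

# (1) Messages entering the active queue, grouped by envelope sender:
# number of queue entries and total envelope recipients (nrcpt).
# Output: "<sender> <messages> <recipients>", most recipients first.
summarize_senders() {
    printf '%s\n' "$1" |
    awk '/postfix\/qmgr\[.*\]: [0-9A-F]+: from=</ {
            match($0, /from=<[^>]*>/); s = substr($0, RSTART + 6, RLENGTH - 7)
            if (s == "") s = "<>"                  # null sender = bounce message
            match($0, /nrcpt=[0-9]+/);  n = substr($0, RSTART + 6, RLENGTH - 6)
            msgs[s]++; rcpts[s] += n
        }
        END { for (s in msgs) printf "%s %d %d\n", s, msgs[s], rcpts[s] }' |
    sort -k3,3nr
}

# (2) Remote MTAs that refused the session outright ("refused to talk to me"),
# i.e. evidence that our IP is blocklisted there. Output: "<host> <count>".
count_refusals() {
    printf '%s\n' "$1" |
    awk 'match($0, /host [^ ]+\[[^]]+\] refused to talk to me/) {
            h = substr($0, RSTART + 5, RLENGTH - 5); sub(/ refused.*/, "", h)
            refused[h]++
        }
        END { for (h in refused) printf "%s %d\n", h, refused[h] }' |
    sort -k2,2nr
}

# (3) smtpd rejects (NOQUEUE) grouped by SMTP code and reason text.
# Output: "<count> <code> <enhanced-code> <reason>".
summarize_rejects() {
    printf '%s\n' "$1" |
    awk '/NOQUEUE: reject:/ {
            match($0, /: [45][0-9][0-9] [0-9]\.[0-9]\.[0-9] [^;]*/)
            r = substr($0, RSTART + 2, RLENGTH - 2)
            sub(/, \[[^]]*\]$/, "", r)   # drop the trailing client IP
            sub(/<[^>]*>: /, "", r)      # drop the recipient address
            rej[r]++
        }
        END { for (r in rej) printf "%d %s\n", rej[r], r }' |
    sort -nr
}

# Demo: run on the built-in sample unless a log file is given as argument.
if [ $# -gt 0 ]; then LOG=$(cat "$1"); else LOG=$SAMPLE_LOG; fi
echo "== queued messages per envelope sender (sender messages recipients)"
summarize_senders "$LOG"
echo "== remote hosts refusing our connections (host count)"
count_refusals "$LOG"
echo "== smtpd rejects (count code reason)"
summarize_rejects "$LOG"
```

Run it against the real log with `sh maillog-triage.sh /var/log/mail.log`. A sender with many queue entries and recipient totals in the hundreds that does not belong to a known application is the injection point to chase; the refusal table lists the sites whose postmaster pages to follow for delisting; the reject table confirms the restrictions are only turning away inbound junk. The 421 and 450 codes are temporary failures: the remote side expects a retry, so `status=deferred` means the message is still sitting in the queue and will be tried again, not that it has been dropped.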

AllOnline

New Member
Hello,

please help me once more,
my logs are still growing like crazy,
among other things with the following messages

Code:
Sep 12 23:17:48 p043 postfix/smtp[2752]: 0719C10BA350: host mta.mcel.co.mz[212.96.25.51] said: 452 4.4.5 Insufficient disk space; try again later (in reply to MAIL FROM command)
Sep 12 23:17:48 p043 postfix/smtp[2737]: 5A58610BA2B7: to=<jonzindawg@comcast.net>, relay=mx2b.comcast.net[76.96.30.116]:25, delay=26298, delays=26293/0.03/5.1/0, dsn=4.0.0, status=deferred (host mx2b.comcast.net[76.96.30.116] refused to talk to me: 554 imta08.emeryville.ca.mail.comcast.net comcast 85.114.133.43 Comcast Blocked for spam. Please see http://help.comcast.net/content/faq/BL000000)
Sep 12 23:17:48 p043 postfix/smtp[2744]: B59B710BA316: to=<clarissaaugust@aol.com>, relay=mailin-01.mx.aol.com[64.12.90.98]:25, delay=27857, delays=27852/0.06/4.6/0, dsn=4.7.1, status=deferred (host mailin-01.mx.aol.com[64.12.90.98] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Sep 12 23:17:48 p043 postfix/smtp[2743]: D78B110BA3C7: to=<malynda11@comcast.net>, relay=mx2b.comcast.net[76.96.30.116]:25, delay=25675, delays=25669/0.06/5.4/0, dsn=4.0.0, status=deferred (host mx2b.comcast.net[76.96.30.116] refused to talk to me: 554 imta08.emeryville.ca.mail.comcast.net comcast 85.114.133.43 Comcast Blocked for spam. Please see http://help.comcast.net/content/faq/BL000000)
Sep 12 23:17:48 p043 postfix/smtp[2743]: D78B110BA3C7: to=<mam2517@comcast.net>, relay=mx2b.comcast.net[76.96.30.116]:25, delay=25675, delays=25669/0.06/5.4/0, dsn=4.0.0, status=deferred (host mx2b.comcast.net[76.96.30.116] refused to talk to me: 554 imta08.emeryville.ca.mail.comcast.net comcast 85.114.133.43 Comcast Blocked for spam. Please see http://help.comcast.net/content/faq/BL000000)
Sep 12 23:17:48 p043 postfix/smtp[2743]: D78B110BA3C7: to=<mama.bear6@comcast.net>, relay=mx2b.comcast.net[76.96.30.116]:25, delay=25675, delays=25669/0.06/5.4/0, dsn=4.0.0, status=deferred (host mx2b.comcast.net[76.96.30.116] refused to talk to me: 554 imta08.emeryville.ca.mail.comcast.net comcast 85.114.133.43 Comcast Blocked for spam. Please see http://help.comcast.net/content/faq/BL000000)
Sep 12 23:17:53 p043 postfix/smtp[2466]: 4072510BA2D4: to=<kbabicz@dotstandards.com>, relay=mail.dotstandards.com[209.145.154.1]:25, delay=26142, delays=25833/0.26/309/0, dsn=4.4.2, status=deferred (conversation with mail.dotstandards.com[209.145.154.1] timed out while receiving the initial server greeting)
Sep 12 23:17:53 p043 postfix/smtp[2476]: 6AF8F10BA288: to=<jblend@mysmtpmail.com>, relay=mail.mysmtpmail.com[209.145.154.1]:25, delay=26513, delays=26203/0.32/309/0, dsn=4.4.2, status=deferred (conversation with mail.mysmtpmail.com[209.145.154.1] timed out while receiving the initial server greeting)
Code:
Sep 12 23:12:46 p043 postfix/error[2412]: 3542810BA2FB: to=<carmenliz95@aol.com>, relay=none, delay=27851, delays=27849/1.8/0/0.43, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.90.98] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Sep 12 23:12:46 p043 postfix/error[2424]: DB39C10BA2F2: to=<caretaker_101@yahoo.com>, relay=none, delay=27856, delays=27854/0.08/0/2.2, dsn=4.7.0, status=deferred (delivery temporarily suspended: host k.mx.mail.yahoo.com[98.139.54.60] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Sep 12 23:12:46 p043 postfix/error[2421]: 6AF8F10BA288: to=<jblb419@aol.com>, relay=none, delay=26206, delays=26203/1.8/0/0.43, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.90.98] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Sep 12 23:12:46 p043 postfix/error[2469]: C88A210BA15B: to=<hp4968@aol.com>, relay=none, delay=26396, delays=26394/1.9/0/0.32, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.90.98] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Sep 12 23:12:46 p043 postfix/error[2428]: C7A7110BA2F7: to=<camorra02@aol.com>, relay=none, delay=27864, delays=27862/1.9/0/0.32, dsn=4.7.1, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.90.98] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
Are the mails getting through now or not?!???

Code:
Sep 12 22:16:50 p043 spamd[3561]: prefork: sysread(9) failed after 300 secs at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/SpamdForkScaling.pm line 648. 
Sep 12 22:16:50 p043 spamd[2475]: prefork: child states: II 
Sep 12 22:16:51 p043 spamd[2475]: spamd: handled cleanup of child pid 3561 due to SIGCHLD 
Sep 12 22:16:51 p043 spamd[2475]: spamd: server successfully spawned child process, pid 3647 
Sep 12 22:16:51 p043 spamd[2475]: prefork: child states: II 
Sep 12 22:21:52 p043 spamd[3647]: prefork: sysread(9) failed after 300 secs at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/SpamdForkScaling.pm line 648. 
Sep 12 22:21:52 p043 spamd[2475]: prefork: child states: II 
Sep 12 22:21:52 p043 spamd[2475]: spamd: handled cleanup of child pid 3647 due to SIGCHLD 
Sep 12 22:21:52 p043 spamd[2475]: spamd: server successfully spawned child process, pid 3709
Code:
Sep 12 22:31:04 p043 postfix/anvil[3822]: statistics: max connection rate 1/60s for (smtp:85.13.xxx.xxx) at Sep 12 22:27:44
Sep 12 22:31:04 p043 postfix/anvil[3822]: statistics: max connection count 1 for (smtp:85.13.xxx.xxx) at Sep 12 22:27:44
Sep 12 22:31:04 p043 postfix/anvil[3822]: statistics: max cache size 1 at Sep 12 22:27:44
 

Joe User

Center of Power
Grab an English dictionary and just translate the error messages, then you'll know more...
 

blafasel2

New Member
@AllOnline: I think your Postfix configuration is fine as far as it goes; the relay check (http://www.abuse.net/relay.html) says no relaying is possible.

Also, your logs show nothing about connects via SMTP or the like.

That means: the spam mails are being sent by one of the scripts on your server.

Try (temporarily) locking /usr/sbin/sendmail with chmod 000. Additionally you could list exec, system, passthru and mail under disabled_functions in your php.ini.

With that, PHP should not be able to send any mail.

I would also advise you to get a virus scanner, e.g. F-Prot for Linux http://www.f-prot.com/download/getfplinfree.html, and scan all directories of your server; Rootkit Hunter (http://www.rootkit.nl/projects/rootkit_hunter.html) can't hurt either.

As I can see, you also have an open proxy running on the server and various very permissive CGI scripts (FTP proxy and the like). I suspect the problem lies somewhere there.

If you don't want to or can't disable the function, try this: http://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam which lets you log all mails sent via PHP. That should put you on the right track.

Otherwise, since you do web hosting... have a look at FastCGI/Fcgid, chroot and grsecurity or AppArmor as well as the PHP security features and build yourself a secure configuration.... to start with, you should at least log all exec(), system() and other security-relevant calls from your scripts...

Good luck
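One way to see which script is calling sendmail, as an added example that is neither the howtoforge script linked above nor part of Postfix or PHP: a shell wrapper installed as PHP's `sendmail_path` (the php.ini directive for blocking functions is spelled `disable_functions`). It logs the calling uid, working directory, parent process and the message's From/To/Subject, then hands the message unchanged to the real sendmail. The paths `/usr/sbin/sendmail` and `/var/log/sendmail-calls.log` and the install name `sendmail-logged` are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the howtoforge script, not from Postfix or PHP): a
# logging wrapper around the sendmail binary. Install as
# /usr/local/bin/sendmail-logged and set in php.ini:
#   sendmail_path = "/usr/local/bin/sendmail-logged -t -i"
# Every call is recorded with caller context before the message is passed on,
# so a spamming script can be located by its working directory and parent.
# REAL_SENDMAIL and MAIL_CALL_LOG defaults are assumptions for this example.

: "${REAL_SENDMAIL:=/usr/sbin/sendmail}"          # binary being wrapped
: "${MAIL_CALL_LOG:=/var/log/sendmail-calls.log}"  # must be writable by the web server user

# Pull one header value (case-insensitive name) out of the message headers.
# $1 = message file, $2 = header name including the colon, e.g. "from:"
header_value() {
    awk -v want="$2" 'NR==1,/^$/ {
        if (tolower($1) == want) { sub(/^[^:]*: */, ""); print; exit }
    }' "$1"
}

# Append one log line of caller context plus From/To/Subject.
# $1 = message file, remaining args = the sendmail arguments passed through.
log_mail_call() {
    msg=$1; shift
    parent=$(ps -o args= -p "$PPID" 2>/dev/null | head -n 1)
    printf '%s uid=%s cwd=%s ppid=%s parent="%s" args="%s" from="%s" to="%s" subject="%s"\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$(id -u)" "$PWD" "$PPID" "$parent" "$*" \
        "$(header_value "$msg" from:)" "$(header_value "$msg" to:)" \
        "$(header_value "$msg" subject:)" >> "$MAIL_CALL_LOG"
}

# sendmail reads the message from stdin: spool it to a temp file, log it,
# then feed it to the real sendmail with the original arguments.
sendmail_wrapper() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/mailcall.XXXXXX") || return 1
    cat > "$tmp"
    log_mail_call "$tmp" "$@"
    "$REAL_SENDMAIL" "$@" < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Act as sendmail only when invoked under the installed name, so the
# functions above can also be sourced or tested without sending anything.
case ${0##*/} in
    sendmail-logged) sendmail_wrapper "$@" ;;
esac
```

Make the log file writable by the web server user, set `sendmail_path` as shown and restart the web server. The `cwd` field is normally the directory of the script that called mail(), which is what you need to find a spamming form or a dropped backdoor; the wrapper also works for any other language that calls the wrapper path. PHP 5.3 and later can record the script name natively with `mail.add_x_header = On` (adds an X-PHP-Originating-Script header) and `mail.log = /var/log/php-mail.log`; the wrapper still adds the process context. Unlike chmod 000 on sendmail, it keeps legitimate mail flowing while you investigate.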
 

JackAv

New Member
Search your server for any shells anyway. Maybe some hacker got in via sqli or some exploit and can now do nice ****** like ddos attacks etc.
 

AllOnline

New Member
Thanks for your replies,
what other options for checking the system for possible hackers, exploits etc. can you recommend?

Beyond that, there are still messages like these:
Code:
043 postfix/error[31272]: 0D8FB10BA68B: to=<ngoclamha@yahoo.com>, relay=none, delay=574, delays=519/44/0/11, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31223]: 3B22E10BAD2C: to=<firstlady41wstyle@yahoo.com>, relay=none, delay=2173, delays=2118/54/0/0.57, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[30850]: A64E810BAB8A: to=<amitybfc@yahoo.com>, relay=none, delay=3335, delays=3280/46/0/9.1, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31245]: 3E3EF10BAB90: to=<anathan8@yahoo.com>, relay=none, delay=3323, delays=3268/51/0/4.5, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31278]: 3192C10BA69A: to=<nicktony2006@yahoo.com>, relay=none, delay=565, delays=510/55/0/0.27, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31228]: 3400C10BAB77: to=<aemcg07@yahoo.com>, relay=none, delay=3428, delays=3373/54/0/0.58, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[30718]: 3AFFD10BAD16: to=<emilian57@yahoo.com>, relay=none, delay=2267, delays=2212/52/0/3.4, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31271]: A1FE310BAD14: to=<embrie2001@yahoo.com>, relay=none, delay=2271, delays=2216/47/0/8.4, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31217]: 3569210BAB7C: to=<ambiga_1712@yahoo.com>, relay=none, delay=3343, delays=3288/54/0/0.86, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31247]: 3A68810BAB81: to=<altaher_est@yahoo.com>, relay=none, delay=3354, delays=3299/51/0/3.9, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31332]: AFA6510BA388: to=<joonieye39@yahoo.com>, relay=none, delay=1511, delays=1456/46/0/9.1, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31249]: 1704710BAD2A: to=<find_sunnydawn@yahoo.com>, relay=none, delay=2177, delays=2122/49/0/6.5, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31272]: 0D8FB10BA68B: to=<ngoctruong99@yahoo.com>, relay=none, delay=574, delays=519/44/0/11, dsn=4.7.0, status=deferred (delivery temporarily suspended: host d.mx.mail.yahoo.com[209.191.88.254] refused to talk to me: 421 4.7.0 [TS01] Messages from 85.114.133.43 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
Oct  4 15:10:59 p043 postfix/error[31245]: 3E3EF10BAB90:
Code:
Oct  4 12:30:34 p043 postfix/smtp[20561]: 064BF10BA4F6: to=<steffiwhiteside@maildomination.com>, relay=none, delay=349091, delays=349060/0.43/30/0, dsn=4.4.1, status=deferred (connect to mail.maildomination.com[209.145.154.1]:25: Connection timed out)
Oct  4 12:30:34 p043 postfix/smtp[20574]: C80DE10BA4E6: to=<sonia.garcia@midamericabank.com>, relay=none, delay=349144, delays=349113/0.52/30/0, dsn=4.4.1, status=deferred (connect to midamericabank.com[161.150.129.71]:25: Connection timed out)
Oct  4 12:30:34 p043 postfix/smtp[20566]: connect to uvm.com[216.57.210.200]:25: Connection timed out
Oct  4 12:30:34 p043 postfix/smtp[20566]: 37BF710BA4F1: to=<sraidas@uvm.com>, relay=none, delay=349121, delays=349090/0.47/31/0, dsn=4.4.1, status=deferred (connect to uvm.com[216.57.210.200]:25: Connection timed out)
Oct  4 12:30:34 p043 postfix/smtp[20561]: 064BF10BA4F6: to=<steffiwhitesides@maildomination.com>, relay=none, delay=349091, delays=349060/0.43/30/0, dsn=4.4.1, status=deferred (connect to mail.maildomination.com[209.145.154.1]:25: Connection timed out)
Oct  4 12:30:34 p043 postfix/smtp[20561]: 064BF10BA4F6: to=<steffiwhitewater@maildomination.com>, relay=none, delay=349091, delays=349060/0.43/30/0, dsn=4.4.1, status=deferred (connect to mail.maildomination.com[209.145.154.1]:25: Connection timed out)
Oct  4 12:30:34 p043 postfix/smtp[20561]: 064BF10BA4F6: to=<steffiwhitmore@maildomination.com>, relay=none, delay=349091, delays=349060/0.43/30/0, dsn=4.4.1, status=deferred (connect to mail.maildomination.com[209.145.154.1]:25: Connection timed out)
Oct  4 12:30:34 p043 postfix/smtp[20561]: 064BF10BA4F6: to=<steffiwhitmoyer@maildomination.com>, relay=none, delay=349091, delays=349060/0.43/30/0, dsn=4.4.1, status=deferred (connect to mail.maildomination.com[209.145.154.1]:25: Connection timed out)
Oct  4 12:30:34 p043 postfix/smtp[20561]: 064BF10BA4F6: to=<steffiwhittiker@maildomination.com>, relay=none, delay=349091, delays=349060/0.43/30/0, dsn=4.4.1, status=deferred (connect to mail.maildomination.com[209.145.154.1]:25: Connection timed out)
Oct  4 12:30:34 p043 postfix/smtp[20561]: 064BF10BA4F6: to=<steffiyuscak@maildomination.com>, relay=none, delay=349091, delays=349060/0.43/30/0, dsn=4.4.1, status=deferred (connect to mail.maildomination.com[209.145.154.1]:25: Connection timed out)
Oct  4 12:31:04 p043 postfix/smtp[20525]: connect to a34-mta03.direcpc.com[66.82.4.104]:25: Connection timed out
Actually nothing bad, but where do these mails come from?

Thanks
 

blafasel2

New Member
Actually nothing bad, but where do these mails come from?
Well, 1. Yes, that is bad: your IP is blocked for spam and you are still sending spam. At least that's what it looks like.

Have you tried the PHP mail logging? I.e. checked which scripts send mail?

That could really be anything.

The queue is in /var/spool/postfix; you can look at it with mailq. Then you'll see what's in the mails.
 

AllOnline

New Member
Well, 1. Yes, that is bad: your IP is blocked for spam and you are still sending spam. At least that's what it looks like.
I "thought" deferred

Have you tried the PHP mail logging? I.e. checked which scripts send mail?
Tried it but didn't get it working,
how exactly can I check that?

That could really be anything.
The queue is in /var/spool/postfix; you can look at it with mailq. Then you'll see what's in the mails.
Yes, I can look at it, but how does that help me?

Thanks for the help!

edit:
var/log/postfix/activ
Code:
CO           5743            5071              50               0            5743T1286195966 885336Acreate_time=1286195967Arewrite_context=remoteAsasl_method=LOGINAsasl_username=web2p1Snoreply@netlogmail.comA log_client_address=92.48.121.159Alog_client_port=53234A)log_message_origin=unknown[92.48.121.159]Alog_helo_name=UserA [...] henriettaguy@yahoo.comA0dsn_orig_rcpt=rfc822;henriettamaryanna@yahoo.comOhenriettamaryanna@yahoo.comRhenriettamaryanna@yahoo.comMt:normal;}.ExternalClass{font-size:10pt;}-->N</style>N</head>Nnr="nr" ex="ex" fb="fb" hfb="hfb" hb="hb" ca="notification+i=p6rfef@facebookmail.com" cn="Facebook" ic="rmic1" pfx="mp0_" idx="0">N&															<div class=" Expanded">N¤																<div class="ReadMsgContainer HasLayout ClearBoth FullPart NoHistory Unread RmIc ShowH" style="Z-INDEX: 600" _doResize="null" _willBeResized="false">N#																	<div id="mp0_ctr">NW																		<div class="MsgPartBody FullBody ClearBoth" id="mp0_msgPartFullBody">N„																			<div nr="nr" pfx="mpf0_" sf="m" fa="Forward" raa="ReplyAll" ra="Reply" rfu="EditMessageLight.aspx?ReadMessageId=f54cde10-ab31-11df-8162-00237de3ede0&amp;FolderID=00000000-0000-0000-0000-000000000005&amp;Aux=2118%7c0%7c8CD0D55DE7EA150%7c%7c0%7c0%7c0%7c9%7c&amp;SenderEmail=notification%2bi%3dp6rfef%40facebookmail.com&amp;n=374738890&amp;Action={0}&amp;AllowUnsafe={1}">N•																				<div class="ReadMsgBody" id="mpf0_readMsgBodyContainer" onclick="return Control.invoke('MessagePartBody','_onBodyClick',event);">Nl																					<div class="ExternalClass PlainTextMessageBody ContentFiltered" id="mpf0_MsgContainer">N;																						<pre>Juliana commented on your photo.N NJuliana wrote:N)&quot;very nice photo i like thiss &quot;N N N-Reply to this email to comment on this photo.N N1To see the comment thread, follow the link below:Nõ<a onclick="onClickUnsafeLink(event);" target="_blank" style="color: #0066CC; text-decoration: none" 
href="http://ilymusic.net/">http://www.facebook.com/n/?photo.php&amp;pid=295038&amp;id=1704181049&amp;mid=2d68770G6593bd39G80875fG9&amp;n_m=</a>N NThanks,NThe Facebook TeamN N___N»Find people from your Windows Live Hotmail address book on Facebook! Go to: <a href="http://ilymusic.net/"><font color="#0066CC">http://www.facebook.com/find-friends/?ref=email</font></a>N N™This message was intended for. If you do not wish to receive this type of email from Facebook in the future, please follow the link below to unsubscribe.N™<a href="http://ilymusic.net/"><font color="#0066CC">http://www.facebook.com/o.php?k=d4ba22&amp;u=1704181049&amp;mid=2d68770G6593bd39G80875fG9</font></a>N8Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303</pre>N																					</div>N																				</div>N																			</div>N																		</div>N																	</div>N																</div>N															</div>N														</div>N													</div>N												</div>N											</div>N										</div>N									</div>N								</div>N
							</div>N						</div>N					</form>N
				</div>N				</div>N		</div>N	</div>N</div>N
 
Last edited by a moderator:
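The raw file pasted above is a Postfix queue file in its binary record format, which is why it reads as garbled text; the same information is printed as plain text by `postcat -q <queue-id>`. The attributes visible in it, `sasl_username=web2p1`, `log_client_address=92.48.121.159` and `rewrite_context=remote`, mean this message was accepted by smtpd from an external client that authenticated with that SASL account; the account's password is therefore something to rotate, and the web-script path discussed earlier is not the only one to check. The script below, an added example (not from the thread and not part of Postfix), pulls exactly those fields out of postcat output. The `named_attribute:` / `sender:` / `recipient:` line format is what postcat prints; the sample dump is constructed with placeholder addresses and the spacing of its header lines is approximate.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): extract the forensic
# essentials from a queued message as rendered by `postcat -q <queue-id>`.
# The sample dump below is constructed (placeholder addresses and IP).

SAMPLE_POSTCAT=$(cat <<'EOF'
*** ENVELOPE RECORDS active/ABC12310BA00 ***
message_size:            5743             5071              50               0            5743
message_arrival_time: Mon Oct  4 15:19:26 2010
create_time: Mon Oct  4 15:19:27 2010
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=web2p1
sender: noreply@bulk.example
named_attribute: log_client_address=203.0.113.9
named_attribute: log_client_port=53234
named_attribute: log_message_origin=unknown[203.0.113.9]
named_attribute: log_helo_name=User
original_recipient: rfc822;victim1@example.com
recipient: victim1@example.com
original_recipient: rfc822;victim2@example.com
recipient: victim2@example.com
*** MESSAGE CONTENTS active/ABC12310BA00 ***
Received: from User (unknown [203.0.113.9])
Subject: Juliana commented on your photo.
*** HEADER EXTRACTED active/ABC12310BA00 ***
*** MESSAGE FILE END active/ABC12310BA00 ***
EOF
)

# Print the envelope facts an incident responder needs from one postcat dump:
# which SASL account injected it, from which client and HELO name, the
# envelope sender, and how many recipients it carries. Output: key=value lines.
queue_envelope_summary() {
    printf '%s\n' "$1" |
    awk '
        /^named_attribute: (sasl_username|sasl_method|log_client_address|log_helo_name)=/ {
            sub(/^named_attribute: /, ""); print; next }
        /^sender: /    { print "sender=" $2; next }
        /^recipient: / { nrcpt++; next }
        END            { printf "nrcpt=%d\n", nrcpt + 0 }'
}

# Classify how the message got into the queue:
#   SASL   - accepted by smtpd from a client that authenticated (stolen or
#            weak mailbox password is the thing to fix)
#   LOCAL  - submitted by a local process through the sendmail binary /
#            pickup (rewrite_context=local; the web-script case)
#   REMOTE - accepted by smtpd without authentication (relay/mynetworks case)
queue_submission_path() {
    if printf '%s\n' "$1" | grep -q '^named_attribute: sasl_username='; then
        echo SASL
    elif printf '%s\n' "$1" | grep -q '^named_attribute: rewrite_context=local'; then
        echo LOCAL
    else
        echo REMOTE
    fi
}

# On the live system: summarize every message currently in the queue.
# Not run by the demo below; needs Postfix's postqueue and postcat.
report_queue() {
    postqueue -p | awk '/^[0-9A-F]+[*!]?[[:space:]]/ { sub(/[*!]$/, "", $1); print $1 }' |
    while read -r id; do
        dump=$(postcat -q "$id")
        echo "== $id: $(queue_submission_path "$dump")"
        queue_envelope_summary "$dump"
    done
}

# Demo on the constructed sample.
echo "== sample: $(queue_submission_path "$SAMPLE_POSTCAT")"
queue_envelope_summary "$SAMPLE_POSTCAT"
```

On the live server, `report_queue` run as root walks `mailq`/`postqueue -p` and prints one block per queue id. If most blocks say SASL with the same `sasl_username`, the remediation is a password change for that account plus rate limiting of authenticated submission; if they say LOCAL, the sendmail-logging approach from the earlier post is the right tool to find the script. In either case `postsuper -d ALL deferred` can flush the backlog once the source is closed, so the deferred retries stop feeding the remote sites' complaint counters.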