Insecure mail server?

Jammy

New Member
Hello,

I just received a spam mail from my server, from my own mail address postmaster@meinedomain.de.

My first suspicion now seems to be confirmed.
I am finding some clues in my logs.

mail.info

Nov 11 01:02:52 meinedomain postfix/qmgr[1894]: 85E5711028E4B: removed
Nov 11 01:02:52 meinedomain postfix/smtpd[9275]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:53 meinedomain postfix/smtpd[9276]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:53 meinedomain postfix/smtpd[9277]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:53 meinedomain postfix/smtpd[9275]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:53 meinedomain postfix/smtpd[9274]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:53 meinedomain postfix/smtpd[9276]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <uucp@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<uucp@meinedomain.de> to=<uucp@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:54 meinedomain postfix/smtpd[9277]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <thisisjusttestmessageatall@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<thisisjusttestmessageatall@meinedomain.de> to=<thisisjusttestmessageatall@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:54 meinedomain postfix/policyd-weight[6076]: decided action=550 temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 1 retries.; <client=200.253.110.30> <helo=speednet-g3-0-1-111-gacc01.ntl.embratel.net.br> <from=webmaster@meinedomain.de> <to=webmaster@meinedomain.de>; delay: 0s
Nov 11 01:02:54 meinedomain postfix/smtpd[9275]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.7.1 <webmaster@meinedomain.de>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 1 retries.; from=<webmaster@meinedomain.de> to=<webmaster@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:54 meinedomain postfix/smtpd[9274]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <support@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<support@meinedomain.de> to=<support@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:54 meinedomain postfix/smtpd[9276]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9276]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9277]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9275]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9275]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9277]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9274]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9274]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:05:35 meinedomain postfix/anvil[8189]: statistics: max connection rate 25/60s for (smtp:200.253.110.30) at Nov 11 01:02:53
Nov 11 01:05:35 meinedomain postfix/anvil[8189]: statistics: max connection count 5 for (smtp:200.253.110.30) at Nov 11 01:02:45
Nov 11 01:05:35 meinedomain postfix/anvil[8189]: statistics: max cache size 1 at Nov 11 00:55:35

mail.log

Nov 11 00:59:50 meinedomain postgrey[1812]: cleaning up old logs...
Nov 11 00:59:50 meinedomain postfix/smtpd[9218]: NOQUEUE: reject: RCPT from mx0.phx.paypal.com[66.211.168.230]: 450 4.2.0 <info@meinedomain.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/meinedomain.de.html; from=<service@paypal.de> to=<info@meinedomain.de> proto=ESMTP helo=<mx0.phx.paypal.com>
Nov 11 00:59:55 meinedomain postfix/smtpd[9218]: disconnect from mx0.phx.paypal.com[66.211.168.230]
Nov 11 01:00:01 meinedomain postfix/pickup[9217]: 8502711028E4D: uid=102 from=<smmsp>
Nov 11 01:00:01 meinedomain postfix/cleanup[9263]: 8502711028E4D: message-id=<20111110210001.8502711028E4D@mail.meinedomain.de>
Nov 11 01:00:01 meinedomain postfix/qmgr[1894]: 8502711028E4D: from=<smmsp@mail.meinedomain.de>, size=699, nrcpt=1 (queue active)
Nov 11 01:00:01 meinedomain postfix/local[9264]: 8502711028E4D: to=<root@mail.meinedomain.de>, orig_to=<root>, relay=local, delay=0.12, delays=0.07/0.01/0/0.03, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Nov 11 01:00:01 meinedomain postfix/qmgr[1894]: 8502711028E4D: removed
Nov 11 01:00:32 meinedomain postfix/smtpd[9218]: connect from mx0.phx.paypal.com[66.211.168.230]
Nov 11 01:00:33 meinedomain postfix/policyd-weight[6076]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 IN_IPv6_RBL=4.25 CL_IP_EQ_HELO_IP=-2 (check from: .paypal. - helo: .mx0.phx.paypal. - helo-domain: .paypal.) FROM/MX_MATCHES_HELO(DOMAIN)=-2 IN_ABUSE_RFCI=2.225; <client=66.211.168.230> <helo=mx0.phx.paypal.com> <from=service@paypal.de> <to=info@meinedomain.de>; rate: -2.025
Nov 11 01:00:33 meinedomain postfix/policyd-weight[6076]: decided action=PREPEND X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 IN_IPv6_RBL=4.25 CL_IP_EQ_HELO_IP=-2 (check from: .paypal. - helo: .mx0.phx.paypal. - helo-domain: .paypal.) FROM/MX_MATCHES_HELO(DOMAIN)=-2 IN_ABUSE_RFCI=2.225; rate: -2.025; <client=66.211.168.230> <helo=mx0.phx.paypal.com> <from=service@paypal.de> <to=info@meinedomain.de>; delay: 0s
Nov 11 01:00:33 meinedomain postgrey[1812]: action=greylist, reason=early-retry (257s missing), client_name=mx0.phx.paypal.com, client_address=66.211.168.230, sender=service@paypal.de, recipient=info@meinedomain.de
Nov 11 01:00:33 meinedomain postfix/smtpd[9218]: NOQUEUE: reject: RCPT from mx0.phx.paypal.com[66.211.168.230]: 450 4.2.0 <info@meinedomain.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/meinedomain.de.html; from=<service@paypal.de> to=<info@meinedomain.de> proto=ESMTP helo=<mx0.phx.paypal.com>
Nov 11 01:00:38 meinedomain postfix/smtpd[9218]: disconnect from mx0.phx.paypal.com[66.211.168.230]
Nov 11 01:02:41 meinedomain postfix/smtpd[9272]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:42 meinedomain postfix/smtpd[9272]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <accounting@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<accounting@meinedomain.de> to=<accounting@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:42 meinedomain postfix/smtpd[9272]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:42 meinedomain postfix/smtpd[9272]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:42 meinedomain postfix/smtpd[9272]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:42 meinedomain postfix/smtpd[9274]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:42 meinedomain postfix/smtpd[9275]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:42 meinedomain postfix/smtpd[9276]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:43 meinedomain postfix/smtpd[9272]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <advetising@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<advetising@meinedomain.de> to=<advetising@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:43 meinedomain postfix/smtpd[9274]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <advertising@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<advertising@meinedomain.de> to=<advertising@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:43 meinedomain postfix/smtpd[9275]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <administrator@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<administrator@meinedomain.de> to=<administrator@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:43 meinedomain postfix/smtpd[9276]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <accounts@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<accounts@meinedomain.de> to=<accounts@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:43 meinedomain postfix/smtpd[9272]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:43 meinedomain postfix/smtpd[9272]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:43 meinedomain postfix/smtpd[9274]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:43 meinedomain postfix/smtpd[9274]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:43 meinedomain postfix/smtpd[9275]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:43 meinedomain postfix/smtpd[9275]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:43 meinedomain postfix/smtpd[9276]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:43 meinedomain postfix/smtpd[9276]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:43 meinedomain postfix/smtpd[9272]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:44 meinedomain postfix/smtpd[9272]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <billing@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<billing@meinedomain.de> to=<billing@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:44 meinedomain postfix/smtpd[9272]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:44 meinedomain postfix/smtpd[9272]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:45 meinedomain postfix/smtpd[9276]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:45 meinedomain postfix/smtpd[9274]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:45 meinedomain postfix/smtpd[9272]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:45 meinedomain postfix/smtpd[9275]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:45 meinedomain postfix/smtpd[9277]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:45 meinedomain postfix/smtpd[9276]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <ccounting@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<ccounting@meinedomain.de> to=<ccounting@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:45 meinedomain postfix/smtpd[9274]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <home@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<home@meinedomain.de> to=<home@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:46 meinedomain postfix/smtpd[9272]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <help@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<help@meinedomain.de> to=<help@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:46 meinedomain postfix/smtpd[9275]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <ertising@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<ertising@meinedomain.de> to=<ertising@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:46 meinedomain postfix/smtpd[9276]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:46 meinedomain postfix/smtpd[9276]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:46 meinedomain postfix/smtpd[9274]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:46 meinedomain postfix/smtpd[9274]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:46 meinedomain postfix/smtpd[9272]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:46 meinedomain postfix/smtpd[9272]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:46 meinedomain postfix/smtpd[9277]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <contact@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<contact@meinedomain.de> to=<contact@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:46 meinedomain postfix/smtpd[9275]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:46 meinedomain postfix/smtpd[9275]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:46 meinedomain postfix/smtpd[9277]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:46 meinedomain postfix/smtpd[9277]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:48 meinedomain postfix/smtpd[9276]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:48 meinedomain postfix/smtpd[9274]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:48 meinedomain postfix/smtpd[9272]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:48 meinedomain postfix/smtpd[9277]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:48 meinedomain postfix/smtpd[9275]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:48 meinedomain postfix/smtpd[9276]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <in@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<in@meinedomain.de> to=<in@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:48 meinedomain postfix/smtpd[9274]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <majordomo@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<majordomo@meinedomain.de> to=<majordomo@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:48 meinedomain postfix/smtpd[9272]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <majodomo@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<majodomo@meinedomain.de> to=<majodomo@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:48 meinedomain postfix/smtpd[9277]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <mail@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<mail@meinedomain.de> to=<mail@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:48 meinedomain postfix/smtpd[9276]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:48 meinedomain postfix/smtpd[9276]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:48 meinedomain postfix/smtpd[9274]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:48 meinedomain postfix/smtpd[9274]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:49 meinedomain postfix/smtpd[9272]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:49 meinedomain postfix/smtpd[9272]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:49 meinedomain postfix/smtpd[9277]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:49 meinedomain postfix/smtpd[9277]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:49 meinedomain postfix/policyd-weight[6076]: weighted check: IN_SBL_XBL_SPAMHAUS=4.35 IN_SPAMCOP=3.75; <client=200.253.110.30> <helo=speednet-g3-0-1-111-gacc01.ntl.embratel.net.br> <from=info@meinedomain.de> <to=info@meinedomain.de>; rate: 8.1
Nov 11 01:02:49 meinedomain postfix/policyd-weight[6076]: decided action=550 Your MTA is listed in too many DNSBLs; check http://www.robtex.com/rbl/200.253.110.30.html; <client=200.253.110.30> <helo=speednet-g3-0-1-111-gacc01.ntl.embratel.net.br> <from=info@meinedomain.de> <to=info@meinedomain.de>; delay: 1s
Nov 11 01:02:49 meinedomain postfix/smtpd[9275]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.7.1 <info@meinedomain.de>: Recipient address rejected: Your MTA is listed in too many DNSBLs; check http://www.robtex.com/rbl/200.253.110.30.html; from=<info@meinedomain.de> to=<info@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:49 meinedomain postfix/smtpd[9275]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:49 meinedomain postfix/smtpd[9275]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:50 meinedomain postfix/smtpd[9276]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:50 meinedomain postfix/smtpd[9274]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:50 meinedomain postfix/smtpd[9277]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:50 meinedomain postfix/smtpd[9275]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:50 meinedomain postfix/smtpd[9272]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:51 meinedomain postfix/smtpd[9276]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <master@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<master@meinedomain.de> to=<master@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:51 meinedomain postfix/smtpd[9274]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <sales@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<sales@meinedomain.de> to=<sales@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:51 meinedomain postfix/smtpd[9277]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <root@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<root@meinedomain.de> to=<root@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:51 meinedomain postfix/policyd-weight[6076]: decided action=DUNNO mail for postmaster@meinedomain.de; <client=200.253.110.30> <helo=speednet-g3-0-1-111-gacc01.ntl.embratel.net.br> <from=postmaster@meinedomain.de> <to=postmaster@meinedomain.de>; delay: 0s
Nov 11 01:02:51 meinedomain postgrey[1812]: action=pass, reason=recipient whitelist, client_name=speednet-G3-0-1-111-gacc01.ntl.embratel.net.br, client_address=200.253.110.30, sender=postmaster@meinedomain.de, recipient=postmaster@meinedomain.de
Nov 11 01:02:51 meinedomain postfix/smtpd[9275]: 85E5711028E4B: client=speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:51 meinedomain postfix/smtpd[9276]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:51 meinedomain postfix/smtpd[9276]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:51 meinedomain postfix/smtpd[9272]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <ounts@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<ounts@meinedomain.de> to=<ounts@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:51 meinedomain postfix/smtpd[9274]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:51 meinedomain postfix/smtpd[9274]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:51 meinedomain postfix/smtpd[9277]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:51 meinedomain postfix/smtpd[9277]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:51 meinedomain postfix/smtpd[9272]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:51 meinedomain postfix/smtpd[9272]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:52 meinedomain postfix/cleanup[9278]: 85E5711028E4B: message-id=<20111110185617.2689.qmail@speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:52 meinedomain postfix/qmgr[1894]: 85E5711028E4B: from=<postmaster@meinedomain.de>, size=1376, nrcpt=1 (queue active)
Nov 11 01:02:52 meinedomain postfix/virtual[9279]: 85E5711028E4B: to=<info@meinedomain.de>, orig_to=<postmaster@meinedomain.de>, relay=virtual, delay=0.98, delays=0.97/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Nov 11 01:02:52 meinedomain postfix/qmgr[1894]: 85E5711028E4B: removed
Nov 11 01:02:52 meinedomain postfix/smtpd[9275]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:53 meinedomain postfix/smtpd[9276]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:53 meinedomain postfix/smtpd[9277]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:53 meinedomain postfix/smtpd[9275]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:53 meinedomain postfix/smtpd[9274]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:53 meinedomain postfix/smtpd[9276]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <uucp@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<uucp@meinedomain.de> to=<uucp@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:54 meinedomain postfix/smtpd[9277]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <thisisjusttestmessageatall@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<thisisjusttestmessageatall@meinedomain.de> to=<thisisjusttestmessageatall@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:54 meinedomain postfix/policyd-weight[6076]: decided action=550 temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 1 retries.; <client=200.253.110.30> <helo=speednet-g3-0-1-111-gacc01.ntl.embratel.net.br> <from=webmaster@meinedomain.de> <to=webmaster@meinedomain.de>; delay: 0s
Nov 11 01:02:54 meinedomain postfix/smtpd[9275]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.7.1 <webmaster@meinedomain.de>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 1 retries.; from=<webmaster@meinedomain.de> to=<webmaster@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:54 meinedomain postfix/smtpd[9274]: NOQUEUE: reject: RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]: 550 5.1.1 <support@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<support@meinedomain.de> to=<support@meinedomain.de> proto=SMTP helo=<speednet-G3-0-1-111-gacc01.ntl.embratel.net.br>
Nov 11 01:02:54 meinedomain postfix/smtpd[9276]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9276]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9277]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9275]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9275]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9277]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9274]: lost connection after RCPT from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:02:54 meinedomain postfix/smtpd[9274]: disconnect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]
Nov 11 01:05:35 meinedomain postfix/anvil[8189]: statistics: max connection rate 25/60s for (smtp:200.253.110.30) at Nov 11 01:02:53
Nov 11 01:05:35 meinedomain postfix/anvil[8189]: statistics: max connection count 5 for (smtp:200.253.110.30) at Nov 11 01:02:45
Nov 11 01:05:35 meinedomain postfix/anvil[8189]: statistics: max cache size 1 at Nov 11 00:55:35

meinedomain is the domain of the mail address.

As it looks, everything comes from a single IP.
The logs have all been backed up and the server has been shut down for now until the hole has been found.
How can something like this happen? The server has been online for just under 1 week; it is a fresh Squeeze with ISPCP.
Among other things, the following were installed:

Fail2Ban
mod_evasive
SSH key
Port changed
Root login not possible

How can I best find the hole now? What would you recommend?
 
What exactly do you see as a problem here?

E-mail headers and envelope information can be forged at will. Just because a mail client takes the liberty of identifying itself to your MTA with the sender postmaster@example.com, nothing is broken by a long shot. Welcome to the Internet.

You may also want to read up a little on how SMTP works in general.
 
I am aware that it is doable, but it apparently all ran through my server; the traffic says so too.

Nov 11 01:02:53 meinedomain postfix/smtpd[9276]: connect from speednet-G3-0-1-111-gacc01.ntl.embratel.net.br[200.253.110.30]

Does that mean he had my login credentials, or only that he used a mail address?

What options do I have to prevent this?
 
Does that mean he had my login credentials, or only that he used a mail address?
Neither. An external client delivered a mail to your MTA for a domain for which the MTA considers itself responsible. No more and no less.

What options do I have to prevent this?
You can shut down the MTA.

Of course, one could also simply check whether a client that uses an e-mail address with one of your domains as the sender is also authenticated, or generally authorized to do so, before accepting the mail. Postfix offers various options for this.
 
Of course, one could also simply check whether a client that uses an e-mail address with one of your domains as the sender is also authenticated, or generally authorized to do so, before accepting the mail. Postfix offers various options for this.

Do you have a few keywords for what I should search for?
 
All that this whole mess of logs says is that your Postfix greylisted a mail from Paypal and accepted the From/To postmaster@ one; the rest was rejected for various reasons.

You should urgently get hold of some technical literature and be able to apply and recite its contents inside out within a few days. Otherwise I would like to urge you to take the server completely off the network until you can. Thank you in advance.
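
The reading of the log given in the reply above (one greylisted mail, one accepted mail with a forged postmaster@ sender, the rest rejected) and the check suggested earlier in the thread (is a client using one of your domains as sender actually authenticated?) can be done mechanically. The following Python script is an added example, not part of the thread; `triage`, `classify` and `LOCAL_DOMAINS` are hypothetical names, and it assumes no trusted relay networks submit mail without SASL.

```python
import re
from collections import Counter

LOCAL_DOMAINS = {"meinedomain.de"}  # assumption: domains this MTA hosts

# Sample input: lines abridged from the thread's mail.log (client hostname
# shortened to client.example). The last three lines are constructed to show
# an authenticated submission for contrast.
SAMPLE_LOG = """\
Nov 11 01:00:33 meinedomain postfix/smtpd[9218]: NOQUEUE: reject: RCPT from mx0.phx.paypal.com[66.211.168.230]: 450 4.2.0 <info@meinedomain.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/meinedomain.de.html; from=<service@paypal.de> to=<info@meinedomain.de> proto=ESMTP helo=<mx0.phx.paypal.com>
Nov 11 01:02:43 meinedomain postfix/smtpd[9274]: NOQUEUE: reject: RCPT from client.example[200.253.110.30]: 550 5.1.1 <advertising@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<advertising@meinedomain.de> to=<advertising@meinedomain.de> proto=SMTP helo=<client.example>
Nov 11 01:02:44 meinedomain postfix/smtpd[9272]: NOQUEUE: reject: RCPT from client.example[200.253.110.30]: 550 5.1.1 <billing@meinedomain.de>: Recipient address rejected: User unknown in virtual mailbox table; from=<billing@meinedomain.de> to=<billing@meinedomain.de> proto=SMTP helo=<client.example>
Nov 11 01:02:49 meinedomain postfix/smtpd[9275]: NOQUEUE: reject: RCPT from client.example[200.253.110.30]: 550 5.7.1 <info@meinedomain.de>: Recipient address rejected: Your MTA is listed in too many DNSBLs; check http://www.robtex.com/rbl/200.253.110.30.html; from=<info@meinedomain.de> to=<info@meinedomain.de> proto=SMTP helo=<client.example>
Nov 11 01:02:51 meinedomain postfix/smtpd[9275]: 85E5711028E4B: client=client.example[200.253.110.30]
Nov 11 01:02:52 meinedomain postfix/qmgr[1894]: 85E5711028E4B: from=<postmaster@meinedomain.de>, size=1376, nrcpt=1 (queue active)
Nov 11 01:02:52 meinedomain postfix/virtual[9279]: 85E5711028E4B: to=<info@meinedomain.de>, orig_to=<postmaster@meinedomain.de>, relay=virtual, delay=0.98, delays=0.97/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Nov 11 01:02:54 meinedomain postfix/smtpd[9275]: NOQUEUE: reject: RCPT from client.example[200.253.110.30]: 550 5.7.1 <webmaster@meinedomain.de>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 1 retries.; from=<webmaster@meinedomain.de> to=<webmaster@meinedomain.de> proto=SMTP helo=<client.example>
Nov 11 09:15:02 meinedomain postfix/smtpd[9301]: A1B2C3D4E5F: client=dsl.example[192.0.2.10], sasl_method=PLAIN, sasl_username=info@meinedomain.de
Nov 11 09:15:02 meinedomain postfix/qmgr[1894]: A1B2C3D4E5F: from=<info@meinedomain.de>, size=2100, nrcpt=1 (queue active)
Nov 11 09:15:03 meinedomain postfix/smtp[9305]: A1B2C3D4E5F: to=<friend@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
"""

# Rejected at RCPT time: nothing was queued, nothing was delivered.
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"\d{3} \d\.\d+\.\d+ <[^>]*>: (?P<reason>.*?); from=<[^>]*>")
# Accepted from the network: smtpd assigns a queue ID; SASL fields are logged
# on this line only when the client authenticated.
CLIENT = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]{6,}): client=\S+\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
QMGR = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]{6,}): from=<(?P<sender>[^>]*)>, size=\d+")
DELIVER = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]{6,}): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")

REASONS = [("User unknown", "unknown_recipient"), ("DNSBL", "dnsbl"),
           ("Greylisted", "greylisted"), ("retrying too fast", "rate_penalty")]


def classify(reason):
    """Map a Postfix reject text to a short category."""
    for needle, label in REASONS:
        if needle in reason:
            return label
    return "other"


def triage(log_text, local_domains=LOCAL_DOMAINS):
    """Return (reject counts per (client IP, category), accepted messages)."""
    rejects = Counter()
    msgs = {}  # queue ID -> message record, only for mail received via smtpd
    for line in log_text.splitlines():
        if m := REJECT.search(line):
            rejects[(m["ip"], classify(m["reason"]))] += 1
        elif m := CLIENT.search(line):
            msgs[m["qid"]] = {"qid": m["qid"], "client_ip": m["ip"],
                              "sasl_user": m["user"], "sender": None,
                              "delivered_to": []}
        elif (m := QMGR.search(line)) and m["qid"] in msgs:
            msgs[m["qid"]]["sender"] = m["sender"]
        elif (m := DELIVER.search(line)) and m["qid"] in msgs:
            if m["status"] == "sent":
                msgs[m["qid"]]["delivered_to"].append(m["rcpt"])
    for msg in msgs.values():
        domain = (msg["sender"] or "").rpartition("@")[2].lower()
        # Envelope sender claims a hosted domain, but the client never authenticated.
        msg["spoofed_local_sender"] = domain in local_domains and msg["sasl_user"] is None
    return rejects, list(msgs.values())


if __name__ == "__main__":
    rejects, accepted = triage(SAMPLE_LOG)
    for (ip, category), count in sorted(rejects.items()):
        print(f"rejected  {ip:<16} {category:<18} x{count}")
    for msg in accepted:
        flag = "FORGED LOCAL SENDER" if msg["spoofed_local_sender"] else "ok"
        print(f"accepted  {msg['qid']} from={msg['sender']} client={msg['client_ip']} "
              f"sasl={msg['sasl_user']} -> {msg['delivered_to']} [{flag}]")
```
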
 
That is presumably a dynamic Internet provider IP anyway, which someone else already had 24 hours later. Ergo: no, that achieves nothing, unless one wants to start excluding entire countries via Geo IP.
 