How to prevent spoofing from Postfix/local part

#1 Wed, 04/29/2009 - 05:39
nihal


Some people send spoofed mails from our mail users to our users via Postfix/local, which appears in the maillog like below:

Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

But I do not know how to prevent these people from using my Postfix/local delivery part. How can I prevent this attack?

When I connect to my mail server to send or receive my mail, it looks like:

Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=..., lip=...
Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0

But the attackers connect directly like below:

Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 29 17:29:59 ns1 postfix/qmgr[2218]: 3192E357FD9: removed

Do you have any idea to solve this problem?

Wed, 04/29/2009 - 14:49
Joe

<div class='quote'>When I connect to my mail server to send or receive my mail, it looks like:
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***</div>

This is receiving mail. POP3 is a mail retrieval protocol. Dovecot is a POP3/IMAP server. This is not sending mail.

<div class='quote'>Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)</div>

This is mail being directed into procmail via Postfix. It is what <i>any</i> mail sent to your server looks like. It is not indicative of a problem, and it is not "spoofing".

What is the actual problem? The logs you've given us give no indication of spoofing. They look like normal delivery via procmail.

--

Check out the forum guidelines!

Thu, 04/30/2009 - 00:12 (Reply to #2)
nihal

I attach my maillog to help understand what I want to say. Most of the mail users send spam mails themselves, as shown in the attachment.

Most of the listed queue looks like below:

Apr 30 11:00:22 ns1 postfix/local[6357]: 7D0383584F0: to=<destek-domain.net@ns1.mydomain.com>, orig_to=<destek@domain.net>, relay=local, delay=1043, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 30 11:00:22 ns1 postfix/qmgr[30193]: 7D0383584F0: removed

And all this mail is sent to all users as spam. But I cannot find the trigger of this spam. This is the only local part problem. I think this spam attack is going out to the Internet from our server, because http://www.backscatterer.org/index.php lists the server IP in its blacklist.
The attack history given below is what is listed at http://www.backscatterer.org/index.php.

A total of 103 Impacts were seen during this listing. Last was 2009/04/30 05:32
Earliest date this IP can expire is 2009/05/28.

History:
2008/03/27 22:28 listed
2008/04/24 23:30 expired
2008/07/06 11:15 listed
2008/08/03 11:30 expired
2008/10/25 21:59 listed
2008/11/22 21:03 expired
2008/11/28 13:20 listed
2008/12/26 14:03 expired
2009/01/18 12:24 listed
2009/02/15 13:05 expired
2009/02/26 22:00 listed.

[file name=maillog.txt size=45442]http://www.virtualmin.com/components/com_fireboard/uploaded/files/maillo...
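Joe's point above is that postfix/local and dovecot lines are ordinary delivery and retrieval, while nihal's real question is where the outbound mail originates. The following is an added example, not code from the thread or from Virtualmin: a small Python classifier over constructed maillog lines in the format quoted above (sample values, hosts and addresses are made up), which counts lines per category and collects the queue IDs of messages the server relayed out, which is where a backscatter or spam source would show up.

```python
import re
from collections import Counter

# Constructed sample lines in the thread's maillog format (not the poster's attachment).
SAMPLE_LOG = """\
Apr 29 16:57:02 ns1 postfix/smtpd[3001]: EC2153565E3: client=unknown[192.0.2.10]
Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Apr 29 17:30:01 ns1 postfix/smtp[3102]: 3192E357FD9: to=<someone@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=1.2, status=sent (250 OK)
Apr 29 17:30:05 ns1 postfix/smtp[3103]: 4A11E357FE0: to=<forged@example.net>, relay=mx.example.net[203.0.113.11]:25, delay=0.9, status=bounced (550 5.1.1 User unknown)
"""

# syslog prefix, then program[pid]: optional queue id, then the key=value payload
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[\w/-]+)(?:\[\d+\])?: "
                     r"(?P<rest>(?:(?P<qid>[0-9A-F]{6,}): )?.*)$")
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]+)")

def classify(line):
    """Return (category, fields) for one maillog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip("<>") for k, v in FIELD_RE.findall(m.group("rest"))}
    if m.group("qid"):
        fields["queue_id"] = m.group("qid")
    prog = m.group("prog")
    if prog == "dovecot":
        return "retrieval", fields       # POP3/IMAP login: mail being read, not sent
    if prog == "postfix/local" and fields.get("relay") == "local":
        return "local-delivery", fields  # inbound mail handed to procmail: normal
    if prog == "postfix/smtpd":
        return "inbound-smtp", fields    # a remote client delivering mail to us
    if prog == "postfix/smtp":
        return "outbound-smtp", fields   # this server sending mail to another host
    return "other", fields

def summarize(log_text):
    """Count lines per category and collect queue IDs of mail this server relayed out."""
    counts, outbound_ids = Counter(), []
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        cat, fields = result
        counts[cat] += 1
        if cat == "outbound-smtp" and "queue_id" in fields:
            outbound_ids.append(fields["queue_id"])
    return counts, outbound_ids
```

Grepping the full maillog for the returned queue IDs shows the smtpd or pickup line that injected each outbound message (the authenticated user, client IP or local process), which is the trigger the thread is looking for.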
