[postfix-es] Mail and spam

Pablo Gentilel pablo en royalmercosur.com
Thu Oct 23 20:47:45 CEST 2008


Hello list:

Please, I need a hand with this. I have Postfix set up on Debian etch,
which has been running great for about a year, with spamassassin and
postgrey. The issue is that two days ago it started filling up with
logs, and what I did was delete them, thinking they were piling up
because the number of logs kept had been changed in /etc/logrotate. But
it turned out the server was actually sending out mail in huge
quantities, and a blacklist sent a notice to the abuse account, and that
is when I realized what was happening.
The mail was going out under one particular user; if I look at the
header, it says it uses SquirrelMail as the user agent, user credondo.
My question is: if there is no open relay, and in main.cf mydestination
is set like this: mydestination =  $mydomain, myhostname , localhost ..
and the option mynetworks = 192.168.0.0 ,127.0.0.1, how is it that mail
goes out with a domain other than my own?
Below is part of the Postfix log and the mail the blacklist sent to
notify me, in that order.
The way I fixed it for now is by changing the mail password, so it
cannot send mail either through the webmail or by authenticating with
SASL; I forgot to mention that the user is outside my LAN, so I had
enabled an account with sasl2 for them.
Thanks in advance




Mail from the blacklist.

This is an automated email abuse report from the folks at 
junkemailfilter.com for an email message received from IP address 
[201.251.7.126] on Wed, 22 Oct 2008 17:12:05 -0700.
The nature of this spam indicates possible fraud. Pay close attention to 
both the from address ]"THE CASINO-WEB LOTTERY AWARD" <info en casino.com>] 
and the reply-to address [].

We hope this information will help you in determining the source of the 
problem and shut it down. The original message is attached in MIME 
format with complete headers. For more information about this 
standardized abuse report format [ARF] please visit 
http://www.mipassoc.org/arf/ If you would prefer abuse reports in text 
format let us know.

If you have any questions or feedback about this abuse report or are 
interested in learning about our spam filtering technology feel free to 
contact us. If this is not spam please accept our apologies and let us 
know so we can fix the problem. Pay close attention to the REASON listed.
Marc Perkel - Fearless Leader
Junk Email Filter dot com
http://www.junkemailfilter.com

* Date:    Wed, 22 Oct 2008 17:12:05 -0700
* From:    "THE CASINO-WEB LOTTERY AWARD" <info en casino.com>
* Subject: Dear Lottery Winner,
* Host:    mail.royalmercosur.com [201.251.7.126]
* Reason:  419scam Freemail - Reply-to does not match From - 
R=barr_jasonsoper2 en hotmail.com F="THE CASINO-WEB LOTTERY AWARD" 
<info en casino.com> - X=pascal H=mail.royalmercosur.com [201.251.7.126] 
HELO=[mail.royalmercosur.com] F=[info en casino.com] T=[acordov

For more information about these abuse reports: 
http://wiki.junkemailfilter.com/index.php/Spam_abuse
To test or be removed from our blacklist: 
http://ipadmin.junkemailfilter.com/remove.php?ip=201.251.7.126

======== Original Headers ========

Delivery-date: Wed, 22 Oct 2008 17:12:05 -0700
Received: from mail.royalmercosur.com ([201.251.7.126])
    by pascal.junkemailfilter.com with esmtp (Exim 4.68)
    id 1Ksno4-0007zw-JQ on interface=65.49.42.60
    for acordova en metromedicalservices.com; Wed, 22 Oct 2008 17:12:05 -0700
Received: from localhost (localhost [127.0.0.1])
    by mail.royalmercosur.com (Postfix) with ESMTP id 09E9A8C304;
    Wed, 22 Oct 2008 15:44:25 -0300 (ART)
X-Virus-Scanned: amavisd-new at royalmercosur.com
Received: from mail.royalmercosur.com ([127.0.0.1])
    by localhost (mail.royalmercosur.com [127.0.0.1]) (amavisd-new, port 
10024)
    with ESMTP id 7+tKuGv-tLND; Wed, 22 Oct 2008 15:44:24 -0300 (ART)
Received: from mail.royalmercosur.com (localhost [127.0.0.1])
    by mail.royalmercosur.com (Postfix) with ESMTP id 123A58C2F6;
    Wed, 22 Oct 2008 15:44:23 -0300 (ART)
Received: from 81.199.88.72
       (SquirrelMail authenticated user credondo)
       by mail.royalmercosur.com with HTTP;
       Wed, 22 Oct 2008 15:44:23 -0300 (ART)
Message-ID: <3057.81.199.88.72.1224701063.squirrel en mail.royalmercosur.com>
Date: Wed, 22 Oct 2008 15:44:23 -0300 (ART)
Subject: Dear Lottery Winner,
From: "THE CASINO-WEB LOTTERY AWARD" <info en casino.com>
Reply-To: barr_jasonsoper2 en hotmail.com
User-Agent: SquirrelMail/1.4.9a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients:;
Content-Transfer-Encoding: quoted-printable
X-Sender-Domain: royalmercosur.com
X-Freemail-From: casino.com
X-Freemail-Reply-to: hotmail.com
X-Spamfilter-host: pascal.junkemailfilter.com - 
http://www.junkemailfilter.com
X-Mail-from: info en casino.com
X-From-name-part: the casino-web lottery award
X-Spam-Class: SPAM-HIGH-VERY - 419scam Freemail - Reply-to does not match From - 
R=barr_jasonsoper2 en hotmail.com F="THE CASINO-WEB LOTTERY AWARD" 
<info en casino.com> - X=pascal H=mail.royalmercosur.com [201.251.7.126] 
HELO=[mail.royalmercosur.com] F=[info en casino.com] 
T=[acordova en metromedicalservices.com] S=[Dear Lottery Winner,] FN=[the 
casino-web lottery award ]
X-Spamsave: Yes - 419scam Freemail - Reply-to does not match From - 
R=barr_jasonsoper2 en hotmail.com F="THE CASINO-WEB LOTTERY AWARD" 
<info en casino.com> - X=pascal H=mail.royalmercosur.com [201.251.7.126] 
HELO=[mail.royalmercosur.com] F=[info en casino.com] 
T=[acordova en metromedicalservices.com] S=[Dear Lottery Winner,] FN=[the 
casino-web lottery award ]
X-Sender-Host-Address: 201.251.7.126
X-Sender-Host-Name: mail.royalmercosur.com
X-Original-helo: mail.royalmercosur.com

------------------------------------------------------------------------

Feedback-Type: abuse
User-Agent: JunkEmailFilter - Abuse Reporter/1.0 - Testing - Feedback 
Appreciated
Version: 0.1
Original-Mail-From: "THE CASINO-WEB LOTTERY AWARD" <info en casino.com>
Original-Rcpt-To: undisclosed-recipients:;
Received-Date: Wed, 22 Oct 2008 17:12:05 -0700
Source-IP: 201.251.7.126


------------------------------------------------------------------------



from=<info en casino.com>, size=2711, nrcpt=50 (queue active)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 324259209E: 
from=<info en casino.com>, size=2711, nrcpt=50 (queue active)
Oct 23 09:02:36 localhost postfix/smtp[13709]: connect to 
cluster2.eu.messagelabs.com[195.245.231.83]: Connection refused (port 25)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 11FC62C6FD: from=<>, 
size=8265, nrcpt=1 (queue active)
Oct 23 09:02:36 localhost postfix/smtp[13714]: connect to 
cluster2.eu.messagelabs.com[195.245.231.67]: Connection refused (port 25)
Oct 23 09:02:36 localhost postfix/smtp[13708]: connect to 
cluster2.eu.messagelabs.com[193.109.255.131]: Connection refused (port 25)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: DB15DD186: from=<>, 
size=5438, nrcpt=1 (queue active)
Oct 23 09:02:36 localhost postfix/smtp[13710]: connect to 
cluster2.eu.messagelabs.com[195.245.230.179]: Connection refused (port 25)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 1D6398B789: from=<>, 
size=4385, nrcpt=1 (queue active)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 60CF52D600: 
from=<info en uk.com>, size=2108, nrcpt=50 (queue active)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 194248D2A7: from=<>, 
size=27838, nrcpt=1 (queue active)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 3835AC379: from=<>, 
size=9172, nrcpt=1 (queue active)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 1597E8B342: from=<>, 
size=14778,

This repeats for quite a few pages,
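
An added example, not part of the original post: Python that reads Postfix qmgr lines in the format shown in the log above and reports envelope senders outside the server's own domains with their recipient totals, and extracts the client IP and account from a SquirrelMail Received header like the one in the abuse report. The sample log lines, header, domains, and the names LOCAL_DOMAINS and min_rcpt are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data modelled on the log and header formats in the post
# (wrapped lines joined, addresses un-obfuscated, documentation domains/IPs).
LOCAL_DOMAINS = {"example.org"}          # assumption: domains this server hosts
SAMPLE_LOG = """\
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 324259209E: from=<info@casino.example>, size=2711, nrcpt=50 (queue active)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 11FC62C6FD: from=<>, size=8265, nrcpt=1 (queue active)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 60CF52D600: from=<info@uk.example>, size=2108, nrcpt=50 (queue active)
Oct 23 09:02:36 localhost postfix/qmgr[13699]: 324259209E: from=<info@casino.example>, size=2711, nrcpt=50 (queue active)
Oct 23 09:02:37 localhost postfix/qmgr[13699]: 7A1B2C3D4E: from=<ana@example.org>, size=1900, nrcpt=2 (queue active)
"""
SAMPLE_RECEIVED = ("from 192.0.2.72 (SquirrelMail authenticated user jdoe) "
                   "by mail.example.org with HTTP; Wed, 22 Oct 2008 15:44:23 -0300")

QMGR = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>, "
                  r"size=\d+, nrcpt=(\d+) \(queue active\)")
WEBMAIL = re.compile(r"from (\S+)\s+\(SquirrelMail authenticated user ([^)\s]+)\)")

def foreign_senders(log_text, local_domains, min_rcpt=10):
    """Return {sender: (messages, recipients)} for non-local envelope senders."""
    seen = {}                              # queue id -> (sender, nrcpt)
    for m in QMGR.finditer(log_text):
        qid, sender, nrcpt = m.group(1), m.group(2).lower(), int(m.group(3))
        seen[qid] = (sender, nrcpt)        # a re-activated queue id counts once
    totals = defaultdict(lambda: [0, 0])
    for sender, nrcpt in seen.values():
        if not sender:                     # from=<> is a bounce, not a submission
            continue
        domain = sender.rpartition("@")[2]
        if domain not in local_domains:
            totals[sender][0] += 1
            totals[sender][1] += nrcpt
    return {s: tuple(t) for s, t in totals.items() if t[1] >= min_rcpt}

def webmail_origin(received_header):
    """Return (client_ip, account) from a SquirrelMail Received header, or None."""
    m = WEBMAIL.search(received_header)
    return (m.group(1), m.group(2)) if m else None

if __name__ == "__main__":
    hits = foreign_senders(SAMPLE_LOG, LOCAL_DOMAINS)
    for sender, (msgs, rcpts) in sorted(hits.items()):
        print(f"{sender}: {msgs} message(s), {rcpts} recipient(s)")
    print("webmail submission:", webmail_origin(SAMPLE_RECEIVED))
```

The many from=<> entries are bounces coming back for the forged sender addresses, so the function skips them; the webmail hands mail to Postfix from localhost, which is inside mynetworks, so the account named in the Received header is the one to lock.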



