[postfix-es] Mail and spam

David Gonzalez david en delpozo.org
Thu Oct 23 21:33:46 CEST 2008


Hi,
In these cases, the first thing is to look at the source IP of the mail; it should
match your server's IP, so you can tell whether or not the problem is yours.

For some time now, the sending systems used by viruses/spam and the like have been
making up (or not) the sender's email address so that the mails pass as legitimate,
so it's not unusual to receive mails that never left your system or any of your
users.

If you look into it a bit, you'll see that anyone can forge the sender address on a
mail, so anyone can send a mail impersonating someone else.

Then, if the original address is yours, check whether or not the user sent those
mails. If it was from webmail, it's not because that particular user has a virus,
but there may be some vulnerability in SquirrelMail that makes it easy to send those
mails; it wouldn't be the first time that has happened.

Regards


On Thursday 23 October 2008 20:37:53 Pablo Gentilel wrote:
> Mails were going out from one particular user; if I look at the header it
> says the user agent is squirrelmail, user credondo.
> My question is: if there is no open relay, and in main.cf mydestination is
> set like this: mydestination =  $mydomain, myhostname , localhost ..
> and the option mynetworks = 192.168.0.0 ,127.0.0.1, how is it that
> mails go out with a domain other than my own?
> Here I leave you part of the postfix log and the mail from the blacklist
> that warned me, in that order.
> The way I have solved it for now is by changing the mail password,
> so he can't send mail either through the webmail or by authenticating with
> sasl, since I forgot to tell you that the user is outside my LAN,
> so I had enabled an account for him with sasl2.
> Thanks in advance
>
>
>
>
> Blacklist mail.
>
> This is an automated email abuse report from the folks at
> junkemailfilter.com for an email message received from IP address
> [201.251.7.126] on Wed, 22 Oct 2008 17:12:05 -0700.
>
> The nature of this spam indicates possible fraud. Pay close attention to
> both the from address ]"THE CASINO-WEB LOTTERY AWARD" <info en casino.com>]
> and the reply-to address [].
>
> We hope this information will help you in determining the source of the
> problem and shut it down. The original message is attached in MIME format
> with complete headers. For more information about this standardized abuse
> report format [ARF] please visit http://www.mipassoc.org/arf/ If you would
> prefer abuse reports in text format let us know.
>
> If you have any questions or feedback about this abuse report or are
> interested in learning about our spam filtering technology feel free to
> contact us. If this is not spam please accept our apologies and let us know
> so we can fix the problem. Pay close attention to the REASON listed. Marc
> Perkel - Fearless Leader
> Junk Email Filter dot com
> http://www.junkemailfilter.com
>
> * Date:    Wed, 22 Oct 2008 17:12:05 -0700
> * From:    "THE CASINO-WEB LOTTERY AWARD" <info en casino.com>
> * Subject: Dear Lottery Winner,
> * Host:    mail.royalmercosur.com [201.251.7.126]
> * Reason:  419scam Freemail - Reply-to does not match From -
> R=barr_jasonsoper2 en hotmail.com F="THE CASINO-WEB LOTTERY AWARD"
> <info en casino.com> - X=pascal H=mail.royalmercosur.com [201.251.7.126]
> HELO=[mail.royalmercosur.com] F=[info en casino.com] T=[acordov
>
> For more information about these abuse reports:
> http://wiki.junkemailfilter.com/index.php/Spam_abuse To test or be removed
> from our blacklist:
> http://ipadmin.junkemailfilter.com/remove.php?ip=201.251.7.126
>
> ======== Original Headers ========
>
> Delivery-date: Wed, 22 Oct 2008 17:12:05 -0700
> Received: from mail.royalmercosur.com ([201.251.7.126])
> 	by pascal.junkemailfilter.com with esmtp (Exim 4.68)
> 	id 1Ksno4-0007zw-JQ on interface=65.49.42.60
> 	for acordova en metromedicalservices.com; Wed, 22 Oct 2008 17:12:05 -0700
> Received: from localhost (localhost [127.0.0.1])
> 	by mail.royalmercosur.com (Postfix) with ESMTP id 09E9A8C304;
> 	Wed, 22 Oct 2008 15:44:25 -0300 (ART)
> X-Virus-Scanned: amavisd-new at royalmercosur.com
> Received: from mail.royalmercosur.com ([127.0.0.1])
> 	by localhost (mail.royalmercosur.com [127.0.0.1]) (amavisd-new, port
> 10024) with ESMTP id 7+tKuGv-tLND; Wed, 22 Oct 2008 15:44:24 -0300 (ART)
> Received: from mail.royalmercosur.com (localhost [127.0.0.1])
> 	by mail.royalmercosur.com (Postfix) with ESMTP id 123A58C2F6;
> 	Wed, 22 Oct 2008 15:44:23 -0300 (ART)
> Received: from 81.199.88.72
>         (SquirrelMail authenticated user credondo)
>         by mail.royalmercosur.com with HTTP;
>         Wed, 22 Oct 2008 15:44:23 -0300 (ART)
> Message-ID: <3057.81.199.88.72.1224701063.squirrel en mail.royalmercosur.com>
> Date: Wed, 22 Oct 2008 15:44:23 -0300 (ART)
> Subject: Dear Lottery Winner,
> From: "THE CASINO-WEB LOTTERY AWARD" <info en casino.com>
> Reply-To: barr_jasonsoper2 en hotmail.com
> User-Agent: SquirrelMail/1.4.9a
> MIME-Version: 1.0
> Content-Type: text/plain;charset=iso-8859-1
> X-Priority: 3 (Normal)
> Importance: Normal
> To: undisclosed-recipients:;
> Content-Transfer-Encoding: quoted-printable
> X-Sender-Domain: royalmercosur.com
> X-Freemail-From: casino.com
> X-Freemail-Reply-to: hotmail.com
> X-Spamfilter-host: pascal.junkemailfilter.com -
> http://www.junkemailfilter.com X-Mail-from: info en casino.com
> X-From-name-part: the casino-web lottery award
> X-Spam-Class: SPAM-HIGH-VERY - 419scam Freemail - Reply-to does not match
> From - R=barr_jasonsoper2 en hotmail.com F="THE CASINO-WEB LOTTERY AWARD"
> <info en casino.com> - X=pascal H=mail.royalmercosur.com [201.251.7.126]
> HELO=[mail.royalmercosur.com] F=[info en casino.com]
> T=[acordova en metromedicalservices.com] S=[Dear Lottery Winner,] FN=[the
> casino-web lottery award ] X-Spamsave: Yes - 419scam Freemail - Reply-to
> does not match From - R=barr_jasonsoper2 en hotmail.com F="THE CASINO-WEB
> LOTTERY AWARD" <info en casino.com> - X=pascal H=mail.royalmercosur.com
> [201.251.7.126] HELO=[mail.royalmercosur.com] F=[info en casino.com]
> T=[acordova en metromedicalservices.com] S=[Dear Lottery Winner,] FN=[the
> casino-web lottery award ] X-Sender-Host-Address: 201.251.7.126
> X-Sender-Host-Name: mail.royalmercosur.com
> X-Original-helo: mail.royalmercosur.com
>
> ------------------------------------------------------------------------
>
> Feedback-Type: abuse
> User-Agent: JunkEmailFilter - Abuse Reporter/1.0 - Testing - Feedback
> Appreciated Version: 0.1
> Original-Mail-From: "THE CASINO-WEB LOTTERY AWARD" <info en casino.com>
> Original-Rcpt-To: undisclosed-recipients:;
> Received-Date: Wed, 22 Oct 2008 17:12:05 -0700
> Source-IP: 201.251.7.126
>
>
> ------------------------------------------------------------------------
>
> Asunto:
> Dear Lottery Winner,
> De:
> "THE CASINO-WEB LOTTERY AWARD" <info en casino.com>
> Fecha:
> Wed, 22 Oct 2008 15:44:23 -0300 (ART)
>
> Para:
> undisclosed-recipients:;
>
> Delivery-date:
> Wed, 22 Oct 2008 17:12:05 -0700
> Received:
> from mail.royalmercosur.com ([201.251.7.126]) by
> pascal.junkemailfilter.com with esmtp (Exim 4.68) id 1Ksno4-0007zw-JQ on
> interface=65.49.42.60 for acordova en metromedicalservices.com; Wed, 22 Oct
> 2008 17:12:05 -0700
> Received:
> from localhost (localhost [127.0.0.1]) by mail.royalmercosur.com
> (Postfix) with ESMTP id 09E9A8C304; Wed, 22 Oct 2008 15:44:25 -0300 (ART)
> X-Virus-Scanned:
> amavisd-new at royalmercosur.com
> Received:
> from mail.royalmercosur.com ([127.0.0.1]) by localhost
> (mail.royalmercosur.com [127.0.0.1]) (amavisd-new, port 10024) with
> ESMTP id 7+tKuGv-tLND; Wed, 22 Oct 2008 15:44:24 -0300 (ART)
> Received:
> from mail.royalmercosur.com (localhost [127.0.0.1]) by
> mail.royalmercosur.com (Postfix) with ESMTP id 123A58C2F6; Wed, 22 Oct
> 2008 15:44:23 -0300 (ART)
> Received:
> from 81.199.88.72 (SquirrelMail authenticated user credondo) by
> mail.royalmercosur.com with HTTP; Wed, 22 Oct 2008 15:44:23 -0300 (ART)
> Message-ID:
> <3057.81.199.88.72.1224701063.squirrel en mail.royalmercosur.com>
> Responder a:
> barr_jasonsoper2 en hotmail.com
> Agente de usuario::
> SquirrelMail/1.4.9a
> MIME-Version:
> 1.0
> Content-Type:
> text/plain;charset=iso-8859-1
> X-Priority:
> 3 (Normal)
> Importance:
> Normal
> Content-Transfer-Encoding:
> quoted-printable
> X-Sender-Domain:
> royalmercosur.com
> X-Freemail-From:
> casino.com
> X-Freemail-Reply-to:
> hotmail.com
> X-Spamfilter-host:
> pascal.junkemailfilter.com - http://www.junkemailfilter.com
> X-Mail-from:
> info en casino.com
> X-From-name-part:
> the casino-web lottery award
> X-Spam-Class:
> SPAM-HIGH-VERY - 419scam Freemail - Reply-to does not match From -
> R=barr_jasonsoper2 en hotmail.com F="THE CASINO-WEB LOTTERY AWARD"
> <info en casino.com> - X=pascal H=mail.royalmercosur.com [201.251.7.126]
> HELO=[mail.royalmercosur.com] F=[info en casino.com]
> T=[acordova en metromedicalservices.com] S=[Dear Lottery Winner,] FN=[the
> casino-web lottery award ]
> X-Spamsave:
> Yes - 419scam Freemail - Reply-to does not match From -
> R=barr_jasonsoper2 en hotmail.com F="THE CASINO-WEB LOTTERY AWARD"
> <info en casino.com> - X=pascal H=mail.royalmercosur.com [201.251.7.126]
> HELO=[mail.royalmercosur.com] F=[info en casino.com]
> T=[acordova en metromedicalservices.com] S=[Dear Lottery Winner,] FN=[the
> casino-web lottery award ]
> X-Sender-Host-Address:
> 201.251.7.126
> X-Sender-Host-Name:
> mail.royalmercosur.com
> X-Original-helo:
> mail.royalmercosur.com
>
>
> from=<info en casino.com>, size=2711, nrcpt=50 (queue active)
> Oct 23 09:02:36 localhost postfix/qmgr[13699]: 324259209E:
> from=<info en casino.com>, size=2711, nrcpt=50 (queue active)
> Oct 23 09:02:36 localhost postfix/smtp[13709]: connect to
> cluster2.eu.messagelabs.com[195.245.231.83]: Connection refused (port 25)
> Oct 23 09:02:36 localhost postfix/qmgr[13699]: 11FC62C6FD: from=<>,
> size=8265, nrcpt=1 (queue active)
> Oct 23 09:02:36 localhost postfix/smtp[13714]: connect to
> cluster2.eu.messagelabs.com[195.245.231.67]: Connection refused (port 25)
> Oct 23 09:02:36 localhost postfix/smtp[13708]: connect to
> cluster2.eu.messagelabs.com[193.109.255.131]: Connection refused (port 25)
> Oct 23 09:02:36 localhost postfix/qmgr[13699]: DB15DD186: from=<>,
> size=5438, nrcpt=1 (queue active)
> Oct 23 09:02:36 localhost postfix/smtp[13710]: connect to
> cluster2.eu.messagelabs.com[195.245.230.179]: Connection refused (port 25)
> Oct 23 09:02:36 localhost postfix/qmgr[13699]: 1D6398B789: from=<>,
> size=4385, nrcpt=1 (queue active)
> Oct 23 09:02:36 localhost postfix/qmgr[13699]: 60CF52D600:
> from=<info en uk.com>, size=2108, nrcpt=50 (queue active)
> Oct 23 09:02:36 localhost postfix/qmgr[13699]: 194248D2A7: from=<>,
> size=27838, nrcpt=1 (queue active)
> Oct 23 09:02:36 localhost postfix/qmgr[13699]: 3835AC379: from=<>,
> size=9172, nrcpt=1 (queue active)
> Oct 23 09:02:36 localhost postfix/qmgr[13699]: 1597E8B342: from=<>,
> size=14778,
>
> This repeats for quite a few pages,
>
>
> _______________________________________________
> postfix-es mailing list for discussing the postfix MTA in Spanish
> postfix-es en lists.wl0.org
> http://lists.wl0.org/mailman/listinfo/postfix-es



-- 
David Gonzalez
 
david en delpozo.org 
Http://www.guadawireless.net 
GNU/Linux registered user #139902 
jabber: david en jabber.guadawireless.org 
 
Link to a project I have underway:
 
http://tiendasderegalos.biz
 
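David's first check (did the message really pass through your server, and if so, who injected it?) can be read off the Received chain. The following is an added example, not code from this thread or from any of the projects mentioned; it assumes you know your own MTA hostnames (passed as `own_hosts`) and works on a constructed, abridged copy of the headers from the abuse report quoted above.

```python
import re

# Constructed sample (abridged from the abuse report quoted on this page):
# the top-most Received header is the latest hop, the bottom-most the earliest.
SAMPLE_HEADERS = """\
Received: from mail.royalmercosur.com ([201.251.7.126])
    by pascal.junkemailfilter.com with esmtp (Exim 4.68); Wed, 22 Oct 2008 17:12:05 -0700
Received: from localhost (localhost [127.0.0.1])
    by mail.royalmercosur.com (Postfix) with ESMTP id 09E9A8C304; Wed, 22 Oct 2008 15:44:25 -0300 (ART)
Received: from 81.199.88.72
    (SquirrelMail authenticated user credondo)
    by mail.royalmercosur.com with HTTP; Wed, 22 Oct 2008 15:44:23 -0300 (ART)
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
AUTH_RE = re.compile(r"authenticated (?:user|sender) ([^\s)]+)", re.I)

def unfold(headers):
    """Join folded header continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def received_chain(headers):
    """Return the Received header values, earliest hop first (bottom-most)."""
    vals = [line[len("received:"):].strip() for line in unfold(headers).splitlines()
            if line.lower().startswith("received:")]
    return list(reversed(vals))

def entry_hop(headers, own_hosts):
    """Walk from the earliest hop and return the first one received *by* one of
    our own hosts: that is where the message entered our mail system."""
    for hop in received_chain(headers):
        m = re.match(r"from (\S+)(.*?) by (\S+)", hop)
        if not m or m.group(3) not in own_hosts:
            continue
        client, extra = m.group(1), m.group(2)
        ip, auth = IP_RE.search(client + extra), AUTH_RE.search(extra)
        return {"by": m.group(3), "client": client,
                "client_ip": ip.group(1) if ip else None,
                "auth_user": auth.group(1) if auth else None}
    return None  # never passed through our hosts: the sender was forged elsewhere

def verdict(hop):
    """Classify the case as David's advice asks: is it our problem, and which kind?"""
    if hop is None:
        return "forged-elsewhere"  # not our traffic; nothing to fix on our MTA
    if hop["auth_user"]:
        return "compromised-account"  # one of our logins injected it (webmail/SASL)
    return "unauthenticated-relay"  # entered without auth: review relay restrictions
```

For the headers in this thread the result is `compromised-account` for user `credondo` from 81.199.88.72, which is exactly why changing that user's password stopped the flow: mynetworks never applied, because an authenticated user is allowed to relay regardless of source network.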

