[postfix-es] they are using the localhost method to send spam

Federico Alberto Sayd fsayd at uncu.edu.ar
Thu Oct 4 15:17:11 CEST 2012


On 04/10/12 05:29, Iñaki Rodríguez wrote:
> Hello,
>
> receiving spam from localhost is never a good sign. Most likely
> your server, or one of the websites you host, has been compromised.
>
> Regards
>
> Iñaki
>
> On 04/10/2012 7:39, Hans Suruy wrote:
>> Hello colleagues, I have a problem: spam is being sent through my server, and the
>> problem is that they use localhost, or 127.0.0.1, to send the
>> mail. Could someone help me prevent that?
>>
>> Here is a segment of my main.cf
>>
>> broken_sasl_auth_clients = yes
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_local_domain = $mydomain
>>
>> # Encryption with TLS
>> # smtpd_tls_auth_only = yes
>> smtpd_use_tls = yes
>> smtpd_tls_cert_file = /etc/postfix/cert.pem
>> smtpd_tls_key_file = /etc/postfix/key.pem
>> smtpd_tls_loglevel = 1
>>
>> # Mail restrictions (note: Kolab policies are not implemented)
>> #smtpd_recipient_restrictions = permit_sasl_authenticated,
>> #    permit_mynetworks, reject_unauth_destination, check_policy_service
>> #    unix:/var/spool/postfix/postgrey/socket
>> #kolabpolicy_time_limit = 3600
>> # kolabpolicy_max_idle = 20
>>
>> smtpd_recipient_restrictions = reject_invalid_hostname,
>>     reject_unknown_recipient_domain, reject_unauth_pipelining,
>>     permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
>>     reject_rbl_client multi.uribl.com, reject_rbl_client dsn.rfc-ignorant.org,
>>     reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client sbl-xbl.spamhaus.org,
>>     reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net,
>>     reject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net,
>>     reject_rbl_client combined.rbl.msrbl.net, reject_rbl_client rabl.nuclearelephant.com,
>>     check_policy_service unix:/var/spool/postfix/postgrey/socket,
>>     check_client_access hash:/etc/postfix/blacklist,
>>     check_sender_access hash:/etc/postfix/blacklist,
>>     permit
>>
>> # Mail routing
>> mailbox_transport = mailpostfilter
>> content_filter = mailprefilter
>> transport_maps = hash:/etc/postfix/transport
>>
>> # Outbound SMTP authentication
>> # smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>> # smtp_sasl_auth_enable = yes
>> # smtp_sasl_security_options =
>>
>> unknown_local_recipient_reject_code = 550
>> relay_domains = $mydestination, bcoinmob.com.gt
>> # relay_domains = mail.bcoinmob.com.gt
>> ##relayhost =
>> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
>> relayhost =
>>
>> smtpd_helo_required = yes
>> disable_vrfy_command = yes
>> strict_rfc821_envelopes = yes
>> invalid_hostname_reject_code = 554
>> multi_recipient_bounce_reject_code = 554
>> non_fqdn_reject_code = 554
>> relay_domains_reject_code = 554
>> unknown_address_reject_code = 554
>> unknown_client_reject_code = 554
>> unknown_hostname_reject_code = 554
>> unknown_local_recipient_reject_code = 554
>> unknown_relay_recipient_reject_code = 554
>> unknown_sender_reject_code = 554
>> unknown_virtual_alias_reject_code = 554
>> unknown_virtual_mailbox_reject_code = 554
>> unverified_recipient_reject_code = 554
>> unverified_sender_reject_code = 554
>>
>> _______________________________________________
>> postfix-es mailing list for discussing the Postfix MTA in Spanish
>> postfix-es at lists.wl0.org
>> http://lists.wl0.org/mailman/listinfo/postfix-es
There are thousands of ways someone can send mail from localhost.
If what is going out is spam, the most likely explanation is that the
security of your server has been compromised. It could be a vulnerability
in your webmail (if you use one), someone having gained access to your
system and running a program that uses your Postfix as a relay, or a
user having given away their credentials (phishing).

Regards
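Federico's reply names three ways the spam could be getting in: a webmail or other web application on the box, a planted process relaying through Postfix, and a phished user account. Each leaves a different trace in the Postfix log: `smtpd` records the connecting client (127.0.0.1 for anything that opened a socket locally) and the `sasl_username` when a login was used, while `pickup` records the Unix uid of anything injected through the local sendmail(1) command. Note also that in the posted `smtpd_recipient_restrictions`, `permit_mynetworks` is evaluated before `reject_unauth_destination`, so any process that can connect to 127.0.0.1 may relay anywhere (the Postfix default for `mynetworks` includes the loopback network); that is why the origin of each message matters more than its destination here. The script below is an added example, not part of the thread and not Postfix's own tooling: it joins the `smtpd`/`pickup` records to the `qmgr` line that carries the recipient count, totals recipients per origin and prints the largest senders with the hypothesis each one points at. The log lines, queue IDs, hosts, uids, addresses and the `example.com` domain are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix mail.log lines (not taken from the original post).
# Queue IDs, hosts, addresses, uids and recipient counts are invented for illustration.
SAMPLE_LOG = """\
Oct  4 03:12:01 mail postfix/smtpd[12345]: 7A1B2C3D4E: client=localhost[127.0.0.1]
Oct  4 03:12:01 mail postfix/qmgr[1200]: 7A1B2C3D4E: from=<promo@example.com>, size=2310, nrcpt=250 (queue active)
Oct  4 03:12:02 mail postfix/pickup[1199]: 9F8E7D6C5B: uid=33 from=<www-data>
Oct  4 03:12:02 mail postfix/qmgr[1200]: 9F8E7D6C5B: from=<www-data@mail.example.com>, size=1880, nrcpt=180 (queue active)
Oct  4 03:12:03 mail postfix/smtpd[12347]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=juan
Oct  4 03:12:03 mail postfix/qmgr[1200]: 1A2B3C4D5E: from=<juan@example.com>, size=4100, nrcpt=120 (queue active)
Oct  4 03:12:04 mail postfix/pickup[1199]: 2B3C4D5E6F: uid=1001 from=<maria>
Oct  4 03:12:04 mail postfix/qmgr[1200]: 2B3C4D5E6F: from=<maria@example.com>, size=900, nrcpt=1 (queue active)
Oct  4 03:12:05 mail postfix/smtpd[12349]: 3C4D5E6F7A: client=localhost[127.0.0.1]
Oct  4 03:12:05 mail postfix/qmgr[1200]: 3C4D5E6F7A: from=<promo@example.com>, size=2310, nrcpt=300 (queue active)
"""

# smtpd logs the connecting client (and the SASL login, if any) once per message.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=\S*\[(?P<ip>[^\]]+)\]"
    r"(?:.*?sasl_username=(?P<user>\S+))?"
)
# pickup logs messages injected locally through sendmail(1), with the caller's uid.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>"
)
# qmgr logs the envelope sender and recipient count for every queued message.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def attribute_submissions(lines):
    """Map each queue ID to the origin that injected it, then sum messages and
    recipients per origin. Returns {origin: {"messages": n, "recipients": m}}."""
    origin_of = {}  # queue id -> origin label
    nrcpt_of = {}   # queue id -> recipient count from the qmgr line
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            if m.group("user"):
                origin_of[m.group("qid")] = "sasl:%s@%s" % (m.group("user"), m.group("ip"))
            else:
                origin_of[m.group("qid")] = "smtpd:%s" % m.group("ip")
            continue
        m = PICKUP_RE.search(line)
        if m:
            origin_of[m.group("qid")] = "pickup:uid=%s(%s)" % (m.group("uid"), m.group("sender"))
            continue
        m = QMGR_RE.search(line)
        if m:
            nrcpt_of[m.group("qid")] = int(m.group("nrcpt"))
    totals = defaultdict(lambda: {"messages": 0, "recipients": 0})
    for qid, origin in origin_of.items():
        totals[origin]["messages"] += 1
        totals[origin]["recipients"] += nrcpt_of.get(qid, 0)
    return dict(totals)


def hint(origin):
    """Map an origin label to the hypothesis from the reply that it supports."""
    if origin.startswith("sasl:"):
        return "authenticated submission: check that user for phished credentials"
    if origin.startswith("smtpd:127.") or origin.startswith("smtpd:::1"):
        return "SMTP from loopback: a local process (webmail, web app, script) is relaying through Postfix"
    if origin.startswith("pickup:"):
        return "local sendmail(1) injection: inspect the process running as that uid"
    return "remote client: check mynetworks and the relay restrictions"


def top_origins(lines, limit=3):
    """Origins ranked by total recipients, highest first, each with a triage hint."""
    totals = attribute_submissions(lines)
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["recipients"], reverse=True)
    return [(o, s["messages"], s["recipients"], hint(o)) for o, s in ranked[:limit]]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: pass the path to the Postfix log, e.g. /var/log/mail.log
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for origin, msgs, rcpts, why in top_origins(lines, limit=5):
        print("%-28s %4d msgs %6d rcpts  %s" % (origin, msgs, rcpts, why))
```

On a real server, run it against `/var/log/mail.log` rather than the built-in sample. A large recipient total under `smtpd:127.0.0.1`, or under a `pickup:` entry carrying the web server's uid, points at the webmail or web-application case; a large total under a `sasl:` entry points at a phished account, and the username tells you whose password to reset.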


More information about the postfix-es mailing list