[postfix-es] SPAM @qq.com

Carina Barca cbarca at jujuytel.com.ar
Wed Jan 23 23:15:44 CET 2013


Hi all: I have a mail server set up with postfix+dovecot+spamassassin+clamav, and in its logs I have detected that so far 4 mail accounts are sending mail to qq.com or 168.com

Jan 23 18:50:15 mail postfix/qmgr[3772]: BA7E7D9EDE: from=<micorreo en midominio.com.ar>, size=2091, nrcpt=11 (queue active)
Jan 23 18:50:15 mail amavis[5550]: (05550-19) Blocked SPAM, [58.61.196.237] [58.61.196.237] <micorreo en midominio.com.ar> -> <1375150443 en qq.com>,<1576166770 en qq.com>,<$
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<1375150443 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (25$
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<1576166770 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (25$
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<1664050283 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (25$
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<1758056014 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (25$
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<2309102464 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (25$
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<277210112 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250$
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<36147740 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250 $
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<469076755 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250$
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<499236938 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250$
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<583033679 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250$
Jan 23 18:50:15 mail postfix/smtp[5601]: BA7E7D9EDE: to=<924107967 en qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250$
Jan 23 18:50:15 mail postfix/qmgr[3772]: BA7E7D9EDE: removed


This generates a lot of traffic for me, with the consequent risk of being blocked on the spam blacklists.
The command postconf -n gives me the following

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = localhost, $myhostname
myhostname = mail.jujuytel.com.ar
mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/24 xxx.xx.xx.0/24
mynetworks_style = host
myorigin = $myhostname
readme_directory = no
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_rbl_client bl.spamcop.net,reject_rbl_client zen.spamhaus.org,reject_rbl_client sbl-xbl.spamhaus.org,reject_rbl_client dnsbl-1.uceprotect.net,check_recipient_access hash:/etc/postfix/recipient_access,reject_unauth_destination,regexp:/etc/postfix/bloqueados,check_policy_service inet:127.0.0.1:60000,permit
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = regexp:/etc/postfix/bloqueados
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

The Postfix version
mail_version = 2.7.1
And it is installed from the Debian repositories (I use squeeze).
As you can see, I tried to block that domain without success; I still have a lot of traffic.
What I could find out is that this is a worm that sends spam using the qq.com and 168.com domains. How do I stop my users from sending those mails?
Thank you very much

Regards
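An added log-triage example, not code from this post, the postfix-es list or the Postfix project: it correlates the postfix/qmgr `from=` line with the postfix/smtp `to=` lines through the queue ID, pulls the submitting client IP out of amavis "Blocked SPAM" lines, and reports which local accounts are pushing mail to the domains named above. It uses only the Python 3 standard library; the sample lines are constructed in the format of the log excerpt, with placeholder addresses, a documentation IP (203.0.113.5) and made-up queue IDs.

```python
"""Triage Postfix/amavis logs for local senders pushing mail to watched domains.

Added example, not code from the mailing-list post or from the Postfix project.
It correlates 'postfix/qmgr ... from=' lines with 'postfix/smtp ... to=' lines
via the queue ID, pulls the submitting client IP out of amavis 'Blocked SPAM'
lines, and reports which local accounts send to the domains named in the post.
"""
import re
from collections import defaultdict

# Domains named in the post; extend as needed.
WATCHED_DOMAINS = {"qq.com", "168.com"}

QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), .*status=(?P<status>\w+)"
)
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Blocked SPAM, \[(?P<ip>[\d.]+)\] \[[\d.]+\] <(?P<sender>[^>]*)> -> (?P<rcpts>.*)$"
)

# Constructed sample in the format of the post's excerpt: placeholder addresses,
# an RFC 5737 documentation IP and made-up queue IDs. Not real log data.
SAMPLE_LOG = """\
Jan 23 18:50:15 mail postfix/qmgr[3772]: 1A2B3C4D5E: from=<alice@example.com.ar>, size=2091, nrcpt=6 (queue active)
Jan 23 18:50:15 mail amavis[5550]: (05550-19) Blocked SPAM, [203.0.113.5] [203.0.113.5] <alice@example.com.ar> -> <1001@qq.com>,<1002@qq.com>,<1003@qq.com>,<1004@qq.com>,<1005@qq.com>,<77@168.com>
Jan 23 18:50:15 mail postfix/smtp[5601]: 1A2B3C4D5E: to=<1001@qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=05550-19 - SPAM)
Jan 23 18:50:15 mail postfix/smtp[5601]: 1A2B3C4D5E: to=<1002@qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=05550-19 - SPAM)
Jan 23 18:50:15 mail postfix/smtp[5601]: 1A2B3C4D5E: to=<1003@qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=05550-19 - SPAM)
Jan 23 18:50:15 mail postfix/smtp[5601]: 1A2B3C4D5E: to=<1004@qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=05550-19 - SPAM)
Jan 23 18:50:15 mail postfix/smtp[5601]: 1A2B3C4D5E: to=<1005@qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=05550-19 - SPAM)
Jan 23 18:50:15 mail postfix/smtp[5601]: 1A2B3C4D5E: to=<77@168.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=14, delays=14/0/0/0.11, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=05550-19 - SPAM)
Jan 23 18:50:15 mail postfix/qmgr[3772]: 1A2B3C4D5E: removed
Jan 23 18:51:02 mail postfix/qmgr[3772]: 9F8E7D6C5B: from=<bob@example.com.ar>, size=1400, nrcpt=2 (queue active)
Jan 23 18:51:02 mail postfix/smtp[5601]: 9F8E7D6C5B: to=<carol@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=1/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0C1D2E3F4A)
Jan 23 18:51:02 mail postfix/smtp[5601]: 9F8E7D6C5B: to=<2002@qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=1/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0C1D2E3F4B)
Jan 23 18:51:02 mail postfix/qmgr[3772]: 9F8E7D6C5B: removed
"""


def parse_log(text):
    """Return (qid->sender, qid->[(rcpt, relay, status)], [(client_ip, sender, [rcpts])])."""
    senders, deliveries, blocked = {}, defaultdict(list), []
    for line in text.splitlines():
        if m := QMGR_RE.search(line):
            # Queue IDs are reused over time: feed this a bounded window (e.g. one day).
            senders[m["qid"]] = m["sender"].lower()
        elif m := SMTP_RE.search(line):
            # relay is kept so hand-offs to the content filter (127.0.0.1:10024 in the
            # posted config) can be told apart from deliveries to the destination MX.
            deliveries[m["qid"]].append((m["rcpt"].lower(), m["relay"], m["status"]))
        elif m := AMAVIS_RE.search(line):
            rcpts = [r.lower() for r in re.findall(r"<([^>]*)>", m["rcpts"])]
            blocked.append((m["ip"], m["sender"].lower(), rcpts))
    return senders, deliveries, blocked


def domain_of(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def recipients_by_sender(text, watched=WATCHED_DOMAINS):
    """Count recipients per local sender, per watched domain, from the smtp 'to=' lines."""
    senders, deliveries, _ = parse_log(text)
    counts = defaultdict(lambda: defaultdict(int))
    for qid, rcpts in deliveries.items():
        sender = senders.get(qid, "<unknown>")  # qmgr line fell outside the window
        for rcpt, _relay, _status in rcpts:
            dom = domain_of(rcpt)
            if dom in watched:
                counts[sender][dom] += 1
    return {s: dict(d) for s, d in counts.items()}


def flag_senders(text, threshold=5, watched=WATCHED_DOMAINS):
    """Senders whose watched-domain recipient count reaches the threshold, highest first."""
    totals = {s: sum(d.values()) for s, d in recipients_by_sender(text, watched).items()}
    return sorted(((s, n) for s, n in totals.items() if n >= threshold), key=lambda x: (-x[1], x[0]))


def source_ips(text):
    """Client IPs amavis recorded for each sender it blocked: where the submissions came from."""
    _, _, blocked = parse_log(text)
    ips = defaultdict(set)
    for ip, sender, _rcpts in blocked:
        ips[sender].add(ip)
    return {s: sorted(v) for s, v in ips.items()}


if __name__ == "__main__":
    ips = source_ips(SAMPLE_LOG)
    for sender, n in flag_senders(SAMPLE_LOG):
        print(f"{sender}: {n} recipients at watched domains, submitted from {ips.get(sender, [])}")
```

Point it at a bounded slice of /var/log/mail.log rather than the whole file, since Postfix reuses queue IDs. Note that the `status=sent` lines in the post name relay 127.0.0.1:10024, which is the amavis content filter from the posted `content_filter` setting, so they record the hand-off to the filter rather than a delivery to qq.com; the `relay` field is kept for that reason. On the blocking side, one property of Postfix worth checking against the posted configuration: a restriction list is evaluated left to right and stops at the first PERMIT or REJECT, so with `permit_sasl_authenticated` at the head of `smtpd_recipient_restrictions`, none of the later entries (the `regexp:/etc/postfix/bloqueados` table included) are consulted for mail submitted by an authenticated account. A recipient-domain block that is meant to apply to the server's own users has to be placed before that permit, and the flagged accounts' passwords should be changed, since the submissions come from the clients amavis logs, not from the server.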


