[postfix-users] Spam from local - yet again ...

Matthias Schmidt beta at admilon.net
Tue Sep 18 03:03:21 CEST 2012


Hello,
yesterday, mails once again came in here over roughly 45 minutes, some of which were rejected as spam.
When this happened the first time, I followed Uwe's advice and changed my main.cf like this:

smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_use_pw_server = yes
#with greylisting
#smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
#without greylisting
smtpd_recipient_restrictions = 
		permit_sasl_authenticated
		permit_mynetworks
		permit_tls_clientcerts
		check_sender_access hash:/etc/postfix/whitelist
		reject_non_fqdn_hostname
		reject_unknown_reverse_client_hostname 
		reject_unauth_destination
		reject_rbl_client cbl.abuseat.org 
		reject_rbl_client zen.spamhaus.org
		
smtpd_pw_server_security_options = login,gssapi,cram-md5
data_directory = /var/lib/postfix
smtpd_client_restrictions = 
smtpd_sender_restrictions = 
	check_sender_access regexp:/etc/postfix/tag_as_originating.re
	permit_mynetworks
	permit_sasl_authenticated
	permit_tls_clientcerts
	check_sender_access regexp:/etc/postfix/tag_as_foreign.re

smtpd_data_restrictions = reject_unauth_pipelining
mydestination = $myhostname, localhost.$mydomain, localhost, mail.$mydomain, liste.$mydomain, $mydomain
virtual_transport = virtual


The mails arrive here with sasl_username=ftp. Mail is not enabled for the (system user) ftp.


The mail looks like this:
Content type: Spam
Internal reference code for the message is 20536-07/3+yiMXOQhcE5

First upstream SMTP client IP address: [65.200.13.203] 
According to a 'Received:' trace, the message apparently originated at:
 [17.45.146.70], nico-lae.qr.32.de [17.45.146.70]

Return-Path: <dagata at ma-pu.plm.com>
From:
 Co-operative-Bank-p.l.c.UK.363 at e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk
Message-ID:
 <E1T94zk-2493-Bo at Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
X-Mailer: Stylatule-decouvrez 6.4
Subject: IMPORTANT SECURITY ISSUES [INCIDENT 462376-xz-46 ]
Not quarantined.

The message WAS NOT relayed to:
<mod9966 at hotmail.com>:
  250 2.7.0 Ok, discarded, id=20536-07 - SPAM

SpamAssassin report:
Spam detection software, running on the system "mcgregor.admilon.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
websensei at admilon.net for details.

Content preview:  ACCESS TO YOUR ACCOUNT HAS BEEN TEMPORARILY SUSPENDED. The
  reason for this issue: - UNUSUAL NUMBER OF INVALID LOGIN ATTEMPTS ON YOUR
  ACCOUNT To restore your account, please click below: [...] 

Content analysis details:   (13.0 points, 25.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
0.0 MSGID_MULTIPLE_AT      Message-ID contains multiple '@' characters
0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
2.4 TVD_PH_BODY_ACCOUNTS_PRE BODY: TVD_PH_BODY_ACCOUNTS_PRE
-0.0 BAYES_40               BODY: Bayes spam probability is 20 to 40%
                           [score: 0.3950]
1.5 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words
0.3 HTML_MESSAGE           BODY: HTML included in message
0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                           above 50%
                           [cf: 100]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                           [cf: 100]
4.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
0.0 TO_EQ_FM_HTML_ONLY     To == From and HTML only
0.0 TO_NO_BRKTS_NORDNS_HTML TO_NO_BRKTS_NORDNS_HTML
Return-Path: <dagata at ma-pu.plm.com>
Received: from [128.2.1.64] (unknown [65.200.13.203])
	by mcgregor.admilon.net (Postfix) with ESMTPA id 25AF01DBA536
	for <mod9966 at hotmail.com>; Mon, 17 Sep 2012 22:22:07 +0900 (JST)
X-TM-AS-Result: No--7.291-5.0-31-1
X-Recommended-Action: accept
X-IronPort-AV: E=Sophos;i="4.80,368,1344186000";
X-Envelope-From: hsbc-uk-mintea-nji-iasti-ebay-de.fr-dultzii at nico-lae.qr.32.de
Content-type: text/html
X-Proofpoint-Spam-Details: rule=notspam policy=default score=11 spamscore=11 suspectscore=3
X-SpamExpertAristo-Outgoing-Evidence: Combined (0.24)
X-SpamExpertAristo-Username: 61.8.92.97
X-Mailer: Stylatule-decouvrez 6.4
To: mod9966 at hotmail.com
Date: Mon, 17 Sep 2012 13:22:08 GMT
X-Barracuda-Start-Time: 135755806806600
Subject: IMPORTANT SECURITY ISSUES [INCIDENT 462376-xz-46 ]
X-Copfilter-Virus-Scanned: ClamAV 0.684.2
Received: from nico-lae.qr.32.de ([17.45.146.70]) by ghs-fw (Copfilter 0.84beta4)
X-IronPort-Anti-Spam-Filtered: true
From: Co-operative-Bank-p.l.c.UK.363 at e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk
X-Filter-ID: XtLePq6GTMn8G68F0comdleehesxkccwnpq66380849601991cmBIW/8OODKS1A/6t51a7Dur
X-Filtered-With: Copfilter Version 0.84beta4 (ProxSMTP 1.8)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.7.7855,1.0.431,0.0.000
X-OriginalArrivalTime: 04 Sep 2012 16:53:23.0515 (UTC) FILETIME=[CBBBD8B0:01CD8ABD]
X-SpamExpertAristo-Domain: joomlabouwer.nl
Message-ID: <E1T94zk-2493-Bo at Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
X-Originating-IP: 61.8.92.97
X-imss-scan-details: No--7.291-5.0-31-1
X-Copfilter-Originating-IP: 89.105.199.76
X-SpamExpertAristo-Outgoing-Class: ham
X-TM-IMSS-Message-ID: <2c625bfa00003402 at bodyshape.co.th>
X-IronPort-Anti-Spam-Result: tc597710475692009648zbf1847zhfdijebku$
X-TM-AS-Product-Ver: IMSS-7.0.0.6126-6.8.0.1017-19162.000
Authentication-Results: aristo-internet.nl;auth=pass () smtp.auth=61.8.92.97
Content-Transfer-Encoding: 7bit


In the log it looks like this:

Sep 17 22:22:05 mcgregor postfix/smtpd[20603]: connect from unknown[65.200.13.203]
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: NOQUEUE: filter: RCPT from unknown[65.200.13.203]: <dagata at ma-pu.plm.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<dagata at ma-pu.plm.com> to=<mod9966 at hotmail.com> proto=ESMTP helo=<[128.2.1.64]>
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: 25AF01DBA536: client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:22:17 mcgregor postfix/cleanup[20650]: 25AF01DBA536: message-id=<E1T94zk-2493-Bo at Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
Sep 17 22:22:17 mcgregor postfix/qmgr[505]: 25AF01DBA536: from=<dagata at ma-pu.plm.com>, size=3817, nrcpt=1 (queue active)
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-06) loaded policy bank "ORIGINATING"
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-06) process_request: fileno sock=12, STDIN=0, STDOUT=1
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ESMTP::10026 /var/amavis/tmp/amavis-20120917T221431-20536: <dagata at ma-pu.plm.com> -> <mod9966 at hotmail.com> Received: from mcgregor.admilon.net ([127.0.0.1]) by localhost (mcgregor.admilon.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <mod9966 at hotmail.com>; Mon, 17 Sep 2012 22:22:17 +0900 (JST)
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) smtp connection cache, dt: 85.1, state: 0
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) body hash: b55bb74e4d5c950db7ed42aa282aa202
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) Checking: 3+yiMXOQhcE5 ORIGINATING [65.200.13.203] <dagata at ma-pu.plm.com> -> <mod9966 at hotmail.com>
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) 2822.From: <Co-operative-Bank-p.l.c.UK.363 at e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk>, 2821.Mail_From: <dagata at ma-pu.plm.com>
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) p001 1 Content-Type: text/html, size: 1755 B, name: 
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) Checking for banned types and filenames
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) INFO: unknown banned table name ALT-RULES, recip=mod9966 at hotmail.com
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) collect banned table[0]: mod9966 at hotmail.com, tables: 
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) p.path mod9966 at hotmail.com: "P=p001,L=1,M=text/html,T=html"
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ask_av Using (ClamAV-clamd): CONTSCAN /var/amavis/tmp/amavis-20120917T221431-20536/parts\n
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ClamAV-clamd: Connecting to socket  /var/amavis/clamd
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20120917T221431-20536/parts\n to UNIX socket /var/amavis/clamd
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) run_av (ClamAV-clamd): CLEAN
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) run_av (ClamAV-clamd) result: clean
Sep 17 22:22:18 mcgregor postfix/smtpd[20603]: disconnect from unknown[65.200.13.203]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) spam_scan: score=13.043 autolearn=no tests=[BAYES_40=-0.001,DKIM_ADSP_NXDOMAIN=0.9,HTML_IMAGE_ONLY_20=1.546,HTML_MESSAGE=0.3,MIME_HTML_ONLY=0.723,MSGID_MULTIPLE_AT=0.001,RAZOR2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.886,RAZOR2_CHECK=4,RDNS_NONE=0.793,TO_EQ_FM_HTML_ONLY=0.001,TO_NO_BRKTS_NORDNS_HTML=0.001,TVD_PH_BODY_ACCOUNTS_PRE=2.393]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) blocking contents category is (6) for mod9966 at hotmail.com
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) do_notify_and_quar: ccat=Spam (6,0) ("6":Spam, "5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(6), qar_mth=
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) skip local delivery(3): <> -> <spam-quarantine>
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) SPAM, <dagata at ma-pu.plm.com> -> <mod9966 at hotmail.com>, Yes, score=13.043 tag=-999 tag2=7 kill=12 tests=[BAYES_40=-0.001, DKIM_ADSP_NXDOMAIN=0.9, HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.3, MIME_HTML_ONLY=0.723, MSGID_MULTIPLE_AT=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=4, RDNS_NONE=0.793, TO_EQ_FM_HTML_ONLY=0.001, TO_NO_BRKTS_NORDNS_HTML=0.001, TVD_PH_BODY_ACCOUNTS_PRE=2.393] autolearn=no, quarantine 3+yiMXOQhcE5 (spam-quarantine)
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) dkim: candidate originators: 2822.From:<websensei at admilon.net>, 2821.mail_from:<websensei at admilon.net>
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) dkim: signing (author), From: <websensei at admilon.net>, KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>admilon.net, s=>default, ttl=>1814400, x=>1349702537.86839
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp session: setting up a new session
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp creating socket by IO::Socket::INET to [127.0.0.1]:10027
Sep 17 22:22:23 mcgregor postfix/smtpd[20578]: connect from localhost[127.0.0.1]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to greeting: 220 mcgregor.admilon.net ESMTP Postfix
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> EHLO localhost
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to EHLO: 250 mcgregor.admilon.net\nPIPELINING\nSIZE 41943040\nVRFY\nETRN\nAUTH LOGIN CRAM-MD5 GSSAPI\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) AUTH not needed, user='', MTA offers 'LOGIN CRAM-MD5 GSSAPI'
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> MAIL FROM:<websensei at admilon.net> ENVID=AM..20120917T132223Z at mcgregor.admilon.net
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> RCPT TO:<websensei at admilon.net>
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> DATA
Sep 17 22:22:23 mcgregor postfix/smtpd[20578]: E8B861DBA541: client=localhost[127.0.0.1]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to MAIL (pip): 250 2.1.0 Ok
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to RCPT (pip) (<websensei at admilon.net>): 250 2.1.5 Ok
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> QUIT

So there is still a hole somewhere; which knob do I have to turn to put a stop to this?
Thanks and regards
Matthias
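Detection logic for this kind of abuse, added here as an example and not code from the post or from Postfix: it parses smtpd log lines in the format quoted above, flags SASL logins by accounts that should never send mail (the set NO_MAIL_USERS is an assumption for the site) and by clients without reverse DNS, and counts the distinct client IPs per username. The sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Postfix smtpd log format quoted in the
# post (queue ids and IP addresses are made up).
SAMPLE_LOG = """\
Sep 17 22:22:05 mcgregor postfix/smtpd[20603]: connect from unknown[192.0.2.10]
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: 25AF01DBA536: client=unknown[192.0.2.10], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:30:01 mcgregor postfix/smtpd[20604]: 11AA01DBA540: client=unknown[198.51.100.7], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:35:42 mcgregor postfix/smtpd[20605]: 3BEE01DBA542: client=mail.example.net[203.0.113.5], sasl_method=LOGIN, sasl_username=alice
"""

# Assumption: system accounts of this site that must never relay mail (the post
# notes that mail is disabled for the system user ftp).
NO_MAIL_USERS = {"ftp", "www", "daemon"}

# Matches the "queue-id: client=host[ip], sasl_method=..., sasl_username=..." line
# that smtpd writes for every SASL-authenticated session.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\],"
    r" sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)


def parse_sasl_logins(text):
    """Yield one dict (qid, host, ip, method, user) per SASL-authenticated session."""
    for line in text.splitlines():
        m = SASL_RE.search(line)
        if m:
            yield m.groupdict()


def find_suspicious(text, no_mail_users=NO_MAIL_USERS):
    """Return (alerts, per_user_ips).

    alerts: sessions that should not have been allowed to authenticate, with reasons.
    per_user_ips: username -> set of distinct client IPs; one account authenticating
    from many unrelated IPs is the classic sign of a stolen password."""
    alerts = []
    per_user_ips = defaultdict(set)
    for s in parse_sasl_logins(text):
        per_user_ips[s["user"]].add(s["ip"])
        reasons = []
        if s["user"] in no_mail_users:
            reasons.append("system account must not send mail")
        if s["host"] == "unknown":
            reasons.append("client has no reverse DNS")
        if reasons:
            alerts.append((s["qid"], s["user"], s["ip"], reasons))
    return alerts, dict(per_user_ips)


if __name__ == "__main__":
    found, ips = find_suspicious(SAMPLE_LOG)
    for qid, user, ip, reasons in found:
        print(f"{qid}: {user} from {ip}: {'; '.join(reasons)}")
    for user, addrs in ips.items():
        print(f"{user}: {len(addrs)} distinct client IP(s)")
```

Run against the real mail.log, the same regex picks up the session shown in the post (sasl_username=ftp from an unknown[...] client), which is exactly the login that should never have succeeded.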

