[postfix-users] Spam from local - yet again ...

Uwe Drießen driessen at fblan.de
Tue Sep 18 09:05:31 CEST 2012


> On behalf of Matthias Schmidt
> 
> Hello,
> yesterday mails came in here again over roughly 45 minutes, and
> some of them were rejected as spam.
> When that happened the first time I followed Uwe's advice and
> changed my main.cf like this:

I had recommended that you consolidate all restrictions under
smtpd_recipient_restrictions =
You are still evaluating smtpd_sender_restrictions = separately.

> 
> smtpd_sasl_auth_enable = yes
> smtpd_helo_required = yes
> smtpd_use_pw_server = yes
> # with greylisting
> #smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
> # without greylisting
> smtpd_recipient_restrictions =
>         permit_sasl_authenticated
>         permit_mynetworks
>         permit_tls_clientcerts
>         check_sender_access hash:/etc/postfix/whitelist
>         reject_non_fqdn_hostname
>         reject_unknown_reverse_client_hostname
>         reject_unauth_destination
>         reject_rbl_client cbl.abuseat.org
>         reject_rbl_client zen.spamhaus.org
> 
> smtpd_pw_server_security_options = login,gssapi,cram-md5
> data_directory = /var/lib/postfix
> smtpd_client_restrictions =
> smtpd_sender_restrictions =
>         check_sender_access regexp:/etc/postfix/tag_as_originating.re
>         permit_mynetworks
>         permit_sasl_authenticated
>         permit_tls_clientcerts
>         check_sender_access regexp:/etc/postfix/tag_as_foreign.re
> 
> smtpd_data_restrictions = reject_unauth_pipelining
> mydestination = $myhostname, localhost.$mydomain, localhost,
>         mail.$mydomain, liste.$mydomain, $mydomain
> virtual_transport = virtual
> 
> 
> The mails arrive here with sasl_username=ftp. Mail is not enabled for the
> (system) user ftp.

Then check your address maps to see whether there is an ftp@ entry in there after all.
Your user verification is apparently not correct.
If somebody sends something like that through your server and has logged in,
then that is a separate user who is permitted to send under a false mail
address.

I had shown you an example ordering and a good deal more restrictions.
Among them were some that prevent somebody from sending under a different
mail address than the one they logged in with.

The normal log output is sufficient (no -v -vv etc. in
master.cf).

postconf -n is really obligatory to include when you want someone to look at
your config.


> 
> 
> The mail looks like this:
> Content type: Spam
> Internal reference code for the message is 20536-07/3+yiMXOQhcE5
> 
> First upstream SMTP client IP address: [65.200.13.203]
> According to a 'Received:' trace, the message apparently originated at:
>  [17.45.146.70], nico-lae.qr.32.de [17.45.146.70]
> 
> Return-Path: <dagata at ma-pu.plm.com>
> From:
>  Co-operative-Bank-p.l.c.UK.363 at e-mail-alert-id.9656.review-24-hrs-
> cooperative-online.co.uk
> Message-ID:
>  <E1T94zk-2493-Bo at Co-operative-Bank-p.l.c.UK.363@e-mail-alert-
> id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
> X-Mailer: Stylatule-decouvrez 6.4
> Subject: IMPORTANT SECURITY ISSUES [INCIDENT 462376-xz-46 ]
> Not quarantined.
> 
> The message WAS NOT relayed to:
> <mod9966 at hotmail.com>:
>   250 2.7.0 Ok, discarded, id=20536-07 - SPAM
> 
> SpamAssassin report:
> Spam detection software, running on the system "mcgregor.admilon.net",
> has
> identified this incoming email as possible spam.  The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email.  If you have any questions, see
> websensei at admilon.net for details.
> 
> Content preview:  ACCESS TO YOUR ACCOUNT HAS BEEN TEMPORARILY
> SUSPENDED. The
>   reason for this issue: - UNUSUAL NUMBER OF INVALID LOGIN ATTEMPTS
> ON YOUR
>   ACCOUNT To restore your account, please click below: [...]
> 
> Content analysis details:   (13.0 points, 25.0 required)
> 
> pts rule name              description
> ---- ---------------------- --------------------------------------------------
> 0.0 MSGID_MULTIPLE_AT      Message-ID contains multiple '@' characters
> 0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in
> DNS
> 2.4 TVD_PH_BODY_ACCOUNTS_PRE BODY: TVD_PH_BODY_ACCOUNTS_PRE
> -0.0 BAYES_40               BODY: Bayes spam probability is 20 to 40%
>                            [score: 0.3950]
> 1.5 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of
> words
> 0.3 HTML_MESSAGE           BODY: HTML included in message
> 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> 1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
>                            above 50%
>                            [cf: 100]
> 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                            [cf: 100]
> 4.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
> 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
> 0.0 TO_EQ_FM_HTML_ONLY     To == From and HTML only
> 0.0 TO_NO_BRKTS_NORDNS_HTML TO_NO_BRKTS_NORDNS_HTML
> Return-Path: <dagata at ma-pu.plm.com>
> Received: from [128.2.1.64] (unknown [65.200.13.203])
> 	by mcgregor.admilon.net (Postfix) with ESMTPA id 25AF01DBA536
> 	for <mod9966 at hotmail.com>; Mon, 17 Sep 2012 22:22:07 +0900 (JST)
> X-TM-AS-Result: No--7.291-5.0-31-1
> X-Recommended-Action: accept
> X-IronPort-AV: E=Sophos;i="4.80,368,1344186000";
> X-Envelope-From: hsbc-uk-mintea-nji-iasti-ebay-de.fr-dultzii at nico-
> lae.qr.32.de
> Content-type: text/html
> X-Proofpoint-Spam-Details: rule=notspam policy=default score=11
> spamscore=11 suspectscore=3
> X-SpamExpertAristo-Outgoing-Evidence: Combined (0.24)
> X-SpamExpertAristo-Username: 61.8.92.97
> X-Mailer: Stylatule-decouvrez 6.4
> To: mod9966 at hotmail.com
> Date: Mon, 17 Sep 2012 13:22:08 GMT
> X-Barracuda-Start-Time: 135755806806600
> Subject: IMPORTANT SECURITY ISSUES [INCIDENT 462376-xz-46 ]
> X-Copfilter-Virus-Scanned: ClamAV 0.684.2
> Received: from nico-lae.qr.32.de ([17.45.146.70]) by ghs-fw (Copfilter
> 0.84beta4)
> X-IronPort-Anti-Spam-Filtered: true
> From: Co-operative-Bank-p.l.c.UK.363 at e-mail-alert-id.9656.review-24-hrs-
> cooperative-online.co.uk
> X-Filter-ID:
> XtLePq6GTMn8G68F0comdleehesxkccwnpq66380849601991cmBIW/8OODKS
> 1A/6t51a7Dur
> X-Filtered-With: Copfilter Version 0.84beta4 (ProxSMTP 1.8)
> X-Proofpoint-Virus-Version: vendor=fsecure
> engine=2.50.10432:5.7.7855,1.0.431,0.0.000
> X-OriginalArrivalTime: 04 Sep 2012 16:53:23.0515 (UTC)
> FILETIME=[CBBBD8B0:01CD8ABD]
> X-SpamExpertAristo-Domain: joomlabouwer.nl
> Message-ID: <E1T94zk-2493-Bo at Co-operative-Bank-p.l.c.UK.363@e-mail-
> alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
> X-Originating-IP: 61.8.92.97
> X-imss-scan-details: No--7.291-5.0-31-1
> X-Copfilter-Originating-IP: 89.105.199.76
> X-SpamExpertAristo-Outgoing-Class: ham
> X-TM-IMSS-Message-ID: <2c625bfa00003402 at bodyshape.co.th>
> X-IronPort-Anti-Spam-Result: tc597710475692009648zbf1847zhfdijebku$
> X-TM-AS-Product-Ver: IMSS-7.0.0.6126-6.8.0.1017-19162.000
> Authentication-Results: aristo-internet.nl;auth=pass () smtp.auth=61.8.92.97
> Content-Transfer-Encoding: 7bit
> 
> 
> In the log it looks like this:
> 
> Sep 17 22:22:05 mcgregor postfix/smtpd[20603]: connect from
> unknown[65.200.13.203]
> Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: NOQUEUE: filter: RCPT from
> unknown[65.200.13.203]: <dagata at ma-pu.plm.com>: Sender address
> triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<dagata at ma-
> pu.plm.com> to=<mod9966 at hotmail.com> proto=ESMTP
> helo=<[128.2.1.64]>
> Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: 25AF01DBA536:
> client=unknown[65.200.13.203], sasl_method=CRAM-MD5,
> sasl_username=ftp
> Sep 17 22:22:17 mcgregor postfix/cleanup[20650]: 25AF01DBA536: message-
> id=<E1T94zk-2493-Bo at Co-operative-Bank-p.l.c.UK.363@e-mail-alert-
> id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
> Sep 17 22:22:17 mcgregor postfix/qmgr[505]: 25AF01DBA536:
> from=<dagata at ma-pu.plm.com>, size=3817, nrcpt=1 (queue active)
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-06) loaded policy bank
> "ORIGINATING"
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-06) process_request: fileno
> sock=12, STDIN=0, STDOUT=1
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ESMTP::10026
> /var/amavis/tmp/amavis-20120917T221431-20536: <dagata at ma-
> pu.plm.com> -> <mod9966 at hotmail.com> Received: from
> mcgregor.admilon.net ([127.0.0.1]) by localhost (mcgregor.admilon.net
> [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for
> <mod9966 at hotmail.com>; Mon, 17 Sep 2012 22:22:17 +0900 (JST)
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) smtp connection cache,
> dt: 85.1, state: 0
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) body hash:
> b55bb74e4d5c950db7ed42aa282aa202
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) Checking:
> 3+yiMXOQhcE5 ORIGINATING [65.200.13.203] <dagata at ma-pu.plm.com> ->
> <mod9966 at hotmail.com>
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) 2822.From: <Co-
> operative-Bank-p.l.c.UK.363 at e-mail-alert-id.9656.review-24-hrs-
> cooperative-online.co.uk>, 2821.Mail_From: <dagata at ma-pu.plm.com>
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) p001 1 Content-Type:
> text/html, size: 1755 B, name:
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) Checking for banned
> types and filenames
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) INFO: unknown banned
> table name ALT-RULES, recip=mod9966 at hotmail.com
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) collect banned table[0]:
> mod9966 at hotmail.com, tables:
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) p.path
> mod9966 at hotmail.com: "P=p001,L=1,M=text/html,T=html"
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ask_av Using (ClamAV-
> clamd): CONTSCAN /var/amavis/tmp/amavis-20120917T221431-
> 20536/parts\n
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ClamAV-clamd:
> Connecting to socket  /var/amavis/clamd
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ClamAV-clamd: Sending
> CONTSCAN /var/amavis/tmp/amavis-20120917T221431-20536/parts\n to
> UNIX socket /var/amavis/clamd
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) run_av (ClamAV-clamd):
> CLEAN
> Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) run_av (ClamAV-clamd)
> result: clean
> Sep 17 22:22:18 mcgregor postfix/smtpd[20603]: disconnect from
> unknown[65.200.13.203]
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) spam_scan:
> score=13.043 autolearn=no tests=[BAYES_40=-
> 0.001,DKIM_ADSP_NXDOMAIN=0.9,HTML_IMAGE_ONLY_20=1.546,HTML_
> MESSAGE=0.3,MIME_HTML_ONLY=0.723,MSGID_MULTIPLE_AT=0.001,RAZO
> R2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.886,RAZOR2_
> CHECK=4,RDNS_NONE=0.793,TO_EQ_FM_HTML_ONLY=0.001,TO_NO_BRKT
> S_NORDNS_HTML=0.001,TVD_PH_BODY_ACCOUNTS_PRE=2.393]
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) blocking contents
> category is (6) for mod9966 at hotmail.com
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) do_notify_and_quar:
> ccat=Spam (6,0) ("6":Spam, "5":Spammy, "1,1":CleanTag, "1":Clean,
> "0":CatchAll) ccat_block=(6), qar_mth=
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) skip local delivery(3): <>
> -> <spam-quarantine>
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) SPAM, <dagata at ma-
> pu.plm.com> -> <mod9966 at hotmail.com>, Yes, score=13.043 tag=-999
> tag2=7 kill=12 tests=[BAYES_40=-0.001, DKIM_ADSP_NXDOMAIN=0.9,
> HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.3,
> MIME_HTML_ONLY=0.723, MSGID_MULTIPLE_AT=0.001,
> RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
> RAZOR2_CHECK=4, RDNS_NONE=0.793, TO_EQ_FM_HTML_ONLY=0.001,
> TO_NO_BRKTS_NORDNS_HTML=0.001,
> TVD_PH_BODY_ACCOUNTS_PRE=2.393] autolearn=no, quarantine
> 3+yiMXOQhcE5 (spam-quarantine)
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) dkim: candidate
> originators: 2822.From:<websensei at admilon.net>,
> 2821.mail_from:<websensei at admilon.net>
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) dkim: signing (author),
> From: <websensei at admilon.net>, KEY.key_ind=>0, a=>rsa-sha256,
> c=>relaxed/simple, d=>admilon.net, s=>default, ttl=>1814400,
> x=>1349702537.86839
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp session: setting up
> a new session
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp creating socket by
> IO::Socket::INET to [127.0.0.1]:10027
> Sep 17 22:22:23 mcgregor postfix/smtpd[20578]: connect from
> localhost[127.0.0.1]
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to greeting:
> 220 mcgregor.admilon.net ESMTP Postfix
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> EHLO
> localhost
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to EHLO: 250
> mcgregor.admilon.net\nPIPELINING\nSIZE 41943040\nVRFY\nETRN\nAUTH
> LOGIN CRAM-MD5
> GSSAPI\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) AUTH not needed,
> user='', MTA offers 'LOGIN CRAM-MD5 GSSAPI'
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> MAIL
> FROM:<websensei at admilon.net>
> ENVID=AM..20120917T132223Z at mcgregor.admilon.net
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> RCPT
> TO:<websensei at admilon.net>
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> DATA
> Sep 17 22:22:23 mcgregor postfix/smtpd[20578]: E8B861DBA541:
> client=localhost[127.0.0.1]
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to MAIL (pip):
> 250 2.1.0 Ok
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to RCPT (pip)
> (<websensei at admilon.net>): 250 2.1.5 Ok
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to DATA: 354
> End data with <CR><LF>.<CR><LF>
> Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> QUIT
> 
> So there is still a hole somewhere; which knob do I need to turn to put a
> stop to this?
> Thanks and regards
> Matthias


Kind regards

Uwe Drießen
--
Software & Computer
Uwe Drießen
Lembergstraße 33
67824 Feilbingert

Tel.: 06708660045
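
Editor's added example, not part of the thread and not Postfix code. The decisive line in the posted log is "client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp": the message was accepted because someone authenticated as the system account ftp and then sent with an unrelated envelope sender. The restriction Uwe alludes to is reject_sender_login_mismatch, which consults an smtpd_sender_login_maps table listing which SASL logins own which sender addresses. The script below re-implements that check offline over log lines, so an existing log can be audited for the same pattern before the restriction is switched on, and also counts authenticated messages per (login, client) so that a 45-minute burst from one credential stands out. The log lines and the owner table are constructed from the posted ones (with the archive's " at " restored to "@"); the second ftp message, the "matthias" login, the owner table and the client addresses other than 65.200.13.203 are assumptions.

```python
"""
Audit Postfix logs for SASL-authenticated submissions whose envelope
sender is not owned by the authenticated login.

Added example for the thread above, not code from the original post or
from Postfix itself. It re-implements offline the check that
reject_sender_login_mismatch (backed by smtpd_sender_login_maps)
performs at SMTP time. Sample log and map are CONSTRUCTED from the
posted session; everything beyond queue ID 25AF01DBA536 is assumed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the posted log (" at " restored to "@").
SAMPLE_LOG = """\
Sep 17 22:22:05 mcgregor postfix/smtpd[20603]: connect from unknown[65.200.13.203]
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: NOQUEUE: filter: RCPT from unknown[65.200.13.203]: <dagata@ma-pu.plm.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<dagata@ma-pu.plm.com> to=<mod9966@hotmail.com> proto=ESMTP helo=<[128.2.1.64]>
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: 25AF01DBA536: client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:22:17 mcgregor postfix/qmgr[505]: 25AF01DBA536: from=<dagata@ma-pu.plm.com>, size=3817, nrcpt=1 (queue active)
Sep 17 22:22:18 mcgregor postfix/smtpd[20603]: disconnect from unknown[65.200.13.203]
Sep 17 22:23:40 mcgregor postfix/smtpd[20603]: 3F5A01DBA600: client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:23:41 mcgregor postfix/qmgr[505]: 3F5A01DBA600: from=<alerts@example.org>, size=3901, nrcpt=1 (queue active)
Sep 17 22:30:02 mcgregor postfix/smtpd[20611]: 1A2B01DBA700: client=unknown[203.0.113.7], sasl_method=CRAM-MD5, sasl_username=matthias
Sep 17 22:30:03 mcgregor postfix/qmgr[505]: 1A2B01DBA700: from=<matthias@admilon.net>, size=1200, nrcpt=1 (queue active)
Sep 17 22:31:15 mcgregor postfix/smtpd[20611]: 7B7C01DBA800: client=mail.example.net[192.0.2.5]
Sep 17 22:31:16 mcgregor postfix/qmgr[505]: 7B7C01DBA800: from=<someone@example.net>, size=2200, nrcpt=1 (queue active)
"""

# Constructed smtpd_sender_login_maps source in postmap input format:
# sender address or @domain, then the comma-separated logins that own it.
SENDER_LOGIN_MAPS = """\
# sender                 owning SASL logins
matthias@admilon.net     matthias
@admilon.net             postmaster, matthias
"""

# smtpd line that records the client and, if any, the SASL login.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?(?:, sasl_username=(?P<user>[^,\s]+))?"
)
# qmgr line that records the envelope sender for the same queue ID.
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def load_login_map(text):
    """Parse postmap-style 'key  login1, login2' lines into {key: {logins}}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        table[key.lower()] = {v for v in re.split(r"[,\s]+", value.strip()) if v}
    return table


def parse_sessions(lines):
    """Join the smtpd 'client=' line and the qmgr 'from=' line on the queue ID."""
    sessions = defaultdict(dict)
    for line in lines:
        if (m := CLIENT_RE.search(line)):
            sessions[m["qid"]].update(client=m["client"], method=m["method"], user=m["user"])
        elif (m := FROM_RE.search(line)):
            sessions[m["qid"]]["sender"] = m["sender"].lower()
    return dict(sessions)


def owners_for(sender, login_map):
    """Logins allowed to use `sender`: exact address first, then the @domain key.
    Simplified lookup order; Postfix's own table search has more steps."""
    if "@" not in sender:
        return set()
    domain = sender.rsplit("@", 1)[1]
    return login_map.get(sender, set()) | login_map.get("@" + domain, set())


def audit(log_text, login_map):
    """One finding per authenticated message whose login does not own its sender."""
    findings = []
    for qid, s in sorted(parse_sessions(log_text.splitlines()).items()):
        user, sender = s.get("user"), s.get("sender")
        if not user or sender is None:
            continue  # not SASL-authenticated, or never reached qmgr
        if user not in owners_for(sender, login_map):
            owns_anything = any(user in v for v in login_map.values())
            findings.append({
                "qid": qid, "client": s["client"], "sasl_method": s["method"],
                "sasl_username": user, "sender": sender,
                "reason": "sender not owned by login" if owns_anything
                          else "login owns no sender address",
            })
    return findings


def authenticated_counts(log_text):
    """Messages per (login, client): one credential hammering from one host stands out."""
    sessions = parse_sessions(log_text.splitlines())
    return Counter((s["user"], s["client"]) for s in sessions.values() if s.get("user"))


if __name__ == "__main__":
    login_map = load_login_map(SENDER_LOGIN_MAPS)
    for f in audit(SAMPLE_LOG, login_map):
        print(f"{f['qid']}: {f['sasl_username']} via {f['client']} sent as <{f['sender']}> ({f['reason']})")
    for (user, client), n in authenticated_counts(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {user:<12} {client}")
```

The live equivalent in main.cf is `smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps` together with `reject_sender_login_mismatch` (or `reject_authenticated_sender_login_mismatch`, which leaves unauthenticated clients alone) listed in smtpd_recipient_restrictions before `permit_sasl_authenticated`; placed after it, the test never runs for logged-in clients, because the permit ends evaluation. That only limits the damage, though: a login named ftp should not authenticate at all, so the SASL backend's user list needs fixing as Uwe says, and that account's password has to be treated as compromised. One more thing visible in the posted config: `check_sender_access hash:/etc/postfix/whitelist` sits before `reject_unauth_destination`, so any whitelist entry that returns OK relays mail for that sender to any destination.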




More information about the postfix-users mailing list