Postfix is still sending SPAM even after closing the infamous "Open Relay"


Let's pretend for a second that my client's site is thatshowithappened.com. A few weeks ago our server was an open relay; we fixed that.

And now, after putting in

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
#       check_policy_service inet:127.0.0.1:10101,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client psbl.surriel.com,
#       reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client b.barracudacentral.org

It did the trick, and I accidentally flushed the message queue, so now I can't tell which script was responsible for sending the SPAM, since I've already verified it isn't a CRON job. So this is what shows up in my mail logs:

Mar 20 06:39:53 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:39:57 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:00 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:03 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:07 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:10 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:13 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:16 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:19 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:22 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:31 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:35 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:38 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:41 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:44 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:48 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:50 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:54 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:57 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:41:00 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:41:03 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:41:07 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked

It looks like there is a dictionary of words the spammer is using with our own domain thatshowithappened.com. I don't know where to look, or at least how to find out the message headers after the message has already been sent or rejected as above.

I tried mailq and postqueue -p but it is always empty, and that makes sense, since the messages are neither in the queue nor deferred, right?

# postcat -q 4DEC51723309
postcat: fatal: open queue file 4DEC51723309: No such file or directory

CPU is between 90% and 100%; even though it isn't sending SPAM, it is killing my machine (CentOS 7 running Postfix 2.x).

What do you suggest we do? Is there any other way to debug this?

PS: I've enabled the PHP mail headers so as to track which script is sending out the SPAM:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

BTW, I hope the question doesn't come across as "My PC doesn't work. What do I do?" :D

I've tried checking out other questions like this one which are similar to mine, but no luck.

Please help.

by Fahad 22.03.2018 / 16:29

1 answer


The log entries you posted show that some other machine is trying to relay spam through your mail server, but your mail server is rejecting it.

If this is causing your high CPU load, consider temporarily firewalling the remote IP address so it can no longer connect. That should bring immediate relief.

iptables -I INPUT -s 104.168.142.169 -j DROP

You can also use fail2ban to do this, as it already has preconfigured jails that process the postfix logs; they merely need to be enabled. For example, put in your jail.local:

[postfix]
enabled = true
answered 22.03.2018 / 17:51
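The reading of the logs given in the answer, as an added example that is not part of the original thread: a small Python script that parses Postfix smtpd lines in the format shown in the question, aggregates NOQUEUE rejects per client IP, separates them from messages that were actually accepted (those carry a queue ID where the reject carries NOQUEUE), flags a client that cycles through many local recipients, and emits the iptables rule from the answer for any client over a threshold. The sample log lines, the second client address, the sender and recipient addresses, the queue ID, the thresholds and the function names are constructed for this example; only the listed hostname and IP from the question are reused.

```python
"""Triage Postfix smtpd rejects per client and emit block rules.

Added example, not the original poster's or answerer's code. The log text below is
constructed to match the question's format; addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Postfix smtpd reject line as in the question's logs. The RBL clause is optional because
# reject_unauth_destination and the reject_non_fqdn_* checks write the same
# "NOQUEUE: reject:" prefix with a different reason text.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) (?P<reason>[^;]*);"
    r"(?: Client host \[[^\]]+\] blocked using (?P<rbl>[^;]+);)?"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# A message Postfix actually accepted logs a queue ID where the reject says NOQUEUE.
ACCEPTED_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]{6,}): client=(?P<host>\S+)\[(?P<ip>[^\]]+)\]"
)

# Constructed sample (not from the original post): a recipient dictionary run from one
# RBL-listed host, a single relay attempt from another address, and one accepted
# authenticated submission from localhost.
SAMPLE_LOG = """\
Mar 20 06:39:53 mx postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<promo@example.net> to=<aaron@thatshowithappened.com> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:39:57 mx postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<promo@example.net> to=<abbey@thatshowithappened.com> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:00 mx postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<promo@example.net> to=<abel@thatshowithappened.com> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:03 mx postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<promo@example.net> to=<abigail@thatshowithappened.com> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:05 mx postfix/smtpd[1415]: NOQUEUE: reject: RCPT from unknown[192.0.2.45]: 554 5.7.1 <victim@example.com>: Relay access denied; from=<bounce@example.org> to=<victim@example.com> proto=ESMTP helo=<mail.example.org>
Mar 20 06:40:09 mx postfix/smtpd[1417]: 9B3F1A7C0E22: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=www-data
"""


def parse_line(line):
    """Classify one mail log line: ('reject', fields), ('accepted', fields) or None."""
    m = REJECT_RE.search(line)
    if m:
        return "reject", m.groupdict()
    m = ACCEPTED_RE.search(line)
    if m:
        return "accepted", m.groupdict()
    return None


def summarize_rejects(lines):
    """Aggregate rejects per client IP: volume, hostnames, RBLs that fired, distinct targets."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set(), "rbls": set(), "rcpts": set(), "senders": set()})
    for line in lines:
        parsed = parse_line(line)
        if not parsed or parsed[0] != "reject":
            continue
        f = parsed[1]
        s = stats[f["ip"]]
        s["count"] += 1
        s["hosts"].add(f["host"])
        if f["rbl"]:
            s["rbls"].add(f["rbl"])
        s["rcpts"].add(f["rcpt"])
        s["senders"].add(f["sender"])
    return dict(stats)


def queued_ids(lines):
    """Queue IDs of messages smtpd actually accepted; NOQUEUE rejects never appear here."""
    return [p[1]["qid"] for p in map(parse_line, lines) if p and p[0] == "accepted"]


def dictionary_attackers(stats, min_rcpts=3):
    """Clients that were rejected while cycling through many distinct recipients."""
    return sorted(ip for ip, s in stats.items() if len(s["rcpts"]) >= min_rcpts)


def block_rules(stats, threshold=10):
    """The rule the answer uses, once per client at or over the reject threshold."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, s in sorted(stats.items()) if s["count"] >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    stats = summarize_rejects(lines)
    for ip, s in sorted(stats.items()):
        print(f"{ip}: {s['count']} rejects, {len(s['rcpts'])} distinct recipients, rbls={sorted(s['rbls'])}")
    print("queued:", queued_ids(lines))
    print("dictionary pattern:", dictionary_attackers(stats))
    for rule in block_rules(stats, threshold=3):
        print(rule)
```

Pointed at /var/log/maillog instead of SAMPLE_LOG, this gives the per-client view that fail2ban's postfix jail acts on automatically. The distinction the answer draws is visible in two results: queued_ids() returns nothing for the rejected traffic, because NOQUEUE lines never had a queue file (which is also why postcat -q on those lines has nothing to open), and dictionary_attackers() separates a host harvesting recipients at the local domain from a single misaddressed message. The PHP mail.log the question enables is the right place to look for a local script; inbound NOQUEUE rejects like these will never appear there.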