My post mail server is used for spam

November 15th, 2011 - 03:50 am ET by Olivier BATARD
Hi,

I'm a little in doubt because my postfix server is used to send a
huge amount of spam, generating huge logs like this:

postfix/error[2120]: 993AE145D: to=<xbeefon@yahoo.com.tw>, relay=none,
delay=1, delays=0/0.07/0/0.31, dsn=4.7.0, status=deferred
(delivery temporarily suspended: host
mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421
4.7.0 [TS01] Messages from 62.161.100.158 temporarily deferred due to
user complaints - 4.16.55.1; see
http://postmaster.yahoo.com/421-ts01.html)

I'm running squeeze, my accounts are secured with strong passwords, how
can I stop that?

thanks,

Here's my postfix main.cf:


#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
smtp_tls_enforce_peername = no
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = VOLTALIAMSG.voltalia.local
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = voltalia.com, VOLTALIAMSG.voltalia.local,
    localhost.voltalia.local, localhost
#relayhost =  [smtp.fr.oleane.com]:587
#relayhost = [smtp.gmail.com]:587
mynetworks = 192.168.150.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual


To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CALvL=TNtZB...uCX5dsqCxg@mail.gmail.com

Replies

#1 Kevin Ross
November 15th, 2011 - 04:30 am ET
On 11/15/2011 12:41 AM, Olivier BATARD wrote:
> Hi,
>
> I'm a little in doubt because my postfix server is used to send a
> huge amount of spam, generating huge logs like this:
>
> postfix/error[2120]: 993AE145D: to=, relay=none,
> delay=1, delays=0/0.07/0/0.31, dsn=4.7.0, status=deferred
> (delivery temporarily suspended: host
> mx1.mail.tw.yahoo.com[203.188.197.119] refused to talk to me: 421
> 4.7.0 [TS01] Messages from 62.161.100.158 temporarily deferred due to
> user complaints - 4.16.55.1; see
> http://postmaster.yahoo.com/421-ts01.html)
>
> I'm running squeeze, my accounts are secured with strong passwords, how
> can I stop that?
>
> thanks,


Some log entries from when the message was submitted from the spammer
into your mail system would be more useful, instead of the log entries
from when your mail server then tried to deliver it.

Is it possible you have an account on your system with an easy to guess
(or empty) password? Look in your system log for when the connection
came in from the spammer, and see if it shows they actually
authenticated with your server. It will look something like this:

Nov 15 00:50:09 xxx postfix/smtpd[9910]: connect from xx.xx.xx.xx
Nov 15 00:50:10 xxx postfix/smtpd[9910]: 8513115A13: client=xx.xx.xx.xx,
sasl_method=PLAIN, sasl_username=kevin

Followed by some lines detailing the specifics of the message that was
submitted to your mail server for delivery. If they authenticated, then
you need to change the password for that user (or disable the user). If
they didn't authenticate, then you're an open relay (doesn't seem
likely, looking at your main.cf).

Hope this helps!


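Kevin's advice is to find the smtpd "client=... sasl_username=..." lines and see which account the spammer authenticated as. The script below is an added example, not code from this thread or from the Postfix project: it summarises those lines per account and per source IP, so an account that suddenly submits mail from many unrelated addresses stands out. It assumes the Debian mail.log format shown in the reply; the embedded log lines are constructed for the demonstration, and the account names, hostnames and addresses in them are placeholders.

```shell
#!/bin/sh
# Added example: summarise SASL-authenticated submissions in a Postfix log.
# Expected line shape (Debian default, as in Kevin's reply):
#   ... postfix/smtpd[PID]: QUEUEID: client=host[ip], sasl_method=PLAIN, sasl_username=user
# The sample below is constructed; hosts, IPs and users are placeholders.
SAMPLE_LOG=$(cat <<'EOF'
Nov 15 00:50:09 mx postfix/smtpd[9910]: connect from unknown[198.51.100.23]
Nov 15 00:50:10 mx postfix/smtpd[9910]: 8513115A13: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=kevin
Nov 15 00:50:11 mx postfix/cleanup[9915]: 8513115A13: message-id=<a@example.invalid>
Nov 15 00:50:12 mx postfix/smtpd[9912]: connect from unknown[198.51.100.77]
Nov 15 00:50:12 mx postfix/smtpd[9912]: 8513115A20: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=kevin
Nov 15 00:51:00 mx postfix/smtpd[9920]: connect from mail.voltalia.local[192.168.150.10]
Nov 15 00:51:01 mx postfix/smtpd[9920]: 8513115A31: client=mail.voltalia.local[192.168.150.10], sasl_method=PLAIN, sasl_username=olivier
Nov 15 00:51:02 mx postfix/smtpd[9913]: 8513115A40: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=kevin
EOF
)

# Reads a log on stdin; prints "count user" for every sasl_username,
# busiest account first. Only smtpd lines carrying sasl_username= count,
# so the later queue/delivery lines for the same message are ignored.
sasl_user_counts() {
  awk '
    /sasl_username=/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^sasl_username=/) {
          u = $i; sub(/^sasl_username=/, "", u); sub(/,$/, "", u)
          count[u]++
        }
    }
    END { for (u in count) print count[u], u }' | sort -rn
}

# Reads a log on stdin; prints the number of distinct client IPs that
# authenticated as the account given in $1.
distinct_client_ips() {
  awk -v user="$1" '
    /sasl_username=/ {
      u = ""; ip = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^client=/)        { ip = $i; sub(/.*\[/, "", ip); sub(/\].*/, "", ip) }
        if ($i ~ /^sasl_username=/) { u = $i; sub(/^sasl_username=/, "", u); sub(/,$/, "", u) }
      }
      if (u == user && ip != "") ips[ip] = 1
    }
    END { n = 0; for (k in ips) n++; print n }'
}

# Reads a log on stdin; prints every account that authenticated from more
# than $1 distinct client IPs. A legitimate user normally submits from one
# or two places; a harvested password is used from many.
users_over_ip_threshold() {
  awk -v max="$1" '
    /sasl_username=/ {
      u = ""; ip = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^client=/)        { ip = $i; sub(/.*\[/, "", ip); sub(/\].*/, "", ip) }
        if ($i ~ /^sasl_username=/) { u = $i; sub(/^sasl_username=/, "", u); sub(/,$/, "", u) }
      }
      if (u != "" && !seen[u, ip]++) ips[u]++
    }
    END { for (u in ips) if (ips[u] > max) print u }' | sort
}

echo "Authenticated submissions per account:"
printf '%s\n' "$SAMPLE_LOG" | sasl_user_counts
echo "Accounts submitting from more than 2 distinct client IPs:"
printf '%s\n' "$SAMPLE_LOG" | users_over_ip_threshold 2
```

On a real system replace the constructed sample with the log itself, for example `users_over_ip_threshold 5 < /var/log/mail.log`; whichever account it names is the one whose password should be changed or whose login should be disabled, as the reply says.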