[Techtalk] Am I Running an Open Relay? Help!

Kai MacTane kai at mactane.org
Tue Dec 2 04:12:17 UTC 2014


Thanks for this advice. I changed the user's password this morning, and 
haven't seen any more SASL lines in my logs.

Sending this back to the list, too, so there'll be a record in the 
archives for future searchers.

On 12/1/2014 7:35, James Sutherland wrote:
> Yes, someone has brute-forced that user's password, and is now using it to relay spam. Change their password asap! (I've had a lot of attempts at this on my own servers - all unsuccessful so far.) A genuine open relay is hard to find now (and easy to blacklist when found), so spammers are using weak passwords like this instead.
>
>
> James.
>
>> On 1 Dec 2014, at 10:35, Kagan MacTane <kagan at mactane.org> wrote:
>>
>> I'm running an Ubuntu 14.04.1 server with Postfix using SASL and TLS. The Postfix was originally installed many years ago, and has been upgraded and switched around so many times I can't keep anything straight in my config. Things used to be fine, but recently I've been getting back messages from Gmail saying my messages are rejected because there's too much spam coming from my IP address. Uh-oh!
>>
>> I tried the open relay checker at http://www.mailradar.com/openrelay/ and it comes up clean. However, the one at http://www.spamhelp.org/shopenrelay/ says "*Testing 162.245.20.11 on port 25... **Error* - could not connect to server" (which is weird as hell, because the world can send me email just fine), and the one at http://checkor.com/ just comes up blank, apparently doing nothing.
>>
>> But my mail queue is full of messages that are from and/or to other domains, with nothing to do with any of my users or people they communicate with. (I have a very small userbase, of people who I know personally, so I can see that none of this stuff has anything to do with them.) Seriously, it looks like I've got roughly 30,000 spam messages cluttering up my mail queue, trying and failing to be delivered to addresses at Gmail, Hotmail, and suchlike.
>>
>> Also, my mail log is full of lines like these:
>>
>> Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[123.22.39.19], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[37.151.88.33], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=unknown[37.214.118.38], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:35 finrod postfix/smtpd[23984]: 64BFC21C82B6: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:47 finrod postfix/smtpd[24174]: C6ED621C85BE: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:51:01 finrod postfix/smtpd[24174]: BCACC21C874C: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>>
>> ...where digitalsidhe at silmemar.org is a valid address on one of my domains. Has someone gotten this user's password and is using it to authenticate via SASL, and then send spam through my machine?
>>
>> I've gone over my main.cf looking at my SASL and general restrictions areas, but I've been out of the mail-admin game so long, I can't make heads or tails of it. I *think* it's okay, but am not sure. I can post it if folks want, or I can just wrap up this cry for help before it becomes too long.
>>
>> My profoundest thanks for any assistance anyone can provide.
>>
>> -- 
>> Kagan MacTane
>>
>> _______________________________________________
>> Techtalk mailing list
>> Techtalk at linuxchix.org
>> http://mailman.linuxchix.org/mailman/listinfo/techtalk
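The pattern in the quoted log (one sasl_username authenticating from many unrelated client IPs within minutes) can be checked mechanically. The following is an added example, not code from the thread: a small Python parser for Postfix smtpd SASL lines run over constructed sample lines; it assumes the unobfuscated user@domain form of sasl_username rather than the archive's " at " rendering, and the threshold of three IPs is an arbitrary starting point.

```python
import re
from collections import defaultdict

# Postfix smtpd line recording a SASL login, in the shape shown in the thread.
SASL_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)$"
)

# Constructed sample log: same format as the thread, addresses and IPs invented.
SAMPLE_LOG = """\
Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[203.0.113.44], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[203.0.113.91], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:20 finrod postfix/smtpd[24217]: B1B0421C7A8A: client=home.example.net[198.51.100.200], sasl_method=LOGIN, sasl_username=bob@example.org
Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:35 finrod postfix/smtpd[24000]: 64BFC21C82B7: client=unknown[192.0.2.10], disconnect
"""

def parse_sasl_logins(text):
    """Yield (username, client_ip, queue_id) for each line that records a SASL login.
    Lines without sasl_username (connects, disconnects, rejects) are skipped."""
    for line in text.splitlines():
        m = SASL_LINE.match(line)
        if m:
            yield m["user"], m["ip"], m["qid"]

def distinct_ips_per_user(text):
    """Map each SASL username to the set of client IPs it authenticated from."""
    ips = defaultdict(set)
    for user, ip, _qid in parse_sasl_logins(text):
        ips[user].add(ip)
    return ips

def flag_shared_credentials(text, max_ips=3):
    """Return (username, ip_count) for accounts seen from more than max_ips distinct
    client IPs, most spread first. One real user rarely submits mail from that many
    hosts in a few minutes; a password in a spammer's hands does exactly this."""
    counts = {u: len(s) for u, s in distinct_ips_per_user(text).items()}
    return sorted(((u, n) for u, n in counts.items() if n > max_ips),
                  key=lambda t: -t[1])

if __name__ == "__main__":
    for user, n in flag_shared_credentials(SAMPLE_LOG):
        print(f"{user}: authenticated from {n} distinct client IPs")
```

On a real box, feed it /var/log/mail.log; a flagged account is the one whose password to change (and whose queued mail to inspect) first.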