[Techtalk] Am I Running an Open Relay? Help!

Lisa Kachold lisakachold at obnosis.com
Mon Dec 1 22:31:07 UTC 2014


Change the password of that user after you write a quick script to watch the logs and drop every one of those guys into iptables deny. You can also lock down the receiving user to keep him from sending mail while also monitoring his connection attempts by changing the permissions on his mail spool. The real user will contact you (or you him) and enforce stricter password policies. In the meantime you will have most of the rogue IPs denied.

I can give you more iptables refs or a script with more info later if you like (on phone now).

it-clowns.com
(503) 754-4452

> On Nov 30, 2014, at 8:07 PM, Kagan MacTane <kagan at mactane.org> wrote:
> 
> I'm running an Ubuntu 14.04.1 server with Postfix using SASL and TLS. The Postfix was originally installed many years ago, and has been upgraded and switched around so many times I can't keep anything straight in my config. Things used to be fine, but recently I've been getting back messages from Gmail saying my messages are rejected because there's too much spam coming from my IP address. Uh-oh!
> 
> I tried the open relay checker at http://www.mailradar.com/openrelay/ and it comes up clean. However, the one at http://www.spamhelp.org/shopenrelay/ says "Testing 162.245.20.11 on port 25... Error - could not connect to server" (which is weird as hell, because the world can send me email just fine), and the one at http://checkor.com/ just comes up blank, apparently doing nothing.
> 
> But my mail queue is full of messages that are from and/or to other domains, with nothing to do with any of my users or people they communicate with. (I have a very small userbase, of people who I know personally, so I can see that none of this stuff has anything to do with them.) Seriously, it looks like I've got roughly 30,000 spam messages cluttering up my mail queue, trying and failing to be delivered to addresses at Gmail, Hotmail, and suchlike.
> 
> Also, my mail log is full of lines like these:
> 
> Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
> Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
> Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
> Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[123.22.39.19], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
> Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[37.151.88.33], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
> Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=unknown[37.214.118.38], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
> Nov 30 18:50:35 finrod postfix/smtpd[23984]: 64BFC21C82B6: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
> Nov 30 18:50:47 finrod postfix/smtpd[24174]: C6ED621C85BE: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
> Nov 30 18:51:01 finrod postfix/smtpd[24174]: BCACC21C874C: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
> 
> ...where digitalsidhe at silmemar.org is a valid address on one of my domains. Has someone gotten this user's password and is using it to authenticate via SASL, and then send spam through my machine?
> 
> I've gone over my main.cf looking at my SASL and general restrictions areas, but I've been out of the mail-admin game so long, I can't make heads or tails of it. I *think* it's okay, but am not sure. I can post it if folks want, or I can just wrap up this cry for help before it becomes too long.
> 
> My profoundest thanks for any assistance anyone can provide.
> 
> -- 
> Kagan MacTane
> 
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
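The pattern in the quoted log excerpt (one SASL username authenticating from many unrelated client addresses) is the classic sign of a stolen submission password rather than an open relay. As an added example that is not part of this thread or of Postfix itself, the script below does the "watch the logs" part of the reply above: it parses Postfix `smtpd` lines, counts distinct client IPs per `sasl_username`, flags accounts that exceed a threshold, and emits (but does not run) iptables DROP rules for the offending sources. The sample lines are the ones from the post with the archive's " at " rewriting of "@" reversed, plus two constructed lines (a normal user and an unauthenticated inbound connection) for contrast; the threshold of three distinct IPs and the exact shape of the iptables rule are assumptions you should tune for your own site.

```python
import ipaddress
import re
from collections import defaultdict

# Postfix smtpd log lines recording a connection, optionally with SASL details.
# Layout assumed to follow Postfix's standard
#   "<queue-id>: client=<host>[<ip>], sasl_method=<m>, sasl_username=<u>" form.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?"
    r"(?:, sasl_username=(?P<user>\S+))?"
)

# Sample input: nine lines from the original post (with "@" restored) and two
# constructed lines so the script has a normal user and an unauthenticated
# connection to compare against.
SAMPLE_LOG = """\
Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[123.22.39.19], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[37.151.88.33], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=unknown[37.214.118.38], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:35 finrod postfix/smtpd[23984]: 64BFC21C82B6: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:47 finrod postfix/smtpd[24174]: C6ED621C85BE: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:51:01 finrod postfix/smtpd[24174]: BCACC21C874C: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:52:00 finrod postfix/smtpd[24300]: 11AA21C9000: client=home.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:52:30 finrod postfix/smtpd[24301]: 22BB21C9001: client=unknown[198.51.100.7]
"""


def parse_sasl_logins(lines):
    """Return {sasl_username: {client_ip: count}} for authenticated connections.

    Lines without a sasl_username (ordinary inbound mail) are ignored: they
    are not evidence of credential abuse.
    """
    logins = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = SASL_RE.search(line)
        if not m or not m.group("user"):
            continue
        logins[m.group("user")][m.group("ip")] += 1
    return logins


def suspicious_accounts(logins, max_distinct_ips=3):
    """Accounts seen from more distinct client IPs than a real user plausibly uses.

    The threshold is an assumption; a small site with known users can keep it
    low, a larger one will want to tune it against normal roaming behaviour.
    """
    return {user: ips for user, ips in logins.items() if len(ips) > max_distinct_ips}


def iptables_rules(ips, chain="INPUT", port=25):
    """Build iptables DROP rules for the offending client IPs, in address order.

    Rules are returned as strings for review rather than executed, so the
    admin can check them before applying (and avoid blocking themselves).
    """
    ordered = sorted(ips, key=ipaddress.ip_address)
    return [f"iptables -I {chain} -s {ip} -p tcp --dport {port} -j DROP" for ip in ordered]


if __name__ == "__main__":
    found = parse_sasl_logins(SAMPLE_LOG.splitlines())
    for user, ips in suspicious_accounts(found).items():
        print(f"{user}: {sum(ips.values())} logins from {len(ips)} distinct IPs")
        for rule in iptables_rules(ips):
            print("  " + rule)
```

In practice you would feed it `tail -F /var/log/mail.log` rather than a string, and the blocklist only buys time: the credential has to be changed and the queued spam purged, since the senders will simply rotate to new source addresses.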

