[Techtalk] Am I Running an Open Relay? Help!

Maria McKinley parody at u.washington.edu
Tue Dec 2 04:32:57 UTC 2014


Also install denyhosts asap.

http://denyhosts.sourceforge.net/

If someone tries a bruteforce attack, it cuts off that user.

cheers,
Maria

On Mon, Dec 1, 2014 at 8:12 PM, Kai MacTane <kai at mactane.org> wrote:

> Thanks for this advice. I changed the user's password this morning, and
> haven't seen any more SASL lines in my logs.
>
> Sending this back to the list, too, so there'll be a record in the
> archives for future searchers.
>
> On 12/1/2014 7:35, James Sutherland wrote:
>
>> Yes, someone has brute-forced that user's password, and is now using it
>> to relay spam. Change their password asap! (I've had a lot of attempts at
>> this on my own servers - all unsuccessful so far.) A genuine open relay is
>> hard to find now (and easy to blacklist when found), so spammers are using
>> weak passwords like this instead.
>>
>>
>> James.
>>
>>  On 1 Dec 2014, at 10:35, Kagan MacTane <kagan at mactane.org> wrote:
>>>
>>> I'm running an Ubuntu 14.04.1 server with Postfix using SASL and TLS.
>>> The Postfix was originally installed many years ago, and has been upgraded
>>> and switched around so many times I can't keep anything straight in my
>>> config. Things used to be fine, but recently I've been getting back
>>> messages from Gmail saying my messages are rejected because there's too
>>> much spam coming from my IP address. Uh-oh!
>>>
>>> I tried the open relay checker at http://www.mailradar.com/openrelay/
>>> and it comes up clean. However, the one at http://www.spamhelp.org/shopenrelay/
>>> says "*Testing 162.245.20.11 on port 25... **Error* -
>>> could not connect to server" (which is weird as hell, because the world can
>>> send me email just fine), and the one at http://checkor.com/ just comes
>>> up blank, apparently doing nothing.
>>>
>>> But my mail queue is full of messages that are from and/or to other
>>> domains, with nothing to do with any of my users or people they communicate
>>> with. (I have a very small userbase, of people who I know personally, so I
>>> can see that none of this stuff has anything to do with them.) Seriously,
>>> it looks like I've got roughly 30,000 spam messages cluttering up my mail
>>> queue, trying and failing to be delivered to addresses at Gmail, Hotmail,
>>> and suchlike.
>>>
>>> Also, my mail log is full of lines like these:
>>>
>>> Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>> Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>> Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>> Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[123.22.39.19], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>> Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[37.151.88.33], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>> Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=unknown[37.214.118.38], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>> Nov 30 18:50:35 finrod postfix/smtpd[23984]: 64BFC21C82B6: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>> Nov 30 18:50:47 finrod postfix/smtpd[24174]: C6ED621C85BE: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>> Nov 30 18:51:01 finrod postfix/smtpd[24174]: BCACC21C874C: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>>
>>> ...where digitalsidhe at silmemar.org is a valid address on one of my
>>> domains. Has someone gotten this user's password and is using it to
>>> authenticate via SASL, and then send spam through my machine?
>>>
>>> I've gone over my main.cf looking at my SASL and general restrictions
>>> areas, but I've been out of the mail-admin game so long, I can't make heads
>>> or tails of it. I *think* it's okay, but am not sure. I can post it if
>>> folks want, or I can just wrap up this cry for help before it becomes too
>>> long.
>>>
>>> My profoundest thanks for any assistance anyone can provide.
>>>
>>> --
>>> Kagan MacTane
>>>
>>> _______________________________________________
>>> Techtalk mailing list
>>> Techtalk at linuxchix.org
>>> http://mailman.linuxchix.org/mailman/listinfo/techtalk
>>>
>>
>> --
>> Kagan MacTane
>>
>



-- 
Maria Mckinley
Software Developer
Buffalo Lab
Physiology and Biophysics
Box 357290
University of Washington
(206) 898-5309
parody at uw.edu <parody at u.washington.edu>
mariakathryn.net
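The log excerpt quoted in the thread has the tell-tale shape James describes: one mailbox, one SASL method, and a different "unknown" client IP almost every message. A quick way to confirm that pattern across a whole mail.log, and to find any other accounts in the same state, is to count distinct client IPs per sasl_username. The script below is an added example for this thread, not code from any of the posters; it assumes the standard Postfix syslog line format shown above, and the sample log it writes is constructed (documentation-range IPs, example.org accounts):

```shell
#!/bin/sh
# Added example, not from the thread. Summarise Postfix smtpd lines of the
# form "client=host[ip], sasl_method=..., sasl_username=..." per account.
# One mailbox authenticating from many unrelated IPs within minutes is the
# signature of a stolen SASL password being used to relay spam.
# Assumption: stock Postfix/syslog mail.log format; sample data below is
# constructed and not taken from any real server.

# Usage: sasl_ip_summary LOGFILE
# Output: "<sasl_username> <distinct client IPs> <messages>", most IPs first.
sasl_ip_summary() {
    awk '
        # Only accepted messages from authenticated clients; plain inbound
        # deliveries (no sasl_username=) are skipped.
        /postfix\/smtpd\[[0-9]+\]: [0-9A-Za-z]+: client=/ && /sasl_username=/ {
            rest = substr($0, index($0, "client=") + 7)      # "host[ip], ..."
            lb = index(rest, "["); rb = index(rest, "]")
            ip = substr(rest, lb + 1, rb - lb - 1)             # text inside [...]
            user = substr($0, index($0, "sasl_username=") + 14)
            sub(/[ ,].*/, "", user)                            # stop at next field
            msgs[user]++
            if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
        }
        END { for (u in msgs) printf "%s %d %d\n", u, ips[u], msgs[u] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Usage: flag_shared_accounts LOGFILE [MAXIPS]
# Prints accounts seen from more than MAXIPS (default 4) distinct client IPs.
flag_shared_accounts() {
    sasl_ip_summary "$1" | awk -v max="${2:-4}" '$2 > max { print $1 }'
}

# Constructed sample written to the path in $1: one account used from five
# botnet-style IPs inside a minute, one legitimate user on a single IP, and
# one unauthenticated inbound delivery that must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[203.0.113.55], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=unknown[198.51.100.200], sasl_method=PLAIN, sasl_username=victim@example.org
Nov 30 18:50:40 finrod postfix/smtpd[24301]: 11AA021C8311: client=home.example.net[203.0.113.9], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:47 finrod postfix/smtpd[24174]: C6ED621C85BE: client=mx.example.com[198.51.100.25]
Nov 30 18:51:01 finrod postfix/smtpd[24301]: BCACC21C874C: client=home.example.net[203.0.113.9], sasl_method=PLAIN, sasl_username=alice@example.org
EOF
}

# Stand-alone demo over the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
sasl_ip_summary "$demo_log"
echo "accounts to lock and re-password:"
flag_shared_accounts "$demo_log"
rm -f "$demo_log"
```

Run it over a short window rather than the whole log (for example `grep 'Nov 30 18:' /var/log/mail.log > /tmp/window.log`), because a genuine user on a phone will legitimately show up from a handful of addresses over a day. Note that a brute-force blocker only helps during the guessing phase, and only for the log it watches: once the password is known, every new source IP authenticates successfully on the first attempt, so it is the successful logins, not the failures, that give the account away.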


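The open-relay checkers came up clean because the server was never an open relay; the spammer was an authenticated client, which `reject_unauth_destination` deliberately lets through. The main.cf fragment below is an added example (not the poster's configuration, which was never posted) of the Postfix 2.10+ settings that keep anonymous relaying closed while limiting what a stolen SASL password can do; Ubuntu 14.04 ships Postfix 2.11, so everything here applies to it. The map path and `example.org` addresses are placeholders.

```ini
# Added example, not the original poster's main.cf.

# Who may relay through this host: local networks and SASL-authenticated
# clients. Everyone else may only deliver to domains we accept mail for,
# which is the check the online open-relay testers perform.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
mynetworks = 127.0.0.0/8, [::1]/128

# Offer AUTH only inside a TLS session and never anonymously. The log shows
# sasl_method=PLAIN, which is acceptable only when the session is encrypted;
# smtpd_tls_auth_only makes that mandatory instead of optional.
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# An authenticated account may only use envelope senders it owns. The map
# has lines of the form "user@example.org user@example.org" (sender, then
# the login(s) allowed to use it). A hijacked account then cannot forge the
# foreign sender addresses seen in the poster's queue, and most of that
# spam is refused at MAIL FROM instead of being accepted and queued.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

# anvil rate limits are per client IP. They are cheap insurance against a
# single noisy source, but a botnet spread across many IPs, as in the posted
# log, stays under any per-IP limit, so they are no substitute for the above.
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 100
```

After editing the map run `postmap /etc/postfix/sender_login` and reload Postfix. Changing the password stops new submissions but does nothing about the thirty thousand messages already queued; inspect `postqueue -p` for anything legitimate, then `postsuper -d ALL deferred` drops everything in the deferred queue. Postfix 3.1 and later also add `smtpd_client_auth_rate_limit`, which caps AUTH attempts per client and helps against the guessing phase, but it is not available in the 2.11 that 14.04 ships.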