[Techtalk] Am I Running an Open Relay? Help!

Kagan MacTane kagan at mactane.org
Tue Dec 2 04:16:50 UTC 2014


Oooh, good idea about blocklisting the IPs. Unfortunately, I'd already 
changed the user's password before I got your message.

Still, I can grep the previous ones out of the logs and block them 
now... not that I'm sure it matters at this point.

It turns out the user's password was pretty strong. However, he was 
using it for other services, and with the number of high-profile leaks 
in the past 6 months, it's anybody's guess whose insecure password 
database made its way to the spammer behind this situation.

Now, I just need to try to get my IP address off the bad reputation 
lists. If anyone knows how to get Google, in particular, to look at me 
again, I'd sure appreciate advice.

On 12/1/2014 14:31, Lisa Kachold wrote:
> Change the password of that user after you write a quick script to 
> watch the logs and drop every one of those guys into an iptables deny. 
> You can also lock down the receiving user to keep him from sending 
> mail while also monitoring his connection attempts by changing the 
> permissions on his mail spool. The real user will contact you (or you 
> him) and enforce stricter password policies. In the meantime you will 
> have most of the rogue IPs denied.
>
> I can give you more iptables refs or a script with more info later if 
> you like (on phone now).
>
> it-clowns.com
> (503) 754-4452
>
> On Nov 30, 2014, at 8:07 PM, Kagan MacTane <kagan at mactane.org> wrote:
>
>> I'm running an Ubuntu 14.04.1 server with Postfix using SASL and TLS. 
>> The Postfix was originally installed many years ago, and has been 
>> upgraded and switched around so many times I can't keep anything 
>> straight in my config. Things used to be fine, but recently I've been 
>> getting back messages from Gmail saying my messages are rejected 
>> because there's too much spam coming from my IP address. Uh-oh!
>>
>> I tried the open relay checker at http://www.mailradar.com/openrelay/ 
>> and it comes up clean. However, the one at 
>> http://www.spamhelp.org/shopenrelay/ says "Testing 162.245.20.11 on 
>> port 25... Error - could not connect to server" (which is weird as 
>> hell, because the world can send me email just fine), and the one at 
>> http://checkor.com/ just comes up blank, apparently doing nothing.
>>
>> But my mail queue is full of messages that are from and/or to other 
>> domains, with nothing to do with any of my users or people they 
>> communicate with. (I have a very small userbase, of people who I know 
>> personally, so I can see that none of this stuff has anything to do 
>> with them.) Seriously, it looks like I've got roughly 30,000 spam 
>> messages cluttering up my mail queue, trying and failing to be 
>> delivered to addresses at Gmail, Hotmail, and suchlike.
>>
>> Also, my mail log is full of lines like these:
>>
>> Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[123.22.39.19], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[37.151.88.33], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=unknown[37.214.118.38], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:35 finrod postfix/smtpd[23984]: 64BFC21C82B6: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:50:47 finrod postfix/smtpd[24174]: C6ED621C85BE: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>> Nov 30 18:51:01 finrod postfix/smtpd[24174]: BCACC21C874C: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>>
>> ...where digitalsidhe at silmemar.org is a valid address on one of 
>> my domains. Has someone gotten this 
>> user's password and is using it to authenticate via SASL, and then 
>> send spam through my machine?
>>
>> I've gone over my main.cf looking at my SASL and general restrictions 
>> areas, but I've been out of the mail-admin game so long, I can't make 
>> heads or tails of it. I *think* it's okay, but am not sure. I can 
>> post it if folks want, or I can just wrap up this cry for help before 
>> it becomes too long.
>>
>> My profoundest thanks for any assistance anyone can provide.
>>
>> -- 
>> Kagan MacTane
>>
>> _______________________________________________
>> Techtalk mailing list
>> Techtalk at linuxchix.org
>> http://mailman.linuxchix.org/mailman/listinfo/techtalk

-- 
Kagan MacTane
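Following up on the grep-and-block idea discussed in the thread, here is an added example (not code from either poster) that parses smtpd lines in the SASL log format quoted above, flags any account authenticating from an implausible number of distinct client IPs, and renders iptables DROP rules for review rather than applying them. The log lines, hostnames, users and IPs are constructed for the example, and the distinct-IP threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Postfix smtpd SASL format quoted in the thread;
# hostnames, queue ids, users and IPs are made up, not taken from a real server.
SAMPLE_LOG = """\
Nov 30 18:49:55 mx postfix/smtpd[23941]: 0457921C727E: client=unknown[198.51.100.76], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:49:55 mx postfix/smtpd[23984]: 86C5021C7320: client=unknown[203.0.113.54], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:06 mx postfix/smtpd[23941]: AD50621C76EA: client=unknown[198.51.100.76], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:07 mx postfix/smtpd[24190]: 3754921C7776: client=unknown[192.0.2.19], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:13 mx postfix/smtpd[24217]: A9A0421C7A89: client=unknown[203.0.113.33], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:31 mx postfix/smtpd[24230]: 8367221C81E2: client=home.example.net[192.0.2.200], sasl_method=PLAIN, sasl_username=bob@example.org
Nov 30 18:50:35 mx postfix/smtpd[23984]: 64BFC21C82B6: client=unknown[203.0.113.54], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 18:50:40 mx postfix/smtpd[24231]: connect from unknown[203.0.113.99]
"""

# Only lines that record a completed SASL authentication carry sasl_username.
SASL_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)

def ips_by_sasl_user(log_text):
    """Map each SASL username to the set of client IPs that authenticated as it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = SASL_LINE.search(line)
        if m:
            seen[m.group("user")].add(m.group("ip"))
    return seen

def suspicious_users(seen, max_distinct_ips=3):
    """Flag accounts used from more distinct IPs than a real user plausibly has.
    Many unrelated IPs on one login is the mark of a leaked password being used for
    authenticated relaying; an open relay would show no sasl_username at all.
    The threshold is an assumed value; tune it to the user base."""
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) > max_distinct_ips}

def iptables_rules(ips):
    """Render (not apply) one DROP rule per offending IP so the admin can review
    the list before loading it; submission may arrive on 25 or 587, so no port."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    for user, ips in suspicious_users(ips_by_sasl_user(SAMPLE_LOG)).items():
        print(f"{user}: {len(ips)} distinct client IPs")
        print("\n".join(iptables_rules(ips)))
```

On a live server the same functions can be fed `/var/log/mail.log` contents; the rendered rules are only a starting list, since the spammer's client pool changes once the password is rotated.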


