[Techtalk] Am I Running an Open Relay? Help!

Kai MacTane kai at mactane.org
Tue Dec 2 19:25:46 UTC 2014


Thanks, Maria. I already have a thing I hacked together to stop SSH
dictionary attacks some years ago. But the one you linked to looks more
mature; maybe I'll switch.

On Mon, December 1, 2014 8:32 pm, Maria McKinley wrote:
> Also install denyhosts asap.
>
> http://denyhosts.sourceforge.net/
>
> If someone tries a bruteforce attack, it cuts off that user.
>
> cheers,
> Maria
>
> On Mon, Dec 1, 2014 at 8:12 PM, Kai MacTane <kai at mactane.org> wrote:
>
>> Thanks for this advice. I changed the user's password this morning, and
>> haven't seen any more SASL lines in my logs.
>>
>> Sending this back to the list, too, so there'll be a record in the
>> archives for future searchers.
>>
>> On 12/1/2014 7:35, James Sutherland wrote:
>>
>>> Yes, someone has brute-forced that user's password, and is now using it
>>> to relay spam. Change their password asap! (I've had a lot of attempts at
>>> this on my own servers - all unsuccessful so far.) A genuine open relay is
>>> hard to find now (and easy to blacklist when found), so spammers are using
>>> weak passwords like this instead.
>>>
>>>
>>> James.
>>>
>>>  On 1 Dec 2014, at 10:35, Kagan MacTane <kagan at mactane.org> wrote:
>>>>
>>>> I'm running an Ubuntu 14.04.1 server with Postfix using SASL and TLS.
>>>> The Postfix was originally installed many years ago, and has been upgraded
>>>> and switched around so many times I can't keep anything straight in my
>>>> config. Things used to be fine, but recently I've been getting back
>>>> messages from Gmail saying my messages are rejected because there's too
>>>> much spam coming from my IP address. Uh-oh!
>>>>
>>>> I tried the open relay checker at http://www.mailradar.com/openrelay/
>>>> and it comes up clean. However, the one at
>>>> http://www.spamhelp.org/shopenrelay/ says "*Testing 162.245.20.11 on port
>>>> 25... **Error* - could not connect to server" (which is weird as hell,
>>>> because the world can send me email just fine), and the one at
>>>> http://checkor.com/ just comes up blank, apparently doing nothing.
>>>>
>>>> But my mail queue is full of messages that are from and/or to other
>>>> domains, with nothing to do with any of my users or people they
>>>> communicate with. (I have a very small userbase, of people who I know
>>>> personally, so I can see that none of this stuff has anything to do with
>>>> them.) Seriously, it looks like I've got roughly 30,000 spam messages
>>>> cluttering up my mail queue, trying and failing to be delivered to
>>>> addresses at Gmail, Hotmail, and suchlike.
>>>>
>>>> Also, my mail log is full of lines like these:
>>>>
>>>> Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>>>> Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>>>> Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[109.251.106.76], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>>>> Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[123.22.39.19], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>>>> Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[37.151.88.33], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>>>> Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=unknown[37.214.118.38], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>>>> Nov 30 18:50:35 finrod postfix/smtpd[23984]: 64BFC21C82B6: client=unknown[203.81.71.54], sasl_method=PLAIN, sasl_username=digitalsidhe at silmemar.org
>>>> Nov 30 18:50:47 finrod postfix/smtpd[24174]: C6ED621C85BE: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>>> Nov 30 18:51:01 finrod postfix/smtpd[24174]: BCACC21C874C: client=unknown[178.172.155.61], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
>>>>
>>>> ...where digitalsidhe at silmemar.org is a valid address on one of my
>>>> domains. Has someone gotten this user's password and is using it to
>>>> authenticate via SASL, and then send spam through my machine?
>>>>
>>>> I've gone over my main.cf looking at my SASL and general restrictions
>>>> areas, but I've been out of the mail-admin game so long, I can't make
>>>> heads or tails of it. I *think* it's okay, but am not sure. I can post it
>>>> if folks want, or I can just wrap up this cry for help before it becomes
>>>> too long.
>>>>
>>>> My profoundest thanks for any assistance anyone can provide.
>>>>
>>>> --
>>>> Kagan MacTane
>>>>
>>>> _______________________________________________
>>>> Techtalk mailing list
>>>> Techtalk at linuxchix.org
>>>> http://mailman.linuxchix.org/mailman/listinfo/techtalk
>>>>
>>>
>>
>
>
>
> --
> Maria Mckinley
> Software Developer
> Buffalo Lab
> Physiology and Biophysics
> Box 357290
> University of Washington
> (206) 898-5309
> parody at uw.edu <parody at u.washington.edu>
> mariakathryn.net
>


-- 
Kai MacTane
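The thread's diagnosis rests on one observation: a single sasl_username authenticating from many unrelated client addresses within a minute. The script below is an added example, not code from the thread or from Postfix; it parses lines of the shape Kagan quoted, groups sessions by account, and flags any account seen from more than a handful of distinct client IPs inside a short sliding window. The sample log is constructed here after the thread's lines, with client addresses replaced by RFC 5737 documentation ranges and a second, legitimate user added for contrast; the five-minute window and the limit of two addresses are assumptions to tune for your own user base.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the postfix/smtpd SASL lines quoted in the thread. The group names
# are this example's own labels, not Postfix configuration names.
SASL_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<rdns>[^\[]*)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^,]+), sasl_username=(?P<user>\S+)$"
)

# Constructed sample log, modelled on the thread's lines. Client addresses are
# from RFC 5737 documentation ranges; alice@example.org is a made-up legitimate
# user who always connects from one host. The final qmgr line is there to show
# that non-smtpd lines are ignored.
SAMPLE_LOG = """\
Nov 30 18:49:55 finrod postfix/smtpd[23941]: 0457921C727E: client=unknown[198.51.100.76], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:49:55 finrod postfix/smtpd[23984]: 86C5021C7320: client=unknown[203.0.113.54], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:06 finrod postfix/smtpd[23941]: AD50621C76EA: client=unknown[198.51.100.76], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:07 finrod postfix/smtpd[24190]: 3754921C7776: client=unknown[192.0.2.19], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:13 finrod postfix/smtpd[24217]: A9A0421C7A89: client=unknown[198.51.100.33], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:31 finrod postfix/smtpd[23941]: 8367221C81E2: client=unknown[203.0.113.38], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:50:47 finrod postfix/smtpd[24174]: C6ED621C85BE: client=unknown[192.0.2.61], sasl_method=PLAIN, sasl_username=digitalsidhe@silmemar.org
Nov 30 18:52:10 finrod postfix/smtpd[24201]: 1B2C321C9001: client=home.example.net[192.0.2.200], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 19:40:02 finrod postfix/smtpd[24301]: 7F0A121CA2B4: client=home.example.net[192.0.2.200], sasl_method=PLAIN, sasl_username=alice@example.org
Nov 30 19:40:03 finrod postfix/qmgr[1234]: 7F0A121CA2B4: from=<alice@example.org>, size=1024, nrcpt=1 (queue active)
"""


def parse_syslog_ts(ts):
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for measuring gaps between lines of one log file.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_sasl_events(lines):
    """Return a time-sorted list of (timestamp, sasl_username, client_ip)
    for every line that records a SASL-authenticated SMTP session."""
    events = []
    for line in lines:
        m = SASL_LINE.match(line.strip())
        if m:
            events.append((parse_syslog_ts(m["ts"]), m["user"], m["ip"]))
    events.sort()
    return events


def sources_per_user(events):
    """Map sasl_username -> {client_ip: number of sessions}."""
    per_user = defaultdict(lambda: defaultdict(int))
    for _, user, ip in events:
        per_user[user][ip] += 1
    return per_user


def flag_shared_credentials(events, window=timedelta(minutes=5), max_ips=2):
    """Flag accounts that authenticate from more than max_ips distinct client
    IPs inside any sliding window of the given length. One person moving
    between a laptop and a phone yields two addresses; a leaked password being
    driven by a botnet, as in the thread, yields many within a minute."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, recs in by_user.items():
        start, worst = 0, set()
        for end, (ts, _) in enumerate(recs):
            while recs[start][0] < ts - window:  # drop sessions older than the window
                start += 1
            ips = {ip for _, ip in recs[start:end + 1]}
            if len(ips) > len(worst):
                worst = ips
        if len(worst) > max_ips:
            flagged[user] = sorted(worst)
    return flagged


def analyze(log_text, **thresholds):
    """Raw log text in, {sasl_username: [client_ips]} of flagged accounts out."""
    return flag_shared_credentials(parse_sasl_events(log_text.splitlines()), **thresholds)


if __name__ == "__main__":
    events = parse_sasl_events(SAMPLE_LOG.splitlines())
    for user, ips in sources_per_user(events).items():
        print(f"{user}: {sum(ips.values())} sessions from {len(ips)} client IP(s)")
    for user, ips in analyze(SAMPLE_LOG).items():
        print(f"FLAG {user}: {len(ips)} distinct clients in 5 min -> {', '.join(ips)}")
```

Pointed at the real mail log instead of SAMPLE_LOG (on the Ubuntu box in the thread that would be /var/log/mail.log), the same report shows which account to lock or re-password, which is the fix the thread converged on; the per-user IP table is also what you want in hand before deciding whether a flagged account is a travelling user or a leaked credential.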


