[Postfixbuch-users] Spamming via SMTP Auth

Andreas Jung yet at gmx.de
Sun Feb 25 21:09:26 CET 2007


-------- Original Message --------
Date: Sun, 25 Feb 2007 20:51:57 +0100
From: "Andreas Pothe" <mailingliste-postfixbuch at pothe.com>
To: "\'Eine Diskussionsliste rund um das Postfix-Buch von Peer Heinlein.\'" <postfixbuch-users at listi.jpberlin.de>
CC: 
Subject: Re: [Postfixbuch-users] Spamming via SMTP Auth

> Hi,
> 
> > Recently I have been seeing spammers log in via SMTP (SASL) 
> > and then relay. I actually thought my 
> > system was locked down, but evidently it is not.
> > I have configured only two accounts for SASL, but the 
> > spammers are apparently still able to 
> > log in as webmaster at meinedomain.de. An 
> 
> Where are the logs?
> 
Feb 25 21:05:19 h592443 postfix/smtpd[8434]: connect from p01c11o144.mxlogic.net[208.65.144.67]
Feb 25 21:05:19 h592443 postfix/smtpd[8434]: setting up TLS connection from p01c11o144.mxlogic.net[208.65.144.67]
Feb 25 21:05:19 h592443 postfix/smtpd[8434]: TLS connection established from p01c11o144.mxlogic.net[208.65.144.67]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 25 21:05:40 h592443 postfix/smtpd[8434]: warning: 67.144.65.208.relays.ordb.org: RBL lookup error: Host or domain name not found. Name service error for name=67.144.65.208.relays.ordb.org type=A: Host not found, try again
Feb 25 21:05:40 h592443 sqlgrey: 2007/02/25-21:05:40 CONNECT TCP Peer: "127.0.0.1:53263" Local: "127.0.0.1:2501"
Feb 25 21:05:40 h592443 sqlgrey: optin: greylisting active for britt at andreas-jung.com
Feb 25 21:05:41 h592443 sqlgrey: grey: unknown pattern: p01c11o144.mxlogic.net, 208.65.144.67: using C-class (208.65.144).
Feb 25 21:05:41 h592443 sqlgrey: spam: 151.51.107.136: visual at patcomm.com -> sampjg at andreas-jung.com at 1172345725
Feb 25 21:05:41 h592443 sqlgrey: spam: 84.166.117.212: jnazerqv at calassoc-hoa.com -> s78ha at andreas-jung.com at 1172345749
Feb 25 21:05:41 h592443 sqlgrey: spam: 87.20.253.62: fe at pcbs.pna.org -> parkrose at andreas-jung.com at 1172345772
Feb 25 21:05:41 h592443 sqlgrey: spam: 151.46.41.137: bynes at pas-reform.com -> lee_m_gibbs at andreas-jung.com at 1172345795
Feb 25 21:05:41 h592443 sqlgrey: spam: 151.44.80.13: ltcodegt at orientstoreint.teamon.com -> lehnertz at andreas-jung.com at 1172345865
Feb 25 21:05:41 h592443 sqlgrey: spam: 87.20.25.152: waking at oppman.com -> mayur05 at andreas-jung.com at 1172345900
Feb 25 21:05:41 h592443 sqlgrey: spam: 84.220.169.197: dee at ourhrsite.com -> mieko_itou at andreas-jung.com at 1172345908
Feb 25 21:05:41 h592443 sqlgrey: spam: 87.21.112.183: himself at pareast.com -> superponpon at andreas-jung.com at 1172345925
Feb 25 21:05:41 h592443 sqlgrey: spam: 87.16.50.19: served at pandinus.com -> metaldetectingenthusiast at andreas-jung.com at 1172345936
Feb 25 21:05:41 h592443 sqlgrey: spam: 86.199.77.176: th at otac.com -> rschn at andreas-jung.com at 1172345952
Feb 25 21:05:41 h592443 sqlgrey: spam: 87.17.74.78: salesin at paradyszmatera.com -> malcomb at andreas-jung.com at 1172345968


...

Feb 25 21:05:41 h592443 sqlgrey: spam: 87.14.245.24: weve at parrotmedia.com -> orsi_vale at andreas-jung.com at 1172347500
Feb 25 21:05:41 h592443 sqlgrey: spam: 85.160.16.209: jabbittopey at goplano.com -> rurich at andreas-jung.com at 1172347506
Feb 25 21:05:41 h592443 sqlgrey: spam: 85.178.116.133: guia at option168.com -> mapsr at andreas-jung.com at 1172347511
Feb 25 21:05:41 h592443 sqlgrey: perf: spent 0s cleaning: from_awl (0) domain_awl (0) connect (110)
Feb 25 21:05:41 h592443 sqlgrey: grey: new: 208.65.144(208.65.144.67), -undef- at -undef- -> britt at andreas-jung.com
Feb 25 21:05:41 h592443 postfix/smtpd[8434]: NOQUEUE: reject: RCPT from p01c11o144.mxlogic.net[208.65.144.67]: 450 <britt at andreas-jung.com>: Recipient address rejected: Greylisted for 5 minutes; from=<> to=<britt at andreas-jung.com> proto=ESMTP helo=<p01c11o144.mxlogic.net>
Feb 25 21:05:42 h592443 postfix/smtpd[8434]: disconnect from p01c11o144.mxlogic.net[208.65.144.67]
Feb 25 21:05:43 h592443 postfix/smtpd[8434]: connect from p01c11o144.mxlogic.net[208.65.144.67]
Feb 25 21:05:44 h592443 postfix/smtpd[8434]: setting up TLS connection from p01c11o144.mxlogic.net[208.65.144.67]
Feb 25 21:05:44 h592443 dovecot: auth(default): client in: AUTH 1       PLAIN   service=IMAP    secured lip=81.169.137.22       rip=72.254.192.46       resp=AGFqdW5nAHlldHN1eCQk
Feb 25 21:05:44 h592443 dovecot: auth(default): client out: OK  1       user=ajung
Feb 25 21:05:44 h592443 dovecot: auth(default): master in: REQUEST      2296    8431    1
Feb 25 21:05:44 h592443 dovecot: auth(default): master out: USER        2296    ajung   system_user=ajung       uid=1000        gid=100 home=/home/ajung
Feb 25 21:05:44 h592443 dovecot: imap-login: Login: user=<ajung>, method=PLAIN, rip=72.254.192.46, lip=81.169.137.22, TLS
Feb 25 21:05:44 h592443 postfix/smtpd[8434]: TLS connection established from p01c11o144.mxlogic.net[208.65.144.67]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 25 21:05:45 h592443 sqlgrey: optin: greylisting active for britt at andreas-jung.com
Feb 25 21:05:45 h592443 sqlgrey: grey: unknown pattern: p01c11o144.mxlogic.net, 208.65.144.67: using C-class (208.65.144).
Feb 25 21:05:45 h592443 sqlgrey: grey: early reconnect: 208.65.144(208.65.144.67), -undef- at -undef- -> britt at andreas-jung.com
Feb 25 21:05:45 h592443 postfix/smtpd[8434]: NOQUEUE: reject: RCPT from p01c11o144.mxlogic.net[208.65.144.67]: 450 <britt at andreas-jung.com>: Recipient address rejected: Greylisted for 5 minutes; from=<> to=<britt at andreas-jung.com> proto=ESMTP helo=<p01c11o144.mxlogic.net>
Feb 25 21:05:45 h592443 dovecot: IMAP(ajung): Disconnected: Logged out
Feb 25 21:05:45 h592443 postfix/smtpd[8434]: disconnect from p01c11o144.mxlogic.net[208.65.144.67]
Feb 25 21:05:54 h592443 postfix/smtpd[8434]: connect from unknown[220.232.171.139]
Feb 25 21:05:56 h592443 postfix/smtpd[8434]: 87C103B0101: client=unknown[220.232.171.139], sasl_method=LOGIN, sasl_username=webmaster at zopyx.biz
Feb 25 21:06:08 h592443 postfix/master[8331]: terminating on signal 15


An account 'webmaster at zopyx.biz' is not configured anywhere. There is neither a 'webmaster' account nor an entry in /etc/sasldb2.

Andreas
-- 
Andreas Jung
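
Added example, not part of the original post: a small Python audit that scans Postfix smtpd log lines for successful SASL logins and reports every username that is not on the list of accounts the administrator expects, which is the situation described in the message above. The allow-list contents and all sample lines except the first (taken from the log above) are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical allow-list: the SASL accounts you believe are configured.
EXPECTED_SASL_USERS = {"ajung"}

# Postfix smtpd records a successful AUTH on the queue-id line as
#   <qid>: client=<host>[<ip>], sasl_method=<m>, sasl_username=<user>
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^,\s]+), "
    r"sasl_username=(?P<user>[^,\n]+)"
)

def normalize(user):
    # The list archive rewrites "@" as " at "; undo it so both forms compare equal.
    return user.replace(" at ", "@").strip().lower()

def unexpected_sasl_logins(lines, expected=EXPECTED_SASL_USERS):
    """Map each unexpected SASL username to its (client ip, method, queue id) logins."""
    allowed = {normalize(u) for u in expected}
    hits = defaultdict(list)
    for line in lines:
        m = SASL_RE.search(line)
        if not m:
            continue  # not a successful-AUTH line
        user = normalize(m.group("user"))
        if user not in allowed:
            hits[user].append((m.group("ip"), m.group("method"), m.group("qid")))
    return dict(hits)

# First line is from the log above; the remaining lines are constructed samples.
SAMPLE_LOG = """\
Feb 25 21:05:56 h592443 postfix/smtpd[8434]: 87C103B0101: client=unknown[220.232.171.139], sasl_method=LOGIN, sasl_username=webmaster at zopyx.biz
Feb 25 21:07:02 mail postfix/smtpd[8500]: 1A2B3C4D5E: client=host.example[192.0.2.10], sasl_method=PLAIN, sasl_username=ajung
Feb 25 21:07:30 mail postfix/smtpd[8500]: 2B3C4D5E6F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=webmaster@zopyx.biz
Feb 25 21:08:00 mail postfix/smtpd[8500]: connect from unknown[198.51.100.7]
""".splitlines()

if __name__ == "__main__":
    for user, logins in unexpected_sasl_logins(SAMPLE_LOG).items():
        print(f"unexpected SASL user {user}: {len(logins)} login(s)")
        for ip, method, qid in logins:
            print(f"  from {ip} via {method}, queue id {qid}")
```

Run against the real mail log, every reported username points at an authentication source that accepts credentials the administrator did not knowingly configure.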



