[Postfixbuch-users] Question about the envelope sender and From

Stefan.Schmidt at rw-wireless.de
Thu Sep 27 09:25:09 CEST 2007


Hi,

OK, without HTML this time :)



>> Lately I've been getting a lot of complaints that I / my server is supposedly spamming, but
>> as far as I understand these spam e-mails, I'm not the spammer but the victim of a
>> forged "From: " line in the header.

>Show us your log file for such a mail, or better, for the one quoted below
>Who is complaining?
>Are these catch-all mailboxes?

Log file: see below...
The one complaining is the user who owns the mailbox, i.e. user at example.com.
It is not a catch-all mailbox.

As Matthias Haegele already wrote to me, this is a Joe job, and as I understand it there is little one can do about it.


>Non-delivery notifications always go to the apparent sender (bounces)
>And if they come from a recipient you never wrote to, that is called
>backscatter

Ah OK, but this isn't a bounce, it's a "normal" spam mail

from 08b at ac-martinique.fr
to user at example.com
which claims in From:
 to be from "Alfreda Schmitz"@DOM.TLD

A bounce would have to have <> in the SMTP "Mail from:" and MAILER-DAEMON at .. or something like that as "From:", wouldn't it?

The log file matching this mail:


Sep 25 07:16:36 Cleo postfix/smtpd[6181]: connect from host001.t6n.sotline.ru[80.89.131.1]
Sep 25 07:16:36 Cleo postfix/smtpd[6181]: BB30A8349B: client=host001.t6n.sotline.ru[80.89.131.1]
Sep 25 07:16:36 Cleo postfix/cleanup[6210]: BB30A8349B: message-id=<016705177.53099374603477 at ac-martinique.fr>
Sep 25 07:16:36 Cleo postfix/qmgr[2233]: BB30A8349B: from=<08b at ac-martinique.fr>, size=2089, nrcpt=1 (queue active)
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) ESMTP::10024 /var/lib/amavis/amavis-20070925T071637-06073: <08b at ac-martinique.fr> -> <user at example.com> 
 Received: SIZE=2089 from mx01.rw-wireless.de ([127.0.0.1]) by localhost (Cleo [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06073-01 
 for <user at example.com>; Tue, 25 Sep 2007 07:16:37 +0200 (CEST)
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) body hash: 806f04e7311e967e122c093168b0f3a1
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) Checking: <08b at ac-martinique.fr> -> <user at example.com>
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) Connecting to SQL database server
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) connect_to_sql: 'DBI:mysql:postfix:127.0.0.1' succeeded
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) Checking for banned MIME types and names
Sep 25 07:16:37 Cleo postfix/smtpd[6181]: disconnect from host001.t6n.sotline.ru[80.89.131.1]
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) Checking for banned (contents-based) file types, 2 parts
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) Using Clam Antivirus-clamd: (built-in interface)
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) Clam Antivirus-clamd: Connecting to socket  /var/run/clamav/clamd.ctl
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) Clam Antivirus-clamd: Sending CONTSCAN /var/lib/amavis/amavis-20070925T071637-06073/parts\n to UNIX socket /var/run/clamav/clamd.ctl
Sep 25 07:16:37 Cleo amavis[6073]: (06073-01) Clam Antivirus-clamd result: /var/lib/amavis/amavis-20070925T071637-06073/parts: OK\n
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) spam_scan: hits=17.604 tests=BAYES_99,HTML_FONT_FACE_BAD,HTML_MESSAGE,HTML_TITLE_EMPTY,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) lookup_sql_field(spam_kill_level) (WARNING: no such field in the SQL table), "user at example.com" matches, result=undef
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) lookup_sql_field(spam_tag_level) (WARNING: no such field in the SQL table), "user at example.com" matches, result=undef
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) lookup_sql_field(spam_tag2_level) (WARNING: no such field in the SQL table), "user at example.com" matches, result=undef
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) lookup_sql_field(spam_kill_level) (WARNING: no such field in the SQL table), "user at example.com" matches, result=undef
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) lookup_sql_field(spam_kill_level) (WARNING: no such field in the SQL table), "user at example.com" matches, result=undef
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) local delivery: <> -> <spam-quarantine>, mbx=/var/lib/amavis/virusmails/spam-806f04e7311e967e122c093168b0f3a1-20070925-071642-06073-01.gz
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) SPAM, <08b at ac-martinique.fr> -> <user at example.com>, Yes, hits=17.6 tag1=-1000.0 tag2=3.0 kill=8.0 tests=BAYES_99, HTML_FONT_FACE_BAD, HTML_MESSAGE,
 HTML_TITLE_EMPTY, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SC_SURBL, URIBL_WS_SURBL, quarantine spam-806f04e7311e967e122c093168b0f3a1-20070925-071642-06073-01 (spam-quarantine)
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) lookup_sql_field(spam_tag_level) (WARNING: no such field in the SQL table), "user at example.com" matches, result=undef
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) lookup_sql_field(spam_tag2_level) (WARNING: no such field in the SQL table), "user at example.com" matches, result=undef
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) lookup_sql_field(spam_kill_level) (WARNING: no such field in the SQL table), "user at example.com" matches, result=undef
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) headers CLUSTERING: done all 1 recips in one go
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) SPAM-TAG, <08b at ac-martinique.fr> -> <user at example.com>, Yes, hits=17.6 tagged_above=-1000.0 required=3.0 tests=BAYES_99,
 HTML_FONT_FACE_BAD, HTML_MESSAGE, HTML_TITLE_EMPTY, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SC_SURBL, URIBL_WS_SURBL
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) FWD via SMTP: [127.0.0.1]:10025 <08b at ac-martinique.fr> -> <user at example.com>
Sep 25 07:16:42 Cleo postfix/smtpd[6219]: connect from localhost[127.0.0.1]
Sep 25 07:16:42 Cleo postfix/smtpd[6219]: 70BD2834A4: client=localhost[127.0.0.1]
Sep 25 07:16:42 Cleo postfix/cleanup[6210]: 70BD2834A4: message-id=<016705177.53099374603477 at ac-martinique.fr>
Sep 25 07:16:42 Cleo postfix/qmgr[2233]: 70BD2834A4: from=<08b at ac-martinique.fr>, size=2802, nrcpt=1 (queue active)
Sep 25 07:16:42 Cleo postfix/smtpd[6219]: disconnect from localhost[127.0.0.1]
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) mail_via_smtp: 250 2.6.0 Ok, id=06073-01, from MTA: 250 Ok: queued as 70BD2834A4
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) Passed, <08b at ac-martinique.fr> -> <user at example.com>, quarantine spam-806f04e7311e967e122c093168b0f3a1-20070925-071642-06073-01,
 Message-ID: <016705177.53099374603477 at ac-martinique.fr>, Hits: 17.604
Sep 25 07:16:42 Cleo amavis[6073]: (06073-01) TIMING [total 5527 ms] - sql-prepare: 4 (0%), SMTP EHLO: 7 (0%), SMTP pre-MAIL: -0 (-0%), mkdir tempdir: 1 (0%), create email.txt: 2 (0%),
 SMTP pre-DATA-flush: 6 (0%), SMTP DATA: 37 (1%), body hash: 2 (0%), mkdir parts: 2 (0%), sql-connect: 23 (0%), lookup_sql: 2 (0%), mime_decode: 29 (1%), get-file-type: 25 (0%),
 get-file-type: 25 (0%), decompose_part: 5 (0%), decompose_part: 0 (0%), parts: -0 (-0%), AV-scan-1: 21 (0%), SA msg read: 3 (0%), SA parse: 5 (0%), SA check: 5146 (93%), write-header: 37 (1%),
 save-to-local-mailbox: 17 (0%), fwd-connect: 46 (1%), fwd-mail-from: 4 (0%), fwd-rcpt-to: 7 (0%), write-header: 3 (0%), fwd-data: -0 (-0%), fwd-data-end: 56 (1%), fwd-rundown: 3 (0%), unlink-2-files: 5 (0%), rundown: 2 (0%)
Sep 25 07:16:42 Cleo postfix/smtp[6211]: BB30A8349B: to=<user at example.com>, relay=127.0.0.1[127.0.0.1], delay=6, status=sent (250 2.6.0 Ok, id=06073-01, from MTA: 250 Ok: queued as 70BD2834A4)
Sep 25 07:16:42 Cleo postfix/qmgr[2233]: BB30A8349B: removed
Sep 25 07:16:42 Cleo postfix/virtual[6221]: 70BD2834A4: to=<user at example.com>, relay=virtual, delay=0, status=sent (delivered to maildir)



>> What I'm wondering now is: can I prevent this? And if so, how?

>Not everything, but some of it can be prevented; postconf -n, so we can take a look at
>the config

my postconf -n says:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 51200000
mydestination = localhost
myhostname = mx01.DOM.TLD
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains  $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps  $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks  $virtual_mailbox_limit_maps $smtpd_sender_login_maps
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
relayhost = 
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_mynetworks,  permit_sasl_authenticated,  reject_non_fqdn_sender,  reject_non_fqdn_recipient,    reject_non_fqdn_hostname,  reject_unauth_destination,  reject_unauth_pipelining,     reject_invalid_hostname,  reject_rbl_client list.dsbl.org,  reject_rbl_client bl.spamcop.net,  reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = $virtual_alias_maps
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = virtual
virtual_uid_maps = static:5000


Regards, Stefan




>>>Lately I've been getting a lot of complaints that I / my server is supposedly spamming, but as far as I understand these spam e-mails, I'm not the
>>>spammer but the victim of a forged "From: " line in the header.

>>>The problem is that the forgery matches my domain; the victim and my domain run as virtual domains on the same server.

>>>user at example.com is the spammer's victim
>>>08b at ac-martinique.fr is the real sender, also according to mail.log
>>>"Alfreda Schmitz"@DOM.TLD is the forged From: line; there is no "Alfreda..." at all.
>>>What also bothers me a bit are the """ ; is that even allowed in From:?


>>>What I'm wondering now is: can I prevent this? And if so, how?


>>>Regards, Stefan


>>>look here:

>>>Return-Path: <08b at ac-martinique.fr>
>>>X-Original-To: user at example.com
>>>Delivered-To: user at example.com
>>>Received: from localhost (localhost [127.0.0.1])
>>>        by mx01.DOM.TLD (Postfix) with ESMTP id 70BD2834A4
>>>        for <user at example.com>; Tue, 25 Sep 2007 07:16:42 +0200 (CEST)
>>>Received: from mx01.DOM.TLD ([127.0.0.1])
>>>        by localhost (Cleo [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
>>>        id 06073-01 for <user at example.com>;
>>>     Tue, 25 Sep 2007 07:16:37 +0200 (CEST)
>>>Received: from host001.t6n.sotline.ru (host001.t6n.sotline.ru [80.89.131.1])
>>>        by mx01.DOM.TLD (Postfix) with ESMTP id BB30A8349B
>>>        for <user at example.com>; Tue, 25 Sep 2007 07:16:36 +0200 (CEST)
>>>Received: from [80.89.131.1] by pasteur.ac-martinique.fr; Tue, 25 Sep 2007 11:20:08 +0600
>>>Date:   Tue, 25 Sep 2007 11:20:08 +0600
>>>From: "Alfreda Schmitz"@DOM.TLD
>>>X-Mailer: The Bat! (v2.12.00) Personal
>>>Reply-To: 08b at ac-martinique.fr
>>>X-Priority: 3 (Normal)
>>>Message-ID: <016705177.53099374603477 at ac-martinique.fr>
>>>To: user at example.com
>>>Subject: +++SPAM+++ RE: Thanks for taking our survey
>>>MIME-Version: 1.0
>>>Content-Type: multipart/alternative;
>>>  boundary="----------13DA297BFDA059E"
>>>X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at localhost
>>>X-Spam-Status: Yes, hits=17.6 tagged_above=-1000.0 required=3.0
>>>        tests=BAYES_99, HTML_FONT_FACE_BAD, HTML_MESSAGE, HTML_TITLE_EMPTY,
>>>        URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SC_SURBL, URIBL_WS_SURBL
>>>X-Spam-Level: *****************
>>>X-Spam-Flag: YES 
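As an added illustration of the distinction this thread turns on, the envelope sender (SMTP MAIL FROM, recorded in Return-Path and in the qmgr "from=<...>" log field) versus the unauthenticated From: header, here is a small classifier that tells a real bounce (null sender <>) from the Joe-job pattern (From: claims a locally hosted domain while the envelope sender is foreign). This is example code, not from the list or the poster; the sample headers and log line are constructed from the quoted message with the archive's "at" obfuscation undone, and LOCAL_DOMAINS is an assumed set of domains hosted on the server.

```python
import re
from email import message_from_string

# Constructed sample headers modelled on the message quoted in this thread
# ("at" obfuscation undone; DOM.TLD is the thread's own placeholder domain).
SPOOFED = """\
Return-Path: <08b@ac-martinique.fr>
Received: from host001.t6n.sotline.ru (host001.t6n.sotline.ru [80.89.131.1])
        by mx01.DOM.TLD (Postfix) with ESMTP id BB30A8349B
        for <user@example.com>; Tue, 25 Sep 2007 07:16:36 +0200 (CEST)
From: "Alfreda Schmitz"@DOM.TLD
Reply-To: 08b@ac-martinique.fr
To: user@example.com
"""
# Constructed bounce: null envelope sender <> and MAILER-DAEMON in From:.
BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx01.DOM.TLD (Mail Delivery System)
To: someone@DOM.TLD
"""
# Constructed Postfix qmgr line in the shape of the thread's log.
QMGR_LINE = ("Sep 25 07:16:36 Cleo postfix/qmgr[2233]: BB30A8349B: "
             "from=<08b@ac-martinique.fr>, size=2089, nrcpt=1 (queue active)")
LOCAL_DOMAINS = {"dom.tld", "example.com"}  # assumed: domains hosted on this server

def addr_spec(value):
    """Addr-spec from a header value: prefer <...>, else the bare value before any
    comment. '<>' (the null sender) yields ''. A quoted local part is kept verbatim."""
    m = re.search(r"<([^>]*)>", value)
    return m.group(1).strip() if m else value.split("(")[0].strip()

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def envelope_from_log(line):
    """Envelope sender exactly as Postfix logs it in the qmgr 'from=<...>' field."""
    m = re.search(r"from=<([^>]*)>", line)
    return m.group(1) if m else None

def classify(raw_message, local_domains):
    msg = message_from_string(raw_message)
    envelope = addr_spec(msg.get("Return-Path", ""))  # SMTP MAIL FROM
    header_from = addr_spec(msg.get("From", ""))      # From: header, never verified by SMTP
    if envelope == "":
        return "bounce"  # null sender: a DSN; if unsolicited, backscatter
    if domain_of(header_from) in local_domains and domain_of(envelope) not in local_domains:
        return "spoofed-local-from"  # the Joe-job pattern from the thread
    return "normal"
```

Running it on the two samples yields "spoofed-local-from" for the quoted spam and "bounce" for the DSN, while the qmgr line gives the same envelope sender as the Return-Path header.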




More information about the Postfixbuch-users mailing list