[Postfixbuch-users] My mailserver on a virtual machine/server used as spam-relay

reiner otto augustus_meyer at yahoo.de
Sat Feb 14 13:31:52 CET 2009


For a week, one of my private mailservers has been used as a spam relay, and it is listed in several public spam lists. 
This mailserver uses dovecot, postfix and sasl-auth, and had been running for months without problems. 
The special thing is that this compromised mailserver is running in a virtual machine. 

I guess that this might be one "vulnerability" used by the spammers, because ifconfig on my virtual machine shows: 
----------- 
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0 
          UP LOOPBACK RUNNING  MTU:16436  Metric:1 
          RX packets:20200422 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:3438831 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:0 
          RX bytes:2334475480 (2226.3 Mb)  TX bytes:1480411708 (1411.8 Mb) 

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0 Mask:255.255.255.255 
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1 
          RX packets:3707143 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:4003471 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:0 
          RX bytes:556695194 (530.9 Mb)  TX bytes:619693220 (590.9 Mb) 

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:012.345.678.891  P-t-P:012.345.678.891 Bcast:0.0.0.0  Mask:255.255.255.255 
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1 

-------------------------------------------- 

For now I solved the problem with a "quick fix", by removing "permit_mynetworks" from 
smtpd_recipient_restrictions in Postfix's main.cf. 

Excerpt from my current main.cf (no more spam): 
--------- 
smtpd_recipient_restrictions = 
        reject_invalid_hostname, 
        reject_unknown_recipient_domain, 
        reject_unauth_pipelining, 
#       permit_mynetworks, 
        permit_sasl_authenticated, 
        check_sender_access hash:/etc/postfix/access, 
        reject_unauth_destination, 
        reject_rbl_client zen.spamhaus.org, 
        reject_rbl_client bl.spamcop.net, 
        reject_rbl_client dnsbl.sorbs.net, 
        reject_rbl_client cbl.abuseat.org, 
        reject_rbl_client ix.dnsbl.manitu.net, 
        reject_rbl_client ob.surbl.org, 
        reject_non_fqdn_sender, 
        reject_non_fqdn_hostname, 
        check_policy_service inet:127.0.0.1:10023 
---------------------------------------- 

Another vulnerability which helped the spammers was the fact that they used malformed destinations, with "0.0.0.0" in the MX record. 
Excerpt from my current logs: 
-------------------------------------- 

Feb 14 06:28:22 h123456 postfix/smtpd[1463]: warning: numeric domain name in resource data of MX record for seed.net: 0.0.0.0 
Feb 14 06:28:22 h123456 postfix/smtpd[1463]: NOQUEUE: reject: RCPT from h123456.stratoserver.net[127.0.0.1]: 554 5.7.1 <dpggy1 at seed.net>: Relay access denied; from=<jennifer_joan at msn.com> to=<dpggy1 at seed.net> proto=SMTP helo=<ppp-217-77-221-14.wildpark.net> 
Feb 14 06:28:23 h123456 postfix/smtpd[1463]: warning: numeric domain name in resource data of MX record for seed.net: 0.0.0.0 

---------------------------------- 

If "permit_mynetworks" were still allowed in smtpd_recipient_restrictions, 
my server would have sent this spam. 


So now my question is: how can I reject mail whose destination has "0.0.0.0" in its MX record, because that MX record is invalid? That should be a better solution than commenting out permit_mynetworks. 


Or any other comments? 



Regards, 

Dipl. Ing. Reiner Karlsberg 
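As an added example (this is not code from the original post, nor part of Postfix), the following Python script parses postfix/smtpd log lines of the kind quoted above and extracts two signals a defender would want to see when reviewing a relay abuse like this one: domains whose MX resolved to a numeric address such as 0.0.0.0, and connections that arrived with a client address in 127.0.0.0/8 without a SASL login. The sample log lines are constructed after the quoted ones (with `@` in place of the list archive's ` at `, and two invented `client=` lines to show the accepted-connection case); the regular expressions assume the smtpd log format shown in the post.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, modelled on the postfix/smtpd lines quoted in the post.
# The two "client=" lines are invented; 192.0.2.10 / mail.example.net are documentation values.
SAMPLE_LOG = """\
Feb 14 06:28:22 h123456 postfix/smtpd[1463]: warning: numeric domain name in resource data of MX record for seed.net: 0.0.0.0
Feb 14 06:28:22 h123456 postfix/smtpd[1463]: NOQUEUE: reject: RCPT from h123456.stratoserver.net[127.0.0.1]: 554 5.7.1 <dpggy1@seed.net>: Relay access denied; from=<jennifer_joan@msn.com> to=<dpggy1@seed.net> proto=SMTP helo=<ppp-217-77-221-14.wildpark.net>
Feb 14 06:28:23 h123456 postfix/smtpd[1463]: warning: numeric domain name in resource data of MX record for seed.net: 0.0.0.0
Feb 14 06:30:01 h123456 postfix/smtpd[1470]: A1B2C3D4E5: client=h123456.stratoserver.net[127.0.0.1]
Feb 14 06:31:10 h123456 postfix/smtpd[1471]: B2C3D4E5F6: client=mail.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
"""

# Patterns for the three line types this script understands (smtpd log format as shown in the post).
MX_WARNING = re.compile(
    r"postfix/smtpd\[\d+\]: warning: numeric domain name in resource data of MX record "
    r"for (?P<domain>\S+): (?P<ip>\S+)$"
)
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)> "
    r"to=<[^>]*> proto=\S+ helo=<(?P<helo>[^>]*)>"
)
CLIENT = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<queue>[0-9A-F]+): client=(?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)


def parse_smtpd_log(text):
    """Turn raw log text into a list of event dicts; lines of other types are skipped."""
    events = []
    for line in text.splitlines():
        line = line.rstrip()
        m = MX_WARNING.search(line)
        if m:
            events.append({"kind": "mx_warning", "domain": m["domain"], "ip": m["ip"]})
            continue
        m = REJECT.search(line)
        if m:
            events.append({"kind": "reject", "client_ip": m["ip"], "rcpt": m["rcpt"],
                           "sender": m["sender"], "reason": m["reason"], "helo": m["helo"]})
            continue
        m = CLIENT.search(line)
        if m:
            sasl = re.search(r"sasl_username=([^,\s]+)", m["rest"])
            events.append({"kind": "client", "client_ip": m["ip"],
                           "sasl_username": sasl.group(1) if sasl else None})
    return events


def is_loopback(ip):
    """True for any address in 127.0.0.0/8 (or ::1), i.e. inside the default mynetworks."""
    return ipaddress.ip_address(ip).is_loopback


def bogus_mx_domains(events):
    """Recipient domains whose MX pointed at a numeric address (0.0.0.0 in the post), with counts."""
    return Counter(e["domain"] for e in events if e["kind"] == "mx_warning")


def relay_rejects_from_loopback(events):
    """Relay attempts that were refused only because they reached reject_unauth_destination."""
    return [e for e in events
            if e["kind"] == "reject" and is_loopback(e["client_ip"])
            and e["reason"] == "Relay access denied"]


def unauthenticated_loopback_clients(events):
    """Accepted connections from 127.0.0.0/8 with no SASL login.

    With permit_mynetworks listed before reject_unauth_destination, and the default
    mynetworks (which always contains the loopback network), each of these sessions
    would have been allowed to relay to any destination.
    """
    return [e for e in events
            if e["kind"] == "client" and is_loopback(e["client_ip"])
            and e["sasl_username"] is None]


if __name__ == "__main__":
    evs = parse_smtpd_log(SAMPLE_LOG)
    print("bogus MX domains:", dict(bogus_mx_domains(evs)))
    print("relay rejects from loopback:", len(relay_rejects_from_loopback(evs)))
    print("unauthenticated loopback sessions:", len(unauthenticated_loopback_clients(evs)))
```

The loopback check is the one behind the author's quick fix: the quoted reject line shows the relay attempt arriving with client address 127.0.0.1, which the default mynetworks always covers, so a permit_mynetworks placed before reject_unauth_destination would have accepted it. Running the same two checks over the real mail log (for example by feeding the file contents to parse_smtpd_log) shows how many sessions took that path and which destination domains carried the broken MX records.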


