From: Kim Culhan
To: trafdev
Cc: freebsd-hackers@freebsd.org
Date: Sun, 25 Nov 2012 05:43:10 -0500
Subject: Re: postfix mail server infected ?
List-Id: Technical Discussions relating to FreeBSD

On Sat, November 24, 2012 1:08 pm, trafdev wrote:
> Hi.
> I've a dedicated stand-alone FreeBSD server:
>
> uname -a
> FreeBSD trafd-website-freebsd 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0:
> Tue Jun 12 02:52:29 UTC 2012
> root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>
> Server has one external interface (re0) with IP 206.239.112.241 and
> the postfix service installed on port 25.
>
> Yesterday I noticed a huge amount of emails being sent out:
>
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from
> f116.sd.com[206.239.112.241]
> Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D:
> from=, size=1211, nrcpt=10 (queue active)
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37366]: 75ECA134F2:
> to=, relay=none, delay=25715,
> delays=25715/0.02/0/0.12, dsn=4.7.0, status=deferred (delivery
> temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused
> to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
> temporarily deferred due to user complaints - 4.16.55.1; see
> http://postmaster.yahoo.com/421-ts01.html)
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37368]: 794A911711:
> to=, relay=none, delay=29716,
> delays=29716/0.05/0/0.05, dsn=4.7.0, status=deferred (delivery
> temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused
> to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
> temporarily deferred due to user complaints - 4.16.55.1; see
> http://postmaster.yahoo.com/421-ts01.html)
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36699]: E559512F49:
> to=,
> relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=26077,
> delays=26075/1/0.59/0.31, dsn=4.7.1, status=deferred (host
> vip-us-br-mx.terra.com[208.84.244.133] said: 450 4.7.1 You've exceeded
> your sending limit to this domain. (in reply to end of DATA command))
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37370]: 7C45D18E5D:
> to=, relay=none, delay=6984,
> delays=6984/0.02/0/0.04, dsn=4.7.0, status=deferred (delivery
> temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused
> to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
> temporarily deferred due to user complaints - 4.16.55.1; see
> http://postmaster.yahoo.com/421-ts01.html)
> Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73E8118E53:
> from=, size=1143, nrcpt=10 (queue active)
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413:
> client=f116.sd.com[206.239.112.241]
> Nov 24 00:00:37 trafd-website-freebsd postfix/error[37367]: 74A511A5BF:
> to=, relay=none, delay=5587,
> delays=5587/0/0/0.18, dsn=4.7.0, status=deferred (delivery temporarily
> suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to
> me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred
> due to user complaints - 4.16.55.1; see
> http://postmaster.yahoo.com/421-ts01.html)
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36698]: E7898134D0:
> to=, relay=vip-us-br-mx.terra.com[208.84.244.133]:25,
> conn_use=4, delay=25728, delays=25726/1.1/0.06/0.4, dsn=4.7.1,
> status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] said: 450
> 4.7.1 You've exceeded your sending limit to this domain. (in reply to
> end of DATA command))
> Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36226]: 7BE421F989:
> to=, relay=mx3.bol.com.br[200.147.36.13]:25,
> delay=339, delays=339/0/0.49/0.24, dsn=4.7.1, status=deferred (host
> mx3.bol.com.br[200.147.36.13] said: 450 4.7.1 :
> Recipient address rejected: MX-BOL-04 - Too many messages, try again
> later. (in reply to RCPT TO command))
>
> Where f116.sd.com[206.239.112.241] is the IP and host assigned to the
> external interface (re0).
>
> Due to the "permit_mynetworks" policy enabled in the postfix conf, mail was
> being sent out without authentication. However all externally connected
> clients were rejected, which is proper and expected behavior:
>
> Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from
> a2-starfury4.uol.com.br[200.147.33.227]
> Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE:
> reject: RCPT from a2-starfury4.uol.com.br[200.147.33.227]: 550 5.1.1
> : Recipient address rejected: User unknown in virtual
> mailbox table; from=<> to= proto=ESMTP
> helo=
> Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: disconnect
> from a2-starfury4.uol.com.br[200.147.33.227]
>
> Then, I tried:
>
> $cmd 001 deny all from any to me dst-port 25 in via re0
> $cmd 002 deny all from any to me dst-port 25 out via re0
>
> and cleaned the local mail queue with
> postsuper -d ALL
>
> This didn't change anything - the server continued to send a huge amount of
> emails.
>
> However, restrictions on lo0:
> $cmd 001 deny all from any to me dst-port 25 in via lo0
> $cmd 002 deny all from any to me dst-port 25 out via lo0
>
> did the trick - emailing stopped. So in fact the problem is solved, but
> the real reason wasn't found.
>
> I've launched clamav and f-prot scans - nothing suspicious found.
>
> The main question I have - how is it possible on a stand-alone dedicated
> server - who and how is connecting on behalf of its own ext IP and using
> the local interface to send emails? Is this possible to do from outside, or
> was the server infected from inside?

It appears the delivery failures are failed attempts to deliver bounce
messages, which likely are generated in response to receiving emails with a
Delivered-To: header whose address is the same as the delivery address.

The email has a forged sender address, to which postfix tries to send the
bounce message.

This activity seems to be increasing and we can guess at what the motivation
might be..

Though it's not a FreeBSD problem, there is very little discussion on the
'net about this and it probably causes a lot of grief for those on the
receiving end of the bounce messages.

Would be good if users of postfix on FreeBSD were aware of this and took some
action. Google searching will find a few possibilities for that action; none I
found were without some potential negative effects.

Hope this helps..

-kim
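Kim's explanation above points at bounce (null-sender) mail queued locally and then refused by the forged senders' mail exchangers. As an added example, not code from the thread, here is a small Python triage script that pulls the three signals from Postfix log lines in the shape quoted above: smtpd sessions whose client is the server's own external address, qmgr entries carrying the empty from=<> envelope sender that bounces use, and 4.7.x deferrals grouped by the remote host that pushed back. The sample log lines and the addresses in <> are constructed (the thread's own were stripped by the archive); the server IP is the one from the thread.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Postfix log lines quoted in the thread;
# addresses in <> are made up (the thread's own were stripped by the archive).
OWN_IP = "206.239.112.241"  # the server's own external address, as in the thread
SAMPLE_LOG = """\
Nov 24 00:00:37 host postfix/smtpd[37230]: connect from f116.sd.com[206.239.112.241]
Nov 24 00:00:37 host postfix/qmgr[40324]: 73F7D1365D: from=<>, size=1211, nrcpt=10 (queue active)
Nov 24 00:00:37 host postfix/error[37366]: 75ECA134F2: to=<a@yahoo.com>, relay=none, delay=25715, delays=25715/0.02/0/0.12, dsn=4.7.0, status=deferred (delivery temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred due to user complaints)
Nov 24 00:00:37 host postfix/smtp[36699]: E559512F49: to=<b@terra.com>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=26077, delays=26075/1/0.59/0.31, dsn=4.7.1, status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] said: 450 4.7.1 You've exceeded your sending limit to this domain. (in reply to end of DATA command))
Nov 24 00:00:37 host postfix/smtpd[37153]: 93E1020413: client=f116.sd.com[206.239.112.241]
Nov 24 19:31:04 host postfix/smtpd[65618]: connect from a2-starfury4.uol.com.br[200.147.33.227]
Nov 24 19:31:05 host postfix/qmgr[40324]: 1234ABCD56: from=<user@example.org>, size=900, nrcpt=1 (queue active)
"""

# smtpd naming the client it talks to (the connect line or the queue-id line)
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?:[0-9A-F]+: client=|connect from )(\S+)\[([\d.]+)\]")
# qmgr activating a message; an empty from=<> is the null envelope sender bounces use
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: [0-9A-F]+: from=<([^>]*)>, size=\d+, nrcpt=(\d+)")
# a deferral whose reason names the remote host that answered with a 4.7.x code
DEFER_RE = re.compile(
    r"postfix/(?:smtp|error)\[\d+\]: [0-9A-F]+: to=<[^>]*>, .*dsn=(4\.7\.\d+), "
    r"status=deferred \((?:delivery temporarily suspended: )?host (\S+)\[")

def analyze(log_text, own_ip):
    """Count who submitted, how much null-sender mail was queued, and which remote hosts push back."""
    own_ip_events = external_events = null_msgs = null_rcpts = 0
    deferred = Counter()
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            if m.group(2) == own_ip:
                own_ip_events += 1      # submission arriving "from ourselves" (via lo0)
            else:
                external_events += 1
        elif m := QMGR_RE.search(line):
            if m.group(1) == "":
                null_msgs += 1
                null_rcpts += int(m.group(2))
        elif m := DEFER_RE.search(line):
            deferred[m.group(2)] += 1
    return {
        "own_ip_smtpd_events": own_ip_events,
        "external_smtpd_events": external_events,
        "null_sender_messages": null_msgs,
        "null_sender_recipients": null_rcpts,
        "deferred_by_remote_host": dict(deferred),
        # locally queued bounces, submitted via our own address, refused remotely: the thread's pattern
        "looks_like_backscatter": own_ip_events > 0 and null_msgs > 0 and bool(deferred),
    }
```

Run it against a real maillog by passing the file contents as log_text; a rising null-sender recipient count together with deferrals from the forged senders' MXes is the backscatter signature, while the external smtpd count shows the legitimate rejections Kim's correspondent observed.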