Date: Sun, 25 Nov 2012 10:27:50 -0800
From: trafdev <trafdev@mail.ru>
To: Kim Culhan <w8hdkim@gmail.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: postfix mail server infected ?
Message-ID: <50B26326.3070008@mail.ru>
In-Reply-To: <CAKZxVQWOtqaDc+FOnh6refL3ej8SkF02MnK7w_M2vs-=ecjxgw@mail.gmail.com>
References: <CAKZxVQWOtqaDc+FOnh6refL3ej8SkF02MnK7w_M2vs-=ecjxgw@mail.gmail.com>
Hi.

Can you please point me to some discussions and solutions related to
this problem?

Thanks.

On Sun Nov 25 02:43:10 2012, Kim Culhan wrote:
> On Sat, November 24, 2012 1:08 pm, trafdev wrote:
> > Hi. I have a dedicated stand-alone FreeBSD server:
> >
> > uname -a
> > FreeBSD trafd-website-freebsd 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0:
> > Tue Jun 12 02:52:29 UTC 2012
> > root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
> >
> > Server has one external interface (re0) with IP 206.239.112.241 and
> > postfix service installed on port 25.
> >
> > Yesterday I noticed a huge number of emails being sent out:
> >
> > Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from
> > f116.sd.com[206.239.112.241]
> > Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D:
> > from=<wkktxh@f116.sd.com>, size=1211, nrcpt=10 (queue active)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/error[37366]: 75ECA134F2:
> > to=<reco.motos@yahoo.com.br>, relay=none, delay=25715,
> > delays=25715/0.02/0/0.12, dsn=4.7.0, status=deferred (delivery
> > temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused
> > to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
> > temporarily deferred due to user complaints - 4.16.55.1; see
> > http://postmaster.yahoo.com/421-ts01.html)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/error[37368]: 794A911711:
> > to=<tayd@yahoo.com.br>, relay=none, delay=29716,
> > delays=29716/0.05/0/0.05, dsn=4.7.0, status=deferred (delivery
> > temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused
> > to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
> > temporarily deferred due to user complaints - 4.16.55.1; see
> > http://postmaster.yahoo.com/421-ts01.html)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36699]: E559512F49:
> > to=<luziarodrigues757@terra.com.br>,
> > relay=vip-us-br-mx.terra.com[208.84.244.133]:25, delay=26077,
> > delays=26075/1/0.59/0.31, dsn=4.7.1, status=deferred (host
> > vip-us-br-mx.terra.com[208.84.244.133] said: 450 4.7.1 You've exceeded
> > your sending limit to this domain. (in reply to end of DATA command))
> > Nov 24 00:00:37 trafd-website-freebsd postfix/error[37370]: 7C45D18E5D:
> > to=<a925er@yahoo.com.br>, relay=none, delay=6984,
> > delays=6984/0.02/0/0.04, dsn=4.7.0, status=deferred (delivery
> > temporarily suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused
> > to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
> > temporarily deferred due to user complaints - 4.16.55.1; see
> > http://postmaster.yahoo.com/421-ts01.html)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73E8118E53:
> > from=<t9zir@f116.sd.com>, size=1143, nrcpt=10 (queue active)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413:
> > client=f116.sd.com[206.239.112.241]
> > Nov 24 00:00:37 trafd-website-freebsd postfix/error[37367]: 74A511A5BF:
> > to=<duscherer1@yahoo.com.br>, relay=none, delay=5587,
> > delays=5587/0/0/0.18, dsn=4.7.0, status=deferred (delivery temporarily
> > suspended: host mta7.am0.yahoodns.net[66.94.236.34] refused to talk to
> > me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred
> > due to user complaints - 4.16.55.1; see
> > http://postmaster.yahoo.com/421-ts01.html)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36698]: E7898134D0:
> > to=<gvfg@terra.com.br>, relay=vip-us-br-mx.terra.com[208.84.244.133]:25,
> > conn_use=4, delay=25728, delays=25726/1.1/0.06/0.4, dsn=4.7.1,
> > status=deferred (host vip-us-br-mx.terra.com[208.84.244.133] said: 450
> > 4.7.1 You've exceeded your sending limit to this domain. (in reply to
> > end of DATA command))
> > Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36226]: 7BE421F989:
> > to=<elc.moura@bol.com.br>, relay=mx3.bol.com.br[200.147.36.13]:25,
> > delay=339, delays=339/0/0.49/0.24, dsn=4.7.1, status=deferred (host
> > mx3.bol.com.br[200.147.36.13] said: 450 4.7.1 <elc.moura@bol.com.br>:
> > Recipient address rejected: MX-BOL-04 - Too many messages, try again
> > later. (in reply to RCPT TO command))
> >
> > Where f116.sd.com[206.239.112.241] is the IP and host assigned to the
> > external interface (re0).
> >
> > Due to the "permit_mynetworks" policy enabled in the postfix conf, mail was
> > being sent out without authentication. However, all externally connected
> > clients were rejected, which is proper and expected behavior:
> >
> > Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from
> > a2-starfury4.uol.com.br[200.147.33.227]
> > Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE:
> > reject: RCPT from a2-starfury4.uol.com.br[200.147.33.227]: 550 5.1.1
> > <pehw@f116.sd.com>: Recipient address rejected: User unknown in virtual
> > mailbox table; from=<> to=<pehw@f116.sd.com> proto=ESMTP
> > helo=<mx.uol.com.br>
> > Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: disconnect
> > from a2-starfury4.uol.com.br[200.147.33.227]
> >
> > Then, I tried:
> >
> > $cmd 001 deny all from any to me dst-port 25 in via re0
> > $cmd 002 deny all from any to me dst-port 25 out via re0
> >
> > and cleaned the local mail queue with
> > postsuper -d ALL
> >
> > This didn't change anything - the server continued to send a huge amount of
> > emails.
> >
> > However, restrictions on lo0:
> > $cmd 001 deny all from any to me dst-port 25 in via lo0
> > $cmd 002 deny all from any to me dst-port 25 out via lo0
> >
> > did the trick - emailing stopped. So in fact the problem is solved, but
> > the real reason wasn't found.
> >
> > I've launched clamav and f-prot scans - nothing suspicious found.
> >
> > The main question I have - how is it possible on a stand-alone dedicated
> > server - who and how is connecting on behalf of its own ext IP and using the
> > local interface to send emails? Is this possible to do from outside, or
> > was the server infected from inside?
>
> It appears the delivery failures are failed attempts to deliver bounce
> messages which likely are generated in response to receiving emails
> with a Delivered-To: header with the address the same as the delivery
> address.
>
> The email has a forged sender address where postfix tries to send the
> bounce message.
>
> This activity seems to be increasing and we can guess at what the
> motivation might be..
>
> Though it's not a FreeBSD problem, there is very little discussion on
> the 'net about this and it probably causes a lot of grief for those on
> the receiving end of the bounce messages.
>
> Would be good if users of postfix on FreeBSD were aware of this and
> took some action.
>
> Google searching will find a few possibilities for that action, none I
> found were without some potential negative effects.
>
> Hope this helps..
>
> -kim
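The poster's question of who is connecting to port 25 on behalf of the host's own external address can be answered from the maillog itself, because Postfix records three things per queue ID: the client address on the smtpd `client=` line, the envelope sender on the qmgr `from=` line, and, for mail submitted through the local sendmail binary instead of SMTP, a pickup line carrying the submitting uid. The Python below is an added example, not code from this thread or from Postfix. It assumes the Postfix log format visible in the quoted excerpts and runs over constructed sample lines (the queue IDs, the pickup entry, the remote null-sender message and the timestamps are made up for the example; the host name and addresses are the ones given in the thread). A message whose `client=` is one of the server's own addresses and whose sender is non-null was injected by a process on the box speaking SMTP to port 25, which fits the observation that an ipfw rule on lo0 stopped the flood while the rule on re0 did not; a null sender (`from=<>`) marks a bounce, the backscatter case Kim describes.

```python
import re
from collections import Counter

# Addresses that count as "this host": loopback plus the external address
# of re0 from the thread. A message whose SMTP client is one of these reached
# Postfix from a process running on the server itself.
LOCAL_IPS = {"127.0.0.1", "::1", "206.239.112.241"}

# Constructed sample lines in the Postfix log format shown in the thread.
# Queue IDs, the pickup entry, the accepted null-sender message and the
# timestamps are invented for this example.
SAMPLE_LOG = """\
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: connect from f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413: client=f116.sd.com[206.239.112.241]
Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 93E1020413: from=<t9zir@f116.sd.com>, size=1143, nrcpt=10 (queue active)
Nov 24 00:00:38 trafd-website-freebsd postfix/smtpd[37153]: disconnect from f116.sd.com[206.239.112.241]
Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from a2-starfury4.uol.com.br[200.147.33.227]
Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: 1A2B3C4D5E: client=a2-starfury4.uol.com.br[200.147.33.227]
Nov 24 19:31:05 trafd-website-freebsd postfix/qmgr[40324]: 1A2B3C4D5E: from=<>, size=2200, nrcpt=1 (queue active)
Nov 24 19:40:00 trafd-website-freebsd postfix/pickup[500]: 9F8E7D6C5B: uid=80 from=<www>
Nov 24 19:40:00 trafd-website-freebsd postfix/qmgr[40324]: 9F8E7D6C5B: from=<www@f116.sd.com>, size=900, nrcpt=5 (queue active)
"""

# smtpd: "QUEUEID: client=hostname[ip]" ties a queue ID to the SMTP client.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)
# pickup: "QUEUEID: uid=N from=<user>" is mail handed in via /usr/sbin/sendmail.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>"
)
# qmgr: "QUEUEID: from=<sender>, size=N, nrcpt=N" carries the envelope sender.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def classify(log_text, local_ips=LOCAL_IPS):
    """Return {queue_id: record}. Each record says how the message entered
    Postfix ("remote", "local_smtp" for SMTP from one of this host's own
    addresses, or "local_pickup" with the submitting uid), its envelope
    sender, whether it is a bounce (null sender) and its recipient count."""
    records = {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            rec = records.setdefault(m["qid"], {})
            rec["client_ip"] = m["ip"]
            rec["origin"] = "local_smtp" if m["ip"] in local_ips else "remote"
            continue
        m = PICKUP_RE.search(line)
        if m:
            rec = records.setdefault(m["qid"], {})
            rec["origin"] = "local_pickup"
            rec["uid"] = int(m["uid"])
            continue
        m = QMGR_RE.search(line)
        if m:
            rec = records.setdefault(m["qid"], {})
            rec["sender"] = m["from"]
            rec["bounce"] = m["from"] == ""
            rec["nrcpt"] = int(m["nrcpt"])
    return records


def summarize(records):
    """Count messages by (origin, is_bounce) so locally injected mail with a
    forged non-null sender stands apart from backscatter (null sender)."""
    return Counter(
        (r.get("origin", "unknown"), r.get("bounce", False)) for r in records.values()
    )


if __name__ == "__main__":
    recs = classify(SAMPLE_LOG)
    for qid, rec in sorted(recs.items()):
        print(qid, rec)
    print(summarize(recs))
```

To use it on a real box, replace `SAMPLE_LOG` with the contents of `/var/log/maillog`. A count under `("local_smtp", False)` means something on the host opened a connection to port 25 using the external address as its source and injected mail under `permit_mynetworks`; at that point the thing to find is the process, for example with `sockstat -4 -c` while the connections are live, rather than a bounce policy. A count under `("local_pickup", False)` points at a user account instead, and the `uid` field names it (on a stock FreeBSD install uid 80 is `www`, which is why a compromised web application usually shows up here). Only the `(..., True)` rows are the backscatter case that Kim's reply describes.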
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50B26326.3070008>