Home » Forums » Development » Hacks

How to prevent spoofing from Postfix/local part

  • nihal
  • 01/10/08
  • Offline
Posted: Wed, 2009-04-29 02:39

Some people sent spoofing mails from our mail users sent to our user from Postfix/local that is listed in maillog like below:

Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

Bu i do not know how to prevent this people not to use my Postfix/local delivery part. How can i prevent this attack?

When i connect to my mail server to sent or receive my mail it look like Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=..., lip=... .... Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0....

But the attackers connect directly like below:

Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME) .... Apr 29 17:29:59 ns1 postfix/qmgr[2218]: 3192E357FD9: removed

Do you have any idea to solve this problem?


Re:How to prevent spoofing from Postfix/local part

  • Joe
  • 10/23/08
  • Offline
  • Wed, 2009-04-29 11:49
  • Copy comment link
When i connect to my mail server to sent or receive my mail it look like Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***

This is receiving mail. POP3 is a mail retrieval protocol. Dovecot is a POP3/IMAP server. This is not sending mail.

Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

This is mail being directed into procmail via Postfix. It is what any mail sent to your server looks like. It is not indicative of a problem, and it is not "spoofing".

What is the actual problem? The logs you've given us give no indication of spoofing. They look like normal delivery via procmail.


Re:How to prevent spoofing from Postfix/local part

  • nihal
  • 01/10/08
  • Offline
  • Wed, 2009-04-29 21:12
  • Copy comment link

ı attach my maillog to understand that what i want to say. Most of the mail users sends spam mails themselves that is shown in attachment.

Most of listed queue like below. Apr 30 11:00:22 ns1 postfix/local[6357]: 7D0383584F0: to=<destek-domain.net@ns1.mydomain.com>, orig_to=<destek@domain.net>, relay=local, delay=1043, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME) Apr 30 11:00:22 ns1 postfix/qmgr[30193]: 7D0383584F0: removed

and all this mail sending all user as spam. But i can not find the trigger of this spam. This is the only local part problem. Ä° think this spam attact doing to Internet from our server, because http://www.backscatterer.org/index.php list server IP in blacklist. The attact history given below that is listed in http://www.backscatterer.org/index.php.

A total of 103 Impacts were seen during this listing. Last was 2009/04/30 05:32 Earliest date this IP can expire is 2009/05/28.

History:2008/03/27 22:28 listed 2008/04/24 23:30 expired 2008/07/06 11:15 listed 2008/08/03 11:30 expired 2008/10/25 21:59 listed 2008/11/22 21:03 expired 2008/11/28 13:20 listed 2008/12/26 14:03 expired 2009/01/18 12:24 listed 2009/02/15 13:05 expired 2009/02/26 22:00 listed.

[file name=maillog.txt size=45442]http://www.virtualmin.com/components/com_fireboard/uploaded/files/maillog.txt[/file]