Some people are sending spoofed mails from our mail users to our users through Postfix/local, which is listed in the maillog like below:
Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
But I do not know how to prevent these people from using my Postfix/local delivery part. How can I prevent this attack?
When I connect to my mail server to send or receive my mail it looks like:
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=..., lip=...
....
Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
....
But the attackers connect directly like below:
Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
....
Apr 29 17:29:59 ns1 postfix/qmgr[2218]: 3192E357FD9: removed
Do you have any idea to solve this problem?
<div class='quote'>When i connect to my mail server to sent or receive my mail it look like
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***</div>
This is receiving mail. POP3 is a mail retrieval protocol. Dovecot is a POP3/IMAP server. This is not sending mail.
<div class='quote'>Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)</div>
This is mail being directed into procmail via Postfix. It is what <i>any</i> mail sent to your server looks like. It is not indicative of a problem, and it is not "spoofing".
What is the actual problem? The logs you've given us give no indication of spoofing. They look like normal delivery via procmail.
--
Check out the forum guidelines!
I attach my maillog to help understand what I want to say. Most of the mail users send spam mails themselves, as shown in the attachment.
Most of the listed queue looks like below.
Apr 30 11:00:22 ns1 postfix/local[6357]: 7D0383584F0: to=<destek-domain.net@ns1.mydomain.com>, orig_to=<destek@domain.net>, relay=local, delay=1043, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 30 11:00:22 ns1 postfix/qmgr[30193]: 7D0383584F0: removed
and all this mail is being sent to all users as spam. But I can not find the trigger of this spam. This is only the local part problem. I think this spam attack is going out to the Internet from our server, because http://www.backscatterer.org/index.php lists the server IP in its blacklist.
The attack history given below is what is listed at http://www.backscatterer.org/index.php.
A total of 103 Impacts were seen during this listing. Last was 2009/04/30 05:32
Earliest date this IP can expire is 2009/05/28.
History: 2008/03/27 22:28 listed
2008/04/24 23:30 expired
2008/07/06 11:15 listed
2008/08/03 11:30 expired
2008/10/25 21:59 listed
2008/11/22 21:03 expired
2008/11/28 13:20 listed
2008/12/26 14:03 expired
2009/01/18 12:24 listed
2009/02/15 13:05 expired
2009/02/26 22:00 listed.
[file name=maillog.txt size=45442]http://www.virtualmin.com/components/com_fireboard/uploaded/files/maillo...
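The reply above makes the point that a postfix/local line on its own only shows delivery into procmail, and the follow-up asks where the spam that got the server onto backscatterer.org comes from. Both questions are answered by following each queue ID through its smtpd, qmgr and delivery-agent records: the smtpd (or pickup) record says where the message entered, the qmgr record carries the envelope sender, and a message with the empty sender <> that is relayed outward is a bounce, which is exactly what a backscatter listing counts. The script below is an added example written for this thread, not code from the thread, from Virtualmin or from Postfix. It runs on a constructed maillog: only the postfix/local and qmgr "removed" lines for EC2153565E3 and 3192E357FD9 are the ones quoted above; every smtpd line, the qmgr "from=" lines, the whole 5A1C2358A01 message and all IP addresses are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample maillog. The postfix/local and "removed" lines for
# EC2153565E3 and 3192E357FD9 are the ones quoted in the thread; every other
# line (smtpd client records, qmgr "from=" records, the whole 5A1C2358A01
# message and all IP addresses) is invented here to show the surrounding
# records that belong to the same queue ID.
SAMPLE_LOG = """\
Apr 29 16:48:56 ns1 postfix/smtpd[3001]: EC2153565E3: client=unknown[192.0.2.10]
Apr 29 16:48:56 ns1 postfix/qmgr[2218]: EC2153565E3: from=<>, size=2210, nrcpt=1 (queue active)
Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 29 16:57:02 ns1 postfix/qmgr[2218]: EC2153565E3: removed
Apr 29 17:25:38 ns1 postfix/smtpd[2401]: 3192E357FD9: client=mail.example.net[198.51.100.7]
Apr 29 17:25:38 ns1 postfix/qmgr[2218]: 3192E357FD9: from=<friend@example.net>, size=1803, nrcpt=1 (queue active)
Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 29 17:29:59 ns1 postfix/qmgr[2218]: 3192E357FD9: removed
Apr 30 11:00:30 ns1 postfix/qmgr[30193]: 5A1C2358A01: from=<>, size=3120, nrcpt=1 (queue active)
Apr 30 11:00:31 ns1 postfix/smtp[6400]: 5A1C2358A01: to=<forged-sender@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.2, status=sent (250 2.0.0 Ok: queued as ABC123)
Apr 30 11:00:31 ns1 postfix/qmgr[30193]: 5A1C2358A01: removed
"""

# One Postfix record: "<timestamp> <host> postfix/<daemon>[<pid>]: <queue id>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# key=value pairs inside <rest>: either an angle-bracketed address or a bare
# token optionally followed by one parenthesised comment, e.g. "sent (delivered ...)"
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]*(?: \([^)]*\))?)")


def parse_line(line):
    """Return (daemon, queue id, {key: value}) for a Postfix line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # dovecot, cron, etc. are not part of the Postfix queue trail
    fields = {k: v.strip("<>") for k, v in KV_RE.findall(m.group("rest"))}
    return m.group("prog"), m.group("qid"), fields


def build_queue(log_text):
    """Group records by queue ID: where the message entered, its envelope sender, its deliveries."""
    queue = defaultdict(lambda: {"origin": None, "sender": None, "deliveries": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prog, qid, f = rec
        q = queue[qid]
        if prog == "smtpd" and "client" in f:
            q["origin"] = "smtpd client " + f["client"]  # arrived over the network
        elif prog == "pickup" and "uid" in f:
            q["origin"] = "pickup uid " + f["uid"]  # submitted on the box via sendmail(1)
        if prog == "qmgr" and "from" in f:
            q["sender"] = f["from"]  # "" means the null sender <>, i.e. a bounce/DSN
        if prog in ("local", "virtual", "pipe", "smtp", "lmtp") and "to" in f:
            q["deliveries"].append({
                "to": f["to"],
                "orig_to": f.get("orig_to"),
                "relay": f.get("relay"),
                "status": f.get("status", "").split(" ", 1)[0],
            })
    return dict(queue)


def classify(queue):
    """Label each queue ID: ordinary inbound mail, inbound bounce, locally submitted, or outbound bounce."""
    report = {}
    for qid, q in queue.items():
        null_sender = q["sender"] == ""
        outbound = [d for d in q["deliveries"] if d["relay"] not in ("local", "virtual", None)]
        if null_sender and outbound:
            # A bounce leaving the server: if the original sender address was forged,
            # this is the backscatter that lists like backscatterer.org count.
            verdict = "OUTBOUND BOUNCE to " + outbound[0]["to"] + " (backscatter candidate)"
        elif null_sender:
            verdict = "inbound bounce delivered locally"
        elif (q["origin"] or "").startswith("pickup"):
            verdict = "submitted locally via sendmail/pickup"
        else:
            verdict = "ordinary inbound mail"
        report[qid] = verdict
    return report


if __name__ == "__main__":
    queue = build_queue(SAMPLE_LOG)
    for qid, verdict in classify(queue).items():
        q = queue[qid]
        print(f"{qid}: origin={q['origin']} sender=<{q['sender']}> -> {verdict}")
```

Against a real log, call `build_queue(open("/var/log/maillog").read())` and look at the origin of each queue ID rather than at the local delivery line: a postfix/local record with relay=local only says the message was handed to procmail, as the reply points out, while an smtpd origin with a null sender is a bounce arriving from outside, and a null-sender message relayed out through postfix/smtp is the kind of delivery a backscatter listing is based on. The parser tolerates extra keys (delays=, dsn=) that newer Postfix versions add to these lines.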