Small amount of spam still routed through server andanotherproblem with spam
in [Postfix]
|
Prev: Relaying and backskatter problem
Next: Small amount of spam still routed through server and anotherproblemwith spam
From: Josh Cason on 24 Mar 2010 16:53 First I hope I'm posting a reply back. I'll try to explain better. Since I cannot find the log I need to post. The spam comes from any place. Mostly just foreign IP numbers. Yea we could block the ip numbers but they change. We also use postini and to my surprise it even show up through them. This problem does not last more than 2 weeks if that. For instance on postini it came in for about two weeks. Not every day. Then I assume postini or whoever fixes or kicks the spammer off-line. I went with a month and a half one time with no extra junk. Then it returned. All I see is a person connecting up. Dropping a message via a ip number. With or without spoofed address. Then it goes through the system and is sent back out to like 30 recepients. These messages are pretty harmless either. Sometimes not even a link. Just a stupid message. Example last night I had somebody go over 20 (that is our number) and we are okay since it was blocked. Then what we get back is from other email servers saying connection time out or users does not exist, etc, etc. I figured either my main.cf file is allowing a open relay that my testing is not picking up or I'm already doing everything I can to fight this type of spam. Yes we even put in more firewall rules and that helped too. I did find one other person having this issue with postini in general. The answer they got was to turn on autocreate and add all valid users to postini database. The problem is this cost money for each user address and I cannot believe this is the only answer. I admit I might have configured something incorrect even though it worked for more than a year. On the other problem. We still get email that is to/from the same person and it is not from our system. I found a page that said that said if you added something it will check to see the to/from is not from your ip number and kills the message. But I cannot find that info. Even though the ip number can be spoofed. Most of what I see is not. When you look at the message. Just the to/from address matches up. The ip does not. Thanks, Josh -- This message has been scanned for viruses and dangerous content by Mychoice, and is believed to be clean.
From: Ansgar Wiechers on 24 Mar 2010 19:15
First and foremost, please read the fine Postfix Debugging HOWTO [1]. It will provide guidance in troubleshooting your problem. On 2010-03-24 Josh Cason wrote: > First I hope I'm posting a reply back. I'll try to explain better. > Since I cannot find the log I need to post. What operating system are you using? In case of Linux it's probably /var/log/mail.log or something like that. You'll find the exact name and location in your syslog configuration. Once you have located the file: please do *not* post the entire log file, but extract the relevant entries (e.g. grep for the queue ID of a suspicious transaction). > The spam comes from any place. Mostly just foreign IP numbers. Yea we > could block the ip numbers but they change. We also use postini and to > my surprise it even show up through them. This problem does not last > more than 2 weeks if that. For instance on postini it came in for > about two weeks. Not every day. Then I assume postini or whoever fixes > or kicks the spammer off-line. I went with a month and a half one time > with no extra junk. Then it returned. All I see is a person connecting > up. Dropping a message via a ip number. With or without spoofed > address. Then it goes through the system and is sent back out to like > 30 recepients. If an arbitrary external host can submit a message that is relayed to external recipients, then you do have an open relay. Which would be a Bad Thing(tm). However, given your vague description and non-existent evidence, it could be anything else just as well. Please do post the output of "postconf -n" and relevant log excerpts. > On the other problem. We still get email that is to/from the same > person and it is not from our system. I found a page that said that > said if you added something it will check to see the to/from is not > from your ip number and kills the message. But I cannot find that > info. Even though the ip number can be spoofed. Most of what I see is > not. When you look at the message. Just the to/from address matches > up. The ip does not. I think what you want can be done with a policy daemon or a proxy filter. I seem to recall a discussion about this very topic not too long ago, but was unable to find it when sifting through the list archive. [1] http://www.postfix.org/DEBUG_README.html Regards Ansgar Wiechers -- "Abstractions save us time working, but they don't save us time learning." --Joel Spolsky |