[lug] Am I spamming? postfix log question

George Sexton georges at mhsoftware.com
Wed Sep 3 13:47:38 MDT 2014


You might want to use this tool here:

http://mxtoolbox.com/SuperTool.aspx

to check your IP. Click on the button to change the check type to blacklist.

On 9/3/2014 8:40 AM, Chip Atkinson wrote:
> Thanks for that information.  It looks like a good set of restrictions 
> to put in place.  When scrutinizing my config files further I did 
> discover that the server was misconfigured and the source of the 
> problem was "backscatter", where a spammer will connect saying they 
> are from hotmail or whatever, and my server would dutifully contact 
> hotmail saying no such user.  That problem is fixed.  I'll put these 
> in place to further tighten things up.
>
> Chip
>
>
>  On Wed, 3 Sep 2014, George Sexton wrote:
>
>> A reasonable smtpd_sender_restrictions would be:
>>
>> smtpd_sender_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_rbl_client zen.spamhaus.org,permit
>>
>>
>>
>> On 9/1/2014 12:59 PM, Chip Atkinson wrote:
>>       Hi folks,
>>
>>       I'm going through my maillogs and I see entries like this:
>>
>>       maillog-20140811:Aug  5 00:03:46 tedward postfix/cleanup[23181]: B64A11AE3AB2: message-id=<20140805060346.B64A11AE3AB2 at tedward.pupman.com>
>>
>>       maillog-20140811:Aug  5 00:03:46 tedward postfix/qmgr[6868]: B64A11AE3AB2: from=<>, size=10913, nrcpt=1 (queue active)
>>
>>       maillog-20140811:Aug  5 00:03:46 tedward postfix/bounce[23183]: 84C3A1AE3AA9: sender non-delivery notification: B64A11AE3AB2
>>
>>       maillog-20140811:Aug  5 00:03:46 tedward postfix/smtp[23187]: B64A11AE3AB2: to=<BureauScores at natric.eu>, relay=hgsp68.natric.eu[162.253.152.22]:25, delay=0.24, delays=0/0.01/0.23/0, dsn=4.4.2, status=deferred (lost connection with hgsp68.natric.eu[162.253.152.22] while receiving the initial server greeting)
>>
>>       maillog-20140811:Aug  5 00:12:38 tedward postfix/qmgr[6868]: B64A11AE3AB2: from=<>, size=10913, nrcpt=1 (queue active)
>>
>>       maillog-20140811:Aug  5 00:12:38 tedward postfix/smtp[1505]: B64A11AE3AB2: to=<BureauScores at natric.eu>, relay=hgsp68.natric.eu[162.253.152.22]:25, delay=532, delays=532/0.01/0.19/0, dsn=4.4.2, status=deferred (lost connection with hgsp68.natric.eu[162.253.152.22] while receiving the initial server greeting)
>>
>>       (Gaps added for clarity due to wrapping)
>>
>>       To me it looks like my server got some email from "<>" and then tried to deliver to BureauScores at natric.edu.
>>
>>       Is my interpretation correct, and if so, any suggestions on how to combat the problem?
>>
>>       Here's postconf -n's output if that helps.
>>
>>       Thanks in advance.
>>
>>       Chip
>>
>>
>>       alias_database = hash:/etc/aliases
>>       alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases
>>       command_directory = /usr/sbin
>>       config_directory = /etc/postfix
>>       daemon_directory = /usr/libexec/postfix
>>       data_directory = /var/lib/postfix
>>       debug_peer_level = 2
>>       debug_peer_list = 167.88.120.115
>>       html_directory = no
>>       in_flow_delay = 1s
>>       inet_interfaces = all
>>       inet_protocols = ipv4
>>       local_recipient_maps =
>>       mail_owner = postfix
>>       mail_spool_directory = /var/spool/mail
>>       mailq_path = /usr/bin/mailq.postfix
>>       manpage_directory = /usr/share/man
>>       masquerade_domains = pupman.com
>>       message_size_limit = 20480000
>>       mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain, chip1.$mydomain, tedward.pupman.com, www.pupman.com
>>       mydomain = pupman.com
>>       myhostname = tedward.pupman.com
>>       mynetworks = 127.0.0.0/8, 167.88.120.115 [::1]/128
>>       myorigin = $mydomain
>>       newaliases_path = /usr/bin/newaliases.postfix
>>       owner_request_special = no
>>       proxy_interfaces = 167.88.120.115
>>       queue_directory = /var/spool/postfix
>>       readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
>>       recipient_delimiter = +
>>       relay_domains = $mydestination, pupman.com,
>>       sample_directory = /usr/share/doc/postfix-2.6.6/samples
>>       sendmail_path = /usr/sbin/sendmail.postfix
>>       setgid_group = postdrop
>>       smtpd_client_restrictions = permit_mynetworks
>>       smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_unauth_destination
>>       smtpd_helo_required = yes
>>       smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
>>       smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_invalid_hostname, reject_unauth_pipelining, reject_unauth_destination, check_client_access hash:/etc/postfix/rbl_override, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.njabl.net, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, permit
>>       smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_unknown_address
>>       unknown_local_recipient_reject_code = 550
>>
>>       _______________________________________________
>>       Web Page:  http://lug.boulder.co.us
>>       Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>       Join us on IRC: irc.hackingsociety.org port=6667 
>> channel=#hackingsociety
>>
>>
>> -- 
>> George Sexton
>> MH Software, Inc.
>> Voice: 303 438 9585
>> http://www.mhsoftware.com
>>
>>
>
>

-- 
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
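
The backscatter pattern discussed in this thread (a locally generated bounce with from=<> leaving for a remote domain) can be found by correlating queue IDs in the maillog. The following is an added example, not part of the original messages; the log lines, the host name mx1, the addresses and the local domain list are constructed, and find_backscatter is a hypothetical helper name.

```python
import re

# Constructed sample in Postfix syslog format (not copied from the thread).
SAMPLE_LOG = """\
Aug  5 00:03:46 mx1 postfix/qmgr[6868]: A1B2C3D4E5F6: from=<forged@example.net>, size=9001, nrcpt=1 (queue active)
Aug  5 00:03:46 mx1 postfix/local[2305]: A1B2C3D4E5F6: to=<nouser@example.com>, relay=local, delay=0.1, dsn=5.1.1, status=bounced (unknown user: "nouser")
Aug  5 00:03:46 mx1 postfix/bounce[2306]: A1B2C3D4E5F6: sender non-delivery notification: 0F1E2D3C4B5A
Aug  5 00:03:46 mx1 postfix/qmgr[6868]: 0F1E2D3C4B5A: from=<>, size=10913, nrcpt=1 (queue active)
Aug  5 00:03:47 mx1 postfix/smtp[2310]: 0F1E2D3C4B5A: to=<forged@example.net>, relay=mail.example.net[192.0.2.25]:25, delay=0.24, dsn=4.4.2, status=deferred (lost connection)
Aug  5 00:12:38 mx1 postfix/smtp[2399]: 0F1E2D3C4B5A: to=<forged@example.net>, relay=mail.example.net[192.0.2.25]:25, delay=532, dsn=4.4.2, status=deferred (lost connection)
Aug  5 00:15:00 mx1 postfix/qmgr[6868]: C0FFEE123456: from=<alice@example.com>, size=512, nrcpt=1 (queue active)
Aug  5 00:15:01 mx1 postfix/smtp[2400]: C0FFEE123456: to=<bob@example.org>, relay=mx.example.org[192.0.2.80]:25, delay=0.3, dsn=2.0.0, status=sent (250 ok)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")
NDN = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")
DELIVERY = re.compile(r"to=<([^>]*)>, relay=([^,]+),.*status=(\w+)")

def find_backscatter(log_text, local_domains):
    """Return bounces this server generated and tried to send to remote domains."""
    parent = {}          # bounce queue ID -> queue ID of the message that bounced
    null_sender = set()  # queue IDs that qmgr logged with from=<>
    attempts = {}        # (queue ID, recipient) -> [relay, last status, tries]
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "bounce" and (b := NDN.search(rest)):
            parent[b.group(1)] = qid
        elif daemon == "qmgr" and rest.startswith("from=<>"):
            null_sender.add(qid)
        elif daemon == "smtp" and (d := DELIVERY.search(rest)):
            rcpt, relay, status = d.groups()
            tries = attempts.get((qid, rcpt), [relay, status, 0])[2] + 1
            attempts[(qid, rcpt)] = [relay, status, tries]
    findings = []
    for (qid, rcpt), (relay, status, tries) in attempts.items():
        domain = rcpt.rpartition("@")[2].lower()
        # Backscatter candidate: locally generated bounce leaving for a remote domain.
        if qid in null_sender and qid in parent and domain not in local_domains:
            findings.append({"bounce_qid": qid, "original_qid": parent[qid],
                             "rcpt": rcpt, "relay": relay,
                             "last_status": status, "attempts": tries})
    return findings

if __name__ == "__main__":
    for f in find_backscatter(SAMPLE_LOG, {"example.com"}):
        print(f)
```

Each finding links the outbound bounce back to the queue ID of the message that was accepted and then bounced, which is the entry to inspect when working out why the server accepted mail it could not deliver.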