SMTP relay?
Dalibor Straka
dast at panelnet.cz
Monday January 7 13:06:54 CET 2008
Good afternoon,
On Mon, Jan 07, 2008 at 08:57:07AM +0100, Czechtony wrote:
> Hi,
> the address of one of my servers has ended up on Spamhaus :-(
> I tried the relay test from abuse and according to it I'm fine,
> unfortunately mail like the following occasionally shows up in my queue:
>
1. Are you acting as an SMTP gateway for someone? -> track down the offender
2. Does the machine do NAT for someone? -> maybe they are sending spam through it
>
> Jan 7 08:15:05 gate postfix/smtpd[5882]: connect from 136-124-223-201.adsl.terra.cl[201.223.124.136]
> Jan 7 08:15:07 gate postfix/smtpd[5882]: D87DBC1F7: client=136-124-223-201.adsl.terra.cl[201.223.124.136]
> Jan 7 08:15:12 gate postfix/cleanup[5890]: D87DBC1F7: message-id=<4d49701c850fd$05a05240$0201a8c0 at francisc4l24p3>
> Jan 7 08:15:12 gate postfix/qmgr[2600]: D87DBC1F7: from=<AngelinetridiagonalGoldman at engadgethd.com>, size=3164, nrcpt=2 (queue active)
> Jan 7 08:15:12 gate amavis[6433]: (XX97PKKv) AM.CL /var/spool/amavis/amavis-XX97PKKv: <AngelinetridiagonalGoldman at engadgethd.com> -> <gtczechtony at strojvimp.cz>,<halada at strojvimp.cz>
> Jan 7 08:15:12 gate amavis[6433]: (XX97PKKv) Checking: <AngelinetridiagonalGoldman at engadgethd.com> -> <gtczechtony at strojvimp.cz>,<halada at strojvimp.cz>
> Jan 7 08:15:12 gate amavis[6433]: (XX97PKKv) spam_scan: hits=7.407 tests=DATE_IN_PAST_06_12,FORGED_MUA_OUTLOOK,HTML_40_50,HTML_FONT_FACE_ODD,HTML_MESSAGE,NO_STRINGS,OFFERS_ETC
> Jan 7 08:15:12 gate amavis[6433]: (XX97PKKv) SEND via SMTP: [127.0.0.1:10025] <AngelinetridiagonalGoldman at engadgethd.com> -> <bordel at strojvimp.cz>
> Jan 7 08:15:12 gate postfix/smtpd[6865]: connect from localhost.localdomain[127.0.0.1]
> Jan 7 08:15:12 gate postfix/smtpd[6865]: B03BAD691: client=localhost.localdomain[127.0.0.1]
> Jan 7 08:15:12 gate postfix/cleanup[5889]: B03BAD691: message-id=<4d49701c850fd$05a05240$0201a8c0 at francisc4l24p3>
> Jan 7 08:15:12 gate postfix/qmgr[2600]: B03BAD691: from=<AngelinetridiagonalGoldman at engadgethd.com>, size=3765, nrcpt=1 (queue active)
> Jan 7 08:15:12 gate postfix/smtpd[6865]: disconnect from localhost.localdomain[127.0.0.1]
> Jan 7 08:15:12 gate amavis[6433]: (XX97PKKv) SPAM, <AngelinetridiagonalGoldman at engadgethd.com> -> <gtczechtony at strojvimp.cz>,<halada at strojvimp.cz>, Yes, hits=7.4 tag1=2.9 tag2=3.7 kill=3.7 tests=DATE_IN_PAST_06_12, FORGED_MUA_OUTLOOK, HTML_40_50, HTML_FONT_FACE_ODD, HTML_MESSAGE, NO_STRINGS, OFFERS_ETC, quarantine spam-138173aefcfa1854fc2957fc88b32882-20080107-081512-XX97PKKv (bordel@strojvimp.cz)
> Jan 7 08:15:12 gate amavis[6433]: (XX97PKKv) Not-Delivered, <AngelinetridiagonalGoldman at engadgethd.com> -> <gtczechtony at strojvimp.cz>,<halada at strojvimp.cz>, quarantine spam-138173aefcfa1854fc2957fc88b32882-20080107-081512-XX97PKKv, Message-ID: <4d49701c850fd$05a05240$0201a8c0 at francisc4l24p3>, Hits: 7.407
>
The log above is completely beside the point, because some zombie
136-124-223-201.adsl.terra.cl[201.223.124.136] connected, sent spam, amavis
dropped it, and so on.... It was sending to the correct domain strojvimp.cz, so
there is nothing to fault there. Certainly not an open relay.
> Jan 7 08:15:12 gate postfix/pipe[5978]: D87DBC1F7: to=<gtczechtony at strojvimp.cz>, relay=vscan, delay=5, status=bounced (service unavailable)
>
Here vscan is somehow not working.
> Jan 7 08:15:13 gate postfix/cleanup[5891]: 06C96D691: message-id=<20080107071513.06C96D691 at vimperk006.ceskynet.cz>
> Jan 7 08:15:13 gate postfix/qmgr[2600]: 06C96D691: from=<>, size=4969, nrcpt=1 (queue active)
> Jan 7 08:15:13 gate postfix/smtpd[5882]: disconnect from 136-124-223-201.adsl.terra.cl[201.223.124.136]
> Jan 7 08:15:13 gate postfix/smtp[6886]: connect to mail.weblogsinc.com[206.252.131.157]: Connection refused (port 25)
> Jan 7 08:15:13 gate postfix/smtp[6886]: 06C96D691: to=<AngelinetridiagonalGoldman at engadgethd.com>, relay=none, delay=0, status=deferred (connect to mail.weblogsinc.com[206.252.131.157]: Connection refused)
Here it looks to me like the server is trying to deliver the notice about the
discarded spam, from=<> to <AngelinetridiagonalGoldman at engadgethd.com>. If I'm
not mistaken, rap yourself over the knuckles with a little stick ;-).
-- Dalibor Straka
More information about the Linux mailing list
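The pattern Dalibor points at in the second log excerpt (a message accepted from an outside client, bounced after it was already queued, then a null-sender DSN heading back to the forged envelope sender) is backscatter, which is a common reason for a host to end up on a blocklist. The following Python correlator is an added example for this thread, not code from the original post, Postfix or amavis. It parses constructed Postfix log lines modelled on the quoted ones (the queue IDs from the thread plus two invented, locally submitted messages, one of which bounces legitimately), links each from=<> message to the earlier message whose sender it is going back to, and flags only the DSNs whose original came from an untrusted client. The trusted network list and the sample lines are assumptions.

```python
"""Flag backscatter in Postfix logs: a null-sender DSN (from=<>) that is
going back to the envelope sender of a message we first accepted from an
untrusted client and only then failed (status=bounced).

Added example for the thread; not code from the original post, Postfix or
amavis. The sample log lines are constructed, modelled on the quoted ones.
"""
import ipaddress
import re

# Constructed sample (assumption): the quoted D87DBC1F7 / 06C96D691 lines
# rejoined with "@" restored, plus two invented locally submitted messages.
# 22222BBBB bounces legitimately, so its DSN 33333CCCC must NOT be flagged.
SAMPLE_LOG = """\
Jan  7 08:15:07 gate postfix/smtpd[5882]: D87DBC1F7: client=136-124-223-201.adsl.terra.cl[201.223.124.136]
Jan  7 08:15:12 gate postfix/qmgr[2600]: D87DBC1F7: from=<AngelinetridiagonalGoldman@engadgethd.com>, size=3164, nrcpt=2 (queue active)
Jan  7 08:15:12 gate postfix/pipe[5978]: D87DBC1F7: to=<gtczechtony@strojvimp.cz>, relay=vscan, delay=5, status=bounced (service unavailable)
Jan  7 08:15:13 gate postfix/qmgr[2600]: 06C96D691: from=<>, size=4969, nrcpt=1 (queue active)
Jan  7 08:15:13 gate postfix/smtp[6886]: 06C96D691: to=<AngelinetridiagonalGoldman@engadgethd.com>, relay=none, delay=0, status=deferred (connect to mail.weblogsinc.com[206.252.131.157]: Connection refused)
Jan  7 08:20:01 gate postfix/smtpd[5900]: 11111AAAA: client=localhost.localdomain[127.0.0.1]
Jan  7 08:20:01 gate postfix/qmgr[2600]: 11111AAAA: from=<alice@strojvimp.cz>, size=1200, nrcpt=1 (queue active)
Jan  7 08:20:02 gate postfix/smtp[6890]: 11111AAAA: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1, status=sent (250 ok)
Jan  7 08:25:00 gate postfix/smtpd[5910]: 22222BBBB: client=localhost.localdomain[127.0.0.1]
Jan  7 08:25:00 gate postfix/qmgr[2600]: 22222BBBB: from=<alice@strojvimp.cz>, size=900, nrcpt=1 (queue active)
Jan  7 08:25:01 gate postfix/smtp[6891]: 22222BBBB: to=<nobody@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1, status=bounced (host mx.example.org said: 550 no such user)
Jan  7 08:25:01 gate postfix/qmgr[2600]: 33333CCCC: from=<>, size=2100, nrcpt=1 (queue active)
Jan  7 08:25:01 gate postfix/local[6892]: 33333CCCC: to=<alice@strojvimp.cz>, relay=local, delay=0, status=sent (delivered to mailbox)
"""

# The quoted log uses short (uppercase hex) Postfix queue IDs.
QID = r"(?P<qid>[0-9A-F]+)"
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: " + QID + r": from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"postfix/\w+\[\d+\]: " + QID + r": to=<(?P<rcpt>[^>]*)>,.*status=(?P<status>\w+)")


def parse_postfix(log_text):
    """Group smtpd client, qmgr sender and per-recipient delivery status by queue ID."""
    msgs = {}

    def entry(qid):
        return msgs.setdefault(qid, {"client_ip": None, "sender": None, "deliveries": []})

    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            entry(m["qid"])["client_ip"] = m["ip"]
            continue
        m = FROM_RE.search(line)
        if m:
            entry(m["qid"])["sender"] = m["sender"]  # "" means the null sender (a DSN)
            continue
        m = TO_RE.search(line)
        if m:
            entry(m["qid"])["deliveries"].append((m["rcpt"], m["status"]))
    return msgs


def is_trusted(ip, nets):
    """Locally generated mail (no smtpd client line, e.g. bounces) counts as trusted."""
    if ip is None:
        return True
    return any(ipaddress.ip_address(ip) in net for net in nets)


def find_backscatter(log_text, trusted_nets=("127.0.0.0/8",)):
    """One finding per null-sender DSN whose recipient is the envelope sender of a
    message that was accepted from an untrusted client and bounced after queueing."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    msgs = parse_postfix(log_text)

    # Step 1: messages we took from outside and then failed to deliver.
    bounced_external = {}
    for qid, m in msgs.items():
        if is_trusted(m["client_ip"], nets):
            continue
        if any(status == "bounced" for _, status in m["deliveries"]):
            bounced_external.setdefault(m["sender"], []).append(qid)

    # Step 2: DSNs (from=<>) going back to one of those, probably forged, senders.
    findings, seen = [], set()
    for qid, m in msgs.items():
        if m["sender"] != "":
            continue
        for rcpt, status in m["deliveries"]:
            if rcpt in bounced_external and (qid, rcpt) not in seen:
                seen.add((qid, rcpt))
                findings.append({"dsn": qid, "to": rcpt,
                                 "original": bounced_external[rcpt],
                                 "dsn_status": status})
    return findings


if __name__ == "__main__":
    for f in find_backscatter(SAMPLE_LOG):
        print(f"backscatter: DSN {f['dsn']} -> {f['to']} (for {', '.join(f['original'])}), now {f['dsn_status']}")
```

On a real system the postfix/bounce daemon also logs a "sender non-delivery notification: <queue id>" line that ties a DSN directly to the message it was generated for; the correlator above matches on the sender address instead because the excerpt in the thread does not include that line. Any hit from an untrusted client is mail that should have been rejected during the SMTP session rather than accepted and bounced afterwards.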