From: D. Walsh (no email)
Date: Sun May 15 2005 - 13:20:45 EDT
On May 15, 2005, at 12:44 PM, Kevin Pang wrote:
> "Robin Lynn Frank" wrote:
>
>> There is a known exploit of all but the most recent Awstats that can
>> produce exactly this type of problem. There was a thread on this
>> list
>> several months ago. Check the archives.
>>
>
> Unfortunately I can't find any threads related to the Awstats exploit. I
> didn't know Awstats could also be used as a mail log analyzer; I use it
> for apache logs only.
>
> The spam email entry in the log file looks like:
> May 14 14:55:03 pang postfix/smtp[46011]: EC0C595C90:
> to=<>,
> relay=mail2.iecc.com[208.31.42.98], delay=724, status=sent (250 ok
> 1116100192 qp 2255)
You don't provide enough log information, and you should enable
verbose logging in postfix (master.cf):
smtp inet n - n - - smtpd -v
> What kind of information can I get from it? It would be great if I
> could find which script the spammer used; then I could remove it and
> start my mail server again. Also, I'd probably find out how the
> spammer achieved it.
From one line, not very much. From the logs you would see something
like the following (partial), which contains a wealth of information.
May 15 12:40:55 dellc postfix/smtpd[15835]: name_mask: host
May 15 12:40:55 dellc postfix/smtpd[15835]: mynetworks: 127.0.0.1/32
10.1.100.11/32 10.1.100.20/32 10.1.100.21/32
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string: mynetworks
~? debug_peer_list
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string: mynetworks
~? fast_flush_domains
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string: mynetworks
~? mynetworks
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
relay_domains ~? debug_peer_list
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
relay_domains ~? fast_flush_domains
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
relay_domains ~? mynetworks
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
relay_domains ~? permit_mx_backup_networks
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
relay_domains ~? qmqpd_authorized_clients
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
relay_domains ~? relay_domains
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
permit_mx_backup_networks ~? debug_peer_list
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
permit_mx_backup_networks ~? fast_flush_domains
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
permit_mx_backup_networks ~? mynetworks
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
permit_mx_backup_networks ~? permit_mx_backup_networks
May 15 12:40:55 dellc postfix/smtpd[15835]: dict_open:
unix:passwd.byname
May 15 12:40:55 dellc postfix/smtpd[15835]: dict_open: hash:/etc/
postfix/aliases
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_alias_maps.cf: user = postfix
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_alias_maps.cf: password = postfix
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_alias_maps.cf: dbname = postfix
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_alias_maps.cf: table = alias
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_alias_maps.cf: select_field = goto
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_alias_maps.cf: where_field = address
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_alias_maps.cf: additional_conditions =
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_alias_maps.cf: hosts = localhost
May 15 12:40:55 dellc postfix/smtpd[15835]: mysqlname_parse: /etc/
postfix/mysql_virtual_alias_maps.cf: adding host 'localhost' to list
of mysql server hosts
May 15 12:40:55 dellc postfix/smtpd[15835]: dict_open: mysql:/etc/
postfix/mysql_virtual_alias_maps.cf
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_mailbox_maps.cf: user = postfix
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_mailbox_maps.cf: password = postfix
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_mailbox_maps.cf: dbname = postfix
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_mailbox_maps.cf: table = mailbox
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_mailbox_maps.cf: select_field = maildir
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_mailbox_maps.cf: where_field = username
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_mailbox_maps.cf: additional_conditions = and active = '1'
May 15 12:40:55 dellc postfix/smtpd[15835]: cfg_get_str: /etc/postfix/
mysql_virtual_mailbox_maps.cf: hosts = localhost
May 15 12:40:55 dellc postfix/smtpd[15835]: mysqlname_parse: /etc/
postfix/mysql_virtual_mailbox_maps.cf: adding host 'localhost' to
list of mysql server hosts
May 15 12:40:55 dellc postfix/smtpd[15835]: dict_open: mysql:/etc/
postfix/mysql_virtual_mailbox_maps.cf
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
smtpd_access_maps ~? debug_peer_list
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
smtpd_access_maps ~? fast_flush_domains
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
smtpd_access_maps ~? mynetworks
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
smtpd_access_maps ~? permit_mx_backup_networks
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
smtpd_access_maps ~? qmqpd_authorized_clients
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
smtpd_access_maps ~? relay_domains
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
smtpd_access_maps ~? smtpd_access_maps
May 15 12:40:55 dellc postfix/smtpd[15835]: name_mask: login
May 15 12:40:55 dellc postfix/smtpd[15835]: name_mask: plain
May 15 12:40:55 dellc postfix/smtpd[15835]: smtpd_sasl_initialize:
SASL config file is smtpd.conf
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
fast_flush_domains ~? debug_peer_list
May 15 12:40:55 dellc postfix/smtpd[15835]: match_string:
fast_flush_domains ~? fast_flush_domains
May 15 12:40:55 dellc postfix/smtpd[15835]: watchdog_create:
0x130a6a8 18000
May 15 12:40:55 dellc postfix/smtpd[15835]: watchdog_stop: 0x130a6a8
May 15 12:40:55 dellc postfix/smtpd[15835]: watchdog_start: 0x130a6a8
May 15 12:40:55 dellc postfix/smtpd[15835]: connection established
May 15 12:40:55 dellc postfix/smtpd[15835]: master_notify: status 0
May 15 12:40:55 dellc postfix/smtpd[15835]: name_mask: resource
May 15 12:40:55 dellc postfix/smtpd[15835]: name_mask: software
May 15 12:40:55 dellc postfix/smtpd[15835]: connect from russian-
caravan.cloud9.net[168.100.1.4]
May 15 12:40:55 dellc postfix/smtpd[15835]: match_list_match: russian-
caravan.cloud9.net: no match
May 15 12:40:55 dellc postfix/smtpd[15835]: match_list_match:
168.100.1.4: no match
May 15 12:40:55 dellc postfix/smtpd[15835]: match_list_match: russian-
caravan.cloud9.net: no match
May 15 12:40:55 dellc postfix/smtpd[15835]: match_list_match:
168.100.1.4: no match
May 15 12:40:55 dellc postfix/smtpd[15835]: > russian-
caravan.cloud9.net[168.100.1.4]: 220 daleenterprise.com ESMTP Postfix
May 15 12:40:55 dellc postfix/smtpd[15835]: watchdog_pat: 0x130a6a8
May 15 12:40:55 dellc postfix/smtpd[15835]: < russian-
caravan.cloud9.net[168.100.1.4]: EHLO russian-caravan.cloud9.net
May 15 12:40:55 dellc postfix/smtpd[15835]: > russian-
caravan.cloud9.net[168.100.1.4]: 250-daleenterprise.com
May 15 12:40:55 dellc postfix/smtpd[15835]: > russian-
caravan.cloud9.net[168.100.1.4]: 250-PIPELINING
May 15 12:40:55 dellc postfix/smtpd[15835]: > russian-
caravan.cloud9.net[168.100.1.4]: 250-SIZE 10240000
May 15 12:40:55 dellc postfix/smtpd[15835]: > russian-
caravan.cloud9.net[168.100.1.4]: 250-VRFY
May 15 12:40:55 dellc postfix/smtpd[15835]: > russian-
caravan.cloud9.net[168.100.1.4]: 250-ETRN
May 15 12:40:55 dellc postfix/smtpd[15835]: > russian-
caravan.cloud9.net[168.100.1.4]: 250-AUTH LOGIN PLAIN
May 15 12:40:55 dellc postfix/smtpd[15835]: match_list_match: russian-
caravan.cloud9.net: no match
May 15 12:40:55 dellc postfix/smtpd[15835]: match_list_match:
168.100.1.4: no match
May 15 12:40:55 dellc postfix/smtpd[15835]: > russian-
caravan.cloud9.net[168.100.1.4]: 250 8BITMIME
May 15 12:40:55 dellc postfix/smtpd[15835]: watchdog_pat: 0x130a6a8
May 15 12:40:55 dellc postfix/smtpd[15835]: < russian-
caravan.cloud9.net[168.100.1.4]: MAIL FROM:<owner-postfix-
> SIZE=3031
May 15 12:40:55 dellc postfix/smtpd[15835]: extract_addr: input:
<>
May 15 12:40:55 dellc postfix/smtpd[15835]: smtpd_check_addr:
addr=
May 15 12:40:55 dellc postfix/smtpd[15835]: connect to subsystem
private/rewrite
May 15 12:40:55 dellc postfix/smtpd[15835]: send attr request = rewrite
May 15 12:40:55 dellc postfix/smtpd[15835]: send attr rule =
canonicalize
May 15 12:40:55 dellc postfix/smtpd[15835]: send attr address = owner-
May 15 12:40:55 dellc postfix/smtpd[15835]: private/rewrite socket:
wanted attribute: address
May 15 12:40:55 dellc postfix/smtpd[15835]: input attribute name:
address
May 15 12:40:55 dellc postfix/smtpd[15835]: input attribute value:
May 15 12:40:55 dellc postfix/smtpd[15835]: private/rewrite socket:
wanted attribute: (list terminator)
May 15 12:40:55 dellc postfix/smtpd[15835]: input attribute name: (end)
>
> David Cary Hart Wrote:
>
>> As an aside, your IPa(s) are now probably listed in one or more RBLs
>> (block lists). You'll need to review this and request removal
>> AFTER you
>> are sure that the problem is solved.
>>
> Thanks for the reminder. I will do it after I fix the problem.
>
> Kevin
-- Dale
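Added example (not code from anyone in this thread): a small Python parser that turns the two kinds of Postfix log lines discussed above, the `postfix/smtp` delivery-status line Kevin quoted and the `smtpd -v` session lines Dale pasted, into the counters a responder checks first when a box is found relaying spam. It also handles `postfix/pickup` lines, which the thread does not show: Postfix logs mail submitted locally through sendmail(1) with a `uid=` field, so counting pickups per uid points at the account (for a compromised web script, the web server's user) that is injecting the mail. All log lines, hostnames, addresses and uids below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample mail.log (not from the original thread). It mixes the line
# kinds a Postfix log carries: pickup lines for locally submitted mail (uid= is
# the submitting Unix user), smtp delivery-status lines like the one quoted in
# the thread, and smtpd session lines as produced by "smtpd -v" in master.cf.
SAMPLE_LOG = """\
May 14 14:50:01 pang postfix/pickup[46002]: A1B2C3D4E5: uid=80 from=<www>
May 14 14:50:01 pang postfix/pickup[46002]: A1B2C3D4E6: uid=80 from=<www>
May 14 14:50:02 pang postfix/pickup[46002]: A1B2C3D4E7: uid=80 from=<www>
May 14 14:50:03 pang postfix/pickup[46002]: A1B2C3D4E8: uid=1001 from=<kevin>
May 14 14:55:03 pang postfix/smtp[46011]: A1B2C3D4E5: to=<victim1@example.net>, relay=mx.example.net[192.0.2.10], delay=724, status=sent (250 ok)
May 14 14:55:04 pang postfix/smtp[46011]: A1B2C3D4E6: to=<victim2@example.net>, relay=mx.example.net[192.0.2.10], delay=725, status=sent (250 ok)
May 14 14:55:05 pang postfix/smtp[46012]: A1B2C3D4E7: to=<nobody@example.org>, relay=none, delay=0.5, status=bounced (Host or domain name not found)
May 14 14:55:06 pang postfix/smtp[46012]: A1B2C3D4E8: to=<friend@example.com>, relay=mx.example.com[198.51.100.7], delay=1.2, status=sent (250 ok)
May 15 12:40:55 pang postfix/smtpd[15835]: connect from client.example.net[203.0.113.5]
May 15 12:40:55 pang postfix/smtpd[15835]: < client.example.net[203.0.113.5]: EHLO client.example.net
May 15 12:40:55 pang postfix/smtpd[15835]: < client.example.net[203.0.113.5]: MAIL FROM:<someone@example.net> SIZE=3031
May 15 12:40:55 pang postfix/smtpd[15835]: < client.example.net[203.0.113.5]: RCPT TO:<kevin@pang.example>
May 15 12:40:56 pang postfix/smtpd[15835]: disconnect from client.example.net[203.0.113.5]
"""

# syslog prefix: "Mon DD HH:MM:SS host postfix/program[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
PICKUP_RE = re.compile(r'^(?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>')
DELIVERY_RE = re.compile(
    r'^(?P<qid>[0-9A-Za-z]+): to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+),'
    r'.*?status=(?P<status>\w+)'
)
# "< host[ip]: COMMAND" is what the remote client sent, as logged by smtpd -v.
SMTPD_IN_RE = re.compile(r'^< (?P<name>[^\s\[]+)\[(?P<ip>[^\]]+)\]: (?P<cmd>.*)$')


def parse_line(line):
    """Split one syslog line into timestamp, host, postfix program, pid and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate a Postfix log into the counters an incident responder checks first."""
    submissions_by_uid = Counter()    # local injections: which Unix user submitted mail
    queue_origin = {}                 # queue id -> submitting uid, to join with deliveries
    deliveries_by_status = Counter()  # sent / bounced / deferred
    deliveries_by_uid = Counter()     # outbound deliveries attributed to the submitter
    relays = Counter()                # where the mail was handed off
    mail_from_by_client = Counter()   # MAIL FROM count per remote SMTP client IP

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        prog, msg = rec['prog'], rec['msg']
        if prog == 'pickup':
            m = PICKUP_RE.match(msg)
            if m:
                uid = int(m['uid'])
                submissions_by_uid[uid] += 1
                queue_origin[m['qid']] = uid
        elif prog == 'smtp':
            m = DELIVERY_RE.match(msg)
            if m:
                deliveries_by_status[m['status']] += 1
                relays[m['relay']] += 1
                if m['qid'] in queue_origin:
                    deliveries_by_uid[queue_origin[m['qid']]] += 1
        elif prog == 'smtpd':
            m = SMTPD_IN_RE.match(msg)
            if m and m['cmd'].upper().startswith('MAIL FROM:'):
                mail_from_by_client[m['ip']] += 1

    return {
        'submissions_by_uid': dict(submissions_by_uid),
        'deliveries_by_status': dict(deliveries_by_status),
        'deliveries_by_uid': dict(deliveries_by_uid),
        'relays': dict(relays),
        'mail_from_by_client': dict(mail_from_by_client),
    }


def busiest_local_submitter(summary):
    """Return (uid, count) for the local account that injected the most mail, or None."""
    subs = summary['submissions_by_uid']
    if not subs:
        return None
    uid = max(subs, key=subs.get)
    return uid, subs[uid]


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    for key, value in s.items():
        print(f'{key}: {value}')
    print('busiest local submitter (uid, count):', busiest_local_submitter(s))
```

Run it against a real `/var/log/mail.log` by passing the file contents to `summarize()`. In the constructed sample the uid 80 account submits three of four messages and accounts for three of four outbound deliveries, which is the pattern you would expect from a script running under the web server; on a real host, map that uid back with `getent passwd` and look at what that account was executing at the pickup timestamps.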