On Sun, Jan 7, 2018 at 9:33 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2018-01-08 00:48, Greg Freemyer wrote:
All,
I have a VM on the internet that for the last day or so has been sending out tens of thousands of malicious emails.
Oh my :-(
openSUSE 42.2
Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever use it. Almost all admin is via ssh.
Troubleshooting advice appreciated.
First, all the malicious emails have "Banco" in the content of the email, so I'm cleaning up all the deferred emails that are now accumulating via:
cd /var/spool/postfix/deferred
grep -l Banco */* | sed -r 's/^.{2}//' | postsuper -d -
I've deleted about 100,000 emails total by running the above a few times over the last day.
Goodness! :-/
No massive emails sent in the last 12 hours.
But additional emails show up within several hours. (I'm not checking every hour or more.)
The contents of /etc/postfix/relay are:

# for relaying domain
# domain.de OK
IAC-Forensics.com OK
That means, I think, that you accept email from them, to relay them to the outside. Could they fake it? Maybe you need smtp auth.
It should show up in the headers, right. I didn't see that. I've deleted all the malicious emails, so I don't have any to look at until more appear.
http://www.postfix.org/SMTPD_ACCESS_README.html
I do not find an authoritative doc for that file. I'm googling for:
"postfix/relay" site:www.postfix.org
but I think you need to set up the "relay_ccerts" file. It says:

# See /usr/share/doc/packages/postfix/samples/sample-tls.cf
# for more details
But I can't find that file either. I have a copy of it dated 2006!
You could look at greylisting.
So, I think I only relay emails for that domain, but the malicious emails are not to or from that domain.
Hum.
Exactly
FYI: The server has been RBL Blacklisted. It's a minor issue that I assume will clear up in a day or two. In the meantime, I can ignore the problem. This server originates very little email.
Well, I would start by looking at some of the mail headers for clues, and at the mail log, to try to find out how they are entering, and where from, and perhaps guess what loophole they use.
Then I would look in detail at the entire /etc/postfix/ config files.
Feel free to email that info to me off list if you wish. I can not guarantee success, but I can try.
I sent you a copy of the /etc/postfix directory. More in my reply to Per. (soon to be written). Greg
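The two steps discussed in this thread, cleaning the deferred queue of messages matching a string and checking the mail log for where the mail is being injected, as an added POSIX shell example that is not part of the thread and not openSUSE's or Postfix's own code. It assumes a hashed queue layout (DIR/<hash>/<QUEUEID>, as the sed in the thread also assumes) and builds its own constructed fixtures: plain-text stand-ins for queue files (real queue files are in Postfix's own record format, but grep -l reports a match in them just the same) and a few constructed mail.log lines with an invented host "vm" and documentation IP addresses. The queue IDs are produced with basename rather than by stripping two characters, so the helper works with any directory path.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side helpers:
#   queue_ids_matching  - the queue-cleanup step from the thread, emitting
#                         queue IDs one per line for 'postsuper -d -'
#   summarize_field     - tally postfix/smtpd log lines by client= or
#                         sasl_username= to see where mail is being injected
# Everything under $WORK is constructed sample data.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
QDIR="$WORK/deferred"
LOG="$WORK/mail.log"

# --- constructed fixtures: a fake hashed queue and a fake mail log ---------
mkdir -p "$QDIR/3" "$QDIR/5" "$QDIR/A"
printf 'Subject: Banco aviso\n\nclick here\n'   > "$QDIR/3/3A1B2C3D4E"
printf 'Subject: Banco urgente\n\n...\n'         > "$QDIR/5/5F6A7B8C9D"
printf 'Subject: weekly report\n\nhello\n'       > "$QDIR/A/A0B1C2D3E4"
cat > "$LOG" <<'EOF'
Jan  8 00:12:01 vm postfix/smtpd[1234]: 3A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice
Jan  8 00:12:02 vm postfix/smtpd[1234]: 5F6A7B8C9D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice
Jan  8 00:13:07 vm postfix/smtpd[1240]: A0B1C2D3E4: client=mail.example.net[198.51.100.7]
Jan  8 00:14:00 vm postfix/qmgr[999]: 3A1B2C3D4E: from=<x@example.org>, size=1200, nrcpt=1 (queue active)
EOF

# List the queue IDs of files under DIR/<hash>/ whose content matches PATTERN.
# grep -l prints matching file names (also for binary files); basename turns
# "<dir>/<hash>/<ID>" into "<ID>". Output is one ID per line.
queue_ids_matching() {
    dir=$1; pattern=$2
    grep -ls -- "$pattern" "$dir"/*/* 2>/dev/null | while IFS= read -r f; do
        basename "$f"
    done
}

# Count smtpd connections per value of FIELD ("client" or "sasl_username"),
# most frequent first, as "<count> <value>". Lines without FIELD are skipped.
summarize_field() {
    log=$1; field=$2
    grep 'postfix/smtpd\[' "$log" \
      | sed -n "s/.*${field}=\([^,]*\).*/\1/p" \
      | sort | uniq -c | sort -rn
}

echo "Queue IDs matching 'Banco' (inspect one first with: postcat -q <ID>):"
queue_ids_matching "$QDIR" Banco
echo "Injecting clients:"
summarize_field "$LOG" client
echo "SASL users:"
summarize_field "$LOG" sasl_username
# Against the real queue the cleanup from the thread becomes:
#   queue_ids_matching /var/spool/postfix/deferred Banco | postsuper -d -
```

The summary answers the question raised in the thread about whether the relay is being abused or credentials are: many messages from one client= with no sasl_username points at an open-relay or trust problem, while a single sasl_username= behind the flood points at a compromised account. Keeping one sample message (postcat -q) before running postsuper -d gives you the headers to confirm which it is.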