SPAM being sent from my domain

Felipe Leira
camun

(uses Ubuntu)

Posted on 03/12/2019 - 16:00h

Dear all, I have a mail server with postfix, dovecot, amavis, spamassassin, saslauthd and clamd, all running perfectly, but yesterday I was hacked and my server sent mail from users that no longer exist with @meudominio.com.br. Does anyone know what it could be? I don't understand, because the relay is closed and even so I can't get this guy off my server.
Look at the log below: this user ubsghpbtz@meudominio.com.br does not exist on my server, and there is configuration in place to prevent users that don't exist from sending mail.

Log follows:
Dec 3 15:51:56 mail postfix/smtpd[2530]: Anonymous TLS connection established from rtrom.datem.abc.br[107.150.57.46]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Dec 3 15:51:56 mail postfix/smtpd[2619]: connect from hwsrv-643173.hostwindsdns.com[142.11.242.245]
Dec 3 15:51:57 mail postfix/smtpd[2616]: connect from hwsrv-643173.hostwindsdns.com[142.11.242.245]
Dec 3 15:51:57 mail postfix/smtpd[2530]: disconnect from rtrom.datem.abc.br[107.150.57.46]
Dec 3 15:51:57 mail postfix/smtpd[2619]: 6BF2D6BC0092: client=hwsrv-643173.hostwindsdns.com[142.11.242.245]
Dec 3 15:51:57 mail postfix/smtpd[2619]: 6BF2D6BC0092: reject: RCPT from hwsrv-643173.hostwindsdns.com[142.11.242.245]: 554 5.7.1 <queriam@uol.com.br>: Relay access denied; from=<ubsghpbtz@meudominio.com.br> to=<queriam@uol.com.br> proto=ESMTP helo=<mail.meudominio.com.br>
Dec 3 15:51:57 mail postfix/smtpd[2618]: connect from unknown[46.38.144.57]
Dec 3 15:51:58 mail postfix/cleanup[2014]: 6BF2D6BC0092: message-id=<>
Dec 3 15:51:58 mail postfix/qmgr[27425]: 6BF2D6BC0092: from=<ubsghpbtz@meudominio.com.br>, size=2167, nrcpt=1 (queue active)
Dec 3 15:51:58 mail postfix/smtpd[2762]: connect from localhost[127.0.0.1]
Dec 3 15:51:58 mail postfix/smtpd[2762]: 21E156BC0093: client=localhost[127.0.0.1]
Dec 3 15:51:58 mail postfix/cleanup[2015]: 21E156BC0093: message-id=<20191203175158.21E156BC0093@meudominio.com.br>
Dec 3 15:51:58 mail postfix/smtpd[2762]: disconnect from localhost[127.0.0.1]
Dec 3 15:51:58 mail postfix/qmgr[27425]: 21E156BC0093: from=<ubsghpbtz@meudominio.com.br>, size=2898, nrcpt=1 (queue active)
Dec 3 15:51:58 mail amavis[2399]: (02399-12) Passed CLEAN, [142.11.242.245] [142.11.242.245] <ubsghpbtz@meudominio.com.br> -> <queriam@terra.com.br>, mail_id: 5FKaOYtDZrcR, Hits: 6.197, size: 2167, queued_as: 21E156BC0093, 104 ms
Dec 3 15:51:58 mail postfix/smtp[2099]: 6BF2D6BC0092: to=<queriam@terra.com.br>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.91, delays=0.81/0/0/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=02399-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 21E156BC0093)

Dec 3 15:51:58 mail postfix/qmgr[27425]: 6BF2D6BC0092: removed
Dec 3 15:51:58 mail postfix/smtpd[2616]: NOQUEUE: reject: RCPT from hwsrv-643173.hostwindsdns.com[142.11.242.245]: 554 5.7.1 <quasetudo@hotmail.com>: Relay access denied; from=<apyzlqsx@meudominio.com.br> to=<quasetudo@hotmail.com> proto=ESMTP helo=<mail.meudominio.com.br>
Here is the log showing that there is a block for unknown users, but it still sent anyway:
Dec 3 00:13:51 mail postfix/smtpd[14347]: connect from hwsrv-643173.hostwindsdns.com[142.11.242.245]
Dec 3 00:13:51 mail postfix/smtpd[14289]: 9F5676BC0091: reject: RCPT from hwsrv-643173.hostwindsdns.com[142.11.242.245]: 554 5.7.1 <idesc@uol.com.br>: Relay access denied; from=<mkeqf@sotrel.com.br> to=<idesc@uol.com.br> proto=ESMTP helo=<mail.sotrel.com.br>
Dec 3 00:13:52 mail postfix/smtpd[14288]: connect from hwsrv-643173.hostwindsdns.com[142.11.242.245]
Dec 3 00:13:52 mail postfix/cleanup[14353]: 9F5676BC0091: message-id=<>
Dec 3 00:13:52 mail postfix/qmgr[7293]: 9F5676BC0091: from=<mkeqf@sotrel.com.br>, size=2165, nrcpt=1 (queue active)
Dec 3 00:13:52 mail postfix/smtpd[14357]: initializing the server-side TLS engine
Dec 3 00:13:52 mail postfix/smtpd[14357]: connect from localhost[127.0.0.1]
Dec 3 00:13:52 mail postfix/smtpd[14357]: 5F28A6BC0092: client=localhost[127.0.0.1]
Dec 3 00:13:52 mail postfix/cleanup[14353]: 5F28A6BC0092: message-id=<20191203021352.5F28A6BC0092@sotrel.com.br>
Dec 3 00:13:52 mail postfix/smtpd[14357]: disconnect from localhost[127.0.0.1]
Dec 3 00:13:52 mail postfix/qmgr[7293]: 5F28A6BC0092: from=<mkeqf@sotrel.com.br>, size=2898, nrcpt=1 (queue active)
Dec 3 00:13:52 mail amavis[13547]: (13547-17) Passed CLEAN, [142.11.242.245] [142.11.242.245] <mkeqf@sotrel.com.br> -> <ideokebh@terra.com.br>, mail_id: 3fjeCnQqHxBT, Hits: 6.197, size: 2165, queued_as: 5F28A6BC0092, 120 ms
Dec 3 00:13:52 mail postfix/smtp[14354]: 9F5676BC0091: to=<ideokebh@terra.com.br>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.94, delays=0.81/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=13547-17, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5F28A6BC0092)
Dec 3 00:13:52 mail postfix/qmgr[7293]: 9F5676BC0091: removed
Dec 3 00:13:59 mail postfix/local[14360]: 3E59E6BC0093: to=<mkeqf@sotrel.com.br>, relay=local, delay=0.08, delays=0.03/0/0/0.04, dsn=5.1.1, status=bounced (unknown user: "mkeqf")
Here is the configuration of my main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = meudominio.com.br
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = meudominio.com.br, mail.meudominio.com.br
relayhost =
mynetworks = 192.168.5.0/24, 127.0.0.1
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 15240000

queue_run_delay = 30s
minimal_backoff_time = 900s
maximal_backoff_time = 3600s
maximal_queue_lifetime = 1h

recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain = meudominio.com.br
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 2
smtp_connect_timeout = 10s
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
inet_protocols = ipv4
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_helo_required = yes

smtpd_sender_restrictions = reject_unknown_recipient_domain,permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unauth_pipelining, check_sender_access regexp:/etc/postfix/sender-proibidos,reject_unknown_sender_domain

# Anti-spam changes
#mtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_recipient_access regexp:/etc/postfix/sender-proibidos, reject_unauth_destination, reject_rbl_client cart00ney.surriel.com, reject_rbl_client dnsbl.kempt.net, reject_rbl_client escalations.dnsbl.sorbs.net, reject_rbl_client http.dnsbl.sorbs.net, reject_rbl_client misc.dnsbl.sorbs.net, reject_rbl_client dnsbl.kempt.net, reject_rbl_client escalations.dnsbl.sorbs.net, reject_rbl_client http.dnsbl.sorbs.net, reject_rbl_client misc.dnsbl.sorbs.net, reject_rbl_client no-more-funn.moensted.dk, reject_rbl_client pss.spambusters.org.ar, reject_rbl_client recent.dnsbl.sorbs.net, reject_rbl_client mail-abuse.blacklist.jippg.org, reject_rbl_client new.dnsbl.sorbs.net, reject_rbl_client rbl.snark.net, reject_rbl_client relays.bl.kundenserver.de, reject_rbl_client rsbl.aupads.org, reject_rbl_client socks.dnsbl.sorbs.net, reject_rbl_client spamguard.leadmon.net, reject_rbl_client xbl.spamhaus.org,reject_rbl_client zen.spamhaus.org, reject_rbl_client blackholes.wirehub.net, reject_rbl_client blocked.hilli.dk, reject_rbl_client xbl.spamhaus.org, reject_rbl_client zen.spamhaus.org,reject_unknown_sender_domain
#mtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain,reject_non_fqdn_sender, reject_unauth_pipelining, check_sender_access regexp:/etc/postfix/sender-proibidos, reject_unknown_recipient_domain
#smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_client
#smtpd_helo_required = yes
# Time limit for HELO identification
smtp_helo_timeout = 600s
# More practices, changed 16112012
# Reject after the RCPT TO command
smtpd_delay_reject = yes
# Maximum number of recipients in a message
smtpd_recipient_limit = 20
# Nonexistent mailbox: return error 500 so it is not processed several times
unknown_local_recipient_reject_code = 500
# Reject unknown addresses
unknown_address_reject_code = 500
# Reject unknown hostnames
unknown_hostname_reject_code = 500
# Reject unknown clients
unknown_client_reject_code = 500
# Remote connections to the destination server
smtp_destination_concurrency_limit = 4
# Maximum simultaneous connections on our server
smtp_destination_recipient_limit = 3
# Number of 500 errors allowed before disconnecting
smtpd_hard_error_limit = 3
# Number of 400 errors allowed before disconnecting
smtpd_soft_error_limit = 3
# Number of connections allowed per minute
smtpd_client_connection_count_limit = 9
# Number of messages sent per minute
smtpd_client_message_rate_limit = 6
# Stall spammers for 30s on each error
smtpd_error_sleep_time = 30000s
# End of practices added on 16112012
# Envelope addresses enclosed in <>
strict_rfc821_envelopes = yes

#smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access hash:/etc/postfix/ip-access, reject_unknown_recipient_domain, reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
smtpd_helo_restrictions = check_helo_access regexp:/etc/postfix/helo-proibidos, permit_sasl_authenticated, permit_mynetworks, reject_unauth_pipelining,reject_non_fqdn_hostname, reject_unknown_recipient_domain
mime_header_checks=regexp:/etc/postfix/anexos
body_checks = regexp:/etc/postfix/anexos
content_filter=smtp-amavis:[127.0.0.1]:10024
bounce_notice_recipient = postmaster@meudominio.com.br
2bounce_notice_recipient = postmaster@meudominio.com.br
delay_notice_recipient = postmaster@meudominio.com.br
error_notice_recipient = postmaster@meudominio.com.br
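Added example (not from the post or from Postfix): a small Python log-correlation check for exactly what the log above shows, where the 554 "Relay access denied" applies to one RCPT TO (uol.com.br) while the same queue id 6BF2D6BC0092 is accepted for queriam@terra.com.br and handed to amavis. It joins the smtpd "client=" line (which carries sasl_username= only when the session authenticated), the qmgr "from=" line and the smtp "status=sent" line by queue id, and flags messages accepted from a client outside mynetworks, without SASL, for a recipient outside mydestination; mynetworks and mydestination are taken from the posted main.cf, and the sample lines are copied from the post.

```python
import ipaddress
import re

# Values taken from the main.cf in the post.
MYNETWORKS = [ipaddress.ip_network("192.168.5.0/24"), ipaddress.ip_network("127.0.0.1/32")]
LOCAL_DOMAINS = {"meudominio.com.br", "mail.meudominio.com.br"}

# Three Postfix log shapes: smtpd "client=" (carries sasl_username= when the session
# authenticated), qmgr "from=" and smtp "status=sent"; the queue id joins them.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S*?\[(?P<ip>[^\]]+)\](?P<rest>.*)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, .*status=sent")

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)

def find_relayed(lines):
    """Messages accepted from an untrusted, unauthenticated client for a non-local recipient."""
    clients, senders, findings = {}, {}, []
    for line in lines:
        if m := CLIENT_RE.search(line):
            clients[m["qid"]] = (m["ip"], "sasl_username=" in m["rest"])
        elif m := FROM_RE.search(line):
            senders[m["qid"]] = m["sender"]
        elif m := SENT_RE.search(line):
            ip, authed = clients.get(m["qid"], (None, False))
            if ip is None or authed or is_trusted(ip):
                continue  # re-injected by amavis (localhost), authenticated or trusted client
            if m["rcpt"].rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
                continue  # inbound mail for our own domain is legitimate
            findings.append({"qid": m["qid"], "client_ip": ip,
                             "sender": senders.get(m["qid"], ""), "rcpt": m["rcpt"]})
    return findings

# Lines copied from the log in the post.
SAMPLE = """
Dec 3 15:51:57 mail postfix/smtpd[2619]: 6BF2D6BC0092: client=hwsrv-643173.hostwindsdns.com[142.11.242.245]
Dec 3 15:51:58 mail postfix/qmgr[27425]: 6BF2D6BC0092: from=<ubsghpbtz@meudominio.com.br>, size=2167, nrcpt=1 (queue active)
Dec 3 15:51:58 mail postfix/smtpd[2762]: 21E156BC0093: client=localhost[127.0.0.1]
Dec 3 15:51:58 mail postfix/qmgr[27425]: 21E156BC0093: from=<ubsghpbtz@meudominio.com.br>, size=2898, nrcpt=1 (queue active)
Dec 3 15:51:58 mail postfix/smtp[2099]: 6BF2D6BC0092: to=<queriam@terra.com.br>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.91, delays=0.81/0/0/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=02399-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 21E156BC0093)
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_relayed(SAMPLE):
        print(f"RELAYED {f['qid']} from {f['client_ip']} sender={f['sender']} rcpt={f['rcpt']}")
```

A hit like this one means something in smtpd_recipient_restrictions returned OK before reject_unauth_destination was reached; in the posted main.cf the check_recipient_access regexp:/etc/postfix/sender-proibidos lookup sits in front of reject_unauth_destination, so any OK entry in that file matching the recipient would authorize relaying, which makes it the first thing to review.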