Spam mails are being sent from the mail server

Reiser
14.08.13, 17:57
Hello,

For three days now I have had quite a problem with spam mails on my vServer. I am not receiving spam mails directly; instead I get bursts of out-of-office replies from real people, so I assume that spam mails are being sent from my mail server!
Here is a screenshot:
http://img837.imageshack.us/img837/8792/dw9s.png

My server is a Debian vServer at Hetzner:

# uname -a
Linux vs1.master.com 2.6.32-5-amd64 #1 SMP Sun Sep 23 10:07:46 UTC 2012 x86_64 GNU/Linux
It runs the latest version of Confixx.
The mail client is Postfix with SpamAssassin.
I have several domains. The spam mails only come in via one domain, which I will call xyz.de. I keep all my mail in the mailbox and forward it straight on to my Gmail address. For the xyz.de domain I set up a wildcard email address so that all mail aliases are forwarded to my Gmail:
*@xyz.de ---> yyy@gmail.com
The out-of-office replies to the spam mails reach me via all sorts of aliases, e.g. To:
suprachorioideavuaq@xyz.de
alanhalla.chall@xyz.de
webjames-php-subscribe@xyz.de
debjjmk223134.9e6ef@xyz.de
narada@xyz.de

An excerpt from the log:
yyy@gmail.com is my Gmail address, to which all my mail is forwarded.
web9p2 is my mail user/mailbox.
vs1.master.com is the hostname / master domain of the vServer.

Aug 14 10:22:20 vs1 postfix/smtpd[22502]: connect from proxy1075-fe.tm.cbsig.net[64.30.239.137]
Aug 14 10:22:21 vs1 postfix/policyd-weight[20538]: decided action=PREPEND X-policyd-weight: using cached result; rate: -6.4; <client=64.30.239.137> <helo=proxy1075-fe.tm.cbsig.net> <from=mail@proxy1075.tm.cbsig.net> <to=webjames-php-sub$
Aug 14 10:22:21 vs1 postgrey[1685]: action=pass, reason=triplet found, delay=1087, client_name=proxy1075-fe.tm.cbsig.net, client_address=64.30.239.137, sender=mail@proxy1075.tm.cbsig.net, recipient=webjames-php-subscribe@xyz.de
Aug 14 10:22:21 vs1 postfix/smtpd[22502]: 83603C3957: client=proxy1075-fe.tm.cbsig.net[64.30.239.137]
Aug 14 10:22:21 vs1 postfix/cleanup[22529]: 83603C3957: message-id=<201308140804.r7E84B6b003540@proxy1075.tm.cbsig.net>
Aug 14 10:22:21 vs1 postfix/qmgr[17207]: 83603C3957: from=<mail@proxy1075.tm.cbsig.net>, size=2272, nrcpt=1 (queue active)
Aug 14 10:22:21 vs1 spamd[21809]: spamd: connection from localhost [127.0.0.1] at port 51169
Aug 14 10:22:21 vs1 spamd[21809]: spamd: creating default_prefs: /home/email/web9p2/.spamassassin/user_prefs
Aug 14 10:22:21 vs1 spamd[21809]: spamd: failed to create readable default_prefs: /home/email/web9p2/.spamassassin/user_prefs
Aug 14 10:22:21 vs1 spamd[21809]: spamd: processing message <201308140804.r7E84B6b003540@proxy1075.tm.cbsig.net> for web9p2:1000
Aug 14 10:22:22 vs1 spamd[21809]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /home/email/web9p2/.spamassassin/bayes.lock.vs1.master.com.21809 for /home/email/web9p2/.spamassassin/bayes.lock: Permiss$
Aug 14 10:22:22 vs1 spamd[21809]: spamd: clean message (-2.3/5.0) for web9p2:1000 in 0.6 seconds, 2429 bytes.
Aug 14 10:22:22 vs1 spamd[21809]: spamd: result: . -2 - RCVD_IN_DNSWL_MED scantime=0.6,size=2429,user=web9p2,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51169,mid=<201308140804.r7E84B6b003540@proxy1075.tm.cbsig.net>,$
Aug 14 10:22:22 vs1 postfix/local[22530]: 83603C3957: to=<web9p2@vs1.master.com>, orig_to=<webjames-php-subscribe@xyz.de>, relay=local, delay=1.2, delays=0.64/0/0/0.57, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSIO$
Aug 14 10:22:22 vs1 postfix/cleanup[22529]: 5B871C3958: message-id=<201308140804.r7E84B6b003540@proxy1075.tm.cbsig.net>
Aug 14 10:22:22 vs1 postfix/qmgr[17207]: 5B871C3958: from=<mail@proxy1075.tm.cbsig.net>, size=2410, nrcpt=1 (queue active)
Aug 14 10:22:22 vs1 postfix/local[22530]: 83603C3957: to=<confixx-du-7@vs1.master.com>, orig_to=<webjames-php-subscribe@xyz.de>, relay=local, delay=1.2, delays=0.64/0/0/0.57, dsn=2.0.0, status=sent (forwarded as 5B871C3958)
Aug 14 10:22:22 vs1 postfix/qmgr[17207]: 83603C3957: removed
Aug 14 10:22:22 vs1 spamd[1714]: prefork: child states: II
Aug 14 10:22:23 vs1 postfix/smtp[22624]: 5B871C3958: to=<yyy@gmail.com>, orig_to=<webjames-php-subscribe@xyz.de>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.87, delays=0/0/0.06/0.81, dsn=2.0.0, status=sent (250$
Aug 14 10:22:23 vs1 postfix/qmgr[17207]: 5B871C3958: removed
Aug 14 10:22:39 vs1 postfix/smtpd[22503]: warning: 85.112.139.130: address not listed for hostname mail.tre65.no
Aug 14 10:22:39 vs1 postfix/smtpd[22503]: connect from unknown[85.112.139.130]
Aug 14 10:22:39 vs1 postfix/policyd-weight[6069]: decided action=DUNNO NULL (<>) Sender; <client=85.112.139.130> <helo=mail.oslofrakt.no> <from=> <to=mrw@xyz.de>; delay: 0s
Aug 14 10:22:39 vs1 postgrey[1685]: action=greylist, reason=early-retry (114s missing), client_name=unknown, client_address=85.112.139.130, recipient=mrw@xyz.de
Aug 14 10:22:39 vs1 postfix/smtpd[22503]: NOQUEUE: reject: RCPT from unknown[85.112.139.130]: 450 4.2.0 <mrw@xyz.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/xyz.de.html; from=<> to=<mrw@xyz.de>$
Aug 14 10:22:39 vs1 postfix/smtpd[22503]: disconnect from unknown[85.112.139.130]
Aug 14 10:23:06 vs1 postfix/smtpd[22677]: connect from exprod8ob105.obsmtp.com[64.18.3.89]
Aug 14 10:23:08 vs1 postfix/policyd-weight[20538]: decided action=DUNNO NULL (<>) Sender; <client=64.18.3.89> <helo=exprod8ob105.obsmtp.com> <from=> <to=narada@xyz.de>; delay: 0s
Aug 14 10:23:08 vs1 postgrey[1685]: action=greylist, reason=early-retry (50s missing), client_name=exprod8ob105.obsmtp.com, client_address=64.18.3.89, recipient=narada@xyz.de
Aug 14 10:23:08 vs1 postfix/smtpd[22677]: NOQUEUE: reject: RCPT from exprod8ob105.obsmtp.com[64.18.3.89]: 450 4.2.0 <narada@xyz.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/xyz.de.html; from=<> t$
Aug 14 10:23:08 vs1 postfix/smtpd[22677]: disconnect from exprod8ob105.obsmtp.com[64.18.3.89]
Aug 14 10:23:18 vs1 postfix/smtpd[22518]: connect from de519.ispfr.net[195.14.0.236]
Aug 14 10:23:19 vs1 postfix/policyd-weight[20538]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_EQ_FROM_MX=-3.1; <client=195.14.0.236> <helo=de519.ispfr.net> <from=serviceclient@ecigarette$
Aug 14 10:23:19 vs1 postfix/policyd-weight[20538]: decided action=PREPEND X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_EQ_FROM_MX=-3.1; rate: -7.6; <client=195.14.0.236> <helo=de519.ispf$
Aug 14 10:23:19 vs1 postgrey[1685]: action=greylist, reason=new, client_name=de519.ispfr.net, client_address=195.14.0.236, sender=serviceclient@ecigarette-france.com, recipient=dalzhopur@xyz.de
Aug 14 10:23:19 vs1 postfix/smtpd[22518]: NOQUEUE: reject: RCPT from de519.ispfr.net[195.14.0.236]: 450 4.2.0 <dalzhopur@xyz.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/xyz.de.html; from=<servic$
Aug 14 10:23:19 vs1 postfix/smtpd[22518]: disconnect from de519.ispfr.net[195.14.0.236]
Aug 14 10:23:39 vs1 postfix/smtpd[22516]: warning: 85.112.139.130: address not listed for hostname mail.tre65.no
Aug 14 10:23:39 vs1 postfix/smtpd[22516]: connect from unknown[85.112.139.130]
Aug 14 10:23:39 vs1 postfix/policyd-weight[20538]: decided action=DUNNO NULL (<>) Sender; <client=85.112.139.130> <helo=mail.oslofrakt.no> <from=> <to=mrw@xyz.de>; delay: 0s
Aug 14 10:23:39 vs1 postgrey[1685]: action=greylist, reason=early-retry (54s missing), client_name=unknown, client_address=85.112.139.130, recipient=mrw@xyz.de
Aug 14 10:23:39 vs1 postfix/smtpd[22516]: NOQUEUE: reject: RCPT from unknown[85.112.139.130]: 450 4.2.0 <mrw@xyz.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/xyz.de.html; from=<> to=<mrw@xyz.de>$
Aug 14 10:23:39 vs1 postfix/smtpd[22516]: disconnect from unknown[85.112.139.130]
Aug 14 10:23:46 vs1 postfix/smtpd[22518]: connect from smtp03.smtpout.orange.fr[80.12.242.125]
Aug 14 10:23:46 vs1 postfix/policyd-weight[20538]: decided action=DUNNO NULL (<>) Sender; <client=80.12.242.125> <helo=smtp.smtpout.orange.fr> <from=> <to=phcoetzee@xyz.de>; delay: 0s
Aug 14 10:23:46 vs1 postgrey[1685]: action=greylist, reason=new, client_name=smtp03.smtpout.orange.fr, client_address=80.12.242.125, recipient=phcoetzee@xyz.de
Aug 14 10:23:46 vs1 postfix/smtpd[22518]: NOQUEUE: reject: RCPT from smtp03.smtpout.orange.fr[80.12.242.125]: 450 4.2.0 <phcoetzee@xyz.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/xyz.de.html; fr$
Aug 14 10:23:46 vs1 postfix/smtpd[22518]: disconnect from smtp03.smtpout.orange.fr[80.12.242.125]
Aug 14 10:23:53 vs1 postfix/smtpd[22677]: connect from 154.30.66.86.rev.sfr.net[86.66.30.154]
Aug 14 10:23:53 vs1 postfix/policyd-weight[20538]: decided action=DUNNO NULL (<>) Sender; <client=86.66.30.154> <helo=france-galop.com> <from=> <to=debjjmk223134.9e6ef@xyz.de>; delay: 0s
Aug 14 10:23:53 vs1 postgrey[1685]: action=pass, reason=triplet found, delay=901, client_name=154.30.66.86.rev.sfr.net, client_address=86.66.30.154, recipient=debjjmk223134.9e6ef@xyz.de
Aug 14 10:23:53 vs1 postfix/smtpd[22677]: B774EC3957: client=154.30.66.86.rev.sfr.net[86.66.30.154]
Aug 14 10:23:53 vs1 postfix/cleanup[22529]: B774EC3957: message-id=<923e1ab992e941ffa85d279729473871@FGMSSV02.fgalop.com>
Aug 14 10:23:53 vs1 postfix/qmgr[17207]: B774EC3957: from=<>, size=76994, nrcpt=1 (queue active)
Aug 14 10:23:53 vs1 spamd[21809]: spamd: connection from localhost [127.0.0.1] at port 51171
Aug 14 10:23:53 vs1 spamd[21809]: spamd: creating default_prefs: /home/email/web9p2/.spamassassin/user_prefs
Aug 14 10:23:53 vs1 spamd[21809]: spamd: failed to create readable default_prefs: /home/email/web9p2/.spamassassin/user_prefs
Aug 14 10:23:53 vs1 spamd[21809]: spamd: processing message <923e1ab992e941ffa85d279729473871@FGMSSV02.fgalop.com> for web9p2:1000
Aug 14 10:23:54 vs1 postfix/smtpd[22677]: disconnect from 154.30.66.86.rev.sfr.net[86.66.30.154]
Aug 14 10:23:54 vs1 spamd[21809]: spamd: clean message (4.0/5.0) for web9p2:1000 in 0.7 seconds, 76026 bytes.
Aug 14 10:23:54 vs1 spamd[21809]: spamd: result: . 3 - DYN_RDNS_AND_INLINE_IMAGE,EXTRA_MPART_TYPE,HTML_MESSAGE,RCVD_IN_RP_RNBL,RDNS_DYNAMIC scantime=0.7,size=76026,user=web9p2,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rp$
Aug 14 10:23:54 vs1 postfix/local[22530]: B774EC3957: to=<web9p2@vs1.master.com>, orig_to=<debjjmk223134.9e6ef@xyz.de>, relay=local, delay=0.91, delays=0.24/0/0/0.66, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Aug 14 10:23:54 vs1 postfix/cleanup[22529]: 9A7E8C3958: message-id=<923e1ab992e941ffa85d279729473871@FGMSSV02.fgalop.com>
Aug 14 10:23:54 vs1 postfix/qmgr[17207]: 9A7E8C3958: from=<>, size=77132, nrcpt=1 (queue active)
Aug 14 10:23:54 vs1 postfix/local[22530]: B774EC3957: to=<confixx-du-7@vs1.master.com>, orig_to=<debjjmk223134.9e6ef@xyz.de>, relay=local, delay=0.91, delays=0.24/0/0/0.67, dsn=2.0.0, status=sent (forwarded as 9A7E8C3958)
Aug 14 10:23:54 vs1 postfix/qmgr[17207]: B774EC3957: removed
Aug 14 10:23:54 vs1 spamd[1714]: prefork: child states: II
Aug 14 10:23:55 vs1 postfix/smtp[22624]: 9A7E8C3958: to=<yyy@gmail.com>, orig_to=<debjjmk223134.9e6ef@xyz.de>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.56, delays=0/0/0.06/0.49, dsn=2.0.0, status=sent (250 2.$
Aug 14 10:23:55 vs1 postfix/qmgr[17207]: 9A7E8C3958: removed
Aug 14 10:24:09 vs1 postfix/smtpd[22503]: connect from exprod8ob118.obsmtp.com[64.18.3.35]
Aug 14 10:24:10 vs1 postfix/policyd-weight[20538]: decided action=DUNNO NULL (<>) Sender; <client=64.18.3.35> <helo=exprod8ob118.obsmtp.com> <from=> <to=narada@xyz.de>; delay: 0s
Aug 14 10:24:10 vs1 postgrey[1685]: action=pass, reason=triplet found, delay=312, client_name=exprod8ob118.obsmtp.com, client_address=64.18.3.35, recipient=narada@xyz.de
Aug 14 10:24:10 vs1 postfix/smtpd[22503]: 7D314C3957: client=exprod8ob118.obsmtp.com[64.18.3.35]
Aug 14 10:24:11 vs1 postfix/cleanup[22529]: 7D314C3957: message-id=<41db601a1af440bfb9cf858d86a6e582@CAS2.kennedy-center.org>
Aug 14 10:24:11 vs1 postfix/qmgr[17207]: 7D314C3957: from=<>, size=2094, nrcpt=1 (queue active)
Aug 14 10:24:11 vs1 spamd[21809]: spamd: connection from localhost [127.0.0.1] at port 51175
Aug 14 10:24:11 vs1 spamd[21809]: spamd: creating default_prefs: /home/email/web9p2/.spamassassin/user_prefs
Aug 14 10:24:11 vs1 spamd[21809]: spamd: failed to create readable default_prefs: /home/email/web9p2/.spamassassin/user_prefs
Aug 14 10:24:11 vs1 spamd[21809]: spamd: processing message <41db601a1af440bfb9cf858d86a6e582@CAS2.kennedy-center.org> for web9p2:1000
Aug 14 10:24:12 vs1 postfix/anvil[22495]: statistics: max connection rate 2/60s for (smtp:31.7.181.12) at Aug 14 10:14:38
Aug 14 10:24:12 vs1 postfix/anvil[22495]: statistics: max connection count 1 for (smtp:203.26.41.132) at Aug 14 10:14:17
Aug 14 10:24:12 vs1 postfix/anvil[22495]: statistics: max cache size 17 at Aug 14 10:15:35
Aug 14 10:24:12 vs1 spamd[21809]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /home/email/web9p2/.spamassassin/bayes.lock.vs1.master.com.21809 for /home/email/web9p2/.spamassassin/bayes.lock: Permiss$
Aug 14 10:24:12 vs1 spamd[21809]: spamd: clean message (-2.3/5.0) for web9p2:1000 in 0.2 seconds, 2186 bytes.
Aug 14 10:24:12 vs1 spamd[21809]: spamd: result: . -2 - RCVD_IN_DNSWL_MED scantime=0.2,size=2186,user=web9p2,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51175,mid=<41db601a1af440bfb9cf858d86a6e582@CAS2.kennedy-center$
Aug 14 10:24:12 vs1 postfix/local[22530]: 7D314C3957: to=<web9p2@vs1.master.com>, orig_to=<narada@xyz.de>, relay=local, delay=1.8, delays=1.6/0/0/0.2, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Aug 14 10:24:12 vs1 postfix/cleanup[22529]: 1E97CC3958: message-id=<41db601a1af440bfb9cf858d86a6e582@CAS2.kennedy-center.org>
Aug 14 10:24:12 vs1 postfix/qmgr[17207]: 1E97CC3958: from=<>, size=2232, nrcpt=1 (queue active)
Aug 14 10:24:12 vs1 postfix/local[22530]: 7D314C3957: to=<confixx-du-7@vs1.master.com>, orig_to=<narada@xyz.de>, relay=local, delay=1.8, delays=1.6/0/0/0.2, dsn=2.0.0, status=sent (forwarded as 1E97CC3958)
Aug 14 10:24:12 vs1 postfix/qmgr[17207]: 7D314C3957: removed
Aug 14 10:24:12 vs1 spamd[1714]: prefork: child states: II
Aug 14 10:24:12 vs1 postfix/smtpd[22503]: disconnect from exprod8ob118.obsmtp.com[64.18.3.35]
Aug 14 10:24:12 vs1 postfix/smtp[22624]: 1E97CC3958: to=<yyy@gmail.com>, orig_to=<narada@xyz.de>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.63, delays=0/0/0.06/0.57, dsn=2.0.0, status=sent (250 2.0.0 OK 137646$
Aug 14 10:24:12 vs1 postfix/qmgr[17207]: 1E97CC3958: removed
Aug 14 10:24:15 vs1 postfix/smtpd[22518]: connect from xmail-pub.bluehost.com[69.89.16.10]
Aug 14 10:24:16 vs1 postfix/policyd-weight[20538]: decided action=PREPEND X-policyd-weight: using cached result; rate: -5.5; <client=69.89.16.10> <helo=xmail-pub.bluehost.com> <from=sagaroco@host320.hostmonster.com> <to=dz21bmt@xyz.de>$
Aug 14 10:24:16 vs1 postgrey[1685]: action=pass, reason=triplet found, delay=398, client_name=xmail-pub.bluehost.com, client_address=69.89.16.10, sender=sagaroco@host320.hostmonster.com, recipient=dz21bmt@xyz.de
Aug 14 10:24:16 vs1 postfix/smtpd[22518]: 33297C3957: client=xmail-pub.bluehost.com[69.89.16.10]
Aug 14 10:24:16 vs1 postfix/cleanup[22529]: 33297C3957: message-id=<>
Aug 14 10:24:16 vs1 postfix/qmgr[17207]: 33297C3957: from=<sagaroco@host320.hostmonster.com>, size=1783, nrcpt=1 (queue active)
Aug 14 10:24:16 vs1 spamd[21809]: spamd: connection from localhost [127.0.0.1] at port 51177
Aug 14 10:24:16 vs1 spamd[21809]: spamd: creating default_prefs: /home/email/web9p2/.spamassassin/user_prefs
Aug 14 10:24:16 vs1 spamd[21809]: spamd: failed to create readable default_prefs: /home/email/web9p2/.spamassassin/user_prefs
Aug 14 10:24:16 vs1 spamd[21809]: spamd: processing message (unknown) for web9p2:1000
Aug 14 10:24:17 vs1 postfix/smtpd[22518]: disconnect from xmail-pub.bluehost.com[69.89.16.10]
Aug 14 10:24:17 vs1 spamd[21809]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /home/email/web9p2/.spamassassin/bayes.lock.vs1.master.com.21809 for /home/email/web9p2/.spamassassin/bayes.lock: Permiss$
Aug 14 10:24:17 vs1 spamd[21809]: spamd: clean message (-0.4/5.0) for web9p2:1000 in 1.1 seconds, 1932 bytes.
Aug 14 10:24:17 vs1 spamd[21809]: spamd: result: . 0 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_MID,RCVD_IN_DNSWL_MED scantime=1.1,size=1932,user=web9p2,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51$
Aug 14 10:24:17 vs1 postfix/local[22530]: 33297C3957: to=<web9p2@vs1.master.com>, orig_to=<dz21bmt@xyz.de>, relay=local, delay=2.2, delays=1.1/0/0/1.1, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Aug 14 10:24:17 vs1 postfix/cleanup[22529]: E64E4C3958: message-id=<>
Aug 14 10:24:17 vs1 postfix/qmgr[17207]: E64E4C3958: from=<sagaroco@host320.hostmonster.com>, size=1921, nrcpt=1 (queue active)
Aug 14 10:24:17 vs1 postfix/local[22530]: 33297C3957: to=<confixx-du-7@vs1.master.com>, orig_to=<dz21bmt@xyz.de>, relay=local, delay=2.2, delays=1.1/0/0/1.1, dsn=2.0.0, status=sent (forwarded as E64E4C3958)
Aug 14 10:24:17 vs1 postfix/qmgr[17207]: 33297C3957: removed
Aug 14 10:24:17 vs1 spamd[1714]: prefork: child states: II
Aug 14 10:24:18 vs1 postfix/smtp[22624]: E64E4C3958: to=<yyy@gmail.com>, orig_to=<dz21bmt@xyz.de>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.8, delays=0/0/0.06/0.73, dsn=2.0.0, status=sent (250 2.0.0 OK 137646$
Aug 14 10:24:18 vs1 postfix/qmgr[17207]: E64E4C3958: removed
Aug 14 10:24:40 vs1 postfix/smtpd[22516]: warning: 85.112.139.130: address not listed for hostname mail.tre65.no
Aug 14 10:24:40 vs1 postfix/smtpd[22516]: connect from unknown[85.112.139.130]
Aug 14 10:24:40 vs1 postfix/policyd-weight[20538]: decided action=DUNNO NULL (<>) Sender; <client=85.112.139.130> <helo=mail.oslofrakt.no> <from=> <to=mrw@xyz.de>; delay: 0s
Aug 14 10:24:40 vs1 postgrey[1685]: action=pass, reason=triplet found, delay=307, client_name=unknown, client_address=85.112.139.130, recipient=mrw@xyz.de
Aug 14 10:24:40 vs1 postfix/smtpd[22516]: 5C667C3957: client=unknown[85.112.139.130]
Aug 14 10:24:40 vs1 postfix/cleanup[22529]: 5C667C3957: message-id=<E0FF55046C22BE46BBCB4D559D52BECFCAE3CB16BD@OFSERVER01.of.local>
Aug 14 10:24:40 vs1 postfix/qmgr[17207]: 5C667C3957: from=<>, size=5890, nrcpt=1 (queue active)
Aug 14 10:24:40 vs1 spamd[21809]: spamd: connection from localhost [127.0.0.1] at port 51179
Aug 14 10:24:40 vs1 spamd[21809]: spamd: creating default_prefs: /home/email/web9p2/.spamassassin/user_prefs
Aug 14 10:24:40 vs1 spamd[21809]: spamd: failed to create readable default_prefs: /home/email/web9p2/.spamassassin/user_prefs
Aug 14 10:24:40 vs1 spamd[21809]: spamd: processing message <E0FF55046C22BE46BBCB4D559D52BECFCAE3CB16BD@OFSERVER01.of.local> for web9p2:1000
Aug 14 10:24:40 vs1 postfix/smtpd[22516]: disconnect from unknown[85.112.139.130]
Aug 14 10:24:40 vs1 spamd[21809]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /home/email/web9p2/.spamassassin/bayes.lock.vs1.master.com.21809 for /home/email/web9p2/.spamassassin/bayes.lock: Permiss$
Aug 14 10:24:40 vs1 spamd[21809]: spamd: clean message (-1.0/5.0) for web9p2:1000 in 0.5 seconds, 5929 bytes.
Aug 14 10:24:40 vs1 spamd[21809]: spamd: result: . -1 - HTML_MESSAGE,RCVD_IN_DNSWL_MED,RDNS_NONE scantime=0.5,size=5929,user=web9p2,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51179,mid=<E0FF55046C22BE46BBCB4D559D52B$
Aug 14 10:24:40 vs1 postfix/local[22530]: 5C667C3957: to=<web9p2@vs1.master.com>, orig_to=<mrw@xyz.de>, relay=local, delay=0.62, delays=0.11/0/0/0.51, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Aug 14 10:24:40 vs1 postfix/cleanup[22529]: F1138C3958: message-id=<E0FF55046C22BE46BBCB4D559D52BECFCAE3CB16BD@OFSERVER01.of.local>
Aug 14 10:24:40 vs1 postfix/qmgr[17207]: F1138C3958: from=<>, size=6028, nrcpt=1 (queue active)
Aug 14 10:24:40 vs1 postfix/local[22530]: 5C667C3957: to=<confixx-du-7@vs1.master.com>, orig_to=<mrw@xyz.de>, relay=local, delay=0.62, delays=0.11/0/0/0.51, dsn=2.0.0, status=sent (forwarded as F1138C3958)
Aug 14 10:24:40 vs1 postfix/qmgr[17207]: 5C667C3957: removed
Aug 14 10:24:41 vs1 spamd[1714]: prefork: child states: II
Aug 14 10:24:41 vs1 postfix/smtp[22624]: F1138C3958: to=<yyy@gmail.com>, orig_to=<mrw@xyz.de>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.61, delays=0/0/0.06/0.54, dsn=2.0.0, status=sent (250 2.0.0 OK 137646868$
Aug 14 10:24:41 vs1 postfix/qmgr[17207]: F1138C3958: removed

My /etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = vs1.master.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = myorigin, vs1.master.com, localhost.master.com, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myorigin
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, check_policy_service inet:127.0.0.1:12525, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10023
smtpd_sender_restrictions = permit_mynetworks, permit_tls_clientcerts, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unauth_pipelining, permit_sasl_authenticated
home_mailbox = Maildir/

### PARALLELS CONFIXX POSTFIX ENTRY ###

virtual_maps = hash:/etc/postfix/confixx_virtualUsers, hash:/etc/postfix/confixx_localDomains

### /PARALLELS CONFIXX POSTFIX ENTRY ###

Unfortunately I have no idea what the spam mails sent from @xyz.de look like; as I wrote, I only receive out-of-office replies from various people.

Can you help me stop the spam mails being sent from my host?
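
The question the thread turns on is whether the log shows mail originating on this host or only bounces arriving through the catch-all. The following classifier is an added example, not code from the original post: it groups Postfix log lines by queue ID and labels each message. The sample lines are constructed in the format of the excerpt above; the AAAA1C3957 message and its sasl_username line are invented to show what a message really sent by this host would look like, and mynetworks is taken from the posted main.cf.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the poster's log. AAAA1C3957 and its sasl_username
# line are invented: an authenticated local submission, which the poster's excerpt lacks.
SAMPLE_LOG = """\
Aug 14 10:23:53 vs1 postfix/smtpd[22677]: B774EC3957: client=154.30.66.86.rev.sfr.net[86.66.30.154]
Aug 14 10:23:53 vs1 postfix/qmgr[17207]: B774EC3957: from=<>, size=76994, nrcpt=1 (queue active)
Aug 14 10:23:54 vs1 postfix/local[22530]: B774EC3957: to=<web9p2@vs1.master.com>, orig_to=<debjjmk223134.9e6ef@xyz.de>, relay=local, delay=0.91, delays=0.24/0/0/0.66, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Aug 14 10:23:54 vs1 postfix/local[22530]: B774EC3957: to=<confixx-du-7@vs1.master.com>, orig_to=<debjjmk223134.9e6ef@xyz.de>, relay=local, delay=0.91, delays=0.24/0/0/0.67, dsn=2.0.0, status=sent (forwarded as 9A7E8C3958)
Aug 14 10:23:55 vs1 postfix/smtp[22624]: 9A7E8C3958: to=<yyy@gmail.com>, orig_to=<debjjmk223134.9e6ef@xyz.de>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.56, delays=0/0/0.06/0.49, dsn=2.0.0, status=sent (250 2.0.0 OK)
Aug 14 10:24:16 vs1 postfix/smtpd[22518]: 33297C3957: client=xmail-pub.bluehost.com[69.89.16.10]
Aug 14 10:24:16 vs1 postfix/qmgr[17207]: 33297C3957: from=<sagaroco@host320.hostmonster.com>, size=1783, nrcpt=1 (queue active)
Aug 14 10:24:17 vs1 postfix/local[22530]: 33297C3957: to=<web9p2@vs1.master.com>, orig_to=<dz21bmt@xyz.de>, relay=local, delay=2.2, delays=1.1/0/0/1.1, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Aug 14 10:30:00 vs1 postfix/smtpd[22600]: AAAA1C3957: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=web9p2
Aug 14 10:30:00 vs1 postfix/qmgr[17207]: AAAA1C3957: from=<info@xyz.de>, size=900, nrcpt=1 (queue active)
Aug 14 10:30:01 vs1 postfix/smtp[22624]: AAAA1C3957: to=<someone@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=0.5, delays=0/0/0.1/0.4, dsn=2.0.0, status=sent (250 OK)
"""

QID_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{8,}): (.*)$")
CLIENT_RE = re.compile(r"client=(\S+?)\[([0-9a-fA-F.:]+)\]")
SASL_RE = re.compile(r"sasl_username=(\S+)")
FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>.*?relay=([^,]+)")
ORIG_TO_RE = re.compile(r"orig_to=<([^>]*)>")
FORWARD_RE = re.compile(r"forwarded as ([0-9A-F]+)")


def parse_queue(log_text):
    """Group lines by Postfix queue ID: connecting client, envelope sender, deliveries."""
    msgs = defaultdict(lambda: {"client_ip": None, "sasl_user": None, "sender": None,
                                "deliveries": [], "forwarded_from": None})
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue                      # connect/disconnect, NOQUEUE rejects, spamd, ...
        daemon, qid, rest = m.groups()
        entry = msgs[qid]
        if daemon == "smtpd" and (c := CLIENT_RE.search(rest)):
            entry["client_ip"] = c.group(2)
        if s := SASL_RE.search(rest):
            entry["sasl_user"] = s.group(1)
        if daemon == "qmgr" and (f := FROM_RE.search(rest)):
            entry["sender"] = f.group(1)  # "" is the null sender that bounces use
        if daemon in ("local", "smtp") and (t := TO_RE.search(rest)):
            o = ORIG_TO_RE.search(rest)
            entry["deliveries"].append({"to": t.group(1), "relay": t.group(2),
                                        "orig_to": o.group(1) if o else None})
            if fw := FORWARD_RE.search(rest):
                msgs[fw.group(1)]["forwarded_from"] = qid
    return dict(msgs)


def classify(log_text, mynetworks=("127.0.0.0/8",)):
    """Decide, per message, whether this host originated it or merely received it."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]   # mynetworks from the posted main.cf
    verdicts = {}
    for qid, e in parse_queue(log_text).items():
        ip = e["client_ip"]
        internal = ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)
        local_only = bool(e["deliveries"]) and all(d["relay"] == "local" for d in e["deliveries"])
        if e["forwarded_from"]:
            verdict = "forwarded-copy"            # re-injected by the alias/catch-all forward
        elif ip is None:
            verdict = "unknown"                   # no smtpd line for it in this excerpt
        elif internal or e["sasl_user"]:
            verdict = "outbound-from-this-host"   # the only class that is spam sent by us
        elif e["sender"] == "" and local_only:
            verdict = "backscatter"               # null-sender bounce to a catch-all address
        else:
            verdict = "inbound"
        verdicts[qid] = {"verdict": verdict, "sender": e["sender"], "sasl_user": e["sasl_user"],
                         "orig_to": [d["orig_to"] for d in e["deliveries"]]}
    return verdicts


def summarize(log_text):
    """Count verdicts; many 'backscatter' and no 'outbound-from-this-host' means an abused domain."""
    return dict(Counter(v["verdict"] for v in classify(log_text).values()))
```

Run over the real mail.log, a rising count of "outbound-from-this-host" entries (and the sasl_user on them) is what a compromised mailbox or web script looks like; the excerpt above yields only "backscatter", "inbound" and "forwarded-copy" entries.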

muell200
15.08.13, 15:25
> Can you help me stop the spam mails being sent from my host?

that won't be so easy...

best to shut the server down and check it thoroughly!

I think the server has caught something.

i.e.:
- take the server off the network so it stops sending spam
- find the cause
- reinstall the server and close the security hole

anything more precise can only be said by logging into the server and having a look....

L00NIX
16.08.13, 13:04
Setting up a catch-all is never a good idea. That way even invalid email addresses are accepted by your server and pushed into your mailbox.

Many spammers simply send mail to generated names on the off chance, and at your end the junk just arrives.

Alternatively, it may be that the spammers are using your mail domain as the sender address, which is why you then get sent the out-of-office replies.

So: switch off the forwarding to your mailbox and create exactly the mail addresses you actually use. It does not look as though spam is being sent from your box, but if you cannot see that yourself from the logs, you should not be running the mail server.

Regards
L00NIX

muell200
16.08.13, 14:57
> ...but if you cannot see that yourself from the logs, you should not be running the mail server.

one should also read the logs, though...
from the title of the thread I already knew the answer...
.. is what I meant

Kernel-Error
28.08.13, 20:05
Hey,

one thing is still not clear to me. Is your server actually sending the spam emails?

If it is just your domain being abused, SPF (http://de.wikipedia.org/wiki/Sender_Policy_Framework) could help. At least spammers usually don't pick domains that are "protected". After all, they want to make as much profit as possible!

The thread dates from 14.08; by now you will surely have a solution, won't you?

So what was it in the end and what did you do?