Good day. For two days I have been trying on my own to get rid of virus spam going out from my mail server. I am asking for help. Begging, even.
The situation is as follows. Since roughly the 15th there has been a huge volume of spam either from my server, or to my server which I then relay onward; I can't tell exactly which. The stack is postfix+dovecot+roundcube, with clamd+clamsmtpd+spamd configured.
As I understand it, the problem started with one particular user's mailbox.
If I look at the queue with mailq, nl.krivosheeva@gb2bel.ru appears constantly. That is a mailbox on my domain. The queue keeps growing.
5346E361A17 1753 Tue Jul 19 18:26:06 nl.krivosheeva@gb2bel.ru
(host as-av.iinet.net.au[203.0.178.180] refused to talk to me: 554-icp-osb-irony-in8.iinet.net.au 554 Your access to this mail system from 37.208.65.160 has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
chuckchunder@iinet.net.au
51B6B36199E 1566 Tue Jul 19 18:02:19 nl.krivosheeva@gb2bel.ru
(delivery temporarily suspended: lost connection with mx.bt.lon5.cpcloud.co.uk[65.20.0.49] while sending RCPT TO)
peter476@btinternet.com
5F5BD361FBA 1639 Tue Jul 19 20:17:33 nl.krivosheeva@gb2bel.ru
(delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.91.195] refused to talk to me: 554 5.7.1 : (RLY:B1) https://postmaster.aol.com/error-codes#554rlyb1)
horseloversx2@aol.com
5D59E361FEA 1510 Tue Jul 19 20:19:31 nl.krivosheeva@gb2bel.ru
(delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.91.195] refused to talk to me: 554 5.7.1 : (RLY:B1) https://postmaster.aol.com/error-codes#554rlyb1)
patkotn@aol.com
pnsarandos@aol.com
56E7F361D3F 1590 Tue Jul 19 19:12:52 nl.krivosheeva@gb2bel.ru
(delivery temporarily suspended: lost connection with mx.bt.lon5.cpcloud.co.uk[65.20.0.49] while sending RCPT TO)
nicolasmyth63@btinternet.com
527BE361F44 1799 Tue Jul 19 20:15:04 nl.krivosheeva@gb2bel.ru
(connect to faithfunding.com[107.23.198.240]:25: Connection timed out)
lisa.dillon@faithfunding.com
56C0F361601 1620 Tue Jul 19 17:20:54 nl.krivosheeva@gb2bel.ru
(host dbrwirnap01.dnb.com[158.151.214.66] refused to talk to me: 554 dbrwirnap01.dnb.com)
leonoral@mail.dnb.com
52808360FC0 1636 Tue Jul 19 16:28:42 nl.krivosheeva@gb2bel.ru
(Host or domain name not found. Name service error for name=vizionfurniture.dk type=MX: Host not found, try again)
cn@vizionfurniture.dk
Here are the contents of one message from the queue:
mail ~ # postcat -q 5F544360F7F
*** ENVELOPE RECORDS deferred/5/5F544360F7F ***
message_size: 1704 657 1 0 1704
message_arrival_time: Tue Jul 19 15:58:08 2016
create_time: Tue Jul 19 15:58:08 2016
named_attribute: log_ident=5F544360F7F
named_attribute: rewrite_context=local
sender: nl.krivosheeva@gb2bel.ru
named_attribute: log_client_name=mail.gb2bel.ru
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=50978
named_attribute: log_message_origin=mail.gb2bel.ru[127.0.0.1]
named_attribute: log_helo_name=mx0.gb2bel.ru
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=mail.gb2bel.ru
named_attribute: reverse_client_name=mail.gb2bel.ru
named_attribute: client_address=127.0.0.1
named_attribute: client_port=50978
named_attribute: helo_name=mx0.gb2bel.ru
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;vlulsyteew@willbear.com
original_recipient: vlulsyteew@willbear.com
recipient: vlulsyteew@willbear.com
*** MESSAGE CONTENTS deferred/5/5F544360F7F ***
Received: from mx0.gb2bel.ru (mail.gb2bel.ru [127.0.0.1])
by mx0.gb2bel.ru (Postfix) with ESMTP id 5F544360F7F
for <vlulsyteew@willbear.com>; Tue, 19 Jul 2016 15:58:08 +0300 (MSK)
Received: by mx0.gb2bel.ru (Postfix, from userid 10696)
id 516C9360F80; Tue, 19 Jul 2016 15:58:08 +0300 (MSK)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.gb2bel.ru
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=99.8 required=3.0 tests=ALL_TRUSTED,UPPERCASE_50_75,
USER_IN_BLACKLIST autolearn=no autolearn_force=no version=3.4.0
X-Spam-Report:
* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
* 100 USER_IN_BLACKLIST From: address is in the user's black-list
* 0.8 UPPERCASE_50_75 message body is 50-75% uppercase
Received: from [127.0.0.1] (unknown [81.9.26.103])
by mx0.gb2bel.ru (Postfix) with ESMTPA id 41EBC360F23;
Tue, 19 Jul 2016 15:58:07 +0300 (MSK)
Message-ID: <578DA54A.C1B49E99@gb2bel.ru>
Date: Tue, 19 Jul 2016 03:58:02 -0700
From: nl.krivosheeva@gb2bel.ru
Subject: [***** SPAM 99.8 *****] armpits ARMPITS CANADIENNE CHEP PILLIES, CIUILIS ETC
To: wookard@yahoo.com
Cc: dkfrank314@gmail.com, sascia4@interfree.it, vlulsyteew@willbear.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
X-Spam-Prev-Subject: armpits ARMPITS CANADIENNE CHEP PILLIES, CIUILIS ETC
X-Virus-Scanned: ClamAV using ClamSMTP
Probably you are in search for good solution?
Check out ours http://biologicalcircadian.tumblr.com/?4Tzl
HARROLD WHATEVER - ASS OR PUSSY - YOUR DICK WILL STAND LIKE MOUNTAIN H=
arrold
PRAYED YER BEST FRIEND- VIUGRA! prayed
reddit
*** HEADER EXTRACTED deferred/5/5F544360F7F ***
*** MESSAGE FILE END deferred/5/5F544360F7F ***
Server configs
[spoiler]
mail ~ # cat /etc/postfix/main.cf
# message size limit
message_size_limit = 41943040
queue_directory = /var/spool/postfix
config_directory = /etc/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
#myhostname = mail.gb2bel.ru
myhostname = mx0.gb2bel.ru
mydomain = gb2bel.ru
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
#mydestination = $myhostname, localhost.$mydomain, localhost
mydestination =
relay_domains =
local_recipient_maps = unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550
mynetworks_style = host
###########
mynetworks = 127.0.0.0/8 172.16.5.5/32
############
#mynetworks=
###########
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
smtpd_banner = MHI Belgorod City Hospital 2 ESMTP server
debug_peer_level = 2
sendmail_path = /usr/sbin/sendmail
newaliases_path = /bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = mail
html_directory = no
manpage_directory = /usr/share/man
readme_directory = no
virtual_mailbox_base = /var/spool/mail/
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql_virtual_alias_maps.cf
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql_virtual_mailbox_maps.cf
virtual_minimum_uid = 65534
virtual_uid_maps = static:65534
virtual_gid_maps = static:65534
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# mailbox size limit
mailbox_size_limit = 524288000
smtp_always_send_ehlo = yes
smtpd_reject_unlisted_sender = yes
smtpd_reject_unlisted_recipient = yes
disable_vrfy_command = yes
smtp_always_send_ehlo = yes
#smtpd_hard_error_limit = 2
smtpd_recipient_limit = 40
bounce_queue_lifetime = 1d
maximal_queue_lifetime = 3d
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
########## ADDED #########
smtpd_client_restrictions=
    # Allow clients from trusted networks
    permit_mynetworks,
    # Allow clients that have authenticated
    permit_sasl_authenticated,
    # Reject clients whose PTR hostname does not
    # resolve back to the same IP via its A record
    reject_unknown_client_hostname
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    permit
smtpd_helo_restrictions=
    permit_mynetworks,
    permit_sasl_authenticated,
    # Reject clients that use invalid hostname syntax in HELO
    reject_invalid_helo_hostname,
    # Reject clients that give a non-fully-qualified hostname in HELO
    reject_non_fqdn_helo_hostname,
    # Reject clients whose HELO hostname has no A or MX record
    reject_unknown_helo_hostname
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/conf/access_sender,
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_tls_clientcerts,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender
##############################################
#smtpd_sender_restrictions=
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10030,
    # check_policy_service unix:/var/spool/postfix/postgrey/socket,
    reject_unauth_pipelining,
    check_client_access hash:$config_directory/access_client,
    check_sender_access hash:$config_directory/access_sender,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    #reject_unverified_sender,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_unverified_recipient,
    reject_rbl_client cbl.abuseat.org,
    # reject_rbl_client dnsbl.sorbs.net,
    # reject_rbl_client ubl.unsubscore.com,
    reject_unauth_destination,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_non_fqdn_recipient,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining
smtpd_restriction_classes = OnlyFromMyUsers
OnlyFromMyUsers = permit_mynetworks,
    permit_sasl_authenticated,
    reject
################ DKIM ################
#smtpd_milters = inet:127.0.0.1:8891
#non_smtpd_milters = $smtpd_milters
#milter_default_action = accept
#milter_protocol = 2
####################################
sample_directory = /etc/postfix
#smtp_pix_workaround_delay_time = 10s
#smtp_pix_workaround_maps = hash:$config_directory/pix_workarounds
#smtp_pix_workaround_threshold_time = 500s
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
#smtp_pix_workaround_maps =
# TLS/SSL options
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/201211-mail.gb2bel.ru/mail.gb2bel.ru.key
smtpd_tls_cert_file = /etc/postfix/ssl/201211-mail.gb2bel.ru/mail.gb2bel.ru.crt
smtpd_tls_CAfile = /etc/postfix/ssl/201211-mail.gb2bel.ru/ca.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
##content_filter = scan:127.0.0.1:8025
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
#smtpd_milters = local:/var/run/milter/spamass-milter.sock inet:127.0.0.1:3001
#smtpd_milters = inet:127.0.0.1:3001
#milter_content_timeout = 300s
#milter_default_action = tempfail
#milter_protocol = 6
#milter_mail_macros = _
#milter_mail_macros = {client_addr}
#milter_mail_macros = {client_name}
#milter_end_of_data_macros = i auth_type
######################################
### ADDED BY MAILD-POSTFIX INSTALL ###
######################################
#content_filter = spamassassin
#receive_override_options = no_address_mappings
mail ~ # cat /etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
#SMTP
smtp inet n - n - - smtpd
##spamassassin
    -o content_filter=spamassassin
#######
dovecot unix - n n - - pipe
    flags=DRhu user=nobody:nobody argv=/usr/libexec/dovecot/deliver -c /etc/dovecot/dovecot.conf -f $(sender) -d ${recipient}
#submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
    -o smtp_fallback_relay=
    # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
######################################
### ADDED BY MAILD-POSTFIX INSTALL ###
######################################
##scan unix - - n - - smtp
## -o smtp_send_xforward_command=yes
##127.0.0.1:8026 inet n - n - - smtpd
## -o content_filter=
## -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
## -o smtpd_helo_restrictions=
## -o smtpd_client_restrictions=
## -o smtpd_sender_restrictions=
## -o smtpd_recipient_restrictions=permit_mynetworks,reject
## -o mynetworks=127.0.0.0/8
## -o smtpd_authorized_xforward_hosts=127.0.0.0/8
#spamassassin unix - n n - - pipe
# user=mail argv=/usr/bin/spamc -f -e
# /usr/sbin/sendmail -oi -f ${sender} ${recipient}
############### LATEST #############
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
    -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=reject_unknown_sender_domain
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    #-o mynetworks_style=host
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
spamassassin unix - n n - - pipe
    user=spam argv=/usr/bin/spamc -f -e
        /usr/sbin/sendmail -oi -f ${sender} ${recipient}
[/spoiler]
Mail server logs. The wall of text never stops: http://pastebin.com/NNm62Fd0
Tell me whatever else you need. How do I fix this mess? Please help.
P.S. I ran maldet over all files. 41 entries were flagged as viruses and moved to quarantine. All of them were found in users' mail messages.
I need to get rid of this attack, and only then will I be able to move to a clean IP, because switching right away is scary; it would just get banned as well.
Here I am trying to clear the queue, and it immediately fills up with new messages again:
mail ~ # postsuper -r ALL
postsuper: Requeued: 1438 messages
mail ~ # postsuper -r ALL
postsuper: Requeued: 54 messages
mail ~ # postsuper -r ALL
postsuper: Requeued: 76 messages
mail ~ # postsuper -r ALL
postsuper: Requeued: 337 messages
mail ~ # postsuper -r ALL
postsuper: Requeued: 149 messages
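As an added example (not code from the original post), a small Python check over input shaped like the mailq listing and the postcat Received: headers shown above: it counts deferred entries per envelope sender and lists ESMTPA (authenticated) hops whose client address is outside mynetworks, which is the evidence that one account's credentials are being used from outside rather than the server being an open relay. The samples are assembled from the post's own lines plus one constructed queue entry (admin@gb2bel.ru, 192.0.2.1), and the regexes assume the default Postfix mailq and Received: formats.

```python
import ipaddress
import re
from collections import Counter

# Sample shaped like the post's `mailq` listing (id, size, date, sender; reason; recipients);
# the third entry is constructed.
MAILQ_SAMPLE = """\
5346E361A17     1753 Tue Jul 19 18:26:06  nl.krivosheeva@gb2bel.ru
(host as-av.iinet.net.au[203.0.178.180] refused to talk to me: 554 poor reputation)
                                         chuckchunder@iinet.net.au
51B6B36199E     1566 Tue Jul 19 18:02:19  nl.krivosheeva@gb2bel.ru
(delivery temporarily suspended: lost connection while sending RCPT TO)
                                         peter476@btinternet.com
0A1B2C3D4E5      900 Tue Jul 19 18:05:00  admin@gb2bel.ru
(connect to example.invalid[192.0.2.1]:25: Connection timed out)
                                         someone@example.invalid
"""
# Headers in the shape of the post's `postcat -q` output. "with ESMTPA" marks an
# authenticated submission; the bracketed address is the client that logged in.
HEADERS_SAMPLE = """\
Received: from [127.0.0.1] (unknown [81.9.26.103])
    by mx0.gb2bel.ru (Postfix) with ESMTPA id 41EBC360F23;
    Tue, 19 Jul 2016 15:58:07 +0300 (MSK)
From: nl.krivosheeva@gb2bel.ru
"""
MAILQ_ENTRY = re.compile(r"^([0-9A-F]+)\*?\s+\d+\s+\w{3} \w{3} +\d+ [\d:]+\s+(\S+@\S+)$", re.M)
AUTH_HOP = re.compile(r"Received: from \S+ \((?:\S+ )?\[(?P<ip>[\d.]+)\]\)"
                      r"\s+by \S+ \(Postfix\) with ESMTPA id (?P<qid>\w+)")

def senders_in_queue(mailq_text):
    """Count deferred queue entries per envelope sender."""
    return Counter(m.group(2) for m in MAILQ_ENTRY.finditer(mailq_text))

def dominant_sender(mailq_text, share=0.5):
    """Sender behind more than `share` of the queue, or None if nobody dominates."""
    counts = senders_in_queue(mailq_text)
    if not counts:
        return None
    sender, n = counts.most_common(1)[0]
    return sender if n / sum(counts.values()) > share else None

def external_auth_hops(headers, trusted=("127.0.0.0/8", "172.16.5.5/32")):
    """(queue id, client IP) of ESMTPA hops outside the trusted nets (default: the post's mynetworks)."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    return [(m.group("qid"), m.group("ip")) for m in AUTH_HOP.finditer(headers)
            if not any(ipaddress.ip_address(m.group("ip")) in n for n in nets)]

def compromised_account(mailq_text, headers):
    """One sender floods the queue and its mail was submitted with a login from outside: suspect that account."""
    sender = dominant_sender(mailq_text)
    return sender if sender and external_auth_hops(headers) else None
```

Run it against the real `mailq` output and `postcat -q <id>` of a few queued messages; a single dominant sender plus ESMTPA hops from unfamiliar addresses means that password must be changed before the queue is cleaned.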