Some people have sent spoofed mails from our mail users to our users via Postfix/local, which is listed in the maillog like below:
Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
But I do not know how to prevent these people from using my Postfix/local delivery part. How can I prevent this attack?
When I connect to my mail server to send or receive my mail it looks like
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=..., lip=...
…
Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0…
When I connect to my mail server to send or receive my mail it looks like
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***
This is receiving mail. POP3 is a mail retrieval protocol. Dovecot is a POP3/IMAP server. This is not sending mail.
Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
This is mail being directed into procmail via Postfix. It is what any mail sent to your server looks like. It is not indicative of a problem, and it is not "spoofing".
What is the actual problem? The logs you’ve given us give no indication of spoofing. They look like normal delivery via procmail.
I attach my maillog so you can understand what I want to say. Most of the mail users send spam mails themselves, as shown in the attachment.
Most of the listed queue looks like below.
Apr 30 11:00:22 ns1 postfix/local[6357]: 7D0383584F0: to=<destek-domain.net@ns1.mydomain.com>, orig_to=<destek@domain.net>, relay=local, delay=1043, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 30 11:00:22 ns1 postfix/qmgr[30193]: 7D0383584F0: removed
and all this mail is sent to all users as spam. But I cannot find the trigger of this spam. This is the only local part problem. I think this spam attack is going out to the Internet from our server, because http://www.backscatterer.org/index.php lists the server IP in its blacklist.
The attack history given below is what is listed at http://www.backscatterer.org/index.php.
A total of 103 Impacts were seen during this listing. Last was 2009/04/30 05:32
Earliest date this IP can expire is 2009/05/28.
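To help separate what these log lines actually record, here is an added example (not code from the thread or from Postfix/Dovecot) that parses the two line types shown above and summarizes them. It distinguishes inbound `postfix/local` deliveries (mail arriving into procmail, as the reply explains) from Dovecot POP3/IMAP logins (mailbox retrieval), and reports per-recipient counts and queue delays; the sample lines are constructed from the thread's excerpts with IPs masked.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the maillog excerpts in the thread (IPs masked).
SAMPLE_LOG = """\
Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***
Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 30 11:00:22 ns1 postfix/local[6357]: 7D0383584F0: to=<destek-domain.net@ns1.mydomain.com>, orig_to=<destek@domain.net>, relay=local, delay=1043, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Apr 30 11:00:22 ns1 postfix/qmgr[30193]: 7D0383584F0: removed
"""

# postfix/local delivery line: queue id, rewritten `to`, original `orig_to`, relay, delay (seconds), status
LOCAL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) postfix/local\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<to>[^>]*)>(?:, orig_to=<(?P<orig_to>[^>]*)>)?, relay=(?P<relay>\S+), "
    r"delay=(?P<delay>[\d.]+), status=(?P<status>\w+)"
)
# dovecot login line: a mailbox being read, never mail being sent
DOVECOT_RE = re.compile(r" dovecot: (?P<proto>pop3|imap)-login: Login: user=<(?P<user>[^>]*)>")

def parse_maillog(text):
    """Split a maillog into inbound local deliveries and mailbox logins."""
    deliveries, logins = [], []
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            d = m.groupdict()
            d["delay"] = float(d["delay"])
            # orig_to is the address the sender used; `to` is the local mailbox after rewriting
            d["recipient"] = d["orig_to"] or d["to"]
            deliveries.append(d)
            continue
        m = DOVECOT_RE.search(line)
        if m:
            logins.append(m.groupdict())
    return deliveries, logins

def summarize(text):
    """Per-recipient inbound counts and queue delay; none of this is outbound traffic."""
    deliveries, logins = parse_maillog(text)
    return {
        "inbound_deliveries": len(deliveries),
        "per_recipient": dict(Counter(d["recipient"] for d in deliveries)),
        "queue_ids": sorted({d["qid"] for d in deliveries}),
        # a large delay means the message sat in the queue long before local delivery
        "max_delay_seconds": max((d["delay"] for d in deliveries), default=0.0),
        "retrieval_logins": len(logins),
    }
```

Outbound mail, including bounces that would cause a backscatter listing, goes through other Postfix daemons and does not appear in `postfix/local` lines at all.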