Hello,
For a short time now (3 days) I have been the target of a cracker. So far the attack uses 3 known IP addresses:
iptables -I INPUT -s 108.178.61.228 -j DROP #spam
iptables -I INPUT -s 108.178.61.229 -j DROP #spam
iptables -I INPUT -s 198.143.132.2 -j DROP #spam
iptables -I INPUT -s 179.236.124.245 -j DROP #spam
The attacker sends e-mails from his server, uses my server as a relay for my own domain and sends them out.
I do not understand how the attacker can send e-mails without having to login over SMTP.
An extract from the mail log:
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BD9BD58CB46F: from=<hbdbd5@MYDOMAIN.COM>, size=1220, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: 4B18E58DFCD4: removed
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: B733E58C411B: from=<yuehr@MYDOMAIN.COM>, size=1645, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BC3D858CEB1D: from=<ztjg1ilt@MYDOMAIN.COM>, size=1111, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/error[7917]: 3D29D58D0093: to=<aureliopereira22@hotmail.com>, relay=none, delay=181855, delays=181079/775/0/0.73, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7867]: 3A55158DC324: to=<luan.nextel@hotmail.com>, relay=none, delay=9889, delays=9113/775/0/0.93, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7369]: 36D2A58C839D: to=<eloina_f_silva@hotmail.com>, relay=none, delay=283587, delays=282811/774/0/1.5, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7360]: 3495958C8761: to=<mariasaraiva94@hotmail.com>, relay=none, delay=282674, delays=281898/775/0/0.55, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7392]: 3847E58D6CEB: to=<claysin_bts@hotmail.com>, relay=none, delay=106725, delays=105949/774/0/1.7, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7352]: 3C4DF59222C7: to=<marlon787@hotmail.com>, relay=none, delay=9625, delays=8849/775/0/1.1, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7868]: AACCA5940920: to=<elinewalc@hotmail.com>, relay=none, delay=777, delays=2.2/775/0/0.17, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/error[7916]: C33515940921: to=<cris_sa@hotmail.com>, relay=none, delay=777, delays=2.4/775/0/0.17, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[65.54.188.126] while sending RCPT TO)
Oct 30 21:44:29 exalt2 postfix/smtp[7616]: 368C6590406B: to=<mrmarina@uol.com.br>, relay=mx.uol.com.br[200.147.36.15]:25, conn_use=4, delay=33035, delays=32132/902/0.25/0.65, dsn=4.7.1, status=deferred (host mx.uol.com.br[200.147.36.15] said: 450 4.7.1 <mrmarina@uol.com.br>: Recipient address rejected: MX-UOL-04 - Too many messages, try again later. (in reply to RCPT TO command))
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BD30358CF5A5: from=<a7zbsltj@MYDOMAIN.COM>, size=1160, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BECAB5924EFE: from=<mxpny9yg@MYDOMAIN.COM>, size=1136, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/smtpd[7903]: warning: restriction `permit_mynetworks' after `permit' is ignored
My server is already being blocked by several blocklists.
I have made several changes to the settings and it seems that the attacker is unable to send e-mails now. But on the other hand, I am also unable to send e-mail.
My current biggest concerns are:
- what is impacted? Only Postfix, or might other systems be affected as well?
- how can the attacker send without a username and password?
- how can I counter this?
- are there any passwords I should change?
- why can't I send? The current logs look like this:
Oct 30 22:43:59 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 22:43:59 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 22:44:00 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from unknown[179.236.124.245]: 450 4.7.1 Client host rejected: cannot find your hostname, [179.236.124.245]; from=<> to=<2ofdav@MYDOMAIN.COM> proto=SMTP helo=<MYDOMAIN.COM>
Oct 30 22:44:00 exalt2 postfix/smtpd[18981]: disconnect from unknown[179.236.124.245]
Oct 30 22:44:09 exalt2 postfix/smtpd[18309]: connect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:44:09 exalt2 postfix/smtpd[18309]: disconnect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:45:09 exalt2 postfix/smtpd[18309]: connect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:45:09 exalt2 postfix/smtpd[18309]: disconnect from static.240.54.251.148.clients.your-server.de[148.251.54.240]
Oct 30 22:45:12 exalt2 postfix/smtpd[18981]: connect from MY.REVERSE.DOMAIN[my.home.ip]
Oct 30 22:45:13 exalt2 postfix/smtpd[18981]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
Oct 30 22:45:13 exalt2 postfix/smtpd[18981]: NOQUEUE: reject: RCPT from MY.REVERSE.DOMAIN[my.home.ip]: 554 5.7.1 <XXXXXX@gmail.com>: Recipient address rejected: Relay access denied; from=<remi@MYDOMAIN.COM> to=<XXXXXX@gmail.com> proto=ESMTP helo=<[192.168.3.100]>
Oct 30 22:45:13 exalt2 postfix/smtpd[18981]: disconnect from MY.REVERSE.DOMAIN[my.home.ip]
Any help is greatly appreciated!
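The warning in the first log extract, "restriction `permit_mynetworks' after `permit' is ignored", is the key finding: Postfix stops evaluating a restriction list at `permit`, so a `permit` placed before `reject_unauth_destination` (or before the deprecated `check_relay_domains`) accepts relaying from any client without authentication. The script below is an added example, not part of the original post, that scans Postfix log lines for that warning and for the bulk-queue pattern shown above; the sample lines, hostnames and domains in it are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log format in the post (placeholder domains).
SAMPLE_LOG = """\
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: BD9BD58CB46F: from=<hbdbd5@example.com>, size=1220, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/qmgr[9692]: B733E58C411B: from=<yuehr@example.com>, size=1645, nrcpt=10 (queue active)
Oct 30 21:44:29 exalt2 postfix/error[7917]: 3D29D58D0093: to=<user1@hotmail.example>, relay=none, delay=181855, dsn=4.4.2, status=deferred (delivery temporarily suspended)
Oct 30 21:44:29 exalt2 postfix/smtpd[7903]: warning: restriction `permit_mynetworks' after `permit' is ignored
Oct 30 21:44:30 exalt2 postfix/qmgr[9692]: BD30358CF5A5: from=<admin@example.com>, size=1160, nrcpt=1 (queue active)
"""

# qmgr "queue active" entries: queue id, envelope sender, recipient count.
QUEUE_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+) \(queue active\)")
# Outbound deliveries that the remote side deferred (the symptom of being throttled/blocklisted).
DEFER_RE = re.compile(r"postfix/(?:error|smtp)\[\d+\]: \w+: to=<([^>]*)>.*status=deferred")
# smtpd warns when a restriction follows an unconditional `permit`: everything after it never runs.
PERMIT_RE = re.compile(r"warning: restriction `([^']+)' after `permit' is ignored")


def analyze(log_text, local_domain, bulk_threshold=10):
    """Summarise open-relay indicators in Postfix log text for the given local domain."""
    report = {"ignored_after_permit": [], "local_senders": Counter(),
              "bulk_senders": set(), "queued_recipients": 0, "deferred": 0}
    for line in log_text.splitlines():
        m = PERMIT_RE.search(line)
        if m:  # misordered restriction list: the server is relaying for everyone
            report["ignored_after_permit"].append(m.group(1))
            continue
        m = QUEUE_RE.search(line)
        if m:
            sender, nrcpt = m.group(2), int(m.group(3))
            if sender.lower().endswith("@" + local_domain.lower()):
                report["local_senders"][sender] += 1
                report["queued_recipients"] += nrcpt
                if nrcpt >= bulk_threshold:  # many recipients per message from a local sender
                    report["bulk_senders"].add(sender)
            continue
        if DEFER_RE.search(line):
            report["deferred"] += 1
    return report


def is_open_relay_suspected(report):
    """True when the config warning or bulk sending from local addresses is present."""
    return bool(report["ignored_after_permit"]) or len(report["bulk_senders"]) > 0


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG, "example.com")
    print("open relay suspected:", is_open_relay_suspected(r))
    print("restrictions ignored after permit:", r["ignored_after_permit"])
    print("bulk local senders:", sorted(r["bulk_senders"]), "deferred:", r["deferred"])
```

The fix this points at is configuration, not a firewall rule: put `reject_unauth_destination` ahead of any bare `permit` in `smtpd_recipient_restrictions` so that only `mynetworks` and authenticated clients can relay.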