Postfix keeps sending SPAM despite closing the famous "Open Relay"


Let's pretend for a second that my client's website is thatshowithappened.com. A couple of weeks ago our server was an open relay; we fixed it.

And now, after putting in

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
#       check_policy_service inet:127.0.0.1:10101,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client psbl.surriel.com,
#       reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client b.barracudacentral.org

It worked, and I accidentally flushed the message queue. Now I can't tell which script was responsible for sending the SPAM, since I already checked that it is not a CRON job, so this is what shows up in my mail logs:

Mar 20 06:39:53 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:39:57 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:00 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:03 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:07 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:10 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:13 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:16 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:19 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:22 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:31 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:35 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:38 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:41 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:44 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:48 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:50 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:54 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:40:57 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:41:00 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:41:03 thatshowithappened postfix/smtpd[1411]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/104.168.142.169; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<hwsrv-234497.hostwindsdns.com>
Mar 20 06:41:07 thatshowithappened postfix/smtpd[1413]: NOQUEUE: reject: RCPT from hwsrv-234497.hostwindsdns.com[104.168.142.169]: 554 5.7.1 Service unavailable; Client host [104.168.142.169] blocked

It looks like there is a word dictionary; the spammer is using our own domain thatshowithappened.com. I don't know where to look, or at least how to find out the message headers after the message has already been sent or rejected as above.

I tried mailq and postqueue -p but it is always empty, and that is correct since the messages are neither queued nor deferred, right?

# postcat -q 4DEC51723309
postcat: fatal: open queue file 4DEC51723309: No such file or directory

The CPU sits between 90% and 100%, so even though it is not sending SPAM, it is killing my machine (CentOS 7 running Postfix 2.x).

What do you suggest we do? Any other way to debug this?

PS: I have enabled the PHP mail headers to trace which script is sending SPAM:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

By the way, I hope the question doesn't come across as "My PC doesn't work. What do I do?" :D

I have tried checking other questions like this one that are similar to mine, but no luck.

Kindly help.

Answer 1

The log entries you posted show that another machine is trying to relay spam through your mail server, but your mail server is rejecting it.

If this is causing high CPU load, consider temporarily blocking the remote IP address so that it can no longer connect. This should bring immediate relief.

iptables -I INPUT -s 104.168.142.169 -j DROP

You can also use fail2ban to do this, since it already ships with preconfigured jails that process the postfix logs; they just need to be enabled. For example, put in your jail.local:

[postfix]
enabled = true
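The following is an added example; it is not part of the question or of the answer above. It is a small Python script that parses Postfix smtpd "NOQUEUE: reject" lines of the kind posted in the question, counts them per connecting client IP, per blocklist that fired and per claimed sender domain, and lists the clients whose reject count reaches a threshold, which are the addresses you would hand to the iptables rule or the fail2ban jail from the answer. Reading the counts also makes the point of the answer concrete: every one of these lines is an inbound connection being refused, none of them is your server sending anything. The log lines embedded in the script are constructed (TEST-NET addresses, invented host names) and the regular expressions assume the standard syslog prefix ("Mon DD HH:MM:SS host postfix/smtpd[pid]:") seen in the posted log.

```python
"""Summarise Postfix smtpd reject lines per client IP, blocklist and sender domain.

Added example for this thread, not code from the question or the answer.
Usage: python postfix_rejects.py [/var/log/maillog]; with no argument the
constructed sample log below is analysed.
"""
import re
import sys
from collections import Counter

# One smtpd reject line; assumes the standard syslog prefix shown in the posted log.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[0-9.]+)\]: (?P<code>\d{3}) (?P<esc>\S+) "
    r"(?P<reason>.*)$"
)
# Which DNSBL produced the rejection (absent for e.g. "Relay access denied").
RBL_RE = re.compile(r"blocked using (?P<rbl>[A-Za-z0-9.-]+)")
# Envelope sender and recipient the client tried to use.
ENVELOPE_RE = re.compile(r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")

# Constructed sample log (not real traffic): three RBL rejects from one client
# claiming the site's own domain, one relay refusal from another client, and two
# non-reject lines that the parser must ignore.
SAMPLE_LOG = """\
Mar 20 06:39:53 mx postfix/smtpd[1413]: connect from relay-a.example.invalid[192.0.2.10]
Mar 20 06:39:53 mx postfix/smtpd[1413]: NOQUEUE: reject: RCPT from relay-a.example.invalid[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.10; from=<news@thatshowithappened.com> to=<victim@example.net> proto=ESMTP helo=<relay-a.example.invalid>
Mar 20 06:39:57 mx postfix/smtpd[1411]: NOQUEUE: reject: RCPT from relay-a.example.invalid[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.10; from=<offers@thatshowithappened.com> to=<victim2@example.net> proto=ESMTP helo=<relay-a.example.invalid>
Mar 20 06:40:00 mx postfix/smtpd[1413]: NOQUEUE: reject: RCPT from relay-a.example.invalid[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/192.0.2.10; from=<promo@thatshowithappened.com> to=<victim3@example.net> proto=ESMTP helo=<relay-a.example.invalid>
Mar 20 06:40:05 mx postfix/smtpd[1411]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 454 4.7.1 <someone@elsewhere.example>: Relay access denied; from=<x@example.org> to=<someone@elsewhere.example> proto=ESMTP helo=<unknown>
Mar 20 06:40:09 mx postfix/smtpd[1413]: 1A2B3C4D5E: client=mail.example.org[192.0.2.50]
"""


def parse_reject(line):
    """Return a dict describing a NOQUEUE reject line, or None for any other line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = {"client": m.group("client"), "ip": m.group("ip"), "code": m.group("code"),
           "rbl": None, "sender": None, "rcpt": None}
    rbl = RBL_RE.search(m.group("reason"))
    if rbl:
        rec["rbl"] = rbl.group("rbl")
    env = ENVELOPE_RE.search(m.group("reason"))
    if env:
        rec["sender"], rec["rcpt"] = env.group("sender"), env.group("rcpt")
    return rec


def summarize(lines):
    """Count rejects per client IP, per DNSBL and per claimed sender domain."""
    per_ip, per_rbl, per_sender_domain = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        if rec["rbl"]:
            per_rbl[rec["rbl"]] += 1
        if rec["sender"] and "@" in rec["sender"]:
            per_sender_domain[rec["sender"].split("@", 1)[1]] += 1
    return per_ip, per_rbl, per_sender_domain


def clients_over_threshold(per_ip, threshold):
    """Client IPs whose reject count reaches the threshold: candidates for the
    temporary firewall drop or fail2ban jail suggested in the answer."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def block_rule(ip):
    """The iptables rule from the answer, filled in for one client IP."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    ips, rbls, domains = summarize(lines)
    print("rejects per client IP:", dict(ips))
    print("rejects per blocklist:", dict(rbls))
    print("claimed sender domains:", dict(domains))
    for ip in clients_over_threshold(ips, 3):
        print("candidate for blocking:", block_rule(ip))
```

Point the script at the real maillog and the "claimed sender domains" counter will show whether the rejected messages are forging your own domain, as the question suspects; because these are NOQUEUE rejections, nothing ever reaches the queue, which is why mailq and postcat find nothing for them.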
