SPAM and virus mails

thomas.km
Posts: 364
Joined: 2003-09-14 11:35
Location: Schleswig-Holstein

SPAM and virus mails

Post by thomas.km » 2004-06-14 15:47

Hello,

I have been looking for a solution to my problem for days now. I have already read through the forum posts about RBL domains here and taken the ones used by some experienced users.

maps_rbl_domains = sbl-xbl.spamhaus.org list.dsbl.org relays.ordb.org relays.visi.com blacklist.spambag.org


Furthermore, I also have
#header_checks = pcre:/etc/postfix/header_checks
#body_checks = pcre:/etc/postfix/body_checks
#mime_header_checks = regexp:/etc/postfix/mime_header_checks.regex

in main.cf, together with the files that were discussed here in the forum in a three-page thread.

Result?
In 2 hours just under 120 mails come in that sit around in nobody and luckily harm no one (SA).

But half as many again go to the users, and that is not a small amount.

I am not on any relay list, but beyond that I don't know what else to do.
Does anyone have another idea?
I mean, if they all ended up in nobody, fine, I wouldn't have a problem with that, but a large part is actually being delivered.

Regards
Thomas

adjustman
Posts: 1132
Joined: 2003-03-26 23:29
Location: SA

Re: SPAM and virus mails

Post by adjustman » 2004-06-14 17:26

Nobody can do anything with that information. HOW is SA integrated/called? Show the main.cf. Logs?

thomas.km
Posts: 364
Joined: 2003-09-14 11:35
Location: Schleswig-Holstein

Re: SPAM and virus mails

Post by thomas.km » 2004-06-14 17:42

Here is the main.cf without comments:


queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = p12345678.pureserver.info
mydomain = domain.tld
mydomain = xxxx.de
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain, smtp.$mydomain
mynetworks_style = host
local_recipient_maps = $alias_maps unix:passwd.byname
in_flow_delay = 0
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mail_spool_directory = /var/mail
mailbox_command = /usr/bin/procmail
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regex
fast_flush_domains = $relay_domains
smtpd_banner = $myhostname ESMTP $mail_name
debug_peer_level = 2
debugger_command =
    PATH=/usr/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
setgid_group = maildrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
readme_directory = /usr/share/doc/packages/postfix/README_FILES
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual, hash:/etc/postfix/confixx_virtualUsers, hash:/etc/postfix/confixx_localDomains
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
inet_interfaces = all
masquerade_domains = webnbasics.de
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
maps_rbl_domains = sbl-xbl.spamhaus.org list.dsbl.org relays.ordb.org relays.visi.com blacklist.spambag.org


Here is an excerpt from the mail log:

postfix/smtpd[8841]: disconnect from riggs.ce-line.net[212.62.87.10]
postfix/smtp[8921]: 8DF832040CA: to=<frankjessberger@virtual-skyways.de>, relay=mail.virtual-skyways.de[81.209.148.136], delay=2, status=sent (250 Ok: queued as 24E20663CC)
postfix/smtp[8906]: 8DF832040CA: to=<de-dir@ivao.org>, relay=mail.ivao.org[195.207.29.197], delay=3, status=bounced (host mail.ivao.org[195.207.29.197] said: 500 Mail appears infected with 'Worm.Bagle.Gen-zippwd-2' -- disinfect and resend.)
postfix/smtp[8906]: 8DF832040CA: to=<de-eac@ivao.org>, relay=mail.ivao.org[195.207.29.197], delay=3, status=bounced (host mail.ivao.org[195.207.29.197] said: 500 Mail appears infected with 'Worm.Bagle.Gen-zippwd-2' -- disinfect and resend.)
postfix/smtp[8906]: 8DF832040CA: to=<de-ec@ivao.org>, relay=mail.ivao.org[195.207.29.197], delay=3, status=bounced (host mail.ivao.org[195.207.29.197] said: 500 Mail appears infected with 'Worm.Bagle.Gen-zippwd-2' -- disinfect and resend.)
postfix/smtp[8906]: 8DF832040CA: to=<de-foc@ivao.org>, relay=mail.ivao.org[195.207.29.197], delay=3, status=bounced (host mail.ivao.org[195.207.29.197] said: 500 Mail appears infected with 'Worm.Bagle.Gen-zippwd-2' -- disinfect and resend.)
postfix/smtp[8911]: 8DF832040CA: to=<info@mail.worldxpression.net>, relay=mail.worldxpression.net[80.190.204.24], delay=3, status=bounced (host mail.worldxpression.net[80.190.204.24] said: 554 <info@mail.worldxpression.net>: Recipient address rejected: Relay access denied)
postfix/smtp[8901]: 8DF832040CA: to=<ceo@jamaica-express.com>, relay=mx00.schlund.de[212.227.126.147], delay=3, status=sent (250 OK id=1BZrb5-0005Kq-00)
postfix/smtp[8889]: 8DF832040CA: to=<puludwig@aol.com>, relay=mailin-04.mx.aol.com[64.12.137.184], delay=3, status=sent (250 OK)
postfix/smtp[8912]: 8DF832040CA: to=<flugleitung@virtual-brothers.de>, relay=mail.virtual-brothers.de[192.220.110.225], delay=3, status=bounced (host mail.virtual-brothers.de[192.220.110.225] said: 550 5.7.1 <flugleitung@virtual-brothers.de>... SMTP relay denied, authenticate via POP/IMAP first)
postfix/smtp[8900]: 8DF832040CA: to=<webmaster@flywings.de>, relay=mailin.webmailer.de[192.67.198.48], delay=3, status=sent (250 2.0.0 i5EDXww6007958 Message accepted for delivery)
postfix/smtp[8915]: 8DF832040CA: to=<RickVodafone@netscape.net>, relay=mailin-02.mx.netscape.net[205.188.158.57], delay=3, status=sent (250 OK)
postfix/smtp[8918]: 8DF832040CA: to=<steffen.digel@swabianva.de>, relay=mail.swabianva.de[195.69.240.23], delay=3, status=bounced (host mail.swabianva.de[195.69.240.23] said: 554 <steffen.digel@swabianva.de>: Relay access denied)
postfix/smtp[8893]: 8DF832040CA: to=<georg@german-airways.de>, relay=mailin.webmailer.de[192.67.198.32], delay=3, status=sent (250 2.0.0 i5EDXv1e014136 Message accepted for delivery)
postfix/smtp[8916]: 8DF832040CA: to=<nga-crew@northgerman.de>, relay=mailin.webmailer.de[192.67.198.32], delay=4, status=sent (250 2.0.0 i5EDXwrG022732 Message accepted for delivery)
postfix/smtp[8894]: 8DF832040CA: to=<markus@koller-wings.de>, relay=mailin.webmailer.de[192.67.198.32], delay=4, status=sent (250 2.0.0 i5EDXvdl012321 Message accepted for delivery)
postfix/smtp[8920]: 8DF832040CA: to=<info@traxun.de>, relay=mailin.webmailer.de[192.67.198.32], delay=4, status=sent (250 2.0.0 i5EDXvJj004206 Message accepted for delivery)
postfix/smtp[8886]: 8DF832040CA: to=<berlincityair@arcor.de>, relay=mx.arcor.de[151.189.21.118], delay=4, status=sent (250 Ok: queued as 60D48C049C4)
postfix/smtp[8891]: 8DF832040CA: to=<j-wiese@europa-airways.de>, relay=mx01.schlund.de[212.227.126.164], delay=4, status=sent (250 OK id=1BZrb6-0004ur-00)
postfix/smtp[8910]: connect to mail.littlesunva.de[62.67.235.159]: server dropped connection (port 25)
postfix/smtp[8910]: 8DF832040CA: to=<webmaster@littlesunva.de>, relay=none, delay=5, status=deferred (connect to mail.littlesunva.de[62.67.235.159]: server dropped connection)
postfix/smtp[8888]: 8DF832040CA: to=<info@leipzigair.de>, relay=mail.leipzigair.de[195.68.247.74], delay=5, status=sent (250 ok 1087220041 qp 13750)
postfix/smtp[8892]: 8DF832040CA: to=<webmaster@cea-va.de>, relay=mx00.schlund.de[212.227.126.147], delay=5, status=sent (250 OK id=1BZrb7-0005MF-00)
postfix/smtp[8922]: 8DF832040CA: to=<Hamaland@web.de>, relay=mx-ha01.web.de[217.72.192.149], delay=5, status=bounced (host mx-ha01.web.de[217.72.192.149] said: 550 Unknown local part Hamaland in <Hamaland@web.de>)
postfix/smtp[8922]: 8DF832040CA: to=<aersalue_dispatcher@web.de>, relay=mx-ha01.web.de[217.72.192.149], delay=6, status=sent (250 OK id=1BZrb7-00036O-00)
postfix/smtp[8922]: 8DF832040CA: to=<bennybusch@web.de>, relay=mx-ha01.web.de[217.72.192.149], delay=6, status=sent (250 OK id=1BZrb7-00036O-00)
postfix/smtp[8922]: 8DF832040CA: to=<niceguy24@web.de>, relay=mx-ha01.web.de[217.72.192.149], delay=6, status=sent (250 OK id=1BZrb7-00036O-00)
postfix/smtp[8922]: 8DF832040CA: to=<raver_meister@web.de>, relay=mx-ha01.web.de[217.72.192.149], delay=6, status=sent (250 OK id=1BZrb7-00036O-00)
postfix/smtp[8922]: 8DF832040CA: to=<riflactor@web.de>, relay=mx-ha01.web.de[217.72.192.149], delay=6, status=sent (250 OK id=1BZrb7-00036O-00)
postfix/smtp[8922]: 8DF832040CA: to=<sdm-airways-info@web.de>, relay=mx-ha01.web.de[217.72.192.149], delay=6, status=sent (250 OK id=1BZrb7-00036O-00)
postfix/smtp[8922]: 8DF832040CA: to=<toby-karcher@web.de>, relay=mx-ha01.web.de[217.72.192.149], delay=6, status=sent (250 OK id=1BZrb7-00036O-00)
postfix/smtp[8903]: 8DF832040CA: to=<webmaster@va-condor.de>, relay=mx00.schlund.de[212.227.126.147], delay=6, status=sent (250 OK id=1BZrb8-0005Nw-00)
postfix/smtp[8904]: 8DF832040CA: to=<juergen.midwer@hanse.net>, relay=webmail.hansenet.de[213.191.73.2], delay=7, status=sent (250 <40CD66EE0000CFD0> Mail accepted)
postfix/smtp[8771]: connect to mx1.hotmail.com[64.4.50.50]: Connection timed out (port 25)
postfix/smtp[8771]: AA7272040E4: to=<eckart_kerschbaum@hotmail.com>, relay=mx2.hotmail.com[65.54.166.230], delay=192, status=sent (250 <venrmpufdhryhpvwmmm@ivao.de> Queued mail for delivery)
postfix/smtp[8771]: AA7272040E4: to=<xaviermmt@hotmail.com>, relay=mx2.hotmail.com[65.54.166.230], delay=192, status=sent (250 <venrmpufdhryhpvwmmm@ivao.de> Queued mail for delivery)
postfix/cleanup[8842]: 8BB4D2040CB: message-id=<20040614133408.8BB4D2040CB@p12345678.pureserver.info>
postfix/qmgr[25129]: 8BB4D2040CB: from=<>, size=40327, nrcpt=1 (queue active)
procmail[8929]: Error while writing to "/var/log/procmail"
postfix/local[8883]: 8BB4D2040CB: to=<web1p1@p12345678.pureserver.info>, relay=local, delay=0, status=sent ("|/usr/bin/procmail")
postfix/smtp[8896]: 8DF832040CA: to=<florian.brunner@fly-woh.com>, relay=mail.fly-woh.com[212.48.124.20], delay=14, status=sent (250 ok 1087220050 qp 4455)
postfix/smtp[8899]: 8DF832040CA: to=<leitung@flyva.de>, relay=mail.flyva.de[62.67.235.24], delay=34, status=sent (250 2.0.0 i5EDYNF17007 Message accepted for delivery)
popper[8941]: Stats: web1p20 0 0 0 0 pD9E62DF4.dip.t-dialin.net 217.230.45.244 [pop_updt.c:296]
postfix/smtpd[8841]: connect from moutng.kundenserver.de[212.227.126.173]
postfix/smtpd[8841]: 51B902040CB: client=moutng.kundenserver.de[212.227.126.173]
postfix/cleanup[8842]: 51B902040CB: message-id=<001501c45214$80acac40$88b5fea9@frank>
postfix/qmgr[25129]: 51B902040CB: from=<post@frankchrist.de>, size=2129, nrcpt=1 (queue active)
postfix/smtpd[8841]: disconnect from moutng.kundenserver.de[212.227.126.173]
procmail[8947]: Error while writing to "/var/log/procmail"
postfix/local[8843]: 51B902040CB: to=<web1p1@p12345678.pureserver.info>, relay=local, delay=0, status=sent ("|/usr/bin/procmail")
postfix/smtpd[8841]: connect from pD95FBD6A.dip.t-dialin.net[217.95.189.106]
postfix/smtpd[8841]: B01262040CB: client=pD95FBD6A.dip.t-dialin.net[217.95.189.106]
postfix/cleanup[8842]: B01262040CB: message-id=<iatuqwgfplwfbcxefgl@ivao.de>
postfix/qmgr[25129]: B01262040CB: from=<va-63@p12345678.pureserver.info>, size=34519, nrcpt=1 (queue active)
procmail[8955]: Error while writing to "/var/log/procmail"
postfix/local[8883]: B01262040CB: to=<web1p1@p12345678.pureserver.info>, relay=local, delay=4, status=sent ("|/usr/bin/procmail")
postfix/smtpd[8841]: disconnect from pD95FBD6A.dip.t-dialin.net[217.95.189.106]
postfix/smtpd[8841]: connect from pD95FBD6A.dip.t-dialin.net[217.95.189.106]
postfix/smtpd[8841]: DC0D72040CB: client=pD95FBD6A.dip.t-dialin.net[217.95.189.106]
postfix/cleanup[8842]: DC0D72040CB: message-id=<sgqnertexemgkkpsryf@ivao.de>
postfix/qmgr[25129]: DC0D72040CB: from=<20040531113123.C5871199B@post.pearl-online.net>, size=34058, nrcpt=1 (queue active)
procmail[8959]: Error while writing to "/var/log/procmail"
postfix/smtpd[8841]: disconnect from pD95FBD6A.dip.t-dialin.net[217.95.189.106]
postfix/local[8843]: DC0D72040CB: to=<web1p1@p12345678.pureserver.info>, relay=local, delay=3, status=sent ("|/usr/bin/procmail")
postfix/smtpd[8841]: connect from pD95FBD6A.dip.t-dialin.net[217.95.189.106]
postfix/smtpd[8841]: 30B632040CB: client=pD95FBD6A.dip.t-dialin.net[217.95.189.106]
postfix/cleanup[8842]: 30B632040CB: message-id=<cmcuqjcwmkhemamaskt@ivao.de>
postfix/qmgr[25129]: 30B632040CB: from=<E1BUcJA-0001wP-00@mrvdomng.kundenserver.de>, size=34119, nrcpt=1 (queue active)
procmail[8974]: Error while writing to "/var/log/procmail"
postfix/smtpd[8841]: disconnect from pD95FBD6A.dip.t-dialin.net[217.95.189.106]
postfix/local[8883]: 30B632040CB: to=<root@p12345678.pureserver.info>, relay=local, delay=2, status=sent ("|/usr/bin/procmail")
popper[8977]: Stats: web1p20 0 0 0 0 pD9E62DF4.dip.t-dialin.net 217.230.45.244 [pop_updt.c:296]
popper[8984]: Stats: web1p20 0 0 0 0 pD9E62DF4.dip.t-dialin.net 217.230.45.244 [pop_updt.c:296]
popper[8983]: Stats: web1p15 1 12912 0 0 pD9E72178.dip.t-dialin.net 217.231.33.120 [pop_updt.c:296]
postfix/smtp[8859]: connect to mx3.hotmail.com[65.54.253.99]: Connection timed out (port 25)
postfix/smtp[8902]: connect to mail.intersim-va.de[212.48.124.20]: Connection timed out (port 25)
postfix/smtp[8902]: 8DF832040CA: to=<webmaster@intersim-va.de>, relay=none, delay=190, status=deferred (connect to mail.intersim-va.de[212.48.124.20]: Connection timed out)
postfix/smtp[8859]: 8DF832040CA: to=<eckart_kerschbaum@hotmail.com>, relay=mx2.hotmail.com[65.54.190.7], delay=192, status=sent (250 <rclckaevrnqhwqehsqb@p12345678.pureserver.info> Queued mail for delivery)
postfix/smtp[8859]: 8DF832040CA: to=<xaviermmt@hotmail.com>, relay=mx2.hotmail.com[65.54.190.7], delay=192, status=sent (250 <rclckaevrnqhwqehsqb@p12345678.pureserver.info> Queued mail for delivery)
popper[8991]: Stats: web1p1 5 124421 0 0 p5086B87E.dip.t-dialin.net 80.134.184.126 [pop_updt.c:296]


I installed and integrated SA following this HowTo:

http://faq.webmasterhilfe.de/index.php? ... 20&lang=de

adjustman
Posts: 1132
Joined: 2003-03-26 23:29
Location: SA

Re: SPAM and virus mails

Post by adjustman » 2004-06-14 17:53

thomas.km wrote: I installed and integrated SA following this HowTo:
That says nothing at all (very strange HowTo). Your log shows quite a few errors. Show us your procmailrc.

thomas.km
Posts: 364
Joined: 2003-09-14 11:35
Location: Schleswig-Holstein

Re: SPAM and virus mails

Post by thomas.km » 2004-06-14 18:06

Right, the HowTo is no longer there (is that supposed to mean something? ;-))) )

procmailrc:

DROPPRIVS=yes
LOGFILE=/var/log/procmail
#VERBOSE=ON
SHELL=/bin/sh

:0fw
* < 256000
| /usr/local/bin/spamc -f

# Mails with a score of 15 or higher are almost certainly spam (with 0.05%
# false positives according to rules/STATISTICS.txt). Let's put them in a
# different mbox. (This one is optional.)
#:0:
#* ^X-Spam-Level: ***************
#/var/spool/mail/almost-certainly-spam

# All mail tagged as spam (eg. with a score higher than the set threshold)
# is moved to "probably-spam".
#:0:
#* ^X-Spam-Status: Yes
#/var/spool/mail/probably-spam

# Work around procmail bug: any output on stderr will cause the "F" in "From"
# to be dropped. This will re-add it.
:0 H
* ! ^From[ ]
* ^rom[ ]
{
LOG="*** Dropped F off From_ header! Fixing up. "

:0 fhw
| sed -e 's/^rom /From /'
}

thomas.km
Posts: 364
Joined: 2003-09-14 11:35
Location: Schleswig-Holstein

Re: SPAM and virus mails

Post by thomas.km » 2004-06-14 19:49

btw:
Now no mail can be sent to my server any more; it always comes back with relay access denied 554.
I tried from t-online, gmx, firemail, web.de, arcor.
Always the same message in my logs:

Jun 14 19:06:27 p12345678 postfix/smtpd[14401]: reject: RCPT from imap.gmx.net[213.165.64.20]: 554 <de-dir@xxxx.de>: Relay access denied; from=<TND600@gmx.de> to=<de-dir@xxxx.de>

abuse and ORDB are checked, but the server is not listed as an open relay.

EDIT: I then always get mail back that says:

(my_ip)_does_not_like_recipient.
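The log excerpt in the 17:42 post and the reject line in the 19:49 post invite the same triage: group delivery attempts by queue id, flag a single message that fans out to many recipients or that a remote MTA bounces as malware (the "Worm.Bagle" rejections above), and list smtpd policy rejects such as "Relay access denied" separately. The following Python script is an added example and not code from this thread; the log lines it parses are constructed to match the format shown in the posts, with placeholder hosts and addresses (only the queue id, the worm name and the status strings follow the thread).

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread's log (placeholder hosts and
# addresses; queue id, worm name and status strings follow the thread).
SAMPLE_LOG = """\
postfix/smtp[8921]: 8DF832040CA: to=<a@example.org>, relay=mx.example.org[192.0.2.10], delay=2, status=sent (250 Ok: queued as 24E20663CC)
postfix/smtp[8906]: 8DF832040CA: to=<b@example.net>, relay=mx.example.net[192.0.2.20], delay=3, status=bounced (host mx.example.net[192.0.2.20] said: 500 Mail appears infected with 'Worm.Bagle.Gen-zippwd-2' -- disinfect and resend.)
postfix/smtp[8906]: 8DF832040CA: to=<c@example.net>, relay=mx.example.net[192.0.2.20], delay=3, status=bounced (host mx.example.net[192.0.2.20] said: 500 Mail appears infected with 'Worm.Bagle.Gen-zippwd-2' -- disinfect and resend.)
postfix/smtp[8910]: 8DF832040CA: to=<d@example.com>, relay=none, delay=5, status=deferred (connect to mx.example.com[192.0.2.30]: server dropped connection)
postfix/local[8883]: B01262040CB: to=<web1p1@host.example.test>, relay=local, delay=4, status=sent ("|/usr/bin/procmail")
Jun 14 19:06:27 host postfix/smtpd[14401]: reject: RCPT from mail.example.org[192.0.2.40]: 554 <user@xxxx.de>: Relay access denied; from=<sender@example.org> to=<user@xxxx.de>
"""

# One delivery attempt per line: queue id, recipient, relay, status, detail.
DELIVERY_RE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^,]+), delay=\d+, status=(?P<status>\w+) \((?P<detail>.*)\)$")
# smtpd policy rejects, e.g. "554 ... Relay access denied".
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) "
    r"<(?P<rcpt>[^>]+)>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)>")
INFECTED_RE = re.compile(r"infected with '([^']+)'")


def parse_log(text):
    """Group delivery attempts by queue id; collect smtpd rejects separately."""
    queue = defaultdict(lambda: {"recipients": set(), "status": defaultdict(int),
                                 "malware": set()})
    rejects = []
    for line in text.splitlines():
        m = DELIVERY_RE.search(line)
        if m:
            entry = queue[m["qid"]]
            entry["recipients"].add(m["rcpt"])
            entry["status"][m["status"]] += 1
            hit = INFECTED_RE.search(m["detail"])
            if hit:  # a remote scanner named the payload; record it
                entry["malware"].add(hit.group(1))
            continue
        m = REJECT_RE.search(line)
        if m:
            rejects.append(m.groupdict())
    return queue, rejects


def suspicious_queue_ids(queue, fanout=10):
    """Queue ids worth pulling from the spool: wide fan-out or bounced as malware."""
    return sorted(q for q, e in queue.items()
                  if len(e["recipients"]) >= fanout or e["malware"])
```

Run it against the real log with `parse_log(open("/var/log/mail").read())`; a queue id that fans out to dozens of recipients and is rejected as a worm points at an outbound infection or an abused submission path rather than at inbound spam filtering.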