Spam cannon: how do I find out what is going on?

Tuesday, 29 September 2015

Hello everyone,

I need some help figuring out where there is a possible security hole on my server.

System: Ubuntu 14.04
Mail server: Postfix

What happened? Well, this morning I received a series of mails back from the mail daemon as undeliverable, which I never sent.
postqueue -p outputs the following:
Code:

D028611601B59    2496 Sat Sep 26 13:26:24  simbabamhamire@domain.de
        (connect to mxla3.fanbox.com[208.69.101.102]:25: Connection timed out)
                                        Kiss14@fanboxnotes.com

DB27E11601970    2629 Tue Sep 29 10:08:12  ms@domain.de
(host mx-c1.talktalk.net[62.24.202.3] refused to talk to me: 554-in.ip10nec.int.opaltelecom.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
                                        brianandshan@talktalk.net
                                        bs.baker@talktalk.net

D2E34116014AE    2665 Sat Sep 26 08:28:58  SabrinaFinchNowell@domain.de
(host mx-c1.talktalk.net[62.24.202.3] refused to talk to me: 554-in.ip19nec.int.opaltelecom.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
                                        karen.rcdfc@talktalk.net
(host mx2.eclipse.kcom.com[213.249.242.206] refused to talk to me: 554-gula.eclipse.kcom.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
                                        kim.smith@torbay.gov.uk
                                        liz.cooper@torbay.gov.uk

I replaced my own domain above with "domain.de".

The mail.log then contains entries like this:
Code:

Sep 29 11:09:59 h1825122 postfix/smtp[17815]: D2CE011601464: to=<helen.caines@torbay.gov.uk>, relay=mx2.eclipse.kcom.com[213.249.242.206]:25, delay=268864, delays=268863/0.2/1.1/0, dsn=4.0.0, status=deferred (host mx2.eclipse.kcom.com[213.249.242.206] refused to talk to me: 554-gula.eclipse.kcom.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)

Then I changed the password of the mail address that is being abused, and since then the mail.log contains the following:
Code:

Sep 29 11:05:46 h1825122 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<hNNzHt8glQB/AAAB>
Sep 29 11:06:42 h1825122 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<Tt/PId8g0QB/AAAB>
Sep 29 11:07:40 h1825122 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<lE9KJd8gtgB/AAAB>

Does anyone have an idea how I can now find out where exactly the hole in my system is?

Thanks and regards
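An added example, not part of the original post and not the poster's code, showing one way to triage the two kinds of output quoted above. It parses dovecot imap-login auth failures and a postqueue -p listing, groups the failed logins per user by whether the remote address (rip) is loopback, i.e. a process on the server itself, or an outside client, and counts queued messages and recipients per envelope sender. The sample log and queue text are constructed for the example, modelled on the post's excerpts plus one extra line with a documentation-range address (203.0.113.45) to show the contrast; the function names are the example's own.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample data, modelled on the post's mail.log excerpt. The fourth line,
# with the documentation-range address 203.0.113.45, is added to show a remote client;
# the last line is a postfix entry the auth-failure parser must ignore.
SAMPLE_LOG = """\
Sep 29 11:05:46 h1825122 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<hNNzHt8glQB/AAAB>
Sep 29 11:06:42 h1825122 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<Tt/PId8g0QB/AAAB>
Sep 29 11:07:40 h1825122 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<lE9KJd8gtgB/AAAB>
Sep 29 11:08:03 h1825122 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ms@domain.de>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.7, TLS, session=<constructed0001>
Sep 29 11:09:59 h1825122 postfix/smtp[17815]: D2CE011601464: to=<kim.smith@torbay.gov.uk>, relay=mx2.eclipse.kcom.com[213.249.242.206]:25, dsn=4.0.0, status=deferred (refused to talk to me)
"""

# Constructed postqueue -p output, modelled on the post's listing (reason text shortened).
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
D028611601B59    2496 Sat Sep 26 13:26:24  simbabamhamire@domain.de
        (connect to mxla3.fanbox.com[208.69.101.102]:25: Connection timed out)
                                         Kiss14@fanboxnotes.com

DB27E11601970    2629 Tue Sep 29 10:08:12  ms@domain.de
(host mx-c1.talktalk.net[62.24.202.3] refused to talk to me: 554 poor reputation)
                                         brianandshan@talktalk.net
                                         bs.baker@talktalk.net

D2E34116014AE    2665 Sat Sep 26 08:28:58  SabrinaFinchNowell@domain.de
                                         karen.rcdfc@talktalk.net
                                         kim.smith@torbay.gov.uk
                                         liz.cooper@torbay.gov.uk

-- 7 Kbytes in 3 Requests.
"""

AUTH_FAIL_RE = re.compile(
    r"dovecot: (?P<service>\w+)-login: Disconnected \(auth failed, "
    r"(?P<attempts>\d+) attempts? in \d+ secs\): user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)"
)
# First line of a postqueue -p entry: queue id, size, arrival time, envelope sender.
QUEUE_ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+)[*!]?\s+(?P<size>\d+)\s+"
    r"\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d\s+(?P<sender>\S+)\s*$"
)


def parse_auth_failures(log_text):
    """Return one dict per dovecot 'auth failed' line; other lines are skipped."""
    return [m.groupdict() for m in map(AUTH_FAIL_RE.search, log_text.splitlines()) if m]


def classify_sources(events):
    """Group failed login attempts per user by source address and origin class.

    A loopback rip means the client holding the old password runs on the server
    itself (webmail, a script, a local relay) rather than on an outside machine,
    unless a local proxy terminates client connections and forwards them over loopback.
    """
    per_user = defaultdict(Counter)
    for ev in events:
        origin = "local-process" if ip_address(ev["rip"]).is_loopback else "remote-client"
        per_user[ev["user"]][(origin, ev["rip"])] += int(ev["attempts"])
    return per_user


def summarize_queue(queue_text):
    """Map each envelope sender in postqueue -p output to (queued messages, recipients).

    Many random local parts under one's own domain, each with foreign recipients,
    is the usual footprint of a spam run using the box as a relay.
    """
    summary = {}
    sender = None
    for raw in queue_text.splitlines():
        m = QUEUE_ENTRY_RE.match(raw)
        if m:
            sender = m.group("sender")
            msgs, rcpts = summary.get(sender, (0, 0))
            summary[sender] = (msgs + 1, rcpts)
            continue
        line = raw.strip()
        # Deferral reasons are parenthesised; header/footer lines carry no '@'.
        if sender is None or not line or line.startswith("(") or "@" not in line:
            continue
        msgs, rcpts = summary[sender]
        summary[sender] = (msgs, rcpts + 1)
    return summary


if __name__ == "__main__":
    for user, sources in classify_sources(parse_auth_failures(SAMPLE_LOG)).items():
        for (origin, rip), n in sources.most_common():
            print(f"{user}: {n} failed login(s) from {rip} ({origin})")
    for sender, (msgs, rcpts) in summarize_queue(SAMPLE_QUEUE).items():
        print(f"{sender}: {msgs} queued message(s), {rcpts} recipient(s)")
```

Run it as-is to see the summary of the sample data, or pass the contents of the real mail.log and a saved postqueue -p listing to the two parsers. Applied to the post's own lines, the point is that every failing PLAIN login after the password change comes from rip=127.0.0.1, so whatever still uses the old credentials is running on the server itself, which narrows the search considerably compared with a remote brute-force source.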
