Welcome to Alcance Libre 05/02/2023, 23:25

Danielynx (Regular member):

Greetings. Today, while reviewing the mail log, I see that I have been blocked by Hotmail again and my domain is on the blacklists again.

The odd thing I see is the following (I use CentOS 5.2 + sendmail + all the services described in the site's manuals):

```
Feb 11 08:19:27 mail spamd[20020]: spamd: connection from localhost.localdomain [127.0.0.1] at port 35450
Feb 11 08:19:27 mail spamd[20020]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 08:19:27 mail spamd[20020]: spamd: processing message <01c98c5c$49372380$6c300553@telg> for sa-milt:102
Feb 11 08:19:28 mail spamd[20020]: spamd: identified spam (11.8/5.0) for sa-milt:102 in 0.8 seconds, 3337 bytes.
Feb 11 08:19:28 mail spamd[20020]: spamd: result: Y 11 - BAYES_99,HS_INDEX_PARAM,HTML_MESSAGE,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SURBL scantime=0.8,size=3337,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=35450,mid=<01c98c5c$49372380$6c300553@telg>,bayes=1.000000,autolearn=spam
Feb 11 08:19:41 mail spamd[20020]: spamd: connection from localhost.localdomain [127.0.0.1] at port 53614
Feb 11 08:19:41 mail spamd[20020]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 08:19:41 mail spamd[20020]: spamd: processing message <200902111420.n1BEKmUf008295@miserver.com.mx> for sa-milt:102
Feb 11 08:19:41 mail spamd[20020]: spamd: clean message (-2.6/5.0) for sa-milt:102 in 0.2 seconds, 1546 bytes.
Feb 11 08:19:41 mail spamd[20020]: spamd: result: . -2 - ALL_TRUSTED,AWL,BAYES_00,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY scantime=0.2,size=1546,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=53614,mid=<200902111420.n1BEKmUf008295@apolo.arlex.com.mx>,bayes=0.000000,autolearn=no
Feb 11 08:19:41 mail spamd[4574]: prefork: child states: II
Feb 11 08:20:20 mail spamd[20020]: spamd: connection from localhost.localdomain [127.0.0.1] at port 53617
Feb 11 08:20:20 mail spamd[20020]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 08:20:20 mail spamd[20020]: spamd: processing message <002c01c98c54$32d919c0$8500000a@metodos2> for sa-milt:102
Feb 11 08:20:21 mail spamd[20020]: spamd: clean message (-3.7/5.0) for sa-milt:102 in 0.2 seconds, 1724 bytes.
Feb 11 08:20:21 mail spamd[20020]: spamd: result: . -3 - ALL_TRUSTED,AWL,BAYES_00 scantime=0.2,size=1724,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=53617,mid=<002c01c98c54$32d919c0$8500000a@metodos2>,bayes=0.000000,autolearn=ham
Feb 11 08:20:21 mail spamd[4574]: prefork: child states: II
Feb 11 08:24:18 mail spamd[20020]: spamd: connection from localhost.localdomain [127.0.0.1] at port 53637
Feb 11 08:24:18 mail spamd[20020]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 08:24:18 mail spamd[20020]: spamd: processing message <000c01c98c54$8a7bf210$7d6ffea9@conta1> for sa-milt:102
Feb 11 08:24:19 mail spamd[20020]: spamd: clean message (-4.1/5.0) for sa-milt:102 in 0.3 seconds, 2295 bytes.
Feb 11 08:24:19 mail spamd[20020]: spamd: result: . -4 - ALL_TRUSTED,AWL,BAYES_00 scantime=0.3,size=2295,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=53637,mid=<000c01c98c54$8a7bf210$7d6ffea9@conta1>,bayes=0.000000,autolearn=ham
```

What I don't understand is where the attack could be coming from, since conta1 and metodos2 are machines on the network. The message I receive from many providers is the following:

```
The following addresses had permanent fatal errors -----
<XXXXXXX@XXXXX.com.mx>
    (reason: 554-mailb.correonegocios.com)

----- Transcript of session follows -----
... while talking to maila.correonegocios.com.:
<<< 554-maila.correonegocios.com
<<< 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
... while talking to mailb.correonegocios.com.:
<<< 554-mailb.correonegocios.com
<<< 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
554 5.0.0 Service unavailable

The following addresses had permanent fatal errors -----
> <XXXXX@hotmail.com>
> (reason: 550 OU-002 Mail rejected by Windows Live Hotmail for policy
> reasons. Reasons for rejection may be re...l/network admins, please visit
> http://postmaster.live.com for email delivery information and support)
> <XXXXXXX@hotmail.com>
> (reason: 550 OU-002 Mail rejected by Windows Live Hotmail for policy
> reasons. Reasons for rejection may be re...l/network admins, please visit
> http://postmaster.live.com for email delivery information and support)
>
> ----- Transcript of session follows -----
> ... while talking to mx4.hotmail.com.:
>>>> MAIL From:<XXXXXX@XXXXX.com.mx> SIZE=3703
> <<< 550 OU-002 Mail rejected by Windows Live Hotmail for policy reasons.
> Reasons for rejection may be related to content with spam-like
> characteristics or IP/domain reputation problems. If you are not an
> email/network admin please contact your E-mail/Internet Service Provider
> for help. Email/network admins, please visit http://postmaster.live.com
> for email delivery information and support
> 554 5.0.0 Service unavailable
```

Any suggestions?

Regards

Joel Barrios Dueñas (Admin):

1) Get reverse DNS resolution for the IP of your mail server.

2) Add an SPF record to your DNS zone.

```
@ IN TXT "v=spf1 a mx -all"
```

3) Check at http://openrbl.org whether you are on any blacklist and, if that is the case, work with the administrators of those lists on how to get removed from them.

Danielynx (Regular member):

OK, thanks Joel. I have already added the record to my DNS; can you explain to me what that line does?

Thanks for the support.

Danielynx (Regular member):

Hmm, openrbl.org seems to be down or offline:

openrbl.org Server gone.

Is there any other option? Right now I am working on getting removed from spamcop.net, since my domain is listed there; on Spamhaus my domain no longer appears. Thanks again.
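
An added example, not part of the original posts: blacklists like the SpamCop and Spamhaus lists mentioned above can be queried directly over DNS, without a web front end, by reversing the IPv4 octets and appending the list's zone. The zone names `bl.spamcop.net` and `zen.spamhaus.org` are those services' public zones (the thread names only the services), and `192.0.2.10` is a documentation address used as a placeholder.

```python
import ipaddress
import socket

# Public DNSBL zones of the two lists named in the thread (assumption: the
# thread mentions only "spamcop.net" and "spamhaus", not the zone names).
ZONES = ["bl.spamcop.net", "zen.spamhaus.org"]


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Resolve an A record; None means the name does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return None
        raise                                  # a timeout must not read as "clean"


def classify(answer):
    """Interpret the A record returned by a DNSBL."""
    if answer is None:
        return "not listed"
    if answer.startswith("127.255.255."):
        # Spamhaus error range, e.g. queries sent through a public resolver
        return "query refused"
    if answer.startswith("127."):
        return "listed"
    return "invalid answer"                    # e.g. a resolver rewriting NXDOMAIN


def check_ip(ip, zones=ZONES, resolver=system_resolver):
    """Return {zone: status} for one mail server IP."""
    return {z: classify(resolver(dnsbl_query_name(ip, z))) for z in zones}


if __name__ == "__main__":
    # Placeholder address; replace with the mail server's public IP.
    for zone, status in check_ip("192.0.2.10").items():
        print(zone, status)
```

A "query refused" or "invalid answer" result says nothing about the listing itself; repeat the lookup through a resolver you operate before concluding the IP is clean.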

Joel Barrios Dueñas (Admin):

> Quote by: Daniel+Medina
>
> OK, thanks Joel. I have already added the record to my DNS; can you explain to me what that line does?

SPF (Sender Policy Framework) is a protection against the forgery of addresses when sending email. Through Domain Name System (DNS) records, it identifies the SMTP mail servers authorized to transport the messages.

Danielynx (Regular member):

OK, I have just received a notice from SpamCop in which they send me a header from one of the emails that my domain is sending.

```
Received: from dedint-XXX-XXX-XXX-X.mexdf.axtel.net ([XXX.XXX.XXX.X]) by [trap servername] with SMTP; 10 Feb 2009 19
date: Wed, 11 Feb 2009 03
from: Marie Winter <x@x>
subject: Check this
```

How do I tell sendmail to send mail only from the IPs that I registered in /etc/mail/access? Is the file at /var/log/maillog the only way to review the mail sent and received? Thanks.

Danielynx (Regular member):

Joel:

I followed your suggestion:

1) Get reverse DNS resolution for the IP of your mail server.

2) Add an SPF record to your DNS zone.

```
@ IN TXT "v=spf1 a mx -all"
```

Researching a bit, I found the meaning of the line that has to be added to the DNS:

```
Where,
* v=spf1 : Define an SPF record.
* a : theos.in IP address is xx.yy.zz.eee and that server is allowed to send mail from theos.in.
* mx : theos.in has one MX server called smtp.theos.in. It is allowed to send mail from theos.in.
* ~all : SPF queries that do not match any other mechanism will return "softfail". Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny.

If you need tight control replace ~all with -all (hard fail). For example, following record the "a" and "mx" specify the systems permitted to send messages for the given domain. The "-all" at the end specifies that, if the previous mechanisms did not match, the message should be rejected.
```

But I still have these entries in /var/log/maillog:

```
Feb 11 21:56:57 mail spamd[4574]: prefork: child states: BB
Feb 11 21:56:57 mail spamd[4574]: spamd: server successfully spawned child process, pid 20110
Feb 11 21:56:57 mail spamd[19181]: spamd: connection from localhost.localdomain [127.0.0.1] at port 43357
Feb 11 21:56:57 mail spamd[19181]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 21:56:57 mail spamd[19181]: spamd: processing message (unknown) for sa-milt:102
Feb 11 21:56:57 mail spamd[4574]: prefork: child states: BBB
Feb 11 21:56:57 mail spamd[4574]: spamd: server successfully spawned child process, pid 20111
Feb 11 21:56:57 mail spamd[20110]: spamd: connection from localhost.localdomain [127.0.0.1] at port 43358
Feb 11 21:56:57 mail spamd[20110]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 21:56:57 mail spamd[4574]: prefork: child states: BBBI
Feb 11 21:56:57 mail spamd[20110]: spamd: processing message (unknown) for sa-milt:102
Feb 11 21:56:58 mail spamd[20110]: spamd: identified spam (19.5/5.0) for sa-milt:102 in 0.8 seconds, 3500 bytes.
Feb 11 21:56:58 mail spamd[20110]: spamd: result: Y 19 - BAYES_99,HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_WS_SURBL scantime=0.8,size=3500,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=43358,mid=(unknown),bayes=1.000000,autolearn=spam
Feb 12 00:34:18 mail spamd[19181]: spamd: connection from localhost.localdomain [127.0.0.1] at port 39386
Feb 12 00:34:18 mail spamd[19181]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 12 00:34:18 mail spamd[19181]: spamd: processing message <BLU129-W28D58CD458D29F36EFCC7CD8BB0@phx.gbl> for sa-milt:102
Feb 12 00:34:22 mail spamd[14080]: spamd: clean message (-0.2/5.0) for sa-milt:102 in 4.2 seconds, 41114 bytes.
Feb 12 00:34:22 mail spamd[14080]: spamd: result: . 0 - AWL,BAYES_00,HTML_MESSAGE,SUBJ_ALL_CAPS scantime=4.2,size=41114,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=39385,mid=<CBB91DD17C1B45DCA83DCDE7FC555953@Rosy>,bayes=0.002366,autolearn=no
Feb 12 00:34:22 mail sendmail[21036]: n1C6YDFC021036: Milter add: header: X-Spam-Status: No, score=-0.2 required=5.0 tests=AWL,BAYES_00,HTML_MESSAGE,\n\tSUBJ_ALL_CAPS autolearn=no version=3.2.4
```

How can I stop or deny those entries and sendings? Thanks.
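
An added example, not part of the original posts: how a receiving server evaluates the record `v=spf1 a mx -all` discussed above against the connecting IP. It covers only the `a`, `mx`, `ip4` and `all` mechanisms (any other term returns `permerror` here), and the domain `example.com.mx` and all addresses are constructed DNS data, not values from the thread.

```python
import ipaddress

# Constructed DNS data for a hypothetical domain (documentation addresses).
DNS = {
    ("example.com.mx", "TXT"): ["v=spf1 a mx -all"],
    ("example.com.mx", "A"): ["192.0.2.10"],
    ("example.com.mx", "MX"): ["mail.example.com.mx"],
    ("mail.example.com.mx", "A"): ["192.0.2.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns):
    return dns.get((name.lower().rstrip("."), rtype), [])


def mechanism_matches(mech, arg, domain, ip, dns):
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain
    if mech == "a":
        hosts = [target]                       # the domain's own A records
    elif mech == "mx":
        hosts = lookup(target, "MX", dns)      # A records of each MX host
    else:
        raise ValueError("mechanism not covered by this example: " + mech)
    addrs = [a for h in hosts for a in lookup(h, "A", dns)]
    return any(ip == ipaddress.ip_address(a) for a in addrs)


def check_spf(client_ip, domain, dns=DNS):
    """SPF result for a connecting IP and the MAIL FROM domain."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT", dns)
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                     # two SPF records are an error
    for term in records[0].split()[1:]:        # first match wins, left to right
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        try:
            if mechanism_matches(mech.lower(), arg, domain, ip, dns):
                return QUALIFIERS[qualifier]
        except ValueError:
            return "permerror"
    return "neutral"                           # nothing matched and no "all"


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "192.0.2.25", "198.51.100.7"):
        print(candidate, check_spf(candidate, "example.com.mx"))
```

SPF only constrains which hosts may use the domain in the envelope sender; mail relayed through the authorized server itself still evaluates to `pass`.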

Rodolfo Lameda Diaz Tejeda (New member):

Today it seems that I am also a victim of spam; mail from my domain started being rejected, and it says the following:

```
----- The following addresses had permanent fatal errors -----
<xxxx@telcel.com>
    (reason: 550 Service unavailable; Client host [xxx.xxx.xx.xxx] blocked using Trend Micro RBL+.Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=xxx.xxx.xx.xxx )

----- Transcript of session follows -----
... while talking to mailex.telcel.com.:
<<< 550 Service unavailable; Client host [xxx.xxx.xx.xxx] blocked using Trend Micro RBL+.Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=xxx.xxx.xx.xxx
554 5.0.0 Service unavailable

Reporting-MTA: dns; mail.xxxxxx.com.mx
Received-From-MTA: DNS; pc146.xxxx.corp
Arrival-Date: Thu, 12 Feb 2009 11:45:59 -0600

Final-Recipient: RFC822; xxxxx@telcel.com
Action: failed
Status: 5.5.0
Diagnostic-Code: SMTP; 550 Service unavailable; Client host [xxx.xxx.xx.xxx] blocked using Trend Micro RBL+.Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=xxx.xxx.xx.xxx
Last-Attempt-Date: Thu, 12 Feb 2009 11:45:59 -0600
-----------------------------------------------------------
```

I am reviewing what has been discussed so far...

Learning to be root... www.increm.net

Joel Barrios Dueñas (Admin):

In this log that you show me, everything is normal. It is the normal operation of spamassassin and spamass-milter. Both are doing their job stopping spam. If you want to modify policies, edit /etc/mail/spamassassin/local.cf and /etc/sysconfig/spass-milter and define the minimum score for a message to be considered spam and the score sufficient to bounce messages, respectively.

> Quote by: Daniel+Medina
>
> Joel: [...] But I still have these entries in /var/log/maillog [...] How can I stop or deny those entries and sendings? Thanks.
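
An added example, not part of the original posts: a parser for the `spamd: result:` lines shown in this thread that singles out spam verdicts on mail carrying the `ALL_TRUSTED` test, which SpamAssassin sets when a message passed only through trusted relays, so spam submitted from inside the network stands apart from spam arriving from outside. The sample lines are constructed in the thread's log format with shortened field lists, and the function names are hypothetical.

```python
import re

RESULT_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s[\d:]{8})\s\S+\sspamd\[\d+\]:\sspamd:\sresult:\s"
    r"(?P<verdict>[Y.])\s+(?P<score>-?\d+)\s-\s+(?P<tests>\S*)\s*(?P<kv>scantime=\S+)$"
)

# Constructed sample in the format of the thread's /var/log/maillog excerpts.
SAMPLE = """
Feb 11 08:19:28 mail spamd[20020]: spamd: result: Y 11 - BAYES_99,RCVD_IN_PBL,URIBL_BLACK scantime=0.8,size=3337,user=sa-milt,mid=<sample-1@external.example>,autolearn=spam
Feb 11 08:20:21 mail spamd[20020]: spamd: result: . -3 - ALL_TRUSTED,AWL,BAYES_00 scantime=0.2,size=1724,user=sa-milt,mid=<sample-2@pc1.lan.example>,autolearn=ham
Feb 11 08:20:21 mail spamd[4574]: prefork: child states: II
Feb 11 08:31:02 mail spamd[20020]: spamd: result: Y 7 - ALL_TRUSTED,BAYES_99,URIBL_BLACK scantime=0.4,size=2950,user=sa-milt,mid=<sample-3@pc2.lan.example>,autolearn=no
"""


def parse_results(text):
    """Return one dict per 'spamd: result:' line; other lines are skipped."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue                    # connection/prefork lines carry no verdict
        fields = dict(p.partition("=")[::2] for p in m["kv"].split(","))
        results.append({
            "time": m["time"],
            "spam": m["verdict"] == "Y",
            "score": int(m["score"]),   # spamd logs the integer part only
            "tests": set(filter(None, m["tests"].split(","))),
            "mid": fields.get("mid", "(unknown)"),
        })
    return results


def spam_from_trusted_hosts(results):
    """Spam verdicts on mail that only crossed trusted relays (ALL_TRUSTED)."""
    return [r for r in results if r["spam"] and "ALL_TRUSTED" in r["tests"]]


if __name__ == "__main__":
    for hit in spam_from_trusted_hosts(parse_results(SAMPLE)):
        print(hit["time"], hit["score"], hit["mid"])
```

The message-id of each hit can then be matched against the sendmail entries in the same log to find the submitting host.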