Alcance Libre Forums

Victim of Spam
Danielynx
02/11/09 02:06PM (Read 7,945 times)
Greetings, today while checking the mail log

/var/log/maillog

I see that Hotmail has blocked me again and my domain once again appears on the blacklists.

What I find strange is the following (I use CentOS 5.2 + sendmail + all the services described in the site's manuals):


Feb 11 08:19:27 mail spamd[20020]: spamd: connection from localhost.localdomain [127.0.0.1] at port 35450
Feb 11 08:19:27 mail spamd[20020]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 08:19:27 mail spamd[20020]: spamd: processing message <01c98c5c$49372380$6c300553@telg> for sa-milt:102
Feb 11 08:19:28 mail spamd[20020]: spamd: identified spam (11.8/5.0) for sa-milt:102 in 0.8 seconds, 3337 bytes.
Feb 11 08:19:28 mail spamd[20020]: spamd: result: Y 11 - BAYES_99,HS_INDEX_PARAM,HTML_MESSAGE,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SURBL scantime=0.8,size=3337,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=35450,mid=<01c98c5c$49372380$6c300553@telg>,bayes=1.000000,autolearn=spam
Feb 11 08:19:41 mail spamd[20020]: spamd: connection from localhost.localdomain [127.0.0.1] at port 53614
Feb 11 08:19:41 mail spamd[20020]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 08:19:41 mail spamd[20020]: spamd: processing message <200902111420.n1BEKmUf008295@miserver.com.mx> for sa-milt:102
Feb 11 08:19:41 mail spamd[20020]: spamd: clean message (-2.6/5.0) for sa-milt:102 in 0.2 seconds, 1546 bytes.
Feb 11 08:19:41 mail spamd[20020]: spamd: result: . -2 - ALL_TRUSTED,AWL,BAYES_00,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY scantime=0.2,size=1546,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=53614,mid=<200902111420.n1BEKmUf008295@apolo.arlex.com.mx>,bayes=0.000000,autolearn=no
Feb 11 08:19:41 mail spamd[4574]: prefork: child states: II
Feb 11 08:20:20 mail spamd[20020]: spamd: connection from localhost.localdomain [127.0.0.1] at port 53617
Feb 11 08:20:20 mail spamd[20020]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 08:20:20 mail spamd[20020]: spamd: processing message <002c01c98c54$32d919c0$8500000a@metodos2> for sa-milt:102
Feb 11 08:20:21 mail spamd[20020]: spamd: clean message (-3.7/5.0) for sa-milt:102 in 0.2 seconds, 1724 bytes.
Feb 11 08:20:21 mail spamd[20020]: spamd: result: . -3 - ALL_TRUSTED,AWL,BAYES_00 scantime=0.2,size=1724,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=53617,mid=<002c01c98c54$32d919c0$8500000a@metodos2>,bayes=0.000000,autolearn=ham
Feb 11 08:20:21 mail spamd[4574]: prefork: child states: II

Feb 11 08:24:18 mail spamd[20020]: spamd: connection from localhost.localdomain [127.0.0.1] at port 53637
Feb 11 08:24:18 mail spamd[20020]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 08:24:18 mail spamd[20020]: spamd: processing message <000c01c98c54$8a7bf210$7d6ffea9@conta1> for sa-milt:102
Feb 11 08:24:19 mail spamd[20020]: spamd: clean message (-4.1/5.0) for sa-milt:102 in 0.3 seconds, 2295 bytes.
Feb 11 08:24:19 mail spamd[20020]: spamd: result: . -4 - ALL_TRUSTED,AWL,BAYES_00 scantime=0.3,size=2295,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=53637,mid=<000c01c98c54$8a7bf210$7d6ffea9@conta1>,bayes=0.000000,autolearn=ham
 


What I don't understand is where the attack could be coming from, since conta1 and metodos2 are machines on the network. The message I receive from many providers is the following:

 The following addresses had permanent fatal errors -----
<XXXXXXX@XXXXX.com.mx>
    (reason: 554-mailb.correonegocios.com)
 
   ----- Transcript of session follows -----
... while talking to maila.correonegocios.com.:
<<< 554-maila.correonegocios.com
<<< 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
... while talking to mailb.correonegocios.com.:
<<< 554-mailb.correonegocios.com
<<< 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
554
5.0.0 Service unavailable


The following addresses had permanent fatal errors -----
> <XXXXX@hotmail.com>
>    (reason: 550 OU-002 Mail rejected by Windows Live Hotmail for policy
> reasons. Reasons for rejection may be re...l/network admins, please visit
> http://postmaster.live.com for email delivery information and support)
> <XXXXXXX@hotmail.com>
>    (reason: 550 OU-002 Mail rejected by Windows Live Hotmail for policy
> reasons. Reasons for rejection may be re...l/network admins, please visit
> http://postmaster.live.com for email delivery information and support)
>
>   ----- Transcript of session follows -----
> ... while talking to mx4.hotmail.com.:
>>>> MAIL From:<XXXXXX@XXXXX.com.mx> SIZE=3703
> <<< 550 OU-002 Mail rejected by Windows Live Hotmail for policy reasons.
> Reasons for rejection may be related to content with spam-like
> characteristics or IP/domain reputation problems. If you are not an
> email/network admin please contact your E-mail/Internet Service Provider
> for help. Email/network admins, please visit http://postmaster.live.com
> for email delivery information and support
> 554 5.0.0 Service unavailable

 


Any suggestions?

Regards
Joel Barrios Dueñas
 02/11/09 03:50PM  

Location: Mexico
1) Get reverse DNS resolution for your mail server's IP.

2) Add an SPF record to your DNS zone.
@ IN TXT "v=spf1 a mx -all"

3) Check at http://openrbl.org whether you are on any blacklist and, if so, arrange with the administrators of those lists how to get off them.
 
Danielynx
 02/11/09 04:50PM  

OK, thanks Joel, I've already added the record to my DNS. Can you explain to me what that line does?

Thanks for the help.
Danielynx
 02/11/09 04:58PM  

Hmmm, openrbl.org seems to be down or offline

openrbl.org
Server gone.

Any other option? Right now I'm working on getting removed from spamcop.net, since my domain is listed there; my domain no longer appears on Spamhaus.

Thanks again.
Joel Barrios Dueñas
 02/11/09 10:42PM  

Location: Mexico
Quote by: Daniel Medina

OK, thanks Joel, I've already added the record to my DNS. Can you explain to me what that line does?

Thanks for the help.



SPF (Sender Policy Framework) is a protection against address forgery when sending e-mail.

It identifies, through Domain Name System (DNS) records, the SMTP mail servers authorized to transport messages.
Danielynx
 02/12/09 08:18AM  

OK, I just received a notice from SpamCop in which they send me the header of one of the e-mails my domain is sending.



Received: from dedint-XXX-XXX-XXX-X.mexdf.axtel.net ([XXX.XXX.XXX.X])
by [trap servername] with SMTP; 10 Feb 2009 19:xx:xx -0800
date: Wed, 11 Feb 2009 03:xx:xx GMT
from: Marie Winter <x@x>
subject: Check this



How do I tell sendmail to send mail only from the IPs I registered in /etc/mail/access? The file at /var/log/maillog is the only way to review mail sent and received.

Thanks.
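Added example, not part of this thread and not sendmail's own code: a small Python triage script for exactly the question above. It parses the Received headers of a reported message, reads the Connect:/RELAY entries of an /etc/mail/access file, and reports the IP the message originated from, whether the domain's own MTA appears anywhere in the chain (that is, whether the mail was really relayed through the server), and whether that origin would have been allowed to relay according to the access file. The access file, the hostnames (mail.example.com.mx, trap.example.org, conta1.example.com.mx) and the IPs are constructed stand-ins for the redacted values in the SpamCop report; the first header set follows the shape of that report, the second is a message that genuinely went through the server from a LAN host.

```python
import re

# Constructed /etc/mail/access in sendmail's own format: the Connect: entries
# whose action is RELAY are the hosts allowed to relay through this server.
ACCESS_DB = """\
Connect:localhost.localdomain   RELAY
Connect:localhost               RELAY
Connect:127.0.0.1               RELAY
Connect:192.168.1               RELAY
"""

# Constructed headers. Received headers read top-down from last hop to first.
REPORTED = [
    "Received: from dedint-198-51-100-7.mexdf.axtel.net ([198.51.100.7]) "
    "by trap.example.org with SMTP; 10 Feb 2009 19:00:00 -0800",
]
RELAYED = [
    "Received: from mail.example.com.mx (mail.example.com.mx [203.0.113.25]) "
    "by trap.example.org with ESMTP; 11 Feb 2009 08:20:00 -0800",
    "Received: from conta1 (conta1.example.com.mx [192.168.1.20]) "
    "by mail.example.com.mx (8.13.8/8.13.8) with ESMTP id CONSTRUCTED01; "
    "Wed, 11 Feb 2009 10:19:00 -0600",
]

# "from HELO ([ip]) by HOST" and "from HELO (rdns [ip]) by HOST" are both accepted.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def relay_prefixes(access_text):
    """Return the Connect: keys (bare hostnames or dotted IP prefixes) marked RELAY."""
    prefixes = []
    for line in access_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split()[:2]
        if action.upper() == "RELAY":
            prefixes.append(key[len("Connect:"):] if key.startswith("Connect:") else key)
    return prefixes


def allowed_to_relay(ip, prefixes):
    # sendmail matches dotted prefixes on octet boundaries: 192.168.1 covers 192.168.1.0/24
    return any(ip == p or ip.startswith(p + ".") for p in prefixes)


def parse_received(headers):
    hops = []
    for header in headers:
        m = RECEIVED_RE.search(header)
        if m:
            hops.append({"from": m["helo"], "ip": m["ip"], "by": m["by"].lower()})
    return hops


def assess(headers, access_text, our_mtas):
    """Summarise where a reported message came from and whether we relayed it."""
    hops = parse_received(headers)
    if not hops:
        return None
    origin = hops[-1]                         # bottom-most Received = first hop
    return {
        "origin_host": origin["from"],
        "origin_ip": origin["ip"],
        "via_our_mta": any(h["by"] in our_mtas for h in hops),
        "origin_may_relay": allowed_to_relay(origin["ip"], relay_prefixes(access_text)),
    }


if __name__ == "__main__":
    for label, headers in (("spamcop report", REPORTED), ("legitimate relay", RELAYED)):
        print(label, assess(headers, ACCESS_DB, {"mail.example.com.mx"}))
```

For the report-shaped headers the script shows the message reaching the trap straight from a dynamic host with the domain's MTA nowhere in the chain, which is the case the access file cannot influence; the second set shows a LAN host relaying through the server as the RELAY entries intend.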
Danielynx
 02/12/09 01:04PM  

Joel:

I followed your suggestion

1) Get reverse DNS resolution for your mail server's IP.

2) Add an SPF record to your DNS zone.
@ IN TXT "v=spf1 a mx -all"


Doing some research I found the meaning of the line that has to be added to the DNS

Where,

    * v=spf1 : Define an SPF record.
    * a : theos.in IP address is xx.yy.zz.eee and that server is allowed to send mail from theos.in.
    * mx : theos.in has one MX server called smtp.theos.in. It is allowed to send mail from theos.in.
    * ~all : SPF queries that do not match any other mechanism will return "softfail". Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny. If you need tight control replace ~all with -all (hard fail).
      For example, in the following record the "a" and "mx" specify the systems permitted to send messages for the given domain. The "-all" at the end specifies that, if the previous mechanisms did not match, the message should be rejected.
 


But I still have these entries in /var/log/maillog

Feb 11 21:56:57 mail spamd[4574]: prefork: child states: BB
Feb 11 21:56:57 mail spamd[4574]: spamd: server successfully spawned child process, pid 20110
Feb 11 21:56:57 mail spamd[19181]: spamd: connection from localhost.localdomain [127.0.0.1] at port 43357
Feb 11 21:56:57 mail spamd[19181]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 21:56:57 mail spamd[19181]: spamd: processing message (unknown) for sa-milt:102
Feb 11 21:56:57 mail spamd[4574]: prefork: child states: BBB
Feb 11 21:56:57 mail spamd[4574]: spamd: server successfully spawned child process, pid 20111
Feb 11 21:56:57 mail spamd[20110]: spamd: connection from localhost.localdomain [127.0.0.1] at port 43358
Feb 11 21:56:57 mail spamd[20110]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 11 21:56:57 mail spamd[4574]: prefork: child states: BBBI
Feb 11 21:56:57 mail spamd[20110]: spamd: processing message (unknown) for sa-milt:102
Feb 11 21:56:58 mail spamd[20110]: spamd: identified spam (19.5/5.0) for sa-milt:102 in 0.8 seconds, 3500 bytes.
Feb 11 21:56:58 mail spamd[20110]: spamd: result: Y 19 - BAYES_99,HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_WS_SURBL scantime=0.8,size=3500,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=43358,mid=(unknown),bayes=1.000000,autolearn=spam
Feb 12 00:34:18 mail spamd[19181]: spamd: connection from localhost.localdomain [127.0.0.1] at port 39386
Feb 12 00:34:18 mail spamd[19181]: spamd: using default config for sa-milt: /var/lib/spamassassin/user_prefs
Feb 12 00:34:18 mail spamd[19181]: spamd: processing message <BLU129-W28D58CD458D29F36EFCC7CD8BB0@phx.gbl> for sa-milt:102
Feb 12 00:34:22 mail spamd[14080]: spamd: clean message (-0.2/5.0) for sa-milt:102 in 4.2 seconds, 41114 bytes.
Feb 12 00:34:22 mail spamd[14080]: spamd: result: . 0 - AWL,BAYES_00,HTML_MESSAGE,SUBJ_ALL_CAPS scantime=4.2,size=41114,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=39385,mid=<CBB91DD17C1B45DCA83DCDE7FC555953@Rosy>,bayes=0.002366,autolearn=no
Feb 12 00:34:22 mail sendmail[21036]: n1C6YDFC021036: Milter add: header: X-Spam-Status: No, score=-0.2 required=5.0 tests=AWL,BAYES_00,HTML_MESSAGE,\n\tSUBJ_ALL_CAPS autolearn=no version=3.2.4
 


How can I stop or deny those entries and sendings?


Thanks.
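Added example, not from the thread or from any of its participants, covering the record Joel suggested, his explanation of SPF and the mechanism list quoted above: a small SPF evaluator in Python. It resolves the a and mx mechanisms against a constructed fake zone (example.com.mx and its mail host mail.example.com.mx stand in for the poster's domain; partner.example is a constructed domain used for include) and shows what the record answers for the domain's own hosts versus an unrelated IP, and how -all and ~all differ for that unrelated IP. It implements only the mechanisms seen in the thread plus ip4 and include; macros, redirect and the lookup-count limit of a real implementation are left out.

```python
import ipaddress

# Constructed zone standing in for the poster's domain; keys are (name, rrtype).
FAKE_DNS = {
    ("example.com.mx", "A"): ["203.0.113.10"],
    ("example.com.mx", "MX"): ["mail.example.com.mx"],
    ("mail.example.com.mx", "A"): ["203.0.113.25"],
    ("partner.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype, dns):
    return dns.get((name.lower(), rrtype), [])


def evaluate_spf(record, domain, client_ip, dns=FAKE_DNS):
    """Evaluate one SPF TXT record for the IP that connected to us.

    Mechanisms supported: a, mx, ip4, include, all (no macros, no redirect,
    no lookup-count limit). Returns pass / fail / softfail / neutral / none.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # an unprefixed mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True                 # catch-all: its qualifier decides
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A", dns)
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A", dns)
                          for mx in lookup(arg or domain, "MX", dns))
        elif mech == "include":
            sub = lookup(arg, "TXT", dns)
            matched = bool(sub) and evaluate_spf(sub[0], arg, client_ip, dns) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # ran off the end without a match


def demo():
    domain = "example.com.mx"
    hard = "v=spf1 a mx -all"              # the record suggested in the thread
    soft = "v=spf1 a mx ~all"              # the softfail variant from the quoted text
    return {
        "own mx, hard": evaluate_spf(hard, domain, "203.0.113.25"),
        "own a, hard": evaluate_spf(hard, domain, "203.0.113.10"),
        "stranger, hard": evaluate_spf(hard, domain, "198.51.100.7"),
        "stranger, soft": evaluate_spf(soft, domain, "198.51.100.7"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {verdict}")
```

The receiving side is what acts on the verdict: with -all a forged message from a host that is neither the domain's A record nor one of its MX hosts evaluates to fail and can be rejected outright, while ~all only yields softfail, which most receivers treat as one more scoring input rather than grounds for rejection.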
Rodolfo Lameda Diaz Tejeda
 02/12/09 03:57PM  

Location: Nápoles, México.
Today it seems I am also a victim of spam; they have started rejecting e-mails from my domain and it says the following:

----- The following addresses had permanent fatal errors -----
<xxxx@telcel.com>
(reason: 550 Service unavailable; Client host [xxx.xxx.xx.xxx] blocked using Trend Micro RBL+.Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=xxx.xxx.xx.xxx )

----- Transcript of session follows -----
... while talking to mailex.telcel.com.:
<<< 550 Service unavailable; Client host [xxx.xxx.xx.xxx] blocked using Trend Micro RBL+.Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=xxx.xxx.xx.xxx
554 5.0.0 Service unavailable



Reporting-MTA: dns; mail.xxxxxx.com.mx
Received-From-MTA: DNS; pc146.xxxx.corp
Arrival-Date: Thu, 12 Feb 2009 11:45:59 -0600

Final-Recipient: RFC822; xxxxx@telcel.com
Action: failed
Status: 5.5.0
Diagnostic-Code: SMTP; 550 Service unavailable; Client host [xxx.xxx.xx.xxx] blocked using Trend Micro RBL+.Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=xxx.xxx.xx.xxx
Last-Attempt-Date: Thu, 12 Feb 2009 11:45:59 -0600

-----------------------------------------------------------

I'm reviewing what has been discussed so far...

Learning to be root... www.increm.net
Joel Barrios Dueñas
 02/12/09 04:28PM  

Location: Mexico
In the log you are showing me, everything is normal. That is the normal operation of spamassassin and spamass-milter. Both are doing their job stopping spam. If you want to change the policies, edit /etc/mail/spamassassin/local.cf and /etc/sysconfig/spamass-milter and set the minimum score for considering a message spam and the score sufficient to bounce messages, respectively.


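Added example, not from the thread or from the SpamAssassin project: a Python parser for the spamd "result:" lines shown in this thread, run over four of those lines copied from the log excerpts above, that applies the two thresholds Joel describes: the required_score from local.cf (5.0 in the log) decides tagging, and a higher reject score decides bouncing. The reject value of 15 is a constructed example for spamass-milter's -r option; the thread does not give a value. The script also counts which rules the spam messages hit, so the RCVD_IN_PBL / RCVD_IN_SORBS_DUL / RDNS_NONE pattern (dynamic hosts without reverse DNS) is visible at a glance.

```python
import re
from collections import Counter

# spamd "result:" lines copied from the log excerpts in this thread.
SAMPLE_LOG = """\
Feb 11 08:19:28 mail spamd[20020]: spamd: result: Y 11 - BAYES_99,HS_INDEX_PARAM,HTML_MESSAGE,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SURBL scantime=0.8,size=3337,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=35450,mid=<01c98c5c$49372380$6c300553@telg>,bayes=1.000000,autolearn=spam
Feb 11 08:19:41 mail spamd[20020]: spamd: result: . -2 - ALL_TRUSTED,AWL,BAYES_00,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY scantime=0.2,size=1546,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=53614,mid=<200902111420.n1BEKmUf008295@apolo.arlex.com.mx>,bayes=0.000000,autolearn=no
Feb 11 21:56:58 mail spamd[20110]: spamd: result: Y 19 - BAYES_99,HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_NONE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_WS_SURBL scantime=0.8,size=3500,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=43358,mid=(unknown),bayes=1.000000,autolearn=spam
Feb 12 00:34:22 mail spamd[14080]: spamd: result: . 0 - AWL,BAYES_00,HTML_MESSAGE,SUBJ_ALL_CAPS scantime=4.2,size=41114,user=sa-milt,uid=102,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=39385,mid=<CBB91DD17C1B45DCA83DCDE7FC555953@Rosy>,bayes=0.002366,autolearn=no
"""

# flag is Y (spam) or . (ham); the integer score is followed by the rule list
# and then the comma-separated key=value fields.
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - (?P<tests>\S+)(?: (?P<fields>.*))?$")


def parse_results(text):
    entries = []
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        tests, fields = m["tests"], m["fields"] or ""
        if "=" in tests:                  # no rule hit: the fields sit where the rules would be
            tests, fields = "", tests
        kv = dict(item.partition("=")[::2] for item in fields.split(",") if item)
        entries.append({
            "is_spam": m["flag"] == "Y",
            "score": int(m["score"]),     # rounded score as spamd logs it here
            "tests": tests.split(",") if tests else [],
            "required": float(kv.get("required_score", "5.0")),
            "mid": kv.get("mid", "(unknown)"),
            "autolearn": kv.get("autolearn", ""),
        })
    return entries


def classify(entry, reject_score):
    """required_score (local.cf) tags; a higher reject score (spamass-milter -r) bounces."""
    if entry["score"] >= reject_score:
        return "reject"
    if entry["score"] >= entry["required"]:
        return "tag"
    return "deliver"


def summarize(text, reject_score=15):
    entries = parse_results(text)
    actions = {e["mid"]: classify(e, reject_score) for e in entries}
    hits = Counter(t for e in entries if e["is_spam"] for t in e["tests"])
    return actions, hits


if __name__ == "__main__":
    actions, hits = summarize(SAMPLE_LOG)
    for mid, action in actions.items():
        print(f"{action:8s} {mid}")
    print("rules hit by spam:", hits.most_common(6))
```

With the constructed reject score of 15, the 11-point message is tagged and delivered while the 19-point one (no Message-ID, no reverse DNS, listed in the PBL) is bounced; the two negative-score messages from trusted internal hosts pass untouched, which matches Joel's reading that the milter is doing its job.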