Hello, yesterday mails came in again over roughly 45 minutes, and some of them were rejected as spam. When this happened the first time, I followed Uwe's advice and changed my main.cf like this:
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_use_pw_server = yes
#with greylisting
#smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
#without greylisting
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks permit_tls_clientcerts check_sender_access hash:/etc/postfix/whitelist reject_non_fqdn_hostname reject_unknown_reverse_client_hostname reject_unauth_destination reject_rbl_client cbl.abuseat.org reject_rbl_client zen.spamhaus.org
smtpd_pw_server_security_options = login,gssapi,cram-md5
data_directory = /var/lib/postfix
smtpd_client_restrictions =
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re permit_mynetworks permit_sasl_authenticated permit_tls_clientcerts check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_data_restrictions = reject_unauth_pipelining
mydestination = $myhostname, localhost.$mydomain, localhost, mail.$mydomain, liste.$mydomain, $mydomain
virtual_transport = virtual
The mails arrive here with sasl_username=ftp. Mail is not enabled for the (system) user ftp.
The mail looks like this:

Content type: Spam
Internal reference code for the message is 20536-07/3+yiMXOQhcE5

First upstream SMTP client IP address: [65.200.13.203]
According to a 'Received:' trace, the message apparently originated at:
[17.45.146.70], nico-lae.qr.32.de [17.45.146.70]

Return-Path: dagata@ma-pu.plm.com
From: Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk
Message-ID: <E1T94zk-2493-Bo@Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
X-Mailer: Stylatule-decouvrez 6.4
Subject: IMPORTANT SECURITY ISSUES [INCIDENT 462376-xz-46 ]

Not quarantined.

The message WAS NOT relayed to:
mod9966@hotmail.com:
250 2.7.0 Ok, discarded, id=20536-07 - SPAM

SpamAssassin report:

Spam detection software, running on the system "mcgregor.admilon.net", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see websensei@admilon.net for details.

Content preview: ACCESS TO YOUR ACCOUNT HAS BEEN TEMPORARILY SUSPENDED. The reason for this issue: - UNUSUAL NUMBER OF INVALID LOGIN ATTEMPTS ON YOUR ACCOUNT To restore your account, please click below: [...]

Content analysis details: (13.0 points, 25.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 0.0 MSGID_MULTIPLE_AT         Message-ID contains multiple '@' characters
 0.9 DKIM_ADSP_NXDOMAIN        No valid author signature and domain not in DNS
 2.4 TVD_PH_BODY_ACCOUNTS_PRE  BODY: TVD_PH_BODY_ACCOUNTS_PRE
-0.0 BAYES_40                  BODY: Bayes spam probability is 20 to 40% [score: 0.3950]
 1.5 HTML_IMAGE_ONLY_20        BODY: HTML: images with 1600-2000 bytes of words
 0.3 HTML_MESSAGE              BODY: HTML included in message
 0.7 MIME_HTML_ONLY            BODY: Message only has text/html MIME parts
 1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50% [cf: 100]
 4.0 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 0.8 RDNS_NONE                 Delivered to internal network by a host with no rDNS
 0.0 TO_EQ_FM_HTML_ONLY        To == From and HTML only
 0.0 TO_NO_BRKTS_NORDNS_HTML   TO_NO_BRKTS_NORDNS_HTML

Return-Path: dagata@ma-pu.plm.com
Received: from [128.2.1.64] (unknown [65.200.13.203]) by mcgregor.admilon.net (Postfix) with ESMTPA id 25AF01DBA536 for mod9966@hotmail.com; Mon, 17 Sep 2012 22:22:07 +0900 (JST)
X-TM-AS-Result: No--7.291-5.0-31-1
X-Recommended-Action: accept
X-IronPort-AV: E=Sophos;i="4.80,368,1344186000";
X-Envelope-From: hsbc-uk-mintea-nji-iasti-ebay-de.fr-dultzii@nico-lae.qr.32.de
Content-type: text/html
X-Proofpoint-Spam-Details: rule=notspam policy=default score=11 spamscore=11 suspectscore=3
X-SpamExpertAristo-Outgoing-Evidence: Combined (0.24)
X-SpamExpertAristo-Username: 61.8.92.97
X-Mailer: Stylatule-decouvrez 6.4
To: mod9966@hotmail.com
Date: Mon, 17 Sep 2012 13:22:08 GMT
X-Barracuda-Start-Time: 135755806806600
Subject: IMPORTANT SECURITY ISSUES [INCIDENT 462376-xz-46 ]
X-Copfilter-Virus-Scanned: ClamAV 0.684.2
Received: from nico-lae.qr.32.de ([17.45.146.70]) by ghs-fw (Copfilter 0.84beta4)
X-IronPort-Anti-Spam-Filtered: true
From: Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk
X-Filter-ID: XtLePq6GTMn8G68F0comdleehesxkccwnpq66380849601991cmBIW/8OODKS1A/6t51a7Dur
X-Filtered-With: Copfilter Version 0.84beta4 (ProxSMTP 1.8)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.7.7855,1.0.431,0.0.000
X-OriginalArrivalTime: 04 Sep 2012 16:53:23.0515 (UTC) FILETIME=[CBBBD8B0:01CD8ABD]
X-SpamExpertAristo-Domain: joomlabouwer.nl
Message-ID: <E1T94zk-2493-Bo@Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
X-Originating-IP: 61.8.92.97
X-imss-scan-details: No--7.291-5.0-31-1
X-Copfilter-Originating-IP: 89.105.199.76
X-SpamExpertAristo-Outgoing-Class: ham
X-TM-IMSS-Message-ID: 2c625bfa00003402@bodyshape.co.th
X-IronPort-Anti-Spam-Result: tc597710475692009648zbf1847zhfdijebku$
X-TM-AS-Product-Ver: IMSS-7.0.0.6126-6.8.0.1017-19162.000
Authentication-Results: aristo-internet.nl;auth=pass () smtp.auth=61.8.92.97
Content-Transfer-Encoding: 7bit
In the log it looks like this:
Sep 17 22:22:05 mcgregor postfix/smtpd[20603]: connect from unknown[65.200.13.203]
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: NOQUEUE: filter: RCPT from unknown[65.200.13.203]: dagata@ma-pu.plm.com: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=dagata@ma-pu.plm.com to=mod9966@hotmail.com proto=ESMTP helo=<[128.2.1.64]>
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: 25AF01DBA536: client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:22:17 mcgregor postfix/cleanup[20650]: 25AF01DBA536: message-id=<E1T94zk-2493-Bo@Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk.aristo-internet.nl>
Sep 17 22:22:17 mcgregor postfix/qmgr[505]: 25AF01DBA536: from=dagata@ma-pu.plm.com, size=3817, nrcpt=1 (queue active)
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-06) loaded policy bank "ORIGINATING"
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-06) process_request: fileno sock=12, STDIN=0, STDOUT=1
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ESMTP::10026 /var/amavis/tmp/amavis-20120917T221431-20536: dagata@ma-pu.plm.com -> mod9966@hotmail.com Received: from mcgregor.admilon.net ([127.0.0.1]) by localhost (mcgregor.admilon.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for mod9966@hotmail.com; Mon, 17 Sep 2012 22:22:17 +0900 (JST)
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) smtp connection cache, dt: 85.1, state: 0
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) body hash: b55bb74e4d5c950db7ed42aa282aa202
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) Checking: 3+yiMXOQhcE5 ORIGINATING [65.200.13.203] dagata@ma-pu.plm.com -> mod9966@hotmail.com
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) 2822.From: Co-operative-Bank-p.l.c.UK.363@e-mail-alert-id.9656.review-24-hrs-cooperative-online.co.uk, 2821.Mail_From: dagata@ma-pu.plm.com
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) p001 1 Content-Type: text/html, size: 1755 B, name:
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) Checking for banned types and filenames
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) INFO: unknown banned table name ALT-RULES, recip=mod9966@hotmail.com
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) collect banned table[0]: mod9966@hotmail.com, tables:
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) p.path mod9966@hotmail.com: "P=p001,L=1,M=text/html,T=html"
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ask_av Using (ClamAV-clamd): CONTSCAN /var/amavis/tmp/amavis-20120917T221431-20536/parts\n
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ClamAV-clamd: Connecting to socket /var/amavis/clamd
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20120917T221431-20536/parts\n to UNIX socket /var/amavis/clamd
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) run_av (ClamAV-clamd): CLEAN
Sep 17 22:22:17 mcgregor amavis[20536]: (20536-07) run_av (ClamAV-clamd) result: clean
Sep 17 22:22:18 mcgregor postfix/smtpd[20603]: disconnect from unknown[65.200.13.203]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) spam_scan: score=13.043 autolearn=no tests=[BAYES_40=-0.001,DKIM_ADSP_NXDOMAIN=0.9,HTML_IMAGE_ONLY_20=1.546,HTML_MESSAGE=0.3,MIME_HTML_ONLY=0.723,MSGID_MULTIPLE_AT=0.001,RAZOR2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.886,RAZOR2_CHECK=4,RDNS_NONE=0.793,TO_EQ_FM_HTML_ONLY=0.001,TO_NO_BRKTS_NORDNS_HTML=0.001,TVD_PH_BODY_ACCOUNTS_PRE=2.393]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) blocking contents category is (6) for mod9966@hotmail.com
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) do_notify_and_quar: ccat=Spam (6,0) ("6":Spam, "5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(6), qar_mth=
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) skip local delivery(3): <> -> <spam-quarantine>
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) SPAM, dagata@ma-pu.plm.com -> mod9966@hotmail.com, Yes, score=13.043 tag=-999 tag2=7 kill=12 tests=[BAYES_40=-0.001, DKIM_ADSP_NXDOMAIN=0.9, HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.3, MIME_HTML_ONLY=0.723, MSGID_MULTIPLE_AT=0.001, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=4, RDNS_NONE=0.793, TO_EQ_FM_HTML_ONLY=0.001, TO_NO_BRKTS_NORDNS_HTML=0.001, TVD_PH_BODY_ACCOUNTS_PRE=2.393] autolearn=no, quarantine 3+yiMXOQhcE5 (spam-quarantine)
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) dkim: candidate originators: 2822.From:websensei@admilon.net, 2821.mail_from:websensei@admilon.net
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) dkim: signing (author), From: websensei@admilon.net, KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>admilon.net, s=>default, ttl=>1814400, x=>1349702537.86839
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp session: setting up a new session
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp creating socket by IO::Socket::INET to [127.0.0.1]:10027
Sep 17 22:22:23 mcgregor postfix/smtpd[20578]: connect from localhost[127.0.0.1]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to greeting: 220 mcgregor.admilon.net ESMTP Postfix
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> EHLO localhost
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to EHLO: 250 mcgregor.admilon.net\nPIPELINING\nSIZE 41943040\nVRFY\nETRN\nAUTH LOGIN CRAM-MD5 GSSAPI\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME\nDSN
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) AUTH not needed, user='', MTA offers 'LOGIN CRAM-MD5 GSSAPI'
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> MAIL FROM:websensei@admilon.net ENVID=AM..20120917T132223Z@mcgregor.admilon.net
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> RCPT TO:websensei@admilon.net
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> DATA
Sep 17 22:22:23 mcgregor postfix/smtpd[20578]: E8B861DBA541: client=localhost[127.0.0.1]
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to MAIL (pip): 250 2.1.0 Ok
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to RCPT (pip) (websensei@admilon.net): 250 2.1.5 Ok
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp resp to DATA: 354 End data with <CR><LF>.<CR><LF>
Sep 17 22:22:23 mcgregor amavis[20536]: (20536-07) smtp cmd> QUIT
So there is still a hole somewhere; which knob do I have to turn to put a stop to this? Thanks and regards, Matthias
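The log above already contains the tell-tale line (`sasl_method=CRAM-MD5, sasl_username=ftp` from a client with no rDNS), so one way to catch this early is to watch the Postfix log for authenticated submissions by accounts that should never send mail. The following script is an added example, not code from the post or from Postfix; the sample log is constructed (only its first line mirrors the entry above) and the allowlist of legitimate senders is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: the first line mirrors the poster's log entry, the
# other lines are made up to show a repeat login from the same source and a
# legitimate user on a real mail account.
SAMPLE_LOG = """\
Sep 17 22:22:08 mcgregor postfix/smtpd[20603]: 25AF01DBA536: client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:25:41 mcgregor postfix/smtpd[20603]: 3B0C11DBA540: client=unknown[65.200.13.203], sasl_method=CRAM-MD5, sasl_username=ftp
Sep 17 22:26:02 mcgregor postfix/smtpd[20610]: 3C1A21DBA541: client=laptop.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=matthias
Sep 17 22:26:03 mcgregor postfix/smtpd[20610]: disconnect from laptop.example.net[192.0.2.10]
"""

# Matches the "queue-id: client=host[ip], sasl_method=..., sasl_username=..."
# line that Postfix smtpd writes once a client has authenticated.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)

# Assumption: the only accounts that are allowed to submit mail via SASL.
ALLOWED_USERS = {"matthias"}


def parse_sasl_logins(log_text):
    """Return one dict (qid, host, ip, method, user) per authenticated submission."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := SASL_RE.search(line))]


def find_suspicious(events, allowed_users=ALLOWED_USERS):
    """Map every SASL user outside the allowlist to {client_ip: login count}.

    A system account such as 'ftp' that never sends mail but shows up here
    means its password is being used by someone else to relay through us.
    """
    hits = defaultdict(Counter)
    for ev in events:
        if ev["user"] not in allowed_users:
            hits[ev["user"]][ev["ip"]] += 1
    return {user: dict(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    for user, ips in find_suspicious(parse_sasl_logins(SAMPLE_LOG)).items():
        for ip, n in ips.items():
            print(f"unexpected SASL user {user!r}: {n} login(s) from {ip}")
```

Feed it the real mail log instead of SAMPLE_LOG and any hit is an account whose password needs to be changed or whose SASL access should be disabled.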