Wurde ich Opfer von Mass Mailing/Spamming?

Gogosjon · 4. Mai 2012

Ich habe mir mal die Log Datein von Postfix angeschaut. Eigentlich benutze ich es garnicht. Habe nur mal einen Testaccount erstellt.
Nun entdecke ich vielleicht schreckliches ...
In /var/log/mail.warn steht ungefähr 20000 Zeile genau das hier:

Code

7:51:14 v2201203117917627 postfix/smtpd[31606]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32211]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32238]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32239]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32246]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32248]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32252]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32253]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32254]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32260]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32263]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32266]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32268]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32269]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32270]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32277]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32280]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32282]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:14 v2201203117917627 postfix/smtpd[32284]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32288]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32291]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32295]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32299]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32301]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32310]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32313]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32323]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32326]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32330]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32333]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32337]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:15 v2201203117917627 postfix/smtpd[32339]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:16 v2201203117917627 postfix/smtpd[32344]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:16 v2201203117917627 postfix/smtpd[32352]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:16 v2201203117917627 postfix/smtpd[32355]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:16 v2201203117917627 postfix/smtpd[32364]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:16 v2201203117917627 postfix/smtpd[32370]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:17 v2201203117917627 postfix/smtpd[32373]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:17 v2201203117917627 postfix/smtpd[32378]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:17 v2201203117917627 postfix/smtpd[32396]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:17 v2201203117917627 postfix/smtpd[32397]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:17 v2201203117917627 postfix/smtpd[32399]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:17 v2201203117917627 postfix/smtpd[32401]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:17 v2201203117917627 postfix/smtpd[32405]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:17 v2201203117917627 postfix/smtpd[32408]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:17 v2201203117917627 postfix/smtpd[32409]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.net verification failed: Name or service not known
Mar 20 17:51:17 v2201203117917627 postfix/smtpd[32412]: warning: 208.115.196.103: hostname 103-196-115-208.static.reverse.lstn.ne

Alles anzeigen

Sind das Fehlermeldungen, aufgrund von Fehlerhafter Konfiguration, oder wird mein Server schon missbraucht?
Habe keinerlei Einstellungen an Postfix verändert! Kann man Postfix vielleicht deaktivieren?

Danke für eure Hilfe ...

Dragon · 4. Mai 2012

Was ist daran schrecklich? Diese Logs sagen ja nichts darüber aus, ob Mails versendet werden oder nicht. Dazu muss man in die mail.log schauen.

Gogosjon · 4. Mai 2012

AHHHHH OGOTTTT!!!!
Was ist das in der mail.log?!?!
Nun habe ich ANGST! Habe Postfix GESTOPP!

Code

4 11:02:20 v2201203117917627 postfix/smtp[13916]: 1865D2B6000E: to=<patrickmswity@cmail.org>, relay=none, delay=231536, delays=231506/0.04/30/0, dsn=4.4.1, status=deferred (connect to cmail.org[82.98.86.177]:25: Connection timed out)
May 4 12:11:50 v2201203117917627 postfix/qmgr[22763]: 1865D2B6000E: from=<www-data@v2201203117917627.yourvserver.net>, size=1620, nrcpt=1 (queue active)
May 4 12:12:20 v2201203117917627 postfix/smtp[27389]: connect to cmail.org[82.98.86.177]:25: Connection timed out
May 4 12:12:20 v2201203117917627 postfix/smtp[27389]: 1865D2B6000E: to=<patrickmswity@cmail.org>, relay=none, delay=235737, delays=235706/0.36/30/0, dsn=4.4.1, status=deferred (connect to cmail.org[82.98.86.177]:25: Connection timed out)
May 4 13:21:16 v2201203117917627 imapd: Connection, ip=[::ffff:88.67.88.54]
May 4 13:21:16 v2201203117917627 imapd: LOGIN, user=nassim96@mindmc.de, ip=[::ffff:88.67.88.54], port=[49185], protocol=IMAP
May 4 13:21:16 v2201203117917627 imapd: LOGOUT, user=nassim96@mindmc.de, ip=[::ffff:88.67.88.54], headers=0, body=0, rcvd=238, sent=628, time=0
May 4 13:21:31 v2201203117917627 imapd: Connection, ip=[::ffff:88.67.88.54]
May 4 13:21:31 v2201203117917627 imapd: LOGIN, user=nassim96@mindmc.de, ip=[::ffff:88.67.88.54], port=[49211], protocol=IMAP
May 4 13:21:31 v2201203117917627 imapd: LOGOUT, user=nassim96@mindmc.de, ip=[::ffff:88.67.88.54], headers=0, body=0, rcvd=238, sent=628, time=0
May 4 13:21:50 v2201203117917627 postfix/qmgr[22763]: 1865D2B6000E: from=<www-data@v2201203117917627.yourvserver.net>, size=1620, nrcpt=1 (queue active)
May 4 13:22:20 v2201203117917627 postfix/smtp[15250]: connect to cmail.org[82.98.86.177]:25: Connection timed out
May 4 13:22:20 v2201203117917627 postfix/smtp[15250]: 1865D2B6000E: to=<patrickmswity@cmail.org>, relay=none, delay=239936, delays=239906/0.02/30/0, dsn=4.4.1, status=deferred (connect to cmail.org[82.98.86.177]:25: Connection timed out)
May 4 14:11:48 v2201203117917627 postfix/pickup[22276]: 63D4F2B60024: uid=33 from=<www-data>
May 4 14:11:48 v2201203117917627 postfix/cleanup[6058]: 63D4F2B60024: message-id=<4ffa321cf4fd76dd06363f1bf1979e70@mindmc.de>
May 4 14:11:48 v2201203117917627 postfix/qmgr[22763]: 63D4F2B60024: from=<www-data@v2201203117917627.yourvserver.net>, size=3864, nrcpt=1 (queue active)
May 4 14:11:48 v2201203117917627 postfix/virtual[6064]: 63D4F2B60024: to=<admin@mindmc.de>, relay=virtual, delay=0.41, delays=0.14/0.24/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
May 4 14:11:48 v2201203117917627 postfix/qmgr[22763]: 63D4F2B60024: removed
May 4 14:31:51 v2201203117917627 postfix/qmgr[22763]: 1865D2B6000E: from=<www-data@v2201203117917627.yourvserver.net>, size=1620, nrcpt=1 (queue active)
May 4 14:32:21 v2201203117917627 postfix/smtp[10048]: connect to cmail.org[82.98.86.177]:25: Connection timed out
May 4 14:32:21 v2201203117917627 postfix/smtp[10048]: 1865D2B6000E: to=<patrickmswity@cmail.org>, relay=none, delay=244137, delays=244107/0.14/30/0, dsn=4.4.1, status=deferred (connect to cmail.org[82.98.86.177]:25: Connection timed out)
May 4 15:41:51 v2201203117917627 postfix/qmgr[22763]: 1865D2B6000E: from=<www-data@v2201203117917627.yourvserver.net>, size=1620, nrcpt=1 (queue active)
May 4 15:42:21 v2201203117917627 postfix/smtp[32156]: connect to cmail.org[82.98.86.177]:25: Connection timed out
May 4 15:42:22 v2201203117917627 postfix/smtp[32156]: 1865D2B6000E: to=<patrickmswity@cmail.org>, relay=none, delay=248338, delays=248308/0.25/30/0, dsn=4.4.1, status=deferred (connect to cmail.org[82.98.86.177]:25: Connection timed out)
May 4 16:51:51 v2201203117917627 postfix/qmgr[22763]: 1865D2B6000E: from=<www-data@v2201203117917627.yourvserver.net>, size=1620, nrcpt=1 (queue active)
May 4 16:52:21 v2201203117917627 postfix/smtp[19856]: connect to cmail.org[82.98.86.177]:25: Connection timed out
May 4 16:52:21 v2201203117917627 postfix/smtp[19856]: 1865D2B6000E: to=<patrickmswity@cmail.org>, relay=none, delay=252538, delays=252507/0.31/30/0, dsn=4.4.1, status=deferred (connect to cmail.org[82.98.86.177]:25: Connection timed out)
May 4 18:01:51 v2201203117917627 postfix/qmgr[22763]: 1865D2B6000E: from=<www-data@v2201203117917627.yourvserver.net>, size=1620, nrcpt=1 (queue active)
May 4 18:02:21 v2201203117917627 postfix/smtp[22517]: connect to cmail.org[82.98.86.177]:25: Connection timed out
May 4 18:02:21 v2201203117917627 postfix/smtp[22517]: 1865D2B6000E: to=<patrickmswity@cmail.org>, relay=none, delay=256737, delays=256707/0.08/30/0, dsn=4.4.1, status=deferred (connect to cmail.org[82.98.86.177]:25: Connection timed out)
May 4 18:03:24 v2201203117917627 postfix/master[22753]: terminating on

Alles anzeigen

Die Log Datei ist übertrieben lang! Kann mir irgendjemand helfen?

Dragon · 4. Mai 2012

Da werden offensichtlich über ein PHP-Script (www-data) Mails versendet.

Gogosjon · 4. Mai 2012

AHHHH! JE weiter ich im Log schaue, desto mehr Angst bekomme ich!

Code

Apr 26 18:16:18 v2201203117917627 imapd: LOGIN FAILED, user=www, ip=[::ffff:216.144.251.118]
Apr 26 18:16:18 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=5
Apr 26 18:16:18 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:18 v2201203117917627 imapd: LOGIN FAILED, user=pwrchute, ip=[::ffff:216.144.251.118]
Apr 26 18:16:19 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=5
Apr 26 18:16:19 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:19 v2201203117917627 imapd: LOGIN FAILED, user=backup, ip=[::ffff:216.144.251.118]
Apr 26 18:16:19 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:19 v2201203117917627 imapd: LOGIN FAILED, user=data, ip=[::ffff:216.144.251.118]
Apr 26 18:16:19 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=5
Apr 26 18:16:20 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=6
Apr 26 18:16:20 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:20 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:20 v2201203117917627 imapd: LOGIN FAILED, user=sybase, ip=[::ffff:216.144.251.118]
Apr 26 18:16:20 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=5
Apr 26 18:16:20 v2201203117917627 imapd: LOGIN FAILED, user=access, ip=[::ffff:216.144.251.118]
Apr 26 18:16:20 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:20 v2201203117917627 imapd: LOGIN FAILED, user=account, ip=[::ffff:216.144.251.118]
Apr 26 18:16:21 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=6
Apr 26 18:16:21 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:21 v2201203117917627 imapd: LOGIN FAILED, user=administrator, ip=[::ffff:216.144.251.118]
Apr 26 18:16:21 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=5
Apr 26 18:16:21 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:21 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=5
Apr 26 18:16:21 v2201203117917627 imapd: LOGIN FAILED, user=lizdy, ip=[::ffff:216.144.251.118]
Apr 26 18:16:22 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=6
Apr 26 18:16:22 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:22 v2201203117917627 imapd: LOGIN FAILED, user=oracle8, ip=[::ffff:216.144.251.118]
Apr 26 18:16:22 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=5
Apr 26 18:16:22 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=5
Apr 26 18:16:23 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:23 v2201203117917627 imapd: Disconnected, ip=[::ffff:216.144.251.118], time=6
Apr 26 18:16:23 v2201203117917627 imapd: LOGIN FAILED, user=server, ip=[::ffff:216.144.251.118]
Apr 26 18:16:23 v2201203117917627 imapd: Connection, ip=[::ffff:216.144.251.118]
Apr 26 18:16:23 v2201203117917627 imapd: Disconnected, ip=

Alles anzeigen

Wie kann ich diese IP Bannen und warum wird das nicht durch Fail2ban geblockt? Sind diese Angriffe normal? Was kann man dagegen machen?

TPIT-Service · 4. Mai 2012

Hier kannst Du das testen: Mail relay testing

Gogosjon · 4. Mai 2012

Aha. All tested completed! No relays accepted by remote host!

Ok. das sieht schon besser aus. Was könnten die enormen Zugriffe denn dann sein?

Dragon · 4. Mai 2012

Wie schon gesagt, ich vermute ein PHP-Script, mit dem die Mails versendet werden.

Gogosjon · 4. Mai 2012

Kann das auch durch PHPBB oder andere Forensoftware ausgelöst werden?

TPIT-Service · 5. Mai 2012

Da versucht einer mit vielen Anfragen, Zugangsdaten auf Deinen IMAPD-Server zu bekommen.
Ob das nun ein PHP-Script ist oder aber eine andere Methode kann man daraus nicht erkennen.

Du kannst die IP über die Firewall im VCP blocken, indem Du

Richtung: input - Quelle IP: 216.144.251.118 - Protikoll: any - Ziel IP: any - Aktion: DROP

definierst.

Danach sollte zumindest über diese IP Ruhe sein, ändert sich natürlich, sobald der Angreifer seine IP ändert.
Für fail2ban musst Du mal schauen. Hier im Forum gibt es einige Scripte die bei solchen Dingen dafür sorgen, dass solche Attacken automatisch in der Firewall landen. Warum das bei Dir nicht funktioniert, kommt einer Glaskugel gleich.