Spam-Script erkennen, Server als Spam benutzt?
Posted: Fri 13. Sep 2019, 11:52
Bevor ich die Frage stelle hier die Gundinfos:
E-Mail Postfächer sind eingerichtet, allerdings nur als Weiterleitungen.
Folgender Sachverhalt: Im Weiterleitungspostfach hatte ich folgende Mail:
Nun dachte ich, mist mein Server ist ein Spam-Server.
Allerdings habe ich dann per SSH mit mailq und postqueue -p versucht zu schauen was versendet wird. Allerdings sind hier keine Einträge bzw es ist leer. Die Mail: let-us-all-follow-and-share@panel.meinedomain.de gibt es natürlich nicht im System.
Der Maillog sieht jetzt auch nicht so aus, als ob ständig was versendet werden würde. Allerdings habe ich diese Mail im Log gefunden mit folgedem Inhalt:
Ab 18:12:xx sollte es passen.
Habt Ihr noch eine andere wo ich schauen konnte ob doch im Hintergrund vom einem Script Spam versendet wird?
E-Mail Postfächer sind eingerichtet, allerdings nur als Weiterleitungen.
Folgender Sachverhalt: Im Weiterleitungspostfach hatte ich folgende Mail:
Code: Select all
This is the mail system at host panel.meinedomain.de.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<rm@cigroup.za.com>: host
cigroup-za-com.mail.protection.outlook.com[104.47.8.xx] said: 550 5.7.606
Access denied, banned sending IP [94.16.114.xxx]. To request removal from
this list please visit https://sender.office.com/ and follow the
directions. For more information please go to
http://go.microsoft.com/fwlink/?LinkID=526655 (AS16012609) (in reply to
RCPT TO command)
---------- Forwarded message ----------
From: "Cigroup Mɵssagɵ Cɵntɵr" <let-us-all-follow-and-share@panel.meinedomain.de>
To: rm@cigroup.za.com
Cc:
Bcc:
Date: Thu, 12 Sep 2019 18:12:52 +0200 (CEST)
Subject: You have 3 new messɑges on hoId
MeCigroup CigroupssCigroup Cigroupage frCigroup Cigroupom TCigroup CigrouprusCigroup Cigroupted seCigroup CigrouprveCigroup Cigroupr.
OfCigroup CigroupfiCigroup Cigroupce3Cigroup Cigroup6Cigroup Cigroup5Allerdings habe ich dann per SSH mit mailq und postqueue -p versucht zu schauen was versendet wird. Allerdings sind hier keine Einträge bzw es ist leer. Die Mail: let-us-all-follow-and-share@panel.meinedomain.de gibt es natürlich nicht im System.
Der Maillog sieht jetzt auch nicht so aus, als ob ständig was versendet werden würde. Allerdings habe ich diese Mail im Log gefunden mit folgedem Inhalt:
Ab 18:12:xx sollte es passen.
Code: Select all
Sep 12 18:10:36 panel postfix/anvil[6850]: statistics: max connection rate 1/60s for (smtp:193.169.255.131) at Sep 12 18:07:15
Sep 12 18:10:36 panel postfix/anvil[6850]: statistics: max connection count 1 for (smtp:193.169.255.131) at Sep 12 18:07:15
Sep 12 18:10:36 panel postfix/anvil[6850]: statistics: max cache size 1 at Sep 12 18:07:15
Sep 12 18:11:15 panel postfix/smtpd[7065]: connect from unknown[193.169.255.137]
Sep 12 18:11:16 panel postfix/smtpd[7065]: lost connection after AUTH from unknown[193.169.255.137]
Sep 12 18:11:16 panel postfix/smtpd[7065]: disconnect from unknown[193.169.255.137] ehlo=1 auth=0/1 commands=1/2
[u]Sep 12 18:12:52 panel postfix/pickup[2189]: 74185A07D2: uid=5001 from=<info@meinedomain.de>
Sep 12 18:12:52 panel postfix/cleanup[7113]: 74185A07D2: message-id=<20190912161252.74185A07D2@panel.meinedomain.de>
Sep 12 18:12:52 panel postfix/qmgr[2190]: 74185A07D2: from=<info@meinedomain.de>, size=5824, nrcpt=1 (queue active)
Sep 12 18:12:54 panel postfix/smtpd[7121]: connect from localhost[127.0.0.1]
Sep 12 18:12:54 panel postfix/smtpd[7121]: 8ABC8A00C8: client=localhost[127.0.0.1]
Sep 12 18:12:54 panel postfix/cleanup[7113]: 8ABC8A00C8: message-id=<20190912161252.74185A07D2@panel.meinedomain.de>
Sep 12 18:12:54 panel postfix/qmgr[2190]: 8ABC8A00C8: from=<info@meinedomain.de>, size=6276, nrcpt=1 (queue active)
Sep 12 18:12:54 panel amavis[2207]: (02207-01) Passed CLEAN {RelayedOpenRelay}, [127.0.0.1] <info@meinedomain.de> -> <rm@cigroup.za.com>, Message-ID: <20190912161252.74185A07D2@panel.meinedomain.de>, mail_id: hJOGsp22nVur, Hits: 1.846, size: 5773, queued_as: 8ABC8A00C8, 2069 ms
Sep 12 18:12:54 panel postfix/smtp[7115]: 74185A07D2: to=<rm@cigroup.za.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.04/0.01/0.02/2.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8ABC8A00C8)
Sep 12 18:12:54 panel postfix/qmgr[2190]: 74185A07D2: removed
Sep 12 18:12:54 panel postfix/smtp[7124]: 8ABC8A00C8: to=<rm@cigroup.za.com>, relay=cigroup-za-com.mail.protection.outlook.com[104.47.8.36]:25, delay=0.2, delays=0.01/0.02/0.14/0.02, dsn=5.7.606, status=bounced (host cigroup-za-com.mail.protection.outlook.com[104.47.8.36] said: 550 5.7.606 Access denied, banned sending IP [94.16.114.xx]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526655 (AS16012609) (in reply to RCPT TO command))
Sep 12 18:12:54 panel postfix/cleanup[7113]: C72DFA07DB: message-id=<20190912161254.C72DFA07DB@panel.meinedomain.de>
Sep 12 18:12:54 panel postfix/qmgr[2190]: C72DFA07DB: from=<>, size=8820, nrcpt=1 (queue active)
Sep 12 18:12:54 panel postfix/bounce[7125]: 8ABC8A00C8: sender non-delivery notification: C72DFA07DB
Sep 12 18:12:54 panel postfix/qmgr[2190]: 8ABC8A00C8: removed
Sep 12 18:12:55 panel postfix/smtp[7124]: C72DFA07DB: to=<sebastianxxxxx@googlemail.com>, orig_to=<info@meinedomain.de>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=0.5, delays=0.01/0.01/0.14/0.33, dsn=2.0.0, status=sent (250 2.0.0 OK 1568304775 c20si23860000wre.203 - gsmtp)[/u]
Sep 12 18:12:55 panel postfix/qmgr[2190]: C72DFA07DB: removed
Sep 12 18:12:59 panel postfix/smtpd[7126]: connect from unknown[193.32.160.145]
Sep 12 18:13:02 panel postfix/smtpd[7126]: NOQUEUE: reject: RCPT from unknown[193.32.160.145]: 450 4.7.25 Client host rejected: cannot find your hostname, [193.32.160.145]; from=<uoqvikwj8wyiix2q@prague-hotel-ujezulatka.com> to=<info@meinedomain.de> proto=ESMTP helo=<[193.32.160.145]>
Sep 12 18:13:02 panel postfix/smtpd[7126]: NOQUEUE: reject: RCPT from unknown[193.32.160.145]: 450 4.7.25 Client host rejected: cannot find your hostname, [193.32.160.145]; from=<uoqvikwj8wyiix2q@prague-hotel-ujezulatka.com> to=<admin@meinedomain.de> proto=ESMTP helo=<[193.32.160.145]>
Sep 12 18:13:02 panel postfix/smtpd[7126]: NOQUEUE: reject: RCPT from unknown[193.32.160.145]: 450 4.7.25 Client host rejected: cannot find your hostname, [193.32.160.145]; from=<uoqvikwj8wyiix2q@prague-hotel-ujezulatka.com> to=<noreply@meinedomain.de> proto=ESMTP helo=<[193.32.160.145]>
Sep 12 18:13:02 panel postfix/smtpd[7126]: NOQUEUE: reject: RCPT from unknown[193.32.160.145]: 450 4.7.25 Client host rejected: cannot find your hostname, [193.32.160.145]; from=<uoqvikwj8wyiix2q@prague-hotel-ujezulatka.com> to=<contact@meinedomain.de> proto=ESMTP helo=<[193.32.160.145]>
Sep 12 18:13:02 panel postfix/smtpd[7126]: NOQUEUE: reject: RCPT from unknown[193.32.160.145]: 450 4.7.25 Client host rejected: cannot find your hostname, [193.32.160.145]; from=<uoqvikwj8wyiix2q@prague-hotel-ujezulatka.com> to=<postmaster@meinedomain.de> proto=ESMTP helo=<[193.32.160.145]>
Sep 12 18:13:02 panel postfix/smtpd[7126]: NOQUEUE: reject: RCPT from unknown[193.32.160.145]: 450 4.7.25 Client host rejected: cannot find your hostname, [193.32.160.145]; from=<uoqvikwj8wyiix2q@prague-hotel-ujezulatka.com> to=<reply@meinedomain.de> proto=ESMTP helo=<[193.32.160.145]>
Sep 12 18:13:06 panel postfix/smtpd[7151]: connect from unknown[193.32.160.145]
Sep 12 18:13:09 panel postfix/smtpd[7151]: NOQUEUE: reject: RCPT from unknown[193.32.160.145]: 450 4.7.25 Client host rejected: cannot find your hostname, [193.32.160.145]; from=<7h9se71lxknw@havenservice.com> to=<info@meinedomain.de> proto=ESMTP helo=<[193.32.160.145]>
