How did this get through?
Troy Carpenter
troy at carpenter.cx
Wed Mar 26 14:55:08 CET 2014
Short of this person hacking my password (as may be indicated by the second
line in the log below and which has since been changed), how did the email
below get through my system? I've searched my logs and only found this one
instance, so I know it's not happening regularly.
I saw a bounce notification from my ISP in my inbox that a message was
identified as spam (rightfully so). Here's the whole exchange from my logs:
Mar 26 08:18:16 mail postfix/submission/smtpd[25019]: connect from
unknown[85.26.199.161]
Mar 26 08:18:19 mail postfix/submission/smtpd[25019]: 52AD338A1:
client=unknown[85.26.199.161], sasl_method=PLAIN,
sasl_username=troy at carpenter.cx
Mar 26 08:18:20 mail postfix/cleanup[25025]: 52AD338A1: message-id=<>
Mar 26 08:18:20 mail postfix/qmgr[1873]: 52AD338A1:
from=<troy at carpenter.cx>, size=1144, nrcpt=1 (queue active)
Mar 26 08:18:20 mail postfix/submission/smtpd[25019]: disconnect from
unknown[85.26.199.161]
Mar 26 08:18:26 mail postfix/smtpd[25029]: connect from
localhost.localdomain[127.0.0.1]
Mar 26 08:18:26 mail postfix/smtpd[25029]: 187D91264:
client=unknown[85.26.199.161]
Mar 26 08:18:26 mail postfix/cleanup[25031]: 187D91264: message-id=<>
Mar 26 08:18:26 mail postfix/smtpd[25029]: disconnect from
localhost.localdomain[127.0.0.1]
Mar 26 08:18:26 mail postfix/qmgr[1873]: 187D91264:
from=<troy at carpenter.cx>, size=1190, nrcpt=1 (queue active)
Mar 26 08:18:26 mail amavis[21033]: (21033-09) Passed CLEAN
{RelayedOpenRelay}, [85.26.199.161]:41996 <troy at carpenter.cx> ->
<sryqv at drdrb.com>, mail_id: i0nq-5nrG_n6, Hits: 2.221, size: 1144,
queued_as: 187D91264, 5814 ms
Mar 26 08:18:26 mail postfix/smtp[25026]: 52AD338A1: to=<sryqv at drdrb.com>,
relay=127.0.0.1[127.0.0.1]:10024, delay=7.3, delays=1.4/0.01/0/5.8,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as 187D91264)
Mar 26 08:18:26 mail postfix/qmgr[1873]: 52AD338A1: removed
Mar 26 08:18:36 mail postfix/smtp[25032]: 187D91264: to=<sryqv at drdrb.com>,
relay=smtp.charter.net[209.225.8.224]:25, delay=11,
delays=0.03/0.01/0.16/11, dsn=5.2.0, status=bounced (host
smtp.charter.net[209.225.8.224] said: 550 5.2.0 iCJT1n00J2CZidC05CJTc4
Message identified as SPAM - Please visit http://www.charter.com/postmaster
E5110 (in reply to end of DATA command))
Mar 26 08:18:36 mail postfix/cleanup[25036]: E5D5838B3:
message-id=<20140326121836.E5D5838B3 at mail.carpenter.cx>
Mar 26 08:18:36 mail postfix/bounce[25035]: 187D91264: sender non-delivery
notification: E5D5838B3
Mar 26 08:18:36 mail postfix/qmgr[1873]: E5D5838B3: from=<>, size=3318,
nrcpt=1 (queue active)
Mar 26 08:18:36 mail postfix/qmgr[1873]: 187D91264: removed
Mar 26 08:18:37 mail lmtpunix[24907]: Delivered:
<20140326121836.E5D5838B3 at mail.carpenter.cx> to mailbox:
carpenter.cx!user.troy
Mar 26 08:18:37 mail postfix/lmtp[25038]: E5D5838B3: to=<troy at carpenter.cx>,
relay=mail.carpenter.cx[/var/lib/imap/socket/lmtp], delay=0.12,
delays=0.03/0.01/0/0.08, dsn=2.1.5, status=sent (250 2.1.5 Ok
SESSIONID=<mail.carpenter.cx-24907-1395836316-1>)
Mar 26 08:18:37 mail postfix/qmgr[1873]: E5D5838B3: removed
Here are some relevant lines from my postfix configs:
smtp       inet  n       -       n       -       -       smtpd
2525       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o cleanup_service_name=cleanup_submission
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_authenticated_header=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_data_restrictions=$submission_data_restrictions
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
  -o smtpd_sender_restrictions=$submission_sender_restrictions
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

submission_sender_restrictions = reject_non_fqdn_sender,
    check_policy_service unix:private/submission_policy,
    permit_sasl_authenticated,
    reject
submission_recipient_restrictions = check_policy_service unix:private/submission_policy,
    permit_sasl_authenticated,
    reject
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_invalid_helo_hostname,
    check_policy_service unix:private/recipient_policy_incoming,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dbsbl.sorbs.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client rhsbl.sorbs.net,
    permit
smtpd_sender_restrictions = permit_mynetworks,
    check_policy_service unix:private/sender_policy_incoming
I notice that smtpd_recipient_restrictions isn't mentioned in the master.cf
file; however, I've seen in the logs that the reject_rbl_client lines get hit and
reject all kinds of email, so I know they are getting used somehow.
Any advice?
Troy Carpenter
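As an added example (not part of the post or of Postfix), here is a small log check that reads submission smtpd lines like the ones above, joins the SASL login record to its recipient by queue id, and flags authenticated logins whose client IP lies outside an assumed list of trusted networks. The sample log lines and the trusted network are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines modelled on the post's log (addresses in the list's "at" form).
SAMPLE_LOG = """\
Mar 26 08:18:16 mail postfix/submission/smtpd[25019]: connect from unknown[85.26.199.161]
Mar 26 08:18:19 mail postfix/submission/smtpd[25019]: 52AD338A1: client=unknown[85.26.199.161], sasl_method=PLAIN, sasl_username=troy at carpenter.cx
Mar 26 08:18:20 mail postfix/qmgr[1873]: 52AD338A1: from=<troy at carpenter.cx>, size=1144, nrcpt=1 (queue active)
Mar 26 08:18:26 mail postfix/smtp[25026]: 52AD338A1: to=<sryqv at drdrb.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 187D91264)
Mar 26 09:02:11 mail postfix/submission/smtpd[25100]: 7C1A5E2F0: client=laptop.lan[192.168.1.20], sasl_method=PLAIN, sasl_username=troy at carpenter.cx
"""

# Assumed: the networks this account's mail clients normally submit from.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Matches the smtpd line that records a SASL login (any syslog_name, e.g. postfix/submission).
SASL_RE = re.compile(
    r"postfix/(?:(?P<service>\w+)/)?smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=[^\[]+\[(?P<ip>[^\]]+)\], sasl_method=(?P<method>\w+), "
    r"sasl_username=(?P<user>.+)$")
# Matches the delivery line that names the recipient for the same queue id.
RCPT_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>")

def parse_sasl_submissions(log_text):
    """One record per SASL-authenticated message, with recipients joined by queue id."""
    records = {}
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            records[m["qid"]] = {"qid": m["qid"], "service": m["service"] or "smtp",
                                 "ip": m["ip"], "method": m["method"],
                                 "user": m["user"].strip(), "rcpts": []}
            continue
        m = RCPT_RE.search(line)
        if m and m["qid"] in records:
            records[m["qid"]]["rcpts"].append(m["rcpt"])
    return list(records.values())

def flag_untrusted(records, trusted=TRUSTED_NETS):
    """Authenticated submissions whose client IP lies outside the trusted networks."""
    return [r for r in records
            if not any(ipaddress.ip_address(r["ip"]) in net for net in trusted)]

if __name__ == "__main__":
    for r in flag_untrusted(parse_sasl_submissions(SAMPLE_LOG)):
        print(f"{r['qid']}: {r['user']} logged in ({r['method']}) from {r['ip']} "
              f"via {r['service']} -> {', '.join(r['rcpts'])}")
```

Run against the sample, it reports only the 52AD338A1 login from 85.26.199.161, which is the same signal the post's log shows: the message entered through the submission service with valid SASL credentials, so permit_sasl_authenticated let it through.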