verification failed messages filling log

Over the last couple of days our customers started getting spam that bypassed the spam server and we started seeing thousands of these messages in the log file on one of our main production servers:

May 23 06:47:28 gto postfix/smtpd[4785]: warning: 189.12.177.10: hostname 18912177010.user.veloxzone.com.br verification failed: Name or service not known
May 23 06:48:25 gto postfix/smtpd[6501]: warning: 187.67.230.219: hostname bb43e6db.virtua.com.br verification failed: Name or service not known
May 23 06:48:25 gto postfix/smtpd[29013]: warning: 87.19.114.58: hostname host58-114-dynamic.19-87-r.retail.telecomitalia.it verification failed: Name or service not known
May 23 06:48:51 gto postfix/smtpd[29013]: warning: 77.109.98.183: hostname 77.109.98.183.adsl.dyn.edpnet.net verification failed: Name or service not known
May 23 06:52:04 gto postfix/smtpd[6501]: warning: 174.34.166.119: hostname 174.34.166.119.rdns.ubiquityservers.com verification failed: Name or service not known
May 23 06:52:16 gto postfix/smtpd[6501]: warning: 118.68.30.181: hostname adsl-dynamic-pool-xxx.hcm.fpt.vn verification failed: Name or service not known
May 23 06:53:02 gto postfix/smtpd[4785]: warning: 216.46.43.237: hostname 216-46-43-237.telebecinternet.net verification failed: Name or service not known

The change corresponded to the creation of a new mail server. The server, it turns out, was too accessible to the outside world, so we shut it off and it appears a majority of the spam has subsided; however, the above messages continue and we are still seeing a trickle of spam to the system. The spam appears to be coming from inside the network.

If you can, please give us some hints to track down the cause of these entries and the spam we are seeing.

Thanks, Jeff

Status: Closed (fixed)

Comments

Howdy -- those log messages are just saying that Postfix wasn't able to resolve those particular server names it's receiving email from.

Can you take one of the spam messages you've received, and attach it (in its entirety) to this request? It may be possible to see what's going on based on the headers of the email.
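Postfix logs "hostname NAME verification failed" when the name returned by the client's reverse (PTR) lookup does not resolve again in a forward lookup ("Name or service not known" is the resolver's error); such a client is then written into the Received: header as "unknown [IP]". The following is an added example, not code from the original ticket or from Postfix, that runs that check-less triage over the seven warning lines quoted above: it parses each line, groups the clients by registrable domain and by minute, and flags PTR names that look auto-generated for consumer or pool addresses (a pool keyword, or the IP's own octets embedded in the name in decimal or hex). The `GENERIC_TOKENS` list, the `CC_SECOND_LEVEL` shortcut and the burst threshold are assumptions chosen for illustration, not Postfix settings.

```python
import re
from collections import Counter

# Shape of the smtpd warning quoted in the ticket above:
#   Mon DD HH:MM:SS host postfix/smtpd[pid]: warning: IP: hostname NAME verification failed: REASON
WARN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"hostname (?P<name>\S+) verification failed: (?P<reason>.+)$"
)

# Assumed keyword list: labels that ISPs use in auto-generated PTR names for pool addresses.
GENERIC_TOKENS = {"dyn", "dynamic", "adsl", "dsl", "ppp", "pool", "user", "dhcp", "cable"}
# Assumed shortcut for "com.br"-style registries: take three labels under these second levels.
CC_SECOND_LEVEL = {"com", "net", "org", "co", "gov", "edu", "ac"}

# The seven lines quoted in the ticket above (copied from the post, not constructed).
SAMPLE_LOG = """\
May 23 06:47:28 gto postfix/smtpd[4785]: warning: 189.12.177.10: hostname 18912177010.user.veloxzone.com.br verification failed: Name or service not known
May 23 06:48:25 gto postfix/smtpd[6501]: warning: 187.67.230.219: hostname bb43e6db.virtua.com.br verification failed: Name or service not known
May 23 06:48:25 gto postfix/smtpd[29013]: warning: 87.19.114.58: hostname host58-114-dynamic.19-87-r.retail.telecomitalia.it verification failed: Name or service not known
May 23 06:48:51 gto postfix/smtpd[29013]: warning: 77.109.98.183: hostname 77.109.98.183.adsl.dyn.edpnet.net verification failed: Name or service not known
May 23 06:52:04 gto postfix/smtpd[6501]: warning: 174.34.166.119: hostname 174.34.166.119.rdns.ubiquityservers.com verification failed: Name or service not known
May 23 06:52:16 gto postfix/smtpd[6501]: warning: 118.68.30.181: hostname adsl-dynamic-pool-xxx.hcm.fpt.vn verification failed: Name or service not known
May 23 06:53:02 gto postfix/smtpd[4785]: warning: 216.46.43.237: hostname 216-46-43-237.telebecinternet.net verification failed: Name or service not known
"""


def parse_warnings(text):
    """Yield one dict per hostname-verification warning; other log lines are ignored."""
    for line in text.splitlines():
        m = WARN_RE.match(line)
        if m:
            yield m.groupdict()


def is_generic_ptr(ip, name):
    """True if the PTR name looks auto-generated: a pool keyword, or the client
    address itself embedded in the name as decimal octets or as 8 hex digits."""
    lname = name.lower()
    labels = set(re.split(r"[.-]", lname))
    if labels & GENERIC_TOKENS:
        return True
    octets = ip.split(".")
    if all(o in labels for o in octets):          # 216-46-43-237.telebecinternet.net
        return True
    compact = lname.replace("-", "").replace(".", "")
    if "".join(octets) in compact:                # 18912177010-style concatenation
        return True
    return "".join(f"{int(o):02x}" for o in octets) in compact  # bb43e6db.virtua.com.br


def registered_domain(name):
    """Rough registrable domain: the last two labels, or three under com.br-style ccTLDs."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def summarize(text, burst_threshold=3):
    """Aggregate the warnings: which networks connect, how many look like pool
    addresses, and the busiest minute (the burst the ticket describes)."""
    by_ip, by_domain, by_reason, per_minute = Counter(), Counter(), Counter(), Counter()
    total = generic = 0
    for w in parse_warnings(text):
        total += 1
        by_ip[w["ip"]] += 1
        by_domain[registered_domain(w["name"])] += 1
        by_reason[w["reason"]] += 1
        per_minute[w["ts"][:-3]] += 1             # drop the seconds: "May 23 06:48"
        if is_generic_ptr(w["ip"], w["name"]):
            generic += 1
    peak = per_minute.most_common(1)[0] if per_minute else (None, 0)
    return {
        "total": total,
        "generic_ptr": generic,
        "by_ip": by_ip,
        "by_domain": by_domain,
        "by_reason": by_reason,
        "peak_minute": peak,
        "bursty": peak[1] >= burst_threshold,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} warnings, {s['generic_ptr']} from generic/pool PTR names")
    for domain, n in s["by_domain"].most_common():
        print(f"  {n:4d}  {domain}")
    print(f"peak minute: {s['peak_minute'][0]} ({s['peak_minute'][1]} warnings), bursty={s['bursty']}")
```

Run it against a real /var/log/mail.log and the interesting numbers are the ratio of generic PTR names to the total and how many distinct domains appear per minute: a few dozen a day from real mail servers with broken DNS is background noise, thousands an hour from residential pools on different networks is a botnet that has found the host.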

I think that's true. We had an open relay for about a day on another box in the same subnet. Before this we got maybe 20 or 30 of those messages a day. Now we are getting close to 8000. I guess having that open relay got someone or something's attention. It looks like the spam still trickling in has somehow figured out how to get through our barracuda filter. Here is one of the headings:

Received: from veloxzone.com.br (unknown [187.89.22.79])
	by gto.methowdata.net (Postfix) with ESMTP id 12FC138818E
	for swifter@methownet.com; Sat, 22 May 2010 12:49:21 -0700 (PDT)
Date: Sat, 22 May 2010 16:49:17 -0300
To: swifter@methownet.com
From: BiggestViagraStore qupyqeku9194@veloxzone.com.br
Subject: To user swifter don't miss 83% discounts. for
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <20100522194922.12FC138818E@gto.methowdata.net>

Until we get into the office in the morning and pore over log files for a while, we might be tilting at windmills (and wasting your time). As always, I appreciate your looking at this and your quick responses. I'll let you know if we find anything puzzling in all this.
Thanks, Jeff

The spam seems to be coming from inside, possibly from the same server but I am a bit puzzled on how to pin it down. Here is a header from one of them:

Microsoft Mail Internet Headers Version 2.0
Received: from mustang.mw.local ([192.168.0.249]) by mustang.mw.local with Microsoft SMTPSVC(5.0.2195.7381);
	 Mon, 24 May 2010 05:15:37 -0700
Received: by mustang.mw.local (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Individual POP3 Download)
	 id MSG05242010-051535-1876.MMD@mw.local for maria@methownet.com; Mon, 24 May 2010 05:15:35 -0700
Return-Path: ubarywabe8660@vodafone.de
X-Original-To: maria@methownet.com
Delivered-To: maria.methownet@gto.methowdata.net
Received: from vodafone.de (ip-109-40-244-11.web.vodafone.de [109.40.244.11])
	by gto.methowdata.net (Postfix) with ESMTP id 921323881DC
	for maria@methownet.com; Mon, 24 May 2010 05:08:49 -0700 (PDT)
From: OriginalViagra E-Store ubarywabe8660@vodafone.de
To: maria@methownet.com
Subject: Today's discounts for maria. 79% discounted prices. of seasons ISBN area j
Date: Mon, 24 May 2010 14:08:52 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: 20100524120849.921323881DC@gto.methowdata.net
X-OriginalArrivalTime: 24 May 2010 12:15:37.0449 (UTC) FILETIME=[D1787D90:01CAFB3A]

Can you let me know how I might find out where this is coming from? It is not coming through our firewall, so it is most likely from some internal source.

Thanks, Jeff

It sounds like you may have this figured out now -- but to determine where the email came from, you could take a look at the received headers.

For example, do you have a system named "mustang.mw.local" on your LAN? There's a received header listing that (with IP "192.168.0.249") in the email you mentioned.

If you have any further questions though, just let us know.