
Messages - djfininho

1
E-Mail / Re: Email server counting more sent than received
« on: January 24, 2025, 11:36:53 AM »
Hello cyberspace.

Sorry for the delay in responding.

My concern is not that the server registers two entries, but rather that it registers two exits without anyone having sent an email from our server.

It turns out that when receiving an email from Gmail, for example, our server registers an entry and an exit, as if Postfix were responding to the sender, but nothing reaches the sender; where it went, or to whom, I don't know...

Before you ask, the server is not configured to respond to emails automatically.

2
E-Mail / Re: Email server counting more sent than received
« on: January 15, 2025, 02:36:08 AM »
Hi,

It looks fine to me. According to the logs your email comes through the antispam system (amavis/spamd). If the message isn't blocked by the antispam system then it is accepted by the mail system again, and it sends the email to the destination mail host.

Hello cyberspace,

So it seems fine, but why do the email statistics show the following result when an email is received?

When I send an email from Gmail to an email account on the CWP server, it shows the following:
2 Received
2 Delivered
So I go to Gmail to check if anything has been returned and it doesn't show anything.

Wouldn't it be correct, when receiving an email, to have it like this?
1 Received
0 Delivered

The CWP server always has more outgoing emails than incoming ones.

I installed Email_Delivery to try to understand the result, which shows 2 emails received from the same sender, but none of them were sent to the sender.

But in the server's email box, there is only 1 received email.

See the result from a few weeks ago. I've already run all of the CWP security features looking for malware, viruses or anything like that, but they don't find anything. I don't know where all of these sent or received emails went.
4071 Received
4260 Delivered

I don't know if you understood, I don't speak English, I'm using a translator.

3
E-Mail / Email server counting more sent than received
« on: January 12, 2025, 03:23:51 AM »
Hello, has anyone else experienced this?

I have the impression that CWP or Postfix is duplicating the email sending count.
Another thing I noticed is that when I receive 1 (one) email, it is automatically marked as if I had sent another.

With this duplicated count, it looks as if my server were sending more emails than it is receiving.

In the log below, I sent an email to 1 (one) destination, and 2 (two) emails were counted as outgoing.

Destination email
destination@gmail.com

Can someone help me?

Outgoing email
Jan 11 22:58:32 srv postfix/smtpd[2161646]: connect from xxxxx.net[xxx.xxx.xxx.xxx]
Jan 11 22:58:32 srv postfix/smtpd[2161646]: Anonymous TLS connection established from xxxxx.net[xxx.xxx.xxx.xxx] to mail.xxxxx.net: TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)
Jan 11 22:58:32 srv cbpolicyd[2142234]: module=Quotas, mode=update, host=xxx.xxx.xxx.xxx, helo=localhost, from=mymail@xxxxx.net, to=djfininho@gmail.com, reason=quota_update, policy=11, quota=8, limit=9, track=Sender:@xxxxx.net, counter=MessageCount, quota=2.72/50 (5.4%)
Jan 11 22:58:32 srv postfix/smtpd[2161646]: EB2EBC10F339: client=xxxxx.net[xxx.xxx.xxx.xxx], sasl_method=LOGIN, sasl_username=mymail@xxxxx.net
Jan 11 22:58:33 srv postfix/cleanup[2161651]: EB2EBC10F339: message-id=<6375de5c02a44c5a97a9e5dbce2572e7@xxxxx.net>
Jan 11 22:58:33 srv opendkim[1545]: EB2EBC10F339: DKIM-Signature field added (s=default, d=xxxxx.net)
Jan 11 22:58:33 srv postfix/qmgr[2158094]: EB2EBC10F339: from=<mymail@xxxxx.net>, size=1285, nrcpt=1 (queue active)
Jan 11 22:58:33 srv postfix/smtpd[2161646]: disconnect from xxxxx.net[xxx.xxx.xxx.xxx] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jan 11 22:58:34 srv postfix/smtpd[2161660]: connect from unknown[127.0.0.1]
Jan 11 22:58:34 srv postfix/smtpd[2161660]: 1DA4FC10F33E: client=unknown[127.0.0.1]
Jan 11 22:58:34 srv postfix/cleanup[2161651]: 1DA4FC10F33E: message-id=<6375de5c02a44c5a97a9e5dbce2572e7@xxxxx.net>
Jan 11 22:58:34 srv opendkim[1545]: 1DA4FC10F33E: DKIM-Signature field added (s=default, d=xxxxx.net)
Jan 11 22:58:34 srv postfix/qmgr[2158094]: 1DA4FC10F33E: from=<mymail@xxxxx.net>, size=2079, nrcpt=1 (queue active)
Jan 11 22:58:34 srv postfix/smtpd[2161660]: disconnect from unknown[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 11 22:58:34 srv amavis[2139902]: (2139902-18) Passed CLEAN {RelayedOpenRelay}, [xxx.xxx.xxx.xxx]:40660 [xxx.xxx.xxx.xxx] <mymail@xxxxx.net> -> <destination@gmail.com>, Queue-ID: EB2EBC10F339, Message-ID: <6375de5c02a44c5a97a9e5dbce2572e7@xxxxx.net>, mail_id: QEfO4D2z0ZOt, Hits: -1.197, size: 1609, queued_as: 1DA4FC10F33E, dkim_sd=default:xxxxx.net, 1093 ms
Jan 11 22:58:34 srv postfix/smtp[2161652]: EB2EBC10F339: to=<destination@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.25/0.02/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1DA4FC10F33E)
Jan 11 22:58:34 srv postfix/qmgr[2158094]: EB2EBC10F339: removed
Jan 11 22:58:37 srv postfix/smtp[2161663]: 1DA4FC10F33E: to=<destination@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.0.27]:25, delay=3, delays=0.08/0.03/2.2/0.76, dsn=2.0.0, status=sent (250 2.0.0 OK  1736650717 586e51a60fabf-2ad80accbe5si4416200fac.250 - gsmtp)
Jan 11 22:58:37 srv postfix/qmgr[2158094]: 1DA4FC10F33E: removed


Incoming email
Jan 11 23:08:08 srv postfix/smtpd[2162800]: connect from mail-qv1-f47.google.com[209.85.219.47]
Jan 11 23:08:08 srv postfix/smtpd[2162800]: TLS SNI server.qosinfo.net.br from mail-qv1-f47.google.com[209.85.219.47] not matched, using default chain
Jan 11 23:08:08 srv postfix/smtpd[2162800]: Anonymous TLS connection established from mail-qv1-f47.google.com[209.85.219.47]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 11 23:08:09 srv cbpolicyd[2160463]: module=Quotas, mode=update, host=209.85.219.47, helo=mail-qv1-f47.google.com, from=xxxxxx@gmail.com, to=mymail@xxxxxx.net, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:@gmail.com, counter=MessageCount, quota=1.00/2 (50.0%)
Jan 11 23:08:09 srv postfix/smtpd[2162800]: 742FBC10F339: client=mail-qv1-f47.google.com[209.85.219.47]
Jan 11 23:08:09 srv postfix/cleanup[2162859]: 742FBC10F339: message-id=<CAOd3ZwV-U9fb_79oavowc=nQjDyuhfnXX=S78a-gnPjw5MdVvA@mail.gmail.com>
Jan 11 23:08:09 srv opendkim[1545]: 742FBC10F339: mail-qv1-f47.google.com [209.85.219.47] not internal
Jan 11 23:08:09 srv opendkim[1545]: 742FBC10F339: not authenticated
Jan 11 23:08:09 srv opendkim[1545]: 742FBC10F339: DKIM verification successful
Jan 11 23:08:09 srv postfix/qmgr[2158094]: 742FBC10F339: from=<xxxxxx@gmail.com>, size=3576, nrcpt=1 (queue active)
Jan 11 23:08:09 srv spamc[2162861]: connect to spamd on ::1 failed, retrying (#1 of 3): Connection refused
Jan 11 23:08:09 srv spamd[1872083]: spamd: connection from 127.0.0.1 [127.0.0.1]:47508 to port 783, fd 5
Jan 11 23:08:09 srv spamd[1872083]: spamd: processing message <CAOd3ZwV-U9fb_79oavowc=nQjDyuhfnXX=S78a-gnPjw5MdVvA@mail.gmail.com> for nobody:65534
Jan 11 23:08:09 srv postfix/smtpd[2162800]: disconnect from mail-qv1-f47.google.com[209.85.219.47] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Jan 11 23:08:09 srv spamd[1872083]: spamd: clean message (-0.1/2.0) for nobody:65534 in 0.3 seconds, 3656 bytes.
Jan 11 23:08:09 srv spamd[1872083]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,SPF_HELO_NONE,TVD_SPACE_RATIO scantime=0.3,size=3656,user=nobody,uid=65534,required_score=2.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=47508,mid=<CAOd3ZwV-U9fb_79oavowc=nQjDyuhfnXX=S78a-gnPjw5MdVvA@mail.gmail.com>,autolearn=unavailable autolearn_force=no
Jan 11 23:08:09 srv postfix/pickup[2158093]: E5334C10F33E: uid=65534 from=<xxxxxx@gmail.com>
Jan 11 23:08:09 srv postfix/pipe[2162860]: 742FBC10F339: to=<mymail@xxxxxx.net>, relay=spamassassin, delay=0.86, delays=0.54/0.01/0/0.31, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jan 11 23:08:09 srv postfix/qmgr[2158094]: 742FBC10F339: removed
Jan 11 23:08:09 srv postfix/cleanup[2162859]: E5334C10F33E: message-id=<CAOd3ZwV-U9fb_79oavowc=nQjDyuhfnXX=S78a-gnPjw5MdVvA@mail.gmail.com>
Jan 11 23:08:09 srv opendkim[1545]: E5334C10F33E: no signing table match for 'xxxxxx@gmail.com'
Jan 11 23:08:09 srv opendkim[1545]: E5334C10F33E: DKIM verification successful
Jan 11 23:08:10 srv postfix/qmgr[2158094]: E5334C10F33E: from=<xxxxxx@gmail.com>, size=4295, nrcpt=1 (queue active)
Jan 11 23:08:10 srv postfix/lmtp[2162866]: E5334C10F33E: to=<mymail@xxxxxx.net>, relay=srv.qosinfo.net.br[private/dovecot-lmtp], delay=0.26, delays=0.11/0.02/0.01/0.11, dsn=2.0.0, status=sent (250 2.0.0 <mymail@xxxxxx.net> IPLtAxoyg2ezACEAPOYtsw Saved)
Jan 11 23:08:10 srv postfix/qmgr[2158094]: E5334C10F33E: removed
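
The two logs above show every message passing through Postfix twice. The outgoing message is accepted under queue ID EB2EBC10F339, handed to amavis on 127.0.0.1:10024, and amavis reinjects it on port 10025 under a new queue ID, 1DA4FC10F33E (the amavis line says queued_as: 1DA4FC10F33E, and the first delivery line says "250 2.0.0 Ok: queued as 1DA4FC10F33E"); only the second queue ID actually reaches Gmail. The incoming message does the same dance with the spamassassin pipe: 742FBC10F339 is "delivered via spamassassin service", and the message comes back through the pickup service as E5334C10F33E (uid 65534, same Message-ID) before LMTP delivery to Dovecot. A counter that keys on queue IDs, or on status=sent lines, therefore reports 2 received and 2 delivered per message, which is exactly the 2/2 figure in the thread. The script below is an added example, not code from the post or from CWP; it groups queue IDs by Message-ID (which the content filter preserves across reinjection) and classifies each message by where it entered and where its last hop went. The sample log lines are copied from the post, with the poster's masking kept.

```python
import re
from collections import OrderedDict

# Constructed sample: the lines from the post's two exchanges that the parser
# needs (hostnames and addresses as the poster masked them). Nothing else added.
SAMPLE_LOG = """\
Jan 11 22:58:32 srv postfix/smtpd[2161646]: EB2EBC10F339: client=xxxxx.net[xxx.xxx.xxx.xxx], sasl_method=LOGIN, sasl_username=mymail@xxxxx.net
Jan 11 22:58:33 srv postfix/cleanup[2161651]: EB2EBC10F339: message-id=<6375de5c02a44c5a97a9e5dbce2572e7@xxxxx.net>
Jan 11 22:58:34 srv postfix/smtpd[2161660]: 1DA4FC10F33E: client=unknown[127.0.0.1]
Jan 11 22:58:34 srv postfix/cleanup[2161651]: 1DA4FC10F33E: message-id=<6375de5c02a44c5a97a9e5dbce2572e7@xxxxx.net>
Jan 11 22:58:34 srv postfix/smtp[2161652]: EB2EBC10F339: to=<destination@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.25/0.02/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1DA4FC10F33E)
Jan 11 22:58:37 srv postfix/smtp[2161663]: 1DA4FC10F33E: to=<destination@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.0.27]:25, delay=3, delays=0.08/0.03/2.2/0.76, dsn=2.0.0, status=sent (250 2.0.0 OK  1736650717 586e51a60fabf-2ad80accbe5si4416200fac.250 - gsmtp)
Jan 11 23:08:09 srv postfix/smtpd[2162800]: 742FBC10F339: client=mail-qv1-f47.google.com[209.85.219.47]
Jan 11 23:08:09 srv postfix/cleanup[2162859]: 742FBC10F339: message-id=<CAOd3ZwV-U9fb_79oavowc=nQjDyuhfnXX=S78a-gnPjw5MdVvA@mail.gmail.com>
Jan 11 23:08:09 srv postfix/pickup[2158093]: E5334C10F33E: uid=65534 from=<xxxxxx@gmail.com>
Jan 11 23:08:09 srv postfix/pipe[2162860]: 742FBC10F339: to=<mymail@xxxxxx.net>, relay=spamassassin, delay=0.86, delays=0.54/0.01/0/0.31, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jan 11 23:08:09 srv postfix/cleanup[2162859]: E5334C10F33E: message-id=<CAOd3ZwV-U9fb_79oavowc=nQjDyuhfnXX=S78a-gnPjw5MdVvA@mail.gmail.com>
Jan 11 23:08:10 srv postfix/lmtp[2162866]: E5334C10F33E: to=<mymail@xxxxxx.net>, relay=srv.qosinfo.net.br[private/dovecot-lmtp], delay=0.26, delays=0.11/0.02/0.01/0.11, dsn=2.0.0, status=sent (250 2.0.0 <mymail@xxxxxx.net> IPLtAxoyg2ezACEAPOYtsw Saved)
"""

QID = r'(?P<qid>[0-9A-F]{8,})'
RE_CLIENT = re.compile(r'postfix/smtpd\[\d+\]: ' + QID + r': client=(?P<client>[^,\s]+)'
                       r'(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?')
RE_PICKUP = re.compile(r'postfix/pickup\[\d+\]: ' + QID + r': uid=(?P<uid>\d+)')
RE_CLEANUP = re.compile(r'postfix/cleanup\[\d+\]: ' + QID + r': message-id=<(?P<mid>[^>]*)>')
RE_DELIVER = re.compile(r'postfix/(?P<agent>smtp|lmtp|local|virtual|pipe)\[\d+\]: ' + QID +
                        r': to=<[^>]*>, (?:orig_to=<[^>]*>, )?relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)')


def hop_kind(agent, relay):
    """Where a delivery attempt went: a local mailbox, back into a content filter, or off-host."""
    if agent in ('lmtp', 'local', 'virtual'):
        return 'local'
    if agent == 'pipe' or relay.startswith(('127.0.0.1', 'localhost', '[::1]')):
        return 'filter'   # amavis/spamassassin hand-off: the same message returns under a new queue ID
    return 'external'


def parse(log_text):
    """One record per Postfix queue ID: how it entered, its Message-ID, and where its deliveries went."""
    recs = OrderedDict()

    def rec(qid):
        return recs.setdefault(qid, {'origin': None, 'mid': None, 'hops': []})

    for line in log_text.splitlines():
        m = RE_CLIENT.search(line)
        if m:
            ip = m['client'].rsplit('[', 1)[-1].rstrip(']')
            rec(m['qid'])['origin'] = ('submission' if m['user'] else
                                       'loopback' if ip in ('127.0.0.1', '::1') else 'inbound')
            continue
        m = RE_PICKUP.search(line)
        if m:
            rec(m['qid'])['origin'] = 'pickup'   # local sendmail/postdrop submission
            continue
        m = RE_CLEANUP.search(line)
        if m:
            rec(m['qid'])['mid'] = m['mid']
            continue
        m = RE_DELIVER.search(line)
        if m and m['status'] == 'sent':
            rec(m['qid'])['hops'].append(hop_kind(m['agent'], m['relay']))
    return recs


def summarize(log_text):
    """Compare a queue-ID-based count (what a naive statistics page does) with a per-message count."""
    recs = parse(log_text)
    naive = {'queue_ids': len(recs),
             'sent_lines': sum(len(r['hops']) for r in recs.values())}
    chains = OrderedDict()               # Message-ID -> queue-ID records, in order of first appearance
    for qid, r in recs.items():
        chains.setdefault(r['mid'] or qid, []).append(r)
    counts = {'messages': len(chains), 'inbound': 0, 'submitted': 0,
              'delivered_local': 0, 'sent_external': 0}
    for chain in chains.values():
        origin = chain[0]['origin']      # how the message first entered the queue
        if origin == 'inbound':
            counts['inbound'] += 1
        elif origin == 'submission':
            counts['submitted'] += 1
        hops = [h for r in chain for h in r['hops']]
        if hops and hops[-1] == 'local':         # last hop decides: mailbox here, or another MTA
            counts['delivered_local'] += 1
        elif hops and hops[-1] == 'external':
            counts['sent_external'] += 1
    return naive, counts


if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

Run it over the real file with summarize(open('/var/log/maillog').read()). On the two exchanges from the post the queue-ID count comes out at 4 IDs and 4 sent lines (two per message), while the per-message count is 2 messages: 1 inbound that was delivered locally and 1 authenticated submission that went out to Gmail. If the per-message outbound count is still higher than the submissions you can account for, that is the moment to worry; a surplus that is only visible in the queue-ID count is the filter reinjection, not a leak.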

4
Information / Re: Changelogs
« on: July 16, 2024, 08:58:10 PM »
Would be great if someone could take a few minutes on every update to post here: https://control-webpanel.com/changelog. Some of us like to know what's new and what's fixed.


My friend, to be honest, they don't care anymore... as if I didn't owe obligations to anyone... I, for example, had a problem with them regarding payment in which the payment was debited twice from my card... I only got a response months after opening the ticket...

Now imagine their attention to a simple changelog

This is regrettable, it does not convey professionalism.

5
SSL / All sites have stopped ERR_SSL_PROTOCOL_ERROR
« on: September 26, 2023, 02:26:20 AM »
Help please!

All sites have stopped working and all are giving the error ERR_SSL_PROTOCOL_ERROR.

I rebuilt the Apache web service
I disabled the firewall
I restarted the server
I recreated the certificate
I executed the command
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt

Nothing resolved it; port 443 is open. Does anyone have any ideas to help resolve this?

6
E-Mail / Re: I received email from my own email account
« on: June 05, 2023, 01:23:21 PM »
Hello overseer!

About the generic contact address, I think it is difficult to hide any e-mail, because on some sites you need to print the contact e-mail as it is.

We do not do business with Thailand. Our e-mail server already has all the standard CWP RBLs in place, including the reject option.

I did notice, though, that SpamAssassin is not working properly, because it rejects some things and lets others pass that are blacklisted and have no SPF or DKIM.

I'll look into the ASSP.


Thank you for the contact.

7
E-Mail / I received email from my own email account
« on: June 02, 2023, 07:10:08 PM »
Hello, I have another problem.

Friends, I would like to understand how this is possible and how to prevent it from happening.
It's as if I had sent an email to myself; looking at the headers, I noticed that the IP is not my server's.

IP: 210.86.179.238 (unknown)
Domain: travelyamu.com (unknown)

My host has:
rDNS: OK
DKIM: OK
SPF: OK
DMARC: OK
IP: OK (not blacklisted)

I just think that SpamAssassin is not working well, because this email ended up in the inbox, bypassing the spam box.

I don't understand how this still happens...
I would like to understand these headers, and solve this problem.


Return-Path: <sales@travelyamu.com>
Delivered-To: contact@xxxxxxxxxx.xxx
Received: from server.xxxxxxxxxx.xxx
    by server.xxxxxxxxxx.xxx with LMTP
    id +P6fLMGEd2Q8oRcARjsZHA
    (envelope-from <sales@travelyamu.com>)
    for <contact@xxxxxxxxxx.xxx>; Wed, 31 May 2023 13:32:49 -0400
Received: by server.xxxxxxxxxx.xxx (Postfix, from userid 65534)
    id A19EE4121FC7; Wed, 31 May 2023 13:32:49 -0400 (-04)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=xxxxxxxxxx.xxx;
    s=default; t=1685554369;
    bh=RCwBhXFv13WAYkTWI9Cnim8HL4OwdIpgQ/eUQEz3aPw=;
    h=Reply-To:From:To:Subject:Date;
    b=YqZX2Zlv2rGPe2HU34fu7/ZmDLObGWHWYhEjHyWIArJREPnZvWX1NxvdUVZTYzpIH
    KicVt9VTvMv5EJ4uKKmAgtmpZwaT1pCRWME0xywTiYKb7dXgcfpOfv9SKWv4aWRGLq
    P7IdfMG77Lrclgs5Y25mqeGVB5x7hTIqy6ArXlWg=
Received: from 6069247.yamu.asia (6069247.yamu.asia [162.240.65.200])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by server.xxxxxxxxxx.xxx (Postfix) with ESMTPS id B0935412187D
    for <contact@xxxxxxxxxx.xxx>; Wed, 31 May 2023 13:32:46 -0400 (-04)
Authentication-Results: server.xxxxxxxxxx.xxx;
    dkim=pass (2048-bit key, unprotected) header.d=travelyamu.com header.i=@travelyamu.com header.a=rsa-sha256 header.s=default header.b=ohs+C4Z0
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=travelyamu.com; s=default; h=Content-Transfer-Encoding:Content-Type:
    MIME-Version:Message-ID:Date:Subject:To:From:Reply-To:Sender:Cc:Content-ID:
    Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
    :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
    List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=RCwBhXFv13WAYkTWI9Cnim8HL4OwdIpgQ/eUQEz3aPw=; b=ohs+C4Z0e4GReFCsnrKN4XBj4A
    LIhIifxaik9UkuwcaFmEqIaKeam6piWSpsGdfzF+Bdm6lsfBpoUWw9JZykX8IXVr5LrLY7tJEHKWU
    ASpKyTF/6as0+lxe2LCOCxGCeHMvmJqB9Iqox/Vi3jD5DTA3FdE+cVRYPn1YXDI4LS4Y/CZWfbqB0
    +DOGKEu+sEuCJNSReNdNr8lXAsNj2M2EW6fIJbZ/fOvguAzovhExjoN+lpCnotHp9w86BK4vU/rfG
    HS++vnkPApJxSgCJauofBEgpKiie6A4aTXrZs5CdHqAdT/DmPCVKjx5FSdChSRfNIE9vn8mXmLO//
    EGxNCaAQ==;
Received: from ppp-210-86-179-238.revip.asianet.co.th ([210.86.179.238]:60062 helo=travelyamu.com)
    by 6069247.yamu.asia with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96)
    (envelope-from <sales@travelyamu.com>)
    id 1q4Pgh-0002aT-0M
    for contact@xxxxxxxxxx.xxx;
    Wed, 31 May 2023 12:32:42 -0500
Reply-To: contact@xxxxxxxxxx.xxx
From: contact@xxxxxxxxxx.xxx
To: contact@xxxxxxxxxx.xxx
Subject: Your personal data has leaked due to suspected harmful activities. #927654
Date: 1 Jun 2023 00:32:40 +0700
Message-ID: <20230601003240.B847EDDBCF98D765@xxxxxxxxxx.xxx>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - 6069247.yamu.asia
X-AntiAbuse: Original Domain - xxxxxxxxxx.xxx
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - travelyamu.com
X-Get-Message-Sender-Via: 6069247.yamu.asia: authenticated_id: sales@travelyamu.com
X-Authenticated-Sender: 6069247.yamu.asia: sales@travelyamu.com
X-Source:
X-Source-Args:
X-Source-Dir:

8
E-Mail / Re: zombie attack target email account
« on: May 29, 2023, 07:37:17 PM »
And have you hardened your postfix installation to prevent relaying? Pay particular attention to the $mynetworks and $relay_domains directives. Do you have UCE controls properly implemented in Postfix? Don't trust the defaults -- they are just a starting point. You should be much more restrictive than what CWP provides as an initial basis.


Hello overseer.

Yes yes, and I am also monitoring more often.

Thank you for your attention.

9
E-Mail / Re: postfix sending email every minute
« on: May 29, 2023, 07:31:56 PM »
Yes, cyberspace mentioned the most common vector for spam sending on servers: an insecure PHP script that gets exploited/abused to send bulk UCE (unsolicited commercial e-mail). I'm sorry I neglected to mention the possibility in my response, because that's the most common vector these days. In fact, the only mail abuse I've seen on my servers is via a malicious PHP script implanted via a WordPress vulnerability. You may want to consider closing off the PHP mailer vector altogether and require ONLY authenticated SMTP on the server for mail sending. It depends on your situation, but really I would say generally that using the PHP mailer functionality is "lazy coding" and you should only use SMTP AUTH for accounting purposes; it's clear who is sending what and everything is logged.


hello overseer

I disabled sending email directly through PHP; now sending is only via SMTP AUTH.

After these suggestions I was able to stop those submissions.

Thank you all for your help.

10
E-Mail / Re: postfix sending email every minute
« on: May 29, 2023, 01:12:05 PM »
Check HTTP/HTTPS access logs of the websites associated with the user "agendada". I assume some website hosted in the account of the user "agendada" could contain some unprotected mail form or vulnerable mail script. It could be bombarded by spam bots. That is why you could get a lot of mail delivery failures. To solve the problem with the form, protect the form using Google reCaptcha or similar method. In case the bounces are caused by the vulnerable mail script then to avoid the spam submission the script must check the referrer, verify some hidden data from the form, etc.

hello cyberspace

I hadn't thought of that possibility; I'll check the logs.

Thanks

11
E-Mail / Re: postfix sending email every minute
« on: May 29, 2023, 01:10:07 PM »
By your log, it looks to be agendada, UID 1010
Try running:
id 1010
to find the associated account. Then go into your admin panel and rate limit the amount of mail messages the account can send in an hour, to contain collateral damage while you investigate.

I would seriously consider enacting some Postfix rate limiting restrictions as well in /etc/postfix/main.cf:
##//delivery rate controls/restrictions
# Parallel delivery force (local=2 and dest=20 are aggressive)
local_destination_concurrency_limit = 6
default_destination_concurrency_limit = 30
# Max flow rate (1 sec delay per 50 emails/sec over the number of emails delivered/sec)
in_flow_delay = 1s
# Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 10s 
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
# limit max sends per minute
anvil_rate_time_unit = 60s
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_recipient_rate_limit = 30
smtpd_client_message_rate_limit = 30

Hello, overseer

In fact, the user agendada does exist; there just aren't those email accounts (agendada@server.xxxxxxx.xxx.xx).
I'll make the settings you gave me.

Thanks



12
E-Mail / postfix sending email every minute
« on: May 27, 2023, 12:25:27 PM »
Now this problem too.
I recently noticed that Postfix writes this log every minute, but I can't find the emails that were sent, or the email account used for sending and receiving.

May 27 08:11:02 server postfix/pickup[575682]: F2E74412187D: uid=1010 from=<agendada>
May 27 08:11:02 server postfix/cleanup[571398]: F2E74412187D: message-id=<20230527121102.F2E74412187D@server.xxxxxxx.xxx.xx>
May 27 08:11:03 server opendkim[1093]: F2E74412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:11:03 server postfix/qmgr[371490]: F2E74412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:11:03 server postfix/local[548309]: F2E74412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.55, delays=0.37/0.03/0/0.15, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:11:03 server postfix/qmgr[371490]: F2E74412187D: removed
May 27 08:12:02 server postfix/pickup[575682]: 6FDB5412187D: uid=1010 from=<agendada>
May 27 08:12:02 server postfix/cleanup[571398]: 6FDB5412187D: message-id=<20230527121202.6FDB5412187D@server.xxxxxxx.xxx.xx>
May 27 08:12:02 server opendkim[1093]: 6FDB5412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:12:02 server postfix/qmgr[371490]: 6FDB5412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:12:03 server postfix/local[548309]: 6FDB5412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.68, delays=0.49/0.05/0/0.14, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:12:03 server postfix/qmgr[371490]: 6FDB5412187D: removed
May 27 08:13:03 server postfix/pickup[575682]: 097FC412187D: uid=1010 from=<agendada>
May 27 08:13:03 server postfix/cleanup[571398]: 097FC412187D: message-id=<20230527121303.097FC412187D@server.xxxxxxx.xxx.xx>
May 27 08:13:03 server opendkim[1093]: 097FC412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:13:03 server postfix/qmgr[371490]: 097FC412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:13:03 server postfix/local[548309]: 097FC412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.76, delays=0.62/0.07/0/0.07, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:13:03 server postfix/qmgr[371490]: 097FC412187D: removed
May 27 08:13:09 server clamd[923]: SelfCheck: Database status OK.
May 27 08:14:02 server postfix/pickup[575682]: 74670412187D: uid=1010 from=<agendada>
May 27 08:14:02 server postfix/cleanup[571398]: 74670412187D: message-id=<20230527121402.74670412187D@server.xxxxxxx.xxx.xx>
May 27 08:14:02 server opendkim[1093]: 74670412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:14:02 server postfix/qmgr[371490]: 74670412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:14:02 server postfix/local[548309]: 74670412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.52, delays=0.43/0/0/0.09, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:14:02 server postfix/qmgr[371490]: 74670412187D: removed
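
Every message in the log above enters through postfix/pickup, which is the path for local submission via the sendmail command rather than SMTP, comes from uid 1010, arrives at a one-minute cadence, and is delivered by the local agent back into the same user's mailbox; nothing leaves the server. That pattern is worth detecting on its own, because a fixed cadence from one uid is either a scheduled job or a script stuck in a loop, and the answer to "which" is in that account, not in Postfix. The detector below is an added example, not code from the post or from CWP: it groups pickup submissions by uid, measures the gap between them, and records where each message was finally delivered. The uid 1010 lines are copied from the post; the uid 1004 lines are constructed to show a one-off, off-host sender for contrast.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample: uid 1010 lines as posted; the uid 1004 pair is made up for contrast.
SAMPLE_LOG = """\
May 27 08:11:02 server postfix/pickup[575682]: F2E74412187D: uid=1010 from=<agendada>
May 27 08:11:03 server postfix/local[548309]: F2E74412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.55, delays=0.37/0.03/0/0.15, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:12:02 server postfix/pickup[575682]: 6FDB5412187D: uid=1010 from=<agendada>
May 27 08:12:03 server postfix/local[548309]: 6FDB5412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.68, delays=0.49/0.05/0/0.14, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:13:03 server postfix/pickup[575682]: 097FC412187D: uid=1010 from=<agendada>
May 27 08:13:03 server postfix/local[548309]: 097FC412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.76, delays=0.62/0.07/0/0.07, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:13:09 server clamd[923]: SelfCheck: Database status OK.
May 27 08:14:02 server postfix/pickup[575682]: 74670412187D: uid=1010 from=<agendada>
May 27 08:14:02 server postfix/local[548309]: 74670412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.52, delays=0.43/0/0/0.09, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:20:15 server postfix/pickup[575682]: 1AB2C412187D: uid=1004 from=<www-data>
May 27 08:20:15 server postfix/smtp[548310]: 1AB2C412187D: to=<someone@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 OK)
"""

RE_PICKUP = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: '
                       r'(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>')
RE_DELIVER = re.compile(r'postfix/(?P<agent>smtp|lmtp|local|virtual)\[\d+\]: (?P<qid>[0-9A-F]+): '
                        r'to=<(?P<rcpt>[^>]*)>.*?relay=(?P<relay>[^,]+),')


def parse_ts(ts, year):
    # syslog timestamps carry no year; the caller supplies it (assumption for the sample: 2023)
    return datetime.strptime('%d %s' % (year, ts), '%Y %b %d %H:%M:%S')


def periodic_senders(log_text, min_events=3, jitter_s=5, year=2023):
    """Group pickup submissions by uid; flag uids whose gaps all sit within jitter_s of the median."""
    events, deliveries = {}, {}
    for line in log_text.splitlines():
        m = RE_PICKUP.match(line)
        if m:
            events.setdefault(m['uid'], []).append((parse_ts(m['ts'], year), m['qid'], m['sender']))
            continue
        m = RE_DELIVER.search(line)
        if m:
            deliveries[m['qid']] = (m['agent'], m['rcpt'], m['relay'])
    report = {}
    for uid, evs in events.items():
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        med = median(gaps) if gaps else None
        delivered = [deliveries[q] for _, q, _ in evs if q in deliveries]
        report[uid] = {
            'sender': evs[0][2],
            'count': len(evs),
            'median_gap_s': med,
            'periodic': len(evs) >= min_events and all(abs(g - med) <= jitter_s for g in gaps),
            'recipients': sorted({d[1] for d in delivered}),
            # True when every copy landed in a mailbox on this host (local/lmtp/virtual agents)
            'stays_local': bool(delivered) and all(d[0] in ('local', 'lmtp', 'virtual') for d in delivered),
        }
    return report


if __name__ == '__main__':
    for uid, info in periodic_senders(SAMPLE_LOG).items():
        print(uid, info)
```

A whole-minute cadence from an account whose mail never leaves the box is what cron produces when a job writes to stdout or stderr: the output is mailed to the job's owner every run. The next things to look at are that user's crontab (crontab -l -u agendada) and the web root of the site hosted under that account, as the thread suggests; the message bodies in the user's mailbox will name the script. The same detector run over a longer window is also how you spot a PHP mailer loop, which shows up as a periodic uid with stays_local False and many distinct recipients.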

13
E-Mail / Re: zombie attack target email account
« on: May 27, 2023, 11:55:56 AM »
Are your SPF and DMARC DNS records set up properly to restrict sending to your own domain and server IP address?

Hello overseer,

Yes, they are configured and validated.

14
E-Mail / zombie attack target email account
« on: May 25, 2023, 06:48:30 PM »
Help please.

A single email account is receiving around 30 to 50 "Undelivered Mail Returned to Sender" emails
FROM: <MAILER-DAEMON@server.xxxxxxxxxxxx.xxx.xxx> TO: <xxxxxxxxx@xxxxxxxxxxxxxxx.xxxx.xxxx>
from different recipients.
But the account is not being used for sending. I believe it is a zombie attack; how do I prevent emails being sent using my address from outside the server?

https://suporte.hostgator.com.br/hc/pt-br/articles/360015544414-O-que-é-um-ataque-de-e-mail-spoofing-

15
SSL / Simple solution for a Shoutcast SSL proxy
« on: March 07, 2023, 05:44:03 PM »
Simple solution I found for a Shoutcast SSL proxy:

1 - Create subdomain.yoursite.com.br
2 - Domain: web servers
3 - Enter the Shoutcast port
4 - Enter the server's public IP.

I don't know if it's the right way, but it solved it for me.
