Messages - djfininho

1
SSL / All sites have stopped ERR_SSL_PROTOCOL_ERROR
« on: September 26, 2023, 02:26:20 AM »
Help please!

All sites have stopped working and all of them give the error ERR_SSL_PROTOCOL_ERROR.

I rebuilt the Apache web service.
I disabled the firewall.
I restarted the server.
I recreated the certificate.
I executed the command:
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt

Nothing resolved it; port 443 is open. Does anyone have any ideas to help resolve this?

2
E-Mail / Re: I received email from my own email account
« on: June 05, 2023, 01:23:21 PM »
Hello overseer!

About the generic contact address, I think it is difficult to hide any e-mail address, because on some sites you need to publish the contact e-mail as it is.

We do not do business with Thailand. Our e-mail server already has all the standard CWP RBLs in place, including the reject option.

Although I noticed that SpamAssassin is not working properly, because it rejects some things and lets others pass that are blacklisted and have no SPF or DKIM.

I'll look into the ASSP.


Thank you for the contact.

3
E-Mail / I received email from my own email account
« on: June 02, 2023, 07:10:08 PM »
Hello, I have another problem.

Friends, I would like to understand how this is possible and how to prevent it from happening.
It's as if I had sent an email to myself, but looking at the headers I noticed that the IP is not from my server.

IP: 210.86.179.238 (unknown)
Domain: travelyamu.com (unknown)

My host has:
rDNS: OK
DKIM: OK
SPF: OK
DMARC: OK
IP: OK (not blacklisted)

I just think that SpamAssassin is not working well, because this email ended up in the inbox, bypassing the spam box.

I don't understand how this still happens...
I would like to understand these headers, and solve this problem.


Code:
Return-Path: <sales@travelyamu.com>
Delivered-To: contact@xxxxxxxxxx.xxx
Received: from server.xxxxxxxxxx.xxx
    by server.xxxxxxxxxx.xxx with LMTP
    id +P6fLMGEd2Q8oRcARjsZHA
    (envelope-from <sales@travelyamu.com>)
    for <contact@xxxxxxxxxx.xxx>; Wed, 31 May 2023 13:32:49 -0400
Received: by server.xxxxxxxxxx.xxx (Postfix, from userid 65534)
    id A19EE4121FC7; Wed, 31 May 2023 13:32:49 -0400 (-04)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=xxxxxxxxxx.xxx;
    s=default; t=1685554369;
    bh=RCwBhXFv13WAYkTWI9Cnim8HL4OwdIpgQ/eUQEz3aPw=;
    h=Reply-To:From:To:Subject:Date;
    b=YqZX2Zlv2rGPe2HU34fu7/ZmDLObGWHWYhEjHyWIArJREPnZvWX1NxvdUVZTYzpIH
    KicVt9VTvMv5EJ4uKKmAgtmpZwaT1pCRWME0xywTiYKb7dXgcfpOfv9SKWv4aWRGLq
    P7IdfMG77Lrclgs5Y25mqeGVB5x7hTIqy6ArXlWg=
Received: from 6069247.yamu.asia (6069247.yamu.asia [162.240.65.200])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by server.xxxxxxxxxx.xxx (Postfix) with ESMTPS id B0935412187D
    for <contact@xxxxxxxxxx.xxx>; Wed, 31 May 2023 13:32:46 -0400 (-04)
Authentication-Results: server.xxxxxxxxxx.xxx;
    dkim=pass (2048-bit key, unprotected) header.d=travelyamu.com header.i=@travelyamu.com header.a=rsa-sha256 header.s=default header.b=ohs+C4Z0
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=travelyamu.com; s=default; h=Content-Transfer-Encoding:Content-Type:
    MIME-Version:Message-ID:Date:Subject:To:From:Reply-To:Sender:Cc:Content-ID:
    Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
    :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
    List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=RCwBhXFv13WAYkTWI9Cnim8HL4OwdIpgQ/eUQEz3aPw=; b=ohs+C4Z0e4GReFCsnrKN4XBj4A
    LIhIifxaik9UkuwcaFmEqIaKeam6piWSpsGdfzF+Bdm6lsfBpoUWw9JZykX8IXVr5LrLY7tJEHKWU
    ASpKyTF/6as0+lxe2LCOCxGCeHMvmJqB9Iqox/Vi3jD5DTA3FdE+cVRYPn1YXDI4LS4Y/CZWfbqB0
    +DOGKEu+sEuCJNSReNdNr8lXAsNj2M2EW6fIJbZ/fOvguAzovhExjoN+lpCnotHp9w86BK4vU/rfG
    HS++vnkPApJxSgCJauofBEgpKiie6A4aTXrZs5CdHqAdT/DmPCVKjx5FSdChSRfNIE9vn8mXmLO//
    EGxNCaAQ==;
Received: from ppp-210-86-179-238.revip.asianet.co.th ([210.86.179.238]:60062 helo=travelyamu.com)
    by 6069247.yamu.asia with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96)
    (envelope-from <sales@travelyamu.com>)
    id 1q4Pgh-0002aT-0M
    for contact@xxxxxxxxxx.xxx;
    Wed, 31 May 2023 12:32:42 -0500
Reply-To: contact@xxxxxxxxxx.xxx
From: contact@xxxxxxxxxx.xxx
To: contact@xxxxxxxxxx.xxx
Subject: Your personal data has leaked due to suspected harmful activities. #927654
Date: 1 Jun 2023 00:32:40 +0700
Message-ID: <20230601003240.B847EDDBCF98D765@xxxxxxxxxx.xxx>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - 6069247.yamu.asia
X-AntiAbuse: Original Domain - xxxxxxxxxx.xxx
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - travelyamu.com
X-Get-Message-Sender-Via: 6069247.yamu.asia: authenticated_id: sales@travelyamu.com
X-Authenticated-Sender: 6069247.yamu.asia: sales@travelyamu.com
X-Source:
X-Source-Args:
X-Source-Dir:

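Added example (not code from djfininho's post or from CWP): a Python triage script for the headers quoted above. It walks the Received chain back to the originating client and checks DMARC-style identifier alignment. The dkim=pass on this message belongs to travelyamu.com, not to the From: domain, so a receiver evaluating DMARC for the recipient's own domain would fail it; the Authentication-Results line also records no spf= or dmarc= result, which suggests the inbound side is not applying a DMARC policy at all. SAMPLE is a trimmed copy of the quoted headers with the masked domain kept as on the page; `org_domain` approximates the organizational domain with the last two labels instead of a public-suffix-list lookup (an assumption).

```python
"""Spoofed-From triage (added example, not code from the thread or CWP).
Parses the headers, walks the Received chain back to the originating client
and checks DMARC-style identifier alignment. SAMPLE is a trimmed copy of the
headers quoted in the post; the masked recipient domain is kept as on the page."""
import email
import re
from email.utils import parseaddr

SAMPLE = """\
Return-Path: <sales@travelyamu.com>
Received: from 6069247.yamu.asia (6069247.yamu.asia [162.240.65.200])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by server.xxxxxxxxxx.xxx (Postfix) with ESMTPS id B0935412187D
    for <contact@xxxxxxxxxx.xxx>; Wed, 31 May 2023 13:32:46 -0400 (-04)
Authentication-Results: server.xxxxxxxxxx.xxx;
    dkim=pass (2048-bit key, unprotected) header.d=travelyamu.com header.i=@travelyamu.com
Received: from ppp-210-86-179-238.revip.asianet.co.th ([210.86.179.238]:60062 helo=travelyamu.com)
    by 6069247.yamu.asia with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96)
    (envelope-from <sales@travelyamu.com>)
    for contact@xxxxxxxxxx.xxx;
    Wed, 31 May 2023 12:32:42 -0500
Reply-To: contact@xxxxxxxxxx.xxx
From: contact@xxxxxxxxxx.xxx
To: contact@xxxxxxxxxx.xxx
Subject: Your personal data has leaked due to suspected harmful activities. #927654
X-Authenticated-Sender: 6069247.yamu.asia: sales@travelyamu.com

"""


def _norm(value):
    """Unfold a header: join continuation lines into one space-separated line."""
    return re.sub(r"\s+", " ", value or "").strip()


def _grab(pattern, text):
    m = re.search(pattern, text, re.I)
    return m.group(1) if m else None


def _domain_of(addr_header):
    return parseaddr(_norm(addr_header))[1].rpartition("@")[2].lower()


def org_domain(domain):
    # Relaxed DMARC alignment compares organizational domains. Assumption:
    # the last two labels stand in for a public-suffix-list lookup.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def parse_received(value):
    """Pull the hop's sending host/IP, HELO name, receiving host and protocol."""
    v = _norm(value)
    return {
        "from": _grab(r"^from\s+(\S+)", v),
        "ip": _grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", v),
        "helo": _grab(r"helo=(\S+?)\)", v),
        "by": _grab(r"\bby\s+(\S+)", v),
        # 'with cipher ...' sits inside the TLS comment, so only accept protocol names
        "with": _grab(r"\bwith\s+((?:e?smtp|lmtp)\w*)", v),
    }


def parse_auth_results(value):
    v = _norm(value)
    return {
        "authserv": v.split(";", 1)[0].strip(),
        "dkim": _grab(r"\bdkim=(\w+)", v) or "none",
        "spf": _grab(r"\bspf=(\w+)", v) or "none",
        "dmarc": _grab(r"\bdmarc=(\w+)", v) or "none",
        "dkim_domain": _grab(r"header\.d=([\w.-]+)", v),
        "spf_domain": _grab(r"smtp\.mailfrom=(?:[^\s@]+@)?([\w.-]+)", v),
    }


def triage(raw_headers):
    msg = email.message_from_string(raw_headers)
    from_dom = _domain_of(msg.get("From"))
    mailfrom_dom = _domain_of(msg.get("Return-Path"))
    auth = parse_auth_results(msg.get("Authentication-Results"))
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = hops[-1] if hops else {}  # bottom-most Received: is the first hop
    dkim_aligned = (auth["dkim"] == "pass" and bool(auth["dkim_domain"])
                    and org_domain(auth["dkim_domain"]) == org_domain(from_dom))
    spf_dom = auth["spf_domain"] or mailfrom_dom  # SPF identifier is the envelope sender
    spf_aligned = (auth["spf"] == "pass" and bool(spf_dom)
                   and org_domain(spf_dom) == org_domain(from_dom))
    authed = (origin.get("with") or "").lower() in ("esmtpa", "esmtpsa")
    findings = []
    if from_dom and not (dkim_aligned or spf_aligned):
        findings.append(f"From: domain {from_dom} has no aligned DKIM (d={auth['dkim_domain']}) "
                        f"or SPF (MAIL FROM domain {mailfrom_dom}) result: DMARC would fail")
    if auth["spf"] == "none" or auth["dmarc"] == "none":
        findings.append(f"{auth['authserv']} recorded no spf=/dmarc= result: "
                        "inbound DMARC policy is not being evaluated here")
    if authed:
        findings.append(f"injected via a third-party relay with SMTP AUTH at {origin['by']} "
                        f"from {origin['ip']} (HELO {origin['helo']}); your server only received it")
    return {
        "from_domain": from_dom, "mailfrom_domain": mailfrom_dom,
        "dkim": auth["dkim"], "dkim_domain": auth["dkim_domain"],
        "dkim_aligned": dkim_aligned, "spf_aligned": spf_aligned,
        "dmarc_pass": dkim_aligned or spf_aligned,
        "origin_ip": origin.get("ip"), "origin_relay": origin.get("by"),
        "submitted_with_auth": authed, "findings": findings,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```

The practical consequence: SpamAssassin scoring is the wrong place to look for this message. A DKIM pass on a forged From: is expected, because the signature is the sender's own; what would have stopped it is an inbound DMARC check (opendmarc or equivalent) against the recipient domain's policy, which the headers show was not performed.
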
4
E-Mail / Re: zombie attack target email account
« on: May 29, 2023, 07:37:17 PM »
And have you hardened your postfix installation to prevent relaying? Pay particular attention to the $mynetworks and $relay_domains directives. Do you have UCE controls properly implemented in Postfix? Don't trust the defaults -- they are just a starting point. You should be much more restrictive than what CWP provides as an initial basis.


Hello overseer.

Yes yes, and I am also monitoring more often.

Thank you for your attention.

5
E-Mail / Re: postfix sending email every minute
« on: May 29, 2023, 07:31:56 PM »
Yes, cyberspace mentioned the most common vector for spam sending on servers -- an insecure php script that gets exploited/abused to send bulk UCE (unsolicited commercial e-mail). I'm sorry I neglected to mention the possibility in my response, because that's the most common vector these days. In fact, the only mail abuse I've seen on my servers is via a malicious php script implanted via a WordPress vulnerability. You may want to consider closing off the php mailer vector altogether and require ONLY authenticated SMTP on the server for mail sending. It depends on your situation, but really I would say generally that using the php mailer functionality is "lazy coding" and you should only use SMTP AUTH for accounting purposes -- it's clear who is sending what and everything is logged.


Hello overseer

I disabled direct email sending through PHP; now sending is only via SMTP AUTH.

After these suggestions I was able to stop those submissions.

Thank you all for your help.

6
E-Mail / Re: postfix sending email every minute
« on: May 29, 2023, 01:12:05 PM »
Check HTTP/HTTPS access logs of the websites associated with the user "agendada". I assume some website hosted in the account of the user "agendada" could contain some unprotected mail form or vulnerable mail script. It could be bombarded by spam bots. That is why you could get a lot of mail delivery failures. To solve the problem with the form, protect the form using Google reCaptcha or similar method. In case the bounces are caused by the vulnerable mail script then to avoid the spam submission the script must check the referrer, verify some hidden data from the form, etc.

Hello cyberspace

I hadn't thought of that possibility; I'll check the logs.

Thanks

7
E-Mail / Re: postfix sending email every minute
« on: May 29, 2023, 01:10:07 PM »
By your log, it looks to be agendada, UID 1010.
Try running:
Code:
id 1010
to find the associated account. Then go into your admin panel and rate limit the amount of mail messages the account can send in an hour, to contain collateral damage while you investigate.

I would seriously consider enacting some Postfix rate limiting restrictions as well in /etc/postfix/main.cf:
Code:
##//delivery rate controls/restrictions
# Parallel delivery force (local=2 and dest=20 are aggressive)
local_destination_concurrency_limit = 6
default_destination_concurrency_limit = 30
# Max flow rate (1 sec delay per 50 emails/sec over the number of emails delivered/sec)
in_flow_delay = 1s
# Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 10s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
# limit max sends per minute
anvil_rate_time_unit = 60s
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_recipient_rate_limit = 30
smtpd_client_message_rate_limit = 30

Hello, overseer

In fact the user agendada does exist; there just isn't any email account agendada@server.xxxxxxx.xxx.xx.
I'll make the settings you gave me.

Thanks



8
E-Mail / postfix sending email every minute
« on: May 27, 2023, 12:25:27 PM »
Now one more problem.
I recently noticed that Postfix writes this log entry every minute, but I can't find the emails that were sent or the email account used for sending and receiving.

Code:
May 27 08:11:02 server postfix/pickup[575682]: F2E74412187D: uid=1010 from=<agendada>
May 27 08:11:02 server postfix/cleanup[571398]: F2E74412187D: message-id=<20230527121102.F2E74412187D@server.xxxxxxx.xxx.xx>
May 27 08:11:03 server opendkim[1093]: F2E74412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:11:03 server postfix/qmgr[371490]: F2E74412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:11:03 server postfix/local[548309]: F2E74412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.55, delays=0.37/0.03/0/0.15, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:11:03 server postfix/qmgr[371490]: F2E74412187D: removed
May 27 08:12:02 server postfix/pickup[575682]: 6FDB5412187D: uid=1010 from=<agendada>
May 27 08:12:02 server postfix/cleanup[571398]: 6FDB5412187D: message-id=<20230527121202.6FDB5412187D@server.xxxxxxx.xxx.xx>
May 27 08:12:02 server opendkim[1093]: 6FDB5412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:12:02 server postfix/qmgr[371490]: 6FDB5412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:12:03 server postfix/local[548309]: 6FDB5412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.68, delays=0.49/0.05/0/0.14, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:12:03 server postfix/qmgr[371490]: 6FDB5412187D: removed
May 27 08:13:03 server postfix/pickup[575682]: 097FC412187D: uid=1010 from=<agendada>
May 27 08:13:03 server postfix/cleanup[571398]: 097FC412187D: message-id=<20230527121303.097FC412187D@server.xxxxxxx.xxx.xx>
May 27 08:13:03 server opendkim[1093]: 097FC412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:13:03 server postfix/qmgr[371490]: 097FC412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:13:03 server postfix/local[548309]: 097FC412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.76, delays=0.62/0.07/0/0.07, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:13:03 server postfix/qmgr[371490]: 097FC412187D: removed
May 27 08:13:09 server clamd[923]: SelfCheck: Database status OK.
May 27 08:14:02 server postfix/pickup[575682]: 74670412187D: uid=1010 from=<agendada>
May 27 08:14:02 server postfix/cleanup[571398]: 74670412187D: message-id=<20230527121402.74670412187D@server.xxxxxxx.xxx.xx>
May 27 08:14:02 server opendkim[1093]: 74670412187D: DKIM-Signature field added (s=default, d=server.xxxxxxx.xxx.xx)
May 27 08:14:02 server postfix/qmgr[371490]: 74670412187D: from=<agendada@server.xxxxxxx.xxx.xx>, size=1475, nrcpt=1 (queue active)
May 27 08:14:02 server postfix/local[548309]: 74670412187D: to=<agendada@server.xxxxxxx.xxx.xx>, orig_to=<agendada>, relay=local, delay=0.52, delays=0.43/0/0/0.09, dsn=2.0.0, status=sent (delivered to mailbox)
May 27 08:14:02 server postfix/qmgr[371490]: 74670412187D: removed
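
Added example (not code from the thread or from CWP), written against the Postfix log above and the reply that suggests checking the web access logs. postfix/pickup lines record local submissions handed in through the sendmail binary, which is how cron jobs and PHP mail() deliver, so the log identifies the UID but not the process. The script flags UIDs that submit at a fixed cadence, then pairs each pickup with POST requests that hit the web server just before it. POSTFIX_LOG is a subset of the page's own log; ACCESS_LOG, its client IP 203.0.113.5 and the path /contact.php are constructed, the log year is assumed to be 2023 because syslog timestamps carry none, and both logs are assumed to be in the same local time zone.

```python
"""Postfix pickup cadence detection and web-form correlation (added example;
not code from the thread or CWP). postfix/pickup lines record local
submissions through the sendmail binary (cron jobs, PHP mail(), scripts).
POSTFIX_LOG is a subset of the log quoted in the post; ACCESS_LOG is
constructed (client IP, path and timing are made up for illustration)."""
import re
import statistics
from datetime import datetime

LOG_YEAR = 2023  # syslog lines carry no year; assumed from the post date

POSTFIX_LOG = """\
May 27 08:11:02 server postfix/pickup[575682]: F2E74412187D: uid=1010 from=<agendada>
May 27 08:11:03 server postfix/qmgr[371490]: F2E74412187D: removed
May 27 08:12:02 server postfix/pickup[575682]: 6FDB5412187D: uid=1010 from=<agendada>
May 27 08:13:03 server postfix/pickup[575682]: 097FC412187D: uid=1010 from=<agendada>
May 27 08:13:09 server clamd[923]: SelfCheck: Database status OK.
May 27 08:14:02 server postfix/pickup[575682]: 74670412187D: uid=1010 from=<agendada>
May 27 08:14:30 server postfix/pickup[575682]: 0000000000AA: uid=1001 from=<backup>
""".splitlines()
# the last line above is constructed noise from an unrelated local account

ACCESS_LOG = """\
203.0.113.5 - - [27/May/2023:08:11:01 -0400] "POST /contact.php HTTP/1.1" 200 512
198.51.100.7 - - [27/May/2023:08:11:40 -0400] "GET /index.php HTTP/1.1" 200 9012
203.0.113.5 - - [27/May/2023:08:12:01 -0400] "POST /contact.php HTTP/1.1" 200 512
203.0.113.5 - - [27/May/2023:08:13:02 -0400] "POST /contact.php HTTP/1.1" 200 512
203.0.113.5 - - [27/May/2023:08:14:01 -0400] "POST /contact.php HTTP/1.1" 200 512
""".splitlines()

PICKUP_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/pickup\[\d+\]: "
                       r"(\w+): uid=(\d+) from=<([^>]*)>")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def parse_pickups(lines):
    """One event per postfix/pickup line: local submission time, queue id, uid, sender."""
    events = []
    for line in lines:
        m = PICKUP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "queue_id": m.group(2),
                       "uid": int(m.group(3)), "sender": m.group(4)})
    return events


def periodic_submitters(events, min_count=3, tolerance_s=3):
    """uid -> stats for UIDs whose pickups arrive at a near-constant interval."""
    by_uid = {}
    for e in events:
        by_uid.setdefault(e["uid"], []).append(e["time"])
    report = {}
    for uid, times in by_uid.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        report[uid] = {"count": len(times), "median_interval_s": med,
                       "regular": all(abs(g - med) <= tolerance_s for g in gaps)}
    return report


def parse_posts(lines):
    """POST requests from a combined-format access log, as naive local times."""
    posts = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m.group(3) != "POST":
            continue
        # Assumption: the web and mail logs share one local zone, so the offset is dropped.
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        posts.append({"time": ts, "ip": m.group(1), "path": m.group(4), "status": m.group(5)})
    return posts


def correlate(events, posts, window_s=5):
    """Pair each pickup with POSTs that reached the web server up to window_s earlier."""
    matches = []
    for e in events:
        for p in posts:
            lag = (e["time"] - p["time"]).total_seconds()
            if 0 <= lag <= window_s:
                matches.append({"queue_id": e["queue_id"], "uid": e["uid"],
                                "ip": p["ip"], "path": p["path"], "lag_s": lag})
    return matches


def analyse(postfix_lines, access_lines):
    events = parse_pickups(postfix_lines)
    form_hits = {}
    for m in correlate(events, parse_posts(access_lines)):
        s = form_hits.setdefault(m["uid"], {"ips": set(), "paths": set(), "hits": 0})
        s["ips"].add(m["ip"]); s["paths"].add(m["path"]); s["hits"] += 1
    return {"events": len(events), "periodic": periodic_submitters(events),
            "form_hits": form_hits}


if __name__ == "__main__":
    print(analyse(POSTFIX_LOG, ACCESS_LOG))
```

A regular 60 s cadence with no matching POST points at a cron entry or a looping script under that UID (`crontab -l -u agendada`, then the script's own logs); matching POSTs from a single IP point at the form, which is the case the constructed access log shows. Either way the UID from the pickup line is the pivot, and the per-account rate limit suggested earlier in the thread caps the damage while that check runs.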

9
E-Mail / Re: zombie attack target email account
« on: May 27, 2023, 11:55:56 AM »
Are your SPF and DMARC DNS records set up properly to restrict sending to your own domain and server IP address?

Hello overseer

Yes, they are configured and validated.

10
E-Mail / zombie attack target email account
« on: May 25, 2023, 06:48:30 PM »
Help please

A single email account is receiving around 30 to 50 "Undelivered Mail Returned to Sender" emails
FROM: <MAILER-DAEMON@server.xxxxxxxxxxxx.xxx.xxx> TO: <xxxxxxxxx@xxxxxxxxxxxxxxx.xxxx.xxxx>
from different recipients.
But the email account is not being used for sending. I believe it is a zombie attack; how do I prevent emails being sent using my email address from outside the server?

https://suporte.hostgator.com.br/hc/pt-br/articles/360015544414-O-que-é-um-ataque-de-e-mail-spoofing-
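
Added example (not code from the thread or from CWP), for the two posts above on bounces to an account that sends nothing and the reply asking whether SPF and DMARC are set up properly. Publishing those records does not stop anyone from putting your address in a forged message; it lets receiving servers reject such mail, so the backscatter shrinks only to the extent that SPF ends in -all and DMARC is at p=reject, and only at receivers that enforce them. The checker evaluates what a published record actually permits. The records are constructed for the masked domain, not fetched; the live ones come from `dig TXT <domain>` and `dig TXT _dmarc.<domain>`.

```python
"""SPF/DMARC record strictness check (added example; not code from the thread
or CWP). Evaluates what a published TXT record permits. The sample records are
constructed for the masked domain used in the posts."""
import re

# each of these costs a DNS lookup; RFC 7208 caps a record at 10
SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

WEAK_SPF = "v=spf1 a mx include:_spf.example.net ~all"
STRICT_SPF = "v=spf1 ip4:203.0.113.10 mx -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-rua@xxxxxxxxxx.xxx; adkim=s; aspf=s"


def assess_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "issues": ["not an SPF record"]}
    issues, lookups, all_qual = [], 0, None
    for term in terms[1:]:
        qual = "+"  # the default qualifier when none is written
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_MECHS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr mechanism is deprecated and slow")
        if name == "all":
            all_qual = qual
    if all_qual is None:
        issues.append("no 'all' term: unlisted senders get an implicit neutral result")
    elif all_qual in "+?":
        issues.append(f"'{all_qual}all' lets anyone pass SPF for this domain")
    elif all_qual == "~":
        issues.append("'~all' is softfail: receivers typically only score it, not reject")
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return {"valid": True, "all": all_qual, "lookups": lookups,
            "enforcing": all_qual == "-", "issues": issues}


DMARC_DEFAULTS = {"p": None, "sp": None, "pct": "100", "adkim": "r", "aspf": "r", "rua": None}


def assess_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "issues": ["not a DMARC record"]}
    cfg = dict(DMARC_DEFAULTS)
    cfg.update(tags)
    cfg["sp"] = cfg["sp"] or cfg["p"]  # subdomain policy defaults to p=
    issues = []
    if cfg["p"] not in ("none", "quarantine", "reject"):
        issues.append("p= tag missing or invalid; receivers ignore the record")
    elif cfg["p"] == "none":
        issues.append("p=none only monitors; forged From: mail is still delivered")
    if cfg["sp"] == "none" and cfg["p"] != "none":
        issues.append("sp=none leaves subdomains unprotected")
    pct = int(cfg["pct"])
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only that share of mail")
    if not cfg["rua"]:
        issues.append("no rua= address: you will not see who is spoofing the domain")
    return {"valid": True, "policy": cfg["p"], "subdomain_policy": cfg["sp"], "pct": pct,
            "enforcing": cfg["p"] in ("quarantine", "reject") and pct == 100,
            "issues": issues}


if __name__ == "__main__":
    for label, rec in (("weak SPF", WEAK_SPF), ("strict SPF", STRICT_SPF)):
        print(label, assess_spf(rec))
    for label, rec in (("weak DMARC", WEAK_DMARC), ("strict DMARC", STRICT_DMARC)):
        print(label, assess_dmarc(rec))
```

The bounces themselves are backscatter: some remote server accepted a forged message carrying your address as envelope sender and only later generated the failure notice. An SPF record ending in -all lets well-behaved receivers refuse that forged envelope at SMTP time, and DMARC p=reject covers the visible From:; the DMARC rua= reports then show which sources are using the domain.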

11
SSL / Simple solution for a Shoutcast SSL proxy
« on: March 07, 2023, 05:44:03 PM »
A simple solution I found for a Shoutcast SSL proxy

1 - create subdominio.seusite.com.br
2 - domain / web servers
3 - enter the Shoutcast port
4 - enter the server's public IP.

I don't know if it's the right way, but it solved it for me.

12
Postfix / Re: error on postfix rebuild
« on: June 12, 2022, 11:19:11 PM »
I have the same problem; I found this when doing the rebuild:

Running transaction
  Preparing        :                                                        1/1
  Installing       : perl-NetAddr-IP-4.079-7.el8.x86_64                    1/29
  Installing       : perl-Mail-SPF-2.9.0-15.el8.noarch                     2/29
  Running scriptlet: perl-Mail-SPF-2.9.0-15.el8.noarch                     2/29
failed to link /usr/bin/spfquery -> /etc/alternatives/spf: /usr/bin/spfquery exists and it is either not a symlink or --keep-foreign was set and link points outside /etc/alternatives
