SPAM, Postfix security

**TechnikOnkel** · Dec 29th 2013

I got a little question!!

I regionized that i got a lot of "Automatic Reply" Messages around the Christmas days! Some mails got me my original Message in the reply message! Okay it just says "merry Christmas" as text and ":-)" as subject nothing else.

It was send from a phantasy name, and phantasy mailbox name but with my original Domainname...!

Now i checked my Postfix configuration on the server and saw this information:

Quote

Dec 24 04:34:24 www postfix/smtpd[22883]: Anonymous TLS connection established from hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Dec 24 04:34:24 www postfix/smtpd[22883]: warning: hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]: SASL LOGIN authentication failed: authentication failure
Dec 24 04:34:24 www postfix/smtpd[22883]: disconnect from hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]
Dec 24 04:34:24 www postfix/smtpd[22884]: connect from hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]
Dec 24 04:34:25 www postfix/smtpd[22884]: warning: hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]: SASL LOGIN authentication failed: authentication failure
Dec 24 04:34:25 www postfix/smtpd[22884]: disconnect from hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]
Dec 24 04:34:25 www postfix/smtpd[22884]: connect from hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]
Dec 24 04:34:25 www postfix/smtpd[22884]: warning: hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]: SASL LOGIN authentication failed: authentication failure
Dec 24 04:34:25 www postfix/smtpd[22884]: disconnect from hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]
Dec 24 04:34:30 www postfix/smtpd[22881]: connect from hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]
Dec 24 04:34:30 www postfix/smtpd[22881]: setting up TLS connection from hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]
Dec 24 04:34:30 www postfix/smtpd[22881]: hostxx-xxx-static.xx-xx-b.business.telecomitalia.it[xx.xx.xxx.xx]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:before/accept initialization
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:SSLv3 read client hello A
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:SSLv3 write server hello A
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:SSLv3 write certificate A
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:SSLv3 write server done A
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:SSLv3 flush data
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:SSLv3 read client key exchange A
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:SSLv3 read finished A
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:SSLv3 write change cipher spec A
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:SSLv3 write finished A
Dec 24 04:34:30 www postfix/smtpd[22881]: SSL_accept:SSLv3 flush data

Display More

**krok** · Jan 4th 2014

What's the question ?

crafter · Jan 5th 2014

It's quite possible that the emails and log entries are not related, but should both be issues for concern, so I would check them out in detail.

The 'SASL LOGIN authentication failed' might be a would-be attacker (or a sucessful one) trying to guess your password. If there are many of these such entries, it could be a 'dictionary attack', where the person tries your username with a password from a list (eg 'password', 'a', 'aa', 'aaa', or 'Adam', 'Bob', 'Carry' and so on).

Look into installing fail2ban on your server. This will help to trace this in real time and place a ban on the incoming IP address after a certain number of tries.

The 'setting up TLS connection' probably means there was a correct guess. Maybe reset your password to something a bit stronger.

However, if it appears you have been hacked, it might be a good idea to reset accounts and re-install items. I would suggest a proper end-to-end check of the system.

SPAM, Postfix security

Share

Daily visitors