Koozali.org: home of the SME Server
Other Languages => Italiano => Topic started by: mauro on March 06, 2015, 09:23:27 AM
-
Good morning
This morning a user complained that he had received error messages from the server: they are messages apparently sent by him and not delivered because of an incorrect recipient address. Indeed, last night I see about a hundred messages in the /var/log/qmail/current log whose sender is <utente@server.dominio.com> (note that the mail client is configured to use <utente@dominio.com>; in any case the client PC was switched off during the night) and whose recipients are various dubious or unknown external addresses. The UID of the messages is 453, i.e. qpsmtpd.
The user had changed his password just yesterday. The server (SME 8.1 in gateway mode) is set up with SMTP authentication 'SSMTP (secure) access'.
To complicate matters, the user is working from home via OpenVPN and I am supposed to be on holiday, so I am accessing the server remotely.
Suggestions welcome
-
do you have an extract of the log you can show us?
-
/var/log/qmail/current:
2015-03-06 00:19:25.241340500 new msg 28344921
2015-03-06 00:19:25.241342500 info msg 28344921: bytes 2350 from <egrambow@wintermute.XXX.com> qp 9218 uid 453
2015-03-06 00:19:25.464009500 starting delivery 118968: msg 28344921 to local alias-localdelivery-maillog@XXX.com
2015-03-06 00:19:25.464012500 status: local 1/20 remote 0/20
2015-03-06 00:19:25.464013500 starting delivery 118969: msg 28344921 to remote friedrich-blase@YYY.de
2015-03-06 00:19:25.464015500 status: local 1/20 remote 1/20
2015-03-06 00:19:25.648957500 new msg 28345016
2015-03-06 00:19:25.648959500 info msg 28345016: bytes 2475 from <egrambow@wintermute.XXX.com> qp 9226 uid 400
2015-03-06 00:19:25.766755500 starting delivery 118970: msg 28345016 to local maillog@wintermute.XXX.com
2015-03-06 00:19:25.766757500 status: local 2/20 remote 1/20
2015-03-06 00:19:25.766759500 delivery 118968: success: forward:_qp_9226/did_0+0+1/
2015-03-06 00:19:25.766761500 status: local 1/20 remote 1/20
2015-03-06 00:19:25.778446500 delivery 118970: success: procmail:_Couldn't_create_"/var/mail/maillog"/did_0+0+2/
2015-03-06 00:19:25.778449500 status: local 0/20 remote 1/20
2015-03-06 00:19:25.778450500 end msg 28345016
2015-03-06 00:19:25.779421500 delivery 118969: failure: 194.25.134.9_failed_after_I_sent_the_message./Remote_host_said:_550-5.7.0_Message_considered_as_spam_or_virus,_rejected/550-5.7.0_Your_IP:_80.152.140.223/550-5.7.0_Mailhost:_mailin53.aul.t-online.de/550-5.7.0_Timestamp:_2015-03-05T23:19:25Z/550-5.7.0_Expurgate-ID:_149288::1425597565-00001484-840A5F02/0-16018943334/0-10/550-5.7.0_Authenticator:_1F643F346C84648EFBC471676D248C7586342FBF75BFF24F5F03EAF21A31AD793F5B18D4/550-5.7.0_/550-5.7.0_Your_message_has_been_rejected_due_to_spam_or_virus_classification./550-5.7.0_If_you_feel_this_is_inapplicable,_please_report_the_above_error_codes/550-5.7.0_back_to_FPR@RX.T-ONLINE.DE_to_help_us_fix_possible_misclassification./550-5.7.0_We_apologize_for_any_inconvenience_and_thank_you_for_your_assistance!/550-5.7.0_/550-5.7.0_Die_Annahme_Ihrer_Nachricht_wurde_abgelehnt,_da_sie_als_Spam_oder/550-5.7.0_Virus_eingestuft_wurde._Sollten_Sie_dies_als_unzutreffend_ansehen,/550-5.7.0_senden_Sie_bitte_obige_Fehlercodes_an_FPR@RX.T-ONLINE.DE,_damit_wir/550-5.7.0_die_Klassifizierung_untersuchen_k__nnen._Wir_entschuldigen_uns_f__r/550_5.7.0_etwaige_Unannehmlichkeiten_und_bedanken_uns_f__r_Ihre_Unterst__tzung!/
2015-03-06 00:19:25.779565500 status: local 0/20 remote 0/20
2015-03-06 00:19:25.941008500 bounce msg 28344921 qp 9241
2015-03-06 00:19:25.941070500 end msg 28344921
2015-03-06 00:19:25.941243500 new msg 28345064
/var/log/qpsmtpd/current instead contains lines like:
2015-03-06 09:14:51.344486500 2987 Accepted connection 0/40 from 195.135.130.51 / mail2.osite.de
2015-03-06 09:14:51.344488500 2987 Connection from mail2.osite.de [195.135.130.51]
2015-03-06 09:14:51.345921500 2987 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-03-06 09:14:51.348964500 2987 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-03-06 09:14:51.365589500 2987 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-03-06 09:14:52.372999500 2987 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2015-03-06 09:14:52.380260500 2987 220 wintermute.XXX.com ESMTP
2015-03-06 09:14:52.469703500 2987 dispatching EHLO mail2.osite.de
2015-03-06 09:14:52.471887500 2987 250-XXX.com Hi mail2.osite.de [195.135.130.51]
2015-03-06 09:14:52.471913500 2987 250-PIPELINING
2015-03-06 09:14:52.471942500 2987 250-8BITMIME
2015-03-06 09:14:52.471973500 2987 250-SIZE 15000000
2015-03-06 09:14:52.472007500 2987 250 STARTTLS
2015-03-06 09:14:52.492380500 2987 dispatching MAIL FROM:<> SIZE=4564 BODY=8BITMIME
2015-03-06 09:14:52.492612500 2987 full from_parameter: FROM:<> SIZE=4564 BODY=8BITMIME
2015-03-06 09:14:52.495453500 2987 getting mail from <>
2015-03-06 09:14:52.495517500 2987 250 <>, sender OK - how exciting to get mail from you!
2015-03-06 09:14:52.495664500 2987 dispatching RCPT TO:<egrambow@wintermute.XXX.com>
2015-03-06 09:14:52.646529500 2987 check_goodrcptto plugin (rcpt): stripping '-' extensions
2015-03-06 09:14:52.647707500 2987 check_goodrcptto plugin (rcpt): recipient egrambow@wintermute.XXX.com denied
2015-03-06 09:14:52.648014500 2987 logging::logterse plugin (deny): ` 195.135.130.51 mail2.osite.de mail2.osite.de <> check_goodrcptto 901 relaying denied egrambow@wintermute.XXX.com msg denied before queued
2015-03-06 09:14:52.648138500 2987 550 relaying denied egrambow@wintermute.XXX.com
2015-03-06 09:14:52.648286500 2987 dispatching DATA
2015-03-06 09:14:52.648649500 2987 503 RCPT first
2015-03-06 09:14:52.738018500 2987 dispatching RSET
2015-03-06 09:14:52.738207500 2987 250 OK
2015-03-06 09:14:52.738296500 2987 dispatching QUIT
2015-03-06 09:14:52.738431500 2987 221 XXX.com closing connection. Have a wonderful day.
2015-03-06 09:14:52.738468500 2987 click, disconnecting
(these look normal to me, but, funnily enough, they concern a single user and always the same one)
The suspicious emails seem to have stopped around 7 this morning; in the meantime I asked the user to change the password again, to one that is hard to guess.
Would other logs be useful?
Thanks for your attention
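A small detector for the pattern in the qmail log above, added here as an example and not code from the thread or from SME Server: it parses the "info msg ... uid N" lines, keeps only mail injected through qpsmtpd (uid 453, as the post states), and flags any sender whose submissions bunch up inside a short window, which is what the overnight run looked like. It assumes the log has already been passed through tai64nlocal, so the timestamps are in the form shown in the excerpt; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# qmail-send "info msg" line as it appears in /var/log/qmail/current after tai64nlocal
INFO_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ info msg \d+: '
    r'bytes \d+ from <(?P<sender>[^>]*)> qp \d+ uid (?P<uid>\d+)$'
)
QPSMTPD_UID = 453  # on SME Server, mail injected via qpsmtpd (SMTP) carries this uid

# Constructed sample modelled on the thread's excerpt (not the original log)
SAMPLE_LOG = """\
2015-03-06 00:19:25.241342500 info msg 28344921: bytes 2350 from <egrambow@wintermute.XXX.com> qp 9218 uid 453
2015-03-06 00:19:25.648959500 info msg 28345016: bytes 2475 from <egrambow@wintermute.XXX.com> qp 9226 uid 400
2015-03-06 00:19:40.100000500 info msg 28345100: bytes 2301 from <egrambow@wintermute.XXX.com> qp 9301 uid 453
2015-03-06 00:20:02.100000500 info msg 28345150: bytes 2290 from <egrambow@wintermute.XXX.com> qp 9350 uid 453
2015-03-06 08:05:11.300000500 info msg 28346000: bytes 1800 from <alice@XXX.com> qp 9900 uid 453
"""

def parse_submissions(text):
    """Return (timestamp, sender, uid) for every 'info msg' line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = INFO_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
            out.append((ts, m['sender'], int(m['uid'])))
    return out

def bursty_senders(submissions, window=timedelta(minutes=10), threshold=3):
    """Map sender -> peak number of SMTP-injected messages seen inside any one window."""
    per_sender = defaultdict(list)
    for ts, sender, uid in submissions:
        if uid == QPSMTPD_UID:          # skip local injections (e.g. the maillog copy, uid 400)
            per_sender[sender].append(ts)
    flagged = {}
    for sender, times in per_sender.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[sender] = max(flagged.get(sender, 0), count)
    return flagged

if __name__ == '__main__':
    for sender, n in bursty_senders(parse_submissions(SAMPLE_LOG)).items():
        print(f'{sender}: {n} SMTP-injected submissions within 10 minutes')
```

Run against the real file with `tai64nlocal < /var/log/qmail/current` as input and a threshold tuned to the site's normal volume; a sender that trips it overnight, while the user's PC is off, is the signal the post describes.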
-
This is one of the error messages that reached the user
-----Original Message-----
From: MAILER-DAEMON@XXX.com [mailto:MAILER-DAEMON@XXX.com]
Sent: Friday, March 06, 2015 7:42 AM
To: egrambow@wintermute.XXX.com
Subject: failure notice
Hi. This is the qmail-send program at XXX.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<pohl.g.u.k@online.de>:
217.72.192.66 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable Giving
up on 217.72.192.66.
--- Below this line is a copy of the message.
Return-Path: <egrambow@wintermute.XXX.com>
Received: (qmail 24368 invoked by uid 453); 6 Mar 2015 06:41:43 -0000
Received: from 46.220.39.130.wireless.dyn.drei.com (HELO localhost)
(46.220.39.130)
(smtp-auth username egrambow, mechanism login)
by XXX.com (qpsmtpd/0.84) with (AES256-SHA encrypted) ESMTPSA;
Fri, 06 Mar 2015 07:41:43 +0100
Subject: Paket, Ihre Sendung 614944661176417661
From: "DHL Fachteam"<egrambow>
To: pohl.g.u.k@online.de
X-Mailer: Print Manager v1.10.157.18025
Content-type: multipart/mixed; boundary="jmKJ3bWksqczVskz"
MIME-Version: 1.0
X-TNEF2MIME-Plugin: UUENCODE -> MIME
X-Virus-Checked: Checked by ClamAV on XXX.com
--jmKJ3bWksqczVskz
Content-Type: text/html; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: base64
--jmKJ3bWksqczVskz--
Decoding the message, it is an HTML page with the classic fake courier delivery-failure notice.
To me it looks like it was sent by someone who has access to a legitimate username and password...
-
agreed..
change the credentials and check the PC in question (that it doesn't have some junk on board, such as a keylogger...)
-
The thing started a few hours after the user took the PC home. I fear there is some keylogger/sniffer on his home LAN. If so, having changed the password won't help much...
Thanks for the help
-
that's exactly why I said to check the PC.. I don't think he has something 'in the house', but that he did something 'at home'