Zero day exploit?
Issue #463
closed
I recently set up a mail server that would eventually be a production system. It was a pretty typical configuration, nothing special. However, today I've got some kind of spammer that seems to be sending spam through my mail server.
Delivery logs show something like the following,
2018-10-16T01:39:18.033Z [A973F0AE-42F8-4C02-805B-E2EAF2441228.1] 127.0.0.1:43652%Unknown () <july-84@cryptpool.eu> -> <info@roofural.ru> - [1.9][<a28533606b406a62fefb4de104a08eaa040d6c@cryptpool.eu>] 250 Message Queued (A973F0AE-42F8-4C02-805B-E2EAF2441228.1)
2018-10-16T01:39:18.180Z [36D41AE9-05EE-432D-A9CD-8845883F115E.1] 127.0.0.1:43658%Unknown () <vflot@fux0r.eu> -> <ssp-vrn@1-ssp.com> - [1.9][<2277c19299b29891ddd86ec22783ad8ad34c98@fux0r.eu>] 250 Message Queued (36D41AE9-05EE-432D-A9CD-8845883F115E.1)
2018-10-16T01:39:18.194Z [E8327B09-FD45-4793-931F-8C5119A7479B.1] 127.0.0.1:43660%Unknown () <deka-nati@pbgolv.se> -> <info@bukh-consultant.ru> - [1.9][<86e2efc7cce732c1e21d1b484397ae2205dfc0cb11@pbgolv.se>] 250 Message Queued (E8327B09-FD45-4793-931F-8C5119A7479B.1)
Any ideas?
Comments (5)
-
repo owner -
reporter So, I made the following change to my docker-compose.yml,
ports:
  - target: 25
    published: 25
    protocol: tcp
    mode: host
  - target: 110
    published: 110
    protocol: tcp
    mode: host
  - target: 143
    published: 143
    protocol: tcp
    mode: host
  - target: 465
    published: 465
    protocol: tcp
    mode: host
  - target: 587
    published: 587
    protocol: tcp
    mode: host
  - target: 993
    published: 993
    protocol: tcp
    mode: host
  - target: 995
    published: 995
    protocol: tcp
    mode: host
As soon as I bring up the container, I start seeing statistics explode. Now with the port change, I seem to be seeing actual IPs in the logs. See attachment.
-
reporter - attached problem3.png
Screenshot after docker-compose.yml change.
-
reporter I guess I need to clear the queue. How would I do that?
-
repo owner - changed status to closed
Ok I am closing now.
To clean the queue, you can stop the container and delete all files at queue/smtp/*
Connections are from "127.0.0.1", which is implicitly relayed. Are you doing some form of DNAT or manipulation of IPs? Are you using the stock poste image?
Also, please inspect the container to see if there is some strange process running. I can do the inspection for you if you send me login info to info@poste.io
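An added example, not part of this issue thread or of poste.io: a small Python check over delivery-log lines in the format quoted above that flags messages queued (250) from 127.0.0.1 whose sender and recipient are both foreign to this server, which is exactly what the bridged-port setup produced before the `mode: host` change. The regex for the log format, the `example.org` local domain and the two extra log lines are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Delivery-log format as quoted in the issue. The token after '%' is kept as
# an opaque session tag (assumption: its meaning is not needed for this check).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<txn>[^\]]+)\] (?P<ip>[\d.]+):\d+%(?P<tag>\S*) \(\) "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)> - .*? (?P<code>\d{3}) (?P<status>.*)$"
)
LOCAL_DOMAINS = {"example.org"}  # hypothetical: domains this server hosts

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def domain(addr):
    return addr.rpartition("@")[2].lower()

def is_loopback_relay(entry):
    """Queued (250) from a loopback client with neither side in a local domain.
    Behind docker-proxy every client appears as 127.0.0.1, which the server
    treats as trusted local submission, so such entries are relay events."""
    if entry["code"] != "250":
        return False
    try:
        client = ipaddress.ip_address(entry["ip"])
    except ValueError:
        return False
    local = {domain(entry["sender"]), domain(entry["rcpt"])} & LOCAL_DOMAINS
    return client.is_loopback and not local

def audit(lines):
    """Return flagged entries and a count of relayed messages per sender domain."""
    flagged = [e for e in map(parse_line, lines) if e and is_loopback_relay(e)]
    return flagged, Counter(domain(e["sender"]) for e in flagged)

SAMPLE_LOG = [
    # the first three lines are the ones quoted in the issue
    "2018-10-16T01:39:18.033Z [A973F0AE-42F8-4C02-805B-E2EAF2441228.1] 127.0.0.1:43652%Unknown () <july-84@cryptpool.eu> -> <info@roofural.ru> - [1.9][<a28533606b406a62fefb4de104a08eaa040d6c@cryptpool.eu>] 250 Message Queued (A973F0AE-42F8-4C02-805B-E2EAF2441228.1)",
    "2018-10-16T01:39:18.180Z [36D41AE9-05EE-432D-A9CD-8845883F115E.1] 127.0.0.1:43658%Unknown () <vflot@fux0r.eu> -> <ssp-vrn@1-ssp.com> - [1.9][<2277c19299b29891ddd86ec22783ad8ad34c98@fux0r.eu>] 250 Message Queued (36D41AE9-05EE-432D-A9CD-8845883F115E.1)",
    "2018-10-16T01:39:18.194Z [E8327B09-FD45-4793-931F-8C5119A7479B.1] 127.0.0.1:43660%Unknown () <deka-nati@pbgolv.se> -> <info@bukh-consultant.ru> - [1.9][<86e2efc7cce732c1e21d1b484397ae2205dfc0cb11@pbgolv.se>] 250 Message Queued (E8327B09-FD45-4793-931F-8C5119A7479B.1)",
    # constructed: a local webmail user sending over loopback (legitimate, not flagged)
    "2018-10-16T01:40:00.000Z [C0NSTRUCTED-0001.1] 127.0.0.1:43700%Unknown () <alice@example.org> -> <bob@example.net> - [1.9][<x@example.org>] 250 Message Queued (C0NSTRUCTED-0001.1)",
    # constructed: external client refused relaying once real IPs are visible (not flagged)
    "2018-10-16T02:00:00.000Z [C0NSTRUCTED-0002.1] 203.0.113.9:51234%Unknown () <spam@example.com> -> <victim@example.net> - [1.9][<y@example.com>] 554 Relay access denied",
]
```

Running `audit(SAMPLE_LOG)` flags only the three queued-from-loopback messages with foreign domains on both ends; once ports are published with `mode: host`, the client column carries the real source address and this check goes quiet.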