I am receiving messages from my own mail server, from a user who belongs to my domain but who does not exist in my mail user database. Here are the logs:
Mar 28 15:54:13 Bumblebee postfix/smtpd[29350]: connect from unknown[45.127.40.218]
Mar 28 15:54:13 Bumblebee postfix/smtpd[29350]: C7B8A3FCB1EC: client=unknown[45.127.40.218]
Mar 28 15:54:14 Bumblebee postfix/cleanup[29353]: C7B8A3FCB1EC: message-id=<[email protected]>
Mar 28 15:54:14 Bumblebee postfix/qmgr[14800]: C7B8A3FCB1EC: from=<[email protected]>, size=5170, nrcpt=1 (queue active)
Mar 28 15:54:14 Bumblebee postfix/smtpd[29350]: disconnect from unknown[45.127.40.218]
Mar 28 15:54:15 Bumblebee postfix/smtp[29349]: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Connection timed out
Mar 28 15:54:15 Bumblebee postfix/smtpd[29363]: connect from localhost[127.0.0.1]
Mar 28 15:54:15 Bumblebee postfix/smtpd[29363]: 875153FCB201: client=localhost[127.0.0.1]
Mar 28 15:54:15 Bumblebee postfix/cleanup[29353]: 875153FCB201: message-id=<[email protected]>
Mar 28 15:54:15 Bumblebee postfix/smtpd[29363]: disconnect from localhost[127.0.0.1]
Mar 28 15:54:15 Bumblebee postfix/qmgr[14800]: 875153FCB201: from=<[email protected]>, size=5957, nrcpt=1 (queue active)
Mar 28 15:54:15 Bumblebee amavis[28484]: (28484-11) Passed CLEAN {RelayedInbound}, [45.127.40.218]:54919 [45.127.40.218] <[email protected]> -> <[email protected]>, Queue-ID: C7B8A3FCB1EC, Message-ID: <[email protected]>, mail_id: 0r59-HfxT3Vu, Hits : 5.282, size: 5170, queued_as: 875153FCB201, 1437 ms
Mar 28 15:54:15 Bumblebee postfix/smtp[29355]: C7B8A3FCB1EC: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=0.36/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 875153FCB201)
Mar 28 15:54:15 Bumblebee postfix/qmgr[14800]: C7B8A3FCB1EC: removed
Mar 28 15:54:15 Bumblebee postfix/lmtp[29364]: 875153FCB201: to=<[email protected]>, relay=mydomain.com[private/dovecot-lmtp], delay=0.17, delays=0.06/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> 2Hz6JIc3+Va1cgAA4FbCCg Saved)
Mar 28 15:54:15 Bumblebee postfix/qmgr[14800]: 875153FCB201: removed
There is no user "nadiam1pa"; I have checked several times, but this guy is somehow using my mail server to deliver mail with suspicious attachments to other mail users on my server. I don't know where to start to fix this security problem. Can anyone help me with this?
// edit: Here are the mail headers:
X-Spam-Level: *****
Return-Path: <[email protected]>
Mime-Version: 1.0
Thread-Index: AdCh6FNHn/LWax1JSTSc7XL2c2t2TQ==
X-Virus-Scanned: Debian amavisd-new at mydomain.com
Message-Id: <[email protected]>
X-Mailer: Microsoft Outlook 14.0
X-Spam-Score: 5.282
X-Spam-Flag: NO
X-Spam-Status: No, score=5.282 tagged_above=2 required=6.31 tests=[BAYES_20=-0.001, DOS_Outlook_TO_MX=2.845, HELO_MISC_IP=0.25, PYZOR_CHECK=1.392, RDNS_NONE=0.793, SPF_FAIL=0.001, TO_EQ_FM_DOM_SPF_FAIL=0.001, TVD_SPACE_RATIO=0.001] autolearn=no autolearn_force=no
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0042_01D0A1F9.171F24B0"
Delivered-To: <[email protected]>
Content-Language: en-US
Received: from mydomain.com by Ubuntu-1310-saucy-64-minimal (Dovecot) with LMTP id 2Hz6JIc3+Va1cgAA4FbCCg for <[email protected]>; Mon, 28 Mar 2016 15:54:15 +0200
Received: from localhost (localhost [127.0.0.1]) by mydomain.com (Postfix) with ESMTP id 875153FCB201 for <[email protected]>; Mon, 28 Mar 2016 15:54:15 +0200 (CEST)
Received: from mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0r59-HfxT3Vu for <[email protected]>; Mon, 28 Mar 2016 15:54:14 +0200 (CEST)
Received: from [45.127.40.218] (unknown [45.127.40.218]) by mydomain.com (Postfix) with ESMTP id C7B8A3FCB1EC for <[email protected]>; Mon, 28 Mar 2016 15:54:13 +0200 (CEST)
Document (1).pdf
Your mail server isn't sending anything. That address is spoofed. If you check the headers of one of the suspicious messages, you will see the sender's IP address. It is likely, however, that every message you receive will come from a different IP address.
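The check the answer describes, carried out on the headers posted in the question, as an added example (this is not code from the question or the answer). It walks the Received chain newest-first, skips the hops the server added while handing the message to itself (amavis on 127.0.0.1, Dovecot LMTP), and reports the first external client IP, which here is 45.127.40.218, the same address the Postfix log shows as `client=unknown[45.127.40.218]`. It then flags the combination this thread is about: an envelope sender in the local domain on a message that entered from outside, and pulls out the SPF and rDNS tests from X-Spam-Status that confirm it. Note that SPF_FAIL is scored only 0.001 in this configuration and the total of 5.282 stays below the required 6.31, which is why amavis let the message through as CLEAN. The mailbox names `nadiam1pa@mydomain.com`, `user@mydomain.com` and `someone@example.net` are assumptions, since the page only shows obfuscated addresses; the second sample message (a sender honestly claiming a foreign domain) is constructed to show the negative case.

```python
"""Find where a message that claims to come from our own domain really entered.

Added example, not from the question or the answer.  Walks the Received chain
newest hop first, skips the hops the local server added to itself (amavis on
127.0.0.1, Dovecot LMTP), returns the first external client IP, and flags an
envelope sender in LOCAL_DOMAIN on a message that arrived from outside.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

LOCAL_DOMAIN = "mydomain.com"  # placeholder domain used in the question

# Constructed sample modelled on the headers posted in the question.  Mailbox
# names are assumptions: the page only shows obfuscated addresses.
RECEIVED_CHAIN = (
    "Received: from mydomain.com by Ubuntu-1310-saucy-64-minimal (Dovecot) with LMTP id 2Hz6JIc3+Va1cgAA4FbCCg for <user@mydomain.com>; Mon, 28 Mar 2016 15:54:15 +0200\n"
    "Received: from localhost (localhost [127.0.0.1]) by mydomain.com (Postfix) with ESMTP id 875153FCB201 for <user@mydomain.com>; Mon, 28 Mar 2016 15:54:15 +0200 (CEST)\n"
    "Received: from mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0r59-HfxT3Vu for <user@mydomain.com>; Mon, 28 Mar 2016 15:54:14 +0200 (CEST)\n"
    "Received: from [45.127.40.218] (unknown [45.127.40.218]) by mydomain.com (Postfix) with ESMTP id C7B8A3FCB1EC for <user@mydomain.com>; Mon, 28 Mar 2016 15:54:13 +0200 (CEST)\n"
)
SPAM_STATUS = (
    "X-Spam-Status: No, score=5.282 tagged_above=2 required=6.31 tests=[BAYES_20=-0.001, "
    "DOS_Outlook_TO_MX=2.845, HELO_MISC_IP=0.25, PYZOR_CHECK=1.392, RDNS_NONE=0.793, "
    "SPF_FAIL=0.001, TO_EQ_FM_DOM_SPF_FAIL=0.001, TVD_SPACE_RATIO=0.001] autolearn=no\n"
)
# The spoof from the question: envelope sender in our domain, delivered from outside.
SPOOFED_MESSAGE = ("Return-Path: <nadiam1pa@mydomain.com>\n" + SPAM_STATUS + RECEIVED_CHAIN
                   + "From: <nadiam1pa@mydomain.com>\nSubject: Document\n\nbody\n")
# Same path through the server, but the sender claims a foreign domain (constructed, no spoof of ours).
FOREIGN_MESSAGE = ("Return-Path: <someone@example.net>\n" + RECEIVED_CHAIN
                   + "From: <someone@example.net>\nSubject: Hello\n\nbody\n")

# "from <helo> (<rdns> [<ip>]) by <host>" as Postfix writes it; the parenthesised part is optional.
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+\S+")
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def hop_ip(received):
    """Client IP of one Received hop, or None for hops without one (e.g. LMTP delivery)."""
    m = HOP_RE.search(received)
    if not m:
        return None
    ip = IP_RE.search(m.group(2) or m.group(1))
    return ip.group(1) if ip else None


def originating_ip(msg, trusted=frozenset({"127.0.0.1", "::1"})):
    """First external client IP, newest hop first.

    Received headers are prepended by each hop, so the ones at the top were
    written by our own server.  Stopping at the first untrusted client ignores
    any Received lines the sender forged underneath.
    """
    for received in msg.get_all("Received", []):
        ip = hop_ip(received)
        if ip is None:
            continue  # local delivery hop carrying no client address
        try:
            if ip in trusted or ip_address(ip).is_loopback:
                continue
        except ValueError:
            continue  # bracketed token that is not an IP address
        return ip
    return None


def spam_tests(msg):
    """Parse the tests=[NAME=score, ...] list that amavis/SpamAssassin writes into a dict."""
    m = re.search(r"tests=\[([^\]]*)\]", msg.get("X-Spam-Status", ""))
    tests = {}
    for item in (m.group(1).split(",") if m else []):
        name, _, score = item.strip().partition("=")
        if name:
            tests[name] = float(score or 0)
    return tests


def assess(raw, local_domain=LOCAL_DOMAIN):
    """Return origin IP, envelope sender domain, spam tests and a spoofing verdict."""
    msg = message_from_string(raw)
    origin = originating_ip(msg)
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    tests = spam_tests(msg)
    external = origin is not None and not (
        ip_address(origin).is_private or ip_address(origin).is_loopback)
    spoofed = sender_domain == local_domain and external
    findings = []
    if spoofed:
        findings.append(f"envelope sender claims {local_domain} but the message "
                        f"entered from external host {origin}")
    for name in ("SPF_FAIL", "TO_EQ_FM_DOM_SPF_FAIL", "RDNS_NONE"):
        if name in tests:
            findings.append(f"{name} ({tests[name]:+g})")
    return {"origin": origin, "sender_domain": sender_domain, "tests": tests,
            "spoofed": spoofed, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("foreign", FOREIGN_MESSAGE)):
        result = assess(raw)
        print(f"{label}: origin={result['origin']} sender_domain={result['sender_domain']} "
              f"spoofed={result['spoofed']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The newest-first walk matters: anything below the hop your own Postfix wrote for the external connection is under the sender's control, so the script stops at the first untrusted client and never trusts older Received lines. With the chain from the question the verdict is driven by the envelope sender and the external origin; the SPF tests only corroborate it, since they were scored too low to affect delivery.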