Block sending mails / how to handle spam from a specific website

Discussion in 'Installation/Configuration' started by Gjorret, Jun 23, 2016.

  1. Gjorret

    Gjorret New Member

    Does anyone know if it is possible to block mails sent from a specific website in ISPConfig? Is it possible through ISPConfig or does i have to do some magic directly in apache/postfix/spamassasain/whatever?

    This is the second time where we have a WordPress site which has been compromised and it is sending out alot of spam (Files/scripts getting uploaded to the site and then called from external sources).
    First time we just disabled the website but i would like if we could just say "This website cant sent any emails" and then the customer can fix the problem.

    The webserver is relaying to our mailserver so our mailserver gets bad reputation which affects our "real mailbox users".
    We're currently running ISPConfig with "default" multiserver setup. It's running on Debian 6.0.10 (squeeze) (Old, i know, we're in the process of migrating to newer version :))

    Or is there any other way to handle this issue? Really looking forward to hearing from you guys! :)


    Edit: Maybe it should have been on the "General" board instead? Sorry :)
    Last edited: Jun 23, 2016
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    My first thought was to invalidate sendmail_path for that site's settings, but it seems ispconfig specifies that, at least in some php modes, so that may not be an option.

    Next idea is to find something in the message that you can match and block on, eg. in a test message from a website which runs as user web5, I see this header:
    Received: by (Postfix, from userid 10005) id ADCBC24D51;
    Tue, 21 Jun 2016 12:07:57 -0600 (MDT)
    So you add a header check rule matching that '(Postfix, from userid 10005)' in a received header (and maybe include the hostname before it for safety in a multi-server environment), and you should be pretty safe to reject that. That of course matches the website owner, not the specific website, but might work for your purposes
  3. Gjorret

    Gjorret New Member

    I have thought about blocking it somehow as well. What about in the custom php.ini option for the site? I have tried with:
    disabled_functions = mail
    But that dosnt seem to have any effect. Any other way there? Would be preferable.

    I agree about the UID method - it could work (and honestly i dont care that its for all websites for the user). I couldt even due this on the postfix on the webserver - then the mail wont leave that server.
    But how do you recommend that i do that? In postfix it self or does it need to be in spamassasin?
    Jun 30 21:22:23 evovsispweb01 postfix/pickup[8366]: 4F667877A47: uid=1086 from=<[email protected]>
    Edit: ok, i can see that in ispconfig under email its possible to add "Mail Content Filter". I then just need to figure out to make the Regexp. Pattern?

    Editedit: Ok, so, also under the mail menu in ispconfig there is "Postfix blacklist". Here i added the email from which is sending out spam and added it as a "sender".
    That seems to work pretty sweet!
    Jun 30 22:01:57 mailsrv postfix/smtpd[31854]: NOQUEUE: reject: RCPT from mailsrv []: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<domain.tld>
    Last edited: Jun 30, 2016
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That should work fine. As you said, you could block it on the webserver first, but that does have to be done manually - blocking on the mail server lets you use ispconfig gui, if that matters. One thing to check is bounced messages from all the rejects - either your mail queue on the web server could be filling up with those, or maybe they're getting forwarded on to [email protected] (which maybe you want, to apply some pressure to them to fix the problem :).

Share This Page