email spam

Discussion in 'ISPConfig 3 Priority Support' started by Tom John, Nov 1, 2021.

  1. Tom John

    Tom John Active Member HowtoForge Supporter

    Hi guys, I am using Ubuntu 20.04 and ISPConfig 3.
    I still have problems with email spam.
    I refer to this post:
    https://www.howtoforge.com/community/threads/email-spam.87020/#post-423887
    I checked the box "reject sender and login mismatch" today, but I still get spam.
    Here is some of the logfile:
    Code:
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: 5EF2B8232EB: from=<[email protected]>, size=845, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: 501B8823333: from=<[email protected]>, size=897, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: 43300820EA0: from=<[email protected]>, size=908, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: 41B928232AD: from=<[email protected]>, size=892, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: 2B6AD8232CD: from=<[email protected]>, size=874, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: 72571821333: from=<[email protected]>, size=908, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: 7F6E0823353: from=<[email protected]>, size=1010, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: E031C8232FC: from=<[email protected]>, size=890, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: E5AAD823363: from=<[email protected]>, size=913, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: E49DD823345: from=<[email protected]>, size=969, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: E35AF823324: from=<[email protected]>, size=1046, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: F2DAE823348: from=<[email protected]>, size=897, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: D875E82331D: from=<[email protected]>, size=902, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: 3D8848202FB: from=<[email protected]>, size=808, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: 65160820E86: from=<[email protected]>, size=921, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: B604882333F: from=<[email protected]>, size=1048, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: B8B56823305: from=<[email protected]>, size=1020, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: BEC2D82135F: from=<[email protected]>, size=894, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/qmgr[668271]: 1A22682331C: from=<[email protected]>, size=889, nrcpt=1 (queue active)
    Nov  1 16:26:26 server4 postfix/smtp[670911]: 41B928232AD: host mx00.t-online.de[194.25.134.8] refused to talk to me: 554 IP=167.86.78.111 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.)
    Nov  1 16:26:26 server4 postfix/smtp[670911]: 41B928232AD: host mx01.t-online.de[194.25.134.72] refused to talk to me: 554 IP=167.86.78.111 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.)
    Nov  1 16:26:26 server4 postfix/smtp[670911]: 41B928232AD: host mx02.t-online.de[194.25.134.9] refused to talk to me: 554 IP=167.86.78.111 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.)
    Nov  1 16:26:26 server4 postfix/smtp[670911]: 41B928232AD: to=<[email protected]>, relay=mx03.t-online.de[194.25.134.73]:25, delay=281791, delays=281791/0.09/0.08/0, dsn=4.0.0, status=deferred (host mx03.t-online.de[194.25.134.73] refused to talk to me: 554 IP=167.86.78.111 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.))
    Nov  1 16:26:26 server4 postfix/smtp[670923]: BEC2D82135F: host mx02.t-online.de[194.25.134.9] refused to talk to me: 554 IP=167.86.78.111 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.)
    Nov  1 16:26:26 server4 postfix/smtp[670923]: BEC2D82135F: host mx00.t-online.de[194.25.134.8] refused to talk to me: 554 IP=167.86.78.111 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.)
    Nov  1 16:26:26 server4 postfix/smtp[670923]: BEC2D82135F: host mx03.t-online.de[194.25.134.73] refused to talk to me: 554 IP=167.86.78.111 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.)
    Nov  1 16:26:26 server4 postfix/smtp[670923]: BEC2D82135F: to=<[email protected]>, relay=mx01.t-online.de[194.25.134.72]:25, delay=294506, delays=294506/0.2/0.09/0, dsn=4.0.0, status=deferred (host mx01.t-online.de[194.25.134.72] refused to talk to me: 554 IP=167.86.78.111 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.))
    
    
    Every 2-3 minutes I get the following email as spam:
    Code:
    Delivered-To: [email protected]
    Received: by 2002:a05:6520:1804:b0:14d:1302:5488 with SMTP id s4csp868154lkz;
           Mon, 1 Nov 2021 08:17:26 -0700 (PDT)
    X-Google-Smtp-Source: ABdhPJyFzlRNlpMIYA3Rq3FTMnjPLb5yLupQjsJ/lFHBX3uUv+uvhYNXd3lixtaCirBi0/TWazKi
    X-Received: by 2002:adf:ea51:: with SMTP id j17mr8143391wrn.421.1635779846203;
           Mon, 01 Nov 2021 08:17:26 -0700 (PDT)
    ARC-Seal: i=1; a=rsa-sha256; t=1635779846; cv=none;
           d=google.com; s=arc-20160816;
           b=L5si/NAXf8U5J7dGZP22gHUzUG4IbCSHId5/QxiGFxyyMoQsfCGP1ff2GBGL1Cju/t
            RGsfNYzf2H6W4WoDYbDPy3ONx2gmL4toKoYexfwYN41MUM6uty2QLdTlFXKuBc+EYNCE
            FbAyS89eteCdmNkpphuN+YPUF/o95dU9IYvj7vQnH5jFe+MzlLcwmRsC1BCrqA+HiGT5
            OJrmAjAeROqK/I3k88viEVG8nT9PHT+5hwYvxMegCeLV218+Eb4XdZvfU4dhcKYducW4
            rXOpNcwYvoCXkDDtUgJqOblh/LiFzziHycv3ZkG2qajc5m3rgGchlnuR6ButPH4bOoZU
            jHbQ==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
           h=mime-version:message-id:reply-to:from:date:subject:to;
           bh=ygoORtUqFCaBSuF3Qa1RJxzT1P63HSMfaTkEIdtmAf4=;
           b=gtUK6nJJvYQS2Ky6ynBm3py7heHP5eWExBTee9UZ8C0rUeV55VlL34K1PuW0U0eZKk
            vN3L3Q4f/aHEKPQXrJArKEAJSnjC6ZK9QCBjYC9YpKz6e3anIcvJnEg7BCsoVgq5yt5U
            tmrq9774+uTT+lINFg8Kn1eGvjE4ejloqJV3WDawd9lLsqYjcuVHDa0Bw4AlK2SmZcwU
            13EKQPNtiHyzlELVLEh0pTGllFk9pL56cDUdlkCce5LB8OPwsXkK7NrGbFsX9YWMG4PF
            1+Dx6xwzrxUnkDFsHZ/aQw0Yo7lS9QMUldnKYCWUj0APfpClVzor4QnUH2kTIDraVCyZ
            I+bA==
    ARC-Authentication-Results: i=1; mx.google.com;
          spf=neutral (google.com: 167.86.78.111 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
    Return-Path: <[email protected]>
    Received: from server4.cl-i.net (server4.cl-i.net. [167.86.78.111])
           by mx.google.com with ESMTPS id m15si15398665wru.531.2021.11.01.08.17.26
           for <[email protected]>
           (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
           Mon, 01 Nov 2021 08:17:26 -0700 (PDT)
    Received-SPF: neutral (google.com: 167.86.78.111 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=167.86.78.111;
    Authentication-Results: mx.google.com;
          spf=neutral (google.com: 167.86.78.111 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
    Received: by server4.cl-i.net (Postfix, from userid 5005)
       id 5C31F823345; Mon,  1 Nov 2021 16:17:25 +0100 (CET)
    To: [email protected]
    Subject: =?us-ascii?Q?wp-fit_"Confessions_of_a_Bitcoin_billionaire_or?=  =?us-ascii?Q?_passive_income_from_$_9889_per_day"?=
    Date: Mon, 1 Nov 2021 15:17:25 +0000
    From: wp-fit <[email protected]>
    Reply-To: [email protected]
    Message-ID: <[email protected]>
    X-Mailer: PHPMailer 6.5.0 (https://github.com/PHPMailer/PHPMailer)
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    
    From: Thomasinife <[email protected]>
    Subject: Confessions of a Bitcoin billionaire or passive income from $ 9889 per day
    
    Message:
    REGISTER NOW and get more $ 8997 in a day   >>>>>>>>>>>>>>  https://www.google.com/url?q=https%3A%2F%2Fvk.cc%2Fc7wIWi&sa=D&68=80&usg=AFQjCNH6SY7LGALGvztkeI5TeYoMdA1BxA   <<<<<<<<<<<<<
    
    
    --
    This e-mail was sent from a contact form on wp-fit (https://wp-fit.com)
    
    The domain [email protected] does not exist in ISPConfig.
    I added the mail domain in ISPConfig.
    For this domain I use Cloudflare as DNS; can this be a problem?
    It would be great if you have some idea how I can resolve the problem.
    Thanks a lot
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That's a contact form on the website doing its job, i.e. sending you the messages - try adding Google reCAPTCHA v3 to the form and it should help tremendously. Trying to block that at the mail server level is the wrong approach for this, as there's no way to distinguish a valid contact form submission from a spam submission based solely on the sender address ([email protected]) or other headers; setting your mail server up to send through the correct mail server and blocking mail from non-existent addresses is a good practice for other reasons/cases, though.
     
  3. Tom John

    Tom John Active Member HowtoForge Supporter

    Hi Jesse,
    thanks for your answer.
    Google reCAPTCHA does not work on my form and I don't know why, so I did try:
    Really Simple CAPTCHA plugin
    Honeypot for Contact Form 7
    With both plugins I don't get more spam email to my email account, but in the logfiles there is still the spam on webmaster@
    Code:
    Nov  3 19:41:26 server4 postfix/qmgr[668271]: 692888220EE: from=<[email protected]>, size=891, nrcpt=1 (queue active)
    Nov  3 19:41:26 server4 postfix/qmgr[668271]: 1A20D8232F8: from=<[email protected]>, size=850, nrcpt=1 (queue active)
    
    
    Do you have another idea how to get rid of the spam?
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    There are many things you can do, and you generally need to do multiple of them, e.g. there are spam filtering services (Akismet, CleanTalk, etc.), there are security related plugins and config (e.g. .htaccess) that can block some "junk" requests based on behavior, blacklist lookups of the client address, you could redo your form in some other system and try using reCAPTCHA v3, you could utilize a CDN that blocks much of that, etc. Try web searches for "stop contact form spam wordpress" or similar.
     
  5. Tom John

    Tom John Active Member HowtoForge Supporter

    Thanks a lot for your answer.
    So there is a lot to do. Thanks for taking care of my problem; you gave me some good ideas on how to proceed.
     
  6. Tom John

    Tom John Active Member HowtoForge Supporter

    Hi again,
    may I ask another question which is not clear to me?
    After installing different plugins like Antispam Bee, Honeypot and so on, I decided to delete the form and clear the cache on the website after that.
    After deleting the form I get the same entry in the logfiles:
    Code:
    root@server4:~# tail -f /var/log/mail.log  | grep "webmaster"
    Nov  4 19:26:26 server4 postfix/qmgr[668271]: 90730823303: from=<[email protected]>, size=922, nrcpt=1 (queue active)
    Nov  4 19:26:27 server4 postfix/qmgr[668271]: A12B68201C0: from=<[email protected]>, size=897, nrcpt=1 (queue active)
    Nov  4 19:26:27 server4 postfix/qmgr[668271]: 009DE82330B: from=<[email protected]>, size=919, nrcpt=1 (queue active)
    
    
    If I understand it right, if the form caused this entry in the logfile, then after deleting the form there should not be another entry like that.
    Maybe I don't understand exactly what this entry says, and whether this spam comes from the contact form or whether the reason for this log entry is something else.
    It would be great if you could help me with my doubts.
    Thanks a lot in advance, and sorry for writing again.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    If you deleted the form, those messages are of course not coming from that. Check your mail log to see what happens to the messages; if they are still in the queue, examine them to see if you can tell how the messages were sent. If it's not obvious (e.g. like the previous one which said, "This e-mail was sent from a contact form") you might need to check the site's access log and correlate incoming requests with outgoing spam/messages (and if you have a high volume of those, it should be pretty obvious).
     
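An added example of the correlation Jesse describes in the post above; this is not code from the thread, from ISPConfig or from Postfix. It matches each `postfix/qmgr` "queue active" line for a given sender address against web-server access-log requests that arrived in the few seconds before the message was queued, and tallies the client IP, method and path that keep showing up next to the spam, which is the list of addresses one would then block, as in the last post of the thread. It also pulls the UID out of a `Received: by ... (Postfix, from userid N)` header like the one in the first post: Postfix only writes that form for mail injected locally through the sendmail binary (the pickup service), so such a header means a process on the server itself, typically the web server's PHP user, submitted the message rather than an outside SMTP client. The log lines, IP addresses, sender address, the Apache "combined" access-log format and the 5-second window are all constructed or assumed for the example.

```python
"""Correlate Postfix qmgr entries for one sender with web requests that
preceded them, and recognise locally injected mail from its Received header.

Added example, not from the thread. All log lines below are constructed.
Assumptions: mail.log is syslog-style (no year), the access log is in
Apache "combined" format, and both are in the server's local time.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_YEAR = 2021  # assumed: syslog lines in mail.log carry no year

# postfix/qmgr "queue active" line, shaped like the thread's excerpts
QMGR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>"
)
# Apache "combined" access-log line (assumed format of the site's log)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Postfix stamps mail injected via the sendmail binary with the submitter's UID
USERID_RE = re.compile(r"\(Postfix, from userid (?P<uid>\d+)\)")


def parse_qmgr(line):
    """Return {ts, qid, sender} for a qmgr 'from=' line, else None."""
    m = QMGR_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "qid": m["qid"], "sender": m["sender"]}


def parse_access(line):
    """Return {ts, ip, method, path, status} for an access-log line, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # drop the zone offset: both logs are compared in local server time
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"ts": ts, "ip": m["ip"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def submitting_uid(received_header):
    """UID of the local process that injected the mail, or None if it came over SMTP."""
    m = USERID_RE.search(received_header)
    return int(m["uid"]) if m else None


def correlate(mail_lines, access_lines, sender, window_seconds=5):
    """Map each queue id for `sender` to the requests seen within `window_seconds` before it."""
    window = timedelta(seconds=window_seconds)
    queued = [q for q in map(parse_qmgr, mail_lines) if q and q["sender"] == sender]
    requests = [r for r in map(parse_access, access_lines) if r]
    return {
        q["qid"]: [r for r in requests if q["ts"] - window <= r["ts"] <= q["ts"]]
        for q in queued
    }


def suspects(matches):
    """Count (ip, method, path) triples across all correlated requests."""
    counts = Counter()
    for hits in matches.values():
        for r in hits:
            counts[(r["ip"], r["method"], r["path"])] += 1
    return counts


# Constructed sample data (not real log output)
MAIL_LOG = [
    "Nov  1 16:26:26 server4 postfix/qmgr[668271]: 5EF2B8232EB: from=<webmaster@example.com>, size=845, nrcpt=1 (queue active)",
    "Nov  1 16:29:31 server4 postfix/qmgr[668271]: 501B8823333: from=<webmaster@example.com>, size=897, nrcpt=1 (queue active)",
    "Nov  1 16:30:02 server4 postfix/qmgr[668271]: 43300820EA0: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)",
]
ACCESS_LOG = [
    '198.51.100.9 - - [01/Nov/2021:16:26:10 +0100] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Nov/2021:16:26:25 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 73 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Nov/2021:16:29:30 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 73 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Nov/2021:16:29:59 +0100] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
SAMPLE_RECEIVED = "Received: by server4.example.net (Postfix, from userid 5005)"

if __name__ == "__main__":
    matches = correlate(MAIL_LOG, ACCESS_LOG, "webmaster@example.com")
    for qid, hits in matches.items():
        print(qid, [(r["ip"], r["method"], r["path"]) for r in hits])
    print("top suspects:", suspects(matches).most_common(3))
    print("submitting uid:", submitting_uid(SAMPLE_RECEIVED))
```

Run it against real files with something like `correlate(open("/var/log/mail.log"), open("/var/www/.../access.log"), "webmaster@...")`; tighten or widen `window_seconds` until the match rate stops changing. The UID reported by `submitting_uid` can be resolved with `getent passwd <uid>`; if it is the site's PHP/web user, the source is a script under that vhost rather than the mail server.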
  8. Tom John

    Tom John Active Member HowtoForge Supporter

    Hi there,
    thanks for your help.
    I installed pflogsumm and with iptables I blocked 2 IPs. At least now there is no more entry about the webmaster email. I cleaned the mail queue, so let's see how it goes.
    Thanks guys for the great help, as always.
     
