Postfix - increase of deferred email

Discussion in 'Server Operation' started by Hans, Dec 10, 2006.

Thread Status:
Not open for further replies.
  1. tycho

    tycho New Member

    Hans and Falko,

    Maybe this is the end of it, but I would still like to see the complete route of such mail, just to satisfy my curiosity (and perhaps come up with a final solution to the problem).
    I'm intrigued. (That's mainly because Falko implied it cannot be solved; I think I found a bug in my character.)
     
    Last edited: Dec 11, 2006
  2. Hans

    Hans Moderator ISPConfig Developer

    More deferred emails

    This morning I had a look at Munin's graph, to see if there were no deferred mails anymore.

    But yes, there were 31 deferred mails again! :mad:

    I removed them again, but what else can I do to prevent this as much as possible?
     

    Attached Files:

  3. tycho

    tycho New Member

    Did you trace them back to their origin?
     
  4. Hans

    Hans Moderator ISPConfig Developer

    I understand that it is important to trace them back to their origin, but at this time I have not done so yet.
    The next time that a lot of deferred mails occur, I will give it a try and I will report it here.

    Maybe it is an option to block their IPs.
     
  5. tycho

    tycho New Member

    No need to wait till next time. Your mail log, starting yesterday at 22:15 and ending at 02:00 this morning, will most likely provide the wanted info.
     
    Last edited: Dec 12, 2006
  6. Hans

    Hans Moderator ISPConfig Developer

    How can I do this?

    :(
     
  7. tycho

    tycho New Member

    I would go with examining your maillog. If it contains too much privacy sensitive info you may want to drop me a private line.
    I take it you have some new spams ghosting around in your system. So Munin will tell you which part of the log is needed.
     
    Last edited: Dec 13, 2006
  8. Hans

    Hans Moderator ISPConfig Developer

    apache2 error.log file

    I have taken a look at my /var/log/apache2/error.log file because I think that the spam is caused via a web application.
    In this logfile, I discovered a lot of messages like the ones within the attachment.

    I think I am on the right track now, but what can I do now?

    @tycho:
    If necessary, I'll open that private line later.
    Thanks for your help!
     

    Attached Files:

  9. falko

    falko Super Moderator ISPConfig Developer

  10. Hans

    Hans Moderator ISPConfig Developer

    Falko,

    I can block IP addresses with the command route add -host <IP-address> reject

    Two more questions:

    - But how can I unblock an IP address in case I block wrong IP addresses?
    I guess with the command:
    route del -host <IP-address> reject

    - Is there also a possibility to list the IP addresses that I've blocked on the server?
     
    Last edited: Dec 13, 2006
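As an added example (not from the thread), here is the host-blocking Hans describes wrapped in small shell functions, plus a parser that answers his question about listing the blocked addresses: in `route -n` output a reject route carries the `!` flag and a host route the `H` flag. It assumes the net-tools `route` command the thread uses; the iproute2 equivalents are given in comments, and adding or deleting routes needs root. The route table at the bottom is constructed for a self-check, not taken from anyone's server.

```shell
#!/bin/sh
# Added example: reject-route blocking and a way to list what is blocked.
# Assumes net-tools `route` (as used in the thread); iproute2 shown in comments.

# Block a single host by installing a reject route for it (needs root).
block_host() {
    route add -host "$1" reject        # iproute2: ip route add unreachable "$1"
}

# Undo the block. Hans's guess is right: the same command with `del`.
unblock_host() {
    route del -host "$1" reject        # iproute2: ip route del unreachable "$1"
}

# List hosts blocked this way. Reads a `route -n` table from stdin, skips the
# two header lines and prints the destination of every row whose Flags
# column contains both `!` (reject) and `H` (host route).
# Usage: route -n | list_blocked        (iproute2: ip route show type unreachable)
list_blocked() {
    awk 'NR > 2 && $4 ~ /!/ && $4 ~ /H/ { print $1 }'
}

# Constructed sample of `route -n` output for a self-check (not real data;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.5     -               255.255.255.255 !H    0      -        0 -
198.51.100.77   -               255.255.255.255 !H    0      -        0 -
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

# Example run on the sample: printf '%s\n' "$SAMPLE_ROUTE_TABLE" | list_blocked
```

Note that these reject routes do not survive a reboot and block the address for all services on the box, not just mail, so keeping the list somewhere you can re-apply it (or moving to a firewall rule) is worth considering.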
  11. Hans

    Hans Moderator ISPConfig Developer

    One question about this line:

    mynetworks = 127.0.0.0/8, 192.168.1.0/24

    Is 192.168.1.0 the IP address of my server or the IP address of the gateway?
     
  12. tycho

    tycho New Member

    That would be the address (well, actually the network) of eth1.
    The setting means email clients inside your firewall do not have to authenticate themselves when sending email, thus providing somewhat smoother operation.
    Also, never add any routable networks to this setting, as you will be an open relay.
    Applicable to Postfix (which you use, don't you?).
     
    Last edited: Dec 14, 2006
  13. Hans

    Hans Moderator ISPConfig Developer

    Yes, I am using Postfix.
    I have added the line <eth0-address>/24 to my Postfix main.cf file.
    After that I restarted Postfix.

    Yesterday I studied a lot of log files.
    My websites have been scanned; contact forms on the websites of my clients are used to send spam via the system user www-data (Apache) to a lot of other email addresses outside my server.

    When the email address/domain name/hostname of the receiver does not exist, the email will be marked as "deferred".
    That is the reason that deferred mails are increasing.

    As Falko suggests I have blocked some IP addresses, but this does not help a lot.
    (The IPs are different every time.)

    It is very difficult to trace the IP addresses of the spammers, and almost impossible to find the site containing a possibly vulnerable form/application.
    Their IP addresses are not always available, as the spammers are using scripts within the forms on websites.

    Right now I am not able to solve this problem, so if anyone has suggestions, they are welcome.
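Tycho's advice to examine the mail log and Hans's finding that the deferred mail is injected locally by www-data can be combined into one check. The following is an added example, not code from the thread: it reads a Postfix log, pairs each `status=deferred` delivery attempt with the `postfix/pickup` line of the same queue id (local sendmail submissions carry the submitting uid; 33 is www-data on Debian), and reports which local users injected the mail that ended up deferred. Mail that arrived over SMTP from other hosts has no pickup line and is therefore left out. The log lines at the bottom are constructed to mimic Postfix's format and are not from Hans's server; the hostnames and addresses in them are placeholders.

```shell
#!/bin/sh
# Added example: tie deferred Postfix deliveries back to the local submitter.
# Usage: deferred_local_submissions /var/log/mail.log   (or pipe the log in)

# Prints "queue-id uid=N attempts=M" for every locally submitted message that
# had at least one deferred delivery attempt, sorted by queue id.
deferred_local_submissions() {
    awk '
        # postfix/pickup logs local sendmail(1) submissions as
        #   <queue-id>: uid=<uid> from=<sender>
        /postfix\/pickup\[/ {
            id = $6; sub(/:$/, "", id)
            for (i = 7; i <= NF; i++) if ($i ~ /^uid=/) uid[id] = substr($i, 5)
        }
        # Every delivery attempt for the same queue id that was deferred.
        /status=deferred/ {
            id = $6; sub(/:$/, "", id)
            deferred[id]++
        }
        END {
            for (id in deferred)
                if (id in uid) print id, "uid=" uid[id], "attempts=" deferred[id]
        }' "$@" | sort
}

# Summarises the above per submitting uid: "uid=N <number of messages>".
count_deferred_by_uid() {
    deferred_local_submissions "$@" | awk '{ n[$2]++ } END { for (u in n) print u, n[u] }' | sort
}

# Constructed sample log (placeholder host "mx", documentation IP ranges).
# Contains: one www-data message deferred twice, one www-data message that
# was delivered, one deferred message that came in over SMTP (no pickup
# line, so it is not attributed to a local user) and one root cron mail.
SAMPLE_MAILLOG='Dec 12 22:15:01 mx postfix/pickup[2001]: 1A2B3C4D5E: uid=33 from=<www-data>
Dec 12 22:15:01 mx postfix/cleanup[2002]: 1A2B3C4D5E: message-id=<20061212221501.1A2B3C4D5E@mx.example>
Dec 12 22:15:01 mx postfix/qmgr[2003]: 1A2B3C4D5E: from=<www-data@mx.example>, size=812, nrcpt=1 (queue active)
Dec 12 22:15:02 mx postfix/smtp[2004]: 1A2B3C4D5E: to=<buyer@nonexistent.example>, relay=none, delay=1.2, delays=0.1/0/1.1/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=nonexistent.example type=MX: Host not found, try again)
Dec 12 22:20:07 mx postfix/smtp[2004]: 1A2B3C4D5E: to=<buyer@nonexistent.example>, relay=none, delay=301, delays=300/0/1/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=nonexistent.example type=MX: Host not found, try again)
Dec 12 22:16:30 mx postfix/pickup[2001]: 5F6A7B8C9D: uid=33 from=<www-data>
Dec 12 22:16:31 mx postfix/smtp[2005]: 5F6A7B8C9D: to=<info@customer.example>, relay=mail.customer.example[198.51.100.20]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4D3C2B1A)
Dec 12 22:17:00 mx postfix/smtpd[2006]: connect from unknown[203.0.113.9]
Dec 12 22:17:01 mx postfix/smtpd[2006]: 9E8D7C6B5A: client=unknown[203.0.113.9]
Dec 12 22:17:02 mx postfix/smtp[2005]: 9E8D7C6B5A: to=<user@nodomain.invalid>, relay=none, delay=0.8, delays=0.2/0/0.6/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=nodomain.invalid type=MX: Host not found, try again)
Dec 12 23:00:00 mx postfix/pickup[2001]: 0A1B2C3D4E: uid=0 from=<root>
Dec 12 23:00:01 mx postfix/smtp[2005]: 0A1B2C3D4E: to=<admin@offline.example>, relay=none, delay=0.5, delays=0.1/0/0.4/0, dsn=4.4.1, status=deferred (connect to offline.example[192.0.2.7]:25: Connection refused)'

# Example run on the sample:
#   printf '%s\n' "$SAMPLE_MAILLOG" | deferred_local_submissions
```

A high count for uid=33 is the signature of the problem in this thread: a web form handing attacker-supplied recipients to sendmail. Once you have the queue ids, the Apache access log for the same timestamps usually shows which form was being hit.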
     
  14. tycho

    tycho New Member

    You could add a pre-processor for www-data, like via procmail or MailScanner.
     
  15. Hans

    Hans Moderator ISPConfig Developer

    Add Procmail

    I think that is a good idea.

    I believe Procmail is not included within Falko's "Perfect howto" for Debian Sarge.

    There is a lot of info available here about procmail at URL http://www.howtoforge.com/taxonomy_menu/1/23

    Do you know how I can add and set up procmail for my Debian server with ISPConfig?
     
  16. Hans

    Hans Moderator ISPConfig Developer

    Add Procmail

    I think that is a good idea.

    There is a lot of info available here about procmail at URL http://www.howtoforge.com/taxonomy_menu/1/23

    Do you know how I can set up procmail for my Debian server with ISPConfig for www-data?
     
  17. falko

    falko Super Moderator ISPConfig Developer

    It's installed automatically, and the rest is configured by ISPConfig. :)

    This might give you the idea: http://www.howtoforge.com/howto_spamassassin_clamav_procmail

    Actually, 192.168.1.0 is your network address, not the address of your network card, and /24 is the subnet mask (it's the same as 255.255.255.0).
    If you use the subnet mask /32, then the IP address would be your network card's IP address.
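Tycho's warning (never put a routable network in mynetworks) and Falko's explanation of the network/prefix notation can be turned into a check. The following is an added example, not from the thread or from Postfix: a shell function that takes the value of mynetworks as it appears in main.cf (or as printed by `postconf -h mynetworks`) and flags every entry that is not loopback or RFC 1918 private space, or whose prefix length is wider than that private range allows. The sample values in the comments are constructed; 203.0.113.0/24 is a documentation range standing in for a public network.

```shell
#!/bin/sh
# Added example: flag mynetworks entries that would make Postfix an open relay.
# Postfix relays unauthenticated mail for every client matching mynetworks,
# so only loopback and private (RFC 1918 / IPv6 ULA) ranges belong there.
#
#   mynetworks = 127.0.0.0/8, 192.168.1.0/24     -> fine (LAN only)
#   mynetworks = 127.0.0.0/8, 203.0.113.0/24     -> relays for a public /24
#   mynetworks = 127.0.0.0/8, 10.0.0.0/4         -> /4 is far wider than 10/8
#
# Returns 0 when every entry is acceptable, 1 otherwise, printing offenders.
# Usage: check_mynetworks "$(postconf -h mynetworks)"
check_mynetworks() {
    bad=0
    # Postfix accepts commas and/or whitespace between entries.
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        # Prefix length after the slash; a bare address means a single host.
        mask=${entry##*/}
        if [ "$mask" = "$entry" ]; then
            case "$entry" in \[*) mask=128 ;; *) mask=32 ;; esac
        fi
        # Narrowest prefix length each private range is allowed to use.
        case "$entry" in
            127.*)                                  need=8   ;;  # IPv4 loopback
            10.*)                                   need=8   ;;  # RFC 1918 10/8
            172.1[6-9].*|172.2[0-9].*|172.3[01].*)  need=12  ;;  # RFC 1918 172.16/12
            192.168.*)                              need=16  ;;  # RFC 1918 192.168/16
            '[::1]'*)                               need=128 ;;  # IPv6 loopback
            '[fc'*|'[fd'*)                          need=7   ;;  # IPv6 ULA fc00::/7
            *)                                      need=999 ;;  # public space or a lookup table
        esac
        # A non-numeric "mask" (e.g. hash:/etc/postfix/networks) cannot be
        # checked here and is reported as well.
        case "$mask" in *[!0-9]*) mask=0 ;; esac
        if [ "$mask" -lt "$need" ]; then
            echo "mynetworks entry is not loopback/private space: $entry"
            bad=1
        fi
    done
    return "$bad"
}
```

In the thread's case the fix is the line falko and tycho give: the LAN network with its own prefix length, e.g. 192.168.1.0/24, never the whole internet or the server's public block. Note that this setting is unrelated to the web-form problem: mail handed to sendmail by www-data is local submission and never consults mynetworks.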
     
  18. tycho

    tycho New Member

    I don't agree with that. But it will at least buy you some time.
    And you are going to need that time to come up with a real solution (installing a pre-processor in this case is just a work-around), because you will be blacklisted if you don't.
    Bear in mind that Postfix is not the weak link in this chain; Apache, and/or programs executed through Apache, are giving the spammers an open relay.
     
    Last edited: Dec 14, 2006
  19. Hans

    Hans Moderator ISPConfig Developer

    A little step further

    In the meantime, I found the vulnerable contact form within a site.
    The form is deactivated and since that moment everything looks great again.

    It is time to create more secure contact forms and to make my server more secure by adding a pre-processor or whatever.

    For today I go to bed now, as I am sick of SPAM.
     
    Last edited: Dec 14, 2006
  20. Hans

    Hans Moderator ISPConfig Developer

    Captcha

    I have put a captcha on the web forms and this really helps to prevent spam generated by automatic processes without human interaction via web forms.

    Definition: http://nl.wikipedia.org/wiki/Captcha

    :)
     