Spam

Discussion in 'ISPConfig 3 Priority Support' started by Dextros, May 8, 2015.

  1. Dextros

    Dextros Member

    Hi Guys

    I need some help.

    I am being spammed with crap and I don't know how to deal with this; I have never had it before.

    I think I have disabled the offender's account from sending, but it's bringing my server to a halt.


    Code:
    2 postfix/smtp[10970]: connect to dnvrco-pub-iedge-vip.email.rr.com[107.14.73.70]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[11037]: 1B271706237D: to=<[email protected]>, relay=none, delay=2976, delays=2609/276/90/0, dsn=4.4.1, status=deferred (connect to mx.adista.fr[212.51.161.49]:25: Connection timed out)
    May  8 12:27:58 ns312472 postfix/smtp[10939]: connect to exdir-com.mail.eo.outlook.com[207.46.163.215]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10952]: connect to mta7.am0.yahoodns.net[66.196.118.36]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10978]: connect to mx2.free.fr[212.27.42.58]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[11008]: connect to antespam.com[206.166.194.225]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[11008]: 0A4697060C41: to=<[email protected]>, relay=none, delay=23017, delays=22950/37/30/0, dsn=4.4.1, status=deferred (connect to antespam.com[206.166.194.225]:25: Connection timed out)
    May  8 12:27:58 ns312472 postfix/smtp[11002]: connect to plato.mx25.net[207.200.28.36]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10967]: connect to mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[11012]: connect to mail.eceti.com[74.50.117.244]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[11015]: connect to mx4.mail.icloud.com[17.172.34.66]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10974]: connect to mx4.hotmail.com[65.55.92.152]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10963]: connect to olatheschools-com.mail.eo.outlook.com[207.46.163.215]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10967]: 033067062138: to=<[email protected]>, relay=none, delay=6287, delays=6219/37/30/0, dsn=4.4.1, status=deferred (connect to mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: Connection timed out)
    May  8 12:27:58 ns312472 postfix/smtp[10966]: connect to mail.b-io.co[50.16.235.100]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10974]: 9E2FA70622B5: to=<[email protected]>, relay=none, delay=2331, delays=1964/217/150/0, dsn=4.4.1, status=deferred (connect to mx4.hotmail.com[65.55.92.152]:25: Connection timed out)
    May  8 12:27:58 ns312472 postfix/smtp[11012]: 0A4697060C41: to=<[email protected]>, relay=none, delay=23018, delays=22950/37/30/0, dsn=4.4.1, status=deferred (connect to mail.eceti.com[74.50.117.244]:25: Connection timed out)
    May  8 12:27:58 ns312472 postfix/smtp[10963]: 13A507062459: to=<[email protected]>, relay=none, delay=2849, delays=2481/277/91/0, dsn=4.4.1, status=deferred (connect to olatheschools-com.mail.eo.outlook.com[207.46.163.215]:25: Connection timed out)
    May  8 12:27:58 ns312472 postfix/smtp[10966]: 95BA6706146B: to=<[email protected]>, relay=none, delay=18118, delays=17751/217/151/0, dsn=4.4.1, status=deferred (connect to mail.b-io.co[50.16.235.100]:25: Connection timed out)
    May  8 12:27:58 ns312472 postfix/smtp[11016]: connect to avbspam2.avalonprop.com[206.16.201.117]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10991]: connect to melmail01.isn.infoplex.com.au[119.77.8.10]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10991]: 78673706246E: to=<[email protected]>, relay=none, delay=2268, delays=1901/307/61/0, dsn=4.4.1, status=deferred (connect to melmail01.isn.infoplex.com.au[119.77.8.10]:25: Connection timed out)
    May  8 12:27:58 ns312472 postfix/smtp[10951]: connect to mail2.sitel.net[206.24.49.19]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10962]: connect to redred.com.mx1.arvig.rcimx.net[209.81.96.160]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10965]: connect to hudsonsalvage.com.mx1.megagate.rcimx.net[208.80.206.37]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10934]: connect to mx3.hotmail.com[65.55.37.120]:25: Connection timed out
    May  8 12:27:58 ns312472 postfix/smtp[10965]: 9B5E7706141C: to=<[email protected]>, relay=none, delay=18184, delays=17817/217/151/0, dsn=4.4.1, status=deferred (connect to hudsonsalvage.com.mx1.megagate.rcimx.net[208.80.206.37]:25: Connection timed out)
    May  8 12:27:59 ns312472 postfix/smtp[11010]: connect to gandycommunities-com01c.mail.protection.outlook.com[207.46.163.138]:25: Connection timed out
    May  8 12:27:59 ns312472 postfix/smtp[11021]: connect to mail.apc.net[209.223.136.74]:25: Connection timed out
    May  8 12:27:59 ns312472 postfix/smtp[11021]: 0854C70604AD: to=<[email protected]>, relay=none, delay=28710, delays=28642/37/30/0, dsn=4.4.1, status=deferred (connect to mail.apc.net[209.223.136.74]:25: Connection timed out)
    May  8 12:27:59 ns312472 postfix/smtp[10986]: connect to xo-com.mail.protection.outlook.com[207.46.163.215]:25: Connection timed out
    May  8 12:27:59 ns312472 postfix/smtp[10999]: connect to mx0a-000d4202.pphosted.com[67.231.145.47]:25: Connection timed out
    May  8 12:27:59 ns312472 postfix/smtpd[12443]: connect from leasedline-static-080-228-094-034.ewe-ip-backbone.de[80.228.94.34]
    May  8 12:27:59 ns312472 postfix/smtp[10971]: connect to mx5.mail.icloud.com[17.158.8.113]:25: Connection timed out
    May  8 12:27:59 ns312472 postfix/smtp[10971]: 9EF607060D7C: to=<[email protected]>, relay=none, delay=22339, delays=21971/218/150/0, dsn=4.4.1, status=deferred (connect to mx5.mail.icloud.com[17.158.8.113]:25: Connection timed out)
    May  8 12:27:59 ns312472 postfix/smtp[11011]: connect to mail.b-io.co[54.235.78.85]:25: Connection timed out
    May  8 12:27:59 ns312472 postfix/error[14119]: 7D8E8706144A: to=<[email protected]>, relay=none, delay=17951, delays=17583/368/0/0.06, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx5.mail.icloud.com[17.158.8.113]:25: Connection timed out)
    May  8 12:27:59 ns312472 postfix/error[14012]: 48E2E7061462: to=<[email protected]>, relay=none, delay=18130, delays=17762/368/0/0.06, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx5.mail.icloud.com[17.158.8.113]:25: Connection timed out)
    May  8 12:27:59 ns312472 postfix/error[14012]: warning: connect to mysql server 127.0.0.1: Too many connections
    May  8 12:27:59 ns312472 postfix/error[14012]: warning: mysql:/etc/postfix/mysql-virtual_relaydomains.cf: table lookup problem
    May  8 12:27:59 ns312472 postfix/error[14012]: warning: 48E2E7061462: flush service failure
    May  8 12:27:59 ns312472 postfix/error[14119]: warning: connect to mysql server 127.0.0.1: Too many connections
    May  8 12:27:59 ns312472 postfix/error[14119]: warning: mysql:/etc/postfix/mysql-virtual_relaydomains.cf: table lookup problem
    May  8 12:27:59 ns312472 postfix/error[14119]: warning: 7D8E8706144A: flush service failure
    May  8 12:27:59 ns312472 postfix/smtpd[12443]: warning: proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf lookup error for "[email protected]"
    May  8 12:27:59 ns312472 postfix/smtpd[12443]: NOQUEUE: reject: RCPT from leasedline-static-080-228-094-034.ewe-ip-backbone.de[80.228.94.34]: 451 4.3.0 <[email protected]>: Temporary lookup failure; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<leasedline-static-080-228-094-034.ewe-ip-backbone.de>
    May  8 12:27:59 ns312472 postfix/smtpd[12443]: disconnect from leasedline-static-080-228-094-034.ewe-ip-backbone.de[80.228.94.34]
    May  8 12:27:59 ns312472 postfix/smtp[11007]: connect to braxtonculler-com.mail.protection.outlook.com[207.46.163.247]:25: Connection timed out
    
    Is there anything I can do?

    Thanks

    Lee
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Run:

    postqueue -p

    to get a list of the mails in the queue, then use the postcat command to inspect one of these emails to ensure that you tracked down the right sender. Example for ID 590ED4DC2D34:

    postcat /var/spool/postfix/deferred/5/590ED4DC2D34

    Check if there is an authenticated sender header; that's the sending account. If there is no such header, check if there is an X-PHP header that shows the name of the sending script.

    When the email is sent through an authenticated user, change its password and restart postfix, saslauthd and dovecot to ensure that the old password is not cached.
     
  3. Dextros

    Dextros Member

    Hi Till

    Thanks for that.

    I have changed the user's password. Is there a way to delete all the deferred emails? There are a lot.

    L
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. Dextros

    Dextros Member

    Hi, thanks, and sorry for this.

    When I run
    mailq | grep allmaintenance.biz | awk {'print $1′} | postsuper -d -
    it just does

    mailq | grep allmaintenance.biz | awk {'print $1′} | postsuper -d -
    >

    and it doesn't do anything.

    At least I am learning something!

    KRs

    Lee

    PS I fixed it: I took postfix offline and ran postsuper -d ALL

    Thank you so much for your help. I have had loads of phone calls, as I use IMAP and it was making it crawl. Will stay subbed, as I have for the past 3 months!
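    As an added example (not code from the thread or from ISPConfig), here is a small Python parser for the `postqueue -p` / `mailq` listing that till's post describes, run over a constructed sample. It counts queued messages per envelope sender, selects queue IDs by sender domain (the job the `mailq | grep … | awk … | postsuper -d -` pipeline in the post above was meant to do, but matched on the parsed sender field rather than on any line containing the domain), and builds the spool path that postcat needs, assuming the default `hash_queue_depth = 1` shown in till's example.

```python
import re
from collections import Counter

# Constructed `postqueue -p` (mailq) output; not taken from the thread. A queue-ID line
# carries size, arrival time and sender; indented lines carry the last error and recipients.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
590ED4DC2D34     2048 Fri May  8 12:27:58  bulk@allmaintenance.biz
            (connect to mx4.hotmail.com[65.55.92.152]:25: Connection timed out)
                                         someone@hotmail.com
0A4697060C41     1900 Fri May  8 06:05:01  bulk@allmaintenance.biz
            (connect to antespam.com[206.166.194.225]:25: Connection timed out)
                                         victim@antespam.com
13A507062459*    1500 Fri May  8 12:40:10  alice@example.org
                                         bob@allmaintenance.biz
-- 5 Kbytes in 3 Requests.
"""
QUEUE_ID = re.compile(r"[0-9A-F]{8,}[*!]?")  # classic hex IDs as in the thread; * = active, ! = on hold

def parse_mailq(text):
    """Return one dict per queued message: id, flag, sender, rcpts, error."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if parts and QUEUE_ID.fullmatch(parts[0]) and len(parts) >= 7:
            qid = parts[0].rstrip("*!")
            entries.append({"id": qid, "flag": parts[0][len(qid):],
                            "sender": parts[6].lower(), "rcpts": [], "error": None})
        elif line.startswith(" ") and entries:   # continuation line of the last entry
            body = line.strip()
            if body.startswith("("):
                entries[-1]["error"] = body
            elif "@" in body:
                entries[-1]["rcpts"].append(body.lower())
    return entries

def count_by_sender(entries):
    """Queued messages per envelope sender: a flooding account stands out immediately."""
    return dict(Counter(e["sender"] for e in entries))

def ids_for_sender_domain(entries, domain):
    """Queue IDs whose envelope *sender* is in `domain`; recipient lines are not matched."""
    suffix = "@" + domain.lower()
    return [e["id"] for e in entries if e["sender"].endswith(suffix)]

def deferred_path(qid, depth=1):
    """Spool path for postcat, assuming Postfix's default hash_queue_depth=1 (first hex digit as subdir)."""
    return "/var/spool/postfix/deferred/" + "/".join(qid[:depth]) + "/" + qid
```

The IDs returned by `ids_for_sender_domain` are what you would feed to `postsuper -d -`, one per line.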
     
  6. Dextros

    Dextros Member

    Hi Till

    I am mostly there now, but now most of my clients' emails are not getting to their external recipients.

    I'm guessing that we are marked as spam. Is there anything I can do at all?

    KRs

    Lee
     
  7. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Check your server at some RBL query service like http://multirbl.valli.org
    If it is listed you might request a de-listing but that depends on the provider of each list.
     
  8. Dextros

    Dextros Member

    Thanks Croydon
    I am on 5, and I have registered to be removed from two of them.
    I will monitor over the weekend, and pray that my clients can send emails.

    Is it worth trying to use the failover IP to send emails out from?

    Also I have been seeing this, but from various IPs over the past few days.

    May 8 22:49:34 ns312472 postfix/smtpd[4538]: warning: unknown[31.31.107.247]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

    Any ideas? It's always the same user attempt, but a different IP. Should I just ignore it? It's about 1 per minute.

    KRs

    Lee
     
  9. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    You might try using another IP for sending mails, but I don't think a failover IP is a good idea for that.
    Keep in mind that you have to adjust DNS and RDNS settings, too.

    Regarding the IMAP: I cannot tell you whether it is an attack or a user that has set up a wrong password in the mail client.
     
  10. Dextros

    Dextros Member

    Hi Guys

    Is there anything I can do about being seen as spam?

    My clients are just getting returned emails like:

    >: host mx1.maildefender.net[195.90.97.115] said: 550
    Rejected by content scanner (CMAE). See


    host mx.avasin.plus.net[212.159.8.200] said:
    552
    Spam Message Rejected (in reply to end of DATA command)

    said: 550 csi.mimecast.org Poor
    Reputation Sender. -

    Is it just easier to ask OVH for a new IP address and set all the DNS up again? Is there something the scanner can do on the way out?

    Our reputation is good, and we do not appear to be on any blacklists.

    Using Debian 7, if this makes any difference. Sorry I'm being a pain; it's causing me frustration and I don't really know how to deal with it.

    Kind Regards

    Lee

    PS I have also found this:

    DKIM (Domain Keys Identified Mail) Check
    Domain Keys is a framework wherein a domain owner specifies a public key (or a set of public keys) in the domain's DNS records and signs all outgoing emails with one or more keys. A recipient email server can then verify if the email actually came from the Domain specified.

    If the recipient email server finds that the keys do not match what is published, it can reject the emails. Alternately, when an email from this domain is authenticated using the keys, the recipient can accept it as genuine and bypass SPAM checks.

    Specifying Domain Key records for your domain and signing all your outgoing emails reduces the chances that emails from your domain will be considered as SPAM and thus increases the deliverability of your Emails.
    ____
    Email does not contain any DKIM/Domain Keys Signature and the published Domain Keys policy does not specify whether to accept or reject unsigned Emails. Signing your Outbound emails and clearly specifying a policy to accept signed emails will minimize chances of your Email being considered as SPAM.
    ____


    BATV is a mechanism wherein an outgoing Email server adds a tag to the Envelope From address of all outgoing Emails. For example, if an Email address goes out with From address as <[email protected]>, the Envelope From is changed to <prvs=SBDGAUJ=[email protected]>, where 'SBDGAUJ' is the added tag. This tag is generated using an internal mechanism and is different for each email sent.

    If any bounce is received by the Incoming email servers, they are checked to see if the Bounce address has the proper tag (in the above case 'SBDGAUJ'). If not, the email is rejected.

    BATV ensures that your Email users do not become a victim of bounce floods.


    Is this easy to implement?
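    To show what the BATV description quoted above means in practice, here is an added Python example (not code from the thread, from ISPConfig or from the checker tool quoted above) that signs an envelope sender with a prvs tag and verifies the tag on a returning bounce. The tag layout follows the prvs scheme of the BATV Internet-Draft (key id, expiry day, six hex digits of an HMAC) rather than the seven-letter 'SBDGAUJ' illustration above; the secret, key id and seven-day validity window are assumptions.

```python
import hmac, hashlib
from datetime import date, timedelta

# Assumed per-server values: the secret must stay private; the key id lets you rotate it.
KEY_ID, SECRET, DAYS_VALID = "0", b"constructed-example-secret", 7

def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else (d or date.today())

def _sig(key_id, ddd, address, secret):
    # first 6 hex digits of HMAC-SHA1 over key id + expiry day + original address
    return hmac.new(secret, (key_id + ddd + address).encode(), hashlib.sha1).hexdigest()[:6].upper()

def batv_sign(address, today=None, secret=SECRET, key_id=KEY_ID, days_valid=DAYS_VALID):
    """Rewrite the envelope sender as prvs=KDDDSSSSSS=address (K = key id,
    DDD = expiry day-of-year mod 1000, SSSSSS = signature)."""
    expiry = _as_date(today) + timedelta(days=days_valid)
    ddd = f"{expiry.timetuple().tm_yday % 1000:03d}"
    return f"prvs={key_id}{ddd}{_sig(key_id, ddd, address, secret)}={address}"

def batv_verify(tagged, today=None, secret=SECRET, key_id=KEY_ID, days_valid=DAYS_VALID):
    """Check the recipient address of an incoming bounce. Returns (original_address, reason);
    reason is None when the tag is genuine and unexpired, so the bounce may be accepted."""
    if not tagged.startswith("prvs="):
        return None, "no prvs tag"
    tag, _, address = tagged[5:].partition("=")
    if len(tag) != 10 or not address or tag[0] != key_id or not tag[1:4].isdigit():
        return None, "malformed tag or unknown key id"
    ddd, sig = tag[1:4], tag[4:]
    if not hmac.compare_digest(sig, _sig(key_id, ddd, address, secret)):
        return address, "signature mismatch"   # forged, or replayed with a changed address
    days_left = (int(ddd) - _as_date(today).timetuple().tm_yday) % 1000  # wraps at year end
    if days_left > days_valid:
        return address, "tag expired"
    return address, None
```

A bounce to an untagged or badly tagged address is backscatter from a forged sender and can be rejected before it reaches the user's mailbox.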
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

  12. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Besides what till said, you should ensure you are really not sending out spam. If for any reason (e.g. hacked websites or SMTP accounts) the server is sending spam, neither DKIM nor a new IP address will help.
     
  13. Dextros

    Dextros Member

    Thanks for the link Till, I will check them out.

    Croydon, I am definitely not sending out spam. I only host a few domains and they are friends and family etc.

    Our reputation has gone from poor to good over the last few days.
     
  14. Dextros

    Dextros Member

    Right, I'm mostly set.

    relay=none, delay=0.19, delays=0.16/0/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)

    How can I get it to accept locally on 10026? See below what I inserted from the script, which I had to do manually, as it was upset that I was on ISP P6.

    $inet_socket_port = [10024,10026];
    $forward_method = 'smtp:[127.0.0.1]:10025';
    $notify_method = 'smtp:[127.0.0.1]:10027';
    $interface_policy{'10026'} = 'ORIGINATING';
    $policy_bank{'ORIGINATING'} = {originating => 1,smtpd_discard_ehlo_keywords => ['8BITMIME'],forward_method => 'smtp:[127.0.0.1]:10027',};
    @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16);
    $signed_header_fields{'received'} = 0;
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1;
    @dkim_signature_options_bysender_maps = ({ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you restart amavis after adding the lines above?
     
  16. Dextros

    Dextros Member

    Hi Till

    It was my bad: I added the lines to the file, but in the wrong location, so I copied them over to /etc/amavis/cond.d/ and restarted, and it worked!

    I am happy to announce that, so far, so good, and emails are getting through, even to Gmail (normally they go in spam).

    Is there a limit I can put in place so that if an authenticated user ever became compromised again, it would act something like fail2ban, in that if you send more than 20 emails per 10 seconds, you get shut down?

    Thank you once again; I hopefully have a smooth-sailing hosting box going forward. I have been using ISPConfig for a very long time (I think I started at V2) and this is the first time that I have really come up against something.

    I may as well ask: are there any other measures I should investigate going forward, to help secure/strengthen my installation?
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    You can do such limits with policyd. That's a policy daemon that implements email amount quotas for postfix.
     
  18. florian030

    florian030 Well-Known Member HowtoForge Supporter

    You can also use smtpd_client_message_rate_limit (the maximum number of message delivery requests that an SMTP client may make in the time interval specified with anvil_rate_time_unit (default: 60s)).
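    Policyd and the anvil rate limit that till and florian030 name enforce such quotas inside Postfix; as an added example (not code from the thread or from ISPConfig), this Python script does the same kind of check offline over smtpd log lines, covering both the "20 emails per 10 seconds" trigger asked about above and the repeated SASL LOGIN failures from changing IPs seen earlier in the thread. The log lines are constructed, the syslog year is assumed to be 2015, and the thresholds are parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Postfix smtpd log lines (not from the thread); the syslog year is assumed to be 2015.
LOG_YEAR = 2015
SAMPLE_LOG = (
    [f"May  8 22:49:{4 + 10 * i:02d} ns312472 postfix/smtpd[4538]: warning: unknown[31.31.107.247]: "
     "SASL LOGIN authentication failed: UGFzc3dvcmQ6" for i in range(6)]
    + ["May  8 22:49:30 ns312472 postfix/smtpd[4540]: warning: unknown[203.0.113.9]: "
       "SASL LOGIN authentication failed: UGFzc3dvcmQ6"]
    # 25 accepted messages from one authenticated account inside 10 seconds
    + [f"May  8 23:00:{i * 10 // 25:02d} ns312472 postfix/smtpd[4601]: {i:02X}4697060C41: "
       "client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bulk@allmaintenance.biz"
       for i in range(25)]
    + ["May  8 23:00:05 ns312472 postfix/smtpd[4602]: 95BA6706146B: client=example.net[192.0.2.4], "
       "sasl_method=PLAIN, sasl_username=alice@example.org"]
)
FAIL_RE = re.compile(r"warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")
MSG_RE = re.compile(r"client=\S+\[[\d.]+\],.*sasl_username=(\S+)")

def parse_events(lines, year=LOG_YEAR):
    """Return time-ordered (timestamp, kind, key) tuples: 'auth_fail' keyed by the
    client IP, or 'msg' keyed by the authenticated sender (sasl_username)."""
    events = []
    for line in lines:
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
        if m := FAIL_RE.search(line):
            events.append((ts, "auth_fail", m.group(1)))
        elif m := MSG_RE.search(line):
            events.append((ts, "msg", m.group(1).lower()))
    return sorted(events)

def over_threshold(events, kind, limit, window_seconds):
    """Return {key: time at which more than `limit` events of `kind` fell inside
    a sliding window of `window_seconds`}, i.e. the fail2ban-style trigger point."""
    recent, hits = defaultdict(deque), {}
    for ts, k, key in events:
        if k != kind or key in hits:
            continue
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop events outside the window
            q.popleft()
        if len(q) > limit:
            hits[key] = ts
    return hits
```

Run against the real mail log, the `msg` hits are the accounts whose password to change and whose queue to inspect; the `auth_fail` hits are the addresses a fail2ban jail on the SASL failure line would block.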
     