HowtoForge Forums > ISPConfig 3 > Installation/Configuration
#21 compugraphix, 29th March 2013, 23:29

It only works if the spammer is not logged in and doesn't know your login password, so if he is still trying:

What do you see in the E-Mail mail log?
And in the Show fail2ban-log?
#22 compugraphix, 29th March 2013, 23:34

Quote:
Originally Posted by arraken
Another question: I have tried to ban a suspicious IP via route add -host 90.146.13.50 reject, but when I try iptables -L I don't see the IP listed anywhere. Is this normal?

/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP

1.2.3.4 = the IP you want to block
#23 arraken, 29th March 2013, 23:46

The mail.log is the same as in my second post when the attacks are running. At the moment, after banning the suspicious IP, the spam has stopped. But it may just be a break and then start again, I fear.

Also: the IP belongs to a company which we host on our server. The suspicious user that I banned earlier also works at this company.

So if banning this IP really stops the spam (I will monitor it in the next hour or so), I still have to find a way to stop the spamming, because I have to unblock their IP at some point.

Anyway, I'll see if the spamming goes on. If not, I'll go to sleep and start working at it again tomorrow.

For now: thanks a LOT for your quick and tireless help so far, compugraphix. I think I owe you some beers or something.
#24 compugraphix, 29th March 2013, 23:53

Then the guy has a virus or he is hacked by a trojan, so he must clean up his PC.
Oh, and change his email password.
#25 arraken, 30th March 2013, 08:13

OK, so I banned the "problematic" IP, and the spam attack has stopped until now (ca. 7 hours without spam).

I'm guessing if I unblock the IP, the spam attacks will begin again. The fact that the spam apparently only gets sent over this one IP (fingers crossed): does that mean there is no harmful script on the server, and the problem is for example a compromised PC from the company with said IP?

It would already help if I can assume that there is no harmful script on my server, as it makes finding the problem much easier...

Also, I tried to set up this: http://neunzehn83.de/blog/2012/01/29...-username.html

It should block emails where the sender isn't the same as the SASL login, so it should block most of the spam being sent. But as soon as I put this line "check_policy_service unix:private/policy," in my main.cf, I get an error from my mail client: "451 4.3.5 Server configuration problem".
#26 arraken, 30th March 2013, 09:05
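A minimal version of the "envelope sender must match the SASL login" check discussed in the post above, written here as an added example (not the linked blog's, the thread's or ISPConfig's own code) in the form of a Postfix spawn(8) policy service: Postfix sends name=value attributes ended by an empty line and expects an `action=` reply. It assumes the service is declared in master.cf under the name used after `unix:private/` in `check_policy_service` (here `policy`); when main.cf points at a policy socket that Postfix cannot reach, clients get the `451 4.3.5 Server configuration problem` reply, so that master.cf entry is the first thing to verify. The request below is constructed.

```python
import sys

# Constructed example of the attributes Postfix sends a policy service at RCPT time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=198.51.100.7\n"
    "sender=forged@other.example\n"
    "recipient=someone@example.net\n"
    "sasl_method=LOGIN\n"
    "sasl_username=bob@example.com\n"
    "\n"
)

def parse_policy_request(text):
    """Turn the name=value block Postfix sends (terminated by an empty line) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs):
    """Return the policy action: DUNNO (let other restrictions decide) or a REJECT."""
    sender = attrs.get("sender", "").lower()
    login = attrs.get("sasl_username", "").lower()
    if not login or not sender:
        # Unauthenticated session or empty (bounce) sender: nothing for this check to do.
        return "DUNNO"
    # ISPConfig logins are full addresses; a bare login name is compared to the local part.
    expected = sender if "@" in login else sender.split("@", 1)[0]
    if expected == login:
        return "DUNNO"
    return f"REJECT Sender {sender} does not match SASL login {login}"

def serve_stdin():
    """Run under Postfix spawn(8): read requests on stdin, write one reply per request."""
    buf = []
    for line in sys.stdin:
        if line == "\n":
            action = decide(parse_policy_request("".join(buf)))
            sys.stdout.write(f"action={action}\n\n")
            sys.stdout.flush()
            buf = []
        else:
            buf.append(line)

if __name__ == "__main__":
    serve_stdin()
```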

Just found this:
http://ezinearticles.com/?Easy-Steps...fix&id=5744562

It describes my problem pretty well. There is also a nice solution for how to find the compromised email account in the more detailed explanation:
http://www.1a-centosserver.com/cento...k-solution.php

Very useful. I found out that one user has over 30.000 SASL logins, and another over 1700. The problem is that I already changed the password of one user, and the spam continued. I'll try changing all mail passwords on said domain.
#27 Lionheart82, 30th March 2013, 09:52
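The log-digging approach the second link describes (counting sasl_username entries per account in mail.log), as an added Python example that is not from either linked article or from ISPConfig: it parses Postfix smtpd lines, counts logins per account and per client IP, and lists the accounts above a threshold together with their busiest source IP. The log lines are constructed; the field layout follows Postfix's `client=host[ip], sasl_method=..., sasl_username=...` format.

```python
import re
from collections import Counter, defaultdict

# Postfix smtpd logs one line like this per authenticated session.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\],"
    r" sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

def _line(ip, user, n):
    """Build one constructed mail.log line in Postfix format (timestamp derived from n)."""
    return (f"Mar 30 08:{n // 60:02d}:{n % 60:02d} mail postfix/smtpd[4321]: {n:05X}: "
            f"client=unknown[{ip}], sasl_method=LOGIN, sasl_username={user}")

# Constructed sample: one account hammered from a single IP, one normal user, one noise line.
SAMPLE_LOG = (
    [_line("198.51.100.7", "sales@example.com", i) for i in range(150)]
    + [_line("203.0.113.9", "alice@example.com", i) for i in range(3)]
    + ["Mar 30 08:02:31 mail postfix/qmgr[1234]: 00096: removed"]
)

def count_sasl_logins(lines):
    """Return (logins per account, {account: logins per client IP})."""
    per_user = Counter()
    per_user_ip = defaultdict(Counter)
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            per_user[m["user"]] += 1
            per_user_ip[m["user"]][m["ip"]] += 1
    return per_user, per_user_ip

def suspicious_accounts(lines, threshold=100):
    """Accounts with more than `threshold` logins, most active first, with their top source IP."""
    per_user, per_user_ip = count_sasl_logins(lines)
    return [(user, n, per_user_ip[user].most_common(1)[0][0])
            for user, n in per_user.most_common() if n > threshold]

if __name__ == "__main__":
    for user, n, ip in suspicious_accounts(SAMPLE_LOG):
        print(f"{user}: {n} SASL logins, mostly from {ip}")
```

On a live server, pass the open log file instead of the sample, e.g. `suspicious_accounts(open("/var/log/mail.log"))`; the threshold should be tuned to what a normal client on that domain does in a day.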

Quote:
Originally Posted by arraken
@Lionheart82: you talked about configuring monit to find out who sends the mails. Do you have any concrete tips for that? I never worked with monit before.

Monit has a Postfix graph where you can actually see the spikes and understand if something is wrong. I am afraid that you have to dig the log files to learn about the compromised account.

Edit: I saw both links, really nice guides I can say.

Last edited by Lionheart82; 30th March 2013 at 10:10.
#28 arraken, 30th March 2013, 09:57

Thanks for the explanation, Lionheart.

The second link in my previous post has a great way to dig the log files and find out the compromised accounts. I think I pinned the problem down to two accounts; let's see what happens when I change their passwords.
#29 compugraphix, 30th March 2013, 11:16

Nice to see you are locating the problem and getting a grip on the situation.
Your client has the problem with a virus/botnet/trojan, not you; you're just dealing with the problems he created.

Have you got any banned IPs in your fail2ban log already?
It looks something like:
fail2ban.actions: WARNING [ssh] Ban 113.107.101.234

For the munin/monit install, look here:

http://www.howtoforge.com/server-mon...debian-squeeze

Last edited by compugraphix; 30th March 2013 at 11:26.
#30 arraken, 4th April 2013, 14:08

OK, for anyone who is interested in how this story ended:

The problem apparently was a compromised Exchange server. All the spam sent through my server was originating from one IP, which was, as I found out, the IP of the compromised, or poorly configured, Exchange server. The accounts through which the spam mail was sent belonged to the same company as the Exchange server, and thus were managed on this server. After I talked to the admin of the Exchange server he found the problem (I don't know what it was exactly) and fixed it. I unbanned the IP afterwards, and the spam flood hasn't returned for some days now, so I guess the problem is solved.

@compugraphix: You were exactly right: the problem was created by the client. Fortunately he was able to remedy the situation.
I got some banned IPs from fail2ban. Gotta fine-tune it a bit, though, but it seems to be working fine.

I still get many deferred mails, though, but I think it's a different problem. I summed it up here: http://www.howtoforge.com/forums/sho...335#post295335

Last edited by arraken; 4th April 2013 at 14:47.