
19th February 2007, 17:48
Junior Member
Tests before the major spam attack?
Hey guys.
I've just switched my old mail server to openSUSE 10.1 with ISPConfig about a week ago. It is running great and I am very satisfied with the results, but today I am getting some strange emails. I don't know if I should be concerned or not, but someone out there is constantly sending the same email to my mail server. So far, I got around 10-20 mails and they originated from various servers. It feels like the guy is giving me a little warning, and is going to heavily spam my servers soon. Just as a preventive measure, I think I am going to notify my ISP before I get heavily attacked by this person or group. Has anybody gotten emails similar to this? Should I be concerned? What other things should I be doing besides checking my system logs and mail logs right now?
Code:
Return-Path: <wonforesters@edulink.pl>
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on ns1.mymailsver.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.4 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET,
RCVD_IN_XBL autolearn=no version=3.1.7
X-Original-To: catchthismail@my-web2-domain.com
Delivered-To: web1_admin@ns1.mymailsver.com
Received: by ns1.mymailsver.com (Postfix)
id A18093FE0FE; Mon, 19 Feb 2007 10:33:53 -0500 (EST)
Delivered-To: web2_admin@ns1.mymailsver.com
Received: from kameleon.edubrovnik.org (unknown [71.30.108.74])
by ns1.mymailsver.com (Postfix) with ESMTP id 6D1CC3FE0FA
for <catchthismail@my-web2-domain.com>; Mon, 19 Feb 2007 10:33:53 -0500 (EST)
Received: from edulink.pl (HELO edulink.pl) ([83.238.130.114])
by t296.edulink.pl with ESMTP id ; Mon, 19 Feb 2007 15:33:52 +0300
Received: from 0833.xavient.com ([34.85.160.196])
by xt.filosofia.uniba.it (Sun Java System Messaging Server 6.1 HotFix 0.07 (built
Oct 10 2005)) with ESMTP id <7fy0dazqt5yjtxd@12.115.177.38.filosofia.uniba.it> for
catchthismail@my-web2-domain.com; Mon, 19 Feb 2007 15:33:52 +0300 (IST)
Date: Mon, 19 Feb 2007 15:33:52 +0300
From: "Trena Kim" <wonforesters@edulink.pl>
To: <catchthismail@my-web2-domain.com>
Subject: Trena
Message-ID: <KJ524JP6SLE_SPWTO_R33TOX@edulink.pl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.88.7/2603/Mon Feb 19 09:46:59 2007
Hi
How are you ? Call me.
one day a week.
Poor you, i don't even think how much spam you are recive.
activities can be
68796D6D78667179746B786E7368726668796E726E45777E666D743374
Code:
Return-Path: <refinedstillborns@hcctel.net>
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on ns1.mymailsver.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.7 required=5.0 tests=RCVD_IN_NJABL_DUL,
RCVD_IN_SORBS_DUL autolearn=no version=3.1.7
X-Original-To: catchthismail@my-web2-domain.com
Delivered-To: web1_admin@ns1.mymailsver.com
Received: by ns1.mymailsver.com (Postfix)
id 6D7E23FE100; Mon, 19 Feb 2007 09:49:08 -0500 (EST)
Delivered-To: web2_admin@ns1.mymailsver.com
Received: from wrzb-590cfe2c.pool.einsundeins.de (wrzb-590cfe2c.pool.einsundeins.de [89.12.254.44])
by ns1.mymailsver.com (Postfix) with ESMTP id 923CC3FE0FA
for <catchthismail@my-web2-domain.com>; Mon, 19 Feb 2007 09:49:05 -0500 (EST)
Received: from hcctel.net.commsysinc.mail7.psmtp.com (HELO hcctel.net) ([64.18.5.13])
by i107.hcctel.net with ESMTP id ; Mon, 19 Feb 2007 14:51:55 -0060
Received: from nqf6.webm.ru ([90.147.90.101])
by d9txy8.web-slingers.com (Sun Java System Messaging Server 6.1 HotFix 0.07 (built
Sep 1 2002)) with ESMTP id <3w9i0mm0vom9n3k@201.66.57.219.web-slingers.com> for
catchthismail@my-web2-domain.com; Mon, 19 Feb 2007 14:51:55 -0060 (IST)
Date: Mon, 19 Feb 2007 14:51:55 -0060
From: "Vanieca Knowlden" <refinedstillborns@hcctel.net>
To: <catchthismail@my-web2-domain.com>
Subject: Vanieca
Message-ID: <WJVVH8T09A6_MQU4J_NPS9AK@hcctel.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.88.7/2601/Mon Feb 19 06:45:48 2007
Hi
How are you ? Call me.
you almost
Poor you, i don't even think how much spam you are recive.
resists
68796D6D78667179746B786E7368726668796E726E45777E666D743374
Best Wishes!
Sonny...

19th February 2007, 18:04
Moderator
You are not the only one receiving this.
Google for: "Poor you, i don't even think how much spam you are recive"
__________________
Never execute code written on a Friday or a Monday.

19th February 2007, 18:19
Senior Member
I have added zen.spamhaus.org to my postfix at the MTA level. This junk is not even processed on my systems.

19th February 2007, 18:22
Junior Member
Thanks edge! I thought I was the only one getting this kind of mail.
I guess I was right about going to be heavily spammed. Just got another 10 mails containing exactly the same contents passing SpamAssassin. I read there's going to be hundreds more of this.
Cheers!
Sonny...

19th February 2007, 18:29
Junior Member
Quote:
|
Originally Posted by martinfst
I have added zen.spamhaus.org to my postfix at the MTA level. This junk is not even processed on my systems
|
Thanks martinfst!!!
I am going to look into doing the same thing. I guess there should be a howto around here somewhere? Anyway, thanks for the reply! I am just relieved that I am not the only one who's getting this.

19th February 2007, 18:40
Senior Member
There's probably no howto as it is very simple. 1st use (as root)
Code:
postconf -n | grep smtpd_recipient_restrictions
Make a note of the string behind the equal sign. Then use
Code:
postconf -e "smtpd_recipient_restrictions = <the string after = sign>, reject_rbl_client zen.spamhaus.org"
My full reject list is
Code:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks, check_sender_access hash:/etc/postfix/whitelist, reject_unauth_destination, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_hostname, reject_rbl_client zen.spamhaus.org
but don't just copy / paste this. Try to understand the options and verify if they apply for you. Only then add them and watch your log files for FP. I'm still not having a perfect setup myself as I (including active SpamAssassin) still get around 10 spams per day in my inbox. I have some more ideas to add, but I'd like to make that a standard part of ISPConfig (RulesduJour, selectable FuzzyOCR, etc). Or at least a package add-on. But I don't have the time to do much on this on short notice.
Last edited by martinfst; 19th February 2007 at 20:04.
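The two steps from the post above as one script, added here as an example and not code from anyone in the thread. The function names, the APPLY_RBL switch and the backup file name are assumptions; the script reads the current list, appends the RBL check once, and refuses to write an otherwise empty list.

```shell
#!/bin/sh
# Added example, not from the thread: append an RBL check to the existing
# smtpd_recipient_restrictions without dropping or duplicating entries.

# has_rbl LIST ZONE: true if "reject_rbl_client ZONE" is already in LIST.
# Postfix separates restrictions with commas and/or whitespace.
has_rbl() {
    printf ' %s \n' "$1" | tr ',\t\n' '   ' | tr -s ' ' |
        grep -qF -- " reject_rbl_client $2 "
}

# add_rbl LIST ZONE: print LIST with the check appended as the last entry, so
# the permit_* and reject_unauth_destination rules are still evaluated first.
add_rbl() {
    list=$(printf '%s' "$1" | sed 's/^[[:space:],]*//; s/[[:space:],]*$//')
    if [ -z "$list" ]; then
        echo "refusing to write a list that holds only the RBL check" >&2
        return 1
    fi
    if has_rbl "$list" "$2"; then
        printf '%s\n' "$list"
    else
        printf '%s, reject_rbl_client %s\n' "$list" "$2"
    fi
}

# apply_rbl ZONE: "postconf -n" lists only non-default settings, so the grep
# can come back empty; "postconf -h" prints the effective value instead.
apply_rbl() {
    dir=$(postconf -h config_directory) || return 1
    current=$(postconf -h smtpd_recipient_restrictions) || return 1
    if has_rbl "$current" "$1"; then return 0; fi
    new=$(add_rbl "$current" "$1") || return 1
    cp -p "$dir/main.cf" "$dir/main.cf.before-rbl" || return 1
    postconf -e "smtpd_recipient_restrictions = $new" && postfix check &&
        postfix reload
}

# Touches the live configuration only when asked to (run as root).
if [ "${APPLY_RBL:-0}" = 1 ]; then
    apply_rbl zen.spamhaus.org
fi
```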

19th February 2007, 19:45
Junior Member
Quote:
|
Originally Posted by martinfst
There's probably no howto as it is very simple. 1st use (as root)
Code:
postconf -n | grep smtpd_recipient_restrictions
Make a note of the string behind the equal sign. Then use
Code:
postconf -e "smtpd_recipient_restrictions = <the string after = sign>, reject_rbl_client zen.spamhaus.org"
My full reject list is
Code:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks, check_sender_access hash:/etc/postfix/whitelist, reject_unauth_destination, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_hostname, reject_rbl_client zen.spamhaus.org
but don't just copy / paste this. Try to understand the options and verify if they apply for you. Only then add them and watch your log files for FP. I'm still not having a perfect setup myself as I (including active SpamAssassin) still get around 10 spams per day in my inbox. I have some more ideas to add, but I'd like to make that a standard part of ISPConfig (RulesduJour, selectable FuzzyOCR, etc). Or at least a package add-on. But I don't have the time to do much on this on short notice.
|
You are my hero for today!
I've just added reject_rbl_client zen.spamhaus.org for now, I'll look into other options later!
All times are GMT +2.