  #1  
Old 19th February 2007, 17:48
vbrookie vbrookie is offline
Junior Member
 
Join Date: May 2006
Posts: 16
Thanks: 2
Thanked 2 Times in 2 Posts
Tests before the major spam attack?

Hey guys.
I've just switched my old mail server to Opensuse 10.1 with ISPConfig about a week ago. It is running great and I am very satisfied with the results, but today I am getting some strange emails. I don't know if I should be concerned or not, but someone out there is constantly sending the same email to my mail server. So far, I got around 10-20 mails and they originated from various servers. It feels like the guy is giving me a little warning and is going to heavily spam my servers soon. Just for preventive measures, I think I am going to notify my ISP before I get heavily attacked by this person or group. Has anybody gotten emails similar to this? Should I be concerned? What other things should I be doing besides checking my system logs and mail logs right now?

Code:
Return-Path: <wonforesters@edulink.pl>
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on ns1.mymailsver.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.4 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET,
	RCVD_IN_XBL autolearn=no version=3.1.7
X-Original-To: catchthismail@my-web2-domain.com
Delivered-To: web1_admin@ns1.mymailsver.com
Received: by ns1.mymailsver.com (Postfix)
	id A18093FE0FE; Mon, 19 Feb 2007 10:33:53 -0500 (EST)
Delivered-To: web2_admin@ns1.mymailsver.com
Received: from kameleon.edubrovnik.org (unknown [71.30.108.74])
	by ns1.mymailsver.com (Postfix) with ESMTP id 6D1CC3FE0FA
	for <catchthismail@my-web2-domain.com>; Mon, 19 Feb 2007 10:33:53 -0500 (EST)
Received: from edulink.pl (HELO edulink.pl) ([83.238.130.114])
  by t296.edulink.pl with ESMTP id ; Mon, 19 Feb 2007 15:33:52 +0300
Received: from 0833.xavient.com ([34.85.160.196])
 by xt.filosofia.uniba.it (Sun Java System Messaging Server 6.1 HotFix 0.07 (built
 Oct 10 2005)) with ESMTP id <7fy0dazqt5yjtxd@12.115.177.38.filosofia.uniba.it> for
 catchthismail@my-web2-domain.com; Mon, 19 Feb 2007 15:33:52 +0300 (IST)
Date: Mon, 19 Feb 2007 15:33:52 +0300
From: "Trena Kim" <wonforesters@edulink.pl>
To: <catchthismail@my-web2-domain.com>
Subject: Trena
Message-ID: <KJ524JP6SLE_SPWTO_R33TOX@edulink.pl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.88.7/2603/Mon Feb 19 09:46:59 2007

Hi
How are you ? Call me.
one day a week. 
Poor you, i don't even think how much spam you are recive.
activities can be 
68796D6D78667179746B786E7368726668796E726E45777E666D743374
Code:
Return-Path: <refinedstillborns@hcctel.net>
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on ns1.mymailsver.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.7 required=5.0 tests=RCVD_IN_NJABL_DUL,
	RCVD_IN_SORBS_DUL autolearn=no version=3.1.7
X-Original-To: catchthismail@my-web2-domain.com
Delivered-To: web1_admin@ns1.mymailsver.com
Received: by ns1.mymailsver.com (Postfix)
	id 6D7E23FE100; Mon, 19 Feb 2007 09:49:08 -0500 (EST)
Delivered-To: web2_admin@ns1.mymailsver.com
Received: from wrzb-590cfe2c.pool.einsundeins.de (wrzb-590cfe2c.pool.einsundeins.de [89.12.254.44])
	by ns1.mymailsver.com (Postfix) with ESMTP id 923CC3FE0FA
	for <catchthismail@my-web2-domain.com>; Mon, 19 Feb 2007 09:49:05 -0500 (EST)
Received: from hcctel.net.commsysinc.mail7.psmtp.com (HELO hcctel.net) ([64.18.5.13])
  by i107.hcctel.net with ESMTP id ; Mon, 19 Feb 2007 14:51:55 -0060
Received: from nqf6.webm.ru ([90.147.90.101])
 by d9txy8.web-slingers.com (Sun Java System Messaging Server 6.1 HotFix 0.07 (built
 Sep 1 2002)) with ESMTP id <3w9i0mm0vom9n3k@201.66.57.219.web-slingers.com> for
 catchthismail@my-web2-domain.com; Mon, 19 Feb 2007 14:51:55 -0060 (IST)
Date: Mon, 19 Feb 2007 14:51:55 -0060
From: "Vanieca Knowlden" <refinedstillborns@hcctel.net>
To: <catchthismail@my-web2-domain.com>
Subject: Vanieca
Message-ID: <WJVVH8T09A6_MQU4J_NPS9AK@hcctel.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.88.7/2601/Mon Feb 19 06:45:48 2007

Hi
How are you ? Call me.
you almost 
Poor you, i don't even think how much spam you are recive.
resists 
68796D6D78667179746B786E7368726668796E726E45777E666D743374
Best Wishes!
Sonny...
  #2  
Old 19th February 2007, 18:04
edge edge is offline
Moderator
 
Join Date: Dec 2005
Location: The Netherlands
Posts: 2,034
Thanks: 265
Thanked 151 Times in 131 Posts

You are not the only one receiving this.

Google for: "Poor you, i don't even think how much spam you are recive"
__________________
Never execute code written on a Friday or a Monday.
  #3  
Old 19th February 2007, 18:19
martinfst martinfst is offline
Senior Member
 
Join Date: Dec 2006
Location: Hilversum, The Netherlands
Posts: 880
Thanks: 1
Thanked 18 Times in 17 Posts

I have added zen.spamhaus.org to my postfix at the MTA level. This junk is not even processed on my systems.
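The SpamAssassin headers in the first post already show that the connecting host was on SpamCop and the XBL (RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_XBL), but the message scored 4.4 against a threshold of 5.0, so the content filter let it through. Rejecting at the MTA, as martinfst describes, checks the same address before the body is ever accepted. The shell script below is an added example, not code from the thread: it extracts the client IP from the Received header that our own MTA wrote (the only Received line that cannot be forged by the sender) and builds the reversed-octet name that a DNSBL zone is queried with. The function names, the trimmed sample headers (copied from the first post) and the optional host(1) lookup are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: pull out the IP address the local
# MTA actually accepted the message from and build the reversed-octet name
# that a DNSBL zone such as zen.spamhaus.org is queried with. Only the
# "Received:" header written by our own MTA (ns1.mymailsver.com in the
# thread) is trustworthy; the ones below it came from the sender.

# Constructed sample: the top of the header block from the first post.
SAMPLE_HEADERS='Received: by ns1.mymailsver.com (Postfix)
    id A18093FE0FE; Mon, 19 Feb 2007 10:33:53 -0500 (EST)
Delivered-To: web2_admin@ns1.mymailsver.com
Received: from kameleon.edubrovnik.org (unknown [71.30.108.74])
    by ns1.mymailsver.com (Postfix) with ESMTP id 6D1CC3FE0FA
    for <catchthismail@my-web2-domain.com>; Mon, 19 Feb 2007 10:33:53 -0500 (EST)
Received: from edulink.pl (HELO edulink.pl) ([83.238.130.114])
  by t296.edulink.pl with ESMTP id ; Mon, 19 Feb 2007 15:33:52 +0300'

# unfold_headers: join continuation lines (leading blank) onto the header
# line they belong to, so every header is a single line for awk.
unfold_headers() {
    awk '
        /^[[:blank:]]/ { sub(/^[[:blank:]]+/, " "); line = line $0; next }
        { if (line != "") print line; line = $0 }
        END { if (line != "") print line }
    '
}

# client_ip HEADERS MYHOST: print the bracketed IP from the first
# "Received: from ... by MYHOST" header, i.e. the SMTP client our MTA saw.
# Prints nothing when no such header exists.
client_ip() {
    printf '%s\n' "$1" | unfold_headers | awk -v host="$2" '
        $1 == "Received:" && index($0, " by " host " ") {
            if (match($0, /[[][0-9.]+[]]/)) {
                print substr($0, RSTART + 1, RLENGTH - 2)
                exit
            }
        }'
}

# dnsbl_name IP ZONE: reverse the octets and append the zone; this is the
# name reject_rbl_client looks up (71.30.108.74 -> 74.108.30.71.zen.spamhaus.org).
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# check_dnsbl IP ZONE: live lookup with host(1); needs network access.
# By DNSBL convention an A record inside 127.0.0.0/8 means "listed".
check_dnsbl() {
    name=$(dnsbl_name "$1" "$2")
    if ! command -v host >/dev/null 2>&1; then
        echo "host(1) not installed; would query $name"
        return 2
    fi
    if host -t A "$name" 2>/dev/null | grep -q 'has address 127\.'; then
        echo "$1 is listed in $2"
    else
        echo "$1 is not listed in $2 (or the lookup failed)"
        return 1
    fi
}

ip=$(client_ip "$SAMPLE_HEADERS" ns1.mymailsver.com)
echo "connecting client: $ip -> DNSBL query name: $(dnsbl_name "$ip" zen.spamhaus.org)"
```

Running `check_dnsbl "$(client_ip "$SAMPLE_HEADERS" ns1.mymailsver.com)" zen.spamhaus.org` on a machine with DNS access performs the same lookup Postfix does for reject_rbl_client; a listing today says nothing about 2007, but the mechanism is what matters. The lower Received headers (edulink.pl, filosofia.uniba.it) are deliberately ignored: they were written by whoever sent the message.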
  #4  
Old 19th February 2007, 18:22
vbrookie vbrookie is offline
Junior Member
 
Join Date: May 2006
Posts: 16
Thanks: 2
Thanked 2 Times in 2 Posts

Thanks edge! I thought I was the only one getting this kind of mail.
I guess I was right about going to be heavily spammed; I just got another 10 mails containing exactly the same contents, passing SpamAssassin. I read there are going to be hundreds more of these.

Cheers!
Sonny...
  #5  
Old 19th February 2007, 18:29
vbrookie vbrookie is offline
Junior Member
 
Join Date: May 2006
Posts: 16
Thanks: 2
Thanked 2 Times in 2 Posts

Quote:
Originally Posted by martinfst
I have added zen.spamhaus.org to my postfix at the MTA level. This junk is not even processed on my systems.
Thanks martinfst!!!
I am going to look into doing the same thing. I guess there should be a howto around here somewhere? Anyway, thanks for the reply! I am just relieved that I am not the only one who's getting this.
  #6  
Old 19th February 2007, 18:40
martinfst martinfst is offline
Senior Member
 
Join Date: Dec 2006
Location: Hilversum, The Netherlands
Posts: 880
Thanks: 1
Thanked 18 Times in 17 Posts

There's probably no howto as it is very simple. First, use (as root)
Code:
postconf -n | grep smtpd_recipient_restrictions
Make a note of the string behind the equal sign. Then use
Code:
postconf -e "smtpd_recipient_restrictions = <the string after = sign>, reject_rbl_client zen.spamhaus.org"
My full reject list is
Code:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks, check_sender_access hash:/etc/postfix/whitelist, reject_unauth_destination, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_hostname, reject_rbl_client zen.spamhaus.org
but don't just copy/paste this. Try to understand the options and verify whether they apply to you. Only then add them and watch your log files for FP. I still don't have a perfect setup myself, as I (even with SpamAssassin active) still get around 10 spams per day in my inbox. I have some more ideas to add, but I'd like to make that a standard part of ISPConfig (RulesduJour, selectable FuzzyOCR, etc.), or at least a package add-on. But I don't have the time to do much on this on short notice.

Last edited by martinfst; 19th February 2007 at 20:04.
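Done by hand, the second step of the procedure above means pasting a long restriction list back into postconf -e, where a typo or a dropped reject_unauth_destination can leave smtpd refusing all mail or, worse, relaying for anyone. The script below is an added example, not martinfst's own commands: it reads the current value with postconf -h, appends reject_rbl_client zen.spamhaus.org only if it is not already present, refuses to write a list that lacks reject_unauth_destination, and then reloads Postfix. The function names are this example's own; only apply_rbl() touches the system, and it assumes a local Postfix install with postconf and postfix on the PATH.

```shell
#!/bin/sh
# Added example, not martinfst's own commands: append a reject_rbl_client
# entry to smtpd_recipient_restrictions without losing what is already there
# and without adding it twice. The string handling lives in plain functions
# so it can be exercised without Postfix; apply_rbl() is the only part that
# runs postconf and assumes Postfix is installed locally.

# has_rbl LIST ZONE: true if LIST already carries "reject_rbl_client ZONE".
# Postfix accepts both comma- and whitespace-separated lists, so normalise
# to whitespace and look at token pairs instead of doing a substring match.
has_rbl() {
    printf '%s\n' "$1" | tr ',' ' ' | awk -v zone="$2" '
        { for (i = 1; i < NF; i++)
              if ($i == "reject_rbl_client" && $(i + 1) == zone) found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_relay_guard LIST: true if LIST still contains the restriction that
# keeps the server from being an open relay. Postfix of the thread's era
# (before smtpd_relay_restrictions existed) logs a fatal error and refuses
# mail when smtpd_recipient_restrictions has neither
# reject_unauth_destination nor defer_unauth_destination, so never drop it.
has_relay_guard() {
    printf '%s\n' "$1" | tr ',' ' ' \
        | grep -Eqw 'reject_unauth_destination|defer_unauth_destination'
}

# add_rbl LIST ZONE: print LIST with "reject_rbl_client ZONE" appended at
# the end (after the permit_* and reject_unauth_destination entries, as in
# the post), or LIST unchanged when the entry is already present.
add_rbl() {
    if has_rbl "$1" "$2"; then
        printf '%s\n' "$1"
    elif [ -z "$1" ]; then
        printf 'reject_rbl_client %s\n' "$2"
    else
        printf '%s, reject_rbl_client %s\n' "$1" "$2"
    fi
}

# apply_rbl ZONE: the two postconf steps from the post, done in one go.
# postconf -h prints just the value, so nothing has to be copied by hand.
apply_rbl() {
    current=$(postconf -h smtpd_recipient_restrictions) || return 1
    new=$(add_rbl "$current" "$1")
    if ! has_relay_guard "$new"; then
        echo "refusing: no reject_unauth_destination in: $new" >&2
        return 1
    fi
    if [ "$new" = "$current" ]; then
        echo "reject_rbl_client $1 already configured"
        return 0
    fi
    postconf -e "smtpd_recipient_restrictions = $new" && postfix reload
}

# Dry run on a constructed list resembling the one in the post.
SAMPLE_LIST='permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
add_rbl "$SAMPLE_LIST" zen.spamhaus.org
```

Run `apply_rbl zen.spamhaus.org` as root to apply it. Afterwards, watch the mail log for lines containing "blocked using zen.spamhaus.org": each one is a connection Postfix turned away before accepting the body, and any legitimate sender showing up there is the false positive martinfst tells you to look for, to be handled with the check_sender_access whitelist he keeps ahead of the reject entries.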
  #7  
Old 19th February 2007, 19:45
vbrookie vbrookie is offline
Junior Member
 
Join Date: May 2006
Posts: 16
Thanks: 2
Thanked 2 Times in 2 Posts
 

Quote:
Originally Posted by martinfst
There's probably no howto as it is very simple. First, use (as root)
Code:
postconf -n | grep smtpd_recipient_restrictions
Make a note of the string behind the equal sign. Then use
Code:
postconf -e "smtpd_recipient_restrictions = <the string after = sign>, reject_rbl_client zen.spamhaus.org"
My full reject list is
Code:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks, check_sender_access hash:/etc/postfix/whitelist, reject_unauth_destination, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_hostname, reject_rbl_client zen.spamhaus.org
but don't just copy/paste this. Try to understand the options and verify whether they apply to you. Only then add them and watch your log files for FP. I still don't have a perfect setup myself, as I (even with SpamAssassin active) still get around 10 spams per day in my inbox. I have some more ideas to add, but I'd like to make that a standard part of ISPConfig (RulesduJour, selectable FuzzyOCR, etc.), or at least a package add-on. But I don't have the time to do much on this on short notice.
You are my hero for today!
I've just added reject_rbl_client zen.spamhaus.org for now, I'll look into other options later!
All times are GMT +2.