  #11  
Old 19th January 2008, 15:41
falko
Super Moderator

I'd change web2_bob's password and see if that changes anything.
  #12  
Old 19th January 2008, 19:27
zetnsh
Senior Member

Just my brief thoughts on this:

Firstly, you can find older log files in the same directory as the maillog, but with different suffixes - on my system the relevant files are in /var/log:

Code:
[root@mail ~]# ls -al /var/log/mail*
-rw------- 1 root root 835677 Jan 19 17:18 /var/log/maillog
-rw------- 1 root root 182263 Jan 13 04:06 /var/log/maillog.1
-rw------- 1 root root 184045 Jan  6 04:06 /var/log/maillog.2
-rw------- 1 root root 155908 Dec 30 04:06 /var/log/maillog.3
-rw------- 1 root root  98734 Dec 23 04:06 /var/log/maillog.4
You will see from the dates that the log rotates every few days when it gets beyond a certain size, and the old one gets archived (as /var/log/maillog.x); the bigger 'x' is, the older the file. On my system it only keeps 4 copies.

Also with reference to your worries about spam, I would say that you are very likely to see ISPConfig usernames in the log files, simply because the incoming e-mail addresses at some point get rewritten to that. Just because you're seeing those usernames doesn't necessarily mean anything's wrong - you would see those even if you received a normal mail.

What generally happens in these cases is that a third party sends out SPAM mail using an address on one of your domains as the sending address. This kind of sender forgery is unfortunately very common, and the mere fact that the domain is even registered is often enough for spammers to have a go. Of course the vast majority of this spam is sent to non-existent addresses, or gets bounced by a spam filter, so of course your mailserver, as the one genuinely responsible for handling mail for the domain, gets hit with the bounces. This is sometimes called "backscatter", and simply handling the volume can present problems for any system administrator.

I think the important things are to check that you really are not an open relay (i.e. anyone can send using your SMTP server) - Hans provided a good link to a site which tests that - and also make sure you haven't got any misbehaving CGI/PHP programs running on your server. Common examples of these would be feedback forms on websites - they usually provide a mechanism for sending e-mail to an address configured in the form's hidden fields, which can often be used maliciously for spamming. Older versions of formmail.pl had this problem, but it's been fixed in newer versions. Any custom-written scripts might have this problem of course! The golden rule really should be never send e-mail to an address given in a web form...

Hope all that is some sort of help!

Neil
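Neil's last point, as an added illustration that is not part of the thread: a feedback-form mailer in the formmail.pl style, which takes its recipient from a hidden form field, beside a version that only ever delivers to an address chosen server-side. send_mail stands in for a real sendmail/SMTP call, and every name, form id and address here is constructed.

```python
from email.message import EmailMessage

# Server-side table: the site picks a form id, and that id maps to the only
# address the form may ever deliver to (constructed sample values).
FORM_RECIPIENTS = {"contact": "webmaster@example.com", "sales": "sales@example.com"}
SITE_FROM = "forms@example.com"  # a sender address this host actually owns

def _build(sender, recipient, subject, body, reply_to=None):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    return msg

def vulnerable_handler(form, send_mail):
    # formmail.pl style: 'recipient' is a hidden field, so anyone who can POST to
    # the script can make this server deliver their mail to any address at all.
    msg = _build(form["email"], form["recipient"], form["subject"], form["message"])
    send_mail(msg)
    return msg

def hardened_handler(form, send_mail):
    # The recipient comes only from FORM_RECIPIENTS; the visitor's address is used
    # as Reply-To rather than From, and unknown form ids or malformed input are refused.
    recipient = FORM_RECIPIENTS.get(form.get("form_id", ""))
    if recipient is None:
        return None
    visitor, subject = form.get("email", ""), form.get("subject", "")
    if "\r" in visitor + subject or "\n" in visitor + subject:
        return None  # a line break here would turn visitor input into extra headers
    msg = _build(SITE_FROM, recipient, "[web form] " + subject,
                 form.get("message", ""), reply_to=visitor or None)
    send_mail(msg)
    return msg
```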
  #13  
Old 21st January 2008, 17:08
thctlo
Junior Member
Default Antispam solution /add in postfix main.cf stop 90% of all spam

Code:
myhostname = host.domain.com
# myorigin = host.domain.com
# (commented out: Postfix uses the LAST definition of a parameter, so the
#  /etc/mailname line below is the one that takes effect)
myorigin = /etc/mailname
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#mydestination = host.domain.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command =
mailbox_size_limit = 0
recipient_delimiter = +
#inet_interfaces = all
inet_interfaces = host.domain.com localhost
inet_protocols = ipv4

message_size_limit = 10485760

notify_classes =
    resource,
    software

bounce_size_limit = 1024
invalid_hostname_reject_code = 554
access_map_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
non_fqdn_reject_code = 554
unknown_sender_reject_code = 554
unverified_sender_reject_code = 554
unverified_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
multi_recipient_bounce_reject_code = 554
unknown_virtual_mailbox_reject_code = 554

disable_vrfy_command = yes

smtpd_restriction_classes = verify_sender
verify_sender = reject_unverified_sender, permit


## in order of processing. restrictions/anti-spam
## (continuation lines must be indented, and a comment line ends the list,
##  so disabled entries are kept as comments after each block)
smtpd_client_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client list.dsbl.org
# reject_unknown_client

smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    check_helo_access regexp:/etc/postfix/helo.regexp,
    permit

smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains,
    permit_tls_all_clientcerts,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    reject_unknown_sender_domain

smtpd_delay_reject = yes

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    check_sender_access hash:/etc/postfix/verify_sender.map,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client bogusmx.rfc-ignorant.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    reject_non_fqdn_recipient,
    reject_unauth_destination
# Disabled lists; the note at the end of the post explains why they stay commented out:
# reject_rbl_client cbl.anti-spam.org.cn,
# reject_rbl_client blackholes.five-ten-sg.com,
# reject_rbl_client dnsbl.ahbl.org,
# reject_rbl_client dnsbl.njabl.org,
# reject_rbl_client multi.surbl.org,
# reject_rbl_client bl.spamcop.net,
# reject_rbl_client cbl.abuseat.org,
# reject_rbl_client ix.dnsbl.manitu.net,
# reject_rbl_client l1.apews.org,
# reject_rbl_client l2.apews.org,
# reject_rbl_client t1.dnsbl.net.au,
# reject_rbl_client combined.rbl.msrbl.net,
# reject_rbl_client rabl.nuclearelephant.com,
# reject_rbl_client dnsbl.sorbs.net,
# reject_rhsbl_sender rhsbl.sorbs.net,

smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit


# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# (commented out: a second definition would silently replace the anti-spam list above)
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/
### see also local.cf from spamassassin, add header if user auth over smtp
smtpd_sasl_authenticated_header = yes


virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names

Extra files:

/etc/postfix/helo.regexp
Code:
/^localhost$/ 550 Don't use my own hostname
/^host\.domain\.com$/ 550 Don't use my own hostname
/^127\.0\.0\.1$/ 550 Don't use my own IP address
/^\[180\.169\.9\.91]$/ 550 Don't use my own IP address
/^\[180\.169\.9\.92]$/ 550 Don't use my own IP address
#/^[0-9.]+$/ 550 Your software is not RFC 2821 compliant
#/^[0-9]+(\.[0-9]+){3}$/ 550 Your software is not RFC 2821 compliant

/etc/postfix/verify_sender.map
Code:
## reverse check the email addresses.
## Example: domain.extension verify_sender
earthlink.net verify_sender
hotmail.com verify_sender
lycos.com verify_sender
msn.com verify_sender
netscape.com verify_sender
netscape.net verify_sender
yahoo.com verify_sender
gmail.com verify_sender
gmail.nl verify_sender
live.com verify_sender
charter.net verify_sender

And don't forget to postmap verify_sender.map!!! and reload postfix ( /etc/init.d/postfix reload ).
I'm running this setup on my company's server; without zen.spamhaus I get about 1600 spam mails a day,
with it about 160. Adding URIBL + verify sender + rfc-ignorant saves again 5-8 % of spam,
so just 2 % comes into my network, and then it goes to the antispam server.
I get only 1 spam message a week for about 100 users.

Good luck.

The commented-out lines you had better leave commented out;
these can block webmail of roaming users.

Last edited by thctlo; 21st January 2008 at 17:14.
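As an added check that is not from the thread: a small script that reads a main.cf the way Postfix does (an indented line continues the previous value, '#' in column 0 is a comment) and reports the kinds of slip visible in the config above: a parameter set twice (Postfix keeps the last one, so a second smtpd_recipient_restrictions would replace the whole anti-spam list), a mistyped parameter name, and a recipient list without reject_unauth_destination, the open-relay guard Neil says to verify. The sample config is constructed.

```python
import difflib
# Restriction-list parameters that a mistyped key is compared against.
RESTRICTION_PARAMS = {
    "smtpd_client_restrictions", "smtpd_helo_restrictions", "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions", "smtpd_relay_restrictions", "smtpd_data_restrictions",
}

def parse_main_cf(text):
    # (key, value) pairs in file order: a line starting with whitespace continues the
    # previous value, '#' in column 0 is a comment, the first '=' splits key from value.
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace() and entries:
            key, val = entries[-1]
            entries[-1] = (key, (val + " " + line.strip()).strip())
        else:
            key, _, val = line.partition("=")
            entries.append((key.strip(), val.strip()))
    return entries

def check_main_cf(text):
    # Returns a list of problem strings; empty means none found.
    problems, seen = [], {}
    for key, val in parse_main_cf(text):
        if key in seen:  # Postfix keeps the last definition it reads
            problems.append(f"{key} set twice; the last value wins")
        seen[key] = val
        if key not in RESTRICTION_PARAMS:
            near = difflib.get_close_matches(key, RESTRICTION_PARAMS, n=1, cutoff=0.9)
            if near:
                problems.append(f"unknown parameter {key} (did you mean {near[0]}?)")
    # Postfix splits restriction lists on commas and/or whitespace.
    rcpt = set(seen.get("smtpd_recipient_restrictions", "").replace(",", " ").split())
    if not rcpt & {"reject_unauth_destination", "defer_unauth_destination"}:
        problems.append("smtpd_recipient_restrictions lacks reject_unauth_destination (open-relay guard)")
    return problems

# Constructed sample reproducing the defects in the posted config.
SAMPLE = """\
myorigin = host.domain.com
myorigin = /etc/mailname
smtpd_sender_restricitons = permit_mynetworks, reject_unknown_sender_domain
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
# SASL block pasted further down the same file
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks
"""
```

Run it against a live file with `check_main_cf(open("/etc/postfix/main.cf").read())`; `postconf -n` afterwards shows which value Postfix actually settled on.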
  #14  
Old 27th January 2008, 20:41
greenhornet
Junior Member

I just got another round of bounces from spam that appears to be from my server. I'm assuming that by adding the above spam changes I'll need to change all of the 'host.domain.com' to match my domain(s), correct? Or are there no changes that need to be made?
  #15  
Old 27th January 2008, 21:37
greenhornet
Junior Member

Quote:
Originally Posted by falko
I'd change web2_bob's password and see if that changes anything.
Except that the reply-to in most of the spams is a bogus address@mydomain, i.e. lesizzxxy@mydomain.com.
  #16  
Old 28th January 2008, 18:02
falko
Super Moderator

Quote:
Originally Posted by greenhornet
I'm assuming that by adding the above spam changes I'll need to change all of the 'host.domain.com' to match my domain(s), correct?
That's right.