ISPconfig SPAM problem

Discussion in 'ISPConfig 3 Priority Support' started by inside83, Apr 30, 2016.

  1. inside83

    inside83 Member HowtoForge Supporter

    Hello!

    Lately I have problems with SPAM on my ISPconfig servers.
    More specifically, my clients are getting mail from themselves or some other mail address in their domain.
    E.g. [email protected] is getting mail from [email protected] (from himself) or from [email protected] (and the 'epson' user does not exist).
    How to prevent that?
    Is there a way to 'forbid' spoofed email addresses?

    Note that there is a SPF record on the DNS server for that domain and mail-tester.com gives 9/10 score on that domain.
     
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    This type of spam is quite hard to stop, imho. First step is to include RBL like spamhaus.org into the postfix server.
     
  3. inside83

    inside83 Member HowtoForge Supporter

    @Croydon
    Thank you for your reply.
    Could you, please, tell me how to do that?
     
  4. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Have a look at "System" --> "Server config" --> "yourservername" --> Tab "Mail" --> "Real-time Blackhole List"
    Enter names (comma-separated) of rbl providers there, e. g. "zen.spamhaus.org".
     
  5. inside83

    inside83 Member HowtoForge Supporter

    Thank you again.
    Is that enough or should I do something else?
     
  6. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

  7. mccharlet

    mccharlet Member HowtoForge Supporter

  8. craig baker

    craig baker Member HowtoForge Supporter

    I've been seeing spam like this too recently - it gets by everything even after you put in postgrey etc., and I do have zen.spamhaus.org in the RBL list (should I add some more?).
    on a spammed email headers:
    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from localhost (unknown [127.0.0.1])
    by ns9.cdbsystems.com (Postfix) with ESMTP id 8DF301A584F
    for <[email protected]>; Mon, 9 May 2016 10:23:16 +0000 (UTC)
    X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com
    X-Spam-Flag: YES
    X-Spam-Score: 4.992
    X-Spam-Level: ****
    X-Spam-Status: Yes, score=4.992 tagged_above=-999 required=3
    tests=[BAYES_50=1.5, DCC_CHECK=1.1, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    FSL_BULK_SIG=0.001, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
    MIME_HTML_ONLY=0.723, MISSING_MID=0.497, RDNS_NONE=0.793] autolearn=no
    Received: from ns9.cdbsystems.com ([127.0.0.1])
    by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 7rLYCdzoRvKG for <[email protected]>;
    Mon, 9 May 2016 06:23:15 -0400 (EDT)
    Received: from ns79.yourdomainname.com (unknown [103.208.153.31])
    by ns9.cdbsystems.com (Postfix) with ESMTP id 420461A583C
    for <[email protected]>; Mon, 9 May 2016 06:23:11 -0400 (EDT)
    X-Sender: "Rita"
    <[email protected]>

    but a message clearly spam has as headers:

    Return-Path: <[email protected]>
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from localhost (unknown [127.0.0.1])
    by ns9.cdbsystems.com (Postfix) with ESMTP id DFE631A5848
    for <[email protected]>; Mon, 9 May 2016 11:25:21 +0000 (UTC)
    X-Virus-Scanned: amavisd-new at ns9.cdbsystems.com
    Received: from ns9.cdbsystems.com ([127.0.0.1])
    by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id Tv9Ieaz1SUcR for <[email protected]>;
    Mon, 9 May 2016 07:25:20 -0400 (EDT)
    Received: from 41.72.221.228.liquidtelecom.com (unknown [41.72.221.228])
    by ns9.cdbsystems.com (Postfix) with ESMTP id 78E711A5819
    for <[email protected]>; Mon, 9 May 2016 07:25:17 -0400 (EDT)
    Message-ID: <[email protected]>
    From: <[email protected]>
    To: <[email protected]>
    Subject: Hello!
    Date: 9 May 2016 16:03:54 +0200
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0023_01D1A9FE.02EA077A"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.4929
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.4929

    the email goes on to suggest some rather inappropriate behaviour! LOL

    But note there are NO X-Spam headers in the second email. I have tagged_above set to -999, so surely the headers should be in ALL emails???
    How does this second one get through? Note it appears to be from one of my domains, but I don't think I have any blocking on those....

    any ideas?
    cdb.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Seems as if there is no spam policy set for the email address or domain that you can see in the "to" header of the second email. Check the settings in ISPConfig and enable the same spamfilter policy that you have set for the domain and / or address of the first email.
     
  10. craig baker

    craig baker Member HowtoForge Supporter

    Alas, not as easy as that: the "to" field of the second email is actually a forwarded address to the final delivered box, not a mailbox itself.
    The domains all have a normal spamfilter, but it seems like if the "to" field is a forwarded address rather than a destination box, the spamfilter never gets applied,
    and I can't have it be a mailbox because then the forward is invalid.
     
  11. Nilpo

    Nilpo Member HowtoForge Supporter

    Man, I've been doing that the hard way. I've been manually adding them to the config.
     
  12. sjau

    sjau Local Meanie Moderator

    Still doing it manually... I should change it ;)
     
  13. inside83

    inside83 Member HowtoForge Supporter

    lol
    see how seemingly stupid question leads to all kinds of helpful information :)
     
  14. Anandakrishnan

    Anandakrishnan New Member HowtoForge Supporter

    I was also having the same issue for one of my clients. As Mr. Croydon said, it's kind of hard to stop spam... but it can be stopped. I have succeeded partially. In our case we can stop receiving SPAM from our own domain if the user doesn't exist in the database... Ex:- [[email protected] (and the 'epson' user does not exist)] or any randomly generated user ids like [email protected], [email protected].

    You can also prevent receiving SPAM messages from invalid domain names, if you like..

    All you have to do is find and modify the line that starts with 'smtpd_sender_restrictions =' in '/etc/postfix/main.cf' to reflect 'smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unlisted_sender, check_sender_access regexp:/etc/postfix/tag_as_origina[....]'

    It worked fine for me. I'm still working on solutions to stop receiving spoofed mails from my own domain's other existing user ids. I'll let you know if I ever succeed ;)
     
    Last edited: Aug 31, 2016
  15. Anandakrishnan

    Anandakrishnan New Member HowtoForge Supporter

    I found something close to what I am looking for...
    If you add one more parameter - 'reject_sender_login_mismatch' - to the same line (the edited line should look like this; note that 'check_sender_access' keeps its 'regexp:' table as the following word, with no comma in between, otherwise Postfix has no lookup table for that restriction ...

    'smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unlisted_sender, reject_sender_login_mismatch, check_sender_access regexp:/etc/postfix/tag_as_origina[....]'
    ),
    that will block spoofed mail from existing user ids of our domains and prevent domain users from sending spoofed mails to external/internal e-mail addresses. Ex:- [email protected] won't be able to send a mail from [email protected]. It's really helpful when a hacker gets the login details of a user and tries to send spoofed mails. It happened to me a year ago. The hacker was using user credentials to send tons of mails that pretended to be from a bank.

    There is a drawback with this method. The real user who is in the 'from' field will receive bounce messages whenever the spammer sends a mail that has his id in the from field. For instance, we have two users in our domain, [email protected] and [email protected]. The spammer sends a mail to [email protected] pretending it is from [email protected]. Tom will receive a bounce message like below, unless there is a configuration to stop this.

    <[email protected]>: host my.host.com[IP] said:
    553 5.7.1 <[email protected]>: Sender address rejected: not logged in
    (in reply to RCPT TO command)

    I hope it helps.
     
    Last edited: Aug 31, 2016
  16. chico11mbit

    chico11mbit Member HowtoForge Supporter

    Be careful if your system uses alternative login names.
    I think reject_sender_login_mismatch does not work with an alternative login name.
    Am I wrong?
     
  17. Anandakrishnan

    Anandakrishnan New Member HowtoForge Supporter

    Yes Chico... you are absolutely right, I just noticed that feature, thank you for pointing it out. For those who use alternative login names, it won't work. If one wants to tighten the security, reject_sender_login_mismatch is a must-have (in my opinion). In my case, I'm tired of spoofed mails. It's hard to convince a customer if he thinks his/his colleague's account is hacked, just because they receive some strange message from their own domain and no one takes responsibility for it. Personally I would do anything to prevent them. Frankly, I haven't applied it on the production environment, but I'll test it on low-priority customers who won't care if things are getting a little problematic for a while :D
     
    Last edited: Sep 1, 2016
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Sender restrictions are implemented in ISPConfig 3.1.
     
  19. Anandakrishnan

    Anandakrishnan New Member HowtoForge Supporter

    Is it? Where can the option be found? It will be much easier and the right way to do it.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    System > Server config > mail "Reject sender and login mismatch"
     
