Too many spam mails

Discussion in 'ISPConfig 3 Priority Support' started by pawan, May 5, 2017.

  1. pawan

    pawan Member HowtoForge Supporter

    My mail Log reads like this -

    Code:
    <[email protected]> from p57bfa587.dip0.t-
    ipconnect.de[87.191.165.135]; from=<[email protected]
    o.in> to=<[email protected]> proto=ESMTP helo=<p57bfa587.dip0.t-
    ipconnect.de>
    Now mywebsolutions.co.in is my domain.
    but others are not.
    is there a way I can prevent this senders.
    I have added in postfix:
    smtpd_reject_unlisted_sender = Yes

    Also smtpd_sender_restrictions = reject_unlisted_sender

    The total block reads like this:

    smtpd_sender_restrictions = reject_unlisted_sender, check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf

    Thanks.
     
  2. sjau

    sjau Local Meanie Moderator

    you could add some RBLs as well....

    I currently use those options:

    Code:
    smtpd_relay_restrictions =
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org
    
     
  3. concept21

    concept21 Member

    Most spams can be blocked. Just install more RAM and load more black lists. There are many long lists recommended by CSF. Load them all. :D

    Also learn the technique to use mail headers for blocking.
     
  4. sjau

    sjau Local Meanie Moderator

    Using RBLs won't have a big effect on ram.
     
  5. pawan

    pawan Member HowtoForge Supporter

    Hi Sjau -
    I have added all the rules in posfix smtpd relay restrictions as suggested by yet, I am getting this in the logs:

    May 7 18:53:33 server1 postfix/smtpd[22820]: 7C78060493D: client=23-24-170-5-static.hfc.comcastbusiness.net[23.24.170.5], sasl_method=LOGIN, sasl_username=[email protected]
    May 7 18:53:34 server1 postfix/cleanup[22824]: 7C78060493D: message-id=<[email protected]>
    May 7 18:53:34 server1 postfix/cleanup[22824]: 7C78060493D: warning: header From: <[email protected]> from 23-24-170-5-static.hfc.comcastbusiness.net[23.24.170.5]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost>
    May 7 18:53:34 server1 postfix/cleanup[22824]: 7C78060493D: warning: header To: <[email protected]> from 23-24-170-5-static.hfc.comcastbusiness.net[23.24.170.5]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost>
    May 7 18:53:34 server1 postfix/cleanup[22824]: 7C78060493D: warning: header Subject: 117.247.67.136;[email protected];postmaster123 from 23-24-170-5-static.hfc.comcastbusiness.net[23.24.170.5]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost>
    May 7 18:53:34 server1 postfix/qmgr[22293]: 7C78060493D: from=<[email protected]>, size=768, nrcpt=1 (queue active)
    May 7 18:53:34 server1 postfix/smtpd[22820]: disconnect from 23-24-170-5-static.hfc.comcastbusiness.net[23.24.170.5]
    May 7 18:53:35 server1 postfix/smtpd[22830]: connect from localhost.localdomain[127.0.0.1]
    May 7 18:53:35 server1 postfix/smtpd[22830]: CB333604E30: client=localhost.localdomain[127.0.0.1]
    May 7 18:53:35 server1 postfix/cleanup[22824]: CB333604E30: message-id=<[email protected]>
    May 7 18:53:35 server1 postfix/qmgr[22293]: CB333604E30: from=<[email protected]>, size=1279, nrcpt=1 (queue active)
    May 7 18:53:35 server1 postfix/smtpd[22830]: disconnect from localhost.localdomain[127.0.0.1]
    May 7 18:53:35 server1 amavis[17817]: (17817-16) Passed CLEAN, ORIGINATING LOCAL [23.24.170.5] [23.24.170.5] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: Co9Y4KdWh0v3, Hits: 6.652, size: 768, queued_as: CB333604E30, 1237 ms
    May 7 18:53:35 server1 postfix/smtp[22825]: 7C78060493D: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.7, delays=1.5/0.01/0/1.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10027): 250 2.0.0 Ok: queued as CB333604E30)
    May 7 18:53:35 server1 postfix/qmgr[22293]: 7C78060493D: removed
    May 7 18:53:36 server1 postfix/smtpd[22254]: warning: unknown[218.189.140.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    May 7 18:53:42 server1 postfix/smtp[22831]: CB333604E30: to=<[email protected]>, relay=smtp-ovhfr7.mailjet.com[178.32.115.14]:25, delay=6.2, delays=0.05/0.03/5.5/0.58, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F01620E00D1)
    May 7 18:53:42 server1 postfix/qmgr[22293]: CB333604E30: removed

    Any idea How can plug that hole.
     
  6. OpenSources

    OpenSources Member

    There doesn't always seem to be a one script fix all solution. In my case I had to start with checking headers and seeing what Spammassassin was grading them and set the sensitivity accordingly. After that I had to go into main.cf and edit some configurations. I'm also training bayes to be my automated solution.

    With just those setups I completely got rid of spam in 1 week. I would also check to see what tlds are sending spam. For my server .us was a big culprit. I just started spending more time on the filtering process.
     
  7. pawan

    pawan Member HowtoForge Supporter

    I think you have got my question wrong.
    I am more concerned about the spam mails being sent from my server(originating from my server), which I want to restrict.
    The logs I have put up in previous post is related to spam being sent through my server, who i not authorized to do so.
     
  8. OpenSources

    OpenSources Member

    Sorry about that. I'm still learning myself. I was trying to find the link to the solution I read about this before.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    The log you posted above is an email that is received by your server and not a mail sent by your server. RBL's like the ones posted above can help in that case, especially when the sender seems to be a dial-in account (
    p57bfa587.dip0.t-
    ipconnect.de[87.191.165.135]).

    And you should consider to setup SPF records and dkim for that domain to make it easier for the spam filter to catch emails that are send by non authorized servers.
     
  10. pawan

    pawan Member HowtoForge Supporter

    Hi Till,
    I am using Mailjet as relay server for sending mails. I received a notification from them that unless you authorize this mail id (sender mail-id) mail will not be sent.
    The email id mentioned in that email is "[email protected]"
    The relay mail server for mailjet is - "relay=smtp-ovhfr7.mailjet.com[178.32.115.14]"

    Therefore as per the notification from mailjet "[email protected]" is the sender and mail being sent from my server.
    I may be reading the log wrong. but I have posted the log around same time when I received the notification form Mailjet.

    Now what I want is - I want to restrict any sender domain/alias - which is not on my domain list. what directive I need to add in Postfix to achieve that.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    My post was about the log excerpt in post #1. The log excerpt in post #5 is about sending an email trough your server, and the person that sent the mail seems to have a valid password:

    May 7 18:53:33 server1 postfix/smtpd[22820]: 7C78060493D: client=23-24-170-5-static.hfc.comcastbusiness.net[23.24.170.5], sasl_method=LOGIN, sasl_username=[email protected]

    Do you have a mailbox for [email protected] ? If yes, then set a new password for that mailbox.
     
    pawan likes this.
  12. pawan

    pawan Member HowtoForge Supporter

    Thanks Till,
    That seems to have resolved the issue.
     

Share This Page