TPS FC4, mail server abused to send spam?

Discussion in 'HOWTO-Related Questions' started by Hagforce, Nov 11, 2006.

  1. Hagforce

    Hagforce New Member

    Hello.

    I used the exelent how to guide on your pages to setup a web/mail server.

    The server is setup with an official IP adress, so no NAT or firewall protects it.
    Just the firewall in ISPConfig (erverything is set up as in the tutorial).

    I`m worried that my server is used as a "spam server".
    I`ve been locking at the logs, but I`m not shore what to loock for etc.

    Is there any way to see what messages are beeing sent out from my server, from witch adress, subject, reciever, IP adr etc.

    I`would really like some help with this. :confused:
     
  2. falko

    falko Super Moderator

    It's all in your mail log. If you have lots of activity there that could be a sign of spam (unless your mail server is usually busy anyway). You can also check the mail queue:
    Code:
    postqueue -p
    If you see lots of mails there, this could also be a sign of spam abuse.
    Then you can check of your server is blacklisted:
    http://www.mxtoolbox.com/blacklists.aspx

    Also make sure that your mynetworks setting allows unauthenticated sending only from localhost. What's the output of
    Code:
    postconf -d | grep mynetworks
    and
    Code:
    postconf -n | grep mynetworks
    ?
     
  3. Hagforce

    Hagforce New Member

    Code:
    [root@www ~]# postconf -n | grep mynetworks
    mynetworks = 127.0.0.0/8
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    
    Code:
    [root@www ~]# postconf -d | grep mynetworks
    mynetworks = 127.0.0.0/8 85.118.78.0/24
    mynetworks_style = subnet
    parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    
    My mail log is very large, but I got over 400 mail users on my server....
    The postqueue -p also contains a lot of mails, and with adresses I do not use as vbhnuz@static47.bane-cust.com, static47.bane-cust.com is a dns for the IP on the server I think???

    Is all the mails in the log actualy sent?.

    I`m not blacklisted, but this does not lock good. :(
     
    Last edited: Nov 12, 2006
  4. falko

    falko Super Moderator

    This looks good. :)

    What's your server's IP address? What's the output of
    Code:
    dig -x [I]your_ip_address[/I]
    ?

    This is recorded also in the mail log.
     
  5. Hagforce

    Hagforce New Member

    output of "dig -x your_ip_address"

    Code:
    ;; ANSWER SECTION:
    47.78.118.85.in-addr.arpa. 86400 IN     PTR     static47.bane-cust.com.
     
  6. falko

    falko Super Moderator

    So static47.bane-cust.com is your server, and Postfix translates local domains to static47.bane-cust.com. that's why you see this domain in your mail log. That's the ususal behaviour, there's nothing wrong with it.
     
  7. Hagforce

    Hagforce New Member

    Ok, now I`m sure the server is used to send spam.
    Mail log is getting wery wery big.
    Also que.

    Guess it`s brute force password guessing....

    How can I see witch account the spam is beeing sent from (not e-mail account but autenticated smtp account).

    Is there any way to filter outgoing mail from postfix, to take care of the worst?

    I guess some users have changed to week passwords in mailuser setup, is there any way to set a strong password policy in ispconfig so they dont do this?

    I really need help now before I get blacklisted and things get out of hand :eek:
     
  8. falko

    falko Super Moderator

    I think all you can do is take a look at the mail log.

    You can set up amavisd-new with Postfix. amavisd-new scans incoming and outgoing emails.

    No.
     
  9. Hagforce

    Hagforce New Member

    Thank you again falco (as always :) )

    The mail log doesn`t tell me what IP the messages is being sent from, what user account etc... So with my limeted skills I can`t read mutch out of it.

    Is there any way to set that one account only can send 100 e-mails per houer or something like that, and if it sends more I get an alert so that I can change the password.....

    Maybe another solution you could reccomend?

    What does this config do: http://www.spamcop.net/fom-serve/cache/349.html
    This is for relaying right? And would not help in this case..?

    All the how to`s and guides I find consentrate on stopping incoming spam.
    On this front I got a nice solution with ISPConfig and spamassasin, clam etc.
    Any (noob) howtos you can reccomend on this?

    I hate the fackt that my server is used to send even more spam out in the world :(
     
    Last edited: Jan 18, 2007
  10. falko

    falko Super Moderator

    I'm sure there is, but I can't remember one right now... :eek:

    IT's for checking emails if they are on a blacklist. If they are they are rejected before they even enter the system, thus reducing the system load.

    I don't have a tutorial for this, but you could try amavisd-new.
     
  11. Hagforce

    Hagforce New Member

    Ok, I guess I have to try amavisd-new, ASSP or something....

    But I have to find out witch account or accounts have been broken.
    There has to be a way to see this.....
    I can`t change passwords on several hundred accounts....

    I have search high and low to find the log witch shows witch account is used to send, but I can`t find it.

    Can anybody please tell me how to find this information? :confused:
    Without it I can`t get out of this hell.

    If i know the accounts that is used, I can change them to strong passwords and problem is mostly solved.

    I also see servers say " .. Sender domain must exist (in reply to MAIL FROM command))"
    How do I make my FC4TPS do this?

    Edit: Just add
    smtpd_delay_reject = yes
    smtpd_sender_restrictions = reject_unknown_sender_domain
    to your main.cf seems to reduse spam sending greatly.

    Sorry about all the naging :eek:
     
    Last edited: Jan 21, 2007
  12. falko

    falko Super Moderator

Share This Page