Flooded with Spam

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
netcomseth
Forum User
Posts: 10
Joined: Mon Feb 18, 2008 6:00 pm

Unread post by netcomseth »

Thanks for the reply,

I have checked and verified that my locals, rcpthosts are configured correctly. I have also cleared out my /tmp folder.

Problem remains.
netcomseth
Forum User
Posts: 10
Joined: Mon Feb 18, 2008 6:00 pm

Unread post by netcomseth »

Finally got this under control.

Here is what my issues were:

1. Hacked user account - Scott helped me identify and I changed the password.

2. Too much spam coming into the server. added 2 more black lists to the one I already had in PLESK, and the spam stopped.

3. We had a ton of failure notices filling the remote queue (around 1,000 per hour). Issue was that we had shut off mail for one domain. When mail was sent to a non-existent user at that domain, PLESK said "I don't have mail for that domain, so I don't need to reject it. I'll bounce it instead." Then it was bounced back to us as a failure notice and stuck in the remote queue. I turned on mail for the domain and just disabled the domain. Failure notices are at a minimum now (about 15 a day).

To fix those, I created a shell script and stuck it in cron.daily to stop qmail, and clear the failure notices, then start qmail.

Thank you again to everyone who helped on this thread, I really do appreciate it!

Seth
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Unread post by Highland »

I had something similar happen this morning. Seems to be a new spammer tactic to send a ton out from something@yourdomain.com and then the bounce backs flood your server and can corrupt your qmail queue. I've got a simpler way to get your server back on track if it's bogged down in this manner (I have two Plesk servers and both were hammered like this).

1. Log into Plesk and go to Server > Mail > Mail Queue (tab)
Look at the number of not preprocessed. If it's large (shouldn't be more than a few normally) then this is the problem I described. Your server will be under an abnormally high load as well.

2. Stop qmail through SSH or the Plesk panel
service qmail stop
3. Set all domains to reject email to non-existent recipients

4. Start scanning the queue to see what domain is affected. You should notice a glut going to one domain in particular. Note what domain that is as you'll need it later

5. Download and install qmail-remove

6. We'll use qmail-remove to move the spam messages out of the queue. This does NOT delete them so you can still deal with them later if you think that there's ham in all that spam.
mkdir /var/qmail/queue/yanked
qmail-remove -r -p your-spammed-domain.com
7. Restart qmail
service qmail start
That should do the trick. Your not preprocessed number should drop to 0.
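Highland's step 4 is the part that takes the time by hand: scanning the queue to see which domain the glut belongs to. The shell below is an added example, not code from this thread, from Plesk or from qmHandle/qmail-remove. It reads a `qmhandle.pl -l` listing (the same format coolemail pastes further down) from stdin, counts queued messages per Return-path domain, and counts the empty-sender bounces (the failure notices both posters describe). The sample listing it runs on is constructed; the message IDs and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a qmHandle "-l" listing by
# Return-path domain so the domain whose bounces are flooding the queue stands out.
# Real use:   qmhandle.pl -l | queue_by_domain
# The listing below is constructed in the shape of qmhandle.pl -l output;
# IDs and addresses are made up.

# Count queued messages per Return-path domain, most frequent first.
# Bounces / failure notices carry an empty Return-path and are skipped here.
queue_by_domain() {
    awk '
        /^Return-path:/ {
            addr = $2
            gsub(/[<>]/, "", addr)          # some qmHandle builds print <addr>
            if (addr == "") next            # empty sender = bounce, counted separately
            sub(/^.*@/, "", addr)           # keep only the domain part
            count[tolower(addr)]++
        }
        END { for (d in count) printf "%d %s\n", count[d], d }
    ' | sort -rn
}

# The single domain with the most queued messages (Highland's step 4).
queue_top_domain() {
    queue_by_domain | awk 'NR == 1 { print $2 }'
}

# Number of queued bounces (empty Return-path), the symptom described above.
queue_bounce_count() {
    awk '
        /^Return-path:/ { a = $2; gsub(/[<>]/, "", a); if (a == "") n++ }
        END { print n + 0 }
    '
}

# Constructed sample in qmhandle.pl -l layout (not real queue contents).
SAMPLE=$(cat <<'EOF'
10000001 (1, 1/10000001)
Return-path: sorteos@bbvanet.es
From: "BBVA.net"<sorteos@bbvanet.es>
Subject: promo
Size: 674 bytes

10000002 (2, 2/10000002)
Return-path: <>
From: MAILER-DAEMON@plesk2.example.com
Subject: failure notice
Size: 2104 bytes

10000003 (3, 3/10000003)
Return-path: sorteos@bbvanet.es
From: "BBVA.net"<sorteos@bbvanet.es>
Subject: promo
Size: 674 bytes

10000004 (4, 4/10000004)
Return-path: <>
From: MAILER-DAEMON@plesk2.example.com
Subject: failure notice
Size: 1980 bytes

10000005 (5, 5/10000005)
Return-path: sorteos@bbvanet.es
From: "BBVA.net"<sorteos@bbvanet.es>
Subject: promo
Size: 674 bytes

10000006 (6, 6/10000006)
Return-path: alice@example.net
From: Alice <alice@example.net>
Subject: invoice
Size: 12034 bytes
EOF
)

# Demonstration run over the constructed sample.
printf '%s\n' "$SAMPLE" | queue_by_domain
printf 'bounces: %s\n' "$(printf '%s\n' "$SAMPLE" | queue_bounce_count)"
```

On a live server pipe the real listing in (`qmhandle.pl -l | queue_by_domain`) with qmail stopped, as in step 2, so the counts do not shift under you; the domain it prints is the one to hand to qmail-remove in step 6.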
coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

Something similar and I need to find out the source of the S

Unread post by coolemail »

scott wrote: It's an smtp_auth account, unless you allow poplocking and someone is abusing that. It should be logging those smtp_auth logins to the /usr/local/psa/var/log/maillog file.
I am guessing that I have a compromised smtp_auth account with what I am getting today with some :
[root@plesk2 ~]# qmhandle.pl -l
14814888 (13, 13/14814888)
Return-path: sorteos@bbvanet.es
From: "BBVA.net"<sorteos@bbvanet.es>
Subject: BBVA.net lanza su nueva Promocion | "100 euros te esperan"
Date: Mon, 23 Mar 2009 07:26:02 -0500
Size: 674 bytes

14814946 (2, 2/14814946)
Return-path: sorteos@bbvanet.es
From: "BBVA.net"<sorteos@bbvanet.es>
Subject: BBVA.net lanza su nueva Promocion | "100 euros te esperan"
Date: Mon, 23 Mar 2009 07:37:47 -0500
Size: 674 bytes

14814912 (14, 14/14814912)
Return-path: sorteos@bbvanet.es
From: "BBVA.net"<sorteos@bbvanet.es>
Subject: BBVA.net lanza su nueva Promocion | "100 euros te esperan"
Date: Mon, 23 Mar 2009 07:27:06 -0500
Size: 674 bytes

Total messages: 5
Messages with local recipients: 0
Messages with remote recipients: 5
Messages with bounces: 4
Messages in preprocess: 0
[root@plesk2 ~]#

[root@plesk2 ~]# qmhandle.pl -m14814888

--------------
MESSAGE NUMBER 14814888
--------------
Received: (qmail 16340 invoked from network); 23 Mar 2009 12:26:18 +0000
Received: from marugoto-5-210-157-013-203.interq.or.jp (HELO User) (210.157.13.203)
by 84.45.18.8 with SMTP; 23 Mar 2009 12:26:17 +0000
From: "BBVA.net"<sorteos@bbvanet.es>
Subject: BBVA.net lanza su nueva Promocion | "100 euros te esperan"
Date: Mon, 23 Mar 2009 07:26:02 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

<a href="http://besstek.com/.es/"><img src="besstek.com/.es/2.gif"></a>
[root@plesk2 ~]#
From Scott's comment, I read that the authorisation should be in /usr/local/psa/var/log/maillog but the file is massive, so is there an easy way to get to the particular time which I think is 23 Mar 2009 12:26:17 from the above example.

Can you tell me how to grep for smtp_auth and what I could do to look for it in /var/log/messages: "You want to grep for smtp_auth, assuming its even being logged. Sometimes it likes to hide in /var/log/messages too."

Many thanks in advance for whatever help people can give me.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Flooded with Spam

Unread post by scott »

grep smtp_auth <filename>
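Scott's `grep smtp_auth <filename>` answers the question; what coolemail still has to do is narrow a huge maillog to one quarter of an hour and then see which account did the authenticating. The shell below is an added example, not code from this thread or from Plesk. It filters smtp_auth login lines by syslog day and HH:MM:SS window, then reports per account how many logins there were and from how many distinct addresses, which is the quickest tell for a stolen password. Match on the server's own timestamps (the `Received:` line in the queued message), not on the `Date:` header, which the sender controls. The log line layout it parses (`SMTP user <user> : <path> logged in from <host> [<ip>]`) is an assumption about how Plesk's qmail logs smtp_auth; compare it with a real line from your maillog and adjust the pattern if yours differs. The sample lines are constructed with documentation IP ranges.

```shell
#!/bin/sh
# Added example, not from the thread: find which smtp_auth account was used
# around the time a spam run hit the queue, instead of paging through the
# whole maillog.  Real use:
#   auth_logins "Mar 23" 12:20:00 12:40:00 < /usr/local/psa/var/log/maillog
#
# The line layout parsed here ("SMTP user <user> : <path> logged in from <host> [<ip>]")
# is an ASSUMPTION about Plesk's smtp_auth logging; check it against a real
# line from your own maillog and adjust the field test below if it differs.

# auth_logins [day] [from] [to]: reads a maillog on stdin and prints
# "<logins> <distinct_ips> <user>" for every account that authenticated,
# optionally limited to a syslog day ("Mar 23") and an HH:MM:SS window.
auth_logins() {
    awk -v day="$1" -v from="$2" -v to="$3" '
        /smtp_auth/ && /logged in from/ {
            if (day  != "" && ($1 " " $2) != day) next
            if (from != "" && $3 < from) next      # HH:MM:SS compares as a string
            if (to   != "" && $3 > to) next
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) if ($i == "user") { user = $(i + 1); break }
            if (match($0, /\[[0-9.]+\]$/)) ip = substr($0, RSTART + 1, RLENGTH - 2)
            if (user == "") next
            logins[user]++
            if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
        }
        END { for (u in logins) printf "%d %d %s\n", logins[u], ips[u], u }
    ' | sort -rn
}

# auth_suspects [day] [from] [to] <min_ips>: accounts that logged in from at
# least <min_ips> different addresses in the window.  A mailbox whose owner
# sits in one office does not normally authenticate from three networks
# inside a quarter of an hour.
auth_suspects() {
    auth_logins "$1" "$2" "$3" | awk -v n="$4" '$2 >= n { print $3 }'
}

# Constructed sample lines (documentation IP ranges, made-up accounts).
SAMPLE=$(cat <<'EOF'
Mar 23 12:25:58 plesk2 smtp_auth: SMTP connect from unknown [198.51.100.7]
Mar 23 12:26:02 plesk2 smtp_auth: SMTP user info@example.com : /var/qmail/mailnames/example.com/info logged in from unknown [198.51.100.7]
Mar 23 12:26:17 plesk2 smtp_auth: SMTP user info@example.com : /var/qmail/mailnames/example.com/info logged in from unknown [203.0.113.9]
Mar 23 12:27:06 plesk2 smtp_auth: SMTP user info@example.com : /var/qmail/mailnames/example.com/info logged in from unknown [192.0.2.77]
Mar 23 12:30:41 plesk2 smtp_auth: SMTP user alice@example.net : /var/qmail/mailnames/example.net/alice logged in from office.example.net [192.0.2.5]
Mar 23 18:02:10 plesk2 smtp_auth: SMTP user alice@example.net : /var/qmail/mailnames/example.net/alice logged in from office.example.net [192.0.2.5]
Mar 22 12:26:17 plesk2 smtp_auth: SMTP user bob@example.net : /var/qmail/mailnames/example.net/bob logged in from unknown [198.51.100.7]
EOF
)

# Demonstration: who authenticated in the twenty minutes around 12:26 on Mar 23?
printf '%s\n' "$SAMPLE" | auth_logins "Mar 23" 12:20:00 12:40:00
printf 'suspects: %s\n' "$(printf '%s\n' "$SAMPLE" | auth_suspects "Mar 23" 12:20:00 12:40:00 2)"
```

Scott's later remark that smtp_auth "likes to hide in /var/log/messages too" applies here as well: run the same function over that file if the maillog shows nothing for the window.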
coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

Re: Flooded with Spam

Unread post by coolemail »

If I blacklist that IP (210.157.13.203) on ASL, will it prevent them from sending?

EDIT: and is there any way I can find out which domain's info@domain.com is being used to send the Spam?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Flooded with Spam

Unread post by scott »

Yeah, there's a module in ASL that will dump out the weak accounts to /var/asl/reports/password.report
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Flooded with Spam

Unread post by mikeshinn »

You can also test your qmail by running this:

telnet rt.njabl.org 2500

That will connect back to your box and test it for open relay configuration vulnerabilities.
coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

Re: Flooded with Spam

Unread post by coolemail »

I'm closed to relaying with that test, and with the Plesk setup.

I did blacklist the Spammers IP on ASL, and that did appear to prevent them until they get a new IP address.

Scott's suggestion on /var/asl/reports/password.report did produce one domain that has put some simple passwords, and so now I need to get hold of them and get them to change this.

I would love to move to long mailnames only, but as I have been allowing short ones for so long, it is almost impossible to get everyone to change now. I have never found an easy way to email all email addresses in a particular domain - the mass email with Plesk only allows emailing of client & domain admins only. That does not always get through.

Thank you both for your help.
coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

Re: Flooded with Spam - greylisting test?

Unread post by coolemail »

Is there any way I can check if greylisting is working on my server? When I migrated everything to a new one, ASL etc. stopped almost everything. Now a lot of Spam is coming back. A search suggests that it might no longer be fully there:
[root@plesk2 ~]# locate greylist
/var/qmail/greylist
/var/qmail/bin/greylist
/var/qmail/greylist/.lastcleanup
/var/qmail/greylist/114.44.114.
/var/qmail/greylist/118.165.77.
/var/qmail/greylist/118.168.99.
/var/qmail/greylist/118.169.193.
/var/qmail/greylist/82.197.79.
/var/qmail/greylist/89.44.142.
[root@plesk2 ~]#

I did find a suggestion to install dcc, but http://www.rhyolite.com/dcc/greylist.html. I really liked "Greylisting can help reject spam at MX secondaries. It is common for unsolicited bulk mail to be sent to MX secondaries instead of primaries because secondaries often lack the filtering of primaries. Greylisting can defend against this attack while preserving the usefulness of MX secondaries as backups for primaries." as I use secondary MX.

But do I need to worry about "False negatives are common. Greylisting can only detect bogus SMTP clients. " or is it false positives I need worry about? What really is the difference between a false negative and a false positive?

Should I yum install qgreylist? Or can I test if it is there and working already?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Flooded with Spam

Unread post by scott »

I'd reinstall the package, sounds like it got zapped in the upgrade. When it's working it will log greylist events to the maillog like this:

Apr 15 16:48:29 ac3 greylist[16752]: forgetting 72.15.145. (seen once at 2009-04-14 16:39)
coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

Re: Flooded with Spam

Unread post by coolemail »

thanks Scott. It appears it is there:
[root@plesk2 ~]# yum install qgreylist
Loading "fastestmirror" plugin
Loading mirror speeds from cached hostfile
* extras: mirror.sov.uk.goscomb.net
* atomic: www5.atomicorp.com
* base: mirror.sov.uk.goscomb.net
* asl-2.0: atomicorp.com
* addons: mirror.sov.uk.goscomb.net
* updates: mirror.sov.uk.goscomb.net
Setting up Install Process
Parsing package install arguments
Package qgreylist - 0.3-3.el5.art.x86_64 is already installed.
Nothing to do
[root@plesk2 ~]#

is it /usr/local/psa/var/log/maillog that should show greylist? if so, I will try to run tail -f /usr/local/psa/var/log/maillog
and see if I can spot anything, or is there an easier way to try and find greylist entries?
coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

Re: Flooded with Spam

Unread post by coolemail »

been running maillog and monitoring it. No obvious sign of greylist entries, but then I did see an incoming Spam:
Apr 15 22:33:48 plesk2 qmail-queue[31470]: scan: the message(drweb.tmp.aSGvSO) sent by szeiuey@linux-mag.com to rcpts is passed
Apr 15 22:33:48 plesk2 qmail-queue-handlers[31471]: Handlers Filter before-queue for qmail started ...
Apr 15 22:33:48 plesk2 qmail-queue-handlers[31471]: from=szeiuey@linux-mag.com
Apr 15 22:33:48 plesk2 qmail-queue-handlers[31471]: to=person1@domain.com ... up to ...
Apr 15 22:33:48 plesk2 qmail-queue-handlers[31471]: to=personxx@domain.com
Apr 15 22:33:48 plesk2 qmail-queue-handlers[31471]: hook_dir = '/var/qmail//handlers/before-queue'
Apr 15 22:33:48 plesk2 qmail-queue-handlers[31471]: recipient[3] = 'person1@domain.com'
Apr 15 22:33:48 plesk2 qmail-queue-handlers[31471]: handlers dir = '/var/qmail//handlers/before-queue/recipient/person1@domain.com'
...
Apr 15 22:33:48 plesk2 qmail: 1239831228.616824 new msg 14814515
Apr 15 22:33:48 plesk2 qmail: 1239831228.616862 info msg 14814515: bytes 3274 from <szeiuey@linux-mag.com> qp 31472 uid 2020
Apr 15 22:33:48 plesk2 qmail-queue-handlers[31471]: starter: submitter[31472] exited normally
Apr 15 22:33:48 plesk2 qmail: 1239831228.628881 starting delivery 3729: msg 14814515 to local 45-person1@domain.com
Apr 15 22:33:48 plesk2 qmail: 1239831228.628971 status: local 1/10 remote 0/20
...
Apr 15 22:33:48 plesk2 qmail-local-handlers[31481]: Handlers Filter before-local for qmail started ...
...
Apr 15 22:33:48 plesk2 spamd[16160]: spamd: got connection over /tmp/spamd_full.sock
Apr 15 22:33:48 plesk2 spamd[16160]: spamd: using default config for person1@domain.com: /var/qmail/mailnames/domain.com/person1/.spamassassin/user_prefs
Apr 15 22:33:48 plesk2 spamd[16160]: spamd: processing message <0851CB13.57C8BABA@linux-mag.com> for person1@domain.com:110
...
Apr 15 22:33:52 plesk2 spamd[16160]: spamd: result: Y 21 - BAYES_99,DIGEST_MULTIPLE,HTML_MESSAGE,MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RDNS_DYNAMIC,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=4.2,size=3305,user=person1@domain.com,uid=110,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=/tmp/spamd_full.sock,mid=<0851CB13.57C8BABA@linux-mag.com>,bayes=1.000000,autolearn=spam


so SpamAssassin seems to have caught this particular one, but not greylisting, or DNS blackhole lists or anything.

I guess I have not got the server set up for best practice, and would appreciate any suggestions, please.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Flooded with Spam

Unread post by scott »

did you try re-installing it?
coolemail
Forum Regular
Posts: 369
Joined: Tue Dec 16, 2008 8:01 am
Location: United Kingdom

Re: Flooded with Spam

Unread post by coolemail »

scott wrote: did you try re-installing it?
Hi Scott, Yes I did, or at least I think I did - I posted it above:
[root@plesk2 ~]# yum install qgreylist
Loading "fastestmirror" plugin
Loading mirror speeds from cached hostfile
* extras: mirror.sov.uk.goscomb.net
* atomic: www5.atomicorp.com
* base: mirror.sov.uk.goscomb.net
* asl-2.0: atomicorp.com
* addons: mirror.sov.uk.goscomb.net
* updates: mirror.sov.uk.goscomb.net
Setting up Install Process
Parsing package install arguments
Package qgreylist - 0.3-3.el5.art.x86_64 is already installed.
Nothing to do
[root@plesk2 ~]#
Did I need to do something before, or after, that? Could it be installed but not running? Is there a command to restart/start it?

Thanks as always for the help.