Server Spamming

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
Stucco
Forum User
Posts: 84
Joined: Fri May 06, 2005 7:29 pm

Server Spamming

Unread post by Stucco »

I have now received two calls about my server sending SPAM. I would like to secure it, but I'm not sure how.

So far I've tried
1) Closing all relaying (through plesk)
2) Turning off qmail (through Plesk), but I can't do that because it shuts down incoming mail too.
3) Configuring the firewall (through Plesk) to be more strict, but again, my incoming mail has been shut down.

Can someone post their spam blocking, known good, merciless plesk firewall configuration? Or tell me how to block these spammers.

Stucco
Galactic Zero
Forum Regular
Posts: 471
Joined: Mon Dec 06, 2004 10:43 pm

Unread post by Galactic Zero »

What is your whitelist set to for your 120.0.0.1 IP?
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net

Unread post by Stucco »

My whitelist in my plesk mail settings has one ip, it is
127.0.0.0 / 8

Unread post by Galactic Zero »

Change the /8 to /32 and that should fix your problem, and the IP should be 120.0.0.1, which is the internal loopback IP. I'd probably remove the other one. The /32 restricts communications to only that IP, and the /8 gives it a few more that it will listen to. This IP is the one the server communicates on.

Unread post by Stucco »

Won't let me: "IP address/net mask pair is invalid."
I am assuming I need to make it 127.0.0.1 / 32

Unread post by Stucco »

Which doesn't work either

Unread post by Stucco »

Don't use spaces.
Worked, thanks

Unread post by Stucco »

I also installed rules_du_jour. Was this a good idea?

To do it I did...

mkdir /root/bin                              # private bin directory for root's scripts
cd /root/bin
wget http://sandgnat.com/rdj/rules_du_jour   # fetch the rules_du_jour updater script
chmod +x rules_du_jour                       # make it executable
mkdir /etc/rulesdujour                       # rules_du_jour reads its config from here
joe /etc/rulesdujour/config                  # create the config (contents below)

Contents >>
*********************************
TRUSTED_RULESETS="ANTIDRUG BIGEVIL BLACKLIST BOGUSVIRUS EVILNUMBERS EVILNUMBERS1 EVILNUMBERS2 RANDOMVAL SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_CODING SARE_FRAUD SARE_HEADER SARE_OEM SARE_RANDOM SARE_SPECIFIC SARE_SPOOF TRIPWIRE"
SA_DIR="/etc/mail/spamassassin"
MAIL_ADDRESS="aaron@gadberry.com"
SA_RESTART="/etc/rc.d/init.d/spamassassin restart"
*********************************

Everything works great, spam is obliterated, but...

Thu, 10 Nov 2005 12:29:09 CST:2401: SA: finished scan in 4.475615 secs - hits=112.3/7.0
Thu, 10 Nov 2005 12:30:22 CST:2606: SA: finished scan in 10.015877 secs - hits=0.0/7.0
Thu, 10 Nov 2005 12:31:04 CST:2629: SA: finished scan in 10.286849 secs - hits=3.0/7.0
Thu, 10 Nov 2005 12:31:08 CST:2638: SA: finished scan in 7.118204 secs - hits=4.3/7.0
Thu, 10 Nov 2005 12:31:24 CST:2669: SA: finished scan in 5.882463 secs - hits=1.3/7.0
It's now taking 5 seconds minimum to process an email. Is there a way to speed it up?
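The five timing lines above, run through a small parser as an added example (it is not part of the original post and is not qmail-scanner's own code): it pulls the scan time and the SpamAssassin score out of each line and reports how many messages crossed the required score and how many scans exceeded a latency threshold. Running this over a day's qmail-scanner log is the quickest way to see whether a new ruleset made the scanner slow before deciding on faster hardware. The 5-second threshold is the one mentioned in the post; the log lines are the real ones quoted above.

```python
import re
from statistics import mean
from typing import Dict, List, NamedTuple

# The five qmail-scanner log lines quoted in the post above (copied, not constructed).
LOG_LINES = """\
Thu, 10 Nov 2005 12:29:09 CST:2401: SA: finished scan in 4.475615 secs - hits=112.3/7.0
Thu, 10 Nov 2005 12:30:22 CST:2606: SA: finished scan in 10.015877 secs - hits=0.0/7.0
Thu, 10 Nov 2005 12:31:04 CST:2629: SA: finished scan in 10.286849 secs - hits=3.0/7.0
Thu, 10 Nov 2005 12:31:08 CST:2638: SA: finished scan in 7.118204 secs - hits=4.3/7.0
Thu, 10 Nov 2005 12:31:24 CST:2669: SA: finished scan in 5.882463 secs - hits=1.3/7.0
""".splitlines()

# "<timestamp>:<pid>: SA: finished scan in <secs> secs - hits=<score>/<required>"
SCAN_RE = re.compile(
    r"^(?P<ts>.+?):(?P<pid>\d+): SA: finished scan in (?P<secs>[\d.]+) secs"
    r" - hits=(?P<hits>-?[\d.]+)/(?P<required>[\d.]+)$"
)


class ScanRecord(NamedTuple):
    ts: str
    pid: int
    secs: float
    hits: float
    required: float

    @property
    def is_spam(self) -> bool:
        # SpamAssassin tags the message once the score reaches the required threshold.
        return self.hits >= self.required


def parse_scan_log(lines: List[str]) -> List[ScanRecord]:
    """Return one record per 'finished scan' line; other log lines are ignored."""
    records = []
    for line in lines:
        m = SCAN_RE.match(line.strip())
        if m:
            records.append(ScanRecord(m["ts"], int(m["pid"]), float(m["secs"]),
                                      float(m["hits"]), float(m["required"])))
    return records


def summarize(records: List[ScanRecord], slow_threshold: float = 5.0) -> Dict[str, float]:
    """Count tagged messages and slow scans, and give min/mean/max scan latency."""
    if not records:
        return {"messages": 0, "spam": 0, "slow": 0,
                "min_secs": 0.0, "max_secs": 0.0, "mean_secs": 0.0}
    secs = [r.secs for r in records]
    return {
        "messages": len(records),
        "spam": sum(1 for r in records if r.is_spam),
        "slow": sum(1 for s in secs if s >= slow_threshold),
        "min_secs": min(secs),
        "max_secs": max(secs),
        "mean_secs": mean(secs),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_scan_log(LOG_LINES)).items():
        print(f"{key:>10}: {value}")
```

On a live box, replace LOG_LINES with `open("/var/spool/qmailscan/qmail-queue.log")` (or wherever qmail-scanner logs on the system) and compare the summary before and after a ruleset change.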
jamesyeeoc
Forum User
Posts: 46
Joined: Thu May 12, 2005 3:50 am
Location: Sunny California

Unread post by jamesyeeoc »

Stucco wrote: I also installed rules_du_jour. Was this a good idea?

It's now taking 5 seconds minimum to process an email. Is there a way to speed it up?
RDJ is a good thing.

Re:Speed it up - faster server... faster drive system...

Even on a Celeron-based server, most of the scanned messages I've seen take less than 1 sec, but some have taken over 10 seconds; it depends on how many checks were done on the message, the size of the message, etc. On dual Xeon servers the average time is much lower than the following examples from a Celeron server; drive access/transfer speed on the higher-end servers is of course much faster as well, and the amount of RAM is higher too:

DCC_CHECK,DIGEST_MULTIPLE,FORGED_RCVD_HELO,INVALID_MSGID,MSGID_SPAM_LETTERS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,TW_ZF,TW_ZZ scantime=8.5

DCC_CHECK,DIGEST_MULTIPLE,FORGED_RCVD_HELO,INVALID_MSGID,MSGID_SPAM_LETTERS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,TW_GU,TW_ZF,TW_ZZ scantime=0.9

ALL_TRUSTED,NO_REAL_NAME scantime=0.9

DATE_IN_FUTURE_06_12,HELO_DYNAMIC_IPADDR2 scantime=0.8

Unread post by Stucco »

Ok, my server is still contributing to the SPAM in your inbox. I am running out of ideas to stop this.

Right now I have two prevention methods.
1) My whitelist contents is
127.0.0.0/32

2) I have rdj with the above rulesets
ANTIDRUG BIGEVIL BLACKLIST BOGUSVIRUS EVILNUMBERS EVILNUMBERS1 EVILNUMBERS2 RANDOMVAL SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_CODING SARE_FRAUD SARE_HEADER SARE_OEM SARE_RANDOM SARE_SPECIFIC SARE_SPOOF TRIPWIRE
I'm still spamming. How can I stop it? I'm thinking I would just like to stop the server from sending all mail. We can use separate SMTP servers, and I set it up to use a separate one on the website, so the only mail coming from the server right now should be Horde. I wouldn't mind turning it off, assuming I could reroute Horde mail through another server.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

I'd say it's probably running through a web app. Do you happen to have any of the full spam headers that I can look at?

Unread post by Stucco »

yup, here's one from Time Warner just the other day.

Return-Path: <seminarcrowds@taa01.com>

Received: from  rly-xa05.mx.aol.com (rly-xa05.mail.aol.com [172.20.64.41]) by air-xa03.mail.aol.com (v107.13) with ESMTP id MAILINXA34-77438ca8481bb; Tue, 29 Nov 2005 14:13:31 -0500
Received: from  webserver.treeoflifechurch.org (rrcs-71-41-8-230.sw.biz.rr.com [71.41.8.230]) by rly-xa05.mx.aol.com (v107.13) with ESMTP id MAILRELAYINXA59-77438ca8481bb; Tue, 29 Nov 2005 14:13:12 -0500
Received: (qmail 10428 invoked by uid 2520); 29 Nov 2005 13:09:37 -0600
Received: from 127.0.0.1 by webserver.treeoflifechurch.org (envelope-from <seminarcrowds@taa01.com>, uid 110) with qmail-scanner-1.25st
 (clamdscan: 0.87/1198. spamassassin: 3.1.0. perlscan: 1.25st.  
 Clear:RC:1(127.0.0.1):SA:0(2.1/7.0):.
 Processed in 14.531184 secs); 29 Nov 2005 19:09:37 -0000
X-Spam-Status: No, hits=2.1 required=7.0
X-Spam-Level: ++
Delivered-To: 8-don@gadberry.com
Received: (qmail 10394 invoked by uid 2520); 29 Nov 2005 13:09:23 -0600
Received: from 205.134.229.178 by webserver.treeoflifechurch.org (envelope-from <seminarcrowds@taa01.com>, uid 2020) with qmail-scanner-1.25st
 (clamdscan: 0.87/1198. spamassassin: 3.1.0. perlscan: 1.25st.  
 Clear:RC:0(205.134.229.178):SA:0(2.1/7.0):.
 Processed in 14.715359 secs); 29 Nov 2005 19:09:23 -0000
X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=2.1 required=7.0
X-Qmail-Scanner-MOVED-X-Spam-Level: ++
Received: from unknown (HELO taa012291.com) (205.134.229.178)
  by rrcs-71-41-8-230.sw.biz.rr.com with SMTP; 29 Nov 2005 13:09:08 -0600
From: Charles Morenus <seminarcrowds@taa01.com>
To: <Undisclosed Recipients>
Reply-To: seminarcrowds@taa01.com
Subject: Get Ready for your January Seminars
Date: Tue, 29 Nov 2005 11:14:55 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="8f7126d3-c762-4601-8003-9e8a675f701f"
X-Qmail-Scanner-Message-ID: <113329134892210381@webserver.treeoflifechurch.org>
X-AOL-IP: 71.41.8.230
Message-ID: <200511291413.77438ca8481bb@rly-xa05.mx.aol.com>
X-Mailer: Unknown (No Version)
 

--8f7126d3-c762-4601-8003-9e8a675f701f
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hi, I'm Charlie Morenus, from Seminar Crowds, with a 'gentle reminder' about=
 your upcoming January seminars.
 

Now is the time to start saving thousands on your early-2006 seminars.  Our=20=
mailers start at 29.9 cents, and that low price includes RSVPs, first class=20=
postage, and our highly-rated mailing lists.

 
I'd like to send you information on our services, either by email or postal=20=
mail, or call you if you prefer. We fill seminars with qualified seniors for=
 agents all over the country. May I have your permission to send you our inf=
ormation?

Sincerely,

Charles Morenus
Vice-President, Sales & Marketing
Seminar Crowds
1100 North 4th Street, Suite 133
Fairfield, Iowa 52556
800-207-3840 x516

P.S. I'm also trying to be respectful of your time. If you don't want to rec=
eive e-mails or ads (like this one) from me, just send me back a note with N=
o Thanks and I won't write to you again. =20

--8f7126d3-c762-4601-8003-9e8a675f701f--

--part1_1e9.4829ee37.30be271f_boundary--

Unread post by scott »

A ha, the sender is coming from AOL:

Received: from unknown (HELO taa012291.com) (205.134.229.178)
by rrcs-71-41-8-230.sw.biz.rr.com with SMTP; 29 Nov 2005 13:09:08 -0600

I'll bet you allow pop-locking for sending mail over SMTP, right? If so, then what is probably happening is that some user from AOL is getting mail from your system, and they are all NATed to the same IP space. Then some other guy is just riding his authentication coattails and spamming through your system. You are in effect whitelisting AOL whenever someone from there POPs mail from your box. Turning off pop-locking will make this go away.

If it's not the case, then that guy (rrcs-71-41-8-230.sw.biz.rr.com) has valid login credentials on your system.
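The pop-locking scenario in the post above, as an added example (a minimal model I wrote for this thread, not Plesk's or any real pop-before-smtp daemon's code). The grant that a successful POP3 login creates is keyed on the client IP address, not on the user, so any other machine that presents the same address inside the grant window is allowed to relay too; the SMTP AUTH decision beside it keys on credentials instead, which is what removes the shared-NAT problem. The two IP addresses and the 30-minute window are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical values for the simulation (not from the thread).
AOL_PROXY_IP = "198.51.100.7"   # one NAT/proxy address shared by many users of a big ISP
OTHER_HOST_IP = "203.0.113.9"   # a host with no relationship to the server
WINDOW_SECONDS = 30 * 60        # a common pop-before-smtp grace period; assumed


@dataclass
class PopBeforeSmtp:
    """Relay authorisation the way pop-locking does it: by client address and time."""
    window: int = WINDOW_SECONDS
    _grants: Dict[str, float] = field(default_factory=dict)   # client IP -> expiry

    def pop_login(self, client_ip: str, user: str, now: float) -> None:
        # The user name is not stored: the grant belongs to the address.
        self._grants[client_ip] = now + self.window

    def may_relay(self, client_ip: str, now: float) -> bool:
        expiry = self._grants.get(client_ip)
        return expiry is not None and now < expiry


def may_relay_with_smtp_auth(authenticated_user: Optional[str]) -> bool:
    """Relay only for a session that presented valid SMTP AUTH credentials."""
    return authenticated_user is not None


def simulate() -> Dict[str, bool]:
    """Replay the thread's scenario and return each relay decision by label."""
    relay = PopBeforeSmtp()
    t0 = 1_000_000.0
    relay.pop_login(AOL_PROXY_IP, "legit-user", t0)      # a real user checks mail
    return {
        "legit user, 1 min after POP": relay.may_relay(AOL_PROXY_IP, t0 + 60),
        # Different machine, same NAT address, no credentials of its own:
        "stranger behind same NAT, 5 min later": relay.may_relay(AOL_PROXY_IP, t0 + 300),
        "stranger behind same NAT, after window": relay.may_relay(AOL_PROXY_IP, t0 + WINDOW_SECONDS + 1),
        "unrelated host": relay.may_relay(OTHER_HOST_IP, t0 + 60),
        "smtp auth: stranger without credentials": may_relay_with_smtp_auth(None),
        "smtp auth: legit user": may_relay_with_smtp_auth("legit-user"),
    }


if __name__ == "__main__":
    for label, allowed in simulate().items():
        print(f"{'RELAY' if allowed else 'REJECT':6} {label}")
```

The second line of the output is the whole problem: while the grant is open, the server cannot tell the legitimate user and the stranger apart, because the only thing it checked was the address.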

Unread post by Stucco »

scott wrote: If it's not the case, then that guy (rrcs-71-41-8-230.sw.biz.rr.com) has valid login credentials on your system.
That guy is me. The server's IP is 71.41.8.230.

Stucco

Unread post by jamesyeeoc »

1) My whitelist contents is
127.0.0.0/32
Shouldn't this be 127.0.0.1/32 ??

Interesting, the X header is reporting that your IP belongs to AOL:

X-AOL-IP: 71.41.8.230

ARIN reports:

OrgName: Road Runner-Commercial

Are your SA rules up to date? Hmmm, wondering if it may be from a RDJ ruleset... as a test, you may want to disable the use of RDJ's 70_sare_header.cf and 70_sare_redirect_post3.0.0.cf (if you are using them). Those are the only 2 that I can see that check for AOL (in RDJ)

(Scott, please correct me if I am heading down the wrong path here)
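As an added example (not from the thread or from Plesk), the three whitelist spellings that came up, checked against the loopback address with Python's ipaddress module: 127.0.0.0/8 covers every 127.x.x.x address, 127.0.0.1/32 covers exactly loopback, and 127.0.0.0/32 covers a single address that is not 127.0.0.1, so that entry matches nothing the server actually uses. The parser also refuses an entry with spaces around the slash, which is the rejection reported earlier in the thread, and `strict=True` refuses an entry whose host bits are set outside its mask (127.0.0.1/8). Whichever spelling is used, a loopback entry only describes connections from the box itself; it says nothing about which remote hosts may relay.

```python
import ipaddress
from typing import Dict, Iterable, List

SPELLINGS = ("127.0.0.0/8", "127.0.0.0/32", "127.0.0.1/32")   # the three from the thread


def parse_whitelist(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse 'a.b.c.d/n' entries; spaces are rejected, as the Plesk form does."""
    nets = []
    for entry in entries:
        if " " in entry:
            raise ValueError(f"IP address/net mask pair is invalid: {entry!r} (no spaces allowed)")
        # strict=True rejects host bits set outside the mask, e.g. 127.0.0.1/8.
        nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def is_whitelisted(ip: str, entries: Iterable[str]) -> bool:
    """True if the address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_whitelist(entries))


def addresses_covered(entry: str) -> int:
    """How many addresses a single entry admits (the '/8 gives it a few more' point)."""
    return ipaddress.ip_network(entry, strict=True).num_addresses


def compare_spellings(ip: str = "127.0.0.1") -> Dict[str, bool]:
    """Whether the given address matches each of the three spellings on its own."""
    return {entry: is_whitelisted(ip, [entry]) for entry in SPELLINGS}


if __name__ == "__main__":
    for entry, matched in compare_spellings().items():
        print(f"{entry:>14}  covers {addresses_covered(entry):>9} addresses, "
              f"matches 127.0.0.1: {matched}")
    for bad in ("127.0.0.1 / 32", "127.0.0.1/8"):
        try:
            parse_whitelist([bad])
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```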