Server Spamming
I have now received two calls about my server sending SPAM. I would like to secure it, but I'm not sure how.
So far I've tried
1) Closing all relaying (through plesk)
2) Turning off qmail (through plesk), but I can't do that because it shuts down incoming mail too.
3) Configuring the firewall (through plesk) to be more strict, but again, my incoming mail has been shut down.
Can someone post their spam blocking, known good, merciless plesk firewall configuration? Or tell me how to block these spammers.
Stucco
-
- Forum Regular
- Posts: 471
- Joined: Mon Dec 06, 2004 10:43 pm
Change the /8 to /32 and that should fix your problem, and the IP should be 127.0.0.1, which is the internal loopback IP. I'd probably remove the other one. The /32 restricts communications to only that IP, and the /8 gives it a few more that it will listen to. This IP is the one the server communicates on.
I also installed rules_du_jour. Was this a good idea?
To do it I did...
mkdir /root/bin
cd /root/bin
wget http://sandgnat.com/rdj/rules_du_jour
chmod +x rules_du_jour
mkdir /etc/rulesdujour
joe /etc/rulesdujour/config
Contents >>
*********************************
TRUSTED_RULESETS="ANTIDRUG BIGEVIL BLACKLIST BOGUSVIRUS EVILNUMBERS EVILNUMBERS1 EVILNUMBERS2 RANDOMVAL SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_CODING SARE_FRAUD SARE_HEADER SARE_OEM SARE_RANDOM SARE_SPECIFIC SARE_SPOOF TRIPWIRE"
SA_DIR="/etc/mail/spamassassin"
MAIL_ADDRESS="aaron@gadberry.com"
SA_RESTART="/etc/rc.d/init.d/spamassassin restart"
*********************************
Everything works great, spam is obliterated, but...
It's now taking 5 seconds minimum to process an email. Is there a way to speed it up?
Thu, 10 Nov 2005 12:29:09 CST:2401: SA: finished scan in 4.475615 secs - hits=112.3/7.0
Thu, 10 Nov 2005 12:30:22 CST:2606: SA: finished scan in 10.015877 secs - hits=0.0/7.0
Thu, 10 Nov 2005 12:31:04 CST:2629: SA: finished scan in 10.286849 secs - hits=3.0/7.0
Thu, 10 Nov 2005 12:31:08 CST:2638: SA: finished scan in 7.118204 secs - hits=4.3/7.0
Thu, 10 Nov 2005 12:31:24 CST:2669: SA: finished scan in 5.882463 secs - hits=1.3/7.0
-
- Forum User
- Posts: 46
- Joined: Thu May 12, 2005 3:50 am
- Location: Sunny California
Stucco wrote: I also installed rules_du_jour. Was this a good idea?
RDJ is a good thing.
Stucco wrote: It's now taking 5 seconds minimum to process an email. Is there a way to speed it up?
Re: Speed it up - faster server... faster drive system...
Even on a Celeron-based server, most of the scanned messages I've seen take less than 1 sec. But some have taken over 10 seconds; it depends on how many checks were done on the message, the size of the message, etc. (On dual Xeon servers the average time is much lower than the following examples from a Celeron server. Drive access/transfer speed on the higher-end servers is of course much faster as well, and the amount of RAM is higher too.)
DCC_CHECK,DIGEST_MULTIPLE,FORGED_RCVD_HELO,INVALID_MSGID,MSGID_SPAM_LETTERS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,TW_ZF,TW_ZZ scantime=8.5
DCC_CHECK,DIGEST_MULTIPLE,FORGED_RCVD_HELO,INVALID_MSGID,MSGID_SPAM_LETTERS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,TW_GU,TW_ZF,TW_ZZ scantime=0.9
ALL_TRUSTED,NO_REAL_NAME scantime=0.9
DATE_IN_FUTURE_06_12,HELO_DYNAMIC_IPADDR2 scantime=0.8
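Both sets of timings above, Stucco's qmail-scanner "SA: finished scan" lines and the rule/scantime lines in this reply, can be summarised with a small parser instead of eyeballing them. The following is an added example and not code from the thread, from qmail-scanner or from SpamAssassin: it reads both line formats, reports min/max/mean scan time, how many scans crossed a slow threshold, how many of those were clean anyway, and which network-dependent rules appear in the slow scans. NETWORK_RULES is an assumed set (the DCC, Razor and Pyzor rules plus the digest-combination rule); the sample lines are the ones pasted in this thread.

```python
import re
from statistics import mean

# Added example: not qmail-scanner or SpamAssassin code. Parses the two timing
# line formats seen in this thread and summarises them.
# Format 1: "<date> CST:<pid>: SA: finished scan in <secs> secs - hits=<score>/<required>"
# Format 2: "<RULE>,<RULE>,... scantime=<secs>"
SCAN_RE = re.compile(
    r"^(?P<ts>.+?):(?P<pid>\d+): SA: finished scan in (?P<secs>[\d.]+) secs"
    r" - hits=(?P<hits>-?[\d.]+)/(?P<req>[\d.]+)$")
RULES_RE = re.compile(r"^(?P<rules>[A-Z0-9_,]+) scantime=(?P<secs>[\d.]+)$")

# Assumed set of rules that need a network round trip (DCC, Razor, Pyzor, digest combo).
NETWORK_RULES = {"DCC_CHECK", "RAZOR2_CHECK", "RAZOR2_CF_RANGE_51_100",
                 "PYZOR_CHECK", "DIGEST_MULTIPLE"}


def parse_scan_lines(lines):
    """Return one record per recognised line; unrecognised lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        m = SCAN_RE.match(line)
        if m:
            records.append({"secs": float(m["secs"]), "hits": float(m["hits"]),
                            "required": float(m["req"]), "rules": None})
            continue
        m = RULES_RE.match(line)
        if m:
            records.append({"secs": float(m["secs"]), "hits": None,
                            "required": None, "rules": m["rules"].split(",")})
    return records


def summarize(records, slow_threshold=5.0):
    """Timing summary; 'slow' means at or above slow_threshold seconds."""
    secs = [r["secs"] for r in records]
    slow = [r for r in records if r["secs"] >= slow_threshold]
    net_rules = set()
    for r in slow:
        if r["rules"]:
            net_rules.update(set(r["rules"]) & NETWORK_RULES)
    return {
        "count": len(records),
        "min_secs": min(secs),
        "max_secs": max(secs),
        "mean_secs": round(mean(secs), 3),
        "slow": len(slow),
        # slow scans whose verdict was ham: time spent without catching anything
        "slow_and_clean": sum(1 for r in slow
                              if r["hits"] is not None and r["hits"] < r["required"]),
        "spam": sum(1 for r in records
                    if r["hits"] is not None and r["hits"] >= r["required"]),
        "network_rules_in_slow": sorted(net_rules),
    }


# Sample lines copied from the posts above (constructed input for this example).
SAMPLE_LINES = """\
Thu, 10 Nov 2005 12:29:09 CST:2401: SA: finished scan in 4.475615 secs - hits=112.3/7.0
Thu, 10 Nov 2005 12:30:22 CST:2606: SA: finished scan in 10.015877 secs - hits=0.0/7.0
Thu, 10 Nov 2005 12:31:04 CST:2629: SA: finished scan in 10.286849 secs - hits=3.0/7.0
Thu, 10 Nov 2005 12:31:08 CST:2638: SA: finished scan in 7.118204 secs - hits=4.3/7.0
Thu, 10 Nov 2005 12:31:24 CST:2669: SA: finished scan in 5.882463 secs - hits=1.3/7.0
DCC_CHECK,DIGEST_MULTIPLE,FORGED_RCVD_HELO,INVALID_MSGID,MSGID_SPAM_LETTERS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,TW_ZF,TW_ZZ scantime=8.5
DCC_CHECK,DIGEST_MULTIPLE,FORGED_RCVD_HELO,INVALID_MSGID,MSGID_SPAM_LETTERS,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,TW_GU,TW_ZF,TW_ZZ scantime=0.9
ALL_TRUSTED,NO_REAL_NAME scantime=0.9
DATE_IN_FUTURE_06_12,HELO_DYNAMIC_IPADDR2 scantime=0.8
""".splitlines()

if __name__ == "__main__":
    for key, val in summarize(parse_scan_lines(SAMPLE_LINES)).items():
        print(f"{key}: {val}")
```

On these nine lines the mean is about 5.4 s, five scans are at or above 5 s, and four of those were clean mail: the slow scans are not the ones catching spam. Note that the same network rules appear in both the 8.5 s and the 0.9 s rule lists, so the rule set alone does not explain the time; run this over a full day of your own log before deciding which rulesets to drop.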
Ok, my server is still contributing to the SPAM in your inbox. I am running out of ideas to stop this.
Right now I have two prevention methods.
1) My whitelist contents is
127.0.0.0/32
2) I have rdj with the above rulesets
I'm still spamming. How can I stop it? I'm thinking I would just like to stop the server from sending all mail. We can use separate SMTP servers, and I set it up to use a separate one on the website, so the only mail coming from the server right now should be Horde. I wouldn't mind turning it off, assuming I could reroute Horde mail through another server.
Yup, here's one from Time Warner just the other day.
Return-Path: <seminarcrowds@taa01.com>
Received: from rly-xa05.mx.aol.com (rly-xa05.mail.aol.com [172.20.64.41]) by air-xa03.mail.aol.com (v107.13) with ESMTP id MAILINXA34-77438ca8481bb; Tue, 29 Nov 2005 14:13:31 -0500
Received: from webserver.treeoflifechurch.org (rrcs-71-41-8-230.sw.biz.rr.com [71.41.8.230]) by rly-xa05.mx.aol.com (v107.13) with ESMTP id MAILRELAYINXA59-77438ca8481bb; Tue, 29 Nov 2005 14:13:12 -0500
Received: (qmail 10428 invoked by uid 2520); 29 Nov 2005 13:09:37 -0600
Received: from 127.0.0.1 by webserver.treeoflifechurch.org (envelope-from <seminarcrowds@taa01.com>, uid 110) with qmail-scanner-1.25st
(clamdscan: 0.87/1198. spamassassin: 3.1.0. perlscan: 1.25st.
Clear:RC:1(127.0.0.1):SA:0(2.1/7.0):.
Processed in 14.531184 secs); 29 Nov 2005 19:09:37 -0000
X-Spam-Status: No, hits=2.1 required=7.0
X-Spam-Level: ++
Delivered-To: 8-don@gadberry.com
Received: (qmail 10394 invoked by uid 2520); 29 Nov 2005 13:09:23 -0600
Received: from 205.134.229.178 by webserver.treeoflifechurch.org (envelope-from <seminarcrowds@taa01.com>, uid 2020) with qmail-scanner-1.25st
(clamdscan: 0.87/1198. spamassassin: 3.1.0. perlscan: 1.25st.
Clear:RC:0(205.134.229.178):SA:0(2.1/7.0):.
Processed in 14.715359 secs); 29 Nov 2005 19:09:23 -0000
X-Qmail-Scanner-MOVED-X-Spam-Status: No, hits=2.1 required=7.0
X-Qmail-Scanner-MOVED-X-Spam-Level: ++
Received: from unknown (HELO taa012291.com) (205.134.229.178)
by rrcs-71-41-8-230.sw.biz.rr.com with SMTP; 29 Nov 2005 13:09:08 -0600
From: Charles Morenus <seminarcrowds@taa01.com>
To: <Undisclosed Recipients>
Reply-To: seminarcrowds@taa01.com
Subject: Get Ready for your January Seminars
Date: Tue, 29 Nov 2005 11:14:55 -0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="8f7126d3-c762-4601-8003-9e8a675f701f"
X-Qmail-Scanner-Message-ID: <113329134892210381@webserver.treeoflifechurch.org>
X-AOL-IP: 71.41.8.230
Message-ID: <200511291413.77438ca8481bb@rly-xa05.mx.aol.com>
X-Mailer: Unknown (No Version)
--8f7126d3-c762-4601-8003-9e8a675f701f
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Hi, I'm Charlie Morenus, from Seminar Crowds, with a 'gentle reminder' about=
your upcoming January seminars.
Now is the time to start saving thousands on your early-2006 seminars. Our=20=
mailers start at 29.9 cents, and that low price includes RSVPs, first class=20=
postage, and our highly-rated mailing lists.
I'd like to send you information on our services, either by email or postal=20=
mail, or call you if you prefer. We fill seminars with qualified seniors for=
agents all over the country. May I have your permission to send you our inf=
ormation?
Sincerely,
Charles Morenus
Vice-President, Sales & Marketing
Seminar Crowds
1100 North 4th Street, Suite 133
Fairfield, Iowa 52556
800-207-3840 x516
P.S. I'm also trying to be respectful of your time. If you don't want to rec=
eive e-mails or ads (like this one) from me, just send me back a note with N=
o Thanks and I won't write to you again. =20
--8f7126d3-c762-4601-8003-9e8a675f701f--
--part1_1e9.4829ee37.30be271f_boundary--
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Aha, the sender is coming from AOL:
Received: from unknown (HELO taa012291.com) (205.134.229.178)
by rrcs-71-41-8-230.sw.biz.rr.com with SMTP; 29 Nov 2005 13:09:08 -0600
I'll bet you allow pop-locking for sending mail over SMTP, right? If so, then what is probably happening is that some user from AOL is getting mail from your system, and they are all NATed to the same IP space. Then some other guy is just riding his authentication coattails and spamming through your system. You are in effect whitelisting AOL whenever someone from there POPs mail from your box. Turning off pop locking will make this go away.
If it's not the case, then that guy (rrcs-71-41-8-230.sw.biz.rr.com) has valid login credentials on your system.
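The Received-chain reading done above can be automated, which matters when you have a mailbox full of bounces and not one sample. The following is an added example, not part of the thread and not Plesk or qmail code: it unfolds the header block pasted above, walks the Received: hops in chronological order, and reports the first hop in which one of this server's own names accepted the message from a non-loopback address, whether that hop carries an authenticated-submission marker (ESMTPA/ESMTPSA or an "authenticated" note), where the server handed the message on afterwards, and any Delivered-To. LOCAL_HOSTS is an assumption taken from the pasted headers (the names the server writes into its own Received: lines); the sample is a copy of the message above with its folded lines re-indented.

```python
import re

# Added example (not from the thread, not Plesk/qmail code): walk the Received:
# chain of the pasted message and find where it entered this server.
# Assumption: these are the names this server writes into its own Received: lines.
LOCAL_HOSTS = {"webserver.treeoflifechurch.org", "rrcs-71-41-8-230.sw.biz.rr.com"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Copy of the header block from the post above; continuation lines re-indented.
SAMPLE_HEADERS = """\
Return-Path: <seminarcrowds@taa01.com>
Received: from rly-xa05.mx.aol.com (rly-xa05.mail.aol.com [172.20.64.41]) by air-xa03.mail.aol.com (v107.13) with ESMTP id MAILINXA34-77438ca8481bb; Tue, 29 Nov 2005 14:13:31 -0500
Received: from webserver.treeoflifechurch.org (rrcs-71-41-8-230.sw.biz.rr.com [71.41.8.230]) by rly-xa05.mx.aol.com (v107.13) with ESMTP id MAILRELAYINXA59-77438ca8481bb; Tue, 29 Nov 2005 14:13:12 -0500
Received: (qmail 10428 invoked by uid 2520); 29 Nov 2005 13:09:37 -0600
Received: from 127.0.0.1 by webserver.treeoflifechurch.org (envelope-from <seminarcrowds@taa01.com>, uid 110) with qmail-scanner-1.25st
  (clamdscan: 0.87/1198. spamassassin: 3.1.0. perlscan: 1.25st.
  Clear:RC:1(127.0.0.1):SA:0(2.1/7.0):.
  Processed in 14.531184 secs); 29 Nov 2005 19:09:37 -0000
X-Spam-Status: No, hits=2.1 required=7.0
Delivered-To: 8-don@gadberry.com
Received: (qmail 10394 invoked by uid 2520); 29 Nov 2005 13:09:23 -0600
Received: from 205.134.229.178 by webserver.treeoflifechurch.org (envelope-from <seminarcrowds@taa01.com>, uid 2020) with qmail-scanner-1.25st
  (clamdscan: 0.87/1198. spamassassin: 3.1.0. perlscan: 1.25st.
  Clear:RC:0(205.134.229.178):SA:0(2.1/7.0):.
  Processed in 14.715359 secs); 29 Nov 2005 19:09:23 -0000
Received: from unknown (HELO taa012291.com) (205.134.229.178)
  by rrcs-71-41-8-230.sw.biz.rr.com with SMTP; 29 Nov 2005 13:09:08 -0600
From: Charles Morenus <seminarcrowds@taa01.com>
Subject: Get Ready for your January Seminars
X-AOL-IP: 71.41.8.230
"""


def parse_headers(raw):
    """Unfold RFC 822 headers into (name, value) pairs, preserving order."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                  # end of header block
        if line[0] in " \t" and headers:           # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_hop(value):
    """Pull client, receiving host, HELO and protocol out of one Received: value."""
    hop = {"raw": value, "from": None, "ip": None, "by": None, "helo": None, "with": None}
    m = re.match(r"from\s+(\S+)", value)
    if not m:
        return hop                                 # local injection: "(qmail N invoked by uid N)"
    hop["from"] = m.group(1)
    by = re.search(r"\bby\s+([\w.-]+)", value)
    hop["by"] = by.group(1) if by else None
    ip = IPV4.search(value[:by.start()] if by else value)   # client IP is named before "by"
    hop["ip"] = ip.group(0) if ip else None
    helo = re.search(r"\(HELO\s+([^\s)]+)\)", value, re.I)
    hop["helo"] = helo.group(1) if helo else None
    proto = re.search(r"\bwith\s+(\S+)", value)
    hop["with"] = proto.group(1).rstrip(";") if proto else None
    return hop


def find_injection_point(raw, local_hosts):
    """Locate the hop where the message entered a local host, and where it left again."""
    headers = parse_headers(raw)
    hops = [parse_hop(v) for n, v in headers if n.lower() == "received"]
    result = {"entry_ip": None, "entry_helo": None, "entry_by": None,
              "entry_authenticated": None, "handed_off_to": None,
              "delivered_to": [v for n, v in headers if n.lower() == "delivered-to"]}
    for hop in reversed(hops):                     # headers are prepended: reversed() is chronological
        local_by = hop["by"] in local_hosts
        if (result["entry_ip"] is None and local_by and hop["ip"]
                and not hop["ip"].startswith("127.")):
            # ESMTPA/ESMTPSA or an "authenticated" note would mark an SMTP AUTH submission
            authed = ((hop["with"] or "").upper() in ("ESMTPA", "ESMTPSA")
                      or "authenticated" in hop["raw"].lower())
            result.update(entry_ip=hop["ip"], entry_helo=hop["helo"],
                          entry_by=hop["by"], entry_authenticated=authed)
        if (result["handed_off_to"] is None and hop["from"] in local_hosts
                and hop["by"] and not local_by):
            result["handed_off_to"] = hop["by"]    # first hop where this server sent mail outwards
    return result


if __name__ == "__main__":
    for key, val in find_injection_point(SAMPLE_HEADERS, LOCAL_HOSTS).items():
        print(f"{key}: {val}")
```

On this sample the script reports what the headers record: the message came in from 205.134.229.178 (HELO taa012291.com) over plain SMTP with no authentication marker, was delivered locally to 8-don@gadberry.com, and then left the box for rly-xa05.mx.aol.com. Run it over every complaint sample and compare the entry IPs against your SMTP logs for the same timestamps to see whether that address ever obtained a relay grant or simply got accepted.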
-
- Forum User
- Posts: 46
- Joined: Thu May 12, 2005 3:50 am
- Location: Sunny California
Stucco wrote: 1) My whitelist contents is 127.0.0.0/32
Shouldn't this be 127.0.0.1/32??
Interesting, the X header is reporting that your IP belongs to AOL:
X-AOL-IP: 71.41.8.230
ARIN reports:
OrgName: Road Runner-Commercial
Are your SA rules up to date? Hmmm, wondering if it may be from an RDJ ruleset... as a test, you may want to disable the use of RDJ's 70_sare_header.cf and 70_sare_redirect_post3.0.0.cf (if you are using them). Those are the only 2 that I can see that check for AOL (in RDJ).
(Scott, please correct me if I am heading down the wrong path here)
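The three whitelist points raised in this thread, the /8 versus /32 change, the observation just above that 127.0.0.0/32 is not 127.0.0.1/32, and Scott's description of a pop-locking grant being shared by everyone behind one NAT address, can all be checked with a small model. The following is an added example and not Plesk's or qmail's code: the CIDR matching is the standard ipaddress behaviour, while the POP-before-SMTP window length, the grant table and the client addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Added example: a model of the two relay-permission paths discussed in this
# thread. Not Plesk/qmail code. CIDR matching is standard; the 30-minute
# POP-before-SMTP window and the grant table are assumptions.


def allowed_by_whitelist(client_ip, whitelist):
    """True if client_ip falls inside any CIDR entry of the relay whitelist."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in whitelist)


class PopBeforeSmtp:
    """A successful POP login opens relaying for the *source IP* for a while.
    Every client behind the same NAT or proxy address inherits that grant."""

    def __init__(self, window_minutes=30):
        self.window = timedelta(minutes=window_minutes)
        self.open_until = {}                      # client IP -> expiry time

    def pop_login(self, client_ip, now):
        self.open_until[client_ip] = now + self.window

    def is_open(self, client_ip, now):
        expiry = self.open_until.get(client_ip)
        return expiry is not None and now < expiry


def relay_decision(client_ip, whitelist, poplock, now):
    """Return why (or whether) this SMTP client may relay to remote domains."""
    if allowed_by_whitelist(client_ip, whitelist):
        return "relay: whitelist"
    if poplock.is_open(client_ip, now):
        return "relay: pop-before-smtp grant"
    return "reject: relaying denied"


def demo():
    t0 = datetime(2005, 11, 29, 13, 0)
    results = {}
    # 1) /8 vs /32: 127.0.0.0/8 admits every 127.x.x.x; 127.0.0.0/32 admits only
    #    127.0.0.0, so it does not even cover the loopback address 127.0.0.1.
    results["loopback_in_127.0.0.0/8"] = allowed_by_whitelist("127.0.0.1", ["127.0.0.0/8"])
    results["loopback_in_127.0.0.0/32"] = allowed_by_whitelist("127.0.0.1", ["127.0.0.0/32"])
    results["loopback_in_127.0.0.1/32"] = allowed_by_whitelist("127.0.0.1", ["127.0.0.1/32"])
    # 2) POP-before-SMTP: a legitimate user behind a shared proxy address pops mail...
    locks = PopBeforeSmtp()
    locks.pop_login("203.0.113.7", t0)            # constructed documentation-range IP
    # ...and an unrelated sender on the same address relays inside the window.
    results["stranger_same_ip"] = relay_decision(
        "203.0.113.7", ["127.0.0.1/32"], locks, t0 + timedelta(minutes=5))
    results["after_window"] = relay_decision(
        "203.0.113.7", ["127.0.0.1/32"], locks, t0 + timedelta(minutes=31))
    results["no_login_ever"] = relay_decision("198.51.100.9", ["127.0.0.1/32"], locks, t0)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The second half is the point of Scott's reply: the grant is keyed on the source address, not on the user who logged in, so turning pop locking off (and requiring SMTP AUTH instead) closes that path without touching the whitelist.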