From: Appliantologist on
Hi everyone,

I had a situation where some of my users had compromised machines and
someone in Brazil and India was able to authorize themselves to use
sendmail using the login-then-send scenario. Recently we changed
hosting and set up postfix. In addition we decided to eliminate any
access to our system by email users; instead we asked them all to go
open gmail accounts and put the corresponding address in the virtual
file.

Now it seems the spammers are back with a vengeance and still able to
send spam. I set up the rules suggested but it seems they are simply
using email that exists. I was hoping someone could point me to a
solution.


I would like to set up postfix so that:

It only accepts mail generated by the scripts on the server
and
It only accepts mail to a predefined list of email addresses

I tried to make a CIDR file with most of the 3rd world in it, some
30,000 IPs, but for some reason it doesn't seem to have the effect I
was hoping for.
Any ideas would be helpful, thanks.
David

From: Gary Smith on
> > I tried to make a CIDR file with most of the 3rd world in it, some
> > 30,000 ips but for some reason it doesn't seem to have the effect I
> > was hoping for.
> > Any ideas would be helpful, thanks.David
>
> Add amavisd to your postfix.

If they are relaying messages through their server, how is amavisd going to help? Some additional configuration details might be useful. Are the users authenticated? If so, which user is sending the email? It actually sounds like an open relay issue. But I'm just guessing here.

From: Appliantologist on
Hi,

We don't have any legitimate users sending mail aside from scripts on
the server (Linux), only mail from localhost; anyone with an email
address is listed in the virtual file and has their email forwarded to
Gmail and uses Gmail's MTA to send mail.

Since we have all the email addresses we accept mail for in a file
(/etc/postfix/virtual) I was hoping there was some way to check a) is
the mail from the localhost OR b) is the mail for an address in some
file. My understanding is you can make a list of email addresses
that you will deliver to, like a whitelist, but we also send mail from
scripts to outside addresses which we don't always know beforehand.

I don't think I am running an open relay; I've tested it on a couple
of sites and it came back clean. I come from 20 years of sendmail, which has
a completely different system, and we were using POP authorization
until people had their passwords compromised and spammers took over.

I am sure some of this is trojans so the amavisd seems like a solid
tool to have anyway.

Thanks guys,
David



On Tue, May 4, 2010 at 1:49 AM, Gary Smith <gary.smith(a)holdstead.com> wrote:
>> > I tried to make a CIDR file with most of the 3rd world in it, some
>> > 30,000 ips but for some reason it doesn't seem to have the effect I
>> > was hoping for.
>> > Any ideas would be helpful, thanks.David
>>
>> Add amavisd to your postfix.
>
> If they are relaying messages through their server, how is amavisd going to help?  Some additional configuration details might be useful.  Are the users authenticated?  If so, which user is sending the email?  It actually sounds like an open relay issue.  But I'm just guessing here.
>

From: Gary Smith on

> We don't have any legitimate users sending mail aside from scripts on
> the server (linux), only mail from localhost, anyone with an email
> address is listed in the virtual file and has their email forwarded to
> a gmail and uses gmail's MTA to send mail.
>
> Since we have all the email addresses we accept mail for in a file
> (/etc/postfix/virtual) I was hoping there was some way to check a) is
> the mail from the localhost OR is the mail for an address in some
> file. My understanding is you can make a list of email addresses
> that you will deliver to like a whitelist, but we also send mail from
> scripts to outside addresses of which we don't alway know beforehand.
>
> I don't think I am running an open relay, I've tested it on a couple
> of sites came back clean. I come from 20 years of sendmail, which has
> a completely different system and we were using pop authorization,
> until people had their password compromised and spammers took over.
>
> I am sure some of this is trojans so the amavisd seems like a solid
> tool to have anyway.
>
> Thanks guys,
> David


So in short, all email is originating from scripts on your local system? These wouldn't be web mail postings by chance, would they?

From: Terry Gilsenan on
From: owner-postfix-users(a)postfix.org [owner-postfix-users(a)postfix.org] On Behalf Of Appliantologist [octobit(a)gmail.com]
Sent: Tuesday, 4 May 2010 9:11 AM
To: Gary Smith
Cc: The Doctor; postfix-users(a)postfix.org
Subject: Re: Stopping spammers extreme

Hi,

We don't have any legitimate users sending mail aside from scripts on
the server (linux), only mail from localhost, anyone with an email
address is listed in the virtual file and has their email forwarded to
a gmail and uses gmail's MTA to send mail.

Since we have all the email addresses we accept mail for in a file
(/etc/postfix/virtual) I was hoping there was some way to check a) is
the mail from the localhost OR is the mail for an address in some
file. My understanding is you can make a list of email addresses
that you will deliver to like a whitelist, but we also send mail from
scripts to outside addresses of which we don't alway know beforehand.

I don't think I am running an open relay, I've tested it on a couple
of sites came back clean. I come from 20 years of sendmail, which has
a completely different system and we were using pop authorization,
until people had their password compromised and spammers took over.

I am sure some of this is trojans so the amavisd seems like a solid
tool to have anyway.

Thanks guys,
David

Do this:

Then change mynetworks to be 127.0.0.1 and use a firewall to block incoming TCP on 25 and 587; it really is that simple. Don't allow services to listen to anything you don't want them to act on.




On Tue, May 4, 2010 at 1:49 AM, Gary Smith <gary.smith(a)holdstead.com> wrote:
>> > I tried to make a CIDR file with most of the 3rd world in it, some
>> > 30,000 ips but for some reason it doesn't seem to have the effect I
>> > was hoping for.
>> > Any ideas would be helpful, thanks.David
>>
>> Add amavisd to your postfix.
>
> If they are relaying messages through their server, how is amavisd going to help? Some additional configuration details might be useful. Are the users authenticated? If so, which user is sending the email? It actually sounds like an open relay issue. But I'm just guessing here.
>
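The two requirements David states (only localhost may submit mail, and inbound mail is accepted only for the addresses already in /etc/postfix/virtual) map onto a few Postfix settings. The script below is an added example and not part of the thread or the Postfix distribution: it turns a virtual alias file into a `check_recipient_access` map and prints the matching main.cf fragment. The virtual file contents, domains and the output path /etc/postfix/allowed_recipients are constructed for the example; the Postfix parameters and restriction names are real.

```shell
#!/bin/sh
# Added example (not from the thread): derive a recipient allow-list from a
# Postfix virtual(5) alias file and print the main.cf settings that let only
# localhost submit mail and accept inbound mail only for listed recipients.

# Constructed sample of /etc/postfix/virtual: "address  forward-to"
SAMPLE_VIRTUAL='# forwarders (constructed sample)
david@example.org   david.example@gmail.com
sales@example.org   sales.example@gmail.com
@example.net        catchall.example@gmail.com
'

# build_recipient_map: read a virtual file on stdin, emit an access(5) map
# with one "key  OK" line per entry. Comments and blank lines are skipped.
# A virtual(5) catch-all written as "@domain" becomes the bare "domain" key
# that access(5) uses for domain-wide matches. A bare domain on the left-hand
# side (old-style virtual alias domain declaration) also becomes a domain-wide
# key, so review the generated map before installing it.
build_recipient_map() {
    awk '
        /^[[:space:]]*#/ { next }          # comment line
        NF < 2           { next }          # blank or malformed line
        { key = $1; sub(/^@/, "", key); print key "\tOK" }
    '
}

# main_cf_fragment: settings to apply with "postconf -e" or paste into
# main.cf. $1 is the path of the (postmap-ed) recipient map.
main_cf_fragment() {
    map="$1"
    cat <<EOF
# Only the box itself is a trusted sender; no SASL submission is offered.
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = no
# Per-RCPT policy: localhost may send anywhere; anyone else may only deliver
# to recipients in the map; relay attempts and unlisted recipients are rejected.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:$map,
    reject
EOF
}

# Stand-alone run: show the map the sample would produce and the fragment.
# On a real box:
#   build_recipient_map < /etc/postfix/virtual > /etc/postfix/allowed_recipients
#   postmap /etc/postfix/allowed_recipients && postfix reload
printf '%s' "$SAMPLE_VIRTUAL" | build_recipient_map
main_cf_fragment /etc/postfix/allowed_recipients
```

Order matters in the restriction list: `reject_unauth_destination` stops relaying through the box regardless of who the recipient is, and the `check_recipient_access` lookup then decides which of the box's own addresses still receive mail, with the final `reject` catching everything unlisted. If the server must keep receiving the mail it forwards to Gmail, port 25 has to stay reachable and this list carries the policy; the submission service on 587 can simply be left unconfigured in master.cf since no user submits mail any more. Regenerate and `postmap` the map whenever the virtual file changes, or the two lists drift apart.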