TONS OF SPAM!!! HELP!!!

#1 Tue, 04/29/2008 - 04:43
nhsitehost

OK.. panic mode here... i'm getting TONS of spam to an email address within one of my domains.. it's as if the spam filter is not working... i've poked around in the various logs but have not been able to find anything...

where should i look?

or better yet..how can i STOP the spam!!!

thanks...

Tue, 04/29/2008 - 07:48
nihal

I have had the same problem since yesterday. All the domains' mail quotas are blocked by this spam mail. So how can I delete all this spam? And how can I change the spam mail saving configuration? What must I do to delete all the spam directly?

Please help

Sat, 05/03/2008 - 07:41 (Reply to #2)
PlayGod

The biggest spam problem occurring at the moment (for about the past 2 months) is NDRs (Non-Delivery Receipts) -- 554 (service unavailable) or 550 (user unknown) "bounce" errors. These are legitimate responses from mailservers which have been hit using reply-to addresses harvested from your web users.

Although this sort of attack has been used sporadically in the past, it now seems to be commonplace. We have 2 or 3 users per day complaining about it. It appears to actually be a tactic to get users to actually open and investigate, and click the links inside the NDR's if they copy the message text back to the reply-to recipient.

Load on our mailservers is higher than it has been since we started using Postini to filter the majority of our mail and mailservers.

More info:
http://www.chattanooga.net/20080407112/faqs/web-hosting/email-cloaking.html

(yes, I wrote that FAQ so I could easily reply to the hundreds of customers who are complaining about this very issue).

Sun, 06/07/2009 - 07:21 (Reply to #3)
flatpackedworld

So I'm having this issue also, that I don't think SpamAssassin is doing anything. I've restarted it and checked maillog and procmail.log. procmail.log has stuff in but in neither log file can I see any mention of spam checking.

This is my procmailrc file:

[code:1]
LOGFILE=/var/log/procmail.log
TRAP=/usr/libexec/webmin/virtual-server/procmail-logger.pl

:0wi
VIRTUALMIN=|/etc/webmin/virtual-server/lookup-domain.pl $LOGNAME
:0
* ?test $VIRTUALMIN !=
{
INCLUDERC=/etc/webmin/virtual-server/procmail/$VIRTUALMIN
}
DROPPRIVS=yes
DEFAULT=$HOME/Maildir/
ORGMAIL=$HOME/Maildir/
:0
$DEFAULT
:0
* ^X-Spam-Status: Yes
/dev/null
[/code:1]

That also doesn't look like it's doing anything spam related aside from the X-Spam-Status line.

Help would be appreciated.

Tue, 04/29/2008 - 10:33
nhsitehost

issue is that email is not getting scanned by the spam filter so none of the email is getting caught... it's all being passed to the inbox instead of the mail folder.. it's like spamassassin just stopped working

Tue, 04/29/2008 - 12:12
nihal

yes, what must we do ?

Tue, 04/29/2008 - 12:16
nihal

at this day we update some packages, and at that moment we are under spam rain

Tue, 04/29/2008 - 12:19
nhsitehost

i've reviewed a few email headers and noticed that spamassassin was not scanning any of the emails.. or at least there was no sign of scanning in the email header.. maybe Joe from virtualmin will chime in here and help...

Tue, 04/29/2008 - 13:27 (Reply to #9)
Joe

Hey guys,

I actually saw this behavior on Virtualmin.com a few days ago--not sure what triggered it, but a restart of the spamassassin daemon fixed it. Of course, if you aren't using spamd, then this definitely won't solve the problem.

On most Linux systems, I think this would do it:

/etc/init.d/spamassassin restart

If that doesn't solve the problem, check the maillog/mail.log to be sure mail is being delivered to procmail-wrapper. If so, look in the procmail.log to see if there are any clues about what's going wrong. If not, send along your /etc/procmailrc and we'll see if there are any hints there. Finally, the procmail rules for the domain in question have the final say on delivery--but that's a little harder to find, as it's in a numbered file within /etc/webmin/virtual-server/procmail.

Tue, 04/29/2008 - 13:45
nhsitehost

ok a restart is now showing the X headers in the email

X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on mysite.com
X-Spam-Level: *
X-Spam-Status: No, score=1.5 required=3.0 tests=BAYES_00,FORGED_RCVD_HELO,
HTML_MESSAGE,KAM_STOCKOTC,URIBL_BLACK autolearn=no version=3.1.9
X-Original-To: me@mysite.com

but the scoring is way off... this email was a huge spam email... viagra content...and such..

so how do i fix the spam level.. and i dont mean the user_prefs, I've changed the score to 3.0

emails that are MAJOR spam are being marked really low..

Tue, 04/29/2008 - 13:45
nihal

There is no change when I run /etc/init.d/spamassassin.

So now what must we do? This is so urgent for my server. Please say clearly again.

Tue, 04/29/2008 - 13:49
nhsitehost

another sample

[code:1]
Return-Path: <Cash4Gold@remotenow.info>
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on mysite.com
X-Spam-Level:
X-Spam-Status: No, score=0.7 required=5.0 tests=BAYES_00,GET_PAID,HTML_MESSAGE,
OPTING_OUT_CAPS,URIBL_BLACK autolearn=no version=3.1.9
X-Original-To: me@mysite.com
[/code:1]

This one scored a bit higher but still was not blocked..
the score of 4.5 was higher than the 3.0 required..
[code:1]
Return-Path: <3f0.4.44416897-6343066@guylikesme.com>
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on mysite.com
X-Spam-Level: ****
X-Spam-Status: No, score=4.6 required=3.0 tests=BAYES_00,HTML_90_100,
HTML_MESSAGE,MIME_HTML_MOSTLY,URIBL_BLACK,URIBL_OB_SURBL autolearn=no
version=3.1.9
X-Original-To: me@mysite.com
[/code:1]
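
A way to triage saved message headers like the samples above, as an added example that is not part of the original posts: it reports a message with no X-Spam-Status header (never scanned), a verdict that disagrees with score versus required, and BAYES_00 firing together with a URIBL hit. The function names, finding labels and sample headers are constructed for illustration, and the BAYES_00/URIBL check is a heuristic chosen here, not a SpamAssassin feature.

```python
import re
from email import message_from_string

def parse_status(value):
    """Split an X-Spam-Status value into (verdict, score, required, tests)."""
    # Unfold the header and rejoin a test list that was wrapped after a comma.
    flat = re.sub(r",\s+", ",", " ".join(value.split()))
    verdict, _, rest = flat.partition(",")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return verdict, float(fields["score"]), float(fields["required"]), tests

def audit(raw_headers):
    """Return a list of findings for one message's headers (empty = nothing odd)."""
    status = message_from_string(raw_headers).get("X-Spam-Status")
    if status is None:
        # No header at all: the message never passed through SpamAssassin.
        return ["unscanned: no X-Spam-Status header"]
    verdict, score, required, tests = parse_status(status)
    findings = []
    # A message is spam when score >= required; the verdict should agree.
    if (verdict == "Yes") != (score >= required):
        findings.append(f"verdict-mismatch: {verdict} with score={score} required={required}")
    # Heuristic (assumption): Bayes rates the mail as ham while a URI blocklist hit.
    if "BAYES_00" in tests and any(t.startswith("URIBL_") for t in tests):
        findings.append("bayes-conflict: BAYES_00 alongside a URIBL hit")
    return findings

# Constructed sample headers, modelled on the shape of the ones posted above.
SCANNED = (
    "Return-Path: <sender@example.net>\n"
    "X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on example.com\n"
    "X-Spam-Level: ****\n"
    "X-Spam-Status: No, score=4.6 required=3.0 tests=BAYES_00,HTML_90_100,\n"
    "\tHTML_MESSAGE,MIME_HTML_MOSTLY,URIBL_BLACK,URIBL_OB_SURBL autolearn=no\n"
    "\tversion=3.1.9\n"
    "\n"
)
UNSCANNED = "Return-Path: <sender@example.net>\nSubject: hello\n\n"

if __name__ == "__main__":
    for name, headers in (("scanned", SCANNED), ("unscanned", UNSCANNED)):
        print(name, audit(headers))
```
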

Wed, 04/30/2008 - 07:54 (Reply to #13)
nihal

This is not a spamassassin on my server. This caused by ClamAv update. I updated ClamAV yesterday, and none of my mail went to the users. I think all my mail was marked as infected and sent to tmp/clamav... Or what else? Because when I remove ClamAV from the system, everything is normal. But then when I reinstall it, the same problem continues again.

Please help..

Thu, 05/01/2008 - 16:04 (Reply to #14)
Joe

> This is not a spamassassin on my server. This caused by ClamAv update.

First piece of advice: Start a thread about *your* problem. This thread is about spam and spam delivery. So, all of the advice doesn't apply to your case at all.

I have seen your multiple other threads about your clamav issues...how about picking one of those threads, and follow up on it with reasonable information (like log entries) so we can help you solve the problem? Don't chime in on completely unrelated threads. It confuses everybody (me, especially, as I'm trying to answer dozens of posts every day, on top of a couple hundred emails and another couple dozen tickets in the tracker). Take pity on poor, easily confused, old me. ;-)

Fri, 05/02/2008 - 04:19 (Reply to #15)
nihal

ok. you are right
i apologize.

Thank you.

Sat, 05/03/2008 - 10:54
nhsitehost

spam is still getting through... it's not getting scored correctly by spamassassin.. there is a score applied to 'some' of the emails but not all of them.. and the score that is applied is VERY low like 0.5 or less

so now what?

Fri, 05/09/2008 - 00:02
flatpackedworld

Any ideas guys on what could be up? Is it a problem in the procmailrc file?

Fri, 05/09/2008 - 00:08
Joe

You've actually got two different (and incompatible) rulesets there. Remove these lines:

:0
$DEFAULT
:0
* ^X-Spam-Status: Yes
/dev/null

The last two, in particular, aren't the right way to go--it takes control out of the hands of Virtualmin (and your users).

But, neither of these things has any impact on spam filtering. All of the spam filtering happens in the VIRTUALMIN section, and the behavior of procmail is determined by the configuration (per-domain and possibly per-user).

You'll want to look in the procmail.log to see if there are any clues.

You'll also want to be sure Postfix is actually delivering to procmail-wrapper. Check the maillog/mail.log for this.
