How to prevent sending spam mail from my domains?

#1 Fri, 03/27/2009 - 01:46
nihal


Hello,

There is a spam problem on my server. Because of this, some RBLs have listed my IP on their blacklists.

When I noticed that I could not send mail to Hotmail accounts and read the error message, I realized that it is a spam problem.

When I checked my Postfix mail queue, I saw that some mail addresses that do not exist on my server, but whose domain is hosted on my server, are sending a lot of spam. (For example, mydomain.com is hosted on my server, but there is no example@mydomain.com account among my mail accounts; yet example@mydomain.com sends a lot of mail to many different addresses.) In reality there is no such mail account. Because of all this mail, my server is now listed on a blacklist.

To solve this, how can I configure my Postfix?

I added the line smtpd_client_restrictions: check_sender_access hash:/etc/postfix/virtual.db to my Postfix configuration file. But this gave an SMTP configuration error.

[file name=postfix_configuration.txt size=28101]http://www.virtualmin.com/components/com_fireboard/uploaded/files/postfi...

Fri, 03/27/2009 - 08:15
Joe

You mean your local users are sending spam? You should be talking to those users...not us. ;-)

A default configuration, as installed by install.sh, will only allow relaying in the following circumstances:

The sending client authenticates using SASL. They have a valid user name and password on your system.

Or, the sending client is "local". Either running on the machine itself, or on an IP that you've specified in your mynetworks setting.

Note that in either case, the From: address is irrelevant. Anyone sending email can use any From: address they want...and there are all sorts of reasons this is a legitimate thing (mailing lists with special From magic, users using multiple email addresses for various tasks, etc.).

It sounds like you're wanting to go about this from entirely the wrong end. You need to solve your spam problem...not prevent people from sending out email with an address not on your approved list. Spammers don't care what address is in the From: field. Find out how someone is spamming through your box, and fix that.

You've probably had an exploited user account. Someone broke in either via a brute-force password attack (due to weak passwords), or due to an exploit in a web application. Once they were in, they set up a bot to send spam 24 hours a day. Since they're local, they have nothing preventing them from sending out as much spam as your bandwidth allows. The RBL would be absolutely right to list you, if you've got an exploited system sending out spam.

If you do insist on using a map, rather than solving the real problem, you need to leave off the ".db" part of the file name. The db is generated by Postfix from the plain text file.

Also, the smtpd_client_restrictions doesn't have a "check_sender_access" directive. I assume you really wanted "smtpd_sender_restrictions", which does have check_sender_access. Reading the manpage makes me think you might need a separate file; virtual seems to be a slightly different format from access (access only has one field, while virtual has two). But maybe it'll ignore the second field when used in this context. That seems pretty likely, actually...

But, again, that's not going to solve your problem. You either have a gross misconfiguration of mynetworks (which needs to be fixed), or you have an exploited user account (which really needs to be fixed). Putting your fingers in your ears and saying, "LALALALALALA, I can't hear you!" is roughly the solution you've proposed...and I don't think that's the right tactic. ;-)

--

Check out the forum guidelines!
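As an added example (not code from the thread, from Joe, or from Virtualmin), the following script audits a main.cf for the three points made above: a mynetworks that trusts the whole Internet, a hash: table named with its ".db" suffix, and the absence of a reject_unauth_destination relay check. Both configuration fragments are constructed for the example; they are not the attached postfix_configuration.txt. The check for smtpd_relay_restrictions covers Postfix 2.10 and later, where relay control moved to that parameter.

```sh
#!/bin/sh
# Added example: audit a Postfix main.cf for the problems Joe describes above.
# Not Virtualmin's code; both configuration fragments below are constructed.

# Constructed "weak" fragment: relays for the whole Internet, names a hash: table
# with the .db suffix, and never rejects relaying for unauthenticated clients.
WEAK_MAINCF='mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_client_restrictions = check_sender_access hash:/etc/postfix/virtual.db
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated'

# Constructed corrected fragment. The access table is named without .db (Postfix
# reads sender_access.db after "postmap /etc/postfix/sender_access"), and relaying
# is allowed only for mynetworks or SASL-authenticated clients.
FIXED_MAINCF='mynetworks = 127.0.0.0/8, [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

# audit_maincf: read main.cf text on stdin, print one finding per line,
# exit 0 when nothing was found and 1 otherwise.
audit_maincf() {
  cfg=$(grep -v '^[[:space:]]*#' || true)   # drop comment lines
  found=0

  # 1. A /0 prefix in mynetworks makes every client "local": an open relay.
  if printf '%s\n' "$cfg" | grep -E '^mynetworks[[:space:]]*=.*[0-9:]/0([[:space:],]|$)' >/dev/null; then
    echo 'mynetworks: contains a /0 range, every client is trusted as local'
    found=1
  fi

  # 2. hash: tables are named by their source file; Postfix appends .db itself.
  if printf '%s\n' "$cfg" | grep -E 'hash:[^[:space:],]+\.db([[:space:],]|$)' >/dev/null; then
    echo 'lookup table: hash: path ends in .db; use the plain-text file name'
    found=1
  fi

  # 3. Relay control: either smtpd_relay_restrictions (Postfix 2.10+) is set, or
  #    smtpd_recipient_restrictions must contain reject/defer_unauth_destination.
  if ! printf '%s\n' "$cfg" | grep -E '^smtpd_relay_restrictions[[:space:]]*=' >/dev/null \
     && ! printf '%s\n' "$cfg" | grep -E '^smtpd_recipient_restrictions[[:space:]]*=.*(reject|defer)_unauth_destination' >/dev/null; then
    echo 'relay control: no reject_unauth_destination, unauthenticated clients may relay'
    found=1
  fi

  return $found
}

# Run both samples: the weak one yields three findings, the fixed one none.
for name in WEAK_MAINCF FIXED_MAINCF; do
  eval "cfg_text=\$$name"
  echo "== $name"
  if printf '%s\n' "$cfg_text" | audit_maincf; then
    echo '   no findings'
  fi
done
```

On a real server, feed the live file with `audit_maincf < /etc/postfix/main.cf`. Note that the script checks configuration shape only; a clean result here does not rule out the exploited account or web script Joe describes, which only the logs and process list will show.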

Thu, 04/30/2009 - 00:35 (Reply to #2)
nihal

> But, again, that's not going to solve your problem. You either have a gross misconfiguration of mynetworks (which needs to be fixed), or you have an exploited user account (which really needs to be fixed).

Yes, you are right, I must solve this exploited user. But what do you mean by this user: a mail account or a Webmin account?

But this problem is not with only one mail user; lots of users have this problem. Most of the mail accounts are being used to send spam mail, to themselves and to the Internet.

How can I start searching to find the source of the problem? More than 300 Webmin accounts and more than 1000 mail accounts exist on the server.

Can you give me some advice?

Thank you.

Thu, 04/30/2009 - 02:42 (Reply to #3)
Joe

Watch the maillog for when it's happening (if it's a serious spammer, rather than just a user being an asshole and sending out a bunch of unsolicited mail, it's likely happening all the time). Then use ps to see which accounts have active processes. Then figure out which one is the culprit.

> But what do you mean by this user: a mail account or a Webmin account?

It's probably a user with shell access...but it could also just be an exploited PHP or CGI script. If you have any applications that are old, and haven't been updated in a while...that'd be a very likely source of trouble.

--

Check out the forum guidelines!

Thu, 04/30/2009 - 03:21 (Reply to #4)
nihal

Ok. When I run the ps -aux | grep "postfix" command, more than 200 postfix processes are listed. But how can I tell whether this is normal or abnormal?

Also, if there is a PHP or CGI exploit, how can I search for it? With the find command, or what?
In the public_html directory or across the whole server?

Thu, 04/30/2009 - 06:47 (Reply to #5)
andreychek

Seeing lots of Postfix processes is a symptom of the problem, rather than the problem itself.

Tracking down the source of the problem can be tough. One could write a book on the subject, and that still may not be thorough enough :-)

However, you can start by looking through the "ps auxw" output, as well as "top", and looking for any non-standard processes that are using a crazy amount of resources.

But in general, you'll want to go through all the web apps on the system, and make certain that they're all up to date. It could be any of them :-)
-Eric
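Joe's reply (watch the maillog while it is happening, then find the account) and Eric's (look at the process list, then the web apps) are both a log-triage procedure. The script below is an added example of that triage, not code from either of them or from Virtualmin. It works over a constructed Postfix log sample: the mydomain.com, otherdomain.com and randomdomain.net addresses, the queue IDs and the client addresses are made up, and uid 48 is assumed to be the web server's uid (apache on CentOS/RHEL), which is what mail sent by an exploited PHP script is submitted as. Three views are produced: envelope recipients per sender (what the queue is full of), local sendmail submissions per uid (a web server uid points at a script, a shell user's uid at that account), and SASL logins per user and client address (the brute-forced mailbox Joe describes). The sample also shows Joe's point that From: is irrelevant: the authenticated user bob@mydomain.com sends as promo@randomdomain.net.

```sh
#!/bin/sh
# Added example: triage a Postfix mail log as Joe and Eric describe.
# Not Virtualmin's code. The log lines are constructed; uid 48 is assumed
# to be the web server (apache on CentOS/RHEL).
MAILLOG='Mar 27 01:10:01 mail postfix/pickup[2201]: 1A2B3C4D5E: uid=48 from=<example@mydomain.com>
Mar 27 01:10:01 mail postfix/qmgr[2100]: 1A2B3C4D5E: from=<example@mydomain.com>, size=2310, nrcpt=50 (queue active)
Mar 27 01:10:05 mail postfix/pickup[2201]: 2B3C4D5E6F: uid=48 from=<example@mydomain.com>
Mar 27 01:10:05 mail postfix/qmgr[2100]: 2B3C4D5E6F: from=<example@mydomain.com>, size=2288, nrcpt=48 (queue active)
Mar 27 01:10:07 mail postfix/smtpd[2310]: 3C4D5E6F7A: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@otherdomain.com
Mar 27 01:10:07 mail postfix/qmgr[2100]: 3C4D5E6F7A: from=<alice@otherdomain.com>, size=1402, nrcpt=1 (queue active)
Mar 27 01:10:09 mail postfix/smtpd[2311]: 4D5E6F7A8B: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=bob@mydomain.com
Mar 27 01:10:09 mail postfix/qmgr[2100]: 4D5E6F7A8B: from=<promo@randomdomain.net>, size=3100, nrcpt=45 (queue active)
Mar 27 01:10:11 mail postfix/smtpd[2311]: 5E6F7A8B9C: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=bob@mydomain.com
Mar 27 01:10:11 mail postfix/qmgr[2100]: 5E6F7A8B9C: from=<promo@randomdomain.net>, size=3100, nrcpt=45 (queue active)'

# Envelope recipients per sender, summed from qmgr "from=<...>, ..., nrcpt=N"
# lines. Output "total sender", largest first: whose address fills the queue.
recipients_by_sender() {
  awk '/postfix\/qmgr\[/ && match($0, /from=<[^>]*>/) {
         s = substr($0, RSTART + 6, RLENGTH - 7)
         if (match($0, /nrcpt=[0-9]+/)) tot[s] += substr($0, RSTART + 6, RLENGTH - 6)
       }
       END { for (s in tot) printf "%d %s\n", tot[s], s }' | sort -rn
}

# Messages handed in locally through the sendmail command, per uid (pickup
# lines). A web server uid with many submissions means an exploited PHP/CGI
# script; a shell user's uid means that account.
local_submissions_by_uid() {
  awk '/postfix\/pickup\[/ && match($0, /uid=[0-9]+/) { c[substr($0, RSTART + 4, RLENGTH - 4)]++ }
       END { for (u in c) printf "%d uid=%s\n", c[u], u }' | sort -rn
}

# Authenticated SMTP sessions per sasl_username and client address. One mailbox
# logging in from many addresses, or with From addresses unrelated to it, is
# the brute-forced account.
sasl_logins_by_user() {
  awk 'match($0, /sasl_username=[^ ,]+/) {
         u = substr($0, RSTART + 14, RLENGTH - 14)
         ip = "?"
         if (match($0, /client=[^,]*\]/)) {
           ip = substr($0, RSTART, RLENGTH); sub(/.*\[/, "", ip); sub(/\]$/, "", ip)
         }
         c[u " " ip]++
       }
       END { for (k in c) printf "%d %s\n", c[k], k }' | sort -rn
}

echo '== envelope recipients per sender'
printf '%s\n' "$MAILLOG" | recipients_by_sender
echo '== local (sendmail) submissions per uid'
printf '%s\n' "$MAILLOG" | local_submissions_by_uid
echo '== SASL logins per user and client address'
printf '%s\n' "$MAILLOG" | sasl_logins_by_user
# On the live box run the same functions over the real log, for example
#   recipients_by_sender < /var/log/maillog | head
# then match the uid or user to its processes with:  ps -eo user,pid,etime,args
```

In the sample, the 98 recipients attributed to the non-existent example@mydomain.com all arrive through pickup as uid 48, which is Eric's "hole in a web app" case; the two sessions for bob@mydomain.com from one client address, sending with an unrelated From, are Joe's compromised-account case. On a real log the counts are far larger, but the reading is the same: the uid or sasl_username column tells you which account (or which web application's owner) to investigate next.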

Fri, 03/27/2009 - 08:17
andreychek

Well, yes, it is possible someone is relaying through Postfix, though at a glance your configuration looks good.

My guess is that someone is using a hole in a web app to send spam, which I've seen happen to a lot of folks lately. Someone breaks in through an older version of Wordpress, or RoundCube, or whatever, then uploads a script that sends spam.

My suggestion would be to check what processes are running on your machine, and to make sure none of them are troublemakers!

And if there are some, make note of who they're running as, you'll need that info to help you track down what account they're breaking in through.
-Eric

Fri, 03/27/2009 - 08:18 (Reply to #7)
andreychek

Drat, Joe beat me to it :-)
-Eric

Sat, 12/05/2015 - 21:59
leewells2000

Not every client is a villain because spam is sent through their accounts; in fact, they're usually victims.

I'm quite disappointed in the community here. Has no one even thought about the possibility of a site becoming compromised, and that STOPPING the spam before it starts is the best course of action? This software is for hosting multiple sites, right? This is bound to be an issue, right? So riddle me why it is suddenly a better solution to stop spam after said spam damages your mail server's reputation than to aspire to stop it before it happens?

The OP clearly stated he was looking for a way to stop the spam before it happens. For Postfix this is only possible using smtpd_sender_restrictions = DB as specified here: http://www.postfix.org/ADDRESS_VERIFICATION_README.html

In that case, to my knowledge, there is no map that can be dropped into that setting that works. hash:virtualpath doesn't work, hash:aliases doesn't work, and for some inherent reason Virtualmin doesn't seem to like doing sender mapping.

To my disappointment I came to these forums in search of a Virtualmin map that would work; instead I see cop-outs and workarounds, with no solution actually in sight.

Sun, 12/06/2015 - 11:15
Welshman

I would clean your IP to start with. What is it?

So we can all look at it.

Also, who is your server provider?

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Mon, 12/07/2015 - 21:23
Diabolico

@leewells2000: The best solution would be to implement SpamExperts. It is not free, but not expensive either; you can buy it from resellers for a few dollars per domain and pass the cost on to your clients. They are the best, and right now I don't know of any other solution that comes even close, of course if you do not intend to spend much more than a few bucks per domain.

Spam changes almost on a weekly basis and you must have someone who updates all the rules; that is why any software that is basically install-and-leave-it will not work. So you have a choice: use some software/script and manually keep track of spam and change/adapt the rules, or pay someone else to do this job.

It is not fair to ask Virtualmin to implement everything because you want it or because it would be cheaper. Even other big names like cPanel or Plesk do not have a proper filter, and any decent host gets its protection from SpamExperts. My advice: contact SpamExperts and see what the price would be, or find their resellers and you will probably get a much cheaper solution.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Topic locked