#1 Wed, 12/14/2016 - 17:57
antioch

spamming?

Had a couple of spam issues lately.

First, a WordPress site I was hosting was successfully attacked through a buggy plugin, so the site was rolled back to before the problem started.

Then a couple of weeks later an account was compromised, sending out a deluge of spam. This was caught and the password changed almost immediately.

SenderBase registered the drop in volume by the next morning, and by the next day it was back to 0.0, where it has stayed ever since.

But Sender Score is another story completely:

Sender Score Metrics for 216.235.107.56
Score: 5/100
Hostname :: smtp.antiochtechnologies.com
Very High Volume Sender

Reputation Measures Impact on this score
  Blacklists  Low
  Complaints  High
  Infrastructure  Low
  ISP Bulk Rate  Contact us for details
  Message Filtered  High
  Sender Rejected  High
  Spam Traps  147
  Unknown Users  High

They also have a list of sending domains that includes 16 domains atm. Some of them I recognize, but most I don't.

What's more, I'm still getting complaints from my subscribers that their outbound mail is landing in spam folders. However, I'm not on any blacklists and haven't been for nearly a week.

Wed, 12/14/2016 - 20:15
Diabolico

Companies like Hotmail, Google, Yahoo, etc. have their in-house blacklists and they are not publicly available. For example, Google in the first case of abuse will keep your IP/domain on their blacklist from 1-2 weeks up to 2-3 months. A second abuse will go from a few months up to a year or even more. If the severity of the abuse is high then there is a chance you will be immediately blacklisted for a long time.

With Hotmail I think there is a chance to contact them to get unlisted, but I know for a fact with Google you can't and the only thing left to do is wait or change IP. In case they blacklisted your domain then a new IP will not help and will be immediately blacklisted.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Wed, 12/14/2016 - 20:41
antioch

I figured as much... but that doesn't explain why Sender Score is reporting my volume is as high as ever?

Wed, 12/14/2016 - 20:55
Diabolico

When your server/WP was hacked and it started sending spam I suspect it was not one email per hour but more likely hundreds of emails per hour (or even per minute). That's why it is good to disable the mail() function (and use SMTP) if you are not 100% sure you can keep up with bugs and updates. It will not save you if the server is hacked but at least it will make it harder to spam from WP alone.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Wed, 12/14/2016 - 21:26
antioch

But why is Sender Score STILL reporting very high volume every day? The hole was sealed nearly a week ago... or so I think. Is SenderBase missing something? I don't know how they can both be right.

Thu, 12/15/2016 - 03:44
Diabolico

It could be that you are still sending spam, or different tools have different measurements, including how frequently they re-check the IP/domain. I went to check that IP again and it looks like in the same IP block (/24) there are several other IPs with pretty high email volume, and that could affect your reputation. Many companies will blacklist entire IP ranges if the amount of spam reaches high levels. Not only that, but using a residential IP (hosting from home) was never a good idea because an ISP usually doesn't operate under the same rules as a hosting company.

You should colocate your server with some good DC or just rent a server, and if you need to send a large amount of email use a dedicated service like Zoho Campaigns or Mailchimp.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Thu, 12/15/2016 - 16:28
antioch

That I could still be sending spam is sort of the point of the topic. I'm just not sure how to tell. The only weird thing in mail.log atm is a bunch of non-existent mailboxes in my domain sending messages to other mailboxes in my domain, some existent, some not so much. But the log volume is nothing like during the account compromise. Now I can actually read it as it tails out of the log, rather than it just being a blur.

Server is hosted at a datacenter btw. Not a residential setup.

Fri, 12/16/2016 - 07:46
Diabolico

Maybe the DC is renting IP space because the ISP is the owner of your IP address, but this is not so important right now. If you see entries in your mail log that don't belong to you or your clients, that means something is not right and the abuse could still be going on. Like I previously said, first disable the mail() function in php.ini for all accounts on that server. After that check the log files and see if there is any difference. If you still have unknown emails that means the hack went much deeper and it could be a big problem to solve.

For your clients who use WP (or another CMS) you can install plugins to enable SMTP.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Fri, 12/16/2016 - 13:47
antioch

The log entries I'm talking about aren't outgoing mail. It's incoming, supposedly from my domain but from unrecognized IPs. I just assumed the sender address was forged, no?

I've been logging mail() in another log file per the PHP mail.log directive. It's not an issue - very little volume, all recognized.

Finally, just this morning, my volume dropped on Sender Score. Alas, so did what little reputation I had left there too. Weird.

Fri, 12/16/2016 - 14:22
Diabolico

It could be that you are running an open mail relay. Please go here and check: http://www.mailradar.com/openrelay/.

You will have 10+ consecutive tests and all should be green (i.e. test passed). If you get something different then maybe we are a step closer to seeing what the problem could be.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Fri, 12/16/2016 - 14:25
antioch

Passed all 20 tests.

Fri, 12/16/2016 - 15:30
Diabolico

Well, best would be to copy here the part of the log file containing the unrecognized IPs. Another thing you can copy here is the smtp_* restrictions, which should be located at the end of the main.cf file.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Fri, 12/16/2016 - 16:10
antioch

There is not, nor has there ever been, a Jana11@mydomain.tld. And 106.198.180.186 traces to the other side of the planet from me.

Dec 12 06:28:04 lamp1 postfix/smtpd[25767]: connect from unknown[106.198.180.186]
Dec 12 06:28:04 lamp1 postfix/policy-spf[28984]: Policy action=PREPEND Received-SPF: neutral (mydomain.tld: Domain does not state whether sender is authorized to use 'Jana11@mydomain.tld' in 'mfrom' identity (mechanism '?all' matched)) receiver=lamp1.antiochtechnologies.com; identity=mailfrom; envelope-from="Jana11@mydomain.tld"; helo="[106.198.180.186]"; client-ip=106.198.180.186
Dec 12 06:28:04 lamp1 postfix/smtpd[25767]: DEA24B81FE1: client=unknown[106.198.180.186]
Dec 12 06:28:05 lamp1 postfix/cleanup[28805]: DEA24B81FE1: message-id=<5f0c4d1502c21373169c380ddd783b2@mydomain.tld>
Dec 12 06:28:06 lamp1 postfix/qmgr[12848]: DEA24B81FE1: from=<Jana11@mydomain.tld>, size=14338, nrcpt=1 (queue active)
Dec 12 06:28:06 lamp1 clamsmtpd: 100705: accepted connection from: 127.0.0.1
Dec 12 06:28:06 lamp1 postfix/smtpd[27817]: connect from localhost[127.0.0.1]
Dec 12 06:28:06 lamp1 postfix/smtpd[27817]: 575CDB82B42: client=localhost[127.0.0.1], orig_queue_id=DEA24B81FE1, orig_client=unknown[106.198.180.186]
Dec 12 06:28:06 lamp1 postfix/cleanup[27814]: 575CDB82B42: message-id=<5f0c4d1502c21373169c380ddd783b2@mydomain.tld>
Dec 12 06:28:06 lamp1 clamsmtpd: 100705: from=Jana11@mydomain.tld, to=ap@mydomain.tld, status=CLEAN
Dec 12 06:28:06 lamp1 postfix/qmgr[12848]: 575CDB82B42: from=<Jana11@mydomain.tld>, size=14583, nrcpt=1 (queue active)
Dec 12 06:28:06 lamp1 postfix/smtp[27815]: DEA24B81FE1: to=<ap@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.6, delays=1.4/0/0.04/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 575CDB82B42)
Dec 12 06:28:06 lamp1 postfix/smtpd[27817]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1 commands=7
Dec 12 06:28:06 lamp1 postfix/qmgr[12848]: DEA24B81FE1: removed
Dec 12 06:28:06 lamp1 postfix/smtpd[25767]: disconnect from unknown[106.198.180.186] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec 12 06:28:07 lamp1 spamd[18471]: spamd: connection from localhost [::1]:46968 to port 783, fd 5
Dec 12 06:28:07 lamp1 spamd[18471]: spamd: setuid to ap@mydomain.tld succeeded
Dec 12 06:28:07 lamp1 spamd[18471]: spamd: processing message <5f0c4d1502c21373169c380ddd783b2@mydomain.tld> for ap@mydomain.tld:1029
Dec 12 06:28:07 lamp1 spamd[18471]: spamd: identified spam (8.9/5.0) for ap@mydomain.tld:1029 in 0.2 seconds, 14518 bytes.
Dec 12 06:28:07 lamp1 spamd[18471]: spamd: result: Y 8 - DOS_OUTLOOK_TO_MX,HELO_MISC_IP,HTML_MESSAGE,MIME_HTML_MOSTLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SPF_NEUTRAL,TVD_SPACE_RATIO scantime=0.2,size=14518,user=ap@mydomain.tld,uid=1029,required_score=5.0,rhost=localhost,raddr=::1,rport=46968,mid=<5f0c4d1502c21373169c380ddd783b2@mydomain.tld>,autolearn=no autolearn_force=no
Dec 12 06:28:07 lamp1 spamd[6781]: prefork: child states: II
Dec 12 06:28:07 lamp1 postfix/local[27819]: 575CDB82B42: to=<ap-mydomain.tld@antiochtechnologies.com>, orig_to=<ap@mydomain.tld>, relay=local, delay=1.4, delays=0.12/0/0/1.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Dec 12 06:28:07 lamp1 postfix/qmgr[12848]: 575CDB82B42: removed

From main.cf:

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service unix:private/policy-spf
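One way to check mail.log for exactly the pattern antioch describes (a message claiming a local sender address but arriving from an outside client that is neither in mynetworks nor SASL-authenticated), as an added example that is not part of this thread. It assumes mydomain.tld is the only local domain and uses a stand-in for mynetworks; the log lines it runs on are constructed in the shape of the Postfix entries quoted above.

```python
import re
from ipaddress import ip_address, ip_network

# Domains this server is authoritative for (assumed; the thread uses mydomain.tld).
LOCAL_DOMAINS = {"mydomain.tld"}
# Assumed stand-in for Postfix mynetworks: clients in these ranges may use local senders.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]

# Constructed sample in the shape of the Postfix entries quoted above; queue ids,
# addresses and IPs are made up for this example (documentation ranges).
SAMPLE_LOG = """\
Dec 12 06:28:04 lamp1 postfix/smtpd[25767]: DEA24B81FE1: client=unknown[198.51.100.23]
Dec 12 06:28:06 lamp1 postfix/qmgr[12848]: DEA24B81FE1: from=<Jana11@mydomain.tld>, size=14338, nrcpt=1 (queue active)
Dec 12 06:28:06 lamp1 postfix/smtpd[27817]: 575CDB82B42: client=localhost[127.0.0.1], orig_queue_id=DEA24B81FE1, orig_client=unknown[198.51.100.23]
Dec 12 06:28:06 lamp1 postfix/qmgr[12848]: 575CDB82B42: from=<Jana11@mydomain.tld>, size=14583, nrcpt=1 (queue active)
Dec 12 06:30:00 lamp1 postfix/smtpd[25770]: 1A2B3C4D5E6: client=mail.partner.example[203.0.113.9]
Dec 12 06:30:01 lamp1 postfix/qmgr[12848]: 1A2B3C4D5E6: from=<bob@partner.example>, size=2048, nrcpt=1 (queue active)
Dec 12 06:32:00 lamp1 postfix/smtpd[25772]: 9F8E7D6C5B4: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=alice@mydomain.tld
Dec 12 06:32:01 lamp1 postfix/qmgr[12848]: 9F8E7D6C5B4: from=<alice@mydomain.tld>, size=512, nrcpt=1 (queue active)
"""

# smtpd logs the connecting client per queue id; qmgr logs the envelope sender.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Z]+): client=\S+?\[([0-9A-Fa-f.:]+)\](.*)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Z]+): from=<([^>]*)>")

def find_spoofed_local_senders(log_text, local_domains=LOCAL_DOMAINS, mynetworks=MYNETWORKS):
    """Return [(queue_id, sender, client_ip)] for messages with a local-domain envelope
    sender that came from an unauthenticated client outside mynetworks. Copies
    re-injected by a content filter (orig_queue_id=...) are skipped so each message counts once."""
    clients = {}  # queue id -> (client ip, sasl authenticated?, re-injected?)
    findings = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, ip, rest = m.groups()
            clients[qid] = (ip, "sasl_username=" in rest, "orig_queue_id=" in rest)
            continue
        m = FROM_RE.search(line)
        if not m or m.group(1) not in clients:
            continue  # not a queue entry, or submitted locally (pickup, not smtpd)
        qid, sender = m.groups()
        ip, authed, reinjected = clients[qid]
        domain = sender.rpartition("@")[2].lower()
        if (domain in local_domains and not authed and not reinjected
                and not any(ip_address(ip) in net for net in mynetworks)):
            findings.append((qid, sender, ip))
    return findings
```

Run it over the real log with `find_spoofed_local_senders(open("/var/log/mail.log").read())`; a steady stream of hits is forged inbound mail (a candidate for reject_unknown_sender_domain, SPF or a sender access map), not outbound spam from the server.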

Sat, 12/17/2016 - 03:27
Diabolico

These settings I didn't have time to test, as right now I have some work to finish before Christmas, so please make a local copy of the entire postfix folder before you apply them:

smtpd_helo_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unknown_hostname,
permit

smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
permit

smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit

smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client b.barracudacentral.org,
permit

The last 3 lines check incoming emails against the 3 most popular and widely used services for tracking spam and other unwanted activities.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
