Koozali.org: home of the SME Server

ReetP
Trapping outgoing Spam ??
« on: October 30, 2008, 06:44:05 PM »
I have a 7.3 server with 6 or 7 clients. The IP address is being blacklisted due to a compromised machine. Two of the clients are owned by people not working in the company but sharing the internet connection - not a situation I am happy with, but I'm not the boss.

As far as I can tell, our own machines are all OK - I have been through them and can't see anything obvious - and am fairly sure the compromised machine is one of the other two.

They do not use our email system for sending/receiving mail.

Can anyone suggest a simple method of trying to detect where on the network the spam mails are originating, as we cannot obtain a copy of the mails themselves?

Any bright ideas appreciated, as I'm stumped and I'm sure someone has been down this road before.


Best regards,

John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Stefano
Re: Trapping outgoing Spam ??
« Reply #1 on: October 30, 2008, 07:27:45 PM »
Hi

If you control the FW, make a rule that denies all outgoing connections to 25/tcp for every IP but the server.

In this situation, clients using SME to send email can continue to work; the others cannot.

Another idea is to block their IP, i.e. deny every kind of traffic. Security and legality is not an option.. IMHO

Ciao
Stefano

CharlieBrady
Re: Trapping outgoing Spam ??
« Reply #2 on: October 30, 2008, 07:30:43 PM »
Quote from: ReetP
Can anyone suggest a simple method of trying to detect where on the network the spam mails are originating, as we cannot obtain a copy of the mails themselves?

Examine your mail log files.

Stefano
Re: Trapping outgoing Spam ??
« Reply #3 on: October 30, 2008, 09:06:51 PM »
Quote from: CharlieBrady
Examine your mail log files.

Charlie, I think you missed this:
Quote from: ReetP
They do not use our email system for sending/receiving mail.

:-)

Ciao
Stefano

CharlieBrady
Re: Trapping outgoing Spam ??
« Reply #4 on: October 30, 2008, 09:23:04 PM »
Quote from: Stefano
Charlie, I think you missed this:
:-)

Ciao
Stefano

Yes, I did. I didn't realise the question had nothing to do with SME server.

CharlieBrady
Re: Trapping outgoing Spam ??
« Reply #5 on: October 30, 2008, 09:25:10 PM »
Quote from: ReetP
They do not use our email system for sending/receiving mail.

They probably do use your email system if your system is their gateway to the internet. SME server captures all attempted outbound SMTP and processes them locally.

If you haven't done so, you should examine the mail logs.

Stefano
Re: Trapping outgoing Spam ??
« Reply #6 on: October 30, 2008, 09:26:31 PM »
Quote from: CharlieBrady
Yes, I did. I didn't realise the question had nothing to do with SME server.

Indeed.. you are right.

So, could a moderator please move this thread to the general discussions forum?

TIA
Stefano

CharlieBrady
Re: Trapping outgoing Spam ??
« Reply #7 on: October 30, 2008, 09:29:43 PM »
Quote from: Stefano
Indeed.. you are right.

So, could a moderator please move this thread to the general discussions forum?

If you wanna talk to the moderator, there is a button on the UI to do so. But see my most recent comment. If SME is in server-gateway mode and is the gateway, the mail logs should record SMTP activity, unless the transparent proxy has been disabled.

Stefano
Re: Trapping outgoing Spam ??
« Reply #8 on: October 30, 2008, 09:34:51 PM »
Quote from: CharlieBrady
If you wanna talk to the moderator, there is a button on the UI to do so.

Doh.. I never thought I can use that link for such a request :-)

thank you
Ciao
Stefano

ReetP
Re: Trapping outgoing Spam ??
« Reply #9 on: October 31, 2008, 12:11:29 AM »
Humble apologies and sorry for the confusion.

The server is in server only mode :-(

It doesn't therefore capture all traffic.

Does someone want to move this to general discussions?

I was just wondering if there was some form of traffic monitoring I could employ to trap port 25 traffic on the network, but I guess the answer is you have to do it at the router?

B. Rgds
John

CharlieBrady
Re: Trapping outgoing Spam ??
« Reply #10 on: October 31, 2008, 01:11:33 AM »
Quote from: ReetP
I was just wondering if there was some form of traffic monitoring I could employ to trap port 25 traffic on the network, but I guess the answer is you have to do it at the router?

In the days of hubs and coax it might have been possible, but these days with switches traffic from A to B cannot be seen by C.

akhilmathema
Re: Trapping outgoing Spam ??
« Reply #11 on: October 31, 2008, 06:00:12 AM »
Quote from: ReetP
I have a 7.3 server with 6 or 7 clients. The IP address is being blacklisted due to a compromised machine. Two of the clients are owned by people not working in the company but sharing the internet connection - not a situation I am happy with, but I'm not the boss.

As far as I can tell, our own machines are all OK - I have been through them and can't see anything obvious - and am fairly sure the compromised machine is one of the other two.

They do not use our email system for sending/receiving mail.

Can anyone suggest a simple method of trying to detect where on the network the spam mails are originating, as we cannot obtain a copy of the mails themselves?

Any bright ideas appreciated, as I'm stumped and I'm sure someone has been down this road before.


Best regards,

John

It could be possible that bounce-back spam from your mail server to remote servers can also get your IP blacklisted. Verify you have blacklisting turned on in qpsmtpd. To verify SMTP traffic, tcpdump is the best tool:
# tcpdump -i localinterface port 25

ReetP
Re: Trapping outgoing Spam ??
« Reply #12 on: November 01, 2008, 01:11:10 AM »
Many thanks for all your answers. We tracked down the culprit eventually - it was one of the machines I do not manage. Yes, it is a struggle if the router is not in gateway mode.

The only way I could see was to run logging on the router.

I was trying to get the router to log to syslog, which I basically managed, but couldn't figure out how to filter it to its own log file. I guess it comes in under one of the 'local' lines, but not sure which.

Any ideas on this?

B. Rgds
John

CharlieBrady
Re: Trapping outgoing Spam ??
« Reply #13 on: November 01, 2008, 03:23:06 AM »
Quote from: ReetP
I was trying to get the router to log to syslog, which I basically managed, but couldn't figure out how to filter it to its own log file. I guess it comes in under one of the 'local' lines, but not sure which.

It doesn't. Each message has a 'facility' and 'loglevel', just like locally produced messages.
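Once the router's firewall log is arriving via syslog, the remaining job is the one John describes earlier in the thread: pick the LAN host making outbound port 25 connections out of it. The script below is an added example and is not from any poster here; it assumes a router that logs in the Linux netfilter LOG-target style (SRC=, DST=, PROTO=, DPT= fields), the log lines are constructed, and the facility local0 in the syslog.conf comment is an assumption you would replace with whatever your router actually sends on.

```shell
#!/bin/sh
# Added example, not from the thread: rank LAN hosts by the number of
# outbound TCP/25 connection attempts recorded in router firewall logs
# that were shipped to syslog. Assumes netfilter LOG-target style lines.
#
# Getting the router's messages into their own file is done by facility,
# not by source host: match the facility the router sends on (assumed
# local0 here) with a selector such as
#     local0.*    -/var/log/router.log
# in /etc/syslog.conf, and point the script at that file.

# Constructed sample of what the router might have sent via syslog.
SAMPLE_LOG='Oct 31 00:10:01 router kernel: FORWARD IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=51023 DPT=25 SYN
Oct 31 00:10:01 router kernel: FORWARD IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=51024 DPT=25 SYN
Oct 31 00:10:02 router kernel: FORWARD IN=br0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=25 SYN
Oct 31 00:10:02 router kernel: FORWARD IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=198.51.100.8 PROTO=TCP SPT=51025 DPT=25 SYN
Oct 31 00:10:03 router kernel: FORWARD IN=br0 OUT=ppp0 SRC=192.168.1.44 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=80 SYN
Oct 31 00:10:04 router kernel: FORWARD IN=br0 OUT=ppp0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=UDP SPT=51026 DPT=25'

# Read syslog lines on stdin; print "count source-ip" for every LAN host
# that tried to reach port 25 over TCP on the far side, busiest first.
# Web traffic (DPT=80) and non-TCP lines are ignored.
smtp_talkers() {
    awk '
        /PROTO=TCP/ && / DPT=25( |$)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Just the busiest host: the machine to examine (or cut off at the
# firewall, as Stefano suggested) first.
top_talker() {
    smtp_talkers | head -n 1 | awk '{ print $2 }'
}

# Example run over the constructed sample; with a real file use
#     smtp_talkers < /var/log/router.log
printf '%s\n' "$SAMPLE_LOG" | smtp_talkers
```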