Koozali.org: home of the SME Server

spam

BlueLake
spam
« on: December 20, 2014, 02:07:16 PM »
Hi

My server has reported that unusual amounts of emails are being sent... (spam)

I checked the qpsmtpd/current log, which gives me this...

2014-12-17 08:10:46.382241500 12290 Accepted connection 0/40 from 103.225.130.213 / Unknown
2014-12-17 08:10:46.382379500 12290 Connection from Unknown [103.225.130.213]
2014-12-17 08:10:46.383769500 12290 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:46.386196500 12290 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:46.396003500 12290 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:46.396281500 12291 Accepted connection 1/40 from 103.225.130.238 / Unknown
2014-12-17 08:10:46.396379500 12291 Connection from Unknown [103.225.130.238]
2014-12-17 08:10:46.397447500 12291 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:46.399443500 12291 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:46.407701500 12291 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2014-12-17 08:10:47.400816500 12290 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2014-12-17 08:10:47.401829500 12290 220 bluelake.glaslyn.com ESMTP
2014-12-17 08:10:47.412462500 12291 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2014-12-17 08:10:47.413470500 12291 220 bluelake.glaslyn.com ESMTP
2014-12-17 08:10:47.577263500 12290 dispatching EHLO cool19.tdpthom.org
2014-12-17 08:10:47.578442500 12290 250-glaslyn.com Hi Unknown [103.225.130.213]
2014-12-17 08:10:47.578466500 12290 250-PIPELINING
2014-12-17 08:10:47.578486500 12290 250-8BITMIME
2014-12-17 08:10:47.578509500 12290 250-SIZE 15000000
2014-12-17 08:10:47.578530500 12290 250 STARTTLS
2014-12-17 08:10:47.590004500 12291 dispatching EHLO cool44.tdpthom.org
2014-12-17 08:10:47.591021500 12291 250-glaslyn.com Hi Unknown [103.225.130.238]
2014-12-17 08:10:47.591044500 12291 250-PIPELINING
2014-12-17 08:10:47.591065500 12291 250-8BITMIME
2014-12-17 08:10:47.591088500 12291 250-SIZE 15000000
2014-12-17 08:10:47.591108500 12291 250 STARTTLS
2014-12-17 08:10:47.755579500 12290 dispatching QUIT
2014-12-17 08:10:47.755673500 12290 221 glaslyn.com closing connection. Have a wonderful day.
2014-12-17 08:10:47.755713500 12290 click, disconnecting
2014-12-17 08:10:47.768251500 12291 dispatching QUIT
2014-12-17 08:10:47.768398500 12291 221 glaslyn.com closing connection. Have a wonderful day.
2014-12-17 08:10:47.768449500 12291 click, disconnecting
2014-12-17 08:10:48.390285500 2324 cleaning up after 12290
2014-12-17 08:10:48.390310500 2324 cleaning up after 12291

It seems IP addresses 103.225.130.213 and 103.225.130.238 are using my server to relay or send spam out.

I'm not sure what course of action to take from here, really; other posts with this problem refer to blocking the IPs (I'm not sure how to do that, or even how the spammers are using my server to start with).

As with other posts, all workstations are shut down at night, usually by 5.30 / 6 pm GMT, leaving just the server running. I have traced the IPs to a spammer site (http://103.225.130.213)...
Other posts also refer to blocking emails on port 25, but will that also block my emails? Are they using my website to connect to the server?

If I change emails from SMTP to SMTPS and use port 465 instead of 25 (as per the howto info), would that have the desired effect?
Very worried... :sad:

guest22

Re: spam
« Reply #1 on: December 20, 2014, 03:40:20 PM »
Hi,

I would block those IPs to begin with, and then see if someone can provide in-depth info on your issue.
To block IPs entirely, please see: http://wiki.contribs.org/Firewall#Block_incoming_IP_address

guest

BlueLake
Re: spam
« Reply #2 on: December 20, 2014, 03:52:54 PM »
Hi
Thanks for the reply - I was just looking at that in the Howtos and thinking it could be a good first step...
Thanks

holck
Re: spam
« Reply #3 on: December 20, 2014, 09:08:51 PM »
Please show the output of the following command (as root):
# /sbin/e-smith/db configuration show qpsmtpd
......

BlueLake
Re: spam
« Reply #4 on: December 21, 2014, 09:31:21 AM »
Hi
Thanks for the reply. Here is the output of /sbin/e-smith/db configuration show qpsmtpd:

    BccUser=maillog
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled

cheers

BlueLake
Re: spam
« Reply #5 on: December 21, 2014, 09:33:32 AM »

Sorry, there were a couple of other things at the top I missed in the previous post:

qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled

Stefano
Re: spam
« Reply #6 on: December 21, 2014, 11:05:50 AM »
You have DNSBL and RHSBL disabled.
Enable them.

BlueLake
Re: spam
« Reply #7 on: December 21, 2014, 11:29:56 AM »
Hi Stefano
How do I do that, in the server manager?
Cheers

BlueLake
Re: spam
« Reply #8 on: December 21, 2014, 11:42:49 AM »
Hi Stefano

To enable RBL blocking for the default lists do the following

config setprop qpsmtpd DNSBL enabled

signal-event email-update

svc -t /service/qpsmtpd

Use these commands as root...? :smile:

BlueLake
Re: spam
« Reply #9 on: December 21, 2014, 11:49:11 AM »
Hi Stefano

Yes, managed that, they are both enabled now...

Thank you

janet
Re: spam
« Reply #10 on: December 22, 2014, 08:09:43 AM »
BlueLake

Some of those lists are aggressive & may block valid mail.
You should read the FAQ (link at top of forums) for current recommended "best practice".
Also, most SBL lists are no longer effective, i.e. no list is perhaps the best option these days.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

BlueLake
Re: spam
« Reply #11 on: December 22, 2014, 09:00:44 AM »
Hi Janet

Yes, thanks for that. I have been scouring the forums, Google, howtos, etc. for anything that remotely helps me to reduce spam, especially when it could even be my own fault (lack of expertise) that caused the problem. Two of my pet hates with the internet are spam and hackers. So anything I can do to reduce this is good in my book...
Cheers

Daniel B.
Re: spam
« Reply #12 on: December 22, 2014, 09:33:04 AM »
Quote
My server has reported that unusual amounts of emails are being sent... (spam)

The logs you've pasted here don't show any email being sent. They show someone trying to send you emails (probably spam, yes), but are those spams accepted? You need to check your logs further. You can, for example, filter on the logterse keyword (it's a plugin for the SMTP server which prints each transaction's status in one line), something like:

    grep logterse /var/log/qpsmtpd/current | tai64nlocal | grep '103\.225\.130\.'

Unless you see that qpsmtpd accepts those emails, you shouldn't worry at all. One way to get rid of this is by using the fail2ban contrib (it'll blacklist hosts for 15 minutes if they fail 9 email deliveries in less than 15 minutes).
It's the end of the world!!! :lol:
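The triage Daniel describes, as an added example that is not code from this thread, from SME Server or from qpsmtpd: a small Python script that reads logterse lines (as they look after tai64nlocal) and reports, per remote IP, how many transactions qpsmtpd actually queued versus refused, and which queued messages were addressed outside the local domain. The field layout it assumes (backtick-separated: remote IP, reverse name, HELO, sender, recipient, result, detail, with result "queued" for accepted mail) is this example's assumption and should be checked against one real line from /var/log/qpsmtpd/current before the counts are trusted. The sample log lines are constructed; only the two 103.225.130.x addresses come from the first post.

```python
"""Summarise SME Server qpsmtpd 'logterse' lines per remote IP.

Added example, not from the thread or from qpsmtpd/SME Server.
ASSUMED logterse layout (verify against a real log line):
  ... logterse plugin (<hook>): ` <ip> ` <rdns> ` <helo> ` <sender> ` <rcpt> ` <result> ` <detail...>
with <result> == "queued" when the message was accepted into the queue.
"""
import re
from collections import defaultdict

LOGTERSE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<pid>\d+) logterse plugin \((?P<hook>\w+)\): (?P<rest>.*)$"
)

# Constructed sample, as it would look after `tai64nlocal`. Only the two
# 103.225.130.x addresses come from the thread; everything else is invented.
SAMPLE_LOG = """\
2014-12-17 08:10:49.100000500 12290 logterse plugin (deny): ` 103.225.130.213 ` Unknown ` cool19.tdpthom.org ` <bounce@tdpthom.org> ` <sales@glaslyn.com> ` 901 ` denysoft ` dnsbl
2014-12-17 08:10:49.200000500 12291 logterse plugin (deny): ` 103.225.130.238 ` Unknown ` cool44.tdpthom.org ` <offer@tdpthom.org> ` <info@glaslyn.com> ` 901 ` denysoft ` dnsbl
2014-12-17 08:11:02.100000500 12295 logterse plugin (data_post): ` 103.225.130.213 ` Unknown ` cool19.tdpthom.org ` <bounce@tdpthom.org> ` <sales@glaslyn.com> ` queued
2014-12-17 08:12:13.400000500 12301 logterse plugin (data_post): ` 203.0.113.7 ` mail.example.net ` mail.example.net ` <alice@example.net> ` <info@glaslyn.com> ` queued
2014-12-17 09:01:45.000000500 12340 logterse plugin (data_post): ` 192.168.1.20 ` pc20.glaslyn.local ` pc20 ` <bob@glaslyn.com> ` <partner@example.org> ` queued
2014-12-17 09:01:46.000000500 12341 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
"""


def parse_logterse(text):
    """One dict per logterse line; every other log line is ignored."""
    records = []
    for line in text.splitlines():
        m = LOGTERSE_RE.match(line)
        if not m:
            continue
        # The text before the first backtick is empty; drop it.
        fields = [f.strip() for f in m.group("rest").split("`")][1:]
        if len(fields) < 6:
            continue  # not the layout we assume: skip rather than guess
        ip, rdns, helo, sender, rcpt, result = fields[:6]
        records.append({
            "ts": m.group("ts"),
            "hook": m.group("hook"),
            "ip": ip,
            "rdns": rdns,
            "helo": helo,
            "sender": sender.strip("<>"),
            "rcpt": rcpt.strip("<>"),
            "result": result,
            "detail": " ".join(f for f in fields[6:] if f),
        })
    return records


def was_queued(rec):
    """qpsmtpd accepted the message into the queue (qmail will deliver it)."""
    return rec["result"] == "queued"


def summarize(records, ip_prefix=""):
    """Per remote IP: how many transactions were queued vs refused.
    ip_prefix narrows the view, e.g. "103.225.130." like the grep in the post."""
    counts = defaultdict(lambda: {"queued": 0, "refused": 0})
    for rec in records:
        if not rec["ip"].startswith(ip_prefix):
            continue
        counts[rec["ip"]]["queued" if was_queued(rec) else "refused"] += 1
    return dict(counts)


def relayed(records, local_domains):
    """Queued messages addressed outside the local domains.
    From an outside IP that is the open-relay symptom the thread fears; from a
    LAN address it is normally just an authenticated client sending outbound."""
    local = {d.lower() for d in local_domains}
    return [
        (r["ip"], r["sender"], r["rcpt"])
        for r in records
        if was_queued(r) and r["rcpt"].rsplit("@", 1)[-1].lower() not in local
    ]


if __name__ == "__main__":
    recs = parse_logterse(SAMPLE_LOG)
    for ip, c in sorted(summarize(recs, "103.225.130.").items()):
        print(f"{ip:16} queued={c['queued']} refused={c['refused']}")
    for ip, sender, rcpt in relayed(recs, ["glaslyn.com"]):
        print(f"queued for outside domain via {ip}: {sender} -> {rcpt}")
```

On the real server feed it the output of tai64nlocal < /var/log/qpsmtpd/current and look at the raw result field values first; if they are not "queued" and a numeric code, adjust was_queued() before reading anything into the counts. A remote IP that only ever shows up as refused (or, as in the first post, never reaches MAIL FROM at all) is not using the server to send anything.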

janet
Re: spam
« Reply #13 on: December 22, 2014, 09:50:29 AM »
BlueLake

Quote
I have been scouring the forums... howto's etc... for anything that remotely helps me to reduce spam.

Well, now that RBL lists have been enabled, you should see a big reduction in incoming spam.
Another very effective tool is executable content blocking for email file attachments.
Many ZIP files are viruses in disguise.

You can enable that for various file types in the server manager Email panel.
You can even add more file types yourself if necessary; refer to
http://wiki.contribs.org/Virus:Email_Attachment_Blocking
which is still applicable to SME 8 & 9.

Some newish ZIP files were added recently to the mailpatterns database & are in the updated SME OS now; you should see them in the server manager Email panel.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

BlueLake
Re: spam
« Reply #14 on: December 22, 2014, 09:57:48 AM »
Hi

The thing that put me onto this was a contrib I installed (sme9admin), which started reporting large amounts of outgoing emails being sent; in one case that was 180... (worrying). At the most I may send 2-3 a day. So I checked the logs and found a few suspicious IPs, which I checked out, and they were definitely spammers (which verified the report from sme9admin). So I am convinced my server has been hijacked... but I will look at installing the fail2ban contrib.

cheers

Daniel B.
Re: spam
« Reply #15 on: December 22, 2014, 10:07:41 AM »
Your logs only show inbound emails. If your server is being used to relay spam, please open a bug and tick the security box.
It's the end of the world!!! :lol:

BlueLake
Re: spam
« Reply #16 on: December 22, 2014, 10:17:24 AM »
Ok...

Knuddi
Re: spam
« Reply #17 on: December 31, 2014, 02:56:39 PM »
180 mails per day is hardly a hijacked server - if the bad guys have their hands on it, it will send thousands per day. qpsmtpd is used for inbound mail and qmail is used for outbound. You should check the qmail logs and see whether you can see anything unusual there, and from which user.
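The check Knuddi suggests, as an added example that is not code from this thread or from SME Server: a Python script that reads qmail-send lines as multilog writes them to /var/log/qmail/current and attributes every remote delivery to the envelope sender and the uid recorded in the matching "info msg" line, so a burst of outbound mail can be tied to one account or one local process. The line grammar it matches ("info msg N: bytes B from <sender> qp Q uid U" and "starting delivery D: msg N to remote|local rcpt") is qmail-send's own; the sample lines, addresses, uid values and the threshold are constructed for the example. The TAI64N decoding ignores the TAI-to-UTC leap-second offset, so use it for ordering and rate counting, not for exact wall-clock times.

```python
"""Attribute outbound qmail deliveries to the sender (and uid) that queued them.

Added example, not from the thread or from SME Server. Input is
/var/log/qmail/current as written by multilog: a TAI64N @-stamp, then the
qmail-send message. The "info msg" line names the envelope sender and the
real uid of the process that ran qmail-queue; "starting delivery ... to
remote" lines are the outbound deliveries we want to count per sender.
"""
import re
from collections import defaultdict

INFO_RE = re.compile(
    r"^@(?P<stamp>[0-9a-f]{24}) info msg (?P<mid>\d+): bytes \d+ "
    r"from <(?P<sender>[^>]*)> qp \d+ uid (?P<uid>\d+)$"
)
DELIVERY_RE = re.compile(
    r"^@(?P<stamp>[0-9a-f]{24}) starting delivery \d+: msg (?P<mid>\d+) "
    r"to (?P<kind>remote|local) (?P<rcpt>\S+)$"
)

# Constructed sample: one ordinary user message, then a local account
# (invented uid 102) fanning messages out to several remote recipients.
SAMPLE_QMAIL_LOG = """\
@40000000549742e00a1b2c3d new msg 54321
@40000000549742e00b000000 info msg 54321: bytes 2048 from <bob@glaslyn.com> qp 4101 uid 453
@40000000549742e00c000000 starting delivery 101: msg 54321 to remote partner@example.org
@40000000549742e10d000000 delivery 101: success: 198.51.100.25_accepted_message./Remote_host_said:_250_ok/
@40000000549742e10e000000 end msg 54321
@40000000549742e200000000 new msg 54322
@40000000549742e201000000 info msg 54322: bytes 900 from <contact-form@glaslyn.com> qp 4110 uid 102
@40000000549742e202000000 starting delivery 102: msg 54322 to remote victim1@example.net
@40000000549742e203000000 starting delivery 103: msg 54322 to remote victim2@example.net
@40000000549742e204000000 starting delivery 104: msg 54322 to local alice@glaslyn.com
@40000000549742e205000000 delivery 102: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
@40000000549742f000000000 new msg 54323
@40000000549742f001000000 info msg 54323: bytes 900 from <contact-form@glaslyn.com> qp 4111 uid 102
@40000000549742f002000000 starting delivery 105: msg 54323 to remote victim3@example.org
"""


def tai64n_to_epoch(stamp):
    """Decode a multilog @-stamp to seconds since 1970. TAI64 labels count
    TAI seconds, so the result is ahead of UTC by the leap-second offset
    (35 s in 2014): fine for ordering and rate counting, not exact times."""
    hexdigits = stamp.lstrip("@")
    secs = int(hexdigits[:16], 16) - (1 << 62)
    nanos = int(hexdigits[16:24], 16)
    return secs + nanos / 1e9


def parse_qmail_log(text):
    """msg id -> sender, uid, queue time, and its remote/local recipients."""
    msgs = {}
    for line in text.splitlines():
        m = INFO_RE.match(line)
        if m:
            msgs[m.group("mid")] = {
                "sender": m.group("sender") or "<>",  # empty sender = bounce
                "uid": int(m.group("uid")),
                "queued_at": tai64n_to_epoch(m.group("stamp")),
                "remote": [],
                "local": [],
            }
            continue
        m = DELIVERY_RE.match(line)
        if m and m.group("mid") in msgs:  # skip msgs queued before the log starts
            msgs[m.group("mid")][m.group("kind")].append(m.group("rcpt"))
    return msgs


def outbound_by_sender(text):
    """Per envelope sender: messages, remote recipients, injecting uids, time span."""
    summary = defaultdict(lambda: {"messages": 0, "remote": 0, "uids": set(),
                                   "first": None, "last": None})
    for msg in parse_qmail_log(text).values():
        s = summary[msg["sender"]]
        s["messages"] += 1
        s["remote"] += len(msg["remote"])
        s["uids"].add(msg["uid"])
        t = msg["queued_at"]
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(summary)


def flag_senders(summary, max_remote):
    """Senders whose remote recipient count exceeds what you expect of them."""
    return sorted(s for s, v in summary.items() if v["remote"] > max_remote)


if __name__ == "__main__":
    summary = outbound_by_sender(SAMPLE_QMAIL_LOG)
    for sender, v in sorted(summary.items(), key=lambda kv: -kv[1]["remote"]):
        span = v["last"] - v["first"]
        print(f"{sender:28} msgs={v['messages']} remote={v['remote']} "
              f"uids={sorted(v['uids'])} span={span:.0f}s")
    print("over threshold:", flag_senders(summary, 2))
```

The uid column is what separates the two failure modes the thread is arguing about: on a typical SME install, mail accepted over SMTP, whether from the internet or from an authenticated client, is queued by qpsmtpd under its own account (compare with id qpsmtpd), so a sender whose messages carry the web server's or a shell account's uid was injected locally by a script or web form rather than relayed through port 25.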