Koozali.org: home of the SME Server

spam - how to reject emails which has multiple from

larieu
spam - how to reject emails which has multiple from
« on: August 30, 2013, 07:41:21 AM »
I face a situation where I receive lots of mails which are formatted like this

From: <user1@mydomain.tld>,
         <user2@mydomain.tld>,
         .....
         <usern@mydomain.tld>

To: <user1@mydomain.tld>,
         <user2@mydomain.tld>,
         .....
         <usern@mydomain.tld>


where userN is a mix of real users, or just a fraction of them

The mails are sent mainly directly to the server, probably from botnet-infested computers, but probably 20% are relayed by legit servers

I am not able to find a solution to this
can someone point me in the right direction?
if everybody's life around you is better, probably yours will be better
just try to improve their life

Jáder
Re: spam - how to reject emails which has multiple from
« Reply #1 on: August 30, 2013, 12:34:00 PM »
welcome to the fight against spam! :)

Do you have anti-spam measures enabled on your server?
What about the rfc-ignorant list... I'm pretty sure one e-mail cannot have several From!

Start reading here: http://wiki.contribs.org/Email

Good luck.
Jáder
...

mmccarn
Re: spam - how to reject emails which has multiple from
« Reply #2 on: August 30, 2013, 02:49:38 PM »
I had a similar situation in 2011, and opened a bug on it:
http://bugs.contribs.org/show_bug.cgi?id=6591

My problem fixed itself before I was able to find anything to fix, however.


One option is to establish accurate 'spf' dns records that include "-all" to deny email for your domain(s) from unauthorized servers.  In my case I guess the geoip plugin could have helped.

I think my issue fixed itself as I addressed other errors in my logs about spamd and possibly pyzor.

stephdl
Re: spam - how to reject emails which has multiple from
« Reply #3 on: August 31, 2013, 10:19:27 AM »
Not really sure that you can fix your problem, but Vip-ire has made a fail2ban contrib that can block for a few minutes an SMTP sender which sends bad mail to your server.
As an example, this is what you can find when your server receives more than 9 e-mails to unknown users:

Quote
Hi,

The IP 93.17.128.20 has just been banned by Fail2Ban after
9 attempts against Qpsmtpd.

Regards,

Fail2Ban

you can find the contrib at http://wiki.contribs.org/Fail2ban
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

larieu
Re: spam - how to reject emails which has multiple from
« Reply #4 on: September 03, 2013, 12:55:50 AM »
Thanks to all


jader
unfortunately YES

mmccarn
in my case the final mail has the spam tags (-80 or something around) - and the spam is not in English (it is in Romanian - which is the default for that server's users)


stephdl
I have installed it - I believe it will not harm
and in less than 30 minutes already 10 IPs in the qpsmtpd jail

Also I have used mailsort and dropped many of them with around 50 rules
unfortunately that plugin cannot check the body of messages (all mails contain a randomaddress@gmailjobs-ro.com for example - but they have > 50 subjects)
in Thunderbird it is easy for a user to put a rule that a body containing @gmailjobs is to be deleted - but it is mandatory to be on the server
I will provide more info if I find it



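The two server-side checks larieu asks for above (a From: header carrying several mailboxes, and a body that mentions a given domain such as @gmailjobs-ro.com) can be expressed as one small classifier. This is an added example, not code from SME Server, qpsmtpd or the mailsort plugin; the two sample messages are constructed for the demonstration, and the function only flags a message, leaving the reject/tag/quarantine decision to the operator.

```python
"""Flag the spam pattern described in this thread (added example).

Rule 1: more than one mailbox in the From: header (the thread's pattern).
Rule 2: the text body mentions a configured domain (the @gmailjobs-ro.com case).
Not SME Server / qpsmtpd / mailsort code; the messages below are constructed.
"""
import email
from email import policy

# Constructed sample messages for the demonstration (not real traffic).
MULTI_FROM_MSG = """\
From: <user1@mydomain.tld>,
         <user2@mydomain.tld>,
         <user3@mydomain.tld>
To: <user1@mydomain.tld>,
         <user2@mydomain.tld>
Subject: constructed sample
Content-Type: text/plain; charset=utf-8

Contact me at randomaddress@gmailjobs-ro.com
"""

NORMAL_MSG = """\
From: Alice <alice@example.org>
To: <user1@mydomain.tld>
Subject: constructed sample

Hello from a single, well-formed sender.
"""


def from_mailboxes(msg):
    """Return every addr-spec found across all From: header instances."""
    return [a.addr_spec for h in msg.get_all("From", []) for a in h.addresses]


def body_text(msg):
    """Return the decoded text/plain body, or '' when there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def classify(raw, body_domains=("gmailjobs-ro.com",), max_from=1):
    """Return the list of reasons the message matches; empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    froms = from_mailboxes(msg)
    if len(froms) > max_from:
        reasons.append(f"multiple From mailboxes: {len(froms)}")
    lowered = body_text(msg).lower()
    for domain in body_domains:
        if "@" + domain.lower() in lowered:
            reasons.append(f"body mentions @{domain}")
    return reasons


if __name__ == "__main__":
    for name, raw in (("multi-from", MULTI_FROM_MSG), ("normal", NORMAL_MSG)):
        print(name, classify(raw) or "clean")
```

The From: check counts mailboxes after the header has been unfolded, so the wrapped layout shown in the first post is handled; the body check is a plain substring match, which is enough for the fixed domain the thread describes but would need a pattern list to cover look-alike domains.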

larieu
Re: spam - how to reject emails which has multiple from
« Reply #5 on: September 19, 2013, 02:28:32 PM »
As I said - I came back with an answer

The method of installing fail2ban was quite effective but not from the beginning (in the first day only around 200 IPs were banned, but in the first week around 4 000 IPs were banned, in the following one around 500, and now it seems only several each 1~2 days)
that means it is very useful but you need to be patient and wait for it to do its job


stephdl
Re: spam - how to reject emails which has multiple from
« Reply #6 on: September 19, 2013, 06:50:03 PM »
Quote
As I said - I came back with an answer

The method of installing fail2ban was quite effective but not from the beginning (in the first day only around 200 IPs were banned, but in the first week around 4 000 IPs were banned, in the following one around 500, and now it seems only several each 1~2 days)
that means it is very useful but you need to be patient and wait for it to do its job

WOUHA!!!!! incredible

4000 IP in one week....it is War :D

Therefore in your opinion it could be an essential tool against spam?

Should we mention it in the documentation of the contribs? I think so.

If I remember well the discussion with Daniel, after 9 attempts the IP is banned for 15 minutes. Perhaps there is a method to increase it (I think about the template)
« Last Edit: September 19, 2013, 06:51:43 PM by stephdl »

stephdl
Re: spam - how to reject emails which has multiple from
« Reply #7 on: September 19, 2013, 06:54:26 PM »
Not sure about the 15' when I see the template

Code:
[qpsmtpd]
enabled  = true
filter   = qpsmtpd
logpath  = /var/log/*qpsmtpd/current
maxretry = 9
action   = smeserver-iptables[port="25,465",protocol=tcp,bantime=1800]
           smeserver-sendmail[name="Qpsmtpd",dest=root]

1800'' = 30'
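The jail above reads: after maxretry (9) matching log lines from one IP inside fail2ban's counting window (findtime, 600 seconds by default), the address is banned for bantime (1800 seconds, i.e. 30 minutes). The following added example models exactly that counting so the effect of the three numbers can be seen on sample data. It is not fail2ban's own code nor the smeserver-iptables action; the qpsmtpd log lines are constructed, and their "time ip reason" layout is an assumption rather than the real filter's regex.

```python
"""Model of the [qpsmtpd] jail: ban after MAXRETRY hits within FINDTIME
seconds, for BANTIME seconds (added example, not fail2ban code).

Log line layout below is constructed/assumed: "<YYYY-mm-dd HH:MM:SS> <ip> <reason>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 9        # from the thread's template
BANTIME = 1800      # seconds: 1800'' = 30'
FINDTIME = 600      # fail2ban's default counting window, in seconds

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+\.\d+\.\d+\.\d+) (.*)$"
)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def constructed_log(ip, first, count, step_seconds):
    """Build `count` constructed rejection lines from one IP, step_seconds apart."""
    t0 = datetime.strptime(first, TIME_FMT)
    return [
        f"{(t0 + timedelta(seconds=i * step_seconds)):{TIME_FMT}} {ip} "
        "rejected: recipient unknown"
        for i in range(count)
    ]


def parse(line):
    """Return (timestamp, ip) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), TIME_FMT), m.group(2)


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: [(ban_start, ban_end), ...]} for every ban the jail would issue."""
    window = defaultdict(deque)   # per-IP timestamps inside the findtime window
    banned_until = {}             # per-IP end of the current ban
    bans = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        when, ip = parsed
        if ip in banned_until and when < banned_until[ip]:
            continue  # a banned IP is dropped by iptables; qpsmtpd never sees it
        q = window[ip]
        q.append(when)
        while q and (when - q[0]).total_seconds() > findtime:
            q.popleft()           # forget hits older than findtime
        if len(q) >= maxretry:
            end = when + timedelta(seconds=bantime)
            bans[ip].append((when, end))
            banned_until[ip] = end
            q.clear()
    return dict(bans)


if __name__ == "__main__":
    # 12 hits 10 s apart: banned on the 9th; 9 hits 120 s apart: never 9 in 600 s.
    fast = constructed_log("203.0.113.5", "2013-09-19 18:50:00", 12, 10)
    slow = constructed_log("198.51.100.7", "2013-09-19 18:50:00", 9, 120)
    for ip, periods in scan(sorted(fast + slow)).items():
        for start, end in periods:
            print(f"{ip} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

The slow sender never gets banned even though it also produces 9 rejections, because they are spread over more than findtime; raising maxretry or lowering findtime changes who is caught, while bantime only changes for how long. That matches the thread's observation that the jail needs time before the ban count settles.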

StuC
Re: spam - how to reject emails which has multiple from
« Reply #8 on: September 30, 2013, 01:55:56 PM »
Thanks for the fail2ban information, for some reason I had not associated fail2ban with mail (I know, I'll stand in the corner).
I have a server that mops up misdirected .co.uk mail that should have gone to our remote-hosted .com domain; it gets very little traffic so I'd sort of left it to do its thing.
Recently the spammers had started hitting it with zip files so I figured I'd have a quick look at it to save time hunting for any real mail.

Installed fail2ban but then thought "I wonder how to test it". I should not have worried: in the time it took to read down and locate the right log I found I had a ban, and another two while typing this. Thanks.
Awesome, as I tail the log I keep waiting to see the words "how exciting to block mail from you!"

Stu

Knyte
Re: spam - how to reject emails which has multiple from
« Reply #9 on: October 17, 2013, 04:22:10 PM »
Another option exists at the firewall level.

I have almost zero spam (~5 per month) after deploying a pfsense firewall with the Country Block plugin.  Just pick the country you wish to block, and you'll never receive email from them.  Not a perfect solution for all, however I have found by picking the 6 top countries of known spammers, it has reduced spam significantly.
SME 8.1 (currently restoring to SME 9.2) running in ESXi 5.5