Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: larieu on August 30, 2013, 07:41:21 AM
-
I face a situation where I receive lots of mails which are formatted like this:
From: <user1@mydomain.tld>,
<user2@mydomain.tld>,
.....
<usern@mydomain.tld>
To: <user1@mydomain.tld>,
<user2@mydomain.tld>,
.....
<usern@mydomain.tld>
where the userN are a mix of real users, or just a fraction of them
The mails are sent mainly directly to the server, probably from botnet-infested computers, but probably 20% are relayed by legitimate servers
I am not able to find a solution to this
can someone point me in the right direction?
-
welcome to the fight against spam! :)
Do you have anti-spam measures enabled on your server?
What about the rfc-ignorant list... I'm pretty sure one e-mail cannot have several From!
Start reading here: http://wiki.contribs.org/Email
Good luck.
Jáder
-
I had a similar situation in 2011, and opened a bug on it:
http://bugs.contribs.org/show_bug.cgi?id=6591
My problem fixed itself before I was able to find anything to fix, however.
One option is to establish accurate SPF DNS records that include "-all" to deny email for your domain(s) from unauthorized servers. In my case I guess the geoip plugin could have helped.
I think my issue fixed itself as I addressed other errors in my logs about spamd and possibly pyzor.
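As an added illustration of the "-all" point above (this is example code, not part of the post or of SME Server), the function below evaluates the offline-evaluable part of an SPF record (ip4, ip6 and all) against a connecting IP. The two records and the IP addresses are constructed for the example; a real record would be published as a TXT record for the domain, and mechanisms that need DNS (include:, a, mx, redirect=) are only reported as unsupported here.

```python
import ipaddress

# Constructed SPF records for a hypothetical domain (not real DNS data).
# "-all" rejects every sender not listed; "~all" only marks it as softfail,
# which most receivers accept and merely score.
SPF_STRICT = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/29 ip6:2001:db8::/64 -all"
SPF_SOFT = "v=spf1 ip4:203.0.113.10 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Return pass/fail/softfail/neutral for client_ip against an SPF record.

    Only ip4, ip6 and all are evaluated; include:, a, mx and redirect= need
    DNS lookups and are reported as 'unsupported' in this offline example.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record for the domain
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"  # would need DNS (include:, a, mx, redirect=)
    return "neutral"  # no mechanism matched and there was no "all" term


if __name__ == "__main__":
    for rec, name in ((SPF_STRICT, "strict"), (SPF_SOFT, "soft")):
        for sender in ("203.0.113.10", "203.0.113.3", "198.51.100.7", "2001:db8::1"):
            print(f"{name:6} {sender:14} -> {check_spf(rec, sender)}")
```

The difference that matters for the poster's problem is the last mechanism: with "-all" a forged message claiming to be from mydomain.tld and sent from a botnet host gets a hard fail that a receiving server can reject on, whereas with "~all" it only gets a softfail and usually a small spam score.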
-
Not really sure that you can fix your problem, but Vip-ire has made a fail2ban contrib that can block for a few minutes an SMTP sender which sends bad mail to your server.
As an example, this is what you find when your server receives more than 9 e-mails to unknown users:
Hi,
The IP 93.17.128.20 has just been banned by Fail2Ban after
9 attempts against Qpsmtpd.
Regards,
Fail2Ban
you can find the contrib at http://wiki.contribs.org/Fail2ban
-
Thanks to all
jader:
unfortunately YES
mmccarn:
in my case the final mail has the spam tags (-80 or something around that), and the spam is not in English (it is in Romanian, which is the default for that server's users)
stephdl:
I have installed it; I believe it will not harm
and in less than 30 minutes already 10 IPs are in the qpsmtpd jail
Also I have used mailsort and dropped many of them with around 50 rules
unfortunately that plugin cannot check the body of messages (all mails contain a randomadress@gmailjobs-ro.com for example, but they have > 50 subjects)
in Thunderbird for a user it is easy to put a rule that if the body contains @gmailjobs the mail is deleted, but it is mandatory that it is on the server
I will provide more info if I find any
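As an added example (not code from the thread or from SME Server) for the two patterns described so far, the multi-address From/To headers in the opening post and the body address the poster wanted to match server-side, the script below parses a message and reports which of those patterns it shows. The message, the local domain and the body pattern are constructed for the example; in production this logic would sit in a delivery-time filter rather than be run by hand.

```python
import email
import re
from email.utils import getaddresses

LOCAL_DOMAIN = "mydomain.tld"  # assumed local domain from the thread
# Assumed body pattern, taken from the poster's Thunderbird rule.
BODY_PATTERNS = [re.compile(r"@gmailjobs", re.IGNORECASE)]

# Constructed sample message modelled on the thread: several local addresses
# in From and To, and a throw-away address in the body.
SAMPLE = """\
From: <user1@mydomain.tld>, <user2@mydomain.tld>, <user3@mydomain.tld>
To: <user1@mydomain.tld>, <user2@mydomain.tld>
Subject: Job offer
Content-Type: text/plain; charset=utf-8

Send your CV to abc123@gmailjobs-ro.com
"""

# Constructed legitimate message for comparison.
CLEAN = """\
From: Alice <alice@example.net>
To: <user1@mydomain.tld>
Subject: Minutes
Content-Type: text/plain; charset=utf-8

Attached are the minutes from today.
"""


def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw):
    """Return a sorted list of reasons the message looks like the thread's spam."""
    msg = email.message_from_string(raw)
    from_addrs = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    reasons = set()
    if len(from_addrs) > 1:
        reasons.add("multiple From addresses")
    if any(a.endswith("@" + LOCAL_DOMAIN) for a in from_addrs):
        reasons.add("From claims local domain")  # inbound mail pretending to be ours
    if sum(a.endswith("@" + LOCAL_DOMAIN) for a in to_addrs) > 1:
        reasons.add("To lists several local users")
    body = body_text(msg)
    if any(p.search(body) for p in BODY_PATTERNS):
        reasons.add("body matches blocked pattern")
    return sorted(reasons)


if __name__ == "__main__":
    print("sample:", analyse(SAMPLE))
    print("clean:", analyse(CLEAN))
```

The "From claims local domain" check is the header-side counterpart of the SPF advice earlier in the thread: mail arriving from the outside with a local From address is exactly what a "-all" record lets the receiving side reject, so it is worth scoring on its own even when the other patterns are absent.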
-
As I said, I came back with an answer.
The method of installing fail2ban was quite effective, but not from the beginning (in the first day only around 200 IPs were banned, but in the first week around 4 000 IPs were banned, in the following one around 500, and now it seems only several every 1~2 days).
That means it is very useful, but you need to be patient and wait for it to do its job.
-
WOUHA!!!!! incredible
4000 IP in one week....it is War :D
Therefore in your opinion it could be an essential tool against spam?
Should we mention it in the documentation of the contribs? I think so.
If I remember well the discussion with Daniel, after 9 attempts the IP is banned for 15 minutes. Perhaps there is a method to increase it (I am thinking about the template).
-
Not sure about the 15' when I see the template:
[qpsmtpd]
enabled = true
filter = qpsmtpd
logpath = /var/log/*qpsmtpd/current
maxretry = 9
action = smeserver-iptables[port="25,465",protocol=tcp,bantime=1800]
         smeserver-sendmail[name="Qpsmtpd",dest=root]
1800'' = 30'
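To make the effect of maxretry and bantime in the jail above concrete, here is an added example (not code from the fail2ban contrib or from the thread) that replays the same counting rule over constructed log lines. The line format "<epoch> <ip> <event>" is a simplification invented for the example; real qpsmtpd multilog output uses tai64n timestamps and a different layout, and the contrib's own filter regex is not shown in the thread. The jail snippet does not set findtime, so the example assumes fail2ban's default of 600 seconds.

```python
import re
from collections import defaultdict, deque

MAXRETRY = 9      # from the jail above
FINDTIME = 600    # assumed: fail2ban default window, not set in the jail snippet
BANTIME = 1800    # seconds, from the action line (30 minutes)

# Simplified, constructed log format; not qpsmtpd's real output.
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<event>\S+)$")
FAILURE_EVENTS = {"rcpt_unknown_user", "relay_denied"}


def _lines(ip, times, event="rcpt_unknown_user"):
    return [f"{t} {ip} {event}" for t in times]


# Constructed log: built from ranges so the timing of each case is explicit.
LOG = "\n".join(sorted(
    _lines("93.17.128.20", range(1000, 1009))        # 9 hits in 9 s -> ban at 1008
    + _lines("93.17.128.20", range(1100, 1105))      # during the ban, not counted
    + _lines("93.17.128.20", range(3000, 3009))      # after expiry -> second ban
    + _lines("198.51.100.5", range(2000, 2008))      # only 8 hits -> below maxretry
    + _lines("203.0.113.9", range(0, 9 * 250, 250))  # 9 hits 250 s apart -> never 9 in 600 s
    + _lines("203.0.113.9", [5000], "mail_ok"),      # normal delivery, not a failure
    key=lambda line: int(line.split()[0]),
))


def run_jail(log, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the jail rule and return {ip: [timestamps at which it was banned]}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}             # ip -> epoch at which the ban expires
    bans = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] not in FAILURE_EVENTS:
            continue
        ts, ip = int(m["ts"]), m["ip"]
        if banned_until.get(ip, 0) > ts:
            continue  # iptables is already dropping this sender; nothing to count
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans[ip].append(ts)
            window.clear()
    return dict(bans)


if __name__ == "__main__":
    for ip, when in run_jail(LOG).items():
        print(ip, "banned at", when, "for", BANTIME, "s each")
```

Two things the replay makes visible: a sender that spreads its attempts more than findtime apart is never banned no matter how many it makes, and the ban is only as long as the bantime in the action line, so raising it (or findtime) in the template is the lever the previous post was asking about.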
-
Thanks for the fail2ban information; for some reason I had not associated fail2ban with mail (I know, I'll stand in the corner).
I have a server that mops up misdirected .co.uk mail that should have gone to our remote-hosted .com domain. It gets very little traffic, so I'd sort of left it to do its thing.
Recently the spammers had started hitting it with zip files, so I figured I'd have a quick look at it to save time hunting for any real mail.
Installed fail2ban but then thought "I wonder how to test it". I should not have worried: in the time it took to read down and locate the right log I found I had a ban, and another two while typing this. Thanks.
Awesome. As I tail the log I keep waiting to see the words "how exciting to block mail from you!"
Stu
-
Another option exists at the firewall level.
I have almost zero spam (~5 per month) after deploying a pfsense firewall with the Country Block plugin. Just pick the country you wish to block, and you'll never receive email from them. Not a perfect solution for all, however I have found by picking the 6 top countries of known spammers, it has reduced spam significantly.