1

Topic: Need help tracking down spammer

==== Required information ====
- iRedMail version: 0.7.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu server 11.04 32 bits
- Related log if you're reporting an issue:
====

Hello all,
Just found out that my server is blacklisted on the following: inps_de, nixspam, truncate & uceprotectl1; it seems one of my users is spamming. I'm a noob at running a mail server, so I would appreciate any pointers/help on what to check to track down the user(s) responsible. I've looked in /var/log/mail.log, but there's so much in there, I don't really know what to look for specifically.

uceprotectl1 gives me an approximate time/date, and I can see many entries around this time hinting at my being blacklisted, i.e.: "xxx refused to talk to me", "... will be permanently deferred..." etc.

How can I find which user is sending these? Any other logs (or MySQL tables) I should be looking at?

Can't post the log here since it's close to 2 megs (for a 10 minute period...).

Thanks in advance

----


2

Re: Need help tracking down spammer

You can try Awstats, it should be installed if you chose it during iRedMail installation. URL is: httpS://your_server/awstats/awstats.pl?config=smtp

Another solution: if you have iRedAdmin-Pro installed, and integrate MySQL in Amavisd, you can see the top 10 senders/recipients in iRedAdmin-Pro Dashboard page.  Screenshot for your reference (Oops, only one sender in the screenshot):
http://www.iredmail.org/images/iredadmin/dashboard.png

3

Re: Need help tracking down spammer

Thanks for the quick reply.

I checked out awstats, under "sender email" the first item is 105877 emails with external "notice@ppal.com" avg size 2.38Kb, so that seems to indicate spamming, but nothing is shown under "local" for this entry.

Attached are the first 5 lines of this section.

I unfortunately don't have the Pro version at this time however, so I cannot see the top 10 senders on the dashboard.

Any other way to identify the culprit(s)?

Thanks again.

Post's attachments: Capture.png (29.1 kB, posted 2012-08-28)

4

Re: Need help tracking down spammer

windigo wrote:

so that seems to indicate spamming, but nothing is shown under "local" for this entry.

It sent to too many local recipients, so it shows empty.

windigo wrote:

Any other way to identify the culprit(s) ?

Identify it or block it?

Steps to block it:

- Prepend a restriction rule in Postfix parameter "smtpd_recipient_restrictions", for example:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklisted_senders, [...OMIT EXISTING ONES HERE...]

- Create plain text file /etc/postfix/blacklisted_senders, add one line:

notice@ppal.com REJECT

- Execute command:

# postmap /etc/postfix/blacklisted_senders

- Restart Postfix service.

That's all. Hope it helps.

5

Re: Need help tracking down spammer

Thanks for the info,

Did the mods as specified, looked at syslog, and it turns out the spammer was from an external network somewhere in Taiwan. Somehow they got the username/password from one of our customers. Had to block that IP range and changed the customer's password. Also had to flush the Postfix queue as it was still trying to resend refused spam.

So far, all looks fine.

Thanks again
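The thread's answer to "which user is sending these?" turned out to be in the SMTP log: the spam was submitted with a customer's stolen credentials from an outside network. As an added example (not from the thread or from iRedMail), the script below tallies Postfix `smtpd` client lines in /var/log/mail.log by `sasl_username` and client IP, so a compromised account stands out by volume or by the number of unrelated source addresses; the log lines and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Postfix smtpd "client=" line; the sasl_* fields appear only for authenticated submissions.
SMTPD_CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=\S*\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=[^,]+, sasl_username=(?P<user>\S+))?"
)

def summarize_senders(log_lines):
    """Return (messages per SASL user, sorted distinct client IPs per SASL user, unauthenticated count)."""
    per_user = Counter()
    ips_per_user = defaultdict(set)
    unauth = 0
    for line in log_lines:
        m = SMTPD_CLIENT_RE.search(line)
        if not m:
            continue  # delivery, queue manager or other non-smtpd lines
        user = m.group("user")
        if user is None:
            unauth += 1  # inbound mail or unauthenticated relay attempts
            continue
        per_user[user] += 1
        ips_per_user[user].add(m.group("ip"))
    return per_user, {u: sorted(s) for u, s in ips_per_user.items()}, unauth

def suspicious_users(log_lines, max_msgs=50, max_ips=3):
    """Flag accounts whose volume or number of distinct source IPs exceeds the thresholds."""
    per_user, ips, _ = summarize_senders(log_lines)
    return {u: {"messages": n, "ips": ips[u]}
            for u, n in per_user.items()
            if n > max_msgs or len(ips[u]) > max_ips}

# Constructed sample: one account submitting 60 messages from four addresses outside the office,
# one normal user, and one unauthenticated inbound connection.
SAMPLE_LOG = [
    f"Aug 28 10:{i // 60:02d}:{i % 60:02d} mail postfix/smtpd[2101]: {i:010X}: "
    f"client=unknown[203.0.113.{i % 4 + 1}], sasl_method=LOGIN, sasl_username=customer@example.com"
    for i in range(60)
] + [
    "Aug 28 10:20:00 mail postfix/smtpd[2102]: 00000000A1: client=laptop.lan[192.0.2.10], "
    "sasl_method=LOGIN, sasl_username=alice@example.com",
    "Aug 28 10:21:00 mail postfix/smtpd[2103]: 00000000A2: client=mx.other.test[198.51.100.7]",
]

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG  # e.g. /var/log/mail.log
    for user, info in suspicious_users(lines).items():
        print(f"{user}: {info['messages']} messages from {len(info['ips'])} client IPs {info['ips']}")
```

Run it against the real log with `python3 find_sasl_senders.py /var/log/mail.log`; the flagged account and its source addresses are what to reset and block, as the last post in the thread did.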