How to disarm spam

97niekos (Verified User, joined Sep 15, 2008, 12 messages)
Hello people,

After a couple of reinstallations, our server is probably sending spam; our IP is registered in this list: http://cbl.abuseat.org/lookup.cgi

Now I was wondering how to fix this!

* Disabling the sendmail function.. only sending with verification and not without??
--> but how should this be arranged in DirectAdmin?

* Update ConfigServer to the latest version and set the security to the highest level: done

* Installed SpamAssassin: done

How can I fix this and be sure that I will be deleted from this list?

Thanks already

SpamAssassin is no saviour in this; SpamAssassin is for incoming spam, not for outgoing.

Just monitor your logs to see if there are any outgoing spam messages (but probably you're already infected with a hack or something), and if the logs don't show anything weird, contact the administrator of the blacklist.
 
Hi people,

I should set my server's Exim name to my servername instead of the server IP.

Any idea how?

I found
Code:
# primary_hostname =
# qualify_domain =
 
Those settings are correct; they're supposed to be empty. I don't understand the rest of your question.

If your server is sending spam there's probably a lot of junk stuck in your queue; you can look there to determine which of your users is sending spam, and shut him/her down.

And then delete all the spam in the queue.

Jeff
 
An example email in "/CMD_MAIL_QUEUE":
Code:
**
1PB4IR-0008LK-5O-H
mail 8 8
<>
1288179359 0
-ident mail
-received_protocol local
-body_linecount 35
-max_received_linelength 271
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1288179359
-localerror
XX
1
root@MYIPADRES

136P Received: from mail by MYIPADRES with local (Exim 4.71)
id 1PB4IR-0008LK-5O
for root@MYIPADRES; Wed, 27 Oct 2010 13:35:59 +0200
038 Date: Wed, 27 Oct 2010 13:35:59 +0200
045I Message-Id: <E1PB4IR-0008LK-5O@MYIPADRES>
038 X-Failed-Recipients: lsw@MYIPADRES
029 Auto-Submitted: auto-replied
056F From: Mail Delivery System <Mailer-Daemon@MYIPADRES>
022T To: root@MYIPADRES
059 Subject: Mail delivery failed: returning message to sender

**
1PB4IR-0008LK-5O-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

lsw@MYIPADRES
(generated from root@MYIPADRES)
Unrouteable address

------ This is a copy of the message, including all the headers. ------

Return-path: <root@MYIPADRES>
Received: from root by MYIPADRES with local (Exim 4.71)
(envelope-from <root@MYIPADRES>)
id 1PB4IR-0008LI-0y
for root@MYIPADRES; Wed, 27 Oct 2010 13:35:59 +0200
Date: Wed, 27 Oct 2010 13:35:59 +0200
Message-Id: <E1PB4IR-0008LI-0y@MYIPADRES>
To: root@MYIPADRES
Subject: lfd on MYIPADRES: 85.114.137.99 (DE/Germany/i099.indigo.fastwebserver.de) blocked for port scanning
From: <root@MYIPADRES>

Time: Wed Oct 27 13:35:59 2010 +0200
IP: 85.114.137.99 (DE/Germany/i099.indigo.fastwebserver.de)
Hits: 6
Blocked: Temporary Block

Sample of block hits:
Oct 27 13:35:53 85 kernel: [802074.251498] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:c9:ff:29:b3:00:d0:02:33:3c:00:08:00 SRC=85.114.137.99 DST=MYIPADRES LEN=52 TOS=0x00 PREC=0x00 TTL=123 ID=4696 DF PROTO=TCP SPT=54731 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 27 13:35:53 85 kernel: [802074.259842] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:c9:ff:29:b3:00:d0:02:33:3c:00:08:00 SRC=85.114.137.99 DST=85.17.173.110 LEN=52 TOS=0x00 PREC=0x00 TTL=123 ID=4744 DF PROTO=TCP SPT=54841 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 27 13:35:53 85 kernel: [802074.259842] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:c9:ff:29:b3:00:d0:02:33:3c:00:08:00 SRC=85.114.137.99 DST=85.17.173.111 LEN=52 TOS=0x00 PREC=0x00 TTL=123 ID=4745 DF PROTO=TCP SPT=54842 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 27 13:35:56 85 kernel: [802077.580580] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:c9:ff:29:b3:00:d0:02:33:3c:00:08:00 SRC=85.114.137.99 DST=MYIPADRES LEN=52 TOS=0x00 PREC=0x00 TTL=123 ID=6561 DF PROTO=TCP SPT=54731 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 27 13:35:56 85 kernel: [802077.583065] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:c9:ff:29:b3:00:d0:02:33:3c:00:08:00 SRC=85.114.137.99 DST=85.17.173.111 LEN=52 TOS=0x00 PREC=0x00 TTL=123 ID=6578 DF PROTO=TCP SPT=54842 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 27 13:35:56 85 kernel: [802077.583065] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:1e:c9:ff:29:b3:00:d0:02:33:3c:00:08:00 SRC=85.114.137.99 DST=85.17.173.110 LEN=52 TOS=0x00 PREC=0x00 TTL=123 ID=6590 DF PROTO=TCP SPT=54841 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0

And in the Exim log:
Code:
2010-10-27 19:57:53 1PARAb-0003IE-SJ Unfrozen by errmsg timer
2010-10-27 19:57:53 1PARAb-0003IE-SJ => info <root@MYIPADRES> F=<> R=virtual_user T=virtual_localdelivery S=1518
2010-10-27 19:57:53 1PARAb-0003IE-SJ Completed
2010-10-27 19:57:53 1PARGP-0003Lf-Ei Unfrozen by errmsg timer
2010-10-27 19:57:53 1PARGP-0003Lf-Ei => info <root@MYIPADRES> F=<> R=virtual_user T=virtual_localdelivery S=1516
2010-10-27 19:57:53 1PARGP-0003Lf-Ei Completed
2010-10-27 19:57:53 1PARAc-0003IL-Ba Unfrozen by errmsg timer
2010-10-27 19:57:53 1PARAc-0003IL-Ba => info <root@MYIPADRES> F=<> R=virtual_user T=virtual_localdelivery S=1725
2010-10-27 19:57:53 1PARAc-0003IL-Ba Completed
2010-10-27 19:57:53 1PARAc-0003II-1j Unfrozen by errmsg timer
2010-10-27 19:57:54 1PARAc-0003II-1j => info <root@MYIPADRES> F=<> R=virtual_user T=virtual_localdelivery S=1516
2010-10-27 19:57:54 1PARAc-0003II-1j Completed


Hope this helps!
 
This particular email is being sent to the root account at your IP address, but Exim can't deliver email to your root account, so unless you have a forward created for it this email will always stay stuck in your queue until it expires.

It looks as if you've got some kind of firewall installed, and the message is to let you know that DE/Germany/i099.indigo.fastwebserver.de is blocked for port scanning. So this is not spam.

Once you fix your system so either your firewall won't send email, or it will send it to a deliverable address, you can concentrate on finding real spam.

To get a summary of email stuck in your queue:
Code:
# exim -bp | exiqsumm
Once you've got the summary you can try to figure out the spam. Look for large amounts of email stuck in the queue for something like aol.com, hotmail.com, etc.

Jeff
 
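As an added example (not from this thread, DirectAdmin or Exim's own tooling), a small Python parser for `exim -bp` output that does the triage Jeff describes: count queued mail per envelope sender and per recipient domain, and set aside frozen bounces from the null sender (like the undeliverable lfd report to root above) so they are not mistaken for spam. The queue listing and all sender and recipient addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed `exim -bp` listing (not a real queue). Per message: a header line (age,
# size, message id, <envelope sender>, optional "*** frozen ***"), then one indented
# line per recipient; a leading "D " marks a recipient that was already delivered.
SAMPLE_QUEUE = """\
25m  2.9K 1PB4IR-0008LK-5O <> *** frozen ***
          root@MYIPADRES

 3h   12K 1PBAAA-0001AA-Aa <newsletter@example.test>
          user1@aol.com
          user2@hotmail.com
        D user3@example.org

 2h   11K 1PBAAB-0001AB-Bb <newsletter@example.test>
          user4@aol.com

 1h  1.5K 1PBAAC-0002CC-Cc <alice@example.test>
          bob@example.org
"""
# age, size, 6-6-2 message id, <sender>, and whatever follows (e.g. the frozen marker)
HEADER_RE = re.compile(r"^\s*\S+\s+\S+\s+(\w{6}-\w{6}-\w{2})\s+<([^>]*)>(.*)$")

def parse_queue(text):
    """Turn exim -bp output into dicts: id, sender, frozen flag, still-pending recipients."""
    messages, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"id": m.group(1), "sender": m.group(2), "frozen": "frozen" in m.group(3), "recipients": []}
            messages.append(cur)
        elif cur is not None and line.strip() and not line.strip().startswith("D "):
            cur["recipients"].append(line.strip())
    return messages

def triage(messages):
    """Count queued mail per sender and per recipient domain; set aside frozen <> bounces."""
    by_sender, by_domain, frozen_bounces = Counter(), Counter(), 0
    for msg in messages:
        if msg["sender"] == "" and msg["frozen"]:
            frozen_bounces += 1  # bounce to a local address, like the stuck lfd mail to root
            continue
        by_sender[msg["sender"]] += 1
        for rcpt in msg["recipients"]:
            by_domain[rcpt.rpartition("@")[2].lower()] += 1
    return by_sender, by_domain, frozen_bounces

def suspects(by_sender, threshold=2):
    """Senders with at least `threshold` queued messages; review them with `exiqgrep -i -f` first."""
    return sorted(s for s, n in by_sender.items() if n >= threshold)
```

Run it against `exim -bp` output piped into `parse_queue`; large counts for freemail domains under one sender point at the account to shut down, while the frozen `<>` bounces only need a deliverable root forward.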