smtp spam problem maybe?

Chrysalis

OK, I have started getting spam; the From address is my own address, the same as the To address. I had a look at the email headers and the SMTP server used is my own server, so it looks like it's not spoofed but rather that they are somehow able to freely use the SMTP server.

From exim/mainlog

2005-10-29 14:07:31 SMTP connection from mail
2005-10-29 14:07:32 1EVqQl-000BGj-W9 <= [email protected] U=mail P=spam-scanned S=3089 [email protected] T="[email protected]" from <[email protected]> for [email protected]
2005-10-29 14:07:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1EVqQl-000BGj-W9
2005-10-29 14:07:33 1EVqQl-000BGj-W9 => blah ([email protected]) <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=3264
2005-10-29 14:07:33 1EVqQl-000BGj-W9 => blah2 ([email protected]) <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=3264
2005-10-29 14:07:33 1EVqQl-000BGj-W9 Completed
2005-10-29 14:07:33 1EVqQi-000B8O-Q6 => blah <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=3003
2005-10-29 14:07:33 1EVqQi-000B8O-Q6 Completed
2005-10-29 14:07:33 SMTP connection from pc-70-47-104-200.cm.vtr.net [200.104.47.70]:1434 I=[1.1.1.1]:25 closed by QUIT

Or is [email protected] the real sender, and they are not sending via the server?

Is there an easy way to stop spam appearing to come from your own email address on Exim?
 
Where are the IP#s? I don't see them in your cut-and-paste.

Are you using SpamBlocker? If so do you have your domain in /etc/virtual/whitelist_domains?

If so, take it out. Many admins think it's a good idea to put it in to make sure your users can use your server to send mail even if their sending IP would otherwise be blocked.

But it enables anyone to send email through your server using your domain. Unfortunately spammers know about this and use it.

Jeff
 
Not using SpamBlocker, and the IP is edited so I am not putting my IP on a public forum.
There were no other IPs in the logs other than the server IP.
We are now getting tons of these, with the From address set to the same as the To address and the subject set to the same; I may consider enabling SPF checking to stop it, as it's getting horrid, but I'm worried SPF will make too many false positives. It does seem to be a remote SMTP server now, but because the From email address is set to a local address it is not getting points on SpamAssassin.
 
Chrysalis said:
ip edited so I am not putting my ip on public forum.
It's hard to help you when you're not giving us the only information we can use to tell you where the email is coming from.
there was no other ip's in the logs other then the server ip.
Then unless you've modified the logging instructions in /etc/exim.conf, or unless the sender is spoofing their address (very hard to do), the email is originating on your server.
We are now getting tons of these now with from address set to same as to address and topic set to same,
If the mail is coming in through smtp, then the IP# of the originating server is between square brackets. If there's no set of square brackets, then the mail is coming in through what I call "direct injection"; that is it's being sent by a program on your server calling exim directly.

So if you see your server IP# in square brackets either you're being hit by a very sophisticated attack by someone who knows how to disassemble and reassemble packets on the fly so they look like they come from your IP# (very hard to do) or a program on your server is using smtp to send the spam through your external interface.

If the log lines don't have an IP# between square brackets then the mail is being injected locally.

You can use your firewall to disallow any connections from your IP# on any external interface, but doing so may block some legitimate programs. Specific instructions on how to do it will differ depending on your OS distribution, and are beyond the scope of this thread.
may consider enabling spf checking to stop it as its getting horrid but worried spf will make too many false positives.
If the IP#s don't exist in the logs, or if they're the right IP# for your domain, then SPF won't matter, as SPF only works on outside interfaces.

Also, strict SPF checking will mean that no one who uses their work email address while sending email through their ISP (including me when I send email from home) will be able to send you email. I've written over and over again that SPF is flawed. This is only one of the ways in which it's flawed.
It does seem to be a remote smtp server now
How do you determine that?

Jeff
 
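Jeff's rule above (an IP in square brackets means the message arrived over SMTP; no brackets means it was injected locally by a program calling exim) can be applied mechanically to the mainlog. What follows is an added example, not code from this thread, from Exim or from DirectAdmin. It assumes the stock Exim 4 mainlog format, in which an SMTP arrival carries `H=name (helo) [ip]` and `A=...` when the session authenticated, while a local injection carries `U=user` and no `H=` at all. `LOCAL_DOMAINS`, `TRUSTED_RELAYS` and `TRUSTED_LOCAL_USERS` are assumptions to edit for the server being checked, and the sample log lines are constructed in the shape of the excerpt above with placeholder addresses.

```python
"""Classify Exim mainlog arrival lines by origin and flag the pattern from this thread.

Added example, not code from the thread, Exim or DirectAdmin. It assumes the stock Exim 4
mainlog format: an arrival line contains "<=", a message that came in over SMTP carries
"H=name (helo) [ip]" (the IP always in square brackets) and "A=..." if the session
authenticated, while a locally injected message carries "U=user" and no "H=" at all.
"""
import re

# Assumptions for the example; edit to match the server being checked.
LOCAL_DOMAINS = {"example.com"}                       # domains this server accepts mail for
TRUSTED_RELAYS = {"127.0.0.1", "::1"}                 # peers allowed to send for those domains unauthenticated
TRUSTED_LOCAL_USERS = {"root", "mail", "exim"}        # Unix users expected to inject mail locally

# "<date> <time> <msgid> <= <envelope-sender> <key=value ...>"
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$"
)
# H= forms: "H=name [ip]", "H=name (helo) [ip]", "H=(helo) [ip]", "H=[ip]"
HOST_RE = re.compile(r" H=(?:(?P<name>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]")
USER_RE = re.compile(r" U=(?P<user>\S+)")
AUTH_RE = re.compile(r" A=(?P<auth>\S+)")
PROTO_RE = re.compile(r" P=(?P<proto>\S+)")


def classify(line):
    """Describe one arrival line; return None for lines that are not arrivals (=>, Completed, ...)."""
    m = ARRIVAL_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    host, user, auth, proto = (rx.search(rest) for rx in (HOST_RE, USER_RE, AUTH_RE, PROTO_RE))
    sender = m.group("sender").strip("<>")            # "<>" is the empty bounce sender
    sender_domain = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""
    info = {
        "id": m.group("id"),
        "sender": sender,
        "origin": "smtp" if host else "local",        # square brackets present => SMTP peer
        "ip": host.group("ip") if host else None,
        "user": user.group("user") if user else None,
        "protocol": proto.group("proto") if proto else None,
        "authenticated": auth is not None,
        "claims_local_domain": sender_domain in LOCAL_DOMAINS,
    }
    # The case in the thread: an unauthenticated remote peer handing in mail whose envelope
    # sender is one of our own domains. Our own users either authenticate (A=) or inject locally.
    remote_forgery = (
        info["origin"] == "smtp"
        and info["claims_local_domain"]
        and not info["authenticated"]
        and info["ip"] not in TRUSTED_RELAYS
    )
    # "Direct injection": no H= at all. The spam scanner re-injecting as U=mail is expected;
    # a web-server user such as apache injecting mail is worth a look.
    odd_local_user = info["origin"] == "local" and info["user"] not in TRUSTED_LOCAL_USERS
    info["suspicious"] = remote_forgery or odd_local_user
    return info


def scan(lines):
    """Message IDs of suspicious arrivals, in log order."""
    return [row["id"] for row in map(classify, lines) if row and row["suspicious"]]


# Constructed sample lines in the shape of the excerpt above, with placeholder addresses;
# they are not from a real log.
SAMPLE_LOG = [
    "2005-10-29 14:07:31 1EVqQi-000B8O-Q6 <= user@example.com H=pc-70-47-104-200.cm.vtr.net [200.104.47.70] P=smtp S=3003",
    "2005-10-29 14:07:32 1EVqQl-000BGj-W9 <= user@example.com U=mail P=spam-scanned S=3089",
    "2005-10-29 14:10:02 1EVqTM-000BH1-2a <= user@example.com H=(home-pc) [198.51.100.7] P=esmtpa A=plain:user@example.com S=1200",
    "2005-10-29 14:12:45 1EVqVw-000BHk-7Q <= sales@other.example H=mx.other.example (mx.other.example) [203.0.113.9] P=esmtp S=2100",
    "2005-10-29 14:15:10 1EVqYF-000BJ2-0x <= user@example.com U=apache P=local S=512",
    "2005-10-29 14:15:11 1EVqYF-000BJ2-0x => user <user@example.com> R=virtual_user T=virtual_localdelivery S=600",
]

if __name__ == "__main__":
    for row in filter(None, map(classify, SAMPLE_LOG)):
        print(f"{row['id']} {row['origin']:5} ip={row['ip']} user={row['user']} "
              f"auth={row['authenticated']} suspicious={row['suspicious']}")
```

Run against the real `/var/spool/exim/mainlog` (or wherever the distribution puts it), only the first sample line is the situation in this thread: a remote, unauthenticated peer handing in mail for a local domain. The `U=mail P=spam-scanned` line is the spam scanner re-injecting the same message, which is why the original poster sees "from mail" even for genuine mail.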
I am not fully sure, but look at this line.

2005-10-29 14:07:33 SMTP connection from pc-70-47-104-200.cm.vtr.net [200.104.47.70]:1434 I=[1.1.1.1]:25 closed by QUIT

The 1.1.1.1 is the server's network IP address; that's all you need to know. 200.104.47.70 is the IP of whatever connected to the server to send the email, so I did give you that information. What I ideally need to know is: does the above line mean someone connected to my SMTP server and then sent the email from it, or is that a remote SMTP server connecting to me that is sending the email?

I found a few more of these emails which SpamAssassin did catch, addressed to different email addresses but the same domain.

I assumed SPF would work provided it is a remote SMTP server being used, since it would pick up that the sending server isn't authorised to send the email. But I am aware of the downside of enabling SPF checking, so I left it disabled.

Also, from one of the email headers:

Received: from localhost.localdomain (HELO localhost.localdomain [127.0.0.1])
by diabolic.168city.com (Mostfix) with ESMTP id BAD7653BFF

My server doesn't have localhost set to localhost.localdomain, so that does seem to indicate my original fears were wrong; I just need to get a good way to reliably mark these as spam. Now that SpamBlocker v2 is released with the GUI plugin, that is likely going to be my next step. Would SpamBlocker work better against these emails?

The email in question I am looking at now has nothing in the body, the From and To are the same, the subject is set to the email address, and it has 2 attachments named after the email address, ending in .dat.

X-Spam-Status: No, score=1.5 required=5.0 tests=EMPTY_MESSAGE,
MIME_HEADER_CTYPE_ONLY autolearn=no version=3.1.0
Received: from c-24-22-62-40.hsd1.wa.comcast.net ([24.22.62.40]:3396)
by x.x.x with smtp (Exim 4.54)
 
Note that it's not my intention, nor is it within my ability to spend the time... to solve your spam problems. We happily search these issues for our clients at our regular hourly rate and we can't take the time to do all the detail work as a favor.
Chrysalis said:
2005-10-29 14:07:33 SMTP connection from pc-70-47-104-200.cm.vtr.net [200.104.47.70]:1434 I=[1.1.1.1]:25 closed by QUIT
and
What I ideally need to know is does the above line mean someone connected to my smtp server and then sent the email from it or is that a remote smtp server connecting to me that is sending the email.
A system at 200.104.47.70 attempted to connect to your server, and your server closed the connection.

This will not tell you if it's one of your customers connecting from that system (if it's a desktop system), or if it's a remote server. SMTP just doesn't understand the difference.
Also from one of the email header's.

Received: from localhost.localdomain (HELO localhost.localdomain [127.0.0.1])
by diabolic.168city.com (Mostfix) with ESMTP id BAD7653BFF

My server doesn't have localhost set to localhost.localdomain, so that does seem to indicate my original fears were wrong; I just need to get a good way to reliably mark these as spam.
You can only trust the topmost "Received:" header in an email; all the rest could have been forgeries.

I can't tell you how to reliably mark them as spam, because I don't know of any reliable way, including SpamBlocker, to mark spam.

But using SpamBlocker2 you can certainly block the IP in a local blocklist.
Now spamblocker v2 is released with the gui plugin that is likely going to be my next step. Would spamblocker work better against these email's?
Once you've entered the IP#s into the local blocklist it would. Absolutely.
The email in question I am looking at now has nothing in the body, the From and To are the same, the subject is set to the email address, and it has 2 attachments named after the email address, ending in .dat.
You can have exim return mail with attachments, or filter it out for examination. But it would then do it for all attachments, not just certain ones.

Jeff
 
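Jeff's point that only the topmost Received: header can be believed is what separates the two header snippets in this thread: the `c-24-22-62-40.hsd1.wa.comcast.net ([24.22.62.40]...)` line was stamped by the recipient's own Exim, while the `localhost.localdomain ... [127.0.0.1]` line sits below it and could have been typed in by the sender. The following is an added example, not code from this thread, from Exim or from SpamBlocker. It walks the Received: chain topmost-first, believes only the hop our own host stamped, and flags the two things this thread is about: an unauthenticated outside peer handing in mail whose From: is one of our domains, and a lower hop that claims our own loopback or hostname. `OUR_HOSTS`, `TRUSTED_IPS` and `OUR_DOMAINS` are assumptions, and the sample message is constructed from the header shapes quoted above.

```python
"""Walk a message's Received: chain, trusting only the hop stamped by our own server.

Added example, not code from the thread, Exim or SpamBlocker. The assumed convention is
the one Exim follows: each MTA prepends its own Received: header, so the topmost one is
ours and everything below it was supplied by the peer and may be forged.
"""
import email
import re
from email.utils import parseaddr

# Assumptions for the example; edit for the server being checked.
OUR_HOSTS = {"mail.example.com"}          # hosts whose Received: stamps we wrote ourselves
TRUSTED_IPS = {"127.0.0.1", "::1"}        # peers allowed to hand in mail for our domains unauthenticated
OUR_DOMAINS = {"example.com"}             # domains we host

FROM_RE = re.compile(r"^from\s+(?P<name>\S+)", re.I)
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
# Exim writes "with esmtpa" / "with esmtpsa" when the SMTP session authenticated.
AUTH_RE = re.compile(r"\bwith\s+e?smtps?a\b", re.I)


def parse_received(value):
    """Claimed peer name, peer IP in square brackets, receiving host and auth flag of one hop."""
    flat = " ".join(value.split())        # unfold continuation lines
    name = FROM_RE.match(flat)
    ip = IP_RE.search(flat)
    by = BY_RE.search(flat)
    return {
        "from": name.group("name") if name else None,
        "ip": ip.group("ip") if ip else None,
        "by": by.group("by").rstrip(";") if by else None,
        "authenticated": AUTH_RE.search(flat) is not None,
        "raw": flat,
    }


def received_chain(raw_message):
    """Hops in header order: index 0 is the topmost, i.e. the most recent, i.e. ours."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def judge(raw_message):
    """Return the parsed chain plus (code, detail) findings for the patterns in this thread."""
    msg = email.message_from_string(raw_message)
    chain = received_chain(raw_message)
    findings = []
    if not chain:
        return {"chain": chain, "findings": [("no_received", "no Received: header at all")]}
    top = chain[0]
    if top["by"] is None or top["by"].lower() not in OUR_HOSTS:
        findings.append(("foreign_top_stamp",
                         f"topmost Received: stamped by {top['by']}, not by one of our hosts"))
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if from_domain in OUR_DOMAINS and top["ip"] not in TRUSTED_IPS and not top["authenticated"]:
        findings.append(("unauthenticated_local_claim",
                         f"peer {top['ip']} handed in mail claiming From: {from_domain} without authenticating"))
    # Everything below our own stamp is hearsay; a hop claiming our loopback or our hostname
    # down there is the classic forged header, not evidence that the mail originated locally.
    for hop in chain[1:]:
        if hop["ip"] in TRUSTED_IPS or (hop["by"] and hop["by"].lower() in OUR_HOSTS):
            findings.append(("untrusted_lower_hop",
                             f"lower hop claims {hop['ip']} via {hop['by']}; unverifiable, ignore it"))
    return {"chain": chain, "findings": findings}


# Constructed sample built from the header shapes quoted in the thread; not a real message.
SAMPLE_MESSAGE = """\
Received: from c-24-22-62-40.hsd1.wa.comcast.net ([24.22.62.40]:3396)
    by mail.example.com with smtp (Exim 4.54)
    id 1EVqQi-000B8O-Q6
    for user@example.com; Sat, 29 Oct 2005 14:07:31 +0100
Received: from localhost.localdomain (HELO localhost.localdomain [127.0.0.1])
    by diabolic.168city.com (Mostfix) with ESMTP id BAD7653BFF
From: user@example.com
To: user@example.com
Subject: user@example.com

"""

if __name__ == "__main__":
    result = judge(SAMPLE_MESSAGE)
    for i, hop in enumerate(result["chain"]):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} by={hop['by']} auth={hop['authenticated']}")
    for code, detail in result["findings"]:
        print(f"{code}: {detail}")
```

The forged lower hop is the one that misled the original poster: its `[127.0.0.1]` never touched his server. The decision rests entirely on hop 0, where the peer IP is the outside address and the session did not authenticate.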
Thanks for your reply, and I understand what you were saying. The first Received header says from mail on the server; I assume the user 'mail'. This would then indicate internal again. However, genuine emails all say the same thing, and I think it says from 'mail' because it has been passed from SpamAssassin. So I think it does look like it's from an external SMTP server. The spam problem is one thing, but my initial concern was that someone had found a way to use my SMTP server to send spam.

Unfortunately, blacklisting IP addresses will be ineffective since it changes with each email, but luckily these emails now seem to have stopped.
 