Spam protection methods

lonerunner (Verified User, joined Nov 16, 2010, 56 messages)
I'm administrating one hosting server with over 1000 email user accounts.
From the start of administration I have been fighting with spam protection; some methods work, some methods don't work, and some methods work for some time and then become unusable.
I tried a thousand methods for spam protection: installing SpamAssassin, blocking domain names, blocking some words, configuring the exim config, etc... and I forgot what I did and what I changed and configured.
Now I updated DirectAdmin, and it looks like I overwrote some files, so again I have big problems with spam protection.
Can someone post here methods for how I can get protected from spamming, flaming, scanning of email accounts and other such things on my server, and for blocking those spammers in any way possible?
In the meantime I will google and search here on the forum for what I can do and what info I can gather.
 
Personally I use my own SpamBlocker exim.conf file, Version 4, for DirectAdmin, available here (nobaloney.net), and the default installations of both SpamAssassin and ClamAV.

My main domain (nobaloney.net) has been around for eleven years, eleven months, and 19 days (as of today :)), and on these forums alone I've got almost 23,000 instances of one of my email addresses in plain text, yet I get almost no spam. While your results may vary, I highly recommend these steps; they work well for me.

Jeff
 
As always, jlasman is here to answer.

I already followed your instructions a few times earlier, and it appears that your instructions always give good results. I already used your exim.conf file, activated the firewall and SpamAssassin, and for some time I was almost free of spam.

A few days ago I updated DirectAdmin from v1.36 to the latest (1.39), and I guess the updated version overwrote some files I had changed and configured.

From that version on it started again. One night I checked the server and there were no messages; when I woke up and checked my email I had 200 emails about brute force attacks. I went to check the server and email and I saw 20 pages of spam email queued for sending.

I was searching the internet the whole day for solutions and I found one possible solution here: http://help.directadmin.com/item.php?id=380
I configured the files according to the instructions above, and I see the IPs blocked in the firewall are updating; I get less spam, but I still had 5 pages of spam when I woke up today.
Some users recommend CSF: http://www.configserver.com/cp/csf.html
 
I forgot to mention that the brute force monitor reports only hundreds of attacks on exim and dovecot.
 
Nothing in my SpamBlocker exim.conf file for DirectAdmin will block outgoing email. If you're sending email, then something on your server has been hacked.

Jeff
 
I don't know if it's hacked or not; currently I have less spam, but I have 250 emails about brute force attacks.
Here is an example of what is currently in the mail queue:
[screenshot: sshot-1.png]
And here is what I get when I open one of these emails:
[screenshot: sshot-2.png]
Here in detail is what is in the E-mail Headers:
E-Mail Headers
1RIOrP-00021m-J7-H
mail 8 12
<[email protected]>
1319479375 0
-helo_name 100927a
-host_address 123.11.66.203.4527
-host_auth login
-interface_address 85.17.122.1.25
-received_protocol esmtpa
-body_linecount 234
-auth_id [email protected]
-host_lookup_failed
XX
1
[email protected]

225P Received: from [123.11.66.203] (helo=100927a)
by hosting.bankerinter.net with esmtpa (Exim 4.67)
(envelope-from <[email protected]>)
id 1RIOrP-00021m-J7
for [email protected]; Mon, 24 Oct 2011 20:03:00 +0200
051 disposition-notification-to: [email protected]
017 returnreceipt: 1
018 mime-version: 1.0
036F from: eltus <[email protected]>
038S sender: eltus <[email protected]>
044T to: santafiora <[email protected]>
033 date: 25 Oct 2011 02:08:22 +0800
038 subject: =?utf-8?B?YnVvbmdpb3Jub18=?=
039 content-type: text/html; charset=utf-8
034 content-transfer-encoding: base64
 
Is 123.11.66.203 on your server? Is hosting.bankerinter.net on your server? Is studiofiori.com on your server? Is santafiora a valid user on studiofiori.com?

As I wrote above, it appears that exim is trying to deliver the email off the server but can't find the server it's looking for (host_lookup_failed).

Jeff
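The spool dump quoted above already answers most of these questions, and it is worth reading it with Exim's -H file layout in mind: received_protocol esmtpa together with host_auth login and auth_id mean the message was submitted over SMTP AUTH with a valid username and password, host_address is the submitting client's IP with the source port appended after a dot, and host_lookup_failed records that the reverse DNS lookup of that client IP failed. The following script, added here as an example and not code from DirectAdmin, Exim or the SpamBlocker exim.conf, parses such -H files and groups queued mail by the authenticating account, which is the quickest way to see whether one stolen password (many hosts, one auth_id) or many weak ones (many auth_ids) is behind a full queue. The two records in SAMPLE_SPOOL are constructed, with example.net/example.org standing in for the real names.

```python
"""Summarise who injected the mail sitting in Exim's queue, from its -H spool files.
Example code added for this thread; not from DirectAdmin, Exim or the SpamBlocker
exim.conf. It follows the Exim spool header-file layout; SAMPLE_SPOOL holds two
constructed records (example.net/example.org names stand in for real ones)."""
import re
from collections import defaultdict

# Each header line is "<3-digit length><flag> <text>"; the flag is a space if unused.
HEADER_RE = re.compile(r"^(\d{3})(.) (.*)$")


def parse_spool_header(text):
    """Parse one -H file into id, sender, -options, flags, recipients, headers."""
    lines = text.splitlines()
    rec = {"id": lines[0][:-2] if lines[0].endswith("-H") else lines[0],
           "sender": lines[2].strip().strip("<>"),
           "options": {}, "flags": set(), "recipients": [], "headers": []}
    i = 4                                    # line 1 is "login uid gid", line 3 is the time
    while lines[i].startswith("-"):          # "-name value" or a bare "-name" flag
        key, _, value = lines[i][1:].partition(" ")
        if value:
            rec["options"][key] = value
        else:
            rec["flags"].add(key)            # e.g. host_lookup_failed, local
        i += 1
    while not lines[i].isdigit():            # skip the non-recipient tree ("XX" when empty)
        i += 1
    count = int(lines[i])
    rec["recipients"] = [lines[i + 1 + k].strip() for k in range(count)]
    for line in lines[i + count + 2:]:       # after the recipients and the blank line
        m = HEADER_RE.match(line)
        if m:
            rec["headers"].append((m.group(2).strip(), m.group(3)))
        elif rec["headers"]:                 # folded continuation line of a header
            flag, body = rec["headers"][-1]
            rec["headers"][-1] = (flag, body + " " + line.strip())
    # -host_address is written as "ip.port"; split the port off the end
    ip, _, port = rec["options"].get("host_address", "").rpartition(".")
    rec["host_ip"], rec["host_port"] = ip, port
    return rec


def authenticated_senders(records):
    """Group SMTP AUTH (esmtpa/esmtpsa) submissions by auth id. One id submitting
    from several unrelated hosts, or from hosts with no reverse DNS, means the
    password is being used by someone other than the account owner."""
    summary = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                   "hosts": set(), "lookup_failed": 0})
    for r in records:
        if r["options"].get("received_protocol") not in ("esmtpa", "esmtpsa"):
            continue                         # local/script or unauthenticated mail
        s = summary[r["options"].get("auth_id", "<none>")]
        s["messages"] += 1
        s["recipients"] += len(r["recipients"])
        s["hosts"].add(r["host_ip"])
        s["lookup_failed"] += "host_lookup_failed" in r["flags"]
    return dict(summary)


SAMPLE_SPOOL = [  # constructed; the first record mirrors the thread's header dump
"""1RIOrP-00021m-J7-H
mail 8 12
<eltus@example.net>
1319479375 0
-host_address 203.0.113.7.4527
-host_auth login
-received_protocol esmtpa
-auth_id eltus@example.net
-host_lookup_failed
XX
1
santafiora@example.org

225P Received: from [203.0.113.7] (helo=100927a)
\tby mail.example.net with esmtpa (Exim 4.67)
036F from: eltus <eltus@example.net>
""",
"""1RIOsb-00021q-Aa-H
mail 8 12
<eltus@example.net>
1319479500 0
-host_address 198.51.100.23.51002
-host_auth login
-received_protocol esmtpa
-auth_id eltus@example.net
XX
2
a@example.org
b@example.org

036F from: eltus <eltus@example.net>
""",
]

if __name__ == "__main__":
    records = [parse_spool_header(t) for t in SAMPLE_SPOOL]
    for auth_id, s in authenticated_senders(records).items():
        print(auth_id, s["messages"], "msgs,", s["recipients"], "rcpts, from",
              sorted(s["hosts"]), "- failed reverse lookup:", s["lookup_failed"])
```

On a real server feed it every file ending in -H under the Exim spool input directory (/var/spool/exim/input on typical DirectAdmin installs; with split_spool_directory set, the files sit one level deeper), or only the ids printed by `exim -bp`. An auth id that shows up from several unrelated client IPs, as eltus@example.net does in the sample, is a changed-password job for that user; many different auth ids each with one foreign host means weak passwords across the board.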
 
Like you said, exim is trying to deliver email off the server but can't find the server it's looking for, so I get back messages with host lookup failed.

But the sender is [email protected] and the receiver is [email protected]:

036F from: eltus <[email protected]>
038S sender: eltus <[email protected]>
044T to: santafiora <[email protected]>

and [email protected] is from my server, and hosting.bankerinter.net is my server. I get a lot of messages like this, and who knows how many messages are delivered to the receivers. And I don't get messages only for one user (eltus); I get messages for a lot of users with usernames from my server.

Maybe I'm wrong, but this looks to me like I have spam messages, or am I seeing things wrong here?
 
Did you ever check studiofiori.com? If you did, you would have found that it's not an active domain; it's listed for sale. So it's reasonable that it can't be found; among other issues, there's no MX record for it.

If you've set up everything correctly, then your server may have a hacked page or PHP program on it somewhere which is being used to send spam.

Possibly the result will be that something on your server has been compromised; possibly it will be that someone has found out the password for [email protected] and is sending spam through your server using that sender. Possibly it's something as simple as the domain name bankerinter.net being in one of your whitelists and someone having discovered that and taking advantage of it.

The only way for me or others here to find and fix it is to log in and do some forensic (investigative) work on your system. That takes time, and costs money.

If you're interested in having me look at your server, then please send an email request, and I'll send you information about our pricing and how to hire us.

Jeff
 
This is what I was talking about when I said that I get emails like this for a lot of different users from my server.

[screenshot: sshot-6.png]

Is it possible that all these users are using passwords that are easy to breach?

About professional help, I will have to talk with my boss.
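The question of guessed passwords, together with the earlier note that the brute force monitor reports hundreds of attacks on exim and dovecot, can be answered from the mail log rather than by guessing: Exim logs every failed AUTH attempt and, on the "<=" arrival line of each accepted message, the authenticator and account used (A=login:user). A client IP that fails AUTH many times and then gets a message accepted under some account has almost certainly guessed that account's password. The script below, an example added here and not part of DirectAdmin, Exim, CSF or the brute force monitor, correlates the two. Its regexes follow the Exim 4 mainlog wording and the SAMPLE_LOG lines are constructed; compare both against your own /var/log/exim/mainlog before trusting the output, since the exact text varies between Exim versions.

```python
"""Correlate failed SMTP AUTH attempts with later authenticated submissions in
Exim's mainlog to spot accounts whose password has been guessed.
Example code added for this thread; not from DirectAdmin, Exim, CSF or the brute
force monitor. The patterns follow the Exim 4 mainlog wording ("<auth> authenticator
failed for ..." and the "<=" arrival line with P= and A=); SAMPLE_LOG is constructed.
Compare them with your own /var/log/exim/mainlog before relying on the results."""
import re
from collections import Counter, defaultdict

FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<auth>\S+) authenticator failed for .*?"
    r"\[(?P<ip>[^\]]+)\].*?(?:\(set_id=(?P<user>[^)]*)\))?$")
ARRIVE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\] "
    r"P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?")


def analyze(lines, threshold=5):
    """Walk the log in order. An authenticated arrival (A=...) from an IP that
    already produced `threshold` or more AUTH failures is reported as a guessed
    password; hosts_per_user shows which addresses each account submits from."""
    failures = Counter()              # failed AUTH attempts per source IP
    guessed = defaultdict(set)        # account names tried from that IP
    hosts_per_user = defaultdict(set)
    findings = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            failures[m["ip"]] += 1
            if m["user"]:
                guessed[m["ip"]].add(m["user"])
            continue
        m = ARRIVE_RE.match(line)
        if not m or not m["auth"]:    # unauthenticated (inbound) mail, not a submission
            continue
        user = m["auth"].partition(":")[2] or m["auth"]   # "login:user" -> "user"
        hosts_per_user[user].add(m["ip"])
        if failures[m["ip"]] >= threshold:
            findings.append({"user": user, "ip": m["ip"], "message": m["id"],
                             "failures_before": failures[m["ip"]],
                             "guessed": sorted(guessed[m["ip"]])})
    return {"findings": findings, "failures": dict(failures),
            "hosts_per_user": {u: sorted(h) for u, h in hosts_per_user.items()}}


# Constructed sample in Exim 4 mainlog style: six AUTH failures from one host,
# then an accepted message authenticated as eltus@example.net from that host.
SAMPLE_LOG = """\
2011-10-24 19:58:01 login authenticator failed for (100927a) [203.0.113.7]: 535 Incorrect authentication data (set_id=info@example.net)
2011-10-24 19:58:03 login authenticator failed for (100927a) [203.0.113.7]: 535 Incorrect authentication data (set_id=info@example.net)
2011-10-24 19:58:05 login authenticator failed for (100927a) [203.0.113.7]: 535 Incorrect authentication data (set_id=eltus@example.net)
2011-10-24 19:58:07 login authenticator failed for (100927a) [203.0.113.7]: 535 Incorrect authentication data (set_id=eltus@example.net)
2011-10-24 19:58:09 login authenticator failed for (100927a) [203.0.113.7]: 535 Incorrect authentication data (set_id=eltus@example.net)
2011-10-24 19:58:11 login authenticator failed for (100927a) [203.0.113.7]: 535 Incorrect authentication data (set_id=eltus@example.net)
2011-10-24 20:03:00 1RIOrP-00021m-J7 <= eltus@example.net H=(100927a) [203.0.113.7] P=esmtpa A=login:eltus@example.net S=9123 id=001@100927a
2011-10-24 20:04:10 plain authenticator failed for (laptop) [198.51.100.23]: 535 Incorrect authentication data (set_id=anna@example.net)
2011-10-24 20:04:30 1RIOsb-00021q-Aa <= anna@example.net H=(laptop) [198.51.100.23] P=esmtpsa A=plain:anna@example.net S=2048 id=abc@laptop
2011-10-24 20:05:00 1RIOt0-00021t-Bb <= news@example.com H=mx.example.com [192.0.2.50] P=esmtp S=4096 id=xyz@example.com
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for f in result["findings"]:
        print(f"{f['user']} accepted from {f['ip']} after {f['failures_before']} "
              f"AUTH failures (message {f['message']}); names tried: {f['guessed']}")
```

A single typo by a legitimate user (anna@example.net in the sample) stays below the threshold and is not reported, which is the reason for counting failures per IP before the success rather than flagging every failure. Accounts listed in findings need their password changed and their queued mail removed; the hosts_per_user map is also useful on its own, since a mailbox that normally submits from one home or office address and suddenly submits from a dozen countries has been taken over even if the attacker never tripped the failure threshold.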
 