spamscan outgoing mail

mo.mentum

Hello!

We're having some difficulties with local ISPs blocking our IPs, so they do not receive emails from our servers. After speaking to them, they're saying a huge amount of spam is leaving our machines and suggested I install SpamAssassin or equivalent to scan OUTGOING mail. Is this possible? I wasn't aware of that.
 
If you are in Quebec, Canada, I bet it is videotron.ca.

I've got the same problem and am trying to find a solution.
 
You're exactly right. I've been speaking to the Departement de Securite, and they showed me the stats that apparently 90% of mail coming out of my servers is spam. They're gonna send me samples now so I can try to figure it out.

But they recommended I install anti-spam on outgoing mail.
 
If your server is sending spam it's most likely sending out much more email than SpamAssassin will be able to process without bringing your server to its knees. Better find out who's sending spam, and get rid of them.

Jeff
 
I totally agree. Other than staring at /var/log/exim/main_log and trying to figure out who's the spammer, any suggestions?

,m
 
For each <username>:
Code:
# grep -c <username> /var/log/exim/mainlog
This will give you a count for how many lines are in the log for each user. The huge one is the problem :) .

Jeff
 
Thanks Jeff.

I did what you suggested, and the users with the highest results are:
user1 1238
root 5800
mail 12000

OK, user1 I managed; he doesn't spam, but he had a lot of redirections where spam was redirected, so I deleted them.


I use eximstats to get a readable log. I want to know if it is normal to have an empty F=<>.
Example:
------------------
[email protected] F=<> R=lookuphost T=remote_smtp:
SMTP error from remote mail server after RCPT TO:<[email protected]
---------------------

Another question:
How can I know if the server is being used to relay spam, not as an open relay but by a malicious script or something like that?

Here is the report from eximstats:
Top 50 local senders by volume
------------------------------

3627 215MB mail
265 13MB apache
1282 1058KB root
62 915KB majordomo
409 288KB azcghhd
4 7766 diradmin
8 5872 etudiante
6 4538 poitras
 
First of all, a blank <> from field generally indicates a return of an undelivered email sent by Mailer-Daemon. A properly configured DA system shouldn't have too many of these, but you may get a few in a normal system.

Second of all, the mail user is generally responsible for sending back undeliverable email, and again, a properly configured DA system shouldn't have many.

So you may have a script on your server attempting to send spam to nondeliverable addresses, and then trying to return the nondeliverable email to the (usually forged) sender.

Do you have a standard configuration for exim and exim.conf, or have you made changes or have you had someone else make changes?

DA's SpamBlocker shouldn't allow undeliverable email to be accepted on your server.

DA's SpamAssassin shouldn't allow undeliverable email to be accepted on your server.

Have you installed either ClamAV or some other virus checker?

Jeff
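
Added example (not part of any post in this thread): instead of running grep -c once per username, this script tallies Exim arrival lines ("<=") per local submitting user and counts how many of each user's messages carry the null sender <>, i.e. are bounces. The log lines, addresses and message IDs below are constructed, and the field positions assume Exim's default main log layout.

```shell
#!/bin/sh
# Rank local submitters in an Exim main log and show how many of each
# user's messages are bounces (null envelope sender "<>").
# Assumed layout: date time msgid "<=" sender field field ...

tally_local_senders() {   # $1 = path to an Exim main log
    awk '
        $4 == "<=" {
            user = ""; islocal = 0
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^U=/)      user = substr($i, 3)
                if ($i ~ /^P=local/) islocal = 1
            }
            if (!islocal || user == "") next   # skip mail that arrived over SMTP
            total[user]++
            if ($5 == "<>") bounce[user]++     # locally generated bounce
        }
        END { for (u in total) printf "%s %d %d\n", u, total[u], bounce[u] + 0 }
    ' "$1" | LC_ALL=C sort -k2,2nr -k1,1       # busiest user first
}

write_sample_log() {      # $1 = output path; constructed lines, not real data
    cat > "$1" <<'EOF'
2005-03-01 10:00:01 1D6aaa-0001aa-AA <= webmaster@example.com U=apache P=local S=2048
2005-03-01 10:00:02 1D6aaa-0001aa-AA ** forged@example.org F=<webmaster@example.com> R=lookuphost T=remote_smtp: SMTP error
2005-03-01 10:00:05 1D6aab-0001ab-AB <= <> R=1D6aaa-0001aa-AA U=mail P=local S=3100
2005-03-01 10:00:06 1D6aab-0001ab-AB ** forged@example.org F=<> R=lookuphost T=remote_smtp: SMTP error
2005-03-01 10:01:00 1D6aac-0001ac-AC <= <> R=1D6aax-0001ax-AX U=mail P=local S=2900
2005-03-01 10:02:00 1D6aad-0001ad-AD <= user1@example.com U=user1 P=local S=900
2005-03-01 10:03:00 1D6aae-0001ae-AE <= remote@example.net H=mail.example.net [192.0.2.30] P=esmtp S=1500
EOF
}

# Stand-alone run: print "user messages bounces" for the sample log.
sample=$(mktemp)
write_sample_log "$sample"
echo "user messages bounces"
tally_local_senders "$sample"
rm -f "$sample"
```

A user whose bounce count is close to its message count (typically the mail user) is returning undeliverable mail rather than originating it; the user that submitted the original messages is the one to investigate.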
 
Heya.

No, I didn't add ClamAV or any virus checker. Nor did I change any exim confs; I'm using defaults. Same for SpamAssassin.

Is it OK to use both SA and SpamBlocker?

It seems SA is being very ineffective, letting too much through!
 
You can use both SpamAssassin and SpamBlocker.

Both are included in the DA exim.conf file, and both are turned off by default.

Jeff
 
Looking through the forums here, to turn on SpamBlocker you just need to download the special SpamBlocker exim.conf, or am I missing something?

And I'm not talking about the plugin, obviously.
 
The SpamBlocker exim.conf file comes with DirectAdmin. Depending on the age of your install it's possible you've already got the latest version.

Be sure to look through exim.conf; before using it for SpamBlocker you need to change a lot of URLs for example.com, and create your own destination page for people to go to if they ever receive bounces.

Jeff
 
I had the same problem. Here's what I found:

Some users had their email messages (on our server) forwarded to their home address @videotron.ca. These users had SpamAssassin disabled. Now all the spam they got @ourserver.com was being redirected @videotron.ca, therefore being considered as spam coming from our server.

Now the way Videotron works is that they evaluate the amount of spam they get from a particular IP. The higher the amount of spam is, the lower the bandwidth you get from them.

So let's say that 60% of all messages sent to Videotron from your server are considered spam, you will get (I don't know exactly) about 40% of Videotron's bandwidth to their email server. Therefore, you'll get some timeout from time to time.

Now it's not impossible to get that spam level down. You might want to call Videotron security center (877-551-8019) or you can also fix the problem, send a few "good emails" @videotron.ca and wait for your spam level to come down.

Now sorry for my English, I speak French.

Hope this helps!
 
Hi.

That is what I ended up doing after a long conversation with Videotron security department. Anyway, I got my client to activate SpamAssassin for all customers on his machine, and I also added the SpamBlocker config to his exim. Waiting on Videotron to resend me the spam ratio... they're painfully slow sometimes.
--
Mohamad Salamé <http://www.netelligent.ca>
Netelligent - Technology Director
514.369.2209

"How far that little candle throws his beams!
So shines a good deed in a naughty world."
-- W. Shakespeare, The Merchant of Venice
 
Did your client work out a way to activate SpamAssassin in all accounts without having to log in to each of them manually?
 
Haha. No. We were actually wondering about that, but he ended up doing it for each account. Took a while..
 
We (and just about everyone else) have a similar problem with AOL.

What happens is that the user forwards his domain email to his account on AOL. Then when he sees it's spam, he clicks on This is Spam (or whatever it says; I don't use AOL so I don't know the exact words). AOL notices the last IP# was ours, so by default they blocklist us.

However you can sign up at postmaster.aol.com to get the spam forwarded to you each time instead.

That's what we do. We're inundated with sometimes over a hundred emails a day.

But the good news is we don't have to do anything with them most of the time because that's all AOL does is forward them to us.

AOL doesn't tell you their user's email information but sometimes you can find it imbedded in the spams you get.

And they're all sent from the same return address, so you can forward them to one mailbox (we do it one mailbox for each server, simply using the Kmail filters). And if there's less than hundreds for each machine you know it's not really spam moving through your server, but simply emails your customer marked as spam in their AOL account.

We delete them daily.

If we get thousands, of course we know there's a problem and we look for it.

It's a great early warning system too, to tell if anyone's using your server to send spam, because everyone targets AOL addresses.

Jeff
 