Stephen J. Turnbull wrote:

> Paul via Mailman-users writes:
>
> > I am getting a lot of such from my mail server mail queue lately
> >
> > 4d08rT4xMHzMCD6S 2393 Mon Nov 3 01:43:21
> > [email protected]
> > (host mx-aol.mail.gm0.yahoodns.net[67.195.228.84] said:
> > 421 4.7.0 [TSS04] Messages from my-mail-server-IP temporarily
> > deferred due to unexpected volume or user complaints - 4.16.55.1
>
> If "my-mail-server-IP" is in fact your mail server's IP, then you may
> have a problem: spammers may be using your server as a relay for
> spoofed emails.
>
> Are these the only entries for those messages in your logs when your
> system contacts the Yahoo MTAs? It may be useful to increase the
> verbosity of the MTA's logging if so. Also double-check whether these
> events seem to be correlated with any entries in the Mailman logs.
>
> > This is becoming problematic because I am currently being blocked on
> > Yahoo domains.
>
> This is the natural result if your server is being abused in that
> way.
>
> Are you seeing similar events for non-Yahoo-managed recipients? If
> not, that's pretty strange.
>
> > My setup is as follows:
> > I host a mailman3 list server which uses our mail server as a
> > relay.
>
> Do you manage the mail server itself? What software do you use
> for your MTA (Postfix, Exim4, Sendmail, qmail are common MTAs)?
>
> Does your MTA allow relaying from other hosts? This includes
> accepting submissions from remote logged-in users (usually port
> 587, the submission service, but sometimes port 465, smtps/ssmtp).
> (Mailman is *not* a relay according to the definition used in the
> email system. It involves accepting the message, processing it
> locally, and *reinjecting* the message into the Internet mail
> system. In a relay, the message gets no local processing outside
> the MTA itself, and is immediately forwarded on to the "next
> hop".)
>
> Try to correlate these bounces with incoming messages, including
> from logged-in users (either local shell users or remote via
> authenticated mail). Perhaps you can block their sources,
> although spammers usually use botnets to frustrate that kind of
> defense. If you can't find the source, that's a big problem.
>
> What kind of user accounts with shell login access are present on
> your mail server? (Generally we advise limiting these to root
> and a small number of personal accounts for host admins.) Shell
> access should be SSH-only, using public key authentication. Are
> there any suspicious logins around the times the spam messages are
> known to have been sent to Yahoo?
>
> For future reference, answers to the below may be helpful in deciding
> what you can do to frustrate the spammers.
>
> Is Mailman used for business communication, or are these messages
> within a discussion group? What other mail flows does your server
> handle (i.e., personal to/from for members of your organization,
> business marketing, business transactions including customer
> support, other)?
>
> Do you have SPF set up for your server's IP?
>
> Do you have DKIM set up for your server's domain(s)?
1. Strangely, so far I only see the Yahoo domain in the spam.
2. I use Postfix as the MTA.
3. The MTA only relays for a specific list of senders.
4. It is a production mail server, so we have most of those controls in place, i.e. DKIM, SPF.
5. I have not identified any suspicious logins; the bad actors must be using the subscription option on my mailing lists' info page.

_______________________________________________
Mailman-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
Archived at: https://lists.mailman3.org/archives/list/[email protected]/message/WSW4IEFVXLC52FWYYBVZQQ6F7CQJU5J6/
This message sent to [email protected]
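Stephen's advice is to tie each Yahoo 421 deferral back to the message that caused it and to where that message entered the server (the Mailman reinjection, an authenticated submission user, or something unexpected). The following is an added example for doing that against a Postfix mail.log; it is not code from the thread, from Mailman, or from Postfix. It joins the `smtpd` `client=` record, the `qmgr` `from=` record and the `smtp` `status=deferred` record that share one queue ID, then tallies the deferrals per origin. The log lines, queue IDs, host names and addresses below are constructed for the example (RFC 5737 addresses, example.org names); the Postfix line formats themselves are the standard ones.

```python
"""Correlate Postfix 4xx deferrals with the client that injected each message.

Added example, not code from the thread, Mailman or Postfix.  Each message
is reassembled from the smtpd 'client=' line (client host and, for
authenticated submissions, sasl_username), the qmgr 'from=' line and any
smtp 'status=deferred' lines carrying the same queue ID.  Deferrals are then
counted per (client, sasl_username) so you can see whether the traffic the
remote MX is rate-limiting comes from the list server, a known user, or an
unexpected origin.
"""
import re
from collections import defaultdict

QID = r"(?P<qid>[0-9A-Za-z]+):"
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: " + QID
    + r" client=(?P<client>[^\s,]+)"
    + r"(?:,\s*sasl_method=\S+,\s*sasl_username=(?P<user>\S+))?\s*$"
)
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: " + QID + r" from=<(?P<sender>[^>]*)>")
DEFER_RE = re.compile(
    r"postfix/smtp\[\d+\]: " + QID
    + r" to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), .*status=deferred \((?P<reason>.*)\)\s*$"
)

# Constructed sample log (not real traffic).  Queue IDs, hosts and users are made up.
SAMPLE_LOG = """\
Nov  3 01:43:21 mx postfix/smtpd[2101]: 3FA1B2C3D4: client=localhost[127.0.0.1]
Nov  3 01:43:21 mx postfix/qmgr[1100]: 3FA1B2C3D4: from=<test-bounces@lists.example.org>, size=2393, nrcpt=1 (queue active)
Nov  3 01:43:22 mx postfix/smtp[2300]: 3FA1B2C3D4: to=<someone@yahoo.com>, relay=mx-aol.mail.gm0.yahoodns.net[67.195.228.84]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[67.195.228.84] said: 421 4.7.0 [TSS04] Messages from 192.0.2.10 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1 (in reply to MAIL FROM command))
Nov  3 01:50:02 mx postfix/smtpd[2102]: 5B6C7D8E9F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.org
Nov  3 01:50:02 mx postfix/qmgr[1100]: 5B6C7D8E9F: from=<bob@example.org>, size=1800, nrcpt=1 (queue active)
Nov  3 01:50:03 mx postfix/smtp[2301]: 5B6C7D8E9F: to=<other@yahoo.com>, relay=mx-aol.mail.gm0.yahoodns.net[67.195.228.84]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[67.195.228.84] said: 421 4.7.0 [TSS04] Messages from 192.0.2.10 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1 (in reply to MAIL FROM command))
Nov  3 01:55:40 mx postfix/smtpd[2103]: 7A8B9C0D1E: client=localhost[127.0.0.1]
Nov  3 01:55:40 mx postfix/qmgr[1100]: 7A8B9C0D1E: from=<test-bounces@lists.example.org>, size=2100, nrcpt=1 (queue active)
Nov  3 01:55:41 mx postfix/smtp[2302]: 7A8B9C0D1E: to=<member@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.50]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov  3 02:01:15 mx postfix/smtpd[2104]: 9C0D1E2F3A: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=alice@example.org
Nov  3 02:01:15 mx postfix/qmgr[1100]: 9C0D1E2F3A: from=<alice@example.org>, size=900, nrcpt=1 (queue active)
Nov  3 02:01:16 mx postfix/smtp[2303]: 9C0D1E2F3A: to=<third@yahoo.com>, relay=mx-aol.mail.gm0.yahoodns.net[67.195.228.84]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[67.195.228.84] said: 421 4.7.0 [TSS04] Messages from 192.0.2.10 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1 (in reply to MAIL FROM command))
""".splitlines()


def correlate(lines):
    """Return {queue_id: record} for every message that had at least one deferral.

    record = {"client": str, "user": str|None, "sender": str,
              "deferrals": [(rcpt, relay, reason), ...]}
    """
    msgs = defaultdict(lambda: {"client": None, "user": None, "sender": None, "deferrals": []})
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            msgs[m["qid"]]["client"] = m["client"]
            msgs[m["qid"]]["user"] = m["user"]  # None for unauthenticated clients
            continue
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]
            continue
        m = DEFER_RE.search(line)
        if m:
            msgs[m["qid"]]["deferrals"].append((m["rcpt"], m["relay"], m["reason"]))
    return {qid: rec for qid, rec in msgs.items() if rec["deferrals"]}


def deferrals_by_origin(msgs, pattern="421"):
    """Count deferred deliveries whose reason contains `pattern`, keyed by (client, sasl_username)."""
    counts = defaultdict(int)
    for rec in msgs.values():
        for _rcpt, _relay, reason in rec["deferrals"]:
            if pattern in reason:
                counts[(rec["client"], rec["user"])] += 1
    return dict(counts)


def unexpected_origins(counts, allowed_clients, allowed_users):
    """Origins that are neither an allowed client host nor an allowed SASL user.

    For a Mailman host the allowed client is typically the list server's own
    address; the allowed users are the accounts that legitimately submit mail.
    """
    return {
        (client, user): n
        for (client, user), n in counts.items()
        if client not in allowed_clients and user not in allowed_users
    }


if __name__ == "__main__":
    records = correlate(SAMPLE_LOG)
    per_origin = deferrals_by_origin(records)
    for (client, user), n in sorted(per_origin.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} deferrals  client={client}  sasl_username={user}")
    odd = unexpected_origins(per_origin, {"localhost[127.0.0.1]"}, {"bob@example.org"})
    for (client, user), n in odd.items():
        print(f"UNEXPECTED: {n} deferrals from client={client} sasl_username={user}")
```

On a real server, feed it `/var/log/mail.log` (or `journalctl -u postfix`) and replace the allowed client and user sets with the list server's address and your known submission accounts. A deferral count dominated by `localhost` with Mailman bounce addresses as senders points at list traffic (for example subscription confirmations to addresses entered through the list info page), while counts under a SASL user that nobody recognises point at a compromised submission account.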
