On 02/13/2012 03:01 PM, Robert Van Dresar wrote:


On Mon, Feb 13, 2012 at 3:40 PM, Eric Shubert <[email protected]> wrote:

    On 02/13/2012 02:04 PM, Robert Van Dresar wrote:

        I think that our toaster has been under attack all day (our mail
        volume is quadruple our normal load), and backscatter from forged
        addresses is causing our domain to keep getting blacklisted.  Could
        someone on the list give me a little guidance on how to prove/disprove
        this theory?  If the list needs more info I'm happy to post whatever.

        Thanks,
        Robert Van Dresar
        Airplexus, Inc.


    Let's start with triage. Do you have spamdyke installed? If not,
    install it by running
    # qtp-install-spamdyke

    That should give you a little room to breathe.

    --
    -Eric 'shubes'


I do have spamdyke installed, I installed it about three weeks ago.
It's been doing really well, however I noticed on the report I received
on Saturday, it allowed 96% of the email through, whereas before it was
only allowing about 28%.  I noticed that you and others are recommending
placing my local domains in the blacklist-senders file, however, I don't
think I'm using SMTP-Auth everywhere so I'm concerned that I'll block
some of my users.  What would I have to do to enable SMTP-Auth
everywhere?  Must everyone use the submission port of 587?

Robert


All of your users must be using authentication, otherwise you'd be an open relay (a very bad thing). Anything that's not authenticating would be web apps and such, which you have specified in your tcp.smtp file. Note, if you have web forms running on your QMT host which submit emails, these might be blocked when blacklisting your local domains. If you don't have any web apps that send email, you should be safe blacklisting your local domains. I highly recommend doing this.

Authentication can be done using port 587 (where it must be done) or port 25 (where it may be done). Authenticated users on port 25 bypass all of spamdyke's filters, so my guess at this point is that one (or more) of your users' login credentials have been compromised. Have a look at your smtp log, and see if you can determine which account(s) is being authenticated against with the bad emails. spamdyke messages in the smtp log will tell you the account name that was used for authentication (after auth:). The account(s) should be pretty easy to spot. Change the associated password(s), and notify the user.

Keep us posted with what you find.

--
-Eric 'shubes'
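Eric's suggestion above, checking the smtp log for the account named after "auth:" in spamdyke's ALLOWED lines, can be scripted. The following is an added example, not code from the thread or from spamdyke itself; the log line shape (fields `origin_ip:`, `auth:`, and `(unknown)` for unauthenticated sessions) is assumed from spamdyke's logging, and the addresses, IPs and account names in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample of spamdyke ALLOWED entries as they would appear in
# /var/log/qmail/smtp/current (tai64n timestamps omitted). Field layout
# assumed from spamdyke's logging; all values are made up for this example.
SAMPLE_LOG = "\n".join([
    "spamdyke[2101]: ALLOWED from: [email protected] to: [email protected] "
    "origin_ip: 10.0.0.5 origin_rdns: pc5.example.com auth: alice encryption: (none) reason: 250_ok",
    "spamdyke[2102]: ALLOWED from: [email protected] to: [email protected] "
    "origin_ip: 203.0.113.7 origin_rdns: (unknown) auth: bob encryption: (none) reason: 250_ok",
    "spamdyke[2103]: ALLOWED from: [email protected] to: [email protected] "
    "origin_ip: 198.51.100.9 origin_rdns: (unknown) auth: bob encryption: (none) reason: 250_ok",
    "spamdyke[2104]: ALLOWED from: [email protected] to: [email protected] "
    "origin_ip: 192.0.2.44 origin_rdns: (unknown) auth: bob encryption: (none) reason: 250_ok",
    "spamdyke[2105]: ALLOWED from: [email protected] to: [email protected] "
    "origin_ip: 203.0.113.8 origin_rdns: (unknown) auth: bob encryption: (none) reason: 250_ok",
    "spamdyke[2106]: ALLOWED from: [email protected] to: [email protected] "
    "origin_ip: 192.0.2.1 origin_rdns: mx.partner.example auth: (unknown) encryption: (none) reason: 250_ok",
])

# Pull the source IP and the authenticated account out of an ALLOWED line.
ALLOWED_RE = re.compile(r"spamdyke\[\d+\]: ALLOWED .*?origin_ip: (\S+) .*?auth: (\S+)")

def auth_summary(log_text):
    """Map each authenticated account to (message count, set of origin IPs)."""
    counts = Counter()
    ips = {}
    for line in log_text.splitlines():
        m = ALLOWED_RE.search(line)
        if not m:
            continue
        ip, account = m.groups()
        if account == "(unknown)":   # assumed marker for an unauthenticated session
            continue
        counts[account] += 1
        ips.setdefault(account, set()).add(ip)
    return {acct: (counts[acct], ips[acct]) for acct in counts}

def suspicious_accounts(log_text, min_messages=3, min_ips=2):
    """Accounts relaying many messages from several distinct IPs: the pattern
    Eric describes for stolen credentials used through authenticated SMTP."""
    return sorted(acct for acct, (n, ipset) in auth_summary(log_text).items()
                  if n >= min_messages and len(ipset) >= min_ips)

if __name__ == "__main__":
    for acct, (n, ipset) in sorted(auth_summary(SAMPLE_LOG).items()):
        print(f"{acct}: {n} messages from {len(ipset)} IP(s)")
    print("review these accounts:", suspicious_accounts(SAMPLE_LOG))
```

Run it against the real log with `SAMPLE_LOG` replaced by the file contents; the thresholds are starting points to tune to the site's normal per-user volume.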


---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
     If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
    Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: [email protected]
    For additional commands, e-mail: [email protected]

