On Mon, Feb 13, 2012 at 4:33 PM, Eric Shubert <[email protected]> wrote:
> On 02/13/2012 03:01 PM, Robert Van Dresar wrote:
>> On Mon, Feb 13, 2012 at 3:40 PM, Eric Shubert <[email protected]> wrote:
>>> On 02/13/2012 02:04 PM, Robert Van Dresar wrote:
>>>> I think that our toaster has been under attack all day (our mail volume
>>>> is quadruple our normal load), and backscatter from forged addresses is
>>>> causing our domain to keep getting blacklisted. Could someone on the
>>>> list give me a little guidance on how to prove/disprove this theory? If
>>>> the list needs more info I'm happy to post whatever.
>>>>
>>>> Thanks,
>>>> Robert Van Dresar
>>>> Airplexus, Inc.
>>>
>>> Let's start with triage. Do you have spamdyke installed? If not,
>>> install it by running
>>>
>>> # qtp-install-spamdyke
>>>
>>> That should give you a little room to breathe.
>>>
>>> --
>>> -Eric 'shubes'
>>
>> I do have spamdyke installed; I installed it about three weeks ago.
>> It's been doing really well; however, I noticed on the report I received
>> on Saturday that it allowed 96% of the email through, whereas before it was
>> only allowing about 28%. I noticed that you and others are recommending
>> placing my local domains in the blacklist-senders file; however, I don't
>> think I'm using SMTP-Auth everywhere, so I'm concerned that I'll block
>> some of my users. What would I have to do to enable SMTP-Auth
>> everywhere? Must everyone use the submission port of 587?
>>
>> Robert
>
> All of your users must be using authentication, otherwise you'd be an open
> relay (a very bad thing). Anything that's not authenticating would be web
> apps and such, which you have specified in your tcp.smtp file. Note, if you
> have web forms running on your QMT host which submit emails, these might be
> blocked when blacklisting your local domains. If you don't have any web
> apps that send email, you should be safe blacklisting your local domains. I
> highly recommend doing this.
>
> Authentication can be done using port 587 (where it must be done) or port
> 25 (where it may be done). Authenticated users on port 25 bypass all of
> spamdyke's filters, so my guess at this point is that one (or more) of your
> users' login credentials have been compromised. Have a look at your smtp
> log, and see if you can determine which account(s) is being authenticated
> against with the bad emails. spamdyke messages in the smtp log will tell
> you the account name that was used for authentication (after auth:). The
> account(s) should be pretty easy to spot. Change the associated
> password(s), and notify the user.
>
> Keep us posted with what you find.
>
> --
> -Eric 'shubes'

You are right, all of our users have to authenticate to send email; I believe that's the default behavior of a stock QMT, so does that mean I can add our domains to the blacklist-senders file? I've tested for open relay, and that test returns OK. The failure notices I receive in the postmaster account point to one of our users, but it says the offending email is from "[email protected]@some-random-ip-address", and bounces back to about 50 other email addresses. Her computer was off all weekend, and we virus scanned it this morning and found nothing. I really didn't think of her password being compromised; that's easy enough to change. I guess I'll try that, especially since we're listed on five block lists now.

> ---------------------------------------------------------------------
> Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
> Vickers Consulting Group offers Qmailtoaster support and installations.
> If you need professional help with your setup, contact them today!
> ---------------------------------------------------------------------
> Please visit qmailtoaster.com for the latest news, updates, and packages.
>
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
