On Mon, Feb 13, 2012 at 4:47 PM, Robert Van Dresar <[email protected]> wrote:

> On Mon, Feb 13, 2012 at 4:33 PM, Eric Shubert <[email protected]> wrote:
>
>> On 02/13/2012 03:01 PM, Robert Van Dresar wrote:
>>
>>> On Mon, Feb 13, 2012 at 3:40 PM, Eric Shubert <[email protected]> wrote:
>>>
>>>> On 02/13/2012 02:04 PM, Robert Van Dresar wrote:
>>>>
>>>>> I think that our toaster has been under attack all day (our mail volume is quadruple our normal load), and backscatter from forged addresses is causing our domain to keep getting blacklisted. Could someone on the list give me a little guidance on how to prove/disprove this theory? If the list needs more info I'm happy to post whatever.
>>>>>
>>>>> Thanks,
>>>>> Robert Van Dresar
>>>>> Airplexus, Inc.
>>>>
>>>> Let's start with triage. Do you have spamdyke installed? If not, install it by running
>>>>
>>>> # qtp-install-spamdyke
>>>>
>>>> That should give you a little room to breathe.
>>>>
>>>> --
>>>> -Eric 'shubes'
>>>
>>> I do have spamdyke installed; I installed it about three weeks ago. It's been doing really well, however I noticed on the report I received on Saturday that it allowed 96% of the email through, whereas before it was only allowing about 28%. I noticed that you and others are recommending placing my local domains in the blacklist-senders file; however, I don't think I'm using SMTP-Auth everywhere, so I'm concerned that I'll block some of my users. What would I have to do to enable SMTP-Auth everywhere? Must everyone use the submission port of 587?
>>>
>>> Robert
>>
>> All of your users must be using authentication, otherwise you'd be an open relay (a very bad thing). Anything that's not authenticating would be web apps and such, which you have specified in your tcp.smtp file. Note, if you have web forms running on your QMT host which submit emails, these might be blocked when blacklisting your local domains. If you don't have any web apps that send email, you should be safe blacklisting your local domains. I highly recommend doing this.
>>
>> Authentication can be done using port 587 (where it must be done) or port 25 (where it may be done). Authenticated users on port 25 bypass all of spamdyke's filters, so my guess at this point is that one (or more) of your users' login credentials have been compromised. Have a look at your smtp log, and see if you can determine which account(s) is being authenticated against with the bad emails. spamdyke messages in the smtp log will tell you the account name that was used for authentication (after auth:). The account(s) should be pretty easy to spot. Change the associated password(s), and notify the user.
>>
>> Keep us posted with what you find.
>>
>> --
>> -Eric 'shubes'
>
> You are right, all of our users have to authenticate to send email. I believe that's the default behavior of a stock QMT, so does that mean I can add our domains to the blacklist-senders file?
>
> I've tested for open relay, and that test returns OK. The failure notices I receive in the postmaster account point to one of our users, but it says the offending email is from "[email protected]@some-random-ip-address", and bounces back to about 50 other email addresses. Her computer was off all weekend, and we virus scanned it this morning and found nothing. I really didn't think of her password being compromised; that's easy enough to change. I guess I'll try that, especially since we're listed on five block lists now.

Eric, OK, I changed the password for the user I see in the emails. Also, I added our domains to the blacklist_senders file for spamdyke, and we don't have any webforms. However, I'm not the sharpest knife in the drawer when it comes to reading the smtp logs. I assume you mean the "current" log in the /var/logs/qmail/smtp directory. I'm doing a tail -f now to see if I can spot any patterns.
I do see spamdyke doing its job and denying plenty of email.
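Eric's suggestion above (pull the account name after "auth:" out of the spamdyke lines in the smtp log and see which account the bad mail is riding on) as an added example that is not part of this thread and not spamdyke's or QMT's own code: a small script that tallies ALLOWED messages per authenticated account and flags accounts sending from an implausible number of origin IPs or at an implausible volume. The log lines are constructed, and the field layout (from / to / origin_ip / origin_rdns / auth) is an assumption about spamdyke's log format; the `summarize` and `suspicious_accounts` names and the thresholds are mine.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the shape spamdyke writes to the qmail smtp "current" log:
# tai64n stamp, then "spamdyke[pid]: VERDICT from: .. to: .. origin_ip: .. origin_rdns: .. auth: ..".
# The field order is an assumption about spamdyke's format, not copied from the thread.
SAMPLE_LOG = """\
@400000004f39b0c3 spamdyke[2201]: ALLOWED from: alice@example.com to: joe@example.net origin_ip: 192.0.2.10 origin_rdns: pc10.example.com auth: alice encryption: (none) reason: (empty)
@400000004f39b0c4 spamdyke[2202]: ALLOWED from: alice@example.com to: ann@example.org origin_ip: 192.0.2.10 origin_rdns: pc10.example.com auth: alice encryption: (none) reason: (empty)
@400000004f39b0c5 spamdyke[2203]: DENIED_RDNS_MISSING from: x@spam.test to: alice@example.com origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
@400000004f39b0c6 spamdyke[2204]: ALLOWED from: bob@example.com to: r1@example.net origin_ip: 203.0.113.5 origin_rdns: (unknown) auth: bob encryption: (none) reason: (empty)
@400000004f39b0c7 spamdyke[2205]: ALLOWED from: bob@example.com to: r2@example.net origin_ip: 203.0.113.9 origin_rdns: (unknown) auth: bob encryption: (none) reason: (empty)
@400000004f39b0c8 spamdyke[2206]: ALLOWED from: bob@example.com to: r3@example.org origin_ip: 198.51.100.22 origin_rdns: (unknown) auth: bob encryption: (none) reason: (empty)
@400000004f39b0c9 spamdyke[2207]: ALLOWED from: bob@example.com to: r4@example.org origin_ip: 198.51.100.40 origin_rdns: (unknown) auth: bob encryption: (none) reason: (empty)
@400000004f39b0ca spamdyke[2208]: ALLOWED from: www@example.com to: r5@example.net origin_ip: 127.0.0.1 origin_rdns: localhost auth: (unknown) encryption: (none) reason: (empty)
"""

LINE_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<verdict>\S+) from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: \S+ auth: (?P<auth>\S+)"
)

def summarize(log_text):
    """Per authenticated account: allowed messages, distinct origin IPs, distinct recipients."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set(), "recipients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a spamdyke line (qmail-smtpd's own output etc.)
        if m["verdict"] != "ALLOWED" or m["auth"] == "(unknown)":
            continue  # denied mail, or relays that never authenticated (tcp.smtp clients), blame no account
        s = stats[m["auth"]]
        s["messages"] += 1
        s["ips"].add(m["ip"])
        s["recipients"].add(m["rcpt"])
    return stats

def suspicious_accounts(stats, max_messages=200, max_ips=3):
    """Accounts whose volume or spread of source IPs is implausible for one user's PC."""
    return sorted(a for a, s in stats.items()
                  if s["messages"] > max_messages or len(s["ips"]) > max_ips)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    stats = summarize(text)
    for acct in suspicious_accounts(stats):
        s = stats[acct]
        print(f"{acct}: {s['messages']} msgs from {len(s['ips'])} IPs to {len(s['recipients'])} rcpts")
```

Run it against the smtp log file (or pipe a window of it through `tai64nlocal` first if you want readable times) and then change the password of whatever account it names.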
