[xmail] message logging
Hello all,

I have a situation with an installation where someone has managed to get hold of an e-mail address (the boss' actually) and is sending spam to the outside world.

To an extent, I've managed to isolate the problem and it seems it's the mail server itself. I still don't know if it's XMail or an anti-spam solution I've adopted since about 2004.

I would like to monitor the mail that goes out to the world. Can I do this with XMail? Do I check the logs? Which logs? I've never done this before, so I would be grateful for any help.

thank you,
spyros

"I merely function as a channel that filters music through the chaos of noise" - Vangelis

___
xmail mailing list
xmail@xmailserver.org
http://xmailserver.org/mailman/listinfo/xmail
Re: [xmail] message logging
Hello,

It is also possible that someone is sending spam messages directly, not via your mailserver. If you have a spam message, you can usually find out if this is the case by viewing the e-mail headers (often visible in the "raw email source"). Is your mail server listed in the headers (in a Received: line)?

You could try to look into the XMail SMTP logs. Their location depends on the OS. If the spam mails are listed in these logs, something else is sending the emails to your XMail server and your XMail server is forwarding these spam messages. In this case you can find the IP address and possibly username of the sender. Possibly some account information for your mailserver has leaked, or the server may be configured as an open relay.

You can also use a tool like wireshark or tcpdump to monitor communications on tcp port 25, which would also tell you if your server is sending spam mails (if it is sending at that moment).

I hope this helps.

Ivo
Re: [xmail] message logging
Hi Spyros

I experienced a similar situation some months ago: one of my server's email owners was sending tons of spam.

After fighting with many log files, I have discovered that the hacker had been able to hack the mailbox pwd, and he was sending the email using the SMTP authentication method.

You can find the evidence of that inside the SMTP log, looking for all the authenticated users that are sending email, and find the ones that are spam.
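Added example (not part of the thread, and not XMail's own code): one way to do the SMTP log review that Ivo and Stefano describe, grouping log lines by authenticated user. The column positions, the thresholds and the sample lines are assumptions constructed for illustration; check them against a line from your own SMTP log.

```python
import csv
import io
from collections import defaultdict

# ASSUMPTION: 0-based columns of a tab-separated, double-quoted SMTP log line.
# Verify them against your own log before relying on the output.
COL_REMOTE_IP, COL_RCPT_TO, COL_AUTH_USER = 2, 7, 10

def _line(ip, mail_from, rcpt, auth_user):
    """Build one constructed log line in the assumed 13-column layout."""
    fields = ["mx.example.com", "example.com", ip, "2013-05-21 14:00:00",
              "client.example.net", "example.org", mail_from, rcpt,
              "S1A2B3", "RCPT=OK", auth_user, "2048", ""]
    return "\t".join('"%s"' % f for f in fields)

# Constructed sample: "boss" authenticates from many addresses, "alice" from
# one, and the last line is an unauthenticated inbound delivery.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.%d" % n, "boss@example.com", "r%d@example.org" % n, "boss")
     for n in range(1, 7)]
    + [_line("192.0.2.10", "alice@example.com", "bob@example.org", "alice"),
       _line("203.0.113.5", "news@example.net", "alice@example.com", "")])

def authenticated_activity(log_text):
    """Per authenticated user: message count, source IPs, recipients."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set(), "rcpts": set()})
    for row in csv.reader(io.StringIO(log_text), delimiter="\t", quotechar='"'):
        if len(row) <= COL_AUTH_USER or not row[COL_AUTH_USER].strip():
            continue  # short or garbled line, or a session without SMTP AUTH
        entry = stats[row[COL_AUTH_USER].strip().lower()]
        entry["messages"] += 1
        entry["ips"].add(row[COL_REMOTE_IP])
        entry["rcpts"].add(row[COL_RCPT_TO].lower())
    return dict(stats)

def flag_accounts(stats, max_messages=5, max_ips=3):
    """Accounts that exceed either threshold (thresholds are illustrative)."""
    return sorted(user for user, s in stats.items()
                  if s["messages"] > max_messages or len(s["ips"]) > max_ips)

if __name__ == "__main__":
    for user in flag_accounts(authenticated_activity(SAMPLE_LOG)):
        print("review account:", user)
```

An account flagged here is a candidate for a password reset and a look at the source addresses it logged in from.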
Re: [xmail] message logging
> From: Stefano Pascucci
> To: XMail Users Mailing List
> Sent: Tuesday, 21 May 2013, 19:05
> Subject: Re: [xmail] message logging
>
> Hi Spyros
> I experienced a similar situation some months ago: one of my
> server's email owners was sending tons of spam.
> After fighting with many log files, I have discovered that the
> hacker had been able to hack the mailbox pwd, and he was sending
> the email using the SMTP authentication method.
> You can find the evidence of that inside the SMTP log, looking for
> all the authenticated users that are sending email, and find the
> ones that are spam.

Hi Stefano,

That's just it. I don't know of a way to check the log files for outgoing mail. That's what I am asking.

Thank you though,
s.
Re: [xmail] SPF update?
Below a message from Davide about SPF:

--
On Thu, 29 Jan 2009, Ralf wrote:

> I'm trying to switch from qmail to xmail. There I had SPF activated and would like to use SPF also in xmail. I saw that there is a perl script for SPF (http://www.xmailserver.org/xm-spf.pl), but how do I integrate it into xmail?

Suggestion. Leave SPF alone. Nobody is using it and its contribution on SPAM-cutting on my servers was totally irrelevant WRT greylisting and RBLs. The whole SPF project tanked, badly.

- Davide
--

Edinilson
--
ATINET
Tel Voz: (0xx11) 4412-0876
http://www.atinet.com.br

- Original Message -
From: "U.Mutlu"
To:
Sent: Sunday, May 19, 2013 4:31 PM
Subject: [xmail] SPF update?

Hi Davide & All,

just a question: does the SPF script (xm-spf.pl) cover the final SPFv1 specification (RFC 4408) as depicted here: http://www.openspf.org/Specifications

The script is from the year 2004, but the above RFC was ratified in 2006. Can something go wrong when the script is used nowadays?

Thx
Re: [xmail] message logging
I think that the best way to avoid this kind of problem is making an OUTPUT filter that inserts email headers (from, to, date/time) into a sql table for EACH message your XMail sends.

So you can schedule another script in your OS (every 5 minutes, for example) that sums these table rows and takes some action based on some rules (same FROM sending more than 5000 messages a day = BLOCK, same domain sending more than 2 messages a day = BLOCK, etc, etc).

Without this, you will become crazy trying to analyze tons of logs...

Regards

Edinilson
--
ATINET
Tel Voz: (0xx11) 4412-0876
http://www.atinet.com.br
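Added example (not part of the thread, and not Edinilson's code): the table-plus-scheduled-check design from the message above, using SQLite. The table name, column names, the way the output filter calls `record()` and the demo limits are assumptions; the default of 5000 messages per sender per day is the figure from the message.

```python
import sqlite3

def open_db(path=":memory:"):
    """Create the (hypothetical) outbound table the output filter writes to."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS outbound (
                      sent_at   TEXT NOT NULL,   -- UTC, 'YYYY-MM-DD HH:MM:SS'
                      mail_from TEXT NOT NULL,
                      rcpt_to   TEXT NOT NULL)""")
    db.execute("CREATE INDEX IF NOT EXISTS outbound_from"
               " ON outbound (mail_from, sent_at)")
    return db

def record(db, sent_at, mail_from, rcpt_to):
    """Called once per outgoing message by the filter (assumed integration)."""
    db.execute("INSERT INTO outbound VALUES (?, ?, ?)",
               (sent_at, mail_from.strip().lower(), rcpt_to.strip().lower()))

def over_limit(db, now, sender_limit=5000, domain_limit=None):
    """Senders (and optionally sender domains) above their 24-hour limit."""
    window = "sent_at > datetime(?, '-1 day') AND sent_at <= ?"
    blocked = [("sender", who, n) for who, n in db.execute(
        "SELECT mail_from, COUNT(*) FROM outbound WHERE " + window +
        " GROUP BY mail_from HAVING COUNT(*) > ? ORDER BY mail_from",
        (now, now, sender_limit))]
    if domain_limit is not None:
        blocked += [("domain", who, n) for who, n in db.execute(
            "SELECT substr(mail_from, instr(mail_from, '@') + 1) AS dom, COUNT(*)"
            " FROM outbound WHERE " + window +
            " GROUP BY dom HAVING COUNT(*) > ? ORDER BY dom",
            (now, now, domain_limit))]
    return blocked

def demo():
    """Constructed data: one noisy sender, one quiet sender, one stale row."""
    db = open_db()
    for minute in range(6):
        record(db, "2013-05-21 10:%02d:00" % minute,
               "Boss@example.com", "x@example.org")
    record(db, "2013-05-21 10:30:00", "alice@example.com", "y@example.org")
    record(db, "2013-05-19 09:00:00", "alice@example.com", "z@example.org")
    return over_limit(db, "2013-05-21 12:00:00", sender_limit=5, domain_limit=6)
```

The scheduled script would call `over_limit()` with the current UTC time and act on each returned row, for example by disabling the account until its password is changed.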
Re: [xmail] SPF update?
Too bad xmail doesn't have native spf-support yet, many other mailers do: http://www.openspf.org/Implementations

Here's a description of my solution of SPF with xmail:

I tried to use the xm-spf.pl, but perl reported some errors about a missing component or so. Then I found a package named "spfquery" in the Debian repository, it's an executable (or maybe just a perl script?). So I managed to write a small filter program (for filters.pre-data.tab) in C/C++, and from within that I'm calling the spfquery program with the right parameters. This works well. I can recommend it.

It needs just 3 parameters (all supplied by xmail to the filter), like so:

    spfquery --ip=x.x.x.x --mfrom=u...@example.com --helo=hostname.com

and returns a few lines where the first is the status, like "pass", "fail", "softfail" etc. For more info one should consult the man page of spfquery.

But: one has to do some reformatting of the params, for example stripping off the braces from the ip "[x.x.x.x]"

And here is an spf tester: http://www.kitterman.com/spf/validate.html

Hope this info helps others wanting to add SPF-protection to their xmail server. But beware: this stuff is IMHO very advanced stuff, one needs some experience with DNS records, and some experience in writing a filter, i.e. programming. So, my advice: if possible just hire someone who already has experience in this stuff and xmail.

cu
uenal
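Added example (not part of the thread, and not uenal's C/C++ filter): the parameter clean-up and status parsing that the message above describes for calling spfquery, sketched in Python. The function names, the handling of angle brackets around the sender, and the "unknown" fallback are assumptions; only the three spfquery options shown in the message are used.

```python
import ipaddress
import subprocess

def clean_ip(raw):
    """'[192.0.2.1]' -> '192.0.2.1'; raises ValueError if it is not an IP."""
    return str(ipaddress.ip_address(raw.strip().strip("[]")))

def spfquery_argv(raw_ip, raw_mfrom, raw_helo, binary="spfquery"):
    """Build an argument list (no shell involved) from the filter's inputs.

    The envelope sender and HELO name are chosen by the remote client, so
    they are validated and passed as single arguments, never interpolated
    into a shell command line.
    """
    mfrom = raw_mfrom.strip().strip("<>")   # ASSUMPTION: may arrive as <addr>
    helo = raw_helo.strip()
    for value in (mfrom, helo):
        if not value or any(ch.isspace() or ord(ch) < 32 for ch in value):
            raise ValueError("unusable parameter: %r" % value)
    return [binary, "--ip=" + clean_ip(raw_ip),
            "--mfrom=" + mfrom, "--helo=" + helo]

def first_line_status(output):
    """The status is the first word of the first non-empty output line."""
    for line in output.splitlines():
        if line.strip():
            return line.split()[0].lower()
    return "unknown"                        # ASSUMPTION: label for empty output

def check_spf(raw_ip, raw_mfrom, raw_helo, timeout=10):
    """Run spfquery; any local problem yields 'unknown', never a reject."""
    try:
        argv = spfquery_argv(raw_ip, raw_mfrom, raw_helo)
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout)
    except (ValueError, OSError, subprocess.TimeoutExpired):
        return "unknown"
    return first_line_status(proc.stdout)

def should_reject(status):
    """Illustrative policy: reject only on an explicit SPF 'fail'."""
    return status == "fail"
```

Failing open on "unknown" keeps a missing binary or a DNS timeout from bouncing legitimate mail; whether "softfail" should be tagged or rejected is a local policy choice.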