Blocking Outgoing Spam

A client on the network got a virus and sent thousands of emails out in an hour. We turned the account off and the mail stopped but not before giving us a terrible reputation, so mail is not going out. What is the best way to prevent run-away outbound spam and virus emails?

Here is a little piece of the log file:

Dec 3 14:58:57 gto postfix/qmgr[1522]: DFEC316AFA4: from=mhanley@methownet.com, size=643, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D708216ACEA: from=mhanley@methownet.com, size=639, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D050B16ABA4: from=mhanley@methownet.com, size=723, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: DA77516A9A1: from=mhanley@methownet.com, size=619, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D9AA916AD28: from=mhanley@methownet.com, size=611, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: DC91316ABAF: from=mhanley@methownet.com, size=620, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D40F316ACC8: from=mhanley@methownet.com, size=671, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: DA9E016AC6D: from=mhanley@methownet.com, size=637, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D6AAF16AD44: from=mhanley@methownet.com, size=641, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D2EDF16A9B8: from=mhanley@methownet.com, size=648, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: DEDFA16ACD1: from=mhanley@methownet.com, size=679, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D823016A577: from=mhanley@methownet.com, size=664, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D0D5F163A35: from=mhanley@methownet.com, size=645, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D9D5516A98E: from=mhanley@methownet.com, size=626, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D9B3E16AAE6: from=mhanley@methownet.com, size=668, nrcpt=1 (queue active)
Dec 3 14:58:57 gto postfix/qmgr[1522]: D55A016AC37: from=mhanley@methownet.com, size=635, nrcpt=1 (queue active)
Dec 3 14:58:59 gto spamd[2325]: spamd: setuid to mhanley.methownet succeeded
Dec 3 14:58:59 gto spamd[2325]: spamd: processing message 20121203225858.993771633FE@gto.methowdata.net for mhanley.methownet:2030
Dec 3 14:59:00 gto spamd[2325]: spamd: clean message (0.0/8.0) for mhanley.methownet:2030 in 1.3 seconds, 2892 bytes.
Dec 3 14:59:00 gto spamd[2325]: spamd: result: . 0 - NO_RELAYS,URIBL_PH_SURBL scantime=1.3,size=2892,user=mhanley.methownet,uid=2030,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=52518,mid=20121203225858.993771633FE@gto.methowdata.net,autolearn=ham
Dec 3 14:59:00 gto postfix/local[2271]: 993771633FE: to=mhanley.methownet@gto.methowdata.net, orig_to=mhanley@methownet.com, relay=local, delay=2.3, delays=0/0/0/2.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
Dec 3 14:59:28 gto spamd[2325]: spamd: setuid to mhanley.methownet succeeded
Dec 3 14:59:28 gto spamd[2325]: spamd: processing message 20121203225928.3A2B916A9DF@gto.methowdata.net for mhanley.methownet:2030
Dec 3 14:59:29 gto spamd[2381]: spamd: setuid to mhanley.methownet succeeded
Dec 3 14:59:29 gto spamd[2381]: spamd: processing message <20121203225928.EFB6516266E@gto.methowdata.net

Thanks for any help/guidance you can give. Jeff

Status: 
Closed (fixed)

Comments

Howdy -- yeah, that's an unfortunate problem that can sometimes happen.

One thing you could do is set up notifications if your mail queue grows too large.

To do that, you can go into Webmin -> Others -> System and Server Status, and add a new monitor for "Mail Queue Size". That can then notify you whenever your mail queue grows to "N" messages.

OK, I'll do that.
It looks like a BOT was testing one email account from multiple computers from all around the world. Is there a way to test the system email accounts (about 800) for weak passwords? Also, they tried thousands of logins each on that one account. Isn't there some program that will lock an IP out if it tries more than a certain number of times?

You can set up software to look out for events like that... some folks in the community like the software called "fail2ban", which monitors the logs for failed login attempts, and when a certain threshold is reached, it can block the host. That software can be found here:

http://www.fail2ban.org/

You can also explore denyhosts and pam_abl, each of which is in that same software "genre".

We're not able to support those, those are third party software applications, but we wanted to point out some that we've heard good things about.

I installed BFD with hopes that might help with the login attempts. It looks like they were testing the capabilities of SpamAssassin and finally found something that would go through the filter. They appeared to be working through a client computer.

Is there a way to limit the number of outgoing messages in a day?

Postfix doesn't, to my knowledge, have a built-in way to rate limit emails.

There are policy add-ons that you could use to implement such a feature.

One example I've read about is that policyd should be able to do that sort of thing:

http://www.policyd.org/

You can read about the policy accounting here:

http://wiki.policyd.org/accounting
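
For anyone who wants to see what a Postfix policy service actually does before installing policyd, here is an added example of a minimal per-account daily quota written in the same protocol policyd speaks. It is not policyd's code and not part of this thread's original answers. Postfix sends each request as "name=value" lines ending in a blank line and expects "action=..." plus a blank line back; it calls the service once per RCPT TO, so each request counts as one recipient. The limit of 500 recipients per account per day, the port 10040 and the example account names are assumptions.

```python
import socketserver
import threading
from collections import defaultdict
from datetime import date

# Hypothetical quota. policyd's accounting module keeps the same kind of counter
# in a database; this one lives in memory and resets when the daemon restarts.
DAILY_RECIPIENT_LIMIT = 500


class SenderQuota:
    """Counts recipients accepted per authenticated user per calendar day."""

    def __init__(self, limit=DAILY_RECIPIENT_LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)   # (username, "YYYY-MM-DD") -> recipients
        self.lock = threading.Lock()     # several smtpd processes talk to us at once

    def decide(self, attrs, day=None):
        """Return the Postfix action for one request.  attrs is the dict of
        name=value attributes Postfix sent; day is "YYYY-MM-DD" (today if None)."""
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        if attrs.get("protocol_state") != "RCPT":
            return "DUNNO"                  # only count at the recipient stage
        user = attrs.get("sasl_username", "").lower()
        if not user:
            return "DUNNO"                  # inbound/unauthenticated mail: not our concern here
        key = (user, day or date.today().isoformat())
        with self.lock:
            if self.counts[key] >= self.limit:
                # 4xx: a legitimate client retries tomorrow, a bot's queue just stalls.
                return "DEFER_IF_PERMIT 4.7.1 Daily sending limit reached for this account"
            self.counts[key] += 1
        return "DUNNO"


def parse_policy_request(text):
    """Parse the name=value lines of one request (everything before the blank line)."""
    attrs = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            attrs[name] = value
    return attrs


def policy_response(text, quota, day=None):
    """Full wire response for one request: 'action=...' and the blank line Postfix expects."""
    return "action=%s\n\n" % quota.decide(parse_policy_request(text), day)


class PolicyHandler(socketserver.StreamRequestHandler):
    quota = SenderQuota()

    def handle(self):
        # Postfix keeps the connection open and sends many requests over it,
        # each terminated by an empty line.
        while True:
            lines = []
            for raw in self.rfile:
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            else:
                return                      # peer closed the connection
            self.wfile.write(policy_response("\n".join(lines), self.quota).encode())
            self.wfile.flush()


if __name__ == "__main__":
    # main.cf (assumed placement, so that LAN and authenticated clients are both checked):
    #   smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10040,
    #       permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Two caveats worth knowing before relying on something like this: a policy service only sees mail that arrives through smtpd, so anything injected locally with sendmail(1), by a web script or through procmail bypasses it entirely, and an in-memory counter is lost on restart, which is exactly the gap policyd's database-backed accounting fills.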

Thanks. I'll give that a try. Jeff