Wild_Cat asked:
Email Spam on Mdaemon Server

Hi
I am using MDaemon with approximately 4000 accounts; the rest of my configuration is as follows.
My domain is hosted on my ISP. They receive all my mails and dump them in an account from where, with the help of MDaemon, I download those mails to my server and distribute them among my users. Similarly, my users send mail to my server, which forwards them to my ISP server, from where they go out into cyberspace.
Now I am receiving very heavy spam, approximately 9 to 10K mails within 10 minutes. I explored the headers of different mails and am unable to find any similarity to block this attack. Please, if anyone can guide me in this regard.
Some sample headers are attached.

Return-Path: <dean.sbe@umt.edu.pk>
Received: from 213.154.204.230 ([213.154.204.230])
	by virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGiAWx025104
	for <dean.sbe@umt.edu.pk>; Mon, 26 Nov 2007 21:44:11 +0500
Date: Tue, 27 Nov 2007 00:41:39 +0400
From: " J. Thomas" <wmcpveolcrx@swocai.swoca.net>
X-Mailer: The Bat! (v1.52f) Business
X-Priority: 3
Message-ID: <118024753.20071127004139015506@swocai.swoca.net>
To: dean.sbe@umt.edu.pk
Subject: Dont feel left out
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
 
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<body>
<br>
==This is MEDFEST==<br>
<br>
All your favourite stuff  Cures are finally on zale<br>
<br>
<a href="http://cpgjqp.writebalesom.info/?70518619">BuyRightNow</a><br>
<br>
<br>
From<br>
Cures for Sure .com
</body>
</html>
 
--------------------------------------------
Return-Path: <jianping@neste.com>
Received: from ppp85-141-138-250.pppoe.mtu-net.ru (ppp85-141-138-250.pppoe.mtu-net.ru [85.141.138.250])
	by virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGihXw025174
	for <amiee18v1vsqdo3qeaaaaa@umt.edu.pk>; Mon, 26 Nov 2007 21:44:43 +0500
Received: from [85.141.138.250] by ns1.nesteoil.com; Mon, 26 Nov 2007 22:07:19 +0000
Message-ID: <000501c83078$06553ff7$1c0e5fb0@dsrtqa>
From: "Breitling Watches" <jianping@neste.com>
To: "Replica Watches" <amiee18v1vsqdo3qeaaaaa@umt.edu.pk>
Subject: Officine Panerai Watches
Date: Mon, 26 Nov 2007 20:19:57 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0002_01C83078.0650005D"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
 
-----------------------------------------------------
Return-Path: <soumitra@stswithuns.com>
Received: from ip-66-254-34-32.mqdsl.megaquebec.net (ip-66-254-34-32.mqdsl.megaquebec.net [66.254.34.32])
	by virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGh196025015
	for <dous@umt.edu.pk>; Mon, 26 Nov 2007 21:43:02 +0500
Received: from [66.254.34.32] by dns02e.hants.gov.uk; Mon, 26 Nov 2007 22:05:35 +0000
Message-ID: <000b01c83078$0269965f$db8c2694@swaosr>
From: "der onstad" <soumitra@stswithuns.com>
To: <dous@umt.edu.pk>
Subject: Fw:
Date: Mon, 26 Nov 2007 20:18:13 +0000
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_0005_01C83078.026940CF"


FilipZahradnik:

I have Mdaemon deployed with about 200 users and I spend a lot of time tweaking the spam filtering system.

From your description it sounds like you are using DomainPOP to collect email (all emails for your domain go to one POP mailbox at your ISP, then Mdaemon downloads them and parses recipients out of the email files). Can you please confirm whether this is true, as DomainPOP heavily influences the spam filtering options that are available to you.

Also, are you using Mdaemon's spam filter feature (available in the Pro version)?
Wild_Cat (asker):

Yes, very true,
same criteria, and I am using the Mdaemon spam filter.
But my version of MDaemon is 7.
Ok, so you are using DomainPOP. This makes spam filtering a bit harder, as your ISP accepts all mail on your behalf. You can only apply spam filtering once the POP email has been downloaded. Therefore, you can filter out spam once it has been received, but you cannot reject spam mail outright (because it has already been accepted by your ISP).

Mdaemon has an excellent spam filtering system based on SpamAssassin, only available in Pro version. I can't remember if it was already available in version 7 or not. There was a rudimentary spam filtering system before that, relying on RBL lookups, but the effects of that were small compared to the SpamAssassin based filter that came afterwards.

Are you running Mdaemon Pro or Standard?

There are several things you can do:
- talk to your ISP to see if they offer spam filtering. That way, all your emails will be spam-filtered when they are received by your ISP. That should substantially reduce the amount of spam that hits your Mdaemon mailserver.
- change your setup so that emails are delivered directly to your server (instead of using DomainPOP). That way, you can apply spam filtering to incoming emails and reject them if they look like spam. Before you do this, I would upgrade to the latest Mdaemon Pro.
- Upgrade to Mdaemon Pro and apply spam filtering to DomainPOP emails. This will not reduce the amount of spam you receive, but it will block spam from reaching your users.
- get a third-party spam filtering gateway (or build your own SpamAssassin box) and pass your emails through it. I'm not sure if any support DomainPOP though.

The bottom line is:
- if you want to reduce the amount of spam you receive, you should really get rid of DomainPOP.
- if you want to reduce the amount of spam that reaches your users (and keep DomainPOP), consider upgrading to Mdaemon Pro and use their spam filtering system.
One more thing:
An extension of the suggestion to get spam filtering done by your ISP is to use a hosted spam filter service. You redirect all your email to them, they filter it, then deliver it to your DomainPOP mailbox.
Just google 'hosted spam filter' and you'll get lots of hits...
The current situation is that the ISP denies the spam filtering facility.
They threaten to close our account because we choke all their bandwidth.
And yes, we use the Pro version.
Now if, according to you, at one point I plan to directly import mail, then my bandwidth will be choked.
I currently have a 1 Mb pipe but I don't think it will shake the situation.
One guess that I have is that somehow my mail server has become infected or compromised, but I still am unable to find out how.
A server with 4000 accounts would attract quite a lot of spam. It also depends on the behaviour of your users. If they all publish their email addresses on the internet or register for mailing lists etc., that would increase the amount of spam you receive.

If your server was compromised, it would most likely send spam, not receive.

So you are at a point when your ISP can't handle your email. Consequently, handling the emails yourself would be even more difficult. Therefore, I suggest you let someone else deal with the problem - have a look at hosted spam filters:
http://www.spamhelp.org/services/listings/managed-anti-spam/
Can we trace the email back and block the relevant IP addresses? The school of thought was: why change scenarios if there would or could be a solution in the current situation?
What you say will definitely be followed, sir, if no other solution for the current situation is available, but I think some effort can be put into this aspect as well.
I will look into your solution, sir; please consider my request :)
Major spam is of three types:
1. Viagra
2. Rolex Watches
3. Enlargement etc.
I have built up a content filter at my Mdaemon server, but they trick me every time by changing case and spacing; besides, the content filter works on my end. So if somehow we could block some IP addresses at the ISP's end, that might help the situation.
Blocking the spam on Mdaemon is not going to fix the problem, as the spam has already been received by your ISP.
Spam comes from many sources (botnets, etc.) and you won't be able to keep up with blocking IP addresses.
Hmmmmm, I was not referring to blocking at my end. The ISP offered the service if I provided them with some data. This is the latest development, as they have also shut down my email service :)
As my mail receive time is one minute, which is local, by which ratio would it increase if I put in a spam filter hosting service? I would still like to know any possible solution for the current situation.
The reason why your email takes 1 minute to deliver is most likely because your MDaemon checks the DomainPOP mailbox every minute (that is the most frequent interval).

Adding a hosted spam filter to the setup will increase the delivery time, however it may be that it will still fit into 1 minute. It really depends on the provider.
Hmmmmmm. So what about IP blocking at the ISP's end, or any solution that can be suggested to them?
The latest scenario is that, for the time being, I have closed DomainPOP and have dropped all the mail directly to my server; that's how the ISP agreed.
Further, the spam is now seen from multiple IPs. Can I please be told, sir, how to back-track an email and block the original spamming servers?
Still waiting for a reply.
Kindly suggest the best solution for this spam filter hosting facility, and
still thinking how it can be that a reverse path is identified for an email.
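As an added example for the "how to back-track an email" question (this is not code from the thread or from MDaemon), the script below walks the Received: headers of the three samples quoted in the question, trusts only the first Received: line stamped by the asker's own server, and tallies the IPs that actually connected to it into a small report of the kind the ISP asked for. The trusted host name (virtual.magic.net.pk) is taken from the quoted headers; trimming the samples to a few header lines is an assumption of the example.

```python
"""Trace each message back to the IP that connected to our own server.

Added example for this thread (not MDaemon code and not from the
original answers). Received: headers are prepended by each hop, so the
topmost line was written by the last server, i.e. our own. Only the
first line stamped by *our* host is trustworthy; everything below it
was written by the sending side and can be forged, so it is listed
for information but never used to pick the origin.
"""
import re
from collections import Counter

# Assumed trusted host: the server named in the "by" clause of the
# headers quoted in the question.
TRUSTED_HOST = "virtual.magic.net.pk"

# Sample input: the three headers quoted in the question, trimmed to the
# lines this example needs (Return-Path, Received, From, Subject).
SAMPLE_HEADERS = [
    "Return-Path: <dean.sbe@umt.edu.pk>\n"
    "Received: from 213.154.204.230 ([213.154.204.230])\n"
    "\tby virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGiAWx025104\n"
    "\tfor <dean.sbe@umt.edu.pk>; Mon, 26 Nov 2007 21:44:11 +0500\n"
    "From: \" J. Thomas\" <wmcpveolcrx@swocai.swoca.net>\n"
    "Subject: Dont feel left out\n",
    "Return-Path: <jianping@neste.com>\n"
    "Received: from ppp85-141-138-250.pppoe.mtu-net.ru "
    "(ppp85-141-138-250.pppoe.mtu-net.ru [85.141.138.250])\n"
    "\tby virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGihXw025174\n"
    "\tfor <amiee18v1vsqdo3qeaaaaa@umt.edu.pk>; Mon, 26 Nov 2007 21:44:43 +0500\n"
    "Received: from [85.141.138.250] by ns1.nesteoil.com; Mon, 26 Nov 2007 22:07:19 +0000\n"
    "From: \"Breitling Watches\" <jianping@neste.com>\n"
    "Subject: Officine Panerai Watches\n",
    "Return-Path: <soumitra@stswithuns.com>\n"
    "Received: from ip-66-254-34-32.mqdsl.megaquebec.net "
    "(ip-66-254-34-32.mqdsl.megaquebec.net [66.254.34.32])\n"
    "\tby virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGh196025015\n"
    "\tfor <dous@umt.edu.pk>; Mon, 26 Nov 2007 21:43:02 +0500\n"
    "Received: from [66.254.34.32] by dns02e.hants.gov.uk; Mon, 26 Nov 2007 22:05:35 +0000\n"
    "From: \"der onstad\" <soumitra@stswithuns.com>\n"
    "Subject: Fw:\n",
]

# "from <client> by <server>" clause of a Received: line; the "by" host
# ends at whitespace or the ';' that precedes the timestamp.
HOP_RE = re.compile(r"\bfrom\s+(?P<from>.+?)\s+by\s+(?P<by>[^\s;]+)", re.IGNORECASE)
# A dotted-quad not embedded in a longer dotted string.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def unfold_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded
    continuation lines (lines starting with space or tab, RFC 5322)."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def received_hops(raw):
    """Return the Received: hops top-down as dicts with the claimed
    client ('from'), the stamping server ('by') and the client IP."""
    hops = []
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        m = HOP_RE.search(value)
        if not m:  # e.g. "Received: by ..." lines with no client clause
            continue
        ip = IPV4_RE.search(m.group("from"))
        hops.append({"from": m.group("from"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None})
    return hops


def originating_ip(raw, trusted_host):
    """IP that connected to trusted_host, or None if no such hop exists.
    Hops stamped by other servers are ignored because they are untrusted."""
    for hop in received_hops(raw):
        if hop["by"].lower() == trusted_host.lower():
            return hop["ip"]
    return None


def origin_report(messages, trusted_host):
    """Count connecting IPs across a batch of messages (data an upstream
    provider could act on)."""
    counts = Counter()
    for raw in messages:
        ip = originating_ip(raw, trusted_host)
        if ip:
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in sorted(origin_report(SAMPLE_HEADERS, TRUSTED_HOST).items()):
        print(f"{ip}\t{n} message(s)")
```

Note that in the second and third samples the lower Received: line names a different server (ns1.nesteoil.com, dns02e.hants.gov.uk) that the spammer's client claims to have passed through; the script lists such hops but never uses them, since only the line written by the asker's own server records the real connecting address.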
I am unable to assist you with step-by-step instructions as I do not have any Mdaemon 7 installations.

On a general note, do the following:
- enable the spam filter, including Bayesian filtering
- explore the Dynamic Screening options. These allow you to dynamically block senders by IP address based on various criteria, such as number of unknown users, invalid password attempts, etc.
- ensure that your server is not an open relay (use tools like http://www.abuse.net/relay.html or http://www.spamhelp.org/shopenrelay/)
OK, I understand and I will follow suit.
Hmmm.
Well, I have done some of your recommendations and a little spam reduction has resulted, but there is progress.
All the mail is routing properly, but now Hotmail is blocked; all the rest of the mail is OK.
Wild_cat: any feedback on this case? Is your spam problem under control now?
ASKER CERTIFIED SOLUTION
FilipZahradnik
(The accepted solution is only available to Experts Exchange members.)