Solved

Email Spam on Mdaemon Server

Posted on 2007-11-26
22
2,487 Views
Last Modified: 2013-12-09
Hi
I am using MDaemon with approximately 4000 accounts; the rest of my configuration is as follows.
My domain is hosted at my ISP; they receive all my mail and dump it into an account from which, with the help of MDaemon, I download those mails to my server and distribute them among my users. Similarly, my users send mail to my server, which forwards it to my ISP's server, from where it goes out into cyberspace.
Now I am receiving a very large amount of spam, approximately 9 to 10K mails within 10 minutes. I have explored the headers of different mails and am unable to find any similarity that would let me block this attack. Please, if anyone can guide me in this regard.
Some sample headers are attached.

Return-Path: <dean.sbe@umt.edu.pk>
Received: from 213.154.204.230 ([213.154.204.230])
	by virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGiAWx025104
	for <dean.sbe@umt.edu.pk>; Mon, 26 Nov 2007 21:44:11 +0500
Date: Tue, 27 Nov 2007 00:41:39 +0400
From: " J. Thomas" <wmcpveolcrx@swocai.swoca.net>
X-Mailer: The Bat! (v1.52f) Business
X-Priority: 3
Message-ID: <118024753.20071127004139015506@swocai.swoca.net>
To: dean.sbe@umt.edu.pk
Subject: Dont feel left out
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<body>
<br>
==This is MEDFEST==<br>
<br>
All your favourite stuff  Cures are finally on zale<br>
<br>
<a href="http://cpgjqp.writebalesom.info/?70518619">BuyRightNow</a><br>
<br>
<br>
From<br>
Cures for Sure .com
</body>
</html>

--------------------------------------------

Return-Path: <jianping@neste.com>
Received: from ppp85-141-138-250.pppoe.mtu-net.ru (ppp85-141-138-250.pppoe.mtu-net.ru [85.141.138.250])
	by virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGihXw025174
	for <amiee18v1vsqdo3qeaaaaa@umt.edu.pk>; Mon, 26 Nov 2007 21:44:43 +0500
Received: from [85.141.138.250] by ns1.nesteoil.com; Mon, 26 Nov 2007 22:07:19 +0000
Message-ID: <000501c83078$06553ff7$1c0e5fb0@dsrtqa>
From: "Breitling Watches" <jianping@neste.com>
To: "Replica Watches" <amiee18v1vsqdo3qeaaaaa@umt.edu.pk>
Subject: Officine Panerai Watches
Date: Mon, 26 Nov 2007 20:19:57 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0002_01C83078.0650005D"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757

-----------------------------------------------------

Return-Path: <soumitra@stswithuns.com>
Received: from ip-66-254-34-32.mqdsl.megaquebec.net (ip-66-254-34-32.mqdsl.megaquebec.net [66.254.34.32])
	by virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGh196025015
	for <dous@umt.edu.pk>; Mon, 26 Nov 2007 21:43:02 +0500
Received: from [66.254.34.32] by dns02e.hants.gov.uk; Mon, 26 Nov 2007 22:05:35 +0000
Message-ID: <000b01c83078$0269965f$db8c2694@swaosr>
From: "der onstad" <soumitra@stswithuns.com>
To: <dous@umt.edu.pk>
Subject: Fw:
Date: Mon, 26 Nov 2007 20:18:13 +0000
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_0005_01C83078.026940CF"

Question by:Wild_Cat
22 Comments
 
LVL 9

Expert Comment

by:FilipZahradnik
ID: 20354206
I have MDaemon deployed with about 200 users and I spend a lot of time tweaking the spam filtering system.

From your description it sounds like you are using DomainPOP to collect email (all emails for your domain go to one POP mailbox at your ISP, then MDaemon downloads them and parses the recipients out of the email files). Can you please confirm whether this is true, as DomainPOP heavily influences the spam filtering options that are available to you.

Also, are you using MDaemon's spam filter feature (available in the Pro version)?
0
 

Author Comment

by:Wild_Cat
ID: 20354496
Yes, very true,
same criteria, and I am using the MDaemon spam filter.
But my version of MDaemon is 7.
0
 
LVL 9

Expert Comment

by:FilipZahradnik
ID: 20354709
Ok, so you are using DomainPOP. This makes spam filtering a bit harder, as your ISP accepts all mail on your behalf. You can only apply spam filtering once the POP email has been downloaded. Therefore, you can filter out spam once it has been received, but you cannot reject spam mail outright (because it has already been accepted by your ISP).

Mdaemon has an excellent spam filtering system based on SpamAssassin, only available in Pro version. I can't remember if it was already available in version 7 or not. There was a rudimentary spam filtering system before that, relying on RBL lookups, but the effects of that were small compared to the SpamAssassin based filter that came afterwards.

Are you running Mdaemon Pro or Standard?

There are several things you can do:
- talk to your ISP to see if they offer spam filtering. That way, all your emails will be spam-filtered when they are received by your ISP. That should substantially reduce the amount of spam that hits your Mdaemon mailserver.
- change your setup so that emails are delivered directly to your server (instead of using DomainPOP). That way, you can apply spam filtering to incoming emails and reject them if they look like spam. Before you do this, I would upgrade to the latest Mdaemon Pro.
- Upgrade to Mdaemon Pro and apply spam filtering to DomainPOP emails. This will not reduce the amount of spam you receive, but it will block spam from reaching your users.
- get a third-party spam filtering gateway (or build your own SpamAssassin box) and pass your emails through it. I'm not sure if any support DomainPOP though.

The bottom line is:
- if you want to reduce the amount of spam you receive, you should really get rid of DomainPOP.
- if you want to reduce the amount of spam that reaches your users (and keep DomainPOP), consider upgrading to Mdaemon Pro and use their spam filtering system.
0
 
LVL 9

Expert Comment

by:FilipZahradnik
ID: 20354718
One more thing:
An extension of the suggestion to get spam filtering done by your ISP is to use a hosted spam filter service. You redirect all your email to them, they filter it, then deliver it to your DomainPOP mailbox.
0
 
LVL 9

Expert Comment

by:FilipZahradnik
ID: 20354720
Just google 'hosted spam filter' and you'll get lots of hits...
0
 

Author Comment

by:Wild_Cat
ID: 20354943
The current situation is that the ISP denies us a spam filtering facility.
They threaten to close our account because we choke all their bandwidth.
And yes, we use the Pro version.
Now, if at some point I plan to directly import mail as you suggest, then my bandwidth will be choked.
I currently have a 1 Mb pipe, but I don't think it will shake the situation.
One guess that I have is that somehow my mail server has become infected or compromised, but I still am unable to find out how.
0
 
LVL 9

Expert Comment

by:FilipZahradnik
ID: 20355301
A server with 4000 accounts would attract quite a lot of spam. It also depends on the behaviour of your users. If they all publish their email addresses on the internet or register for mailing lists etc., that would increase the amount of spam you receive.

If your server was compromised, it would most likely send spam, not receive.

So you are at a point when your ISP can't handle your email. Consequently, handling the emails yourself would be even more difficult. Therefore, I suggest you let someone else deal with the problem - have a look at hosted spam filters:
http://www.spamhelp.org/services/listings/managed-anti-spam/
0
 

Author Comment

by:Wild_Cat
ID: 20355424
Can we trace the email back and block the relevant IP addresses? The school of thought was: why change scenarios if there would or could be a solution in the current situation.
What you say will be followed, definitely, sir, if no other solution for the current situation is available, but I think some effort can be put into this aspect as well.
0
 

Author Comment

by:Wild_Cat
ID: 20355428
I will look into your solution, sir; you please consider my request :)
0
 

Author Comment

by:Wild_Cat
ID: 20355451
The major spam is of three types:
1. Viagra
2. Rolex watches
3. Enlargement etc.
I have built a content filter on my MDaemon server, but they trick me every time by changing case and spacing; besides, the content filter only works on my end. So if somehow we could block some IP addresses at the ISP's end, that might help the situation.
0
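The case-and-spacing trick mentioned in the comment above is the standard way to beat an exact-string content-filter rule. The following is an added example (Python), not part of the original thread and not MDaemon's content filter: it normalises a message body before matching, so "V.I.A.G.R.A", "R0LEX" and "rep1ica" collapse to the same tokens as the plain words. The keyword list is constructed for the three categories named in the thread, and the sample bodies are constructed (one reuses the MEDFEST HTML quoted in the question).

```python
import re
import unicodedata

# Constructed keyword list covering the three categories named in the thread.
# Assumption: the real MDaemon content-filter rules are not on the page, so
# these are illustrative only.
KEYWORDS = ("viagra", "cialis", "rolex", "replica", "enlargement", "medfest")

# Digit and symbol look-alikes spammers substitute to defeat exact-string rules.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "|": "l", "!": "i"})
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample bodies: the MEDFEST message from the question, two
# obfuscated spam lines, a legitimate message and a false-positive trap.
MEDFEST_BODY = ('<html><body><br>==This is MEDFEST==<br><br>All your favourite stuff  '
                'Cures are finally on zale<br><a href="http://cpgjqp.writebalesom.info/'
                '?70518619">BuyRightNow</a><br>From<br>Cures for Sure .com</body></html>')
OBFUSCATED_1 = "V.I.A.G.R.A at 70% off"
OBFUSCATED_2 = "R0LEX rep1ica w@tches"
HAM = "Meeting moved to 3pm, see attached agenda"
FALSE_POSITIVE = "Our control expert will call"


def normalise(text):
    """Collapse the tricks named in the thread (case changes, inserted spacing and
    punctuation) plus HTML tags, accents and look-alike digits, so that
    'V.i.a g r a' and 'VIAGRA' both become 'viagra'."""
    text = TAG_RE.sub(" ", text)
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower().translate(LEET)
    return re.sub(r"[^a-z]+", "", text)


def scan(body):
    """Return the keywords found in the normalised body, sorted. Substring matching
    on text with every separator removed is deliberate: it is what makes the
    spacing trick useless. The price is false positives across word boundaries."""
    flat = normalise(body)
    return sorted(k for k in KEYWORDS if normalise(k) in flat)


def is_spam(body, threshold=1):
    """Crude decision: `threshold` or more hits trips the rule. Raising it trades
    missed spam for fewer false positives like the 'control expert' case."""
    return len(scan(body)) >= threshold
```

The last constructed sample shows the caveat: once separators are stripped, "control expert" contains "rolex", so a single-keyword rule will bounce legitimate mail. That is why a scoring filter that combines many weak signals (the SpamAssassin-based filter the expert recommends) holds up better than any one content rule.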
 
LVL 9

Expert Comment

by:FilipZahradnik
ID: 20355484
Blocking the spam on MDaemon is not going to fix the problem, as the spam has already been received by your ISP.
Spam comes from many sources (botnets, etc.) and you won't be able to keep up with blocking IP addresses.
0
 

Author Comment

by:Wild_Cat
ID: 20355488
Hmmmmm, I was not referring to blocking at my end; the ISP offered the service if I provided them with some data. This is the latest development, as they have also shut down my email service :)
0
 

Author Comment

by:Wild_Cat
ID: 20355503
As my mail receive time is one minute, which is local, by what ratio would it increase if I put in a spam filter hosting service? I would still like to know any possible solution for the current situation.
0
 
LVL 9

Expert Comment

by:FilipZahradnik
ID: 20355576
The reason why your email takes 1 minute to deliver is most likely because your MDaemon checks the DomainPOP mailbox every minute (that is the most frequent interval).

Adding a hosted spam filter to the setup will increase the delivery time, however it may be that it will still fit into 1 minute. It really depends on the provider.
0
 

Author Comment

by:Wild_Cat
ID: 20355615
Hmmmmmm. So what about IP blocking at the ISP's end, or any solution that can be suggested to them?
0
 

Author Comment

by:Wild_Cat
ID: 20358124
The latest scenario is that, for the time being, I have closed DomainPOP and have all the mail dropped directly to my server; that is how the ISP agreed.
Further, the spam is now seen from multiple IPs. Can I please be told, sir, how to backtrack an email and block the original spamming servers?
0
 

Author Comment

by:Wild_Cat
ID: 20365035
Still waiting for a reply.
Kindly suggest the best solution for this spam filter hosting facility, and
I am still thinking how a reverse path can be identified for an email.
0
 
LVL 9

Expert Comment

by:FilipZahradnik
ID: 20371021
I am unable to assist you with step-by-step instructions as I do not have any MDaemon 7 installations.

On a general note, do the following:
- enable the spam filter, including Bayesian filtering
- explore the Dynamic Screening options. These allow you to dynamically block senders by IP address based on various criteria, such as the number of unknown users, invalid password attempts, etc.
- ensure that your server is not an open relay (use tools like http://www.abuse.net/relay.html or http://www.spamhelp.org/shopenrelay/)
0
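The question asked several times in this thread, how to trace a message back to the server that sent it, comes down to reading the Received: chain in the right order. Each relay prepends its own Received: line, so the only line you can trust is the one added by a relay you control or trust; everything below it was already inside the message when it arrived and could have been typed by the spammer. The following is an added example (Python), not part of the original thread and not MDaemon's own tooling. It reuses the three header blocks quoted in the question as constructed input, assumes virtual.magic.net.pk (the ISP relay in every sample) is the trusted MX, and produces the list of connecting IPs the ISP asked for plus a few forgery indicators visible in those headers.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Assumption: the ISP relay that accepts mail for umt.edu.pk is the only host whose
# Received: stamps we trust; it is the "by" host of the top Received: line in each sample.
TRUSTED_MX = {"virtual.magic.net.pk"}
CLOCK_SLACK = timedelta(minutes=15)   # tolerate ordinary clock drift between hosts
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[\w.-]+)", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
ADDR_RE = re.compile(r'([^<>\s"]+@[^<>\s]+)')
FOR_RE = re.compile(r"\bfor\s+<([^>]+)>", re.I)

# Constructed input: the three header blocks quoted in the question, trimmed to the fields used here.
SAMPLE_1 = """\
Return-Path: <dean.sbe@umt.edu.pk>
Received: from 213.154.204.230 ([213.154.204.230])
    by virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGiAWx025104
    for <dean.sbe@umt.edu.pk>; Mon, 26 Nov 2007 21:44:11 +0500
Date: Tue, 27 Nov 2007 00:41:39 +0400
From: " J. Thomas" <wmcpveolcrx@swocai.swoca.net>
"""
SAMPLE_2 = """\
Return-Path: <jianping@neste.com>
Received: from ppp85-141-138-250.pppoe.mtu-net.ru (ppp85-141-138-250.pppoe.mtu-net.ru [85.141.138.250])
    by virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGihXw025174
    for <amiee18v1vsqdo3qeaaaaa@umt.edu.pk>; Mon, 26 Nov 2007 21:44:43 +0500
Received: from [85.141.138.250] by ns1.nesteoil.com; Mon, 26 Nov 2007 22:07:19 +0000
From: "Breitling Watches" <jianping@neste.com>
Date: Mon, 26 Nov 2007 20:19:57 +0000
"""
SAMPLE_3 = """\
Return-Path: <soumitra@stswithuns.com>
Received: from ip-66-254-34-32.mqdsl.megaquebec.net (ip-66-254-34-32.mqdsl.megaquebec.net [66.254.34.32])
    by virtual.magic.net.pk (8.13.8/8.13.8) with ESMTP id lAQGh196025015
    for <dous@umt.edu.pk>; Mon, 26 Nov 2007 21:43:02 +0500
Received: from [66.254.34.32] by dns02e.hants.gov.uk; Mon, 26 Nov 2007 22:05:35 +0000
From: "der onstad" <soumitra@stswithuns.com>
Date: Mon, 26 Nov 2007 20:18:13 +0000
"""


def parse_headers(raw):
    """Unfold continuation lines; return (lower-cased name, value) pairs in order."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line: the body starts here
        if line.startswith((" ", "\t")) and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_received(value):
    """Split one sendmail-style 'from HELO (rdns [ip]) by HOST ...; date' line."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("paren") or "") or IP_RE.search(m.group("helo"))
    rcpt = FOR_RE.search(value)
    try:
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    except (IndexError, TypeError, ValueError):
        stamp = None
    return {"helo": m.group("helo"), "ip": ip.group(0) if ip else None, "time": stamp,
            "by": m.group("by").lower(), "rcpt": rcpt.group(1).lower() if rcpt else None}


def analyse(raw):
    """Originating IP as seen by the trusted MX, plus indicators of header forgery."""
    fields = parse_headers(raw)
    hdr = dict(fields)
    hops = [h for h in (parse_received(v) for n, v in fields if n == "received") if h]
    # Relays prepend Received: lines, so the newest is first. The first line stamped
    # "by" a host we trust is the hop that really saw the client; every line below it
    # was already inside the message when it arrived and is just text the sender wrote.
    idx = next((i for i, h in enumerate(hops) if h["by"] in TRUSTED_MX), None)
    if idx is None:
        return {"origin_ip": None, "forged_hops": 0, "flags": ["no trusted Received: line"]}
    trusted, below, flags = hops[idx], hops[idx + 1:], []
    late = lambda t: t is not None and trusted["time"] is not None and t > trusted["time"] + CLOCK_SLACK
    for hop in below:
        if late(hop["time"]):
            flags.append("hop via %s is stamped after the trusted MX received the mail" % hop["by"])
    if IP_RE.fullmatch(trusted["helo"]):
        flags.append("HELO was a bare IP address instead of a host name")
    try:
        if late(parsedate_to_datetime(hdr.get("date", ""))):
            flags.append("Date: header is later than the trusted receive time")
    except (TypeError, ValueError):
        flags.append("missing or unparseable Date: header")
    rp = ADDR_RE.search(hdr.get("return-path", ""))
    frm = ADDR_RE.search(hdr.get("from", ""))
    if rp and frm and rp.group(1).split("@")[-1].lower() != frm.group(1).split("@")[-1].lower():
        flags.append("Return-Path domain differs from From: domain")
    if rp and rp.group(1).lower() == trusted["rcpt"]:
        flags.append("Return-Path is the recipient's own address")
    return {"origin_ip": trusted["ip"], "trusted_by": trusted["by"],
            "forged_hops": len(below), "flags": flags}


def block_list(samples):
    """What the ISP asked for: unique connecting IPs as seen by the trusted relay."""
    return sorted({r["origin_ip"] for r in map(analyse, samples) if r["origin_ip"]})
```

Run against the three samples this yields 213.154.204.230, 85.141.138.250 and 66.254.34.32 as the real senders; the inner "by ns1.nesteoil.com" and "by dns02e.hants.gov.uk" lines are stamped hours after the trusted relay already had the message, so they were written by the sender, not by those hosts. The caveat the expert raises still applies: these are three different consumer-looking addresses for three messages, which is what botnet spam looks like, so the list is useful as evidence for the ISP but not as a long-term blocklist.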
 

Author Comment

by:Wild_Cat
ID: 20372693
OK, I understand and I will follow suit.
Hmmm,
well, I have done some of your recommendations and a little spam reduction has resulted, but the progress is there.
All the mail is routing properly, but now Hotmail is blocked; all the rest of the mail is OK.
0
 
LVL 9

Expert Comment

by:FilipZahradnik
ID: 20549727
Wild_cat: any feedback on this case? Is your spam problem under control now?
0
 
LVL 9

Accepted Solution

by:
FilipZahradnik earned 250 total points
ID: 20549740
Venabili: this was quite a time-consuming case - I wrote 8 replies - so I would not mind getting the points ;-) But then again... Let's see if wild_cat is happy to award the points.
0
