  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1150
  • Last Modified:

SPAM problem

I'm receiving thousands of emails like this in my email account, and I don't know what they are.

How can I solve this?

I'm the server admin.

Thanks in advance
> The attached message had PERMANENT fatal delivery errors!
>
> After one or more unsuccessful delivery attempts the attached message has
> been removed from the mail queue on this server.  The number and frequency
> of delivery attempts are determined by local configuration parameters.
>
> YOUR MESSAGE WAS NOT DELIVERED TO ONE OR MORE RECIPIENTS!
>
> Failed address: liveclub2000@nate.com
>
> --- Session Transcript ---
> Thu 2008-02-07 20:32:55: Parsing message
> <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\pd90000006273.msg>
> Thu 2008-02-07 20:32:55: *  From: info@my_domain_name_goes_here.com
> Thu 2008-02-07 20:32:55: *  To: liveclub2000@nate.com
> Thu 2008-02-07 20:32:55: *  Subject: ¶à©Ì<\ à©Card/Ô	Ý\
> <È(D7.5~12%)55305
> Thu 2008-02-07 20:32:55: *  Message-ID:
> Thu 2008-02-07 20:32:55: Attempting SMTP connection to [nate.com]
> Thu 2008-02-07 20:32:55: Resolving MX records for [nate.com] (DNS Server:
> 217.76.128.4)...
> Thu 2008-02-07 20:32:55: *  P=010 S=000 D=nate.com TTL=(7)
> MX=[smtp.nate.com] {203.226.255.61}
> Thu 2008-02-07 20:32:55: Attempting SMTP connection to [203.226.255.61:25]
> Thu 2008-02-07 20:32:55: Waiting for socket connection...
> Thu 2008-02-07 20:32:55: *  Connection established (82.223.177.41:12780 ->
> 203.226.255.61:25)
> Thu 2008-02-07 20:32:55: Waiting for protocol to start...
> Thu 2008-02-07 20:32:56: <-- 541 5.6.0 Your message was rejected.
> Thu 2008-02-07 20:32:56: --> QUIT
> --- End Transcript ---
>

robertosantana Asked:
1 Solution
 
hbustanCommented:
Most likely, your emails are seen as spoofed.

In line 14, you have the following "From: info@my_domain_name_goes_here.com"

You are probably sending email with a From: address that does not match your real registered domain name. This mismatch is seen as spoofing, and some anti-spam systems reject your emails because of it.

Is this the case for you?
0
 
robertosantanaAuthor Commented:
That's not my case; the "From: info@my_domain_name_goes_here.com" is just an example, to hide the real email address in this post.

And I'm not sending these emails; btw, most of them have their subjects in Japanese.
0
 
hbustanCommented:
OK then, you need to also make sure that the domain address you are sending from (for ex.  me@domain.com) also matches your SMTP address (ex. mail.domain.com) and that MX records in DNS are pointing to this SMTP address (mail.domain.com) and Reverse DNS resolves the IP of the MX to the actual domain (mail.domain.com).

You may check the MX, and reverse by doing the following from command prompt:

>nslookup -q=mx domain.com

This should give you the address of your MX, such as mail1.domain.com

>nslookup mail1.domain.com

This should give you the IP of your MX, such as a.b.c.d

>nslookup a.b.c.d

This should give you back something like mail1.domain.com or mail2.domain.com.
If it gives you back any other domain, your reverse DNS is not set correctly.
0
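The MX, forward and reverse lookups above can be checked the same way in code. The following is an added example, not something posted in this thread: it walks the MX -> A -> PTR chain for a domain and reports where the chain breaks. Resolvers are passed in as callables so the logic runs offline against constructed records here; the zone data below (example.com, example.org, 192.0.2.x) is made up, and example.org is deliberately hosted on the same address as example.com to mirror the "one server, many domains" case from the question.

```python
# Added example (not from the thread): checks the MX -> A -> PTR chain that
# hbustan verifies by hand with nslookup. Resolvers are injected so this runs
# offline; the records below are constructed documentation addresses.
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]  # name or IP -> list of answers

# Constructed sample zone data. example.org is served from 192.0.2.10, whose
# PTR names mail1.example.com, so its reverse DNS does not match its own MX.
SAMPLE_MX: Dict[str, List[str]] = {
    "example.com": ["mail1.example.com", "mail2.example.com"],
    "example.org": ["mail.example.org"],
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail1.example.com": ["192.0.2.10"],
    "mail2.example.com": ["192.0.2.11"],
    "mail.example.org": ["192.0.2.10"],
}
SAMPLE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail1.example.com."],
    "192.0.2.11": ["host11.hosting.example.net."],
}


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build a resolver that answers from a dict (empty list = no record)."""
    return lambda key: table.get(key.rstrip(".").lower(), [])


def check_mail_dns(domain: str, resolve_mx: Resolver, resolve_a: Resolver,
                   resolve_ptr: Resolver) -> Dict[str, List[str]]:
    """Check every MX host of `domain`: it must have an A record, and each
    address must have a PTR record that names that same MX host."""
    report: Dict[str, List[str]] = {"ok": [], "problems": []}
    mx_hosts = [h.rstrip(".").lower() for h in resolve_mx(domain)]
    if not mx_hosts:
        report["problems"].append(f"{domain}: no MX records")
        return report
    for mx in mx_hosts:
        addresses = resolve_a(mx)
        if not addresses:
            report["problems"].append(f"{mx}: MX host has no A record")
            continue
        for ip in addresses:
            ptr_names = [n.rstrip(".").lower() for n in resolve_ptr(ip)]
            if not ptr_names:
                report["problems"].append(f"{mx} ({ip}): no PTR record")
            elif mx in ptr_names:
                report["ok"].append(f"{mx} ({ip}) -> {ptr_names[0]}")
            else:
                report["problems"].append(
                    f"{mx} ({ip}): PTR is {ptr_names[0]}, not {mx}; "
                    "reverse DNS is not set correctly for this domain")
    return report


if __name__ == "__main__":
    mx, a, ptr = (table_resolver(t) for t in (SAMPLE_MX, SAMPLE_A, SAMPLE_PTR))
    for domain in ("example.com", "example.org", "example.net"):
        for key, lines in check_mail_dns(domain, mx, a, ptr).items():
            for line in lines:
                print(f"{domain:12} {key:9} {line}")
```

To run it against live DNS, replace the table resolvers: the standard library's socket.gethostbyname_ex(name)[2] gives A records and socket.gethostbyaddr(ip) gives the PTR name, while MX lookups need a DNS library such as dnspython.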
 
robertosantanaAuthor Commented:
That's correct, and it is set correctly, but this email server has more than 100 domains and I can't set the reverse DNS for all of them; all I can do is set one reverse DNS to the main domain on the server. What about SPF? http://es.wikipedia.org/wiki/Sender_Policy_Framework
0
 
hbustanCommented:
I assume the addresses you are sending out as your email addresses do not match the main domain.

I am not that familiar with SPF, but thanks, I checked the site you referred me to (but had to change es. to en.).

It seems, according to the site, that some antispam systems are aware of SPF; but this also means other antispam systems are not aware. So, perhaps the domains that are giving you this error are related to those systems that are not SPF-aware.

This is my opinion on this matter.
0
 
robertosantanaAuthor Commented:
Sorry about the link, this is the English version: http://en.wikipedia.org/wiki/Sender_Policy_Framework

I share your opinion, but I can't understand why I'm receiving thousands of errors for emails that I haven't sent...
0
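What an SPF-aware receiver actually does with the record is simple enough to show in a few lines. The following is an added example and not code from this thread: a minimal SPF evaluator that handles the ip4, ip6 and all mechanisms with their qualifiers, enough to show a legitimate sender passing and a message forged from an unlisted address failing. The record and addresses are constructed; mechanisms that need DNS lookups (a, mx, include, exists, ptr) are out of scope and raise.

```python
# Added example (not from the thread): simplified SPF evaluation for a
# sending IP against a domain's published record. The record below is a
# constructed sample for example.com.
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed: the domain's legitimate outbound addresses, everything else fails.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"


def check_spf(record: str, sender_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail' or 'neutral' for a message that
    arrived from sender_ip, or 'none' when the record is missing or not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":                    # matches every sender
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # a bare address is treated as a /32 or /128
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism '{name}' needs DNS; not handled here")
    return "neutral"                         # no mechanism matched


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(sender, "->", check_spf(SAMPLE_RECORD, sender))
```

With "-all" a receiver that checks SPF can reject the forged message outright; with "~all" it only gets a softfail, which is why the choice of final qualifier matters once the legitimate senders are all listed.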
 
hbustanCommented:
Ohhh.... that changes everything

You are asking "why are emails being sent out without your knowledge?"; I understood your question to be "why are emails getting rejected?"

My first guess is that you might have infected machines in your network that are sending spam; you can block internal machines from accessing outgoing port 25 through your firewall and only allow your mail server to do that.
0
 
robertosantanaAuthor Commented:
Sorry about my explanation, but my English is not perfect :)

I've attached some captures; I think that everything is OK on the server. I've tested it and it isn't an open relay.
1.PNG
2.PNG
3.PNG
4.PNG
5.PNG
6.PNG
0
 
hbustanCommented:
Thanks.

My suggestion was not related to your server acting as a relay server but rather your clients acting as their own SMTP servers.

If one of your clients has a virus or any sort of SPAM generating software, it can send emails directly to the Internet without using your server as an SMTP relay; as such you should have some rule in the firewall to block such clients from accessing port 25 to the outside world to avoid such situations.
0
 
robertosantanaAuthor Commented:
It seems logical; I'll try to study some returned emails to find out who is infected.

Thanks for your help
0
 
robertosantanaAuthor Commented:
Thanks for your help!
0
 
rex73Commented:
A few suggestions, if I may.
1) 1.png: remove the exclusion unless sent from a trusted IP. You are using 127.0.0.1 as a trusted IP, which means that your server is allowed to relay, since 127.0.0.1 will translate into a server address. This effectively negates the first rule that instructs "DO NOT RELAY".

I am not that familiar with MDaemon, so I would confirm, but there is something funny in the way the above is set; it would appear that the second statement negates the first one.

2) Check if you have "catch all" enabled. If you do, and someone has spoofed a message to appear as if it is coming from you and is using it to launch a massive spam broadcast, chances are that there will be plenty of receiving servers misconfigured and dumb enough not to recognize that the message was spoofed, and therefore returning the NDR report.

I had a case a few days ago with a client receiving 80K+ messages an hour from a massive spam attack using his e-mail address in a spoofed message. He effectively shut down his mail server (small company) by himself (brought it to a standstill, chewing all bandwidth).

Just a suggestion.

0
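Studying the returned emails, as robertosantana plans to, and telling backscatter from a single spoofed address apart from mail that really left the server is easier once the bounces are parsed rather than read one by one. The following is an added example, not code from this thread: it parses session transcripts in the MDaemon format quoted in the question and tallies a batch of them by From address, remote server and SMTP reply code. The three transcripts are constructed with documentation addresses, and the regexes are written to the quoted format only.

```python
# Added example (not from the thread): parse MDaemon-style NDR session
# transcripts like the one quoted in the question and summarise a batch.
# The transcripts below are constructed samples, not real bounces.
import re
from collections import Counter
from typing import Dict, List, Optional

TS_RE = re.compile(r"^\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: ")
CONN_RE = re.compile(r"Connection established \(([\d.]+):\d+ -> ([\d.]+):\d+\)")
RESP_RE = re.compile(r"<-- (\d{3})\s*(.*)")


def _transcript(to: str, remote_ip: str, reply: str) -> str:
    """Build one constructed transcript in the quoted format, including the
    line wrapping a mail client adds to the 'Connection established' line."""
    return (
        "> --- Session Transcript ---\n"
        "> Thu 2008-02-07 20:32:55: Parsing message <pd90000006273.msg>\n"
        "> Thu 2008-02-07 20:32:55: *  From: info@example.com\n"
        f"> Thu 2008-02-07 20:32:55: *  To: {to}\n"
        "> Thu 2008-02-07 20:32:55: *  Connection established (192.0.2.10:12780 ->\n"
        f"> {remote_ip}:25)\n"
        f"> Thu 2008-02-07 20:32:56: <-- {reply}\n"
        "> Thu 2008-02-07 20:32:56: --> QUIT\n"
        "> --- End Transcript ---"
    )


SAMPLE_BOUNCES: List[str] = [
    _transcript("user1@mail.example.net", "198.51.100.25", "541 5.6.0 Your message was rejected."),
    _transcript("box2@mx.example.org", "198.51.100.40", "550 5.1.1 User unknown"),
    _transcript("user3@mail.example.net", "203.0.113.7", "541 5.6.0 Your message was rejected."),
]


def _unwrap(text: str) -> List[str]:
    """Strip '>' quoting and re-join lines that were wrapped by a mail client,
    returning one string per timestamped transcript entry."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not line:
            continue
        if TS_RE.match(line):
            entries.append(TS_RE.sub("", line))
        elif entries and not line.startswith("---"):
            entries[-1] += " " + line
    return entries


def parse_transcript(text: str) -> Dict[str, Optional[str]]:
    """Extract sender, recipient, both connection endpoints and the remote
    server's reply from one transcript."""
    info: Dict[str, Optional[str]] = {
        "from": None, "to": None, "local_ip": None, "remote_ip": None,
        "response_code": None, "response": None,
    }
    for entry in _unwrap(text):
        body = entry.lstrip("* ").strip()
        if body.startswith("From:"):
            info["from"] = body[5:].strip().lower()
        elif body.startswith("To:"):
            info["to"] = body[3:].strip().lower()
        elif (m := CONN_RE.search(body)):
            info["local_ip"], info["remote_ip"] = m.group(1), m.group(2)
        elif (m := RESP_RE.match(body)):
            info["response_code"], info["response"] = m.group(1), m.group(2).strip()
    return info


def summarize(bounces: List[str]) -> Dict[str, Counter]:
    """Tally a batch of bounces; a single dominant From address is the
    pattern rex73 describes for spoofed-sender backscatter."""
    parsed = [parse_transcript(b) for b in bounces]
    return {
        "senders": Counter(p["from"] for p in parsed if p["from"]),
        "recipient_domains": Counter(p["to"].split("@")[-1] for p in parsed if p["to"]),
        "remote_hosts": Counter(p["remote_ip"] for p in parsed if p["remote_ip"]),
        "responses": Counter(p["response_code"] for p in parsed if p["response_code"]),
    }


if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_BOUNCES).items():
        print(name, dict(counts))
```

The transcript only records the server's own outbound delivery attempt (82.223.177.41 in the quoted bounce), so it tells you what was sent and to whom, not which internal machine handed the message to the server; pairing the Message-ID or timestamp with the server's inbound SMTP log is what identifies the submitting client.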
