Solved

How to stop SPAM mails from hinet.net domain

Posted on 2010-08-31
8,083 Views
Last Modified: 2013-12-09
I am receiving a lot of SPAM mails from the hinet.net domain on my mail server.
The mails are targeted at yahoo.co.tw. I am not sure why my mail server is receiving them.
When I checked the Postfix logs, there is no source IP address showing where the mails are being sent from.

How does this happen? Has anyone had a similar experience?
Any idea how to block these?
Question by:SrikantRajeev
16 Comments
 
LVL 5

Expert Comment

by:Armenio
ID: 33573782
Actually I had a similar thing happen to my client this week; it took me all day to figure out what was going on.
My symptoms seemed as if the mail was using my Exchange server as a relay, except this is not possible as I'm not an open relay. To cut a long story short, one of my users' accounts had been breached and they were using his credentials to authenticate and send mail through his server.
The final solution: I only had 20 users, so I just disabled all the accounts and monitored Exchange as I enabled them one at a time till I found the culprit. Once I had the breached account I made sure the user's PC was clean of viruses and malware. Then I reset his password and the problem was gone. Hope this helps.

The mail was mostly destined for yahoo.co.tw but was being received from a few different hosts. Also I had a fair amount of NDRs coming in.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33573810
I am using Postfix as my SMTP server, where I am receiving these mails.
Still, can it be because of the Exchange server?
 
LVL 7

Expert Comment

by:mchkorg
ID: 33574406
Hi,
I suggest you install and configure postgrey as a greylisting tool for Postfix (read about it if you don't know what it is: http://www.greylisting.org/)
+ spamassassin and some accurate rules from http://www.rulesemporium.com/rules.htm + plugins.htm

postgrey will probably reduce the amount of spam you receive by 90%, mostly the spam from "zombies" (infected PCs sending spam from badly configured SMTP servers, dynamic IPs and so on). You just won't see this spam; it won't reach Postfix.
In a few words, greylisting simply refuses every email and asks the sender to send it again a little later. That's a standard reaction in the SMTP protocol. If the sender never retries, it must be a dirty spammer. Job's done. If it does, you accept the email when it comes back. After a few times, this sender/IP/destination will be allowed directly. So in the beginning, you just create some delay in your incoming emails.
If an email is accepted, then spamassassin will finally detect 99% of your spam, I'd say.

I can help you set all this up if you need help.

Notice: greylisting must be running on all your MXes. Spammers will often use the lowest-priority MX because, usually, that's an MX you don't control, like the one provided by your ISP or something. If this lowest MX server accepts everything, it'll just shortcut your greylisting process :)

regards
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33574472
My main concern is that in the Postfix logs I am not able to see the sending server's IP address.
The logs show it is sending from the local host <127.0.0.1>.
I want to find out who is sending these mails.

Sample log:

postfix/qmgr[5472]: EC3A1AB6E0E: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=6234, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtpd[7774]: connect from localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7782]: 7B34DAB6E58: client=localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7774]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
postfix/smtp[8121]: EC3A1AB6E0E: to=<dna123123@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/qmgr[5472]: 7F3CCAB6E5A: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=4959, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtp[8121]: EC3A1AB6E0E: to=<donna60325@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/smtp[8121]: EC3A1AB6E0E: to=<dpu108@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4
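Added example, not code from the thread: in a setup where Postfix hands each message to a content filter on localhost:10025 which re-injects it under a new queue ID (an assumption; the thread does not say what listens on 10025), the smtpd line for the re-injected queue ID names localhost, while the real client is logged only against the earlier queue ID. The parser below follows the "queued as" links back to that first queue ID. The log lines are constructed, modelled on the ones in this thread.

```python
import re

# Constructed sample log (modelled on the thread, not copied from it): one message
# arrives from an external client, is sent to localhost:10025 and comes back as a
# new queue ID whose own client= line only says localhost.
SAMPLE_LOG = """\
Sep  1 12:54:21 mx postfix/smtpd[7701]: connect from 118-168-114-211.dynamic.hinet.net[118.168.114.211]
Sep  1 12:54:21 mx postfix/smtpd[7701]: EC3A1AB6E0E: client=118-168-114-211.dynamic.hinet.net[118.168.114.211]
Sep  1 12:54:21 mx postfix/qmgr[5472]: EC3A1AB6E0E: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=6234, nrcpt=16 (queue active)
Sep  1 12:54:26 mx postfix/smtpd[7774]: connect from localhost[127.0.0.1]
Sep  1 12:54:26 mx postfix/smtpd[7774]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
Sep  1 12:54:26 mx postfix/smtp[8121]: EC3A1AB6E0E: to=<dna123123@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
"""

# "QUEUEID: client=host[ip]" as logged by smtpd when a message is accepted.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^\[\s]+)\[([\d.]+)\]")
# smtp delivering to the filter and reporting the queue ID of the re-injected copy.
REINJECT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*>, relay=localhost\[127\.0\.0\.1\]:\d+"
    r".*queued as (\w+)\)")
LOCAL_IPS = {"127.0.0.1"}


def parse_log(text):
    """Return ({qid: (host, ip)}, {reinjected_qid: original_qid})."""
    client, parent = {}, {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, host, ip = m.groups()
            client[qid] = (host, ip)
            continue
        m = REINJECT_RE.search(line)
        if m:
            original, reinjected = m.groups()
            parent[reinjected] = original
    return client, parent


def origin(qid, client, parent):
    """Walk back through re-injections until the client is not localhost."""
    seen = set()
    while qid in client and client[qid][1] in LOCAL_IPS and qid in parent and qid not in seen:
        seen.add(qid)
        qid = parent[qid]
    host, ip = client.get(qid, ("unknown", "unknown"))
    return qid, host, ip


def external_origins(text):
    """Map every queue ID accepted from localhost to its original queue ID and client."""
    client, parent = parse_log(text)
    return {q: origin(q, client, parent) for q in client if client[q][1] in LOCAL_IPS}
```

Run it over a full mail log and any localhost-accepted queue ID that resolves to an "unknown" client was injected locally (for example via the sendmail command), which is a different problem from relaying.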
 
LVL 7

Accepted Solution

by:
mchkorg earned 500 total points
ID: 33574570
I think you don't care, as spammers fake the sender and that kind of stuff (hinet.net) comes from multiple dynamic IPs. You can't block them one by one.

By the way, your SMTP server shouldn't relay e-mails "to" a domain you're not hosting. It should say:

Sep  1 06:33:16 myserver postfix/smtpd[32745]: connect from 118-168-114-211.dynamic.hinet.net[118.168.114.211]
Sep  1 06:33:17 myserver  postfix/smtpd[32745]: NOQUEUE: reject: RCPT from 118-168-114-211.dynamic.hinet.net[118.168.114.211]: 554 5.7.1 <vkihwpdh@yahoo.com.tw>: Relay access denied; from=<z2007tw@yahoo.com.tw> to=<vkihwpdh@yahoo.com.tw> proto=SMTP helo=<88.191.40.240>



And, if the targeted mailbox exists on your domain, with greylisting, it should say:

Sep  1 07:26:05 myserver postfix/smtpd[739]: connect from 59-116-10-111.dynamic.hinet.net[59.116.10.111]
Sep  1 07:26:09 myserver postgrey[5028]: action=greylist, reason=new, client_name=59-116-10-111.dynamic.hinet.net, client_address=59.116.10.111, sender=bradacrimonious@mydomain.com, recipient=bradacrimonious@mydomain.com
Sep  1 07:26:09 myserver postfix/smtpd[739]: NOQUEUE: reject: RCPT from 59-116-10-111.dynamic.hinet.net[59.116.10.111]: 450 4.2.0 <bradacrimonious@mydomain.com>: Sender address rejected: Greylisted, see http://postgrey.schweikert.ch/help/mydomain.com.html; from=<bradacrimonious@mydomain.com> to=<bradacrimonious@mydomain.com> proto=SMTP helo=<59-116-10-111.dynamic.hinet.net>
Sep  1 07:26:10 michauko postfix/smtpd[739]: lost connection after RCPT from 59-116-10-111.dynamic.hinet.net[59.116.10.111]
By the way, if you try to telnet to 59.116.10.111 port 25, it won't reply => zombie => spammer.

In your "main.cf" configuration file, are you sure of your basic settings, like:
mydestination = yourdomain.com
mynetworks = 127.0.0.0/8 # nothing more except if this SMTP relays e-mails from a LAN
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination,  reject_unknown_sender_domain

(and when you have postgrey running, you'll add "check_policy_service inet:127.0.0.1:60000" in smtpd_sender_restrictions)
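Added example, not from the thread: a small checker for the two main.cf settings discussed above, so the "relay access denied" behaviour can be verified from the file rather than by test-sending mail. It parses main.cf (continuation lines start with whitespace, comment lines with "#") and flags a recipient restriction list without reject_unauth_destination or a mynetworks that trusts everything. The two config excerpts are constructed and use example.com as a placeholder domain.

```python
import re

# Constructed main.cf excerpts (not the asker's file): a weak one, and one
# carrying the settings suggested in the accepted solution.
WEAK_CF = """\
mydestination = example.com
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
"""
FIXED_CF = """\
mydestination = example.com
# only the local host, nothing more
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_pipelining,
    permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain
"""


def parse_main_cf(text):
    """Parse main.cf into {parameter: value}, joining continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:           # continuation of the previous value
            params[key] += " " + raw.strip()
        elif "=" in raw:
            key, val = (s.strip() for s in raw.split("=", 1))
            params[key] = val
    return params


def restrictions(params, name):
    """Split a restriction list or network list into its individual entries."""
    return [r for r in re.split(r"[\s,]+", params.get(name, "")) if r]


def relay_findings(params):
    """List settings that would let this server relay for domains it does not host."""
    issues = []
    if "reject_unauth_destination" not in restrictions(params, "smtpd_recipient_restrictions"):
        issues.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    for net in restrictions(params, "mynetworks"):
        if "/" in net and net.rsplit("/", 1)[1] == "0":
            issues.append(f"mynetworks trusts the whole internet ({net})")
    return issues
```

Postfix 2.10 and later also evaluate smtpd_relay_restrictions, whose default already contains reject_unauth_destination; this checker only looks at the parameters named in the thread.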
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33576030
The mails were coming from the internet. Once I closed my firewall, the mails were no longer received by my Postfix.
The mails were generated from dynamic.hinet.net.

But I am still not clear on the 2 points below.

1. How come my Postfix logs do not show any source IP address?
2. How come my mail server has accepted mails with yahoo.com.tw recipients? My mail server is not an open relay.
 
LVL 7

Expert Comment

by:mchkorg
ID: 33576339
1. Maybe faked, I don't know.
2. Double-check "smtpd_sender_restrictions" in your "main.cf" as I mentioned above.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33584097
I have the following:

relay_domains = $mydestination
unknown_address_reject_code = 553
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unknown_sender_domain,
      reject_unauth_destination

What is the meaning of $mydestination above?
 
LVL 7

Expert Comment

by:mchkorg
ID: 33584482
$mydestination means whatever is defined in "mydestination", probably above in the file.

What do you have in smtpd_recipient_restrictions? This one checks which recipients are allowed. And as I said, your server should not accept an e-mail to a domain you don't host.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594223
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unknown_sender_domain,
      reject_unauth_destination

In mynetworks I have the private IP addresses of my internal servers.
 
LVL 7

Expert Comment

by:mchkorg
ID: 33594269
That's weird, because it sounds correct.
Test your server here: http://www.checkor.com/
to see if something seems wrong (reopen your firewall, as you said you closed it).
If your server is reported clean, then I would suggest, again, installing postgrey to get rid of a useless amount of spam.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594337
Thanks I tested my server. Only the following test failed.

RSET
250 2.0.0 Ok
MAIL FROM: spam@server.abc.com
250 2.1.0 Ok
RCPT TO: test1@server.abc.com
Test Failed, 250 2.1.5 Ok

How can I overcome this?
 
LVL 7

Assisted Solution

by:mchkorg
mchkorg earned 500 total points
ID: 33594455
THIS means you accept an e-mail to a domain you're not hosting. That's what we saw in the logs, I guess.

Can you attach your full main.cf file? If needed, just change your domains to names like dom1.com, dom2.com.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594484
Sorry, I forgot to mention a few points:
The abc.com domain belongs to me.
For other domains it shows that relay is not allowed.
 
LVL 7

Expert Comment

by:mchkorg
ID: 33594491
Anyway, send the main.cf and we'll see if there is something wrong.
 
LVL 1

Author Closing Comment

by:SrikantRajeev
ID: 33741216
I got it cleared.

Question has a verified solution.