Solved

How to stop SPAM mails from hinet.net domain

Posted on 2010-08-31
8,654 Views
Last Modified: 2013-12-09
I am receiving a lot of SPAM mails from the hinet.net domain to my mail server.
The mails are targeted at yahoo.co.tw. I am not sure why my mail server is receiving them.
When I checked the Postfix logs there is no source IP address showing where the mails are being sent from.

How does this happen? Does anyone have similar experience?
Any idea how to block these?
Question by:SrikantRajeev
16 Comments
 
LVL 5

Expert Comment

by:Armenio
ID: 33573782
Actually I had a similar thing happen to my client this week; it took me all day to figure out what was going on.
My symptoms seemed as if the mail was using my Exchange server as a relay, except this is not possible as I'm not an open relay. To cut a long story short, one of my users' accounts had been breached and they were using his credentials to authenticate and send mail through his server.
The final solution: I only had 20 users, so I just disabled all the accounts and monitored Exchange as I enabled them one at a time till I found the culprit. Once I had the breached account I made sure the user's PC was clean of viruses and malware. Then I reset his password and the problem was gone. Hope this helps.

The mail was mostly destined for yahoo.co.tw but was being received from a few different hosts. Also I had a fair amount of NDRs coming in.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33573810
I am using Postfix as my SMTP server, where I am receiving these mails.
Still, can it be because of the Exchange server?
 
LVL 7

Expert Comment

by:mchkorg
ID: 33574406
Hi,
I suggest you install and configure postgrey as a greylisting tool for Postfix (read about it if you don't know what it is: http://www.greylisting.org/)
+ SpamAssassin and some accurate rules from http://www.rulesemporium.com/rules.htm + plugins.htm

postgrey will probably reduce by 90% the amount of spam you receive, mostly from "zombies" (infected PCs sending spam through badly configured SMTP servers, dynamic IPs and so on). You just won't see these spams; they won't reach Postfix.
In a few words, greylisting just refuses every email and asks the sender to send it again a little later. That's a standard reaction in the SMTP protocol. If the sender is unreachable, it must be a dirty spammer. Job's done. If not, you accept the email when it comes back. After a few times, this sender/IP/destination will be allowed directly. So in the beginning, you just create some delay in your incoming emails.
If an email is accepted, then SpamAssassin will finally detect 99% of your spam, I'd say.

I can help you set all this up if you need help.

Notice: greylisting must be running on all your MXs. Spammers will often use the lowest priority MX because, usually, that's an MX you don't control, like the one provided by your ISP or something. If this lowest MX server accepts everything, it'll just shortcut your greylisting process :)

regards
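The greylisting behaviour described in the answer above, as an added example that is not part of the original thread and is not postgrey's own code: a small Python policy that defers a never-seen (client IP, sender, recipient) triplet with a 450 reply, still defers a retry that comes back too soon, accepts a retry that arrives after a minimum delay, and stops greylisting a client IP once it has retried correctly often enough. The 300 second delay, the 5-pass whitelist threshold, and every address in the simulation are constructed assumptions, not values from the thread.

```python
# Added example, not from the thread: a minimal greylisting policy in the
# spirit of postgrey. Assumptions (constructed): a 300 s minimum retry delay,
# the (client IP, sender, recipient) triplet as the key, and auto-whitelisting
# of a client IP after 5 successful retries.

DELAY_SECONDS = 300
AUTO_WHITELIST_AFTER = 5


class Greylist:
    """Decide, per RCPT attempt, whether to defer (450) or accept (250)."""

    def __init__(self, delay=DELAY_SECONDS, auto_whitelist_after=AUTO_WHITELIST_AFTER):
        self.delay = delay
        self.auto_whitelist_after = auto_whitelist_after
        self.first_seen = {}      # triplet -> time of first attempt
        self.passes = {}          # client IP -> number of successful retries
        self.whitelisted = set()  # client IPs that skip greylisting entirely

    def check(self, client_ip, sender, recipient, now):
        """Return (action, smtp_reply) for one delivery attempt at time `now`."""
        if client_ip in self.whitelisted:
            return ("pass", "250 2.1.5 Ok")
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.first_seen.get(key)
        if first is None:
            # Never seen this triplet: defer with a temporary error. A real MTA
            # queues the message and retries; a zombie usually never comes back.
            self.first_seen[key] = now
            return ("greylist", "450 4.2.0 Greylisted, try again later")
        if now - first < self.delay:
            # Retried too quickly (some spamware retries immediately): still defer.
            return ("greylist", "450 4.2.0 Greylisted, try again later")
        # A patient sender: accept, and count the pass towards auto-whitelisting
        # so this client no longer suffers the delay on future messages.
        self.passes[client_ip] = self.passes.get(client_ip, 0) + 1
        if self.passes[client_ip] >= self.auto_whitelist_after:
            self.whitelisted.add(client_ip)
        return ("pass", "250 2.1.5 Ok")


def simulate():
    """Constructed scenario: one zombie that never retries, one real MTA that does."""
    g = Greylist()
    t0 = 1_000_000
    # Constructed zombie: one attempt, never retried, so it never gets a 250.
    zombie, _ = g.check("59.116.10.111", "x@ms64.hinet.net", "me@mydomain.com", t0)
    mta = "192.0.2.10"  # constructed legitimate mail server
    first, _ = g.check(mta, "friend@example.org", "me@mydomain.com", t0)
    early, _ = g.check(mta, "friend@example.org", "me@mydomain.com", t0 + 60)
    later, _ = g.check(mta, "friend@example.org", "me@mydomain.com", t0 + 600)
    # After enough successful retries the MTA's IP is whitelisted: a brand-new
    # triplet from it passes immediately, with no delay at all.
    for i in range(4):
        g.check(mta, "friend@example.org", "me@mydomain.com", t0 + 1000 * (i + 1))
    new_triplet, _ = g.check(mta, "other@example.org", "me@mydomain.com", t0 + 9000)
    return zombie, first, early, later, new_triplet


if __name__ == "__main__":
    print(simulate())  # ('greylist', 'greylist', 'greylist', 'pass', 'pass')
```

The simulation makes the point of the answer concrete: the zombie's single attempt is deferred and never followed up, so nothing from it is ever accepted, while the legitimate server pays the delay once per new triplet and then not at all. This is also why the same policy has to run on every MX: a secondary MX without it would accept the first attempt and the deferral would never happen.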
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33574472
My main concern is that in the Postfix logs I am not able to see the sending server's IP address.
The logs show it is sending from the local host <127.0.0.1>.
I want to find out who is sending these mails.

Sample log:

postfix/qmgr[5472]: EC3A1AB6E0E: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=6234, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtpd[7774]: connect from localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7782]: 7B34DAB6E58: client=localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7774]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
postfix/smtp[8121]: EC3A1AB6E0E: to=<dna123123@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/qmgr[5472]: 7F3CCAB6E5A: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=4959, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtp[8121]: EC3A1AB6E0E: to=<donna60325@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/smtp[8121]: EC3A1AB6E0E: to=<dpu108@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4
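To answer the "where is the source IP" question from the logs themselves, here is an added example that is not part of the thread: a Python script that groups Postfix log lines by queue ID and follows the "queued as" links between them. A relay=localhost[127.0.0.1]:10025 line ending in "queued as <new ID>" is the usual signature of a content filter (amavisd-new style) handing the message back to Postfix over a second, loopback connection; that second queue ID only ever logs client=localhost, while the first queue ID's smtpd line carries the real client. The sample log is constructed: the queue IDs and the ms64.hinet.net sender are copied from the excerpt above, while the originating hinet.net client line, the host name mx, and the final relay are assumed.

```python
import re

# Added example, not from the thread: correlate Postfix queue IDs so that a
# message which only appears with client=localhost can be traced back to the
# connection that originally delivered it. The sample log is constructed.
SAMPLE_LOG = """\
Sep  1 12:54:21 mx postfix/smtpd[7701]: connect from 118-168-114-211.dynamic.hinet.net[118.168.114.211]
Sep  1 12:54:21 mx postfix/smtpd[7701]: EC3A1AB6E0E: client=118-168-114-211.dynamic.hinet.net[118.168.114.211]
Sep  1 12:54:21 mx postfix/qmgr[5472]: EC3A1AB6E0E: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=6234, nrcpt=16 (queue active)
Sep  1 12:54:26 mx postfix/smtpd[7774]: connect from localhost[127.0.0.1]
Sep  1 12:54:26 mx postfix/smtpd[7774]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
Sep  1 12:54:26 mx postfix/smtp[8121]: EC3A1AB6E0E: to=<dna123123@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26 mx postfix/qmgr[5472]: 7F3CCAB6E5A: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=4959, nrcpt=16 (queue active)
Sep  1 12:54:27 mx postfix/smtp[8130]: 7F3CCAB6E5A: to=<dna123123@yahoo.com.tw>, relay=mta.yahoo.com.tw[192.0.2.25]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 ok)
"""

QID_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")
CLIENT_RE = re.compile(r"client=(\S+?)\[([0-9.]+)\]")
RELAY_RE = re.compile(r"relay=(\S+?)\[([0-9.]+)\]:(\d+)")
QUEUED_AS_RE = re.compile(r"queued as ([0-9A-F]{6,})")


def new_record():
    return {"client": None, "parent": None, "relays": []}


def parse(log_text):
    """Group log lines by queue ID; link a re-injected copy to its parent."""
    msgs = {}
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue  # "connect from" lines carry no queue ID
        _daemon, qid, rest = m.groups()
        rec = msgs.setdefault(qid, new_record())
        c = CLIENT_RE.search(rest)
        if c:
            rec["client"] = (c.group(1), c.group(2))
        r = RELAY_RE.search(rest)
        if r:
            rec["relays"].append((r.group(1), r.group(2), int(r.group(3))))
            q = QUEUED_AS_RE.search(rest)
            if q:
                # "queued as X": the relay (here a content filter on 10025)
                # re-injected the message under a new queue ID on a new connection.
                msgs.setdefault(q.group(1), new_record())["parent"] = qid
    return msgs


def origin(msgs, qid):
    """Walk parent links back to the first queue ID whose client is not loopback."""
    seen = set()
    while qid and qid not in seen:
        seen.add(qid)
        rec = msgs.get(qid)
        if rec is None:
            return None
        client = rec["client"]
        if client and not client[1].startswith("127."):
            return qid, client
        qid = rec["parent"]
    return None


def reinjected_only(msgs):
    """Queue IDs whose recorded client is loopback: content-filter re-injections."""
    return sorted(q for q, r in msgs.items()
                  if r["client"] and r["client"][1].startswith("127."))


if __name__ == "__main__":
    msgs = parse(SAMPLE_LOG)
    print(origin(msgs, "7F3CCAB6E5A"))
    print(reinjected_only(msgs))
```

Run against a real mail log, the lines with client=localhost are expected and harmless on their own; what matters is the client= line of the parent queue ID, which is where to look for the external address, and the relay of the child, which shows where the message finally went.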
 
LVL 7

Accepted Solution

by:mchkorg (earned 2000 total points)
ID: 33574570
I think you needn't care, as spammers fake the sender and that kind of stuff (hinet.net) comes from multiple dynamic IPs. You can't block them one by one.

By the way, your SMTP server shouldn't relay e-mails "to" a domain you're not hosting. That should say:

Sep  1 06:33:16 myserver postfix/smtpd[32745]: connect from 118-168-114-211.dynamic.hinet.net[118.168.114.211]
Sep  1 06:33:17 myserver  postfix/smtpd[32745]: NOQUEUE: reject: RCPT from 118-168-114-211.dynamic.hinet.net[118.168.114.211]: 554 5.7.1 <vkihwpdh@yahoo.com.tw>: Relay access denied; from=<z2007tw@yahoo.com.tw> to=<vkihwpdh@yahoo.com.tw> proto=SMTP helo=<88.191.40.240>



And, if the targeted mailbox exists on your domain, with greylisting, it should say:

Sep  1 07:26:05 myserver postfix/smtpd[739]: connect from 59-116-10-111.dynamic.hinet.net[59.116.10.111]
Sep  1 07:26:09 myserver postgrey[5028]: action=greylist, reason=new, client_name=59-116-10-111.dynamic.hinet.net, client_address=59.116.10.111, sender=bradacrimonious@mydomain.com, recipient=bradacrimonious@mydomain.com
Sep  1 07:26:09 myserver postfix/smtpd[739]: NOQUEUE: reject: RCPT from 59-116-10-111.dynamic.hinet.net[59.116.10.111]: 450 4.2.0 <bradacrimonious@mydomain.com>: Sender address rejected: Greylisted, see http://postgrey.schweikert.ch/help/mydomain.com.html; from=<bradacrimonious@mydomain.com> to=<bradacrimonious@mydomain.com> proto=SMTP helo=<59-116-10-111.dynamic.hinet.net>
Sep  1 07:26:10 michauko postfix/smtpd[739]: lost connection after RCPT from 59-116-10-111.dynamic.hinet.net[59.116.10.111]
By the way, if you try to telnet to 59.116.10.111 port 25, it won't reply => zombie => spammer.

In your "main.cf" configuration file, are you sure of your basic settings, like:
mydestination = yourdomain.com
# nothing more, except if this SMTP relays e-mails from a LAN
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain

(and when you have postgrey running, you'll add "check_policy_service inet:127.0.0.1:60000" in smtpd_sender_restrictions)
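An added example, not from the thread and not part of Postfix's own tooling, that checks the main.cf settings listed in the accepted answer: a Python checker that reads main.cf the way Postfix does (a line starting with whitespace continues the previous parameter; "#" is a comment only at the start of a line, never inside a value) and flags a mynetworks entry outside loopback/RFC 1918 space, a bare permit placed ahead of reject_unauth_destination, and a missing reject_unauth_destination altogether. Both sample configurations are constructed: the GOOD one uses the settings from the answer above, the BAD one shows the mistakes. On a live server, postconf -n prints the non-default settings you would feed to this check. The check also covers smtpd_relay_restrictions, which Postfix 2.10 and later use for relay control.

```python
import ipaddress
import re

# Added example, not from the thread: a checker for the main.cf relay settings
# discussed above. Both sample configurations below are constructed.

GOOD_CF = """\
mydestination = yourdomain.com
# loopback only, unless this host relays for a LAN
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""

BAD_CF = """\
mydestination = yourdomain.com
mynetworks = 0.0.0.0/0 # trailing comment: Postfix reads this as part of the value
smtpd_recipient_restrictions =
      permit,
      reject_unauth_destination
"""

# Ranges the answer allows in mynetworks: loopback, or RFC 1918 space when the
# server relays for an internal LAN (IPv4 only in this example).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines like Postfix does."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def check_restrictions(name, tokens):
    findings = []
    guard_at = next((i for i, t in enumerate(tokens) if t in RELAY_GUARDS), None)
    if guard_at is None:
        findings.append(f"{name}: no reject_unauth_destination, so mail to domains you do not host is accepted")
        return findings
    for t in tokens[:guard_at]:
        if t.startswith("permit") and t not in SAFE_PERMITS:
            findings.append(f"{name}: '{t}' before reject_unauth_destination lets any client relay")
    return findings


def check_relay_config(params):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    raw_nets = params.get("mynetworks", "")
    if "#" in raw_nets:
        findings.append("mynetworks: '#' inside the value is not a comment; move it to its own line")
    for net in split_list(raw_nets):
        if net.startswith("#"):
            break  # everything after the stray '#' was meant as a comment
        try:
            n = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(f"mynetworks: cannot parse {net!r}")
            continue
        if n.prefixlen == 0:
            findings.append(f"mynetworks: {net} matches every address, i.e. an open relay")
        elif n.version == 4 and not any(n.subnet_of(a) for a in ALLOWED_NETS):
            findings.append(f"mynetworks: {net} is outside loopback/RFC 1918; every host in it may relay")
    findings += check_restrictions("smtpd_recipient_restrictions",
                                   split_list(params.get("smtpd_recipient_restrictions", "")))
    if "smtpd_relay_restrictions" in params:  # Postfix 2.10+ keeps relay control here
        findings += check_restrictions("smtpd_relay_restrictions",
                                       split_list(params["smtpd_relay_restrictions"]))
    return findings


if __name__ == "__main__":
    for label, cf in (("good", GOOD_CF), ("bad", BAD_CF)):
        print(label, check_relay_config(parse_main_cf(cf)) or ["ok"])
```

The BAD configuration produces three findings: the trailing comment that Postfix would swallow into the value, the 0.0.0.0/0 entry that makes every client a trusted network, and the bare permit that short-circuits reject_unauth_destination. Any of the three on its own is enough for the yahoo.com.tw relaying seen in the question.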
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33576030
The mails were coming from the internet. Once I closed my firewall the mails were no longer received by my Postfix.
The mails were generated from dynamic.hinet.net.

But I am still not clear on the below 2 points.

1. How come my Postfix logs do not show any of the source IP addresses?
2. How come my mail server has accepted mails with the recipient as yahoo.com.tw? My mail server is not an open relay.
 
LVL 7

Expert Comment

by:mchkorg
ID: 33576339
1. Maybe faked, I don't know.
2. Double-check "smtpd_sender_restrictions" in your "main.cf" as I mentioned above.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33584097
I have the following:

relay_domains = $mydestination
unknown_address_reject_code = 553
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unknown_sender_domain,
      reject_unauth_destination

What is the meaning of the above $mydestination?
 
LVL 7

Expert Comment

by:mchkorg
ID: 33584482
$mydestination means whatever is defined in "mydestination", probably above in the file.

What do you have in smtpd_recipient_restrictions? This one checks which recipients are allowed. And as I said, your server should not accept an e-mail to a domain you don't host.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594223
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unknown_sender_domain,
      reject_unauth_destination

In mynetworks I have the private IP addresses of my internal servers.
 
LVL 7

Expert Comment

by:mchkorg
ID: 33594269
That's weird, because it sounds correct.
Test your server here: http://www.checkor.com/
to see if something seems wrong (reopen your firewall, as you said you closed it).
If your server is said to be clean, then I would suggest, again, installing postgrey to get rid of a useless amount of spam.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594337
Thanks, I tested my server. Only the following test failed.

RSET
250 2.0.0 Ok
MAIL FROM: spam@server.abc.com
250 2.1.0 Ok
RCPT TO: test1@server.abc.com
Test Failed, 250 2.1.5 Ok

How can I overcome this?

 
LVL 7

Assisted Solution

by:mchkorg (earned 2000 total points)
ID: 33594455
THIS means you accept an e-mail to a domain you're not hosting. That's what we saw in the logs, I guess.

Can you attach your full main.cf file? If needed, just replace your domains with names like dom1.com, dom2.com.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594484
Sorry, a few points to mention:
The abc.com domain belongs to me.
For other domains it shows that relay is not allowed.
 
LVL 7

Expert Comment

by:mchkorg
ID: 33594491
Anyway, send the main.cf; we'll see if there is something wrong.
 
LVL 1

Author Closing Comment

by:SrikantRajeev
ID: 33741216
I got it cleared