Solved

How to stop SPAM mails from hinet.net domain

Posted on 2010-08-31
Last Modified: 2013-12-09
I am receiving a lot of SPAM mails from the hinet.net domain on my mail server.
The mails are targeted at yahoo.co.tw. I am not sure why my mail server is receiving them.
When I checked the Postfix logs there is no source IP address from which the mails are being sent.

How does this happen? Has anyone had a similar experience?
Any idea how to block these?
Question by:SrikantRajeev
16 Comments
 
LVL 5

Expert Comment

by:Armenio
ID: 33573782
Actually I had a similar thing happen to my client this week; it took me all day to figure out what was going on.
My symptoms seemed as if the mail was using my Exchange server as a relay, except this is not possible as I'm not an open relay. To cut a long story short, one of my users' accounts had been breached and they were using his credentials to authenticate and send mail through his server.
The final solution was: I only had 20 users, so I just disabled all the accounts and monitored Exchange as I enabled them one at a time till I found the culprit. Once I had the breached account I made sure the user's PC was clean of viruses and malware. Then I reset his password and the problem was gone. Hope this helps.

The mail was mostly destined for yahoo.co.tw but was being received from a few different hosts. Also I had a fair amount of NDRs coming in.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33573810
I am using Postfix as my SMTP server, where I am receiving these mails.
Still, can it be because of the Exchange server?
 
LVL 7

Expert Comment

by:mchkorg
ID: 33574406
Hi,
I suggest you install and configure postgrey as a greylisting tool for Postfix (read about it if you don't know what it is: http://www.greylisting.org/)
+ SpamAssassin and some accurate rules from http://www.rulesemporium.com/rules.htm + plugins.htm

postgrey will probably reduce your amount of spam by 90%, received mostly from "zombies" (infected PCs sending spam from badly configured SMTP servers, dynamic IPs and so on). You just won't see these spams; they won't reach Postfix.
In a few words, greylisting just refuses every email and asks the sender to send it again in a little while. That's a standard reaction in the SMTP protocol. If the sender is unreachable, it must be a dirty spammer. Job's done. If not, you accept the email when it comes back. After a few times, this sender/IP/destination will be allowed directly. So in the beginning, you just create some delay in your incoming emails.
If an email is accepted, then SpamAssassin will finally detect 99% of your spam, I'd say.

I can help you set all this up if you need help.

Notice: greylisting must be running on all your MXs. Spammers will often use the lowest priority MX because, usually, that's an MX you don't control, like the one provided by your ISP or something. If this lowest MX server accepts everything, it'll just shortcut your greylisting process :)

regards
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33574472
My main concern is that in the Postfix logs I am not able to see the sending server IP address.
The logs show it is sending from the local host <127.0.0.1>.
I want to find who is sending these mails.

Sample log:

postfix/qmgr[5472]: EC3A1AB6E0E: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=6234, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtpd[7774]: connect from localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7782]: 7B34DAB6E58: client=localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7774]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
postfix/smtp[8121]: EC3A1AB6E0E: to=<dna123123@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/qmgr[5472]: 7F3CCAB6E5A: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=4959, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtp[8121]: EC3A1AB6E0E: to=<donna60325@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/smtp[8121]: EC3A1AB6E0E: to=<dpu108@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4
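One way to answer the question of where such mail really comes from, as an added example (not from the thread): a small Python checker over Postfix log lines that flags messages accepted for a domain the server does not host and follows the "queued as" link from the content-filter re-injection (relay=localhost:10025) back to the original queue id, whose client= line holds the real source. The hosted domain, the outside client name and the extra log lines are constructed for the example; the hinet.net sender and the queue ids are taken from the log above.

```python
import re

# Domains this server hosts (Postfix mydestination); assumed value for this example.
HOSTED = {"abc.com"}

# Constructed sample modelled on the log in the question: EC3A1AB6E0E arrives from an
# outside client, passes the content filter on port 10025 and is re-injected from
# localhost as 7F3CCAB6E5A, which then leaves the box.
SAMPLE_LOG = """\
Sep  1 12:54:21 mx postfix/smtpd[7701]: EC3A1AB6E0E: client=203-0-113-9.dynamic.example.net[203.0.113.9]
Sep  1 12:54:21 mx postfix/qmgr[5472]: EC3A1AB6E0E: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=6234, nrcpt=2 (queue active)
Sep  1 12:54:26 mx postfix/smtpd[7782]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
Sep  1 12:54:26 mx postfix/smtp[8121]: EC3A1AB6E0E: to=<dna123123@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26 mx postfix/smtp[8121]: EC3A1AB6E0E: to=<bob@abc.com>, relay=localhost[127.0.0.1]:10025, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:30 mx postfix/smtp[8130]: 7F3CCAB6E5A: to=<dna123123@yahoo.com.tw>, relay=mx.yahoo.example[192.0.2.25]:25, dsn=2.0.0, status=sent (250 ok)
"""

QID = r"([0-9A-F]{8,14})"
RE_CLIENT = re.compile(QID + r": client=([^\s,]+)")
RE_FROM = re.compile(QID + r": from=<([^>]*)>")
RE_SENT = re.compile(QID + r": to=<([^>]+)>.*status=sent(?:.*queued as ([0-9A-F]+))?")

def find_relayed(log_text, hosted=HOSTED):
    """One record per message accepted for a domain this server does not host.
    The re-injected copy always shows client=localhost, so 'queued as' is followed
    back to the original queue id, whose client= line holds the real source."""
    client, sender, parent, seen, findings = {}, {}, {}, set(), []
    for line in log_text.splitlines():
        if m := RE_CLIENT.search(line):
            client[m[1]] = m[2]
        elif m := RE_FROM.search(line):
            sender[m[1]] = m[2]
        elif m := RE_SENT.search(line):
            qid, rcpt, child = m.groups()
            if child:
                parent[child] = qid  # re-injected copy -> original queue id
            if rcpt.rpartition("@")[2].lower() in hosted:
                continue  # local delivery, not a relay
            origin = qid
            while origin in parent:
                origin = parent[origin]
            if (origin, rcpt) not in seen:
                seen.add((origin, rcpt))
                findings.append({"queue_id": origin, "client": client.get(origin, "?"),
                                 "sender": sender.get(origin, "?"), "recipient": rcpt})
    return findings

if __name__ == "__main__":
    for f in find_relayed(SAMPLE_LOG):
        print("relayed {queue_id}: {sender} -> {recipient} via {client}".format(**f))
```

Run it against your own mail.log with HOSTED set to your mydestination domains; every record it prints is a message your server agreed to forward to a domain you do not host.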
 
LVL 7

Accepted Solution

by:mchkorg
mchkorg earned 2000 total points
ID: 33574570
I think you don't care, as spammers fake the sender and that kind of stuff (hinet.net) comes from multiple dynamic IPs. You can't block them one by one.

By the way, your SMTP shouldn't relay e-mails "to" a domain you're not hosting. That should say:

Sep  1 06:33:16 myserver postfix/smtpd[32745]: connect from 118-168-114-211.dynamic.hinet.net[118.168.114.211]
Sep  1 06:33:17 myserver  postfix/smtpd[32745]: NOQUEUE: reject: RCPT from 118-168-114-211.dynamic.hinet.net[118.168.114.211]: 554 5.7.1 <vkihwpdh@yahoo.com.tw>: Relay access denied; from=<z2007tw@yahoo.com.tw> to=<vkihwpdh@yahoo.com.tw> proto=SMTP helo=<88.191.40.240>

And, if the targeted mailbox exists on your domain, with greylisting, it should say:

Sep  1 07:26:05 myserver postfix/smtpd[739]: connect from 59-116-10-111.dynamic.hinet.net[59.116.10.111]
Sep  1 07:26:09 myserver postgrey[5028]: action=greylist, reason=new, client_name=59-116-10-111.dynamic.hinet.net, client_address=59.116.10.111, sender=bradacrimonious@mydomain.com, recipient=bradacrimonious@mydomain.com
Sep  1 07:26:09 myserver postfix/smtpd[739]: NOQUEUE: reject: RCPT from 59-116-10-111.dynamic.hinet.net[59.116.10.111]: 450 4.2.0 <bradacrimonious@mydomain.com>: Sender address rejected: Greylisted, see http://postgrey.schweikert.ch/help/mydomain.com.html; from=<bradacrimonious@mydomain.com> to=<bradacrimonious@mydomain.com> proto=SMTP helo=<59-116-10-111.dynamic.hinet.net>
Sep  1 07:26:10 michauko postfix/smtpd[739]: lost connection after RCPT from 59-116-10-111.dynamic.hinet.net[59.116.10.111]
By the way if you try to telnet to 59.116.10.111 port 25, it won't reply => zombie => spammer.

In your "main.cf" configuration file, are you sure of your basic settings, like:
mydestination = yourdomain.com
mynetworks = 127.0.0.0/8 # nothing more except if this SMTP relays e-mails from a LAN
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination,  reject_unknown_sender_domain

(and when you have postgrey running, you'll add "check_policy_service inet:127.0.0.1:60000" in smtpd_sender_restrictions)
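The greylisting exchange mchkorg describes, as an added example that is neither postgrey's code nor from the thread: a minimal Postfix policy service in Python speaking the policy delegation protocol that "check_policy_service inet:127.0.0.1:60000" connects to. It defers a new (client IP, sender, recipient) triplet with a 450, accepts the retry once the delay has passed, and stops greylisting the triplet after a few successful retries. The 300-second delay, the threshold of 5 and the listening port are assumptions.

```python
import socketserver
import time
from collections import defaultdict

class Greylist:
    """postgrey-style decision logic keyed on the (client IP, sender, recipient) triplet."""
    def __init__(self, delay=300, whitelist_after=5):
        self.delay = delay                  # seconds the first attempt is deferred (assumed)
        self.whitelist_after = whitelist_after
        self.first_seen = {}                # triplet -> time of first attempt
        self.passes = defaultdict(int)      # triplet -> accepted retries so far
    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        key = (attrs.get("client_address", ""), attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
        if self.passes[key] >= self.whitelist_after:
            return "DUNNO"                  # known-good triplet: skip greylisting
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            # 4xx: a real MTA queues and retries; most spam engines never come back
            return "DEFER_IF_PERMIT 450 4.2.0 Greylisted, please try again later"
        self.passes[key] += 1
        return "DUNNO"                      # hand over to the remaining restrictions

def parse_request(raw):
    """One policy request: 'name=value' lines ended by an empty line (access_policy(5))."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def respond(greylist, raw, now=None):
    """Full exchange for one request; Postfix expects 'action=...' plus an empty line."""
    return "action=%s\n\n" % greylist.decide(parse_request(raw), now)

def serve(host="127.0.0.1", port=60000):
    """Listen where check_policy_service inet:127.0.0.1:60000 will connect."""
    greylist = Greylist()
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):            # Postfix may send several requests per connection
            buf = ""
            while line := self.rfile.readline().decode():
                buf += line
                if line == "\n":
                    self.wfile.write(respond(greylist, buf).encode())
                    buf = ""
    socketserver.TCPServer((host, port), Handler).serve_forever()
```

The first attempt from a zombie that never retries is the only thing it ever sees, which is exactly the "action=greylist, reason=new" line in the postgrey log above.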
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33576030
The mails were coming from the internet. Once I closed my firewall the mails were not received in my Postfix.
The mails were generated from dynamic.hinet.net

But I am still not clear on the below 2 points.

1. How come my Postfix logs do not show any of the source IP addresses?
2. How come my mail server has accepted mails with recipient as yahoo.com.tw? My mail server is not an open relay.
 
LVL 7

Expert Comment

by:mchkorg
ID: 33576339
1. Maybe faked, I don't know.
2. Double-check "smtpd_sender_restrictions" in your "main.cf" as I mentioned above.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33584097
I have the following:

relay_domains = $mydestination
unknown_address_reject_code = 553
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unknown_sender_domain,
      reject_unauth_destination

What is the meaning of the above $mydestination?
 
LVL 7

Expert Comment

by:mchkorg
ID: 33584482
$mydestination means what is defined in "mydestination", probably above in the file.

What do you have in smtpd_recipient_restrictions? This one checks the recipients allowed. And as I said, your server should not accept an e-mail to a domain you don't host.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594223
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unknown_sender_domain,
      reject_unauth_destination

In mynetworks I have the private IP addresses of my internal servers.
 
LVL 7

Expert Comment

by:mchkorg
ID: 33594269
That's weird because it sounds correct.
Test your server here: http://www.checkor.com/
to see if something seems wrong (reopen your firewall, as you said you closed it).
If your server is said to be clean, then I would suggest, again, installing postgrey to get rid of a useless amount of spam.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594337
Thanks, I tested my server. Only the following test failed.

RSET
250 2.0.0 Ok
MAIL FROM: spam@server.abc.com
250 2.1.0 Ok
RCPT TO: test1@server.abc.com
Test Failed, 250 2.1.5 Ok

How can I overcome this?

 
LVL 7

Assisted Solution

by:mchkorg
mchkorg earned 2000 total points
ID: 33594455
THIS means you accept an e-mail to a domain you're not hosting. That's what we saw in the logs, I guess.

Can you attach your full main.cf file? If needed, just replace your domains with names like dom1.com, dom2.com.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594484
Sorry, a few points to mention:
the abc.com domain belongs to me;
for other domains it shows that relay is not allowed.
 
LVL 7

Expert Comment

by:mchkorg
ID: 33594491
Anyway, send the main.cf and we'll see if there is something wrong.
 
LVL 1

Author Closing Comment

by:SrikantRajeev
ID: 33741216
I got it cleared