Solved

How to stop SPAM mails from hinet.net domain

Posted on 2010-08-31
7,959 Views
Last Modified: 2013-12-09
I am receiving a lot of SPAM mails from the hinet.net domain on my mail server.
The mails are targeted at yahoo.co.tw. I am not sure why my mail server is receiving them.
When I checked the postfix logs there is no source IP address showing where the mails are being sent from.

How does this happen? Has anyone had a similar experience?
Any idea how to block these?
Question by:SrikantRajeev
16 Comments
 
LVL 5

Expert Comment

by:Armenio
Actually I had a similar thing happen to my client this week; it took me all day to figure out what was going on.
My symptoms seemed as if the mail was using my Exchange server as a relay, except this is not possible as I'm not an open relay. To cut a long story short, one of my users' accounts had been breached and they were using his credentials to authenticate and send mail through his server.
The final solution was: I only had 20 users, so I just disabled all the accounts and monitored Exchange as I enabled them one at a time till I found the culprit. Once I had the breached account I made sure the user's PC was clean of viruses and malware. Then I reset his password and the problem was gone. Hope this helps.

The mail was mostly destined for yahoo.co.tw but was being received from a few different hosts. Also I had a fair amount of NDRs coming in.
0
 
LVL 1

Author Comment

by:SrikantRajeev
I am using Postfix as my SMTP server, where I am receiving these mails.
Still, can it be because of the Exchange server?
0
 
LVL 7

Expert Comment

by:mchkorg
Hi,
I suggest you install and configure postgrey as a greylisting tool for postfix (read up on it if you don't know what it is: http://www.greylisting.org/)
+ spamassassin and some accurate rules from http://www.rulesemporium.com/rules.htm + plugins.htm

postgrey will probably reduce by 90% the amount of spam you receive, mostly from "zombies" (infected PCs sending spam from badly configured SMTP servers, dynamic IPs and so on). You just won't see these spams; they won't reach postfix.
In a few words, greylisting just refuses every email and asks the sender to send it again a little later. That's a standard reaction in the SMTP protocol. If the sender is unreachable, it must be a dirty spammer. Job's done. If not, you accept the email when it comes back. After a few times, this sender/IP/destination will be allowed directly. So in the beginning, you just create some delay in your incoming emails.
If an email is accepted, then spamassassin will finally detect 99% of your spam, I'd say.

I can help you set all this up if you need help.

Notice: greylisting must be running on all your MXs. Spammers will often use the lowest priority MX because, usually, that's an MX you don't control, like the one provided by your ISP or something. If this lowest MX server accepts everything, it'll just shortcut your greylisting process :)

regards
0
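The greylisting decision described in the answer above, as an added illustration (this is not postgrey's code and not part of the thread). It models the sender/IP/destination triplet: an unknown triplet gets a temporary reject, a retry after the delay is accepted, and a client that keeps delivering successfully is whitelisted. The delay and whitelist thresholds, the `Greylist` class and the scenario in `simulate()` are assumptions for this example, not postgrey defaults.

```python
from dataclasses import dataclass, field

# Assumed tuning values for this illustration (they are not postgrey's defaults).
GREYLIST_DELAY = 300         # seconds a new triplet must wait before it is accepted
AUTO_WHITELIST_AFTER = 3     # accepted deliveries before a client IP skips greylisting


@dataclass
class Greylist:
    """Tracks (client IP, sender, recipient) triplets the way a greylisting
    policy daemon does: unknown triplet -> temporary reject, retry after the
    delay -> accept, repeated success -> client IP whitelisted."""
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    successes: dict = field(default_factory=dict)    # client IP -> accepted deliveries

    def policy(self, client_ip, sender, recipient, now):
        """Return a Postfix access-policy action for one delivery attempt."""
        if self.successes.get(client_ip, 0) >= AUTO_WHITELIST_AFTER:
            return "DUNNO"                       # trusted client, no delay at all
        triplet = (client_ip, sender.lower(), recipient.lower())
        seen = self.first_seen.get(triplet)
        if seen is None:
            self.first_seen[triplet] = now
            return "DEFER_IF_PERMIT Greylisted, try again later"   # client sees a 450
        if now - seen < GREYLIST_DELAY:
            return "DEFER_IF_PERMIT Greylisted, try again later"   # retried too soon
        self.successes[client_ip] = self.successes.get(client_ip, 0) + 1
        return "DUNNO"                           # the remaining restrictions decide


def simulate():
    """Constructed scenario: a zombie that never retries versus a real MTA
    that retries after its queue delay and is eventually whitelisted."""
    g = Greylist()
    # zombie: one attempt from a dynamic IP, never comes back -> mail never enters postfix
    zombie = g.policy("198.51.100.7", "nzsnqkvmqxesmn@ms64.hinet.net", "user@mydomain.com", now=0)
    # legitimate MTA: first attempt deferred, an early retry deferred, a later retry accepted
    first = g.policy("203.0.113.10", "alice@example.org", "user@mydomain.com", now=0)
    too_soon = g.policy("203.0.113.10", "alice@example.org", "user@mydomain.com", now=60)
    retry = g.policy("203.0.113.10", "alice@example.org", "user@mydomain.com", now=900)
    # two more triplets from the same MTA, each deferred once and then accepted
    for n in range(2):
        g.policy("203.0.113.10", "alice@example.org", f"bob{n}@mydomain.com", now=2000)
    for n in range(2):
        g.policy("203.0.113.10", "alice@example.org", f"bob{n}@mydomain.com", now=3000)
    # after AUTO_WHITELIST_AFTER successes a brand-new triplet passes without delay
    whitelisted = g.policy("203.0.113.10", "carol@example.org", "new@mydomain.com", now=4000)
    return {"zombie": zombie, "first": first, "too_soon": too_soon,
            "retry": retry, "whitelisted": whitelisted}


if __name__ == "__main__":
    for name, action in simulate().items():
        print(f"{name:12s} -> {action}")
```

Note that the decision is per server: as the answer warns, a backup MX that accepts everything without this check lets the zombie's single attempt through.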
 
LVL 1

Author Comment

by:SrikantRajeev
My main concern is that in the postfix logs I am not able to see the sending server's IP address.
The logs show it is being sent from the local host <127.0.0.1>.
I want to find out who is sending these mails.

Sample log.

postfix/qmgr[5472]: EC3A1AB6E0E: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=6234, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtpd[7774]: connect from localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7782]: 7B34DAB6E58: client=localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7774]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
postfix/smtp[8121]: EC3A1AB6E0E: to=<dna123123@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/qmgr[5472]: 7F3CCAB6E5A: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=4959, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtp[8121]: EC3A1AB6E0E: to=<donna60325@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/smtp[8121]: EC3A1AB6E0E: to=<dpu108@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4
0
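A way to read a log like the one above, as an added example that is not part of the thread. In the sample, the `smtp` client hands message `EC3A1AB6E0E` to `localhost:10025` and it comes back from `localhost[127.0.0.1]` under a new queue ID (`queued as 7F3CCAB6E5A`), which is the re-injection path of a content filter; the remote client is recorded only on the `client=` line of the first queue ID. The script below indexes `client=` lines and `queued as` re-injections and walks the chain back to the first non-localhost client. The log excerpt is constructed for this example (it adds the initial `client=` line the question's excerpt omits, with a placeholder hostname and IP).

```python
import re
from collections import Counter

# Constructed log excerpt assumed for this example. It mirrors the shape of the
# log in the question: the message is first accepted by smtpd from the remote
# client, handed to a content filter on port 10025, and re-injected through
# localhost under a new queue ID. The hostname and IP are placeholders.
SAMPLE_LOG = """\
Sep  1 12:54:21 mail postfix/smtpd[7700]: connect from host-203-0-113-45.example.net[203.0.113.45]
Sep  1 12:54:21 mail postfix/smtpd[7700]: EC3A1AB6E0E: client=host-203-0-113-45.example.net[203.0.113.45]
Sep  1 12:54:21 mail postfix/qmgr[5472]: EC3A1AB6E0E: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=6234, nrcpt=16 (queue active)
Sep  1 12:54:26 mail postfix/smtpd[7774]: connect from localhost[127.0.0.1]
Sep  1 12:54:26 mail postfix/smtpd[7774]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
Sep  1 12:54:26 mail postfix/smtp[8121]: EC3A1AB6E0E: to=<dna123123@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26 mail postfix/qmgr[5472]: 7F3CCAB6E5A: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=4959, nrcpt=16 (queue active)
"""

# "<queue id>: client=<host>[<ip>]" is logged by smtpd once per accepted message
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=([^\[\s]+)\[([^\]]+)\]")
# the smtp client reports the queue ID the re-injected copy received
REQUEUE_RE = re.compile(
    r"postfix/smtp\[\d+\]: ([0-9A-F]+): .*status=sent \(250 2\.0\.0 Ok: queued as ([0-9A-F]+)\)")


def index_log(lines):
    """Map each queue ID to the client that injected it, and each re-injected
    queue ID back to the queue ID that was handed to the content filter."""
    clients, parent = {}, {}
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group(1)] = (m.group(2), m.group(3))
        m = REQUEUE_RE.search(line)
        if m:
            parent[m.group(2)] = m.group(1)
    return clients, parent


def _walk(clients, parent, queue_id):
    seen = set()                            # guards against a malformed cyclic chain
    while queue_id not in seen:
        seen.add(queue_id)
        origin = clients.get(queue_id)
        if origin and origin[1] != "127.0.0.1":
            return origin                   # a remote client: this is the source
        if queue_id not in parent:
            return origin                   # localhost or unknown and no earlier hop
        queue_id = parent[queue_id]         # follow the re-injection back one hop
    return None


def trace_origin(lines, queue_id):
    """Return (hostname, ip) of the remote client behind queue_id, following
    content-filter re-injections back through localhost."""
    clients, parent = index_log(lines)
    return _walk(clients, parent, queue_id)


def origins(lines):
    """Count original (not re-injected) messages per remote client."""
    clients, parent = index_log(lines)
    counts = Counter()
    for qid in clients:
        if qid not in parent:               # root of a chain, not a re-injected copy
            origin = _walk(clients, parent, qid)
            if origin:
                counts[origin] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(trace_origin(lines, "7F3CCAB6E5A"))
    for (host, ip), n in origins(lines).most_common():
        print(f"{n:5d}  {ip:16s} {host}")
```

Run it against `/var/log/mail.log` by replacing `SAMPLE_LOG.splitlines()` with the file's lines; if the only `client=` entries for a message are `localhost[127.0.0.1]` and no earlier queue ID re-injected it, the message was submitted locally (for example through `sendmail` or a local web application) rather than from the network.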
 
LVL 7

Accepted Solution

by: mchkorg (earned 500 total points)
I think you don't care, as spammers fake the sender and that kind of stuff (hinet.net) comes from multiple dynamic IPs. You can't block them one by one.

By the way, your SMTP server shouldn't relay e-mails "to" a domain you're not hosting. That should say:

Sep  1 06:33:16 myserver postfix/smtpd[32745]: connect from 118-168-114-211.dynamic.hinet.net[118.168.114.211]
Sep  1 06:33:17 myserver  postfix/smtpd[32745]: NOQUEUE: reject: RCPT from 118-168-114-211.dynamic.hinet.net[118.168.114.211]: 554 5.7.1 <vkihwpdh@yahoo.com.tw>: Relay access denied; from=<z2007tw@yahoo.com.tw> to=<vkihwpdh@yahoo.com.tw> proto=SMTP helo=<88.191.40.240>

And, if the targeted mailbox exists on your domain, with greylisting, it should say:

Sep  1 07:26:05 myserver postfix/smtpd[739]: connect from 59-116-10-111.dynamic.hinet.net[59.116.10.111]
Sep  1 07:26:09 myserver postgrey[5028]: action=greylist, reason=new, client_name=59-116-10-111.dynamic.hinet.net, client_address=59.116.10.111, sender=bradacrimonious@mydomain.com, recipient=bradacrimonious@mydomain.com
Sep  1 07:26:09 myserver postfix/smtpd[739]: NOQUEUE: reject: RCPT from 59-116-10-111.dynamic.hinet.net[59.116.10.111]: 450 4.2.0 <bradacrimonious@mydomain.com>: Sender address rejected: Greylisted, see http://postgrey.schweikert.ch/help/mydomain.com.html; from=<bradacrimonious@mydomain.com> to=<bradacrimonious@mydomain.com> proto=SMTP helo=<59-116-10-111.dynamic.hinet.net>
Sep  1 07:26:10 michauko postfix/smtpd[739]: lost connection after RCPT from 59-116-10-111.dynamic.hinet.net[59.116.10.111]
By the way if you try to telnet to 59.116.10.111 port 25, it won't reply => zombie => spammer.

In your "main.cf" configuration file, are you sure of your basic settings, like:
mydestination = yourdomain.com
mynetworks = 127.0.0.0/8 # nothing more except if this SMTP relays e-mails from a LAN
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination,  reject_unknown_sender_domain

(and when you have postgrey running, you'll add "check_policy_service inet:127.0.0.1:60000" in smtpd_sender_restrictions)
0
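To make the relay check in the accepted solution concrete, here is an added example (not from the thread and not Postfix's own code) that parses a `main.cf` excerpt and walks `smtpd_recipient_restrictions` in order for one `RCPT TO`, the way the answer describes: `permit_mynetworks` and `permit_sasl_authenticated` let the client through, `reject_unauth_destination` refuses recipients outside `mydestination`/`relay_domains`. The two configuration excerpts are constructed; the second one deliberately widens `mynetworks` to show how a relay is opened. DNS-based restrictions such as `reject_unknown_sender_domain` are skipped by this model.

```python
import ipaddress
import re

# Constructed main.cf excerpt with the settings the thread recommends
# (domain and network values are placeholders).
MAIN_CF = """\
mydestination = mydomain.com, localhost
mynetworks = 127.0.0.0/8 192.168.10.0/24
relay_domains = $mydestination
smtpd_recipient_restrictions =
      permit_mynetworks,
      permit_sasl_authenticated,
      reject_unknown_sender_domain,
      reject_unauth_destination
"""

# Constructed misconfiguration: mynetworks covers the whole Internet, so
# permit_mynetworks fires for every client before reject_unauth_destination runs.
OPEN_CF = MAIN_CF.replace("mynetworks = 127.0.0.0/8 192.168.10.0/24",
                          "mynetworks = 0.0.0.0/0")


def parse_main_cf(text):
    """Parse 'key = value' lines; indented lines continue the previous value,
    and $name references are expanded one level (enough for relay_domains)."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    for k, v in params.items():
        params[k] = re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), v)
    return params


def split_list(value):
    """Postfix lists may be separated by commas, whitespace or both."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def evaluate(params, client_ip, recipient, sasl_authenticated=False):
    """Walk smtpd_recipient_restrictions for one RCPT TO and return the verdict."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n, strict=False)
            for n in split_list(params.get("mynetworks", ""))]
    hosted = set(split_list(params.get("mydestination", "")))
    hosted |= set(split_list(params.get("relay_domains", "")))
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    for restriction in split_list(params.get("smtpd_recipient_restrictions", "")):
        if restriction == "permit_mynetworks" and any(ip in n for n in nets):
            return "OK (permit_mynetworks)"
        if restriction == "permit_sasl_authenticated" and sasl_authenticated:
            return "OK (permit_sasl_authenticated)"
        if restriction == "reject_unauth_destination" and rcpt_domain not in hosted:
            return "554 5.7.1 Relay access denied"
        if restriction == "permit":
            return "OK (permit)"
        if restriction == "reject":
            return "554 5.7.1 Access denied"
        # other restrictions (e.g. reject_unknown_sender_domain) need DNS: not modelled
    return "OK (end of list)"


def demo():
    """Same RCPT TO attempts against the sane and the widened configuration."""
    sane, wide = parse_main_cf(MAIN_CF), parse_main_cf(OPEN_CF)
    return {
        "internet -> foreign domain, sane": evaluate(sane, "203.0.113.45", "x@yahoo.com.tw"),
        "internet -> hosted domain, sane": evaluate(sane, "203.0.113.45", "u@mydomain.com"),
        "LAN -> foreign domain, sane": evaluate(sane, "192.168.10.20", "x@yahoo.com.tw"),
        "stolen SASL login -> foreign, sane": evaluate(sane, "203.0.113.45", "x@yahoo.com.tw",
                                                      sasl_authenticated=True),
        "internet -> foreign domain, wide": evaluate(wide, "203.0.113.45", "x@yahoo.com.tw"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:38s} {verdict}")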
 
LVL 1

Author Comment

by:SrikantRajeev
The mails were coming from the internet. Once I closed my firewall the mails were no longer received by my postfix.
The mails were generated from dynamic.hinet.net.

But I am still not clear on the below 2 points.

1. How come my postfix logs do not show any of the source IP addresses?
2. How come my mail server has accepted mails with the recipient as yahoo.com.tw? My mail server is not an open relay.
0
 
LVL 7

Expert Comment

by:mchkorg
1. Maybe faked, I don't know.
2. Double-check "smtpd_sender_restrictions" in your "main.cf" as I mentioned above.
0
 
LVL 1

Author Comment

by:SrikantRajeev
I have the following:

relay_domains = $mydestination
unknown_address_reject_code = 553
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unknown_sender_domain,
      reject_unauth_destination

What is the meaning of the above $mydestination?
0
 
LVL 7

Expert Comment

by:mchkorg
$mydestination means whatever is defined in "mydestination", probably above in the file.

What do you have in smtpd_recipient_restrictions? This one checks the recipients allowed. And as I said, your server should not accept an e-mail to a domain you don't host.
0
 
LVL 1

Author Comment

by:SrikantRajeev
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unknown_sender_domain,
      reject_unauth_destination

In mynetworks I have the private IP addresses of my internal servers.
0
 
LVL 7

Expert Comment

by:mchkorg
That's weird, because it sounds correct.
Test your server here: http://www.checkor.com/
to see if something seems wrong (reopen your firewall, as you said you closed it).
If your server is said to be clean, then I would suggest, again, installing postgrey to get rid of a useless amount of spam.
0
 
LVL 1

Author Comment

by:SrikantRajeev
Thanks, I tested my server. Only the following test failed.

RSET
250 2.0.0 Ok
MAIL FROM: spam@server.abc.com
250 2.1.0 Ok
RCPT TO: test1@server.abc.com
Test Failed, 250 2.1.5 Ok

How can I overcome this?

0
 
LVL 7

Assisted Solution

by: mchkorg (earned 500 total points)
THIS means you accept an e-mail to a domain you're not hosting. That's what we saw in the logs, I guess.

Can you attach your full main.cf file? If needed, just replace your domains with names like dom1.com, dom2.com.
0
 
LVL 1

Author Comment

by:SrikantRajeev
Sorry, a few points to mention:
the abc.com domain belongs to me;
for other domains it shows that relay is not allowed.
0
 
LVL 7

Expert Comment

by:mchkorg
Anyway, send the main.cf and we'll see if there is something wrong.
0
 
LVL 1

Author Closing Comment

by:SrikantRajeev
I got it cleared.
0
