Solved

How to stop SPAM mails from hinet.net domain

Posted on 2010-08-31
8,444 Views
Last Modified: 2013-12-09
I am receiving a lot of SPAM mails from the hinet.net domain on my mail server.
The mails are targeted at yahoo.co.tw. I am not sure why my mail server is receiving them.
When I checked the postfix logs, there is no source IP address showing where the mails are being sent from.

How does this happen? Has anyone had a similar experience?
Any idea how to block these?
Question by:SrikantRajeev
16 Comments
 
LVL 5

Expert Comment

by:Armenio
ID: 33573782
Actually, I had a similar thing happen to my client this week; it took me all day to figure out what was going on.
My symptoms seemed as if the mail was using my Exchange server as a relay, except this is not possible as I'm not an open relay. To cut a long story short, one of my users' accounts had been breached and they were using his credentials to authenticate and send mail through his server.
The final solution: I only had 20 users, so I just disabled all the accounts and monitored Exchange as I enabled them one at a time till I found the culprit. Once I had the breached account, I made sure the user's PC was clean of viruses and malware. Then I reset his password and the problem was gone. Hope this helps.

The mail was mostly destined for yahoo.co.tw but was being received from a few different hosts. Also, I had a fair amount of NDRs coming in.
LVL 1

Author Comment

by:SrikantRajeev
ID: 33573810
I am using Postfix as my SMTP server, where I am receiving these mails.
Still, can it be because of the Exchange server?
LVL 7

Expert Comment

by:mchkorg
ID: 33574406
Hi,
I suggest you install and configure postgrey as a greylisting tool for Postfix (read about it if you don't know what it is: http://www.greylisting.org/)
+ SpamAssassin and some accurate rules from http://www.rulesemporium.com/rules.htm + plugins.htm

Postgrey will probably reduce by 90% the amount of spam you receive, mostly from "zombies" (infected PCs sending spam from badly configured SMTP servers, dynamic IPs and so on). You just won't see these spams; they won't reach Postfix.
In a few words, greylisting just refuses every email and asks the sender to send it again a little later. That's a standard reaction in the SMTP protocol. If the sender is unreachable, it must be a dirty spammer. Job's done. If not, you accept the email when it comes back. After a few times, this sender/IP/destination will be allowed directly. So in the beginning, you just create some delay in your incoming emails.
If an email is accepted, then SpamAssassin will finally detect 99% of your spam, I'd say.

I can help you set all this up if you need help.

Notice: greylisting must be running on all your MXes. Spammers will often use the lowest-priority MX because, usually, that's an MX you don't control, like the one provided by your ISP or something. If this lowest MX server accepts everything, it'll just short-circuit your greylisting process :)

Regards
LVL 1

Author Comment

by:SrikantRajeev
ID: 33574472
My main concern is that in the postfix logs I am not able to see the sending server IP address.
The logs show it is sending from the local host <127.0.0.1>.
I want to find who is sending these mails.

Sample log:

postfix/qmgr[5472]: EC3A1AB6E0E: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=6234, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtpd[7774]: connect from localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7782]: 7B34DAB6E58: client=localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7774]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
postfix/smtp[8121]: EC3A1AB6E0E: to=<dna123123@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/qmgr[5472]: 7F3CCAB6E5A: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=4959, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtp[8121]: EC3A1AB6E0E: to=<donna60325@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/smtp[8121]: EC3A1AB6E0E: to=<dpu108@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4
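The excerpt above shows each message (EC3A1AB6E0E) being handed to localhost[127.0.0.1]:10025 and then "queued as" a second queue id (7F3CCAB6E5A) whose smtpd client is localhost. That is the shape a Postfix content_filter setup (a scanner listening on 10025 that re-injects via a local smtpd) produces; if that is what is running here, the connecting client is recorded on the client= line of the first queue id, which is not among the pasted lines. The script below is an added example, not code from the question or from Postfix: it follows the "queued as" links back to the first id and reports the non-loopback client for each message. SAMPLE_LOG is a constructed log (made-up hostnames, IPs and ids) that includes the missing client= line; QUESTION_LOG is the excerpt from the question.

```python
"""Trace Postfix queue ids back through a content-filter re-injection to the
client that actually connected.  Added example for this thread, not code from
the question or from Postfix itself."""
import re

# Constructed sample (hostnames, IPs and queue ids are made up) showing the
# assumed shape: mail arrives from an external client as EC3A1AB6E0E, is handed
# to a filter on 127.0.0.1:10025, and comes back via localhost as 7F3CCAB6E5A.
SAMPLE_LOG = """\
Sep  1 12:54:21 mx postfix/smtpd[7701]: connect from 118-168-1-2.dynamic.example.net[118.168.1.2]
Sep  1 12:54:21 mx postfix/smtpd[7701]: EC3A1AB6E0E: client=118-168-1-2.dynamic.example.net[118.168.1.2]
Sep  1 12:54:21 mx postfix/qmgr[5472]: EC3A1AB6E0E: from=<sender@example.net>, size=6234, nrcpt=1 (queue active)
Sep  1 12:54:26 mx postfix/smtpd[7774]: connect from localhost[127.0.0.1]
Sep  1 12:54:26 mx postfix/smtpd[7774]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
Sep  1 12:54:26 mx postfix/smtp[8121]: EC3A1AB6E0E: to=<a@example.org>, relay=localhost[127.0.0.1]:10025, delay=4.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26 mx postfix/qmgr[5472]: 7F3CCAB6E5A: from=<sender@example.net>, size=4959, nrcpt=1 (queue active)
Sep  1 12:54:27 mx postfix/smtp[8130]: 7F3CCAB6E5A: to=<a@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, dsn=2.0.0, status=sent (250 Ok)
"""

# The lines pasted in the question.  The client= line for EC3A1AB6E0E is not
# among them, which is why no external address can be read off this excerpt.
QUESTION_LOG = """\
postfix/qmgr[5472]: EC3A1AB6E0E: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=6234, nrcpt=16 (queue active)
Sep  1 12:54:26  postfix/smtpd[7774]: connect from localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7782]: 7B34DAB6E58: client=localhost[127.0.0.1]
Sep  1 12:54:26  postfix/smtpd[7774]: 7F3CCAB6E5A: client=localhost[127.0.0.1]
postfix/smtp[8121]: EC3A1AB6E0E: to=<dna123123@yahoo.com.tw>, relay=localhost[127.0.0.1]:10025, delay=4.8, delays=4.7/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F3CCAB6E5A)
Sep  1 12:54:26  postfix/qmgr[5472]: 7F3CCAB6E5A: from=<nzsnqkvmqxesmn@ms64.hinet.net>, size=4959, nrcpt=16 (queue active)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=(\S+)")
QUEUED_AS_RE = re.compile(
    r"postfix/smtp\[\d+\]: ([0-9A-Za-z]+): to=<[^>]*>.*queued as ([0-9A-Za-z]+)")
LOOPBACK_RE = re.compile(r"\[(127\.\d+\.\d+\.\d+|::1)\]$")


def parse_log(text):
    """Return (clients, parent): the client= value per queue id, and for each
    re-injected queue id the id of the message it was queued from."""
    clients, parent = {}, {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = QUEUED_AS_RE.search(line)
        if m:
            parent[m.group(2)] = m.group(1)
    return clients, parent


def origin_client(qid, clients, parent):
    """Follow 'queued as' links back to the first queue id and return its client,
    or None if that id's client= line is not in the log."""
    seen = set()
    while qid in parent and qid not in seen:
        seen.add(qid)
        qid = parent[qid]
    return clients.get(qid)


def _all_ids(clients, parent):
    return set(clients) | set(parent) | set(parent.values())


def external_origins(text):
    """Queue id -> the non-loopback client it ultimately came from."""
    clients, parent = parse_log(text)
    result = {}
    for qid in _all_ids(clients, parent):
        origin = origin_client(qid, clients, parent)
        if origin and not LOOPBACK_RE.search(origin):
            result[qid] = origin
    return result


def loopback_only(text):
    """Queue ids whose chain never reaches a non-loopback client: the original
    smtpd client= line is missing from the excerpt or was itself loopback."""
    clients, parent = parse_log(text)
    untraceable = set()
    for qid in _all_ids(clients, parent):
        origin = origin_client(qid, clients, parent)
        if origin is None or LOOPBACK_RE.search(origin):
            untraceable.add(qid)
    return untraceable


if __name__ == "__main__":
    print("constructed sample:", external_origins(SAMPLE_LOG))
    print("question excerpt, untraceable ids:", sorted(loopback_only(QUESTION_LOG)))
```

Run against the full mail log rather than an excerpt: on a content-filter setup the question's ids resolve to the external client once the smtpd line for EC3A1AB6E0E is present, and any id that stays in loopback_only was injected locally (sendmail(1), a web form, or a filter) rather than received over the network.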
LVL 7

Accepted Solution

by:
mchkorg earned 500 total points
ID: 33574570
I think you don't care, as spammers fake the sender and that kind of stuff (hinet.net) comes from multiple dynamic IPs. You can't block them one by one.

By the way, your SMTP server shouldn't relay e-mails "to" a domain you're not hosting. That should say:

Sep  1 06:33:16 myserver postfix/smtpd[32745]: connect from 118-168-114-211.dynamic.hinet.net[118.168.114.211]
Sep  1 06:33:17 myserver  postfix/smtpd[32745]: NOQUEUE: reject: RCPT from 118-168-114-211.dynamic.hinet.net[118.168.114.211]: 554 5.7.1 <vkihwpdh@yahoo.com.tw>: Relay access denied; from=<z2007tw@yahoo.com.tw> to=<vkihwpdh@yahoo.com.tw> proto=SMTP helo=<88.191.40.240>

And, if the targeted mailbox exists on your domain, with greylisting, it should say:

Sep  1 07:26:05 myserver postfix/smtpd[739]: connect from 59-116-10-111.dynamic.hinet.net[59.116.10.111]
Sep  1 07:26:09 myserver postgrey[5028]: action=greylist, reason=new, client_name=59-116-10-111.dynamic.hinet.net, client_address=59.116.10.111, sender=bradacrimonious@mydomain.com, recipient=bradacrimonious@mydomain.com
Sep  1 07:26:09 myserver postfix/smtpd[739]: NOQUEUE: reject: RCPT from 59-116-10-111.dynamic.hinet.net[59.116.10.111]: 450 4.2.0 <bradacrimonious@mydomain.com>: Sender address rejected: Greylisted, see http://postgrey.schweikert.ch/help/mydomain.com.html; from=<bradacrimonious@mydomain.com> to=<bradacrimonious@mydomain.com> proto=SMTP helo=<59-116-10-111.dynamic.hinet.net>
Sep  1 07:26:10 michauko postfix/smtpd[739]: lost connection after RCPT from 59-116-10-111.dynamic.hinet.net[59.116.10.111]
By the way, if you try to telnet to 59.116.10.111 port 25, it won't reply => zombie => spammer.

In your "main.cf" configuration file, are you sure of your basic settings, like:
mydestination = yourdomain.com
mynetworks = 127.0.0.0/8 # nothing more except if this SMTP relays e-mails from a LAN
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination,  reject_unknown_sender_domain

(and when you have postgrey running, you'll add "check_policy_service inet:127.0.0.1:60000" in smtpd_sender_restrictions)
LVL 1

Author Comment

by:SrikantRajeev
ID: 33576030
The mails were coming from the internet. Once I closed my firewall, the mails were not received in my postfix.
The mails were generated from dynamic.hinet.net.

But I am still not clear on the below 2 points.

1. How come my postfix logs do not show any of the source IP addresses?
2. How come my mail server has accepted mails with the recipient as yahoo.com.tw? My mail server is not an open relay.
LVL 7

Expert Comment

by:mchkorg
ID: 33576339
1. Maybe faked, I don't know.
2. Double-check "smtpd_sender_restrictions" in your "main.cf" as I mentioned above.
LVL 1

Author Comment

by:SrikantRajeev
ID: 33584097
I have the following:

relay_domains = $mydestination
unknown_address_reject_code = 553
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unknown_sender_domain,
      reject_unauth_destination

What is the meaning of the above $mydestination?
LVL 7

Expert Comment

by:mchkorg
ID: 33584482
$mydestination means what is defined in "mydestination", probably above in the file.

What do you have in smtpd_recipient_restrictions? This one checks the recipients allowed. And as I said, your server should not accept an e-mail to a domain you don't host.
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594223
smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unknown_sender_domain,
      reject_unauth_destination

In mynetworks I have the private IP addresses of my internal servers.
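The settings mchkorg asked about in the accepted solution (mydestination, mynetworks, reject_unauth_destination) and the $mydestination question above can be checked mechanically against a main.cf. The script below is an added example, not the asker's configuration and not a Postfix tool: STRICT_CF and WEAK_CF are constructed fragments (the first follows the recommended settings, the second is deliberately bad), the smtpd_relay_restrictions chain it also inspects exists from Postfix 2.10 on, and the '#' check rests on the fact that Postfix has no inline comments, so anything after '=' is part of the value.

```python
"""Audit the relay-related settings of a Postfix main.cf.  Added example for
this thread; it is not the asker's file nor a Postfix tool, and encodes the
checks mchkorg asked for (mydestination, mynetworks, reject_unauth_destination)."""
import re

# Constructed fragments, not the asker's configuration.  STRICT_CF follows the
# settings recommended in the accepted solution; WEAK_CF is a deliberately bad
# variant used to show what the checks catch.
STRICT_CF = """\
myhostname = mx.example.com
mydomain = example.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8
relay_domains = $mydestination
smtpd_recipient_restrictions =
      permit_mynetworks,
      permit_sasl_authenticated,
      reject_unauth_destination
"""

WEAK_CF = """\
mydestination = example.com
mynetworks = 127.0.0.0/8, 0.0.0.0/0 # whole internet
relay_domains = $mydestination, yahoo.com.tw
smtpd_recipient_restrictions = reject_unknown_sender_domain, permit_mynetworks
"""

VAR_RE = re.compile(r"\$\{?(\w+)\}?")
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
# permit_* entries that admit only clients Postfix has already identified as ours
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated",
                "permit_tls_clientcerts", "permit_auth_destination"}


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the
    previous value, a line starting with '#' is a comment."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        key = name.strip()
        params[key] = value.strip()
    return params


def expand(value, params, depth=0):
    """Resolve $name / ${name} references the way Postfix does, so that
    relay_domains = $mydestination takes the value of mydestination."""
    if depth > 10:                      # guard against self-referencing values
        return value
    return VAR_RE.sub(lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)


def split_list(value):
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def relay_guard_ok(chain):
    """True if the restriction chain rejects unauthorised relaying before any
    permit that is not limited to our own networks or authenticated users."""
    for item in chain:
        if item in RELAY_GUARDS:
            return True
        if item.startswith("permit") and item not in SAFE_PERMITS:
            return False
    return False


def audit(text):
    p = parse_main_cf(text)
    findings = []
    for name, value in p.items():
        if "#" in value:
            findings.append(f"{name}: '#' inside the value; Postfix has no inline "
                            "comments, so the text after it is part of the setting")
    for net in split_list(expand(p.get("mynetworks", ""), p)):
        if net.endswith("/0"):
            findings.append(f"mynetworks: {net} makes every client a trusted relay client")
    # Postfix 2.10+ also evaluates smtpd_relay_restrictions; the guard may sit in either chain.
    chains = [split_list(expand(p.get(k, ""), p))
              for k in ("smtpd_recipient_restrictions", "smtpd_relay_restrictions")]
    if not any(relay_guard_ok(c) for c in chains):
        findings.append("no reject_unauth_destination before a permit: mail to "
                        "domains you do not host can be relayed")
    dest = set(split_list(expand(p.get("mydestination", ""), p)))
    for dom in split_list(expand(p.get("relay_domains", ""), p)):
        if dom not in dest:
            findings.append(f"relay_domains: {dom} is relayed for but is not in mydestination")
    return findings


if __name__ == "__main__":
    for label, cf in (("strict", STRICT_CF), ("weak", WEAK_CF)):
        print(label, audit(cf) or ["no findings"])
```

On a live system feed it the output of `postconf -n` instead of the raw file, so that defaults and includes are already resolved; the checks are the ones that decide whether a RCPT TO for a foreign domain gets "Relay access denied" (as in mchkorg's log) or a 250.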
LVL 7

Expert Comment

by:mchkorg
ID: 33594269
That's weird because it sounds correct.
Test your server here: http://www.checkor.com/
to see if something seems wrong (reopen your firewall, as you said you closed it).
If your server is said to be clean, then I would suggest, again, installing postgrey to get rid of a useless amount of spam.
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594337
Thanks, I tested my server. Only the following test failed.

RSET
250 2.0.0 Ok
MAIL FROM: spam@server.abc.com
250 2.1.0 Ok
RCPT TO: test1@server.abc.com
Test Failed, 250 2.1.5 Ok

How can I overcome this?

LVL 7

Assisted Solution

by:mchkorg
mchkorg earned 500 total points
ID: 33594455
THIS means you accept an e-mail to a domain you're not hosting. That's what we saw in the logs, I guess.

Can you attach your full main.cf file? If needed, just change your domains to names like dom1.com, dom2.com.
LVL 1

Author Comment

by:SrikantRajeev
ID: 33594484
Sorry, to mention a few points:
the abc.com domain belongs to me;
for other domains it shows that relaying is not allowed.
LVL 7

Expert Comment

by:mchkorg
ID: 33594491
Anyway, send the main.cf and we'll see if there is something wrong.
LVL 1

Author Closing Comment

by:SrikantRajeev
ID: 33741216
I got it cleared.