hMail Server Apparently Spamming

I have been running hMail server on Windows 2003 for a couple of years for several client domains. I have been getting complaints recently from clients that they can no longer send email to Yahoo, for example, getting a response of 421 4.7.1 [TS03]; in other words, my email server is sending a fair amount of spam. I checked my server at Multi-RBL Check from Anti-Abuse Project, and it is listed in about 4. When I check my logs on hMail, it does in fact show that my server is almost constantly having an SMTP session open, and a lot of specific non-authorized SMTP sessions are opened. I am not the absolute best at reading these logs, but I'm sure it has to do with something in my settings. Before I start trying to post a lot of settings, is there a specific set of settings that would be helpful in determining if they are correct to avoid spammers? Is there a setting somewhere other than hMail where I could look?
Asked: Jeremy Patrick
1 Solution
 
Mike (IT Manager) commented:
You should have SMTP Authentication turned on.

You are allowing anonymous sessions to connect and have free rein to send whatever garbage they want using your server.
0
 
Jeremy Patrick (Author) commented:
An update: I looked at the server, it has 100% CPU utilization from 2-3 instances of php-cgi.exe. I had issues with PHP mail script hijacking, and disabled it. But, if I didn't disable it properly, wouldn't the PHP script be a trusted mail source, and then hMail would route it properly? Or, I have SpamAssassin installed, would that be the issue?
0
 
Jeremy Patrick (Author) commented:
Not sure if you have used hMail, but authentication permissions are set in the IP Ranges section. I have one for my Webmail, one for My Computer, and one for Internet. When things originate from the Internet, I require SMTP authentication for: Local to local e-mail addresses, Local to external e-mail addresses, and External to external e-mail addresses. When things originate from Webmail, I require SMTP authentication for: Local to local e-mail addresses, Local to external e-mail addresses, and External to external e-mail addresses. When things originate from My Computer, I require SMTP authentication for: External to external e-mail addresses. I figure the My Computer range would be through PHP scripts, Perl scripts, etc.
0
 
Mike (IT Manager) commented:
If you have SMTP on, the other points are moot.
0
 
Jeremy Patrick (Author) commented:
I don't understand.
0
 
Jeremy Patrick (Author) commented:
I did my homework setting this thing up; I knew about setting up SMTP authentication. I know I'm not a total open relay; I may have just overlooked something. Clearly I have some authentication set up, and this leads me to believe it may not be an hMail issue, but perhaps a PHP or Perl issue. Some type of script or method being hijacked and exploited. Please completely review my SMTP auth settings above, and see if this makes sense.
0
 
Mike (IT Manager) commented:
I apologize, my second post was made prior to seeing your post explaining your SMTP auth settings (I was on my iPhone).

Do you have journaling/archive enabled on your domains? I'd use that to see if the SPAM is originating from any of the users you are hosting.

Is this server behind a decent firewall?
0
 
Jeremy Patrick (Author) commented:
I am re-activating logging, and will leave it active for a little while and reply with exactly where. I know it's not my users, it's all outside users.

I have Norton Endpoint. It has worked well thus far...
0
 
Jeremy Patrick (Author) commented:
I let my logs run overnight. The way hMail logs SMTP is that it creates a log entry whenever it is the sender or receiver of mail. I am having a heck of a time deciphering these logs; is there a way I can copy/paste some portions or attach my log file here? Would that help you determine where these emails are originating from?
0
 
Jeremy Patrick (Author) commented:
As of this morning, I have just found out that my server has now been banned from Gmail, Yahoo, Hotmail, and several other "big names." The situation is desperate. My clients can no longer readily use their email. This is a NEW problem; the servers have been running for two years with very minor spam issues. I use Norton Endpoint Protection, and have a version of SpamAssassin running. I am simply not a big enough expert with email servers to understand how it is being abused. I have had PHP email scripts get abused in the past, and for now, I have disabled emailing from PHP.
0
 
Mike (IT Manager) commented:
Attach a log file and I'll see if I can read it.
0
 
Jeremy Patrick (Author) commented:
0
 
Mike (IT Manager) commented:
Right off the bat I see there's an issue with hMail and SpamAssassin. Looks like hMail is having issues communicating with SpamAssassin.

Pittroff.net looks to be the domain that's getting absolutely slammed with spam and what not.

I'd suggest switching to a more robust email solution. I suggest Alt-N's MDaemon. It's fairly simple to set up and manage. http://www.altn.com/Products/MDaemon-Email-Server-Windows/
0
 
Jeremy Patrick (Author) commented:
Question: even if that domain is getting slammed, why would my server's IP be getting banned for receiving spam? Wouldn't I only be getting banned for sending it?
0
 
Mike (IT Manager) commented:
One of your users could have an infected machine which may have hijacked their email username and password and is using it to send out mail; the domain resolves back to your server, and you are marked as spam.

If you have other available IPs I'd switch to one of those, update all MX records, and have all users change their passwords.
0
 
Jeremy Patrick (Author) commented:
In the logs that I sent, are you able to see WHO is sending the spam? It would be helpful to know. Switching the IP would be a large undertaking, as websites are also hosted on this IP... I do have others available, but I want to make it a last resort.

If for some reason this isn't a hijacked user account, it would be a waste of time to switch IPs, because the problem will continue to happen. Does this appear to be a PHP issue, unsolicited emails being sent through PHP? I've heard of it happening...
0
 
Mike (IT Manager) commented:
Is this your IP: 64.58.114.25?
0
 
Jeremy Patrick (Author) commented:
No. 24.142.152.163
0
 
Mike (IT Manager) commented:
michael@pittroff.net is the email address a lot of SPAM is originating from with IP addresses that have been marked as SPAM.
0
 
Jeremy Patrick (Author) commented:
Ahh, so that particular user is SENDING a lot of spam... I always thought it was RECEIVING it?

I have received complaints from this user in the past that he was bombarded with 50+ msgs a day that were all spam, so I stepped up my spam protection with SPF check, host checks, DKIM signature checker, some form of SpamAssassin, SURBL server, DNS blacklists (spamhaus.org and spamcop.net).

Additionally, I added DKIM and SPF to all outgoing emails (added for each hosted domain).
0
 
Mike (IT Manager) commented:
It looks like both.

Change his password and see if that lingering SMTP session disappears.
0
 
Jeremy Patrick (Author) commented:
Changed; will update in a few hours.
0
 
Jeremy Patrick (Author) commented:
Sorry about the delay, had a crazy weekend. Anyway, what I've found is that I'm not any better at reading the logs (in terms of which are being sent, and which are being received). Additionally, I found that I moved from a 4xx bounceback from Gmail to a 550 bounceback (permanent, I believe?). I changed the michael password, but I guess I'm worse off than I was before; any suggestions?
0
 
Mike (IT Manager) commented:
What SMTP port are you currently using?
0
 
Jeremy Patrick (Author) commented:
25
0
 
Mike (IT Manager) commented:
I would consider switching to another port like 587.

Also, can you post a recent log?
0
 
Mike (IT Manager) commented:
Also, please see these:

First check the hMailServer delivery queue. If the queue contains a lot of messages from external to other external addresses, it's pretty safe to say that someone is abusing your server to send spam. So if you do not recognize either the sender's address or the recipient's address, it's probably spam.

Another method is to telnet relay-test.mail-abuse.org from the computer running hMailServer. The remote server will automatically connect back to the mail server running on your computer and execute some tests to check whether your computer can be used for spamming.

Also check your data folder. If this folder (not the sub folders) contains a lot of .ema files, say, more than 250, even though no one is currently sending email through your server, it's likely that someone is using your server to send spam.
 
Jeremy Patrick (Author) commented:
Attached is yesterday's log.

Delivery queue is clear, and doesn't seem to fill up. Once in a blue moon I'll catch one in there. I haven't restarted the server since Sept 7th, and in that time, I have had 922 successfully processed messages, and 2024 classified as spam (some delivered, some deleted), classified as spam through SpamCop, SpamHaus, SURBL, SpamAssassin, and general spam testing such as using SPF, host in HELO, and verification of DKIM-Signature (all of these, on all processed messages). The last spam tests and SpamAssassin all just add up totals in a 5-point spam-mark threshold (just marks it as probable spam), and a 20-point delete threshold (i.e. lack of SPF adds 3 points, no host in HELO adds 2 points, no DKIM-Signature adds 5 points, SpamAssassin adds its own score).

According to the online manual:

hMailServer scans all messages which are delivered to user accounts, assuming the following is met:

The message is delivered to hMailServer by SMTP, or downloaded from an external account using POP3.

At least one spam protection method is enabled in the Anti-spam setting

The sender IP address or domain is not white listed using a white listing record.

The senders IP address matches an IP range where Anti-spam is enabled.

This leads me to believe it does NOT check outgoing messages. Additionally, I am now permanently banned on RoadRunner accounts.

Regarding my data folder, I have thousands (maybe tens of thousands) in non-sub directories, but, looking at their dates, they are all almost a year old or older. Most recent one is 1/3/2012.

I'm not sure how to do the Telnet thing. I've used Telnet (for various things) but nothing email related.
hmailserver-2012-09-11.log
0
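Since the thread keeps circling back to which log lines are mail being sent versus received, and by whom, here is an added Python example (not from the thread, and not hMailServer's own tooling) that groups SMTPD session lines by session, notes whether the client authenticated, and tallies queued messages per origin class, envelope sender and remote IP. It assumes hMailServer's tab-separated log layout as documented ("Component", pid, session id, "timestamp", "remote IP", "message"); the sample lines, the addresses, example.net as the hosted domain and 127.0.0.1 as where local PHP scripts connect from are all constructed for the example.

```python
import re
from collections import Counter
# Constructed sample in hMailServer's tab-separated SMTPD log layout (assumed from its docs):
# "Component" pid session "timestamp" "remote IP" "message". Addresses and IPs are made up.
SAMPLE_LOG = """\
"SMTPD"\t2420\t11\t"2012-09-11 01:02:03.200"\t"203.0.113.9"\t"RECEIVED: AUTH LOGIN"
"SMTPD"\t2420\t11\t"2012-09-11 01:02:03.300"\t"203.0.113.9"\t"RECEIVED: MAIL FROM:<michael@example.net>"
"SMTPD"\t2420\t11\t"2012-09-11 01:02:03.500"\t"203.0.113.9"\t"SENT: 250 Queued (0.297 seconds)"
"SMTPD"\t2420\t12\t"2012-09-11 01:05:00.100"\t"127.0.0.1"\t"RECEIVED: MAIL FROM:<www@example.net>"
"SMTPD"\t2420\t12\t"2012-09-11 01:05:00.300"\t"127.0.0.1"\t"SENT: 250 Queued (0.105 seconds)"
"SMTPD"\t2420\t13\t"2012-09-11 01:07:00.100"\t"198.51.100.7"\t"RECEIVED: MAIL FROM:<news@example.com>"
"SMTPD"\t2420\t13\t"2012-09-11 01:07:00.200"\t"198.51.100.7"\t"RECEIVED: RCPT TO:<michael@example.net>"
"SMTPD"\t2420\t13\t"2012-09-11 01:07:00.300"\t"198.51.100.7"\t"SENT: 250 Queued (0.211 seconds)"
"""
LINE_RE = re.compile(r'^"(?P<comp>\w+)"\t\d+\t(?P<sid>\d+)\t"[^"]*"\t"(?P<ip>[^"]*)"\t"(?P<msg>.*)"$')
LOCAL_DOMAINS = {"example.net"}  # domains hosted on this hMailServer (assumed for the example)
addr = lambda msg: re.search(r"<([^>]*)>", msg).group(1).lower()  # envelope address inside <...>

def parse_sessions(log_text):
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["comp"] != "SMTPD":  # SMTPC lines are hMail's own outbound deliveries
            continue
        s = sessions.setdefault(m["sid"], {"ip": m["ip"], "auth": False, "from": None, "rcpt": [], "queued": 0})
        msg = m["msg"]
        if msg.startswith("RECEIVED: AUTH"):
            s["auth"] = True
        elif msg.startswith("RECEIVED: MAIL FROM:"):
            s["from"] = addr(msg)
        elif msg.startswith("RECEIVED: RCPT TO:"):
            s["rcpt"].append(addr(msg))
        elif msg.startswith("SENT: 250 Queued"):  # hMail accepted the message for delivery
            s["queued"] += 1
    return sessions

def classify(s):
    if s["auth"]:
        return "authenticated"          # an account's credentials were used: hijacked password?
    if s["ip"] == "127.0.0.1":
        return "local-script"           # sent from the box itself, e.g. a PHP mail() script
    if any(r.split("@")[-1] not in LOCAL_DOMAINS for r in s["rcpt"]):
        return "unauthenticated-relay"  # external client pushing mail outward with no auth
    return "inbound"                    # mail addressed to a hosted domain

def summarize(log_text):
    """Queued messages per (origin class, envelope sender, remote IP); sort to see the top talkers."""
    origins = Counter()
    for s in parse_sessions(log_text).values():
        if s["queued"]:
            origins[(classify(s), s["from"], s["ip"])] += s["queued"]
    return origins
```

Run it over a real hmailserver-YYYY-MM-DD.log and the "authenticated" and "local-script" rows answer the thread's question directly: a single account or 127.0.0.1 dominating the outbound counts points at a stolen password or a hijacked web script, while "unauthenticated-relay" rows mean the IP-range auth settings are not doing what was intended.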
 
Jeremy Patrick (Author) commented:
Now discovered I am banned from Comcast as well...
0
 
Jeremy Patrick (Author) commented:
Any more help? I can keep posting logs...
0
 
Mike (IT Manager) commented:
At this point I would switch to a different solution, different IP and go from there. Check out MDaemon and MailEnable.
0
 
Jeremy Patrick (Author) commented:
That's a big decision to make without even knowing the root cause of my problems. Not to mention the expense, but if I am having an internal system exploit going on, changing mail servers may not fix the problems. Changing the IP, in my opinion, may fix some problems initially, but if the root cause isn't determined/fixed, it will become an issue all over again. Changing the IP is a huge deal as I am hosting websites, and this means that many people's websites and emails would be completely down while the new DNS propagates.

I have posted a recent log, after having changed the michael email account. Are emails ORIGINATING from his account still? I know he receives a lot, but that's not my problem right now. I am re-banned from Yahoo again. If I am continuing to get banned from places, that means the problem is still in full swing. The email server shouldn't matter, if the exploits can be applied anywhere.
0
 
Jeremy Patrick (Author) commented:
Any insight please? Could the exploits be coming on my email server OUTSIDE hMail? How about through the IIS virtual SMTP server? I see an awful lot of action on hMail, so I feel like it is a good starting point...
0
 
Jeremy Patrick (Author) commented:
It has been 4 days...any way that anyone could respond?
0
 
Mike (IT Manager) commented:
This is no longer an issue that can be solved in this question. I'd suggest contacting a local consultant to help you. This warrants a site visit/survey.
0