Back to Community Threads
2
HELP! getting spam bombed for pass few days...cannot find source
Question asked by js.chui - 11/30/2015 at 1:02 AM
Unanswered
Our smartermail is version 14.2. Fews days ago during the weekend, our server suddenly is sending massive amount of spam. The spam is showing being masked as random username with correct domain names being hosted in smartermail.
 
For eg, we have domain1.com, domain2.com, domain3.com and so on. Spammer is using randomnames@domain.com, randomnames@domain2.com, randomnames@domain3.com and so on.
 
Even the IP is connecting from all around the world. Like brazil, europe, asia and so on.
 
We search and search but was unable to find where is the spam coming from or how the spammer is doing it. So bad that our IP got blacklisted and we get complains from ISP.
 
We have posted a support ticket to smartermail but still waiting for their reply. In the meantime, would really appreciate if someone can shed some light into resolving this issue. This is really crazy and we have never seen this kind of high level spamming before.
 
Thanks.

12 Replies

Reply to Thread
0
Paul Blank Replied
11/30/2015 at 9:17 AM
Sometimes even a small error in configuration can cause you to become an open relay for your mail server's domain(s) or even foreign domain names. And the spammers are constantly scanning the Internet for these servers, so it can happen very quickly (it has happened to me as well).
 
Here is Bruce Barnes' info on this from Sept. 2014 - should still be valid today (Thanks Bruce!)...
 
September 24, 2014 at 9:49 PM
Are you forcing all of your users to SMTP AUTHENTICATE on your SmarterMail server?
 
This error is typical of what can happen when you do not enforce SMTP authentication and the receiving MX server is running antispam protection.  There are also other reasons as well.
 
Make certain you have ALLOW RELAY on SMTP IN set to NOBODY:
 
Set Allow Relay to NOBODY
Then, make certain you have ALLOW RELAY for authenticated users and ENABLE DOMAINS'S SMTP AUTH for LOCAL DELIVERIES checked (in the same tab):
 
ALLOW RELAY for authenticated users and ENABLE DOMAINS'S SMTP AUTH
 
You will also have to make certain you have REQUIRE SMTP AUTHENTICATION check in the DOMAIN EDIT ====> TECHNICAL tab on each hosted domain.
 
Require SMTP Authentication checked in DOMAIN EDIT TECHNICAL tab
 
Note that this will require all of the user's accounts to be set for SMTP AUTHENTICATION to SEND messages, but will ensure that you are not an open relay and are not blocked by other MX servers.
 
0
js.chui Replied
11/30/2015 at 8:55 PM
Yes, we forcing all domain to use smtp authentication.

We already have all this rules implemented. Which is why we are so confused now.
0
Bruce Barnes Replied
11/30/2015 at 9:28 PM
Did you implement DKIM and DMARC? Do you ENFORCE GREYLISTING FOR ALL DOMAINS? If not, you're not properly configured Doyou allow users to override spam settings? If so, you're fighting a loosing battle.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
js.chui Replied
12/1/2015 at 12:14 AM
We have enforced greylisting for all the domain name and doesnt allow user to override spam settings.
we didnt implement DKIM and DMARC. Whats the best way to configure DKIM and DMARC in smarternail?
0
js.chui Replied
12/1/2015 at 2:13 AM
I have created the DKIM and mail signing in the smartermail server as per this thread
http ://forum.hostek.com/showthread.php?680-Smartermail-Mail-Signing-Domain-Keys-DKIM

Still same.
0
js.chui Replied
12/1/2015 at 3:00 AM
ran malwarebytes found nothing.
0
Paul Blank Replied
12/1/2015 at 5:40 AM
Are your logs set to detailed?  Is it possible that someone is "properly" authenticating as one of your users (in other words, they have the password for that user) and then using fake addresses as return addresses?
0
js.chui Replied
12/1/2015 at 8:10 AM
initially we were guessing this as well. what we did is change all the admin password and even change all the domain users password. Of course is not helping.
0
Paul Blank Replied
12/2/2015 at 9:42 AM
Interested to know how this was resolved (or if it was).  Thanks!
0
js.chui Replied
12/2/2015 at 8:41 PM
not resolved. Submitting ticket to smartermail support is no help at all. We submitted on Monday and until now only 1 reply from them that does not help at all.

If anyone can help, we do not mind paying a little fee.

Please contact us at support at fatservers dot my.

Thanks.
2
David Fisher Replied
12/3/2015 at 5:44 PM
Hi,
 
  Make sure your logs are set to detailed, then look at the header of one of the emails, get the IP address from the header, and search your SMTP logs for that IP and date range.  You should see how the are authenticating from the logs, usually authenticated and authenticating are key words.
 
  Make sure you do not white list smtp IPs much, and it isn't opened for a large range.
 
  SmarterMail is up to v14.4 now, you might want to install the latest updates, to have other fixes.
 
  Check SMTP Authentication bypass, make sure you do not have a big range in there too.
 
   Besides of course checking under Protocol Settings -> SMTP IN -> Allow Relay = Nobody
 
Good Luck
-dave
0
Paul Blank Replied
12/11/2015 at 5:26 AM
Would like to know how this was resolved.  Thanks!
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
My spool is full of pending messages. What do I do?SmarterMail > Troubleshooting
Upgrading SmarterMail (Domain Conversion)SmarterMail > Installation and Configuration
Backup and Restore SmarterMailSmarterMail > Server Configuration and Management