HELP! getting spam bombed for pass few days...cannot find source
Question asked by js.chui - November 30, 2015 at 1:02 AM
Unanswered
Our SmarterMail is version 14.2. A few days ago, during the weekend, our server suddenly started sending a massive amount of spam. The spam appears to be masked as random usernames with the correct domain names that are hosted in SmarterMail.
 
For example, we have domain1.com, domain2.com, domain3.com and so on. The spammer is using randomnames@domain.com, randomnames@domain2.com, randomnames@domain3.com and so on.
 
Even the IPs are connecting from all around the world, like Brazil, Europe, Asia and so on.
 
We searched and searched but were unable to find where the spam is coming from or how the spammer is doing it. It is so bad that our IP got blacklisted and we are getting complaints from ISPs.
 
We have posted a support ticket to SmarterMail but are still waiting for their reply. In the meantime, we would really appreciate it if someone could shed some light on resolving this issue. This is really crazy; we have never seen this level of spamming before.
 
Thanks.

6 Replies

0
Paul Blank Replied
November 30, 2015 at 9:17 AM
Sometimes even a small error in configuration can cause you to become an open relay for your mail server's domain(s) or even foreign domain names. And the spammers are constantly scanning the Internet for these servers, so it can happen very quickly (it has happened to me as well).
 
Here is Bruce Barnes' info on this from Sept. 2014 - should still be valid today (Thanks Bruce!)...
 
September 24, 2014 at 9:49 PM
Are you forcing all of your users to SMTP AUTHENTICATE on your SmarterMail server?
 
This error is typical of what can happen when you do not enforce SMTP authentication and the receiving MX server is running antispam protection. There are other reasons as well.
 
Make certain you have ALLOW RELAY on SMTP IN set to NOBODY:
 
Set Allow Relay to NOBODY
Then, make certain you have ALLOW RELAY for authenticated users and ENABLE DOMAINS'S SMTP AUTH for LOCAL DELIVERIES checked (in the same tab):
 
ALLOW RELAY for authenticated users and ENABLE DOMAINS'S SMTP AUTH
 
You will also have to make certain you have REQUIRE SMTP AUTHENTICATION checked in the DOMAIN EDIT ====> TECHNICAL tab on each hosted domain.
 
Require SMTP Authentication checked in DOMAIN EDIT TECHNICAL tab
 
Note that this will require all of the users' accounts to be set for SMTP AUTHENTICATION to SEND messages, but it will ensure that you are not an open relay and are not blocked by other MX servers.
 
0
Bruce Barnes Replied
November 30, 2015 at 9:28 PM
Did you implement DKIM and DMARC? Do you ENFORCE GREYLISTING FOR ALL DOMAINS? If not, you're not properly configured. Do you allow users to override spam settings? If so, you're fighting a losing battle.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Paul Blank Replied
December 1, 2015 at 5:40 AM
Are your logs set to detailed? Is it possible that someone is "properly" authenticating as one of your users (in other words, they have the password for that user) and then using fake addresses as return addresses?
0
Paul Blank Replied
December 2, 2015 at 9:42 AM
Interested to know how this was resolved (or if it was). Thanks!
2
David Fisher Replied
December 3, 2015 at 5:44 PM
Hi,
 
  Make sure your logs are set to detailed, then look at the header of one of the emails, get the IP address from the header, and search your SMTP logs for that IP and date range. You should see how they are authenticating from the logs; usually "authenticated" and "authenticating" are the key words.
 
  Make sure you do not whitelist SMTP IPs much, and that it isn't opened for a large range.
 
  SmarterMail is up to v14.4 now; you might want to install the latest updates to get other fixes.
 
  Check SMTP Authentication bypass, and make sure you do not have a big range in there either.
 
  Besides, of course, checking under Protocol Settings -> SMTP IN -> Allow Relay = Nobody.
 
Good Luck
-dave
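The log triage Dave describes (pull the IP from a spam header, then search the SMTP log for that IP and date range and look for "authenticated") and the case Paul raises earlier in the thread (a real account whose password was stolen, sending with fake return addresses) can both be checked with one small script. The following is an added example, not code from the thread or from SmarterMail. The log lines are constructed, and their layout (timestamp, [ip][session-id], message) is an assumption; SmarterMail's detailed SMTP log uses its own format, so adapt the regexes to what your log actually looks like. The local domain list is taken from the question.

```python
"""Triage SMTP log sessions during a spam flood (added example, constructed log format)."""
import re
from datetime import datetime

# Domains hosted on the server, from the question.
LOCAL_DOMAINS = {"domain1.com", "domain2.com", "domain3.com"}

# Constructed sample: one abused-but-authenticated session (1001), one
# unauthenticated relay through the server (1002), one legitimate user (1003).
SAMPLE_LOG = """\
2015-11-28 02:14:01 [203.0.113.7][1001] connected
2015-11-28 02:14:01 [203.0.113.7][1001] cmd: AUTH LOGIN
2015-11-28 02:14:02 [203.0.113.7][1001] authenticated as alice@domain1.com
2015-11-28 02:14:02 [203.0.113.7][1001] cmd: MAIL FROM:<qx7f2@domain2.com>
2015-11-28 02:14:02 [203.0.113.7][1001] cmd: RCPT TO:<victim@example.net>
2015-11-28 02:14:05 [198.51.100.22][1002] connected
2015-11-28 02:14:05 [198.51.100.22][1002] cmd: MAIL FROM:<k9d2a@domain3.com>
2015-11-28 02:14:05 [198.51.100.22][1002] cmd: RCPT TO:<someone@example.org>
2015-11-28 02:14:06 [198.51.100.22][1002] delivery accepted
2015-11-28 02:14:09 [192.0.2.55][1003] connected
2015-11-28 02:14:09 [192.0.2.55][1003] authenticated as bob@domain1.com
2015-11-28 02:14:10 [192.0.2.55][1003] cmd: MAIL FROM:<bob@domain1.com>
2015-11-28 02:14:10 [192.0.2.55][1003] cmd: RCPT TO:<colleague@example.com>
"""

# Assumed line layout: "YYYY-MM-DD HH:MM:SS [ip][session] message"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"\[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\] (?P<msg>.*)$")
AUTH_RE = re.compile(r"^authenticated as (?P<user>\S+)$")
FROM_RE = re.compile(r"^cmd: MAIL FROM:<(?P<addr>[^>]*)>", re.IGNORECASE)
RCPT_RE = re.compile(r"^cmd: RCPT TO:<(?P<addr>[^>]*)>", re.IGNORECASE)


def parse_sessions(log_text):
    """Group log lines by session id and pull out auth user, sender and recipients."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"ip": m["ip"], "first": None,
                                           "auth_user": None, "mail_from": None,
                                           "rcpts": []})
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if s["first"] is None:
            s["first"] = ts
        msg = m["msg"]
        a, f, r = AUTH_RE.match(msg), FROM_RE.match(msg), RCPT_RE.match(msg)
        if a:
            s["auth_user"] = a["user"].lower()
        elif f:
            s["mail_from"] = f["addr"].lower()
        elif r:
            s["rcpts"].append(r["addr"].lower())
    return sessions


def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def classify(session, local_domains=LOCAL_DOMAINS):
    """Label a session the way an admin would read it in the log."""
    if session["mail_from"] is None:
        return "no-mail"
    external = [r for r in session["rcpts"] if domain_of(r) not in local_domains]
    if session["auth_user"] is None:
        # Nobody logged in, yet mail left for a foreign domain: relay is open
        # (or the source IP sits in a whitelist / SMTP auth bypass range).
        return "unauthenticated-relay" if external else "inbound"
    if session["mail_from"] != session["auth_user"]:
        # Valid credentials, but the envelope sender is not that user:
        # the account password is likely stolen (Paul's scenario).
        return "auth-sender-mismatch"
    return "ok"


def sessions_for_ip(sessions, ip, start, end):
    """Dave's search: session ids for one IP within a date range, oldest first."""
    hits = [(s["first"], sid) for sid, s in sessions.items()
            if s["ip"] == ip and s["first"] is not None and start <= s["first"] < end]
    return [sid for _, sid in sorted(hits)]


def triage(log_text):
    """Return {label: [(session id, ip, auth user, mail from)]} for the whole log."""
    report = {}
    for sid, s in parse_sessions(log_text).items():
        report.setdefault(classify(s), []).append(
            (sid, s["ip"], s["auth_user"], s["mail_from"]))
    return report


if __name__ == "__main__":
    for label, rows in triage(SAMPLE_LOG).items():
        print(label)
        for row in rows:
            print("   ", row)
```

Run it against a real detailed log by replacing SAMPLE_LOG with the file contents and fixing the regexes for the server's layout. An "unauthenticated-relay" hit points at the relay, whitelist or auth-bypass settings discussed above; an "auth-sender-mismatch" hit from many different IPs with the same account points at a stolen password, and that account's password should be changed before anything else.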
0
Paul Blank Replied
December 11, 2015 at 5:26 AM
Would like to know how this was resolved. Thanks!
