HELP! getting spam bombed for past few days...cannot find source
Question asked by js.chui - 11/30/2015 at 1:02 AM
Unanswered
Our SmarterMail is version 14.2. A few days ago, during the weekend, our server suddenly started sending massive amounts of spam. The spam shows up masked as random usernames with the correct domain names hosted in SmarterMail.
 
For example, we have domain1.com, domain2.com, domain3.com and so on. The spammer is using randomnames@domain.com, randomnames@domain2.com, randomnames@domain3.com and so on.
 
The IPs are connecting from all around the world: Brazil, Europe, Asia and so on.
 
We searched and searched but were unable to find where the spam is coming from or how the spammer is doing it. It's so bad that our IP got blacklisted and we get complaints from ISPs.
 
We have posted a support ticket to SmarterMail but are still waiting for their reply. In the meantime, we would really appreciate it if someone can shed some light on resolving this issue. This is really crazy and we have never seen this level of spamming before.
 
Thanks.

12 Replies

0
Paul Blank Replied
Sometimes even a small error in configuration can cause you to become an open relay for your mail server's domain(s) or even foreign domain names. And the spammers are constantly scanning the Internet for these servers, so it can happen very quickly (it has happened to me as well).
 
Here is Bruce Barnes' info on this from Sept. 2014 - should still be valid today (Thanks Bruce!)...
 
September 24, 2014 at 9:49 PM
Are you forcing all of your users to SMTP AUTHENTICATE on your SmarterMail server?
 
This error is typical of what can happen when you do not enforce SMTP authentication and the receiving MX server is running antispam protection. There are other possible reasons as well.
 
Make certain you have ALLOW RELAY on SMTP IN set to NOBODY:
 
Set Allow Relay to NOBODY
Then, make certain you have ALLOW RELAY for authenticated users and ENABLE DOMAINS'S SMTP AUTH for LOCAL DELIVERIES checked (in the same tab):
 
ALLOW RELAY for authenticated users and ENABLE DOMAINS'S SMTP AUTH
 
You will also have to make certain you have REQUIRE SMTP AUTHENTICATION checked in the DOMAIN EDIT -> TECHNICAL tab on each hosted domain.
 
Require SMTP Authentication checked in DOMAIN EDIT TECHNICAL tab
 
Note that this will require all of the user's accounts to be set for SMTP AUTHENTICATION to SEND messages, but will ensure that you are not an open relay and are not blocked by other MX servers.
 
0
js.chui Replied
Yes, we are forcing all domains to use SMTP authentication.

We already have all these rules implemented. Which is why we are so confused now.
0
Bruce Barnes Replied
Did you implement DKIM and DMARC? Do you ENFORCE GREYLISTING FOR ALL DOMAINS? If not, you're not properly configured. Do you allow users to override spam settings? If so, you're fighting a losing battle.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
js.chui Replied
We have enforced greylisting for all the domain names and don't allow users to override spam settings.
We didn't implement DKIM and DMARC. What's the best way to configure DKIM and DMARC in SmarterMail?
0
js.chui Replied
I have created the DKIM and mail signing in the SmarterMail server as per this thread:
http://forum.hostek.com/showthread.php?680-Smartermail-Mail-Signing-Domain-Keys-DKIM

Still same.
0
js.chui Replied
Ran Malwarebytes, found nothing.
0
Paul Blank Replied
Are your logs set to detailed? Is it possible that someone is "properly" authenticating as one of your users (in other words, they have the password for that user) and then using fake addresses as return addresses?
0
js.chui Replied
Initially we were guessing this as well. What we did was change all the admin passwords and even change all the domain users' passwords. Of course it is not helping.
0
Paul Blank Replied
Interested to know how this was resolved (or if it was). Thanks!
0
js.chui Replied
Not resolved. Submitting a ticket to SmarterMail support is no help at all. We submitted on Monday and until now there has been only 1 reply from them, which does not help at all.

If anyone can help, we do not mind paying a little fee.

Please contact us at support at fatservers dot my.

Thanks.
2
David Fisher Replied
Hi,
 
Make sure your logs are set to detailed, then look at the header of one of the emails, get the IP address from the header, and search your SMTP logs for that IP and date range. You should see how they are authenticating from the logs; usually "authenticated" and "authenticating" are the keywords.
 
Make sure you do not whitelist SMTP IPs much, and that it isn't open for a large range.
 
SmarterMail is up to v14.4 now; you might want to install the latest updates to have other fixes.
 
Check SMTP Authentication Bypass, and make sure you do not have a big range in there either.
 
Besides, of course, checking under Protocol Settings -> SMTP IN -> Allow Relay = Nobody.
 
Good Luck
-dave
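One way to carry out the log search Dave describes, and at the same time to test Paul's stolen-password theory from earlier in the thread, as an added example that is not from the thread or from SmarterMail itself: it walks a detailed SMTP log, ties each MAIL FROM to the account that authenticated in that session, and flags accounts that were used from several IPs to send as addresses other than their own (the random-username-at-hosted-domain pattern the original post describes). The log layout, the sample lines and the function names are assumptions; adjust the regexes to match your own log.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified SmarterMail-style SMTP log layout
# (assumption: adjust LINE/AUTH/FROM if your detailed log looks different).
SAMPLE_LOG = """\
[2015.11.28] 02:11:04 [177.0.0.10][1001] Authenticated as sales@domain1.com
[2015.11.28] 02:11:05 [177.0.0.10][1001] cmd: MAIL FROM:<qzk81@domain2.com>
[2015.11.28] 02:13:41 [41.0.0.7][1002] Authenticated as sales@domain1.com
[2015.11.28] 02:13:42 [41.0.0.7][1002] cmd: MAIL FROM:<ab77x@domain3.com>
[2015.11.28] 02:15:09 [103.0.0.2][1003] Authenticated as sales@domain1.com
[2015.11.28] 02:15:10 [103.0.0.2][1003] cmd: MAIL FROM:<sales@domain1.com>
[2015.11.28] 09:00:01 [192.0.2.5][1004] Authenticated as bob@domain2.com
[2015.11.28] 09:00:02 [192.0.2.5][1004] cmd: MAIL FROM:<bob@domain2.com>
"""

LINE = re.compile(r"^\[[\d.]+\] [\d:]+ \[(?P<ip>[^\]]+)\]\[(?P<sess>\d+)\] (?P<msg>.*)$")
AUTH = re.compile(r"authenticated as (?P<user>\S+)", re.I)
FROM = re.compile(r"MAIL FROM:<(?P<addr>[^>]*)>", re.I)

def analyze(log_text):
    """Per account: source IPs, envelope senders, and how many MAIL FROMs
    did not match the account that authenticated (the thread's pattern)."""
    session_user = {}          # (ip, session id) -> authenticated account
    stats = defaultdict(lambda: {"ips": set(), "senders": set(), "spoofed": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # not a session line, skip
        key, msg = (m["ip"], m["sess"]), m["msg"]
        a = AUTH.search(msg)
        if a:
            user = a["user"].lower()
            session_user[key] = user
            stats[user]["ips"].add(m["ip"])
            continue
        f = FROM.search(msg)
        if f and key in session_user:     # only sessions that authenticated
            user, sender = session_user[key], f["addr"].lower()
            stats[user]["senders"].add(sender)
            if sender != user:
                stats[user]["spoofed"] += 1
    return dict(stats)

def suspicious_accounts(stats, min_ips=2, min_spoofed=1):
    """Accounts seen from several IPs that also sent as other addresses."""
    return sorted(u for u, s in stats.items()
                  if len(s["ips"]) >= min_ips and s["spoofed"] >= min_spoofed)
```

Run `analyze()` over the contents of the real log file for the day in question; any account it flags is the one whose password needs changing first, and its IP list is what to compare against the header Dave mentions.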
0
Paul Blank Replied
Would like to know how this was resolved. Thanks!
