Spam Detection and Abuse
Question asked by Francis Gibbons - February 15, 2017 at 9:04 AM
Hello All,
 
I am running Smartermail 15.5 on a Windows 2012 machine. My question to you is I was just blacklisted on Protected Sky but not sure how to tell where or who it's coming from. I will post the email headers and stuff below. But when I search for gunda_swanhilde@joycevanlines.com or claus@marxmeier.de between Feb 7 and 15 both for delivery and smtp nothing is found. mail.gdishosting.com is my hosting domain I have smartermail using. Also what is funny is joycevanlines.com I don't host their email on my server, just their website.
 
I tested my server to see if it is an open relay and it passed that it isn't. I took a look in the Spool to see if I see any large amount of mail but nothing is there.
 
I also set up Abuse Detection for Internal Spammer with Time Frame of 5 mins, Count 25 and Block Time 30 mins. But I have not gotten any notifications regarding it.
 
I don't know what/where else to look or do to see where spam is coming out of my server. Can someone please help me by providing a step by step on things/suggestions I could do? I want to catch and stop the spam so I can get off the blacklist.
 
My Server IP is: 198.49.69.18 and 198.49.69.19
 
Email Headers of One Spam Complaint that went to my data center:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
X-Mail-Scanner: Scanned by qSheff-II-2.1-r3 [clamav 0.99.1]
X-Complaints-To: support@netsecdb.de
Received: from mail.gdishosting.com (HELO [4]www.joycevanlines.com)
(198.49.69.18)
by rettesichwerkann.org with SMTP; 13 Feb 2017 18:23:34 +0100
Date: Mon, 13 Feb 2017 17:22:09 +0000
To: claus@marxmeier.de
From: Gunda Swanhilde <gunda_swanhilde@joycevanlines.com>
Subject: Erfahre die Methode, um reich zu werden: 100% Wirkungsvoll!
Message-ID: <aaa80886338192747216b5a74ca75548@www.joycevanlines.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_aaa80886338192747216b5a74ca75548"
Content-Transfer-Encoding: 8bit

--b1_aaa80886338192747216b5a74ca75548
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Es ist nichts Schlechtes daran, davon zu träumen, zu unerwartetem Geld
aus dem
Nichts zu kommen. Niemand würde auf solches Glück verzichten. Aber niemand
schafft es, so einen Traum zu verwirklichen… bis vor kurzem.
 
Thank you,

Frank G.

5 Replies

I'd check the joycevanlines.com website. There may be a bot or compromised form. I'd block all port 25 traffic from it until you figure it out.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
Hello Matthew,

I went into the website structure and found code uploaded to the upload folder. I deleted that and removed write permissions to the area. But what is odd is in the past that email used to show up in my Smartermail spool. When I would look it would just be a ton of joycevanlines or anything else for that matter. Why do you think it didn't show up in the spool?

Thanks for the help,

Frank G.
Glad you found it. When this happened to us we changed the rules. All Port 25 traffic is routed to our mail server and Authentication is required.
One other thing, remove execute permissions on the upload folder.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
Hello Matthew, it's hard to do that as some of my customers manage the site themselves, and doing so won't allow them to upload images or do other things. How do you route the traffic to port 25 and set authentication permissions? Thanks again!
Francis,
In our firewall (we use an external one) we route all outgoing port 25 traffic to our mail server. You can google changing permissions on a folder for your version of OS. Disabling the ability to execute a file protects you and your reputation.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
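A header triage check along the lines of Kendra's diagnosis, added here as an example that is not part of the thread: it reads the Received, Message-ID and From headers quoted in the question and reports whether the message was generated by a script on the web host rather than relayed through the mail server (which is why nothing appeared in the SmarterMail spool). The set of mail-server hostnames is an assumption; an operator would take it from the SMTP configuration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the relevant header lines from the spam complaint quoted
# in the question (body and MIME parts omitted).
SAMPLE = """\
Received: from mail.gdishosting.com (HELO www.joycevanlines.com)
 (198.49.69.18)
 by rettesichwerkann.org with SMTP; 13 Feb 2017 18:23:34 +0100
Date: Mon, 13 Feb 2017 17:22:09 +0000
To: claus@marxmeier.de
From: Gunda Swanhilde <gunda_swanhilde@joycevanlines.com>
Subject: Erfahre die Methode, um reich zu werden: 100% Wirkungsvoll!
Message-ID: <aaa80886338192747216b5a74ca75548@www.joycevanlines.com>
MIME-Version: 1.0

(body omitted)
"""

# Hostnames the SmarterMail server itself announces in HELO/EHLO.
# Assumption: an operator would take these from the SMTP configuration.
MAIL_SERVER_HOSTS = {"mail.gdishosting.com"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s*"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)", re.S)


def triage(raw_headers):
    """Work out which host generated the message: the mail server or a web host."""
    msg = message_from_string(raw_headers)
    # The topmost Received header is the receiving MX's record of the connection.
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[0]) if received else None
    helo = m.group("helo").lower() if m else None
    ip = m.group("ip") if m else None
    msgid = msg.get("Message-ID", "")
    msgid_host = msgid.rsplit("@", 1)[1].strip(" <>").lower() if "@" in msgid else None
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    # Mail relayed through the mail server would normally carry the server's own
    # HELO name and a Message-ID on its hostname. A web host in both places means
    # a script on that site spoke SMTP directly, bypassing the mail spool.
    web_origin = (helo is not None and helo not in MAIL_SERVER_HOSTS
                  and msgid_host is not None and msgid_host not in MAIL_SERVER_HOSTS)
    return {"ip": ip, "helo": helo, "message_id_host": msgid_host,
            "from_domain": from_domain,
            "origin": "web-server-script" if web_origin else "mail-server"}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:16} {value}")
```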
