Blacklisted on Verizon


Blacklisted on Verizon

Chris Arnold
Hello list! We are being blacklisted every few days by Verizon. This is less important right now as I need to find out if/who is sending spam from the email server or if the server is an open relay. I am less inclined to think postfix (which is what we use) is an open relay. More inclined to think someone has gotten an account and is sending spam out using the server. What is the best way to find out who/if an account is sending spam from the server?
I am trying to gain access to the mail server as we speak but the password I have been given is not working so I cannot provide you with the version of postfix or any logs at this moment.

Re: Blacklisted on Verizon

Justin's Mailing Lists
Chris Arnold wrote:
> Hello list! We are being blacklisted every few days by Verizon. This is less important right now as I need to find out if/who is sending spam from the email server or if the server is an open relay. I am less inclined to think postfix (which is what we use) is an open relay. More inclined to think someone has gotten an account and is sending spam out using the server. What is the best way to find out who/if an account is sending spam from the server?
> I am trying to gain access to the mail server as we speak but the password I have been given is not working so I cannot provide you with the version of postfix or any logs at this moment.
Once you do get on, how about loading pflogsumm from http://jimsun.linxnet.com/postfix_contrib.html

This will assist you in determining who is sending the most messages.

Note: there is a problem of messages being counted twice if you are running Amavis-New spamassassin.


Ciao

Justin

Re: Blacklisted on Verizon

Chris Arnold
OK, I have gotten access to the mail server and have downloaded pflogsumm.pl. I have followed the readme and chown and chmod. Did not copy the man page. Run perl pflogsumm.pl and nothing happens; it just sits there. I untarred the gz file that was downloaded and that made a dir pflogsumm-1.1.1 and I am running pflogsumm.pl inside of that dir. Does it need to be moved to the mail log dir? It doesn't seem so as the readme says to copy to path/to/bin folder.


On 11/10/09 6:33 PM, "Justin C. Le Grice" <mailinglists@...> wrote:

> Chris Arnold wrote:
>> Hello list! We are being blacklisted every few days by Verizon. This is less important right now as I need to find out if/who is sending spam from the email server or if the server is an open relay. I am less inclined to think postfix (which is what we use) is an open relay. More inclined to think someone has gotten an account and is sending spam out using the server. What is the best way to find out who/if an account is sending spam from the server?
>> I am trying to gain access to the mail server as we speak but the password I have been given is not working so I cannot provide you with the version of postfix or any logs at this moment.
> Once you do get on, how about loading pflogsumm from http://jimsun.linxnet.com/postfix_contrib.html
>
> This will assist you in determining who is sending the most messages.
>
> Note: there is a problem of messages being counted twice if you are running Amavis-New spamassassin.
>
> Ciao
>
> Justin


Re: Blacklisted on Verizon

d.hill
Quoting Chris Arnold <[hidden email]>:

> OK, I have gotten access to the mail server and have downloaded
> pflogsumm.pl. I have followed the readme and chown and chmod. Did not copy
> the man page.

The man page does state if no file(s) are specified, it reads from  
stdin. Therefore, you need to specify the file or log file to perform  
the operation on.



Re: Blacklisted on Verizon

Miles Fidelman
[hidden email] wrote:

> Quoting Chris Arnold <[hidden email]>:
>
>> OK, I have gotten access to the mail server and have downloaded
>> pflogsumm.pl. I have followed the readme and chown and chmod. Did not
>> copy
>> the man page.
>
> The man page does state if no file(s) are specified, it reads from
> stdin. Therefore, you need to specify the file or log file to perform
> the operation on.
>
man pages are your friend!

--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra



Re: Blacklisted on Verizon

d.hill
Quoting Miles Fidelman <[hidden email]>:

> [hidden email] wrote:
>> Quoting Chris Arnold <[hidden email]>:
>>
>>> OK, I have gotten access to the mail server and have downloaded
>>> pflogsumm.pl. I have followed the readme and chown and chmod. Did not copy
>>> the man page.
>>
>> The man page does state if no file(s) are specified, it reads from  
>> stdin. Therefore, you need to specify the file or log file to  
>> perform the operation on.
>>
> man pages are your friend!

Yeah. And I forgot to include the OP's part where he/she stated the
command just sat there and did nothing. That is what led me to the
fact that the filename/logname wasn't specified. Sorry I snipped that out.


Blacklisted on Verizon

Stan Hoeppner
In reply to this post by Chris Arnold
Chris Arnold put forth on 11/10/2009 6:47 PM:
> OK, I have gotten access to the mail server and have downloaded
> pflogsumm.pl. I have followed the readme and chown and chmod. Did not
> copy the man page. Run perl pflogsumm.pl and nothing happens; it just
> sits there. I untar’ed the gz file that was downloaded and that made a
> dir pflogsumm-1.1.1 and I am running pflogsumm.pl inside of that dir.
> Does it need to be moved to the mail log dir? It doesn’t seem so as the
> readme says to copy to path/to/bin folder.

Example usage:

pflogsumm.pl /var/log/mail.log
**outputs statistics for the current log file

pflogsumm.pl -d today /var/log/mail.log
**outputs statistics for today only

pflogsumm.pl -d yesterday /var/log/mail.log
**outputs statistics for yesterday only

pflogsumm.pl /var/log/mail.log /var/log/mail.log.0 /var/log/mail.log.1
**you can specify multiple logs files, but not the rotated (zipped)
files.  pflogsumm.pl doesn't call gunzip or anything fancy.  The input
files must be text only.

You should put pflogsumm.pl in /usr/sbin/.  Don't move it to the mail
log dir, that's silly.  You should also install the manual.

--
Stan

Re: Blacklisted on Verizon

Chris Arnold
In reply to this post by d.hill
OK, nothing stands out from pflogsumm.pl:
Grand Totals
------------
messages

  15607   received
  15755   delivered
      0   forwarded
     40   deferred  (391  deferrals)
    128   bounced
   1115   rejected (6%)
      0   reject warnings
      0   held
      0   discarded (0%)

    685m  bytes received
    763m  bytes delivered
   6438   senders
   5481   sending hosts/domains
    441   recipients
    182   recipient hosts/domains


Per-Day Traffic Summary
    date          received  delivered   deferred    bounced     rejected
    --------------------------------------------------------------------
    Nov  9 2009         1          3          1
    Nov 10 2009     15328      15475        390        127       1115
    Nov 11 2009       278        277          0          1

Per-Hour Traffic Daily Average
    time          received  delivered   deferred    bounced     rejected
    --------------------------------------------------------------------
    0000-0100           0          0          0          0          0
    0100-0200           0          0          0          0          0
    0200-0300           0          0          0          0          0
    0300-0400           0          0          0          0          0
    0400-0500           0          0          0          0          0
    0500-0600           0          0          0          0          0
    0600-0700           0          0          0          0          0
    0700-0800           0          0          0          0          0
    0800-0900           1          1          0          0          0
    0900-1000           1          1          0          0          0
    1000-1100           1          1          0          0          0
    1100-1200           1          1          0          0          0
    1200-1300           1          1          0          0          0
    1300-1400           1          1          0          0          0
    1400-1500           1          1          0          0          0
    1500-1600           1          1          0          0          0
    1600-1700           1          1          0          0          0
    1700-1800           1          1          0          0          0
    1800-1900           1          1          0          0          0
    1900-2000           1          1          0          0          0
    2000-2100           0          0          0          0          0
    2100-2200           0          0          0          0          0
    2200-2300           0          0          0          0          0
    2300-2400           0          0          0          0          0

Don't want to post the whole pflogsumm file as 1) it is very long and 2) there
are some things that don't need to be shared on a mailing list :)
What are some things I should be looking for in the pflogsumm.pl report?


On 11/10/09 8:00 PM, "[hidden email]" <[hidden email]>
wrote:

> Quoting Chris Arnold <[hidden email]>:
>
>> OK, I have gotten access to the mail server and have downloaded
>> pflogsumm.pl. I have followed the readme and chown and chmod. Did not copy
>> the man page.
>
> The man page does state if no file(s) are specified, it reads from
> stdin. Therefore, you need to specify the file or log file to perform
> the operation on.
>
>



Blacklisted on Verizon

Stan Hoeppner
Chris Arnold put forth on 11/10/2009 7:21 PM:

> Don't want to post the whole pflogsumm file as 1) it is very long and 2) there
> are some things that don't need to be shared on a mailing list :)
> What are some things I should be looking for in the pflogsumm.pl report?

You should be concentrating your focus on the "Senders by message count"
section.

--
Stan

Re: Blacklisted on Verizon

Chris Arnold

On 11/10/09 8:36 PM, "Stan Hoeppner" <[hidden email]> wrote:

> Chris Arnold put forth on 11/10/2009 7:21 PM:
>
>> Don't want to post the whole pflogsumm file as 1) it is very long and 2) there
>> are some things that don't need to be shared on a mailing list :)
>> What are some things I should be looking for in the pflogsumm.pl report?
>
> You should be concentrating your focus on the "Senders by message count"
> section.
That is what I thought (just wanted to make sure) and the high count is 166
so I think I need to move on from someone sending spam from the mail server.



Re: Blacklisted on Verizon

/dev/rob0
In reply to this post by Chris Arnold
On Tuesday 10 November 2009 19:21:04 Chris Arnold wrote:
> OK, nothing stands out from pflogsumm.pl:

Nothing?

> Per-Day Traffic Summary
>     date          received  delivered   deferred    bounced     rejected
>     --------------------------------------------------------------------
>     Nov  9 2009         1          3          1
>     Nov 10 2009     15328      15475        390        127       1115

Wouldn't you say that's a bit of an increase from the previous day?
Perhaps significant?

> What are some things I should be looking for in the pflogsumm.pl
> report?

0. Not the summary, look at the actual logs.
1. Find a suspected spam. This will be easy if you start with one
   that was rejected by Verizon or other operator.
2. Trace that back to where it entered the queue.
3. Apply LART as necessary.
4. Review DEBUG_README.html#mail if questions still exist at this
   point. You can mung a specific email address if desired, but
   domain names and IP addresses might be very important.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Blacklisted on Verizon

Stan Hoeppner
In reply to this post by Chris Arnold
Chris Arnold put forth on 11/10/2009 7:56 PM:

> On 11/10/09 8:36 PM, "Stan Hoeppner" <[hidden email]> wrote:
>
>> Chris Arnold put forth on 11/10/2009 7:21 PM:
>>
>>> Don't want to post the whole pflogsumm file as 1) it is very long and 2) there
>>> are some things that don't need to be shared on a mailing list :)
>>> What are some things I should be looking for in the pflogsumm.pl report?
>> You should be concentrating your focus on the "Senders by message count"
>> section.
> That is what I thought (just wanted to make sure) and the high count is 166
> so I think I need to move on from someone sending spam from the mail server.

Do you have any PCs NAT/PAT'd behind the same IP as the mail server?  Do
you perform egress blocking of TCP 25 on all internal IPs cept the mail
server?  This is a common way to get blacklisted--mail server and PCs
behind the same NAT'd public address, and a PC gets infected with botware.

--
Stan


Re: Blacklisted on Verizon

Chris Arnold
In reply to this post by /dev/rob0

On 11/10/09 8:58 PM, "/dev/rob0" <[hidden email]> wrote:

> On Tuesday 10 November 2009 19:21:04 Chris Arnold wrote:
>> OK, nothing stands out from pflogsumm.pl:
>
> Nothing?
>
>> Per-Day Traffic Summary
>>     date          received  delivered   deferred    bounced     rejected
>>     --------------------------------------------------------------------
>>     Nov  9 2009         1          3          1
>>     Nov 10 2009     15328      15475        390        127       1115
>
> Wouldn't you say that's a bit of an increase from the previous day?
> Perhaps significant?
That is not a "true" reading. Must be where the log got logrotated.

>> What are some things I should be looking for in the pflogsumm.pl
>> report?
>
> 0. Not the summary, look at the actual logs.
> 1. Find a suspected spam. This will be easy if you start with one
>    that was rejected by Verizon or other operator.
> 2. Trace that back to where it entered the queue.
> 3. Apply LART as necessary.
> 4. Review DEBUG_README.html#mail if questions still exist at this
>    point. You can mung a specific email address if desired, but
>    domain names and IP addresses might be very important.
Trying to get one of those rejected emails now.



Blacklisted on Verizon

Stan Hoeppner
In reply to this post by /dev/rob0
/dev/rob0 put forth on 11/10/2009 7:58 PM:

> On Tuesday 10 November 2009 19:21:04 Chris Arnold wrote:
>> OK, nothing stands out from pflogsumm.pl:
>
> Nothing?
>
>> Per-Day Traffic Summary
>>     date          received  delivered   deferred    bounced     rejected
>>     --------------------------------------------------------------------
>>     Nov  9 2009         1          3          1
>>     Nov 10 2009     15328      15475        390        127       1115
>
> Wouldn't you say that's a bit of an increase from the previous day?
> Perhaps significant?

Rob, I think that's likely the result of log rotation timing.  If you've
not seen this before, or often, you probably haven't been using
pflogsumm 'enough'. ;)

Doing something like this usually prevents the anomaly above:
pflogsumm.pl /var/log/mail.log /var/log/mail.log.0 /var/log/mail.log.1

--
Stan

Re: Blacklisted on Verizon

Aaron Wolfe
On Tue, Nov 10, 2009 at 9:14 PM, Stan Hoeppner <[hidden email]> wrote:

> /dev/rob0 put forth on 11/10/2009 7:58 PM:
>> On Tuesday 10 November 2009 19:21:04 Chris Arnold wrote:
>>> OK, nothing stands out from pflogsumm.pl:
>>
>> Nothing?
>>
>>> Per-Day Traffic Summary
>>>     date          received  delivered   deferred    bounced     rejected
>>>     --------------------------------------------------------------------
>>>     Nov  9 2009         1          3          1
>>>     Nov 10 2009     15328      15475        390        127       1115
>>
>> Wouldn't you say that's a bit of an increase from the previous day?
>> Perhaps significant?
>
> Rob, I think that's likely the result of log rotation timing.  If you've
> not seen this before, or often, you probably haven't been using
> pflogsumm 'enough'. ;)
>
> Doing something like this usually prevents the anomaly above:
> pflogsumm.pl /var/log/mail.log /var/log/mail.log.0 /var/log/mail.log.1
>

If spam from this server is the cause of trouble, it may have happened
some days ago.
The OP needs to look at a few days past.  Depending on log rotation,
this may involve several files, some of which may be gzipped.

> --
> Stan
>

Re: Blacklisted on Verizon

Olivier Nicole-2
In reply to this post by Chris Arnold
Hi,

> Hello list! We are being blacklisted every few days from verizon. This is
> less important right now as I need to find out if/who is sending spam from
> the email server or if the server is an open relay. I am less inclined to
> think postfix (which is what we use) is an open relay. More inclined to
> think someone has gotten an account is sending spam out using the server.
> What is the best way to find out who/if an account is sending spam from the
> server?

At the same time you can try to talk to Verizon, asking them what message
caused the blacklisting. Having the message ID of the spam may help
identify your spammer.

Good luck,

Olivier

Re: Blacklisted on Verizon

Ramprasad-5
In reply to this post by Chris Arnold
On Tue, 2009-11-10 at 17:07 -0500, Chris Arnold wrote:
> Hello list! We are being blacklisted every few days by Verizon. This is less important right now as I need to find out if/who is sending spam from the email server or if the server is an open relay. I am less inclined to think postfix (which is what we use) is an open relay. More inclined to think someone has gotten an account and is sending spam out using the server. What is the best way to find out who/if an account is sending spam from the server?
> I am trying to gain access to the mail server as we speak but the password I have been given is not working so I cannot provide you with the version of postfix or any logs at this moment.

Watch the abuse address and enable feedback loops.

AOL, Hotmail etc. provide feedback loops.
The spammer will surely be hitting some AOL accounts.
If someone at AOL marks mail as spam you get the abuse complaint.


That's the easiest way of tracing the compromised account.


Thanks
Ram



Re: Blacklisted on Verizon

dhottinger
In reply to this post by Stan Hoeppner
Quoting Stan Hoeppner <[hidden email]>:

> Chris Arnold put forth on 11/10/2009 7:21 PM:
>
>> Don't want to post the whole pflogsumm file as 1) it is very long and 2) there
>> are some things that don't need to be shared on a mailing list :)
>> What are some things I should be looking for in the pflogsumm.pl report?
>
> You should be concentrating your focus on the "Senders by message count"
> section.
>
> --
> Stan
>

Wouldn't the logwatch from the server list top users by emails?

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

"Everything should be made as simple as possible, but not simpler."
-- Albert Einstein

"The hottest places in Hell are reserved for those who, in times of moral
crisis, preserved their neutrality."
-- Dante


Re: Blacklisted on Verizon

/dev/rob0
On Wednesday 11 November 2009 06:14:08
   [hidden email] wrote:
> Quoting Stan Hoeppner <[hidden email]>:
> > You should be concentrating your focus on the "Senders by
> > message count" section.
>
> Wouldn't the logwatch from the server list top users by emails?

Perhaps, but I missed the part where the OP mentioned that he was
using logwatch. Nevertheless I fail to see the relevance. Possibly
the OP's system is spewing spam, and all the helpful advice given in
this thread has gotten the OP not one bit closer to finding the
perpetrator and fixing the problem.

"Senders by message count" is ENVELOPE SENDER, in the case of spam,
completely useless. If the OP has, as I might guess, a compromised
httpd + PHP script, for example, the envelope sender will probably
change for EACH spam it sends.

Absolute rubbish. I will say that pflogsumm.pl is a fine tool, but
the suggestion thereof, and this entire thread, has been nothing but
a distraction from the work that the OP needs to do immediately.

I wrote:

> > What are some things I should be looking for in the pflogsumm.pl
> > report?
>
> 0. Not the summary, look at the actual logs.
> 1. Find a suspected spam. This will be easy if you start with one
>    that was rejected by Verizon or other operator.
> 2. Trace that back to where it entered the queue.
> 3. Apply LART as necessary.
> 4. Review DEBUG_README.html#mail if questions still exist at this
>    point. You can mung a specific email address if desired, but
>    domain names and IP addresses might be very important.

One step I neglected to mention in my previous post: "postfix stop".
Your damage increases with every spam you send.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
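The procedure /dev/rob0 gives (find a rejected message, trace it back to where it entered the queue) together with the point above that the envelope sender is useless for this, shown as an added example that is not code from the thread, from Postfix or from pflogsumm. It groups log lines by queue ID, keeps the messages a remote matching a pattern bounced or deferred, and reports the entry point (pickup uid, SASL user or client) for each, so a script that rotates its envelope sender still shows up as one source; `read_log` also reads the gzipped rotated logs Aaron mentioned. All log lines, hosts, queue IDs and uids are constructed.

```python
"""Trace Postfix deliveries a remote site rejected back to where each message entered the
queue. Added example for this thread, not Postfix or pflogsumm code. Assumes classic
syslog-style Postfix lines; every sample line, queue ID, host and uid below is constructed."""
import gzip, re, sys
from collections import defaultdict
from itertools import chain

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
                     r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")

# Constructed log: two messages handed in locally by uid 33 (a web-server account, the
# "compromised PHP script" case) with a different envelope sender each time, one from an
# authenticated SASL user, and one clean delivery that was accepted.
SAMPLE_LOG = """\
Nov 10 14:02:11 mx postfix/pickup[1300]: 1AAAAA0001: uid=33 from=<www-data>
Nov 10 14:02:11 mx postfix/qmgr[1100]: 1AAAAA0001: from=<promo4421@example.net>, size=2048, nrcpt=1 (queue active)
Nov 10 14:02:13 mx postfix/smtp[1250]: 1AAAAA0001: to=<u1@verizon.net>, relay=relay.verizon.net[198.51.100.5]:25, dsn=5.7.1, status=bounced (host relay.verizon.net[198.51.100.5] said: 550 5.7.1 blocked)
Nov 10 14:02:20 mx postfix/pickup[1300]: 1AAAAA0002: uid=33 from=<www-data>
Nov 10 14:02:20 mx postfix/qmgr[1100]: 1AAAAA0002: from=<deal9917@example.org>, size=2100, nrcpt=1 (queue active)
Nov 10 14:02:22 mx postfix/smtp[1251]: 1AAAAA0002: to=<u2@verizon.net>, relay=relay.verizon.net[198.51.100.5]:25, dsn=5.7.1, status=bounced (host relay.verizon.net[198.51.100.5] said: 550 5.7.1 blocked)
Nov 10 14:03:01 mx postfix/smtpd[1234]: 1AAAAA0003: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Nov 10 14:03:01 mx postfix/qmgr[1100]: 1AAAAA0003: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Nov 10 14:03:03 mx postfix/smtp[1252]: 1AAAAA0003: to=<u3@verizon.net>, relay=relay.verizon.net[198.51.100.5]:25, dsn=4.7.1, status=deferred (host relay.verizon.net[198.51.100.5] said: 421 4.7.1 blocked)
Nov 10 14:04:00 mx postfix/smtpd[1235]: 1AAAAA0004: client=mail.example.com[203.0.113.7]
Nov 10 14:04:00 mx postfix/qmgr[1100]: 1AAAAA0004: from=<bob@example.com>, size=700, nrcpt=1 (queue active)
Nov 10 14:04:02 mx postfix/smtp[1253]: 1AAAAA0004: to=<u4@verizon.net>, relay=relay.verizon.net[198.51.100.5]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

def read_log(path):
    """Yield lines from a plain or gzip-compressed log (rotated logs are often .gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        yield from fh

def group_by_queue_id(lines):
    """Collect every (program, text) event for each queue ID, in log order."""
    msgs = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            msgs[m["qid"]].append((m["prog"], m["rest"]))
    return msgs

def entry_point(events):
    """Where the message entered the queue: SASL user, connecting client, or local uid."""
    for prog, rest in events:
        if prog == "smtpd":
            user = re.search(r"sasl_username=(\S+)", rest)
            client = re.search(r"client=([^,\s]+)", rest)
            return f"sasl user {user[1]}" if user else f"client {client[1] if client else '?'}"
        if prog == "pickup":
            uid = re.search(r"uid=(\d+)", rest)
            return f"local uid {uid[1] if uid else '?'}"
    return "unknown"

def trace_rejections(lines, pattern=re.compile(r"verizon", re.I)):
    """Map entry point -> [(queue_id, envelope_sender)] for messages that a remote matching
    `pattern` bounced or deferred; grouping this way exposes the real source even when the
    envelope sender changes with every message."""
    report = defaultdict(list)
    for qid, events in group_by_queue_id(lines).items():
        sender = next((re.match(r"from=<([^>]*)>", r)[1] for p, r in events
                       if p == "qmgr" and r.startswith("from=<")), None)
        for prog, rest in events:
            m = re.search(r"status=(?:bounced|deferred) \((.*)\)$", rest)
            if prog in ("smtp", "lmtp") and m and pattern.search(m[1]):
                report[entry_point(events)].append((qid, sender))
                break
    return dict(report)

if __name__ == "__main__":
    # Pass log paths (plain or .gz) to scan real files; with no arguments, use the sample.
    src = chain.from_iterable(map(read_log, sys.argv[1:])) if sys.argv[1:] else SAMPLE_LOG.splitlines()
    for source, hits in sorted(trace_rejections(src).items(), key=lambda kv: -len(kv[1])):
        print(f"{len(hits):4d} rejected, entered via {source}: " + ", ".join(f"{q} from=<{s}>" for q, s in hits))
```

On the sample, uid 33 is reported twice with two unrelated envelope senders while the accepted message from bob does not appear at all.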

Re: Blacklisted on Verizon

Chris Arnold
On 11/11/09 7:55 AM, "/dev/rob0" <[hidden email]> wrote:

> On Wednesday 11 November 2009 06:14:08
>    [hidden email] wrote:
>> Quoting Stan Hoeppner <[hidden email]>:
>>> You should be concentrating your focus on the "Senders by
>>> message count" section.
>>
>> Wouldn't the logwatch from the server list top users by emails?
>
> Perhaps, but I missed the part where the OP mentioned that he was
> using logwatch.
Not using logwatch that I know of.

> Nevertheless I fail to see the relevance. Possibly
> the OP's system is spewing spam, and all the helpful advice given in
> this thread has gotten the OP not one bit closer to finding the
> perpetrator and fixing the problem.
No, the advice here has helped with troubleshooting where the spam is coming
from or finding the compromised system/script.

> "Senders by message count" is ENVELOPE SENDER, in the case of spam,
> completely useless. If the OP has, as I might guess, a compromised
> httpd + PHP script, for example, the envelope sender will probably
> change for EACH spam it sends.
Looking into this now.

>
> Absolute rubbish. I will say that pflogsumm.pl is a fine tool, but
> the suggestion thereof, and this entire thread, has been nothing but
> a distraction from the work that the OP needs to do immediately.
>
> I wrote:
>>> What are some things I should be looking for in the pflogsumm.pl
>>> report?
>>
>> 0. Not the summary, look at the actual logs.
>> 1. Find a suspected spam. This will be easy if you start with one
>>    that was rejected by Verizon or other operator.
>> 2. Trace that back to where it entered the queue.
>> 3. Apply LART as necessary.
>> 4. Review DEBUG_README.html#mail if questions still exist at this
>>    point. You can mung a specific email address if desired, but
>>    domain names and IP addresses might be very important.
>
> One step I neglected to mention in my previous post: "postfix stop".
> Your damage increases with every spam you send.
I don't believe this hosting service will want to kill email but I will bring
it to their attention.

