Just one user receiving spam.

Just one user receiving spam.

Miguel Da Silva - URI
Dear users, today a user told me he was receiving too much spam in a
very short period of time. I took a look at the log files and what he
told me is true. :(

But... it just happens to him, nothing else is receiving spam. The
server is running Postfix + SpamAssassin + Clamav and the filters seem
to run fine. I can see many warnings about blocked spam.

The symptoms are too many connections trying to send mail to this user.
Those connections come from all over the world.

Any suggestion?!

Greetings.
--
Miguel Da Silva
Junior Unix Systems Administrator
Centro de Matemática - http://www.cmat.edu.uy
Facultad de Ciencias - http://www.fcien.edu.uy
Universidad de la República - http://www.rau.edu.uy

Re: Just one user receiving spam.

Noel Jones-2
Miguel Da Silva - Centro de Matemática wrote:

> Dear users, today a user told me he was receiving too much spam in a
> very short period of time. I took a look at the log files and what he
> told me is true. :(
>
> But... it just happens to him, nothing else is receiving spam. The
> server is running Postfix + SpamAssassin + Clamav and the filters seem
> to run fine. I can see many warnings about blocked spam.
>
> The symptoms are too many connections trying to send mail to this user.
> Those connections come from all over the world.
>
> Any suggestion?!
>
> Greetings.

If these are non-delivery notices of mail he didn't send, see
the BACKSCATTER_README for suggestions on blocking it.
http://www.postfix.org/BACKSCATTER_README.html

--
Noel Jones



Re: Just one user receiving spam.

Miguel Da Silva - URI
Noel Jones wrote:

> Miguel Da Silva - Centro de Matemática wrote:
>> Dear users, today a user told me he was receiving too much spam in a
>> very short period of time. I took a look at the log files and what he
>> told me is true. :(
>>
>> But... it just happens to him, nothing else is receiving spam. The
>> server is running Postfix + SpamAssassin + Clamav and the filters
>> seem to run fine. I can see many warnings about blocked spam.
>>
>> The symptoms are too many connections trying to send mail to this
>> user. Those connections come from all over the world.
>>
>> Any suggestion?!
>>
>> Greetings.
>
> If these are non-delivery notices of mail he didn't send, see the
> BACKSCATTER_README for suggestions on blocking it.
> http://www.postfix.org/BACKSCATTER_README.html
>

I'll check this, thank you.

There's something in common between all these messages being sent to
the user; all of them have "from=<>" as sender. Here is an example:

Aug 21 11:28:45 mordred postfix/qmgr[32662]: 9DF4913105F: from=<>,
size=3267, nrcpt=1 (queue active)

Any help?

Greetings.
--
Miguel Da Silva
Junior Unix Systems Administrator
Centro de Matemática - http://www.cmat.edu.uy
Facultad de Ciencias - http://www.fcien.edu.uy
Universidad de la República - http://www.rau.edu.uy
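The log line quoted in this message shows the tell-tale "from=<>" of a bounce. As an added example (not part of the original thread and not Postfix's own tooling), the Python script below joins the smtpd, qmgr and delivery-agent lines of each message by queue ID and then counts, per recipient, how many null-sender messages arrived and from how many distinct client IPs, which is exactly the pattern described in the thread: one mailbox, many bounces, many unrelated sources. The sample log lines are constructed; the host name follows the thread's example but the queue IDs, client hosts, addresses and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix log lines (not from the thread). Three
# null-sender messages reach one mailbox from three unrelated clients; one
# ordinary message with a real sender goes to another user.
SAMPLE_LOG = """\
Aug 21 11:28:44 mordred postfix/smtpd[32670]: A1B2C3D4E5: client=mx.bouncer-one.example[192.0.2.10]
Aug 21 11:28:45 mordred postfix/qmgr[32662]: A1B2C3D4E5: from=<>, size=3267, nrcpt=1 (queue active)
Aug 21 11:28:45 mordred postfix/local[32675]: A1B2C3D4E5: to=<victim@example.org>, relay=local, delay=0.5, delays=0.3/0.01/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
Aug 21 11:29:02 mordred postfix/smtpd[32671]: B2C3D4E5F6: client=relay.bouncer-two.example[198.51.100.7]
Aug 21 11:29:03 mordred postfix/qmgr[32662]: B2C3D4E5F6: from=<>, size=5120, nrcpt=1 (queue active)
Aug 21 11:29:03 mordred postfix/local[32675]: B2C3D4E5F6: to=<victim@example.org>, relay=local, delay=0.4, delays=0.3/0.01/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
Aug 21 11:29:40 mordred postfix/smtpd[32670]: C3D4E5F6A7: client=mail.bouncer-three.example[203.0.113.25]
Aug 21 11:29:41 mordred postfix/qmgr[32662]: C3D4E5F6A7: from=<>, size=2980, nrcpt=1 (queue active)
Aug 21 11:29:41 mordred postfix/local[32675]: C3D4E5F6A7: to=<victim@example.org>, relay=local, delay=0.6, delays=0.4/0.01/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
Aug 21 11:30:10 mordred postfix/smtpd[32671]: D4E5F6A7B8: client=smtp.partner.example[192.0.2.200]
Aug 21 11:30:11 mordred postfix/qmgr[32662]: D4E5F6A7B8: from=<bob@partner.example>, size=1800, nrcpt=1 (queue active)
Aug 21 11:30:11 mordred postfix/local[32675]: D4E5F6A7B8: to=<alice@example.org>, relay=local, delay=0.3, delays=0.2/0.01/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# Postfix logs every stage of a message under the same queue ID, so the three
# patterns below are joined on that field.
QID = r"(?P<qid>[0-9A-Za-z]+)"
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: " + QID + r": from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"postfix/(?:local|virtual|lmtp|pipe|smtp)\[\d+\]: " + QID + r": to=<(?P<rcpt>[^>]+)>")


def correlate(lines):
    """Join the smtpd, qmgr and delivery-agent lines of each message by queue ID."""
    msgs = defaultdict(lambda: {"ip": None, "sender": None, "rcpts": []})
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            msgs[m["qid"]]["ip"] = m["ip"]
            continue
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]   # "" is the null sender
            continue
        m = TO_RE.search(line)
        if m:
            msgs[m["qid"]]["rcpts"].append(m["rcpt"])
    return dict(msgs)


def null_sender_stats(lines):
    """Per recipient: number of null-sender messages and the distinct client IPs they came from."""
    stats = defaultdict(lambda: {"count": 0, "sources": set()})
    for msg in correlate(lines).values():
        if msg["sender"] != "":   # None = no qmgr line seen; non-empty = a real sender
            continue
        for rcpt in msg["rcpts"]:
            stats[rcpt]["count"] += 1
            if msg["ip"]:
                stats[rcpt]["sources"].add(msg["ip"])
    return dict(stats)


def suspected_backscatter_targets(lines, min_msgs=3, min_sources=2):
    """Recipients hit by many bounces from many unrelated hosts; thresholds are illustrative."""
    stats = null_sender_stats(lines)
    return sorted(r for r, s in stats.items()
                  if s["count"] >= min_msgs and len(s["sources"]) >= min_sources)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rcpt, s in null_sender_stats(lines).items():
        print(f"{rcpt}: {s['count']} null-sender messages from {len(s['sources'])} client IPs")
    print("suspected backscatter targets:", suspected_backscatter_targets(lines))
```

On a real system feed it the mail log (for example `null_sender_stats(open("/var/log/mail.log"))`); the delivery-agent alternation in `TO_RE` covers local, virtual, LMTP, pipe and SMTP deliveries, and a message without an smtpd client line (locally submitted mail) simply contributes no source IP.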

Re: Just one user receiving spam.

Miguel Da Silva - URI
Noel Jones wrote:

> Miguel Da Silva - Centro de Matemática wrote:
>> Dear users, today a user told me he was receiving too much spam in a
>> very short period of time. I took a look at the log files and what he
>> told me is true. :(
>>
>> But... it just happens to him, nothing else is receiving spam. The
>> server is running Postfix + SpamAssassin + Clamav and the filters
>> seem to run fine. I can see many warnings about blocked spam.
>>
>> The symptoms are too many connections trying to send mail to this
>> user. Those connections come from all over the world.
>>
>> Any suggestion?!
>>
>> Greetings.
>
> If these are non-delivery notices of mail he didn't send, see the
> BACKSCATTER_README for suggestions on blocking it.
> http://www.postfix.org/BACKSCATTER_README.html
>

Thank you... it's really backscatter.

Let's work with it now.

Greetings.
--
Miguel Da Silva
Junior Unix Systems Administrator
Centro de Matemática - http://www.cmat.edu.uy
Facultad de Ciencias - http://www.fcien.edu.uy
Universidad de la República - http://www.rau.edu.uy

Re: Just one user receiving spam.

Noel Jones-2
Miguel Da Silva - Centro de Matemática wrote:

> Noel Jones wrote:
>> Miguel Da Silva - Centro de Matemática wrote:
>>> Dear users, today a user told me he was receiving too much spam in a
>>> very short period of time. I took a look at the log files and what he
>>> told me is true. :(
>>>
>>> But... it just happens to him, nothing else is receiving spam. The
>>> server is running Postfix + SpamAssassin + Clamav and the filters
>>> seem to run fine. I can see many warnings about blocked spam.
>>>
>>> The symptoms are too many connections trying to send mail to this
>>> user. Those connections come from all over the world.
>>>
>>> Any suggestion?!
>>>
>>> Greetings.
>>
>> If these are non-delivery notices of mail he didn't send, see the
>> BACKSCATTER_README for suggestions on blocking it.
>> http://www.postfix.org/BACKSCATTER_README.html
>>
>
> Thank you... it's really backscatter.
>
> Let's work with it now.
>
> Greetings.

Those usually do not get blocked by RBLs and other usual
tactics because they come from legit but poorly configured
mail servers.

ips.backscatterer.org is an RBL that targets backscatter
sources.  http://www.backscatterer.org/
To limit the false positives, only reject mail if it looks
like a bounce.

something like this:
# main.cf
smtpd_sender_restrictions =
   regexp:/etc/postfix/sender.regexp

# sender.regexp
# check null sender bounces
/^<>$/  reject_rbl_client ips.backscatterer.org

--
Noel Jones


Re: Just one user receiving spam.

mouss-2
Noel Jones wrote:

> Miguel Da Silva - Centro de Matemática wrote:
>> Noel Jones wrote:
>>> Miguel Da Silva - Centro de Matemática wrote:
>>>> Dear users, today a user told me he was receiving too much spam in
>>>> a very short period of time. I took a look at the log files and what
>>>> he told me is true. :(
>>>>
>>>> But... it just happens to him, nothing else is receiving spam. The
>>>> server is running Postfix + SpamAssassin + Clamav and the filters
>>>> seem to run fine. I can see many warnings about blocked spam.
>>>>
>>>> The symptoms are too many connections trying to send mail to this
>>>> user. Those connections come from all over the world.
>>>>
>>>> Any suggestion?!
>>>>
>>>> Greetings.
>>>
>>> If these are non-delivery notices of mail he didn't send, see the
>>> BACKSCATTER_README for suggestions on blocking it.
>>> http://www.postfix.org/BACKSCATTER_README.html
>>>
>>
>> Thank you... it's really backscatter.
>>
>> Let's work with it now.
>>
>> Greetings.
>
> Those usually do not get blocked by RBLs and other usual tactics because
> they come from legit but poorly configured mail servers.
>
> ips.backscatterer.org is an RBL that targets backscatter sources.  
> http://www.backscatterer.org/
> To limit the false positives, only reject mail if it looks like a bounce.
>
> something like this:
> # main.cf
> smtpd_sender_restrictions =
>   regexp:/etc/postfix/sender.regexp
>
> # sender.regexp
> # check null sender bounces
> /^<>$/  reject_rbl_client ips.backscatterer.org
>

better do this in data restrictions to avoid blocking SAV sources.

$ host lists.sourceforge.net
lists.sourceforge.net has address 66.35.250.206
$ host 206.250.35.66.ips.backscatterer.org
206.250.35.66.ips.backscatterer.org has address 127.0.0.2
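An added example, not part of the thread, that models in Python the two points made in the last two messages: the reversed-octet DNSBL lookup mouss demonstrates with `host`, and Noel's rule of consulting the list only when the envelope sender is null, so that ordinary mail is never subject to it. The zone name is the one given in the thread; the convention that any answer in 127.0.0.0/8 means "listed" is the general DNSBL one. `should_reject` takes a pluggable resolver so the decision logic can be exercised without network access (the fake answer in the usage note is constructed). At which stage Postfix applies the rule, smtpd_sender_restrictions as in Noel's snippet or smtpd_data_restrictions as mouss recommends to avoid rejecting SAV probes, is a main.cf choice outside this script.

```python
import ipaddress
import socket

# Zone named in the thread.
ZONE = "ips.backscatterer.org"


def dnsbl_query_name(ip, zone=ZONE):
    """Reversed-octet lookup name, e.g. 66.35.250.206 -> 206.250.35.66.ips.backscatterer.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this zone lists IPv4 addresses only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_lookup(name):
    """Resolve a DNSBL name over the network; None means not listed (NXDOMAIN or resolver error)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(answer):
    """Only a 127.0.0.0/8 answer counts; anything else (e.g. a wildcard reply) is ignored."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def should_reject(sender, client_ip, resolver=dnsbl_lookup):
    """Mirror of the thread's access rule: check the list only for the null
    sender. Postfix looks the null sender up as "<>" in access maps, so both
    spellings are accepted here."""
    if sender not in ("", "<>"):
        return False
    return is_listed(resolver(dnsbl_query_name(client_ip)))


if __name__ == "__main__":
    # Live lookup of the address from mouss's message; result depends on the zone's current data.
    ip = "66.35.250.206"
    name = dnsbl_query_name(ip)
    print(name, "->", dnsbl_lookup(name))
    print("reject bounce from", ip, "?", should_reject("", ip))
```

For an offline check, pass a resolver such as `lambda name: "127.0.0.2" if name.startswith("206.250.35.66.") else None` (a constructed answer that reproduces the thread's `host` output); `should_reject("", "66.35.250.206", resolver=fake)` is then True while `should_reject("bob@example.org", "66.35.250.206", resolver=fake)` stays False, which is the whole point of gating on the null sender.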