Trace spam activity on mail server

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
20 messages Options
Reply | Threaded
Open this post in threaded view
|

Trace spam activity on mail server

Matteo Cazzador-2
Hi, i need an help.  A Trend micro QIL list re-include Continuously my
mail server (Linux Centos).

All other list not include my ip.

TrendMicro don't give me specific motivation.

I don't see in postfix log any meaningful spam activities.

There is a method to trace eventually spam activity don't logged?

Or a web application or local to monitor my mail server activities?

Examples: connections on 25/587 port that are not logged by postfix?

I trace all php mail function script but, i don't see any activities for
now.

I dont see any NDR o backscatter activities.

I do not know what to do....

Thanks

--
Rispetta l'ambiente: se non ti è necessario, non stampare questa mail.

Le informazioni contenute in questa e-mail e nei files eventualmente allegati sono destinate unicamente ai destinatari della stessa e
sono da considerarsi strettamente riservate. E' proibito copiare, salvare, utilizzare,  inoltrare a terzi e diffondere il contenuto della presente
senza il preventivo consenso, ai sensi dell'articolo 616 c.p. e della Legge n. 196/2003. Se avete ricevuto questo messaggio per errore siete
pregati di comunicarlo immediatamente all'indirizzo mittente, nonché di cancellarne il contenuto senza procedere ad ulteriore o differente trattamento.


******************************************
Ing. Matteo Cazzador
NetLite snc di Cazzador Gagliardi
Corso Vittorio Emanuele II, 188 37069
Villafranca di Verona VR
Tel 0454856656
Fax 0454856655
Email: [hidden email]
Web: http://www.netlite.it
******************************************

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

lists@lazygranch.com
I did a whois on your domain, checked the Trend Micro list, and it was not found. 

Replies to this email will be no different than your previous email. Basically all you can do is request the block be removed. These RBLs have little sympathy for those they block. 

My best solution for non-reposnse RBLs is to get them removed from any email server that I care about. When you contact an administrator and show that you pass a hundred RBLs, they will either drop the offending RBL that has false positives or whitelist your domain. 

Out of three problem RBLs, only one admitted they were the problem and cleared me.

When I first set up my email server, I thought the more RBLs the better. Eventually I learned less is more.
  Original Message  
From: Matteo Cazzador
Sent: Monday, May 1, 2017 3:36 AM
To: postfix users
Subject: Trace spam activity on mail server

Hi, i need an help. A Trend micro QIL list re-include Continuously my
mail server (Linux Centos).

All other list not include my ip.

TrendMicro don't give me specific motivation.

I don't see in postfix log any meaningful spam activities.

There is a method to trace eventually spam activity don't logged?

Or a web application or local to monitor my mail server activities?

Examples: connections on 25/587 port that are not logged by postfix?

I trace all php mail function script but, i don't see any activities for
now.

I dont see any NDR o backscatter activities.

I do not know what to do....

Thanks

--
Rispetta l'ambiente: se non ti è necessario, non stampare questa mail.

Le informazioni contenute in questa e-mail e nei files eventualmente allegati sono destinate unicamente ai destinatari della stessa e
sono da considerarsi strettamente riservate. E' proibito copiare, salvare, utilizzare, inoltrare a terzi e diffondere il contenuto della presente
senza il preventivo consenso, ai sensi dell'articolo 616 c.p. e della Legge n. 196/2003. Se avete ricevuto questo messaggio per errore siete
pregati di comunicarlo immediatamente all'indirizzo mittente, nonché di cancellarne il contenuto senza procedere ad ulteriore o differente trattamento.


******************************************
Ing. Matteo Cazzador
NetLite snc di Cazzador Gagliardi
Corso Vittorio Emanuele II, 188 37069
Villafranca di Verona VR
Tel 0454856656
Fax 0454856655
Email: [hidden email]
Web: http://www.netlite.it
******************************************

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Michael Segel
Ok,
This is a little bit off topic for the mail list.

Assuming as you say, you don’t spam…

You may be included in a RBL if you reside on a net block that has a spammer on it.
So while your domain isn’t  spamming, if your next door virtual neighbor is… you’re SOL (Shit Out of Luck) until you ask your ISP to move you to another net block, or you find a different Provider.

You can run a check on your MX Server… there are a couple of web sites that do this… and I think one or two will identify the RBLs that include you.


Now, if you have a spammer on your server…

1) Are you an open relay? (Check with one of the MX sites to validate your configuration)

2) Do you host other domains?  Anyone of those domains could be listed which means your IP addresses are listed.

3) You said you have a mailing list.
   a) How do people subscribe to the list?
   b) What’s the purpose of the list?
   c) How do you let people unsubscribe?
   d) Do you comply with the ‘CAN-SPAM’ law (which isn’t much or that good of a law)


The reason you will find those who run the RBLs to be less than responsive is that Spam has been an ongoing problem for almost 30 years. (Wasn’t the Cantor-Siegel green card spam in ’88 or was it ’89?)
Spamhaus has been around for roughly 20 years. (I met Steve in Madison WI, 19 years ago at a dinner meeting)  

I’m sure that every RBL list maintainer has heard every excuse in book including pink contracts from ISPs, which resulted in the IDP (Internet Death Penalty) being created.


While I’ve since moved on and have forgotten what little I knew of Mail Servers, there are things that you should be able to do.

In theory, you can track your outbound email and run a simple counter based on the sender’s info.  If you have a spammer on your network, you would be able to see how many emails they send, and how many bcc’s are on each email.  

Another thing you can do is to check the domain registration of your clients.
If the domain registration information is bogus, its a good sign you have a spammer.  
If the domain registration is blocked, then you should look a little deeper since you’re hosting the domain.
(If you’re in country A, and the person buying access is in country B, that’s another ‘red’ flag. )

That’s pretty much common sense.

Most of the RBLs implement an auto aging policy. Meaning if they don’t get a report that you’re spamming, they will automatically remove your IP from the list unless of course someone else in your netblock is spamming. Then you need to move, maybe even to a new ISP.


HTH

-Mike

> On May 1, 2017, at 3:44 PM, [hidden email] wrote:
>
> I did a whois on your domain, checked the Trend Micro list, and it was not found.
>
> Replies to this email will be no different than your previous email. Basically all you can do is request the block be removed. These RBLs have little sympathy for those they block.
>
> My best solution for non-reposnse RBLs is to get them removed from any email server that I care about. When you contact an administrator and show that you pass a hundred RBLs, they will either drop the offending RBL that has false positives or whitelist your domain.
>
> Out of three problem RBLs, only one admitted they were the problem and cleared me.
>
> When I first set up my email server, I thought the more RBLs the better. Eventually I learned less is more.
>   Original Message  
> From: Matteo Cazzador
> Sent: Monday, May 1, 2017 3:36 AM
> To: postfix users
> Subject: Trace spam activity on mail server
>
> Hi, i need an help. A Trend micro QIL list re-include Continuously my
> mail server (Linux Centos).
>
> All other list not include my ip.
>
> TrendMicro don't give me specific motivation.
>
> I don't see in postfix log any meaningful spam activities.
>
> There is a method to trace eventually spam activity don't logged?
>
> Or a web application or local to monitor my mail server activities?
>
> Examples: connections on 25/587 port that are not logged by postfix?
>
> I trace all php mail function script but, i don't see any activities for
> now.
>
> I dont see any NDR o backscatter activities.
>
> I do not know what to do....
>
> Thanks
>
> --
> Rispetta l'ambiente: se non ti è necessario, non stampare questa mail.
>
> Le informazioni contenute in questa e-mail e nei files eventualmente allegati sono destinate unicamente ai destinatari della stessa e
> sono da considerarsi strettamente riservate. E' proibito copiare, salvare, utilizzare, inoltrare a terzi e diffondere il contenuto della presente
> senza il preventivo consenso, ai sensi dell'articolo 616 c.p. e della Legge n. 196/2003. Se avete ricevuto questo messaggio per errore siete
> pregati di comunicarlo immediatamente all'indirizzo mittente, nonché di cancellarne il contenuto senza procedere ad ulteriore o differente trattamento.
>
>
> ******************************************
> Ing. Matteo Cazzador
> NetLite snc di Cazzador Gagliardi
> Corso Vittorio Emanuele II, 188 37069
> Villafranca di Verona VR
> Tel 0454856656
> Fax 0454856655
> Email: [hidden email]
> Web: http://www.netlite.it
> ******************************************
>

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Kevin A. McGrail
On 5/2/2017 9:51 AM, Michael Segel wrote:
> You can run a check on your MX Server… there are a couple of web sites that do this… and I think one or two will identify the RBLs that include you.
One trick I use a lot when I have an infected machine on a network or a
customer with a problem is that I setup a smarthost running a milter
that runs the email through a spam checker, logs the answer and then
tempfails the emails.

Then I can analyze if there is an issue and do a silent discard by
subject or internal IP if we find a compromised machine while letting
everything else go through.

Regards,
KAM
Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Michael Segel
Just to follow up…
I ran the check on his domain:
https://mxtoolbox.com/domain/netlite.it/

Pretty clean, maybe a few things to fix, but he’s not on any black list.

I don’t know when he set up his domain, it could be that Trend Micro blocked the IP block due to a previous tenant and never took them off.

Truthfully, I don’t use much more than Spamhaus these days. in terms of RBLs.  

He’s not running an open relay and if there was a spammer on his network, Spamhaus would have caught it too. Or someone else.

Its not Matteo’s server and I suspect its Trend Micro.

HTH

-Mike

> On May 2, 2017, at 8:56 AM, Kevin A. McGrail <[hidden email]> wrote:
>
> On 5/2/2017 9:51 AM, Michael Segel wrote:
>> You can run a check on your MX Server… there are a couple of web sites that do this… and I think one or two will identify the RBLs that include you.
> One trick I use a lot when I have an infected machine on a network or a customer with a problem is that I setup a smarthost running a milter that runs the email through a spam checker, logs the answer and then tempfails the emails.
>
> Then I can analyze if there is an issue and do a silent discard by subject or internal IP if we find a compromised machine while letting everything else go through.
>
> Regards,
> KAM

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Kevin A. McGrail
On 5/2/2017 10:02 AM, Michael Segel wrote:
Just to follow up… 
I ran the check on his domain:
https://mxtoolbox.com/domain/netlite.it/

Pretty clean, maybe a few things to fix, but he’s not on any black list. 

I don’t know when he set up his domain, it could be that Trend Micro blocked the IP block due to a previous tenant and never took them off. 

Truthfully, I don’t use much more than Spamhaus these days. in terms of RBLs.  

He’s not running an open relay and if there was a spammer on his network, Spamhaus would have caught it too. Or someone else. 

Its not Matteo’s server and I suspect its Trend Micro. 

Yes, I'm a big fan of MXToolBox.  Great tool!  I agree, you might be looking for a ghost in the machine that doesn't exist and it's a FP from TrendMicro.


Regards,
KAM

--
Kevin A. McGrail
CEO

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
[hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Matteo Cazzador-2

Hi, everybody,  yes is the first thing i try, i use mxtoolbox always before every investigation (from 1 year).

For me the problem is related only at spam activity that my server don't trace or a somthing compromise, like an user account.

But on my server there are no trace of spam.

Or it is a false positive alert, that cause a lot of problem to my customer.

The domain implicated is not my mail domain but mail server is the same.

Thanks.

Il 02/05/2017 16:40, Kevin A. McGrail ha scritto:
On 5/2/2017 10:02 AM, Michael Segel wrote:
Just to follow up… 
I ran the check on his domain:
https://mxtoolbox.com/domain/netlite.it/

Pretty clean, maybe a few things to fix, but he’s not on any black list. 

I don’t know when he set up his domain, it could be that Trend Micro blocked the IP block due to a previous tenant and never took them off. 

Truthfully, I don’t use much more than Spamhaus these days. in terms of RBLs.  

He’s not running an open relay and if there was a spammer on his network, Spamhaus would have caught it too. Or someone else. 

Its not Matteo’s server and I suspect its Trend Micro. 

Yes, I'm a big fan of MXToolBox.  Great tool!  I agree, you might be looking for a ghost in the machine that doesn't exist and it's a FP from TrendMicro.


Regards,
KAM

--
Kevin A. McGrail
CEO

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
[hidden email]


-- 
Rispetta l'ambiente: se non ti è necessario, non stampare questa mail.

Le informazioni contenute in questa e-mail e nei files eventualmente allegati sono destinate unicamente ai destinatari della stessa e 
sono da considerarsi strettamente riservate. E' proibito copiare, salvare, utilizzare,  inoltrare a terzi e diffondere il contenuto della presente 
senza il preventivo consenso, ai sensi dell'articolo 616 c.p. e della Legge n. 196/2003. Se avete ricevuto questo messaggio per errore siete 
pregati di comunicarlo immediatamente all'indirizzo mittente, nonché di cancellarne il contenuto senza procedere ad ulteriore o differente trattamento.


******************************************
Ing. Matteo Cazzador
NetLite snc di Cazzador Gagliardi
Corso Vittorio Emanuele II, 188 37069
Villafranca di Verona VR
Tel 0454856656
Fax 0454856655
Email: [hidden email]
Web: http://www.netlite.it
******************************************
Reply | Threaded
Open this post in threaded view
|

RE: Trace spam activity on mail server

L.P.H. van Belle
In reply to this post by Michael Segel
So far i can see, is your web site the target not you mail server.

I personaly use : http://multirbl.valli.org/lookup/netlite.it.html 
About the same as mx toolbox, but i did notice that the list of multirbl is much shorted when the domainname is used.
If i check with this hostname:  mail.netlite.it (212.29.157.98)
http://multirbl.valli.org/lookup/212.29.157.98.html 

DNSBL Blacklist Test Summary
Ip based:  231 of 231 tests done.
Domain base: 49 of 49 tests done.
Result, not listed anywere.

You are running with out of date wordpress plugins. Checked a few.
Thats asking for problems. Check you webserver logs for strange/out of the order things.

If you dont use mod security, get it, learn it, install it and stop the wordpress abuse.

Greetz,

Louis



> -----Oorspronkelijk bericht-----
> Van: [hidden email]
> [mailto:[hidden email]] Namens Michael Segel
> Verzonden: dinsdag 2 mei 2017 16:02
> Aan: Kevin A. McGrail
> CC: [hidden email]; Matteo Cazzador; postfix users
> Onderwerp: Re: Trace spam activity on mail server
>
> Just to follow up…
> I ran the check on his domain:
> https://mxtoolbox.com/domain/netlite.it/
>
> Pretty clean, maybe a few things to fix, but he’s not on any
> black list.
>
> I don’t know when he set up his domain, it could be that
> Trend Micro blocked the IP block due to a previous tenant and
> never took them off.
>
> Truthfully, I don’t use much more than Spamhaus these days.
> in terms of RBLs.  
>
> He’s not running an open relay and if there was a spammer on
> his network, Spamhaus would have caught it too. Or someone else.
>
> Its not Matteo’s server and I suspect its Trend Micro.
>
> HTH
>
> -Mike
>
> > On May 2, 2017, at 8:56 AM, Kevin A. McGrail
> <[hidden email]> wrote:
> >
> > On 5/2/2017 9:51 AM, Michael Segel wrote:
> >> You can run a check on your MX Server… there are a couple
> of web sites that do this… and I think one or two will
> identify the RBLs that include you.
> > One trick I use a lot when I have an infected machine on a
> network or a customer with a problem is that I setup a
> smarthost running a milter that runs the email through a spam
> checker, logs the answer and then tempfails the emails.
> >
> > Then I can analyze if there is an issue and do a silent
> discard by subject or internal IP if we find a compromised
> machine while letting everything else go through.
> >
> > Regards,
> > KAM
>
>

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

lists@lazygranch.com
In reply to this post by Michael Segel
Would a spammy email server only trigger one RBL?

While mxtoolbox looks complete, there are more RBLs than on their list. I never knew Trend Micro had a RBL. ‎

‎Spamrl.com is one I can't stay off of. They do honor their one week reprieve. Like I said, I managed to get them removed from servers that I communicate with. There are over a hundred RBLs. If one is a problem child, dump it.

Pulled right from their website.
"Unfortunately, we cannot disclose any details about WHY your IP has a bad reputation.‎"

This thread is about spamrl.com, and no, I'm not a participant in the thread. 
http://www.webhostingtalk.com/showthread.php?t=1598238‎

Supposedly spamrl.com uses honeypots, which makes me wonder if a prankster can spoof headers and spam the honeypots just to drum up customers for commercial white lists. 

  Original Message  
From: Michael Segel
Sent: Tuesday, May 2, 2017 7:02 AM
To: Kevin A. McGrail
Cc: [hidden email]; Matteo Cazzador; postfix users
Subject: Re: Trace spam activity on mail server

Just to follow up…
I ran the check on his domain:
https://mxtoolbox.com/domain/netlite.it/

Pretty clean, maybe a few things to fix, but he’s not on any black list.

I don’t know when he set up his domain, it could be that Trend Micro blocked the IP block due to a previous tenant and never took them off.

Truthfully, I don’t use much more than Spamhaus these days. in terms of RBLs.

He’s not running an open relay and if there was a spammer on his network, Spamhaus would have caught it too. Or someone else.

Its not Matteo’s server and I suspect its Trend Micro.

HTH

-Mike

> On May 2, 2017, at 8:56 AM, Kevin A. McGrail <[hidden email]> wrote:
>
> On 5/2/2017 9:51 AM, Michael Segel wrote:
>> You can run a check on your MX Server… there are a couple of web sites that do this… and I think one or two will identify the RBLs that include you.
> One trick I use a lot when I have an infected machine on a network or a customer with a problem is that I setup a smarthost running a milter that runs the email through a spam checker, logs the answer and then tempfails the emails.
>
> Then I can analyze if there is an issue and do a silent discard by subject or internal IP if we find a compromised machine while letting everything else go through.
>
> Regards,
> KAM

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Kevin A. McGrail
On 5/2/2017 10:56 AM, [hidden email] wrote:
> Would a spammy email server only trigger one RBL?

Sure.

Spam is often in the eye of the beholder, people use different feeds,
different policies, purposes, etc.

I wouldn't discount it that it's an issue just because it's only on one
RBL.  I'm a public mirror for quite a few and the overlap is not as high
as one might think.

Regards,
KAM

Reply | Threaded
Open this post in threaded view
|

RE: Trace spam activity on mail server

L.P.H. van Belle
In reply to this post by Matteo Cazzador-2
Maybe its handy to tell us the real domainname and ip involving this problem?
 
 
Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Matteo Cazzador-2
In reply to this post by L.P.H. van Belle
This i s very interesting thanks i follow this suggest.

I was moving on wrog way.

Thanks


Il 02/05/2017 16:52, L.P.H. van Belle ha scritto:

> So far i can see, is your web site the target not you mail server.
>
> I personaly use : http://multirbl.valli.org/lookup/netlite.it.html
> About the same as mx toolbox, but i did notice that the list of multirbl is much shorted when the domainname is used.
> If i check with this hostname:  mail.netlite.it (212.29.157.98)
> http://multirbl.valli.org/lookup/212.29.157.98.html
>
> DNSBL Blacklist Test Summary
> Ip based:  231 of 231 tests done.
> Domain base: 49 of 49 tests done.
> Result, not listed anywere.
>
> You are running with out of date wordpress plugins. Checked a few.
> Thats asking for problems. Check you webserver logs for strange/out of the order things.
>
> If you dont use mod security, get it, learn it, install it and stop the wordpress abuse.
>
> Greetz,
>
> Louis
>
>
>
>> -----Oorspronkelijk bericht-----
>> Van: [hidden email]
>> [mailto:[hidden email]] Namens Michael Segel
>> Verzonden: dinsdag 2 mei 2017 16:02
>> Aan: Kevin A. McGrail
>> CC: [hidden email]; Matteo Cazzador; postfix users
>> Onderwerp: Re: Trace spam activity on mail server
>>
>> Just to follow up…
>> I ran the check on his domain:
>> https://mxtoolbox.com/domain/netlite.it/
>>
>> Pretty clean, maybe a few things to fix, but he’s not on any
>> black list.
>>
>> I don’t know when he set up his domain, it could be that
>> Trend Micro blocked the IP block due to a previous tenant and
>> never took them off.
>>
>> Truthfully, I don’t use much more than Spamhaus these days.
>> in terms of RBLs.
>>
>> He’s not running an open relay and if there was a spammer on
>> his network, Spamhaus would have caught it too. Or someone else.
>>
>> Its not Matteo’s server and I suspect its Trend Micro.
>>
>> HTH
>>
>> -Mike
>>
>>> On May 2, 2017, at 8:56 AM, Kevin A. McGrail
>> <[hidden email]> wrote:
>>> On 5/2/2017 9:51 AM, Michael Segel wrote:
>>>> You can run a check on your MX Server… there are a couple
>> of web sites that do this… and I think one or two will
>> identify the RBLs that include you.
>>> One trick I use a lot when I have an infected machine on a
>> network or a customer with a problem is that I setup a
>> smarthost running a milter that runs the email through a spam
>> checker, logs the answer and then tempfails the emails.
>>> Then I can analyze if there is an issue and do a silent
>> discard by subject or internal IP if we find a compromised
>> machine while letting everything else go through.
>>> Regards,
>>> KAM
>>

--
Rispetta l'ambiente: se non ti è necessario, non stampare questa mail.

Le informazioni contenute in questa e-mail e nei files eventualmente allegati sono destinate unicamente ai destinatari della stessa e
sono da considerarsi strettamente riservate. E' proibito copiare, salvare, utilizzare,  inoltrare a terzi e diffondere il contenuto della presente
senza il preventivo consenso, ai sensi dell'articolo 616 c.p. e della Legge n. 196/2003. Se avete ricevuto questo messaggio per errore siete
pregati di comunicarlo immediatamente all'indirizzo mittente, nonché di cancellarne il contenuto senza procedere ad ulteriore o differente trattamento.


******************************************
Ing. Matteo Cazzador
NetLite snc di Cazzador Gagliardi
Corso Vittorio Emanuele II, 188 37069
Villafranca di Verona VR
Tel 0454856656
Fax 0454856655
Email: [hidden email]
Web: http://www.netlite.it
******************************************

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Matteo Cazzador-2
I don't find any site compromise, i try to write

to Trend Micro for the third time......

Thanks everybody.


Il 02/05/2017 17:03, Matteo Cazzador ha scritto:

> This i s very interesting thanks i follow this suggest.
>
> I was moving on wrog way.
>
> Thanks
>
>
> Il 02/05/2017 16:52, L.P.H. van Belle ha scritto:
>> So far i can see, is your web site the target not you mail server.
>>
>> I personaly use : http://multirbl.valli.org/lookup/netlite.it.html
>> About the same as mx toolbox, but i did notice that the list of
>> multirbl is much shorted when the domainname is used.
>> If i check with this hostname:  mail.netlite.it (212.29.157.98)
>> http://multirbl.valli.org/lookup/212.29.157.98.html
>>
>> DNSBL Blacklist Test Summary
>> Ip based:  231 of 231 tests done.
>> Domain base: 49 of 49 tests done.
>> Result, not listed anywere.
>>
>> You are running with out of date wordpress plugins. Checked a few.
>> Thats asking for problems. Check you webserver logs for strange/out
>> of the order things.
>>
>> If you dont use mod security, get it, learn it, install it and stop
>> the wordpress abuse.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: [hidden email]
>>> [mailto:[hidden email]] Namens Michael Segel
>>> Verzonden: dinsdag 2 mei 2017 16:02
>>> Aan: Kevin A. McGrail
>>> CC: [hidden email]; Matteo Cazzador; postfix users
>>> Onderwerp: Re: Trace spam activity on mail server
>>>
>>> Just to follow up…
>>> I ran the check on his domain:
>>> https://mxtoolbox.com/domain/netlite.it/
>>>
>>> Pretty clean, maybe a few things to fix, but he’s not on any
>>> black list.
>>>
>>> I don’t know when he set up his domain, it could be that
>>> Trend Micro blocked the IP block due to a previous tenant and
>>> never took them off.
>>>
>>> Truthfully, I don’t use much more than Spamhaus these days.
>>> in terms of RBLs.
>>>
>>> He’s not running an open relay and if there was a spammer on
>>> his network, Spamhaus would have caught it too. Or someone else.
>>>
>>> Its not Matteo’s server and I suspect its Trend Micro.
>>>
>>> HTH
>>>
>>> -Mike
>>>
>>>> On May 2, 2017, at 8:56 AM, Kevin A. McGrail
>>> <[hidden email]> wrote:
>>>> On 5/2/2017 9:51 AM, Michael Segel wrote:
>>>>> You can run a check on your MX Server… there are a couple
>>> of web sites that do this… and I think one or two will
>>> identify the RBLs that include you.
>>>> One trick I use a lot when I have an infected machine on a
>>> network or a customer with a problem is that I setup a
>>> smarthost running a milter that runs the email through a spam
>>> checker, logs the answer and then tempfails the emails.
>>>> Then I can analyze if there is an issue and do a silent
>>> discard by subject or internal IP if we find a compromised
>>> machine while letting everything else go through.
>>>> Regards,
>>>> KAM
>>>
>

--
Rispetta l'ambiente: se non ti è necessario, non stampare questa mail.

Le informazioni contenute in questa e-mail e nei files eventualmente allegati sono destinate unicamente ai destinatari della stessa e
sono da considerarsi strettamente riservate. E' proibito copiare, salvare, utilizzare,  inoltrare a terzi e diffondere il contenuto della presente
senza il preventivo consenso, ai sensi dell'articolo 616 c.p. e della Legge n. 196/2003. Se avete ricevuto questo messaggio per errore siete
pregati di comunicarlo immediatamente all'indirizzo mittente, nonché di cancellarne il contenuto senza procedere ad ulteriore o differente trattamento.


******************************************
Ing. Matteo Cazzador
NetLite snc di Cazzador Gagliardi
Corso Vittorio Emanuele II, 188 37069
Villafranca di Verona VR
Tel 0454856656
Fax 0454856655
Email: [hidden email]
Web: http://www.netlite.it
******************************************

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Michael Segel
In reply to this post by Kevin A. McGrail
First, honey pots aren’t an issue and spoofing an IP address is fairly easy to pickup.

As to spam is in the eye of the beholder, if you go back to my questions…

You’ll see that I asked about the OP’s mail list.

Free clue… if you purchased a list of potential customers… you’re a spammer.
If you scraped email addresses. You’re a spammer.


If you just moved the the IP block, request a new block.  Or a new ISP.

But I’d also make sure you’re running a clean shop too.

> On May 2, 2017, at 10:00 AM, Kevin A. McGrail <[hidden email]> wrote:
>
> On 5/2/2017 10:56 AM, [hidden email] wrote:
>> Would a spammy email server only trigger one RBL?
>
> Sure.
>
> Spam is often in the eye of the beholder, people use different feeds, different policies, purposes, etc.
>
> I wouldn't discount it that it's an issue just because it's only on one RBL.  I'm a public mirror for quite a few and the overlap is not as high as one might think.
>
> Regards,
> KAM
>

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

lists@lazygranch.com
My point was some prankster and/or whitelist service  could ‎spam the honeypot with your credentials forged. That is a great way for a white list service to get customers. 

Without knowing the setup of the honeypot, it could be spoofed. These RBLs shoot first and ask questions later. 

Anyway, destroying the spamrl.com customer base one customer at a time works for me. A google search will find plenty of false positive complaints. 

Requesting a new IP just leaves the problem for the next owner. I managed to free up a block of Digital Ocean IP space by convincing one RBL that they were wrong regarding the IP space. Granted Digital Ocean should have done that. 

I never used any customer list nor scraped email addresses. 

The reality is these RBLs aren't bug free, and they never provide evidence of spamming. They prefer you go on a wild goose chase. Mind you any time I report a hack, I provide log data. That is how it should be done.

Two easy things to harden your server:
1) no web mail
2) all accounts use TLS



  Original Message  
From: Michael Segel
Sent: Tuesday, May 2, 2017 9:02 AM
To: Kevin A. McGrail
Cc: [hidden email]; Matteo Cazzador; postfix users
Subject: Re: Trace spam activity on mail server

First, honey pots aren’t an issue and spoofing an IP address is fairly easy to pickup.

As to spam is in the eye of the beholder, if you go back to my questions…

You’ll see that I asked about the OP’s mail list.

Free clue… if you purchased a list of potential customers… you’re a spammer.
If you scraped email addresses. You’re a spammer.


If you just moved the the IP block, request a new block. Or a new ISP.

But I’d also make sure you’re running a clean shop too.

> On May 2, 2017, at 10:00 AM, Kevin A. McGrail <[hidden email]> wrote:
>
> On 5/2/2017 10:56 AM, [hidden email] wrote:
>> Would a spammy email server only trigger one RBL?
>
> Sure.
>
> Spam is often in the eye of the beholder, people use different feeds, different policies, purposes, etc.
>
> I wouldn't discount it that it's an issue just because it's only on one RBL. I'm a public mirror for quite a few and the overlap is not as high as one might think.
>
> Regards,
> KAM
>

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Michael Segel
I got what you were saying.

What you’re talking about is known as a Joe Job.
And its harder to do because its easier to spot fake headers these days.
So while its possible, its highly improbable and if it were done, it wouldn’t be on a single RBL.

As to RBL services… yes, over time, some get dropped because they become stale and aren’t being maintained.  Some have nut jobs running them.

Trend Micro doesn’t fit in to those categories.

I agree to using TLS as a way to harden the security, but depending on the web mail server … YMMV.

There’s a reason why the RBLs don’t provide the ‘evidence’. Spammers are cockroaches, but they also learn from their mistakes.
Right now I’m working on my new server and its set up as my secondary MX. Already I have spammers hitting this machine and it looks like they are bypassing my primary server altogether.

You are correct, the owner of the Netblock is ultimately responsible. So you should be able to get a new net block and let Digital Ocean worry.  


> On May 2, 2017, at 3:07 PM, [hidden email] wrote:
>
> My point was some prankster and/or whitelist service  could ‎spam the honeypot with your credentials forged. That is a great way for a white list service to get customers.
>
> Without knowing the setup of the honeypot, it could be spoofed. These RBLs shoot first and ask questions later.
>
> Anyway, destroying the spamrl.com customer base one customer at a time works for me. A google search will find plenty of false positive complaints.
>
> Requesting a new IP just leaves the problem for the next owner. I managed to free up a block of Digital Ocean IP space by convincing one RBL that they were wrong regarding the IP space. Granted Digital Ocean should have done that.
>
> I never used any customer list nor scraped email addresses.
>
> The reality is these RBLs aren't bug free, and they never provide evidence of spamming. They prefer you go on a wild goose chase. Mind you any time I report a hack, I provide log data. That is how it should be done.
>
> Two easy things to harden your server:
> 1) no web mail
> 2) all accounts use TLS
>
>
>
>   Original Message  
> From: Michael Segel
> Sent: Tuesday, May 2, 2017 9:02 AM
> To: Kevin A. McGrail
> Cc: [hidden email]; Matteo Cazzador; postfix users
> Subject: Re: Trace spam activity on mail server
>
> First, honey pots aren’t an issue and spoofing an IP address is fairly easy to pickup.
>
> As to spam is in the eye of the beholder, if you go back to my questions…
>
> You’ll see that I asked about the OP’s mail list.
>
> Free clue… if you purchased a list of potential customers… you’re a spammer.
> If you scraped email addresses. You’re a spammer.
>
>
> If you just moved the the IP block, request a new block. Or a new ISP.
>
> But I’d also make sure you’re running a clean shop too.
>
>> On May 2, 2017, at 10:00 AM, Kevin A. McGrail <[hidden email]> wrote:
>>
>> On 5/2/2017 10:56 AM, [hidden email] wrote:
>>> Would a spammy email server only trigger one RBL?
>>
>> Sure.
>>
>> Spam is often in the eye of the beholder, people use different feeds, different policies, purposes, etc.
>>
>> I wouldn't discount it that it's an issue just because it's only on one RBL. I'm a public mirror for quite a few and the overlap is not as high as one might think.
>>
>> Regards,
>> KAM
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

lists@lazygranch.com
‎From the wiki:
"Joe job victims may lose website hosting or network connectivity due to complaints to their Internet service providers, and even face increased bandwidth costs (or server overload) due to increased website traffic. The victim may also find his or her email blacklisted by spam filters."
  Original Message  
From: Michael Segel
Sent: Tuesday, May 2, 2017 1:36 PM
To: [hidden email]
Cc: Kevin A. McGrail; Matteo Cazzador; postfix users
Subject: Re: Trace spam activity on mail server

I got what you were saying.

What you’re talking about is known as a Joe Job.
And its harder to do because its easier to spot fake headers these days.
So while its possible, its highly improbable and if it were done, it wouldn’t be on a single RBL.

As to RBL services… yes, over time, some get dropped because they become stale and aren’t being maintained. Some have nut jobs running them.

Trend Micro doesn’t fit in to those categories.

I agree to using TLS as a way to harden the security, but depending on the web mail server … YMMV.

There’s a reason why the RBLs don’t provide the ‘evidence’. Spammers are cockroaches, but they also learn from their mistakes.
Right now I’m working on my new server and its set up as my secondary MX. Already I have spammers hitting this machine and it looks like they are bypassing my primary server altogether.

You are correct, the owner of the Netblock is ultimately responsible. So you should be able to get a new net block and let Digital Ocean worry.


> On May 2, 2017, at 3:07 PM, [hidden email] wrote:
>
> My point was some prankster and/or whitelist service could ‎spam the honeypot with your credentials forged. That is a great way for a white list service to get customers.
>
> Without knowing the setup of the honeypot, it could be spoofed. These RBLs shoot first and ask questions later.
>
> Anyway, destroying the spamrl.com customer base one customer at a time works for me. A google search will find plenty of false positive complaints.
>
> Requesting a new IP just leaves the problem for the next owner. I managed to free up a block of Digital Ocean IP space by convincing one RBL that they were wrong regarding the IP space. Granted Digital Ocean should have done that.
>
> I never used any customer list nor scraped email addresses.
>
> The reality is these RBLs aren't bug free, and they never provide evidence of spamming. They prefer you go on a wild goose chase. Mind you any time I report a hack, I provide log data. That is how it should be done.
>
> Two easy things to harden your server:
> 1) no web mail
> 2) all accounts use TLS
>
>
>
> Original Message
> From: Michael Segel
> Sent: Tuesday, May 2, 2017 9:02 AM
> To: Kevin A. McGrail
> Cc: [hidden email]; Matteo Cazzador; postfix users
> Subject: Re: Trace spam activity on mail server
>
> First, honey pots aren’t an issue and spoofing an IP address is fairly easy to pickup.
>
> As to spam is in the eye of the beholder, if you go back to my questions…
>
> You’ll see that I asked about the OP’s mail list.
>
> Free clue… if you purchased a list of potential customers… you’re a spammer.
> If you scraped email addresses. You’re a spammer.
>
>
> If you just moved the the IP block, request a new block. Or a new ISP.
>
> But I’d also make sure you’re running a clean shop too.
>
>> On May 2, 2017, at 10:00 AM, Kevin A. McGrail <[hidden email]> wrote:
>>
>> On 5/2/2017 10:56 AM, [hidden email] wrote:
>>> Would a spammy email server only trigger one RBL?
>>
>> Sure.
>>
>> Spam is often in the eye of the beholder, people use different feeds, different policies, purposes, etc.
>>
>> I wouldn't discount it that it's an issue just because it's only on one RBL. I'm a public mirror for quite a few and the overlap is not as high as one might think.
>>
>> Regards,
>> KAM
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Bill Cole-3
In reply to this post by lists@lazygranch.com
On 2 May 2017, at 10:56, [hidden email] wrote:

> Would a spammy email server only trigger one RBL?

Sure.

> While mxtoolbox looks complete, there are more RBLs than on their
> list. I never knew Trend Micro had a RBL. ‎

Funny story: technically Trend Micro has the ONLY "RBL" because that's a
registered trademark. They bought that trademark along with all of the
other intellectual property and ongoing operations of Mail Abuse
Prevention Systems, L.L.C. ~15 years ago. MAPS was a not-for-profit
founded by Paul Vixie, who invented the DNSBL mechanism and ran the
first DNSBL: the Realtime Blackhole List, a.k.a. RBL.

As far as I can tell, the active defense of that trademark has been
almost invisible for over a decade, so while DNSBL is the formally
correct generic term, RBL may not even be legally defensible as a
trademark any more but one of the Trend Micro DNSBL's is actually named
RBL.

> ‎Spamrl.com is one I can't stay off of. They do honor their one week
> reprieve. Like I said, I managed to get them removed from servers that
> I communicate with. There are over a hundred RBLs. If one is a problem
> child, dump it.
>
> Pulled right from their website.
> "Unfortunately, we cannot disclose any details about WHY your IP has a
> bad reputation.‎"
>
> This thread is about spamrl.com, and no, I'm not a participant in the
> thread. 
> http://www.webhostingtalk.com/showthread.php?t=1598238‎
>
> Supposedly spamrl.com uses honeypots, which makes me wonder if a
> prankster can spoof headers and spam the honeypots just to drum up
> customers for commercial white lists. 

The spamrl.com operation is just an alternative face for spamexperts.com
and one of their inputs is feedback from customers, who can report
errors in their filtering to spamrl.com addresses for mitigation.
Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

Michael Segel
Now thats a name from the past.

Bill, you’d probably know some of the spammer domains where they complained about spamhaus and other RBLs…

Its been a while since I followed all of this stuff from Usenet days…

> On May 3, 2017, at 10:25 AM, Bill Cole <[hidden email]> wrote:
>
> On 2 May 2017, at 10:56, [hidden email] wrote:
>
>> Would a spammy email server only trigger one RBL?
>
> Sure.
>
>> While mxtoolbox looks complete, there are more RBLs than on their list. I never knew Trend Micro had a RBL. ‎
>
> Funny story: technically Trend Micro has the ONLY "RBL" because that's a registered trademark. They bought that trademark along with all of the other intellectual property and ongoing operations of Mail Abuse Prevention Systems, L.L.C. ~15 years ago. MAPS was a not-for-profit founded by Paul Vixie, who invented the DNSBL mechanism and ran the first DNSBL: the Realtime Blackhole List, a.k.a. RBL.
>
> As far as I can tell, the active defense of that trademark has been almost invisible for over a decade, so while DNSBL is the formally correct generic term, RBL may not even be legally defensible as a trademark any more but one of the Trend Micro DNSBL's is actually named RBL.
>
>> ‎Spamrl.com is one I can't stay off of. They do honor their one week reprieve. Like I said, I managed to get them removed from servers that I communicate with. There are over a hundred RBLs. If one is a problem child, dump it.
>>
>> Pulled right from their website.
>> "Unfortunately, we cannot disclose any details about WHY your IP has a bad reputation.‎"
>>
>> This thread is about spamrl.com, and no, I'm not a participant in the thread.
>> http://www.webhostingtalk.com/showthread.php?t=1598238‎
>>
>> Supposedly spamrl.com uses honeypots, which makes me wonder if a prankster can spoof headers and spam the honeypots just to drum up customers for commercial white lists.
>
> The spamrl.com operation is just an alternative face for spamexperts.com and one of their inputs is feedback from customers, who can report errors in their filtering to spamrl.com addresses for mitigation.

Reply | Threaded
Open this post in threaded view
|

Re: Trace spam activity on mail server

lists@lazygranch.com
In reply to this post by Bill Cole-3
Regarding spamrl.com / spamexperts, their customer tools don't work. The only solution is to drop them. On and off, months were wasted with those clowns.

I'm assuming the customer never sees the dictionary search attempts, so the problem is their crappy software. Now I have caught snow shoe type dictionary searches coming from Digital Ocean IP space. The hackers buy three to as many as eight "droplets". I report them and DO does shut them down. It is possible spamrl.com just seems the entire DO IP space toxic, but then again they should provide a functional whitelist procedure.

This VPS race to the bottom is a problem. With OVH under $5, it looks like there is no floor, and you can't police your customers with pocket change revenue. 

  Original Message  
From: Bill Cole
Sent: Wednesday, May 3, 2017 8:26 AM
To: Postfix users
Reply To: Postfix users
Subject: Re: Trace spam activity on mail server

On 2 May 2017, at 10:56, [hidden email] wrote:

> Would a spammy email server only trigger one RBL?

Sure.

> While mxtoolbox looks complete, there are more RBLs than on their
> list. I never knew Trend Micro had a RBL. ‎

Funny story: technically Trend Micro has the ONLY "RBL" because that's a
registered trademark. They bought that trademark along with all of the
other intellectual property and ongoing operations of Mail Abuse
Prevention Systems, L.L.C. ~15 years ago. MAPS was a not-for-profit
founded by Paul Vixie, who invented the DNSBL mechanism and ran the
first DNSBL: the Realtime Blackhole List, a.k.a. RBL.

As far as I can tell, the active defense of that trademark has been
almost invisible for over a decade, so while DNSBL is the formally
correct generic term, RBL may not even be legally defensible as a
trademark any more but one of the Trend Micro DNSBL's is actually named
RBL.

> ‎Spamrl.com is one I can't stay off of. They do honor their one week
> reprieve. Like I said, I managed to get them removed from servers that
> I communicate with. There are over a hundred RBLs. If one is a problem
> child, dump it.
>
> Pulled right from their website.
> "Unfortunately, we cannot disclose any details about WHY your IP has a
> bad reputation.‎"
>
> This thread is about spamrl.com, and no, I'm not a participant in the
> thread. 
> http://www.webhostingtalk.com/showthread.php?t=1598238‎
>
> Supposedly spamrl.com uses honeypots, which makes me wonder if a
> prankster can spoof headers and spam the honeypots just to drum up
> customers for commercial white lists. 

The spamrl.com operation is just an alternative face for spamexperts.com
and one of their inputs is feedback from customers, who can report
errors in their filtering to spamrl.com addresses for mitigation.