[qmailtoaster] Backscatter Block Listing

2012-02-13 Thread rvandresar
Can someone on the list please give me a little guidance?  Our mail server has 
been under attack today.  Our normal email load is between 30 and 50
thousand emails per day;  today we've processed close to 200 thousand.  If I'm 
reading the bounce messages right, it looks like one of our users' email
addresses is being forged, and backscatter is spewing from our server, causing us 
to be blacklisted repeatedly.

Can someone explain to me how to verify this theory, or determine if our server 
is actually sending all of this mail?  I recently implemented
Spamdyke, and it has been doing a great job.  Should I have our local domains 
in the blacklist-senders file?  What do I need to implement before I
do that?  Is there some info I can post to help determine the cause of this 
PITA?

Thanks in advance

Robert Van Dresar
Airplexus, Inc.
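A way to test the theory from the logs, as an added example that is not part of the original post or of the qmailtoaster project: qmail-send records every queued message with its envelope sender ("info msg N: ... from <...>") and every recipient with a "starting delivery" line tagged local or remote. A bounce generated by qmail has the empty envelope sender "<>", so null-sender deliveries going to remote addresses are the backscatter; counting remote deliveries per envelope sender at the same time shows whether the server really is originating the rest of the volume. The log excerpt below is constructed, the domains and addresses are hypothetical, the 10% threshold is a tuning assumption, and the path /var/log/qmail/send/current is an assumption about a stock QMT layout.

```python
import re
import sys
from collections import Counter

# qmail-send writes one "info msg" line per queued message (with its envelope
# sender) and one "starting delivery" line per recipient, tagged local/remote.
INFO_RE = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)>")
DELIVERY_RE = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) (\S+)")

# Constructed sample log (not a capture from the poster's server); the tai64n
# timestamps are shortened to "@4000000" for readability.
SAMPLE_LOG = """\
@4000000 new msg 100
@4000000 info msg 100: bytes 2211 from <> qp 501 uid 89
@4000000 starting delivery 1: msg 100 to remote victim1@example.net
@4000000 new msg 101
@4000000 info msg 101: bytes 2211 from <> qp 502 uid 89
@4000000 starting delivery 2: msg 101 to remote victim2@example.org
@4000000 new msg 102
@4000000 info msg 102: bytes 1890 from <alice@airplexus.example> qp 503 uid 89
@4000000 starting delivery 3: msg 102 to remote partner@example.com
@4000000 new msg 103
@4000000 info msg 103: bytes 2211 from <> qp 504 uid 89
@4000000 starting delivery 4: msg 103 to local postmaster@airplexus.example
@4000000 new msg 104
@4000000 info msg 104: bytes 40211 from <bob@airplexus.example> qp 505 uid 89
@4000000 starting delivery 5: msg 104 to remote a@example.net
@4000000 starting delivery 6: msg 104 to remote b@example.net
@4000000 starting delivery 7: msg 104 to remote c@example.net
"""


def analyze(log_text):
    """Summarise remote deliveries by envelope sender.

    A bounce generated by qmail carries the empty envelope sender "<>". A
    bounce going to a *remote* address is mail we send to someone who never
    contacted us: that is backscatter whenever the original sender was forged.
    """
    sender_of = {}              # msg id -> envelope sender
    per_sender = Counter()      # envelope sender -> remote deliveries
    bounce_domains = Counter()  # where the null-sender mail is going
    remote = 0
    for line in log_text.splitlines():
        m = INFO_RE.search(line)
        if m:
            sender_of[m.group(1)] = m.group(2) or "<>"
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        msg_id, where, rcpt = m.groups()
        if where != "remote":
            continue  # bounces to our own users are not backscatter
        sender = sender_of.get(msg_id, "?")
        remote += 1
        per_sender[sender] += 1
        if sender == "<>":
            bounce_domains[rcpt.rpartition("@")[2].lower()] += 1
    return {
        "remote_deliveries": remote,
        "backscatter_remote": per_sender["<>"],
        "per_sender": per_sender,
        "bounce_domains": bounce_domains,
    }


def backscatter_share(report):
    """Fraction of remote deliveries that are null-sender bounces."""
    if report["remote_deliveries"] == 0:
        return 0.0
    return report["backscatter_remote"] / report["remote_deliveries"]


def is_backscatter_storm(report, threshold=0.10):
    """Threshold is a tuning assumption: a healthy server sends few bounces."""
    return backscatter_share(report) > threshold


def top_senders(report, n=5):
    """Envelope senders with the most remote deliveries (compromised-account check)."""
    return report["per_sender"].most_common(n)


if __name__ == "__main__":
    # Assumed QMT path: python3 backscatter.py /var/log/qmail/send/current
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    r = analyze(text)
    print("remote deliveries:", r["remote_deliveries"])
    print("null-sender bounces to remote:", r["backscatter_remote"])
    print("backscatter share: %.0f%%" % (100 * backscatter_share(r)))
    print("storm:", is_backscatter_storm(r))
    print("top senders:", top_senders(r, 3))
    print("bounce targets:", r["bounce_domains"].most_common())
```

Two caveats when reading the output on a real server: qmail-send does not know which SMTP AUTH user submitted a message, so a compromised account shows up here only through the envelope sender it uses (the smtpd log has the authenticated name), and a large "<>" share with the bounces spread over many foreign domains is the signature of accepting mail for forged or non-existent local users and bouncing it afterwards, which is exactly what rejecting unknown recipients at SMTP time prevents.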


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.
 
  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




[qmailtoaster] (UNAUTHENTICATED SENDER) Still

2012-02-18 Thread rvandresar
I was looking at our logs today to make sure everything is kosher with our 
mailserver.  Since we've been blacklisted lately I really want to make
sure my configuration is OK.  I noticed that we are getting some 'remote 
emailaddr...@domain.com -> local localaddr...@localdomain.com
(UNAUTHENTICATED SENDER)' entries in the smtp log.

I looked on the wiki and did change SquirrelMail to authenticate, added our 
local domains to the spamdyke blacklist_senders file, commented out the
127. line in the tcp.smtp file, issued qmailctl cdb (and I also restarted 
qmail), yet I still see the entries in the log.

Can someone tell me where else I need to look to see what's going on?

Robert






Re: [qmailtoaster] Re: (UNAUTHENTICATED SENDER) Still

2012-02-18 Thread rvandresar
> On 02/18/2012 09:42 AM, rvandre...@airplexus.com wrote:
>>  I noticed that we are getting some 'remote emailaddr...@domain.com -> local 
>> localaddr...@localdomain.com
>> (UNAUTHENTICATED SENDER)' entries in the smtp log.
>>
>
> Don't fret, Robert. You've done well.
>
> These (UNAUTHENTICATED SENDER) messages are simply for emails being
> received from outside domains. When you see these messages destined to
> local domains, this is normal. Inter-domain messages from domains which
> are not local on your QMT do not (can not, really) authenticate. :)
>
> --
> -Eric 'shubes'
>
>

Thanks Eric that makes me feel a little better.

Since the "incident" I'm determined to give myself a crash course in Qmail 
mailserver administration.  I'm certainly not at the level you and most
others on the list are but I'm going to get better.  I'm determined not to have 
this happen again since we are still fighting the ridiculousness of
a "poor" rating at senderbase.org.  Since our server is pretty low volume, it 
could take a while for that to clear itself up.  Although, I could
always take the Cisco support rep's advice and contact all 206 (at last count) 
Ironport domains that are blocking our email and have them whitelist
us temporarily :)

Do you have any configurations in place to prevent this type of thing?  Such as 
limiting the rate/amount of email being sent from an account?  How
do you monitor your server to tell if something is even taking place?  I did 
look back at our Cacti graphs of the mailserver, and of course it's
obvious now and I'll monitor that more closely, however, I was just wondering 
if you use something in "real-time" to check on things?

Thanks, as always, for your help

Robert







Re: [qmailtoaster] Re: (UNAUTHENTICATED SENDER) Still

2012-02-18 Thread rvandresar
> On 02/18/2012 02:22 PM, rvandre...@airplexus.com wrote:
>> Thanks Eric that makes me feel a little better.
>>
>> Since the "incident" I'm determined to give myself a crash course in Qmail 
>> mailserver administration.  I'm certainly not at the level you and most
>> others on the list are but I'm going to get better.  I'm determined not to 
>> have this happen again since we are still fighting the ridiculousness
>> of
>> a "poor" rating at senderbase.org.  Since our server is pretty low volume, 
>> it could take a while for that to clear itself up.  Although, I could
>> always take the Cisco support rep's advice and contact all 206 (at last 
>> count) Ironport domains that are blocking our email and have them
>> whitelist
>> us temporarily :)
>>
>> Do you have any configurations is place to prevent this type of thing?  Such 
>> as limiting the rate/amount of email being sent from an account?  How
>> do you monitor your server to tell if something is even taking place?  I did 
>> look back at our Cacti graphs of the mailserver, and of course it's
>> obvious now and I'll monitor that more closely, however, I was just 
>> wondering if you use something in "real-time" to check on things?
>>
>> Thanks, as always, for your help
>>
>> Robert
>
> I guess I don't need to mention passwords being compromised. ;) Along
> those lines, be sure that your webmail is configured to always use
> https. These lines in /etc/httpd/conf/squirrelmail.conf help:
> RewriteEngine on
> RewriteCond %{SERVER_PORT} !^443$
> RewriteRule ^/(webmail.*)$ https://%{SERVER_NAME}/$1 [R=301,L]
> This should probably be in the stock configuration, although ssl needs
> to be configured properly as well.
>
> Likewise, all clients should be configured to use secure transports,
> like TLS. This is enforced in dovecot by default. There is no way to
> enforce this with smtp/submission yet, but a request has been made to
> add the feature to spamdyke. Hopefully that will be coming soon.
>
> If your QMT host shares a public address with other hosts, especially
> windoze machines, this can be a source of spam that doesn't originate
> from QMT. When QMT is not the sole host on a public IP address, a
> firewall should be in place (I use IPCop myself) which blocks all
> traffic destined to port 25 that does not originate from the QMT (or
> other mail server) host.
>
> SPF and DKIM can improve deliverability, but I don't think they help
> regarding blacklisting. You should set up SPF records for your domains
> though, as it's pretty simple. I'm not sure that DKIM is worth the
> effort at this point. The DK (which is different than DKIM)
> implementation in QMT is slightly broken, and I think it's best simply
> to disable that.
>
> Throttling outbound messages is a great feature, and I intend to create
> an enhancement ticket for this feature as soon as our new ticket system
> is available (I'd do it on the old system, but I'd only have to re-do it
> with the new system). I think this will be a great preventative measure.
>
> That's all that comes to mind regarding QMT. There might be more on the
> wiki - I'm not sure. If any of this isn't on the wiki, would someone
> care to add it? Thanks.
>
> I'm not familiar at all with Ironport. It might be a good idea to do a
> little investigation into how one goes about getting delisted from that.
> Also, check online blacklist checkers to see if you're still listed and
> where, and contact those resources individually.
>
> --
> -Eric 'shubes'
>
>

Eric,

That's a ton of great information, especially the https in SquirrelMail.  I do 
have SPF records in place for all of our domains, I guess it "helps",
it was easy enough to do.  I'm not using dovecot, is that something I should 
consider?

Just FYI, Ironport is a filtering device developed by a company called 
Ironport.  They use a proprietary algorithm to calculate your mail server's
"reputation".  That company purchased Spamcop.  Cisco then purchased Ironport.  
There is no removal process AT ALL.  They barely acknowledge emails
to the support address unless you psycho email them.

Then you receive a "canned" response saying that your mailserver's volume 
determines how quickly your reputation returns to "normal" and there is
really no "manual intervention".  A low volume mailserver can take a week or 
more to recover to a neutral rating which is one step above "dirt". 
Meanwhile everyone with an Ironport mail filter is looking at this "reputation" 
score and, basically, blocks email from anyone with a "poor"
reputation.  You can look at your server's reputation at www.senderbase.org.  
There you will see all of the statistics compiled regarding your
server's IP address: volume, rDNS blocklist listings, and, most importantly, 
your SBRS rating, over which you have no control.

I know McAfee has a reputation score, and I think Trendmicro as well.

All is a day's work for an email administrator.  If we weren't having fun doing 
this, what else would we be doing, right?
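The reply above recommends publishing SPF and the original poster says his domains already have records. What matters for forged-sender abuse is what the record actually authorises and how it ends, so here is an added example (not code from the thread, from qmailtoaster or from spamdyke) that evaluates an SPF record for a connecting address the way a receiver does, using ip4, ip6, include and all with the RFC 7208 qualifiers and the 10-lookup limit, and lints the record from the sender's side. DNS is replaced by a constructed dictionary of hypothetical records; mechanisms that need live DNS (a, mx, ptr, exists, redirect=) are deliberately reported as permerror rather than silently skipped.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms

# Constructed zone data standing in for DNS TXT lookups. Hypothetical domains
# and addresses; "lax.example" shows the common "~all" mistake and
# "loop.example" an include that refers to itself.
ZONE = {
    "airplexus.example": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 "
                         "include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all",
    "lax.example": "v=spf1 ip4:203.0.113.10 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def check_host(ip, domain, zone=ZONE, _budget=None):
    """Evaluate the SPF record of `domain` for connecting address `ip`.

    Returns (result, matched_term). Results follow RFC 7208: pass, fail,
    softfail, neutral, none, permerror.
    """
    if _budget is None:
        _budget = [MAX_DNS_TERMS]
    record = zone.get(domain)
    if record is None:
        return ("none", None)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return (QUALIFIERS[qual], "all")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return ("permerror", term)  # malformed address or prefix
            if addr.version == net.version and addr in net:
                return (QUALIFIERS[qual], term)
            continue
        if name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return ("permerror", "too many DNS lookups")
            sub, _ = check_host(ip, arg, zone, _budget)
            if sub == "pass":
                return (QUALIFIERS[qual], term)
            if sub in ("none", "permerror", "temperror"):
                return ("permerror", term)  # RFC 7208 section 5.2
            continue  # fail/softfail/neutral inside an include is just "no match"
        return ("permerror", term)  # a, mx, ptr, exists, redirect=: not supported offline
    return ("neutral", None)  # ran off the end without an "all"


def lint_record(record):
    """Warnings a sender-side admin wants before publishing the record."""
    warnings = []
    terms = record.split()
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        warnings.append("+all authorises the whole internet to use your domain")
    elif last in ("~all", "?all"):
        warnings.append("%s lets receivers accept forged mail; use -all once "
                        "every legitimate relay is listed" % last)
    elif last != "-all":
        warnings.append("record does not end in an 'all' mechanism; result is neutral")
    return warnings


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "airplexus.example"),
                    ("198.51.100.77", "airplexus.example"),
                    ("192.0.2.5", "airplexus.example"),
                    ("192.0.2.5", "lax.example"),
                    ("192.0.2.5", "loop.example")]:
        print(ip, dom, "->", check_host(ip, dom))
    for dom, rec in ZONE.items():
        print(dom, lint_record(rec))
```

The sender-side point: a receiver can only refuse a forged message before accepting it (and therefore before generating a bounce back to the forged address) if the record ends in -all and every outbound relay, including any spare relay mentioned later in this thread, is listed. A ~all record produces softfail, which most receivers treat as "accept and score", so it does nothing to stop the forgeries that turn into backscatter.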

Re: [qmailtoaster] Re: (UNAUTHENTICATED SENDER) Still

2012-02-19 Thread rvandresar
> On 02/18/2012 07:11 PM, rvandre...@airplexus.com wrote:
>>   I'm not using dovecot, is that something I should consider?
>
> I would. Not only does it allow you to enforce encrypted passwords, but
> it is much more efficient with IMAP, especially large mailboxes. If
> you're not doing IMAP, there's not much difference though. But who's not
> using IMAP these days? It's the cat's meow. ;) Dovecot will be the stock
> QMT MUA at some point, but I'd hate to give a timeframe. Converting to
> dovecot is pretty easy. See the wiki for details.
>
>> Just FYI, Ironport is a filtering device developed by a company called 
>> Ironport.  They use a proprietary algorithm to calculate your mail server's
>> "reputation".  That company purchased Spamcop.  Cisco then purchased 
>> Ironport.  There is no removal process AT ALL.  They barely acknowledge
>> emails
>> to the support address unless you psycho email them.
>  >
>> Then you receive a "canned" response saying that your mailserver's volume 
>> determines how quickly your reputation returns to "normal" and there is
>> really no "manual intervention".  A low volume mailserver can take a week or 
>> more to recover to a neutral rating which is one step above "dirt".
>> Meanwhile everyone with an Ironport mail filter is looking at this 
>> "reputation" score and, basically, blocks email from anyone with a "poor"
>> reputation.  You can look at your server's reputation at www.senderbase.org.  
>> There you will see all of the statistics compiled regarding your
>> server's IP address: volume, rDNS blocklist listings, and, most importantly, 
>> your SBRS rating, over which you have no control.
>
> Interesting info. FWIW, I see in my logs that spamcop is still rejecting
> quite a few messages. I hope they're not FPs. I only use spamcop and
> zen.spamhaus at this point.
>
> If you have a spare IP address available, it might be wise to have a
> spare QMT relay server sitting there for relaying. Simple to route
> outbound email there via smtproutes file (see wiki). If you have a VM
> host, this should be pretty trivial to set up.
>
>> I know McAfee has a reputation score, and I think Trendmicro as well.
>
> The one I despise is Barracuda. I've seen a couple of these that were
> (mis)configured to check the originator's IP address (not the sending
> server's address), which is totally insane.
>
>> All is a day's work for an email administrator.  If we weren't having fun 
>> doing this, what else would we be doing, right?
>
> Perhaps. I figure email's important and not going anywhere soon, so it's
> worthwhile.
>
>> QMT has been great for me.  Let me know how I can help, I feel I need to 
>> contribute in some way.
>
> Hop on over to the devel list. We'll be ramping up some exciting
> developments very soon. There will be plenty to do so I expect everyone
> can do something to contribute, from writing wiki content, to testing,
> to answering emails. And if you care to do some php/web development,
> your talents will be cherished. :)
>
> Thanks to everyone for their participation. This is entirely a community
> project at this point, and without your participation, there is no project.
>
> --
> -Eric 'shubes'
>
>

Eric,

A bit off topic, but I sent an email to the spamdyke list, got a response from 
Sam, and when I replied I got a bounce saying my domain was blocked. 
Do you know what lists he uses so I can chase that down?

Robert
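The question of which lists are rejecting a domain, together with the reply's mention of spamcop and zen.spamhaus, is something an admin can answer for his own outbound address directly. The following is an added example, not code from the thread, from qmailtoaster or from spamdyke: it builds the reversed-octet query name for each DNSBL zone, distinguishes "not listed" (NXDOMAIN) from a listing, and first checks each zone against the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must not be) so that a dead or wildcarded list, which can appear to list the entire internet, is reported as unusable instead of as a hit. The resolver is pluggable; the built-in fake answers are constructed, the "dead.dnsbl.example" zone is hypothetical, and the ZEN return-code meanings are an assumption taken from Spamhaus's public documentation that should be re-checked against the current list.

```python
import socket

# Assumed ZEN return codes (Spamhaus documentation; re-check before relying on them).
ZEN_CODES = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised host)",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP maintained dynamic space)",
    "127.0.0.11": "PBL (Spamhaus maintained dynamic space)",
}


def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 10.113.0.203.zen.spamhaus.org."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 address expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A records for `name`, or [] when the name does not exist (NXDOMAIN)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # socket.gaierror / socket.herror
        return []


def zone_is_sane(zone, resolve):
    """RFC 5782 section 5 test entries: 127.0.0.2 listed, 127.0.0.1 not listed."""
    return (bool(resolve(dnsbl_name("127.0.0.2", zone)))
            and not resolve(dnsbl_name("127.0.0.1", zone)))


def check_ip(ip, zones, resolve=system_resolver):
    """Map zone -> ('listed', codes) | ('clean', []) | ('unusable', [])."""
    results = {}
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            results[zone] = ("unusable", [])
            continue
        answers = resolve(dnsbl_name(ip, zone))
        results[zone] = ("listed", sorted(answers)) if answers else ("clean", [])
    return results


def describe_zen(code):
    """Human-readable meaning of a ZEN answer; 127.0.0.4-7 are the XBL range."""
    if code in ZEN_CODES:
        return ZEN_CODES[code]
    last = code.rsplit(".", 1)[-1]
    if last.isdigit() and 4 <= int(last) <= 7:
        return "XBL (exploited host / open proxy)"
    return "unknown return code " + code


# Constructed answers so the example runs offline. 203.0.113.10 is a
# documentation address; "dead.dnsbl.example" models a broken list that
# answers for the 127.0.0.1 test point and must therefore be ignored.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.dead.dnsbl.example": ["127.0.0.2"],
    "1.0.0.127.dead.dnsbl.example": ["127.0.0.2"],
    "10.113.0.203.zen.spamhaus.org": ["127.0.0.11"],
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    zones = ["zen.spamhaus.org", "bl.spamcop.net", "dead.dnsbl.example"]
    # Swap fake_resolver for system_resolver to query the real lists.
    for zone, (state, codes) in check_ip("203.0.113.10", zones, fake_resolver).items():
        extra = ", ".join(describe_zen(c) for c in codes) if zone.startswith("zen.") else ""
        print("%-20s %-9s %s %s" % (zone, state, codes, extra))
```

A listing on the PBL range means the address is in space the ISP has declared dynamic or end-user; that is fixed by rDNS and a static assignment, not by a removal request, which is also why a spare relay on a second address (as the reply suggests) only helps if that address is itself clean and properly reverse-mapped.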



