Account overrun with spam
Account overrun with spam
Hi,
I have a new client who has a major spam problem - which has gone on for years with their domain.
Recently, they have switched to my server and are responsible for around 8000 detected spam messages per day.
The company is fairly small and I'd estimate only recieve around 100 genuine emails per day.
Since having them hosted on my server, my server's reputation from www.senderscore.org has dropped drastically - with a sharp increase of the volume of mail originating from it.
I've also been listed on a few private blacklists - which I can only attribute to this client's spam problem.
MagicSpam and Plesk's SpamAssassin are doing a great job of keeping the spam from getting into the accounts, but should I be worried about all of these emails coming in?
I'm presuming MagicSpam is sending a bounce message back to each of these spam emails - which has caused the increase in mail volume?
Thanks
I have a new client who has a major spam problem - which has gone on for years with their domain.
Recently, they have switched to my server and are responsible for around 8000 detected spam messages per day.
The company is fairly small and I'd estimate only recieve around 100 genuine emails per day.
Since having them hosted on my server, my server's reputation from www.senderscore.org has dropped drastically - with a sharp increase of the volume of mail originating from it.
I've also been listed on a few private blacklists - which I can only attribute to this client's spam problem.
MagicSpam and Plesk's SpamAssassin are doing a great job of keeping the spam from getting into the accounts, but should I be worried about all of these emails coming in?
I'm presuming MagicSpam is sending a bounce message back to each of these spam emails - which has caused the increase in mail volume?
Thanks
Re: Account overrun with spam
Hi there,
It's unclear why your server's reputation has dropped from the information provided. MagicSpam doesn't send bounce messages for messages identified as Spam so this would not explain your increase in mail volume.
What do IP reputation sites such as www.senderscore say about your server's IP? Can you anonymize the reports and post them here?
Also you might want to analyze your outgoing mail - it's possible your new client or one of your existing ones has compromised machines which are sending out Spam through your server.
It's unclear why your server's reputation has dropped from the information provided. MagicSpam doesn't send bounce messages for messages identified as Spam so this would not explain your increase in mail volume.
What do IP reputation sites such as www.senderscore say about your server's IP? Can you anonymize the reports and post them here?
Also you might want to analyze your outgoing mail - it's possible your new client or one of your existing ones has compromised machines which are sending out Spam through your server.
Re: Account overrun with spam
Thanks.
Sorry, I was under the impression that bounce messages were generated - as I've had other clients ask me to whitelist domains as the sender server has a known issue at the moment - the sender got a message to let them know their message was rejected by MagicSpam.
SenderScore.org says:
I'm using Plesk and have not found an easy way to analyze outgoing mail - I had thought about either a compromised machine, but don't know where to start looking!
Your advice is greatly appreciated.
Sorry, I was under the impression that bounce messages were generated - as I've had other clients ask me to whitelist domains as the sender server has a known issue at the moment - the sender got a message to let them know their message was rejected by MagicSpam.
SenderScore.org says:
I'm using Plesk and have not found an easy way to analyze outgoing mail - I had thought about either a compromised machine, but don't know where to start looking!
Your advice is greatly appreciated.
Re: Account overrun with spam
You're welcome glad we can help out.
RE your clients getting a message to let them know their message was rejected by MagicSpam: rejections are different to bounces. Rejections occur during the conversation between sending and receiving mail servers. The receiving mail server rejects the message giving a reason which the sending mail server then (hopefully) relays to the user via local delivery. A bounce is a whole new email sent by a receiving server if a message cannot be delivered.
RE your IP reputation score on SenderScore.org it's pretty clear it's getting dragged down by the number of emails going out from your system for which no address exists ("Unknown users" score of 52). From the Sender Score FAQ:
Unknown Users: This score represents the rank of the IP address's unknown user rate compared to all other IP addresses seen by the Sender Score Reputation Network. Unknown user rates are taken directly from incoming SMTP logs of participating ISPs, tracking how often an IP address attempts to send a message to an address which does not exist.
This is a strong indication that either someone is using your system to relay spam or possibly sending out to a legitimate mailing list that isn't very well maintained.
We recommend taking a look in your mail queues for sending patterns that look like someone is trying to guess email addresses. For example if you see an email with recipients:
adam001@example.com
adam002@example.com
adam003@example.com
.....
eve001@example.com
eve002@example.com
eve003@example.com
.....
info@example.com
abuse@example.com
sales@example.com
support@example.com
etc...
this is likely Spam. You can then look at the sending IP to determine who is sending the Spam and take action.
RE your clients getting a message to let them know their message was rejected by MagicSpam: rejections are different to bounces. Rejections occur during the conversation between sending and receiving mail servers. The receiving mail server rejects the message giving a reason which the sending mail server then (hopefully) relays to the user via local delivery. A bounce is a whole new email sent by a receiving server if a message cannot be delivered.
RE your IP reputation score on SenderScore.org it's pretty clear it's getting dragged down by the number of emails going out from your system for which no address exists ("Unknown users" score of 52). From the Sender Score FAQ:
Unknown Users: This score represents the rank of the IP address's unknown user rate compared to all other IP addresses seen by the Sender Score Reputation Network. Unknown user rates are taken directly from incoming SMTP logs of participating ISPs, tracking how often an IP address attempts to send a message to an address which does not exist.
This is a strong indication that either someone is using your system to relay spam or possibly sending out to a legitimate mailing list that isn't very well maintained.
We recommend taking a look in your mail queues for sending patterns that look like someone is trying to guess email addresses. For example if you see an email with recipients:
adam001@example.com
adam002@example.com
adam003@example.com
.....
eve001@example.com
eve002@example.com
eve003@example.com
.....
info@example.com
abuse@example.com
sales@example.com
support@example.com
etc...
this is likely Spam. You can then look at the sending IP to determine who is sending the Spam and take action.
Re: Account overrun with spam
Thanks for that - I've been onto the Plesk forum to figure out how to analyse mail logs when using the Postfix MTA, but not had any joy.
Anything I've used so far gets confused with the mail logs, counting MagicSpam's entries too.
I'd ideally want a way to list all outgoing messages only.
Seems like everything has been made for Qmail.
As for bounce/rejection - I get it now, thanks - at least I know the increase in volume recoreded by senderscore.org is due to actual mail and not bounces.
I've sat with TCPDUMP on port 25 and manaully had a look through about 100 emails - all seeming genuine.
A broader range of data is required though.
Thanks again
Anything I've used so far gets confused with the mail logs, counting MagicSpam's entries too.
I'd ideally want a way to list all outgoing messages only.
Seems like everything has been made for Qmail.
As for bounce/rejection - I get it now, thanks - at least I know the increase in volume recoreded by senderscore.org is due to actual mail and not bounces.
I've sat with TCPDUMP on port 25 and manaully had a look through about 100 emails - all seeming genuine.
A broader range of data is required though.
Thanks again
Re: Account overrun with spam
What Operating System is your mail system running on?
For Postfix the mailq command should diplay your queue. You can then use tools such as less or grep (available for Windows also) to assist in reading, searching and to filter the output.
For Postfix the mailq command should diplay your queue. You can then use tools such as less or grep (available for Windows also) to assist in reading, searching and to filter the output.
Re: Account overrun with spam
The server is CentOS 5.2 with most recent updates.
I've used "mailq", but there are only 4 emails stuck in there - ones which look genunine.
The mail queue info is also avilable in the Plesk panel.
That sort of output, but live, would be great.
Does such a command exist?
I've used "mailq", but there are only 4 emails stuck in there - ones which look genunine.
The mail queue info is also avilable in the Plesk panel.
That sort of output, but live, would be great.
Does such a command exist?
Re: Account overrun with spam
When you say "4 emails stuck in there" do you mean that everytime you run mailq you only see the same 4 emails? If so what date are they from and what are their statuses ?
Mailq should be dynamic - it should be a snapshot of all emails currently queued for delivery.
Mailq should be dynamic - it should be a snapshot of all emails currently queued for delivery.
Re: Account overrun with spam
Yes, sorry - It's a snapshot of the current mail queue.
At that time, there were four emails which were being attempted to be sent from genuine users with genuine looking subjects.
I can only assume they were in there for longer than the amount of times I checked due to a problem at the recieving server.
Mailq is dynamic, but in my instance, it only runs once for the queue at that instant.
If it could run such as "tail -f" to get a live streaming output of the queue - and output to file - that would allow me to analyse easier.
Thanks
At that time, there were four emails which were being attempted to be sent from genuine users with genuine looking subjects.
I can only assume they were in there for longer than the amount of times I checked due to a problem at the recieving server.
Mailq is dynamic, but in my instance, it only runs once for the queue at that instant.
If it could run such as "tail -f" to get a live streaming output of the queue - and output to file - that would allow me to analyse easier.
Thanks
Re: Account overrun with spam
Hello Chris,
The art of Postfix server administration and all of the tips / tricks available are in the main outside of the scope of these forums .. however.... Some great resources exist at both www.postfix.org and many others. One item we can suggest may be worth the time to look into would be the qshape utility. More information can be found at:
http://www.postfix.org/QSHAPE_README.html
The art of Postfix server administration and all of the tips / tricks available are in the main outside of the scope of these forums .. however.... Some great resources exist at both www.postfix.org and many others. One item we can suggest may be worth the time to look into would be the qshape utility. More information can be found at:
http://www.postfix.org/QSHAPE_README.html
Who is online
Users browsing this forum: No registered users and 23 guests