Topic: Thousands of Mail Delivery Failed in the span of a week.

Red Ninja
Bipolar (III) Inmate

From: Detroit, MI US
Insane since: Mar 2001

posted 08-16-2010 18:38

One of my clients on my server went over quota and couldn't get into their mail. The admin account had exceeded capacity. When I looked at the messages, they started on the 5th and ended on the 9th, and there were 45k+ messages that were all scam spam returned because of an invalid email.

Let me just say that I already performed due diligence by looking through the forum. I found a thread that said such messages were fake failures and probably contained a virus attachment. However, the messages on the account contained no attachment and were addressed to different recipients in every single "returned message".

They also weren't returned to "admin@clientsdomain.com". They were returned to "admin6@nameserverdomain.com" (When I transferred from an Ensim server to cPanel, the usernames for all the accounts defaulted as admin, but cPanel doesn't allow the same username and automatically numbered them instead). Maybe I'm wrong, but I take this as an indication that these messages were actually sent out from my server.

I trust the client. They make a lot of money selling various products and parts to schools and other institutions. They do not need anyone's bank account number due to their husband dying. I do not have open-relay on my mail server or open-proxy on my proxy server. I have domainkeys enabled. The outgoing server requires authentication.

I can't think of any other reason there would be spam being sent from the server except for the oscommerce contact form. Does anyone know how I can check for vulnerability?

[edit]Fixed run on sentence[/edit]

(Edited by Red Ninja on 08-16-2010 18:40)

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 08-16-2010 23:02

Well, an indirect and inconclusive test would be to see if your IP made it onto any blacklists - if it has indeed been spamming, it would have a high probability.

What mail server are you using? Does it keep detailed, or semi-detailed, logs?

Red Ninja
Bipolar (III) Inmate

From: Detroit, MI US
Insane since: Mar 2001

posted 08-17-2010 17:43

We were only blacklisted on Yahoo. Everything else I saw was clean.

We're using Courier. It seems to keep logs, but I'll be damned if I know how to interpret them. Not even sure if I'm looking at them right. For instance, I used the command line: grep domainname /var/log/exim_mainlog. This returned a lot of stuff that I don't quite understand, but none of it was for the week in question. I tried using sftp as root to directly download the exim_mainlog.2 that is for the week in question, but I can't open it. Not sure if that's because it's a 300 meg file or because it isn't text.

[edit]Nevermind. It took forever, but it actually opened. Still can't seem to figure anything out from it though.[/edit]

(Edited by Red Ninja on 08-17-2010 18:21)

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 08-18-2010 10:12

OK, I have no personal experience with Courier, but why are you looking in the Exim log files in the first place? That should be a completely different MTA...

So, how about grepping for the To address of one of the bounces? What does this output?

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-19-2010 02:56

cPanel uses Exim as an MTA, so he's looking at the right log files (and Courier-IMAP is used for IMAP/POP3 access, but is being replaced in cPanel by Dovecot nowadays). Anyway, back on topic, the easiest way to interpret Exim log files is to use the eximstats utility that comes with it. You can do that directly on your server by running it from the shell, or you can download the Exim source code, locate the eximstats script and run it on your local computer where you downloaded that big log file, and look at the output (eximstats is a Perl script, so you'll need to have Perl on your local computer). You should also be able to access eximstats-generated statistics from cPanel, by going to WHM -> Email -> View Mail Statistics.

And when you determine whether those e-mails originated from your server or not, you can take appropriate measures. In case they were not sent from your server, your client was probably a victim of a backscatter spam run (spam e-mails sent with his e-mail address as sender, so that broken spam scanners send rejections back to that address and overflow its mailbox). Bounce messages from such a spam run can be handled to a certain extent by using SpamAssassin with its VBounce plugin enabled, and also by denying access to the MTA using a few of the backscatter block lists (just make sure not to apply such an RBL to postmaster/abuse e-mail addresses, which should accept all e-mail).

On a side note, I much prefer Postfix over Exim, but I don't know if cPanel can use it (if I remember correctly, cPanel is set up for Exim only). Also, I would suggest you switch to Dovecot for IMAP/POP3 from Courier (Dovecot is supported by cPanel).
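One way to do the log check that both replies above describe (grep exim_mainlog for the bounce recipient, and tell inbound backscatter apart from mail the server itself injected), as an added Python example that is not from the thread or from cPanel/Exim. The log lines are constructed samples in exim_mainlog format, and admin6@nameserverdomain.com is the address named earlier in the thread.

```python
"""Separate inbound bounces from mail this server injected, from exim_mainlog lines.
Assumed Exim conventions: '<=' = arrival (sender '<>' = bounce), '=>' = delivery,
'P=local' + 'U=<user>' = injected by a local process, 'A=<auth>' = authenticated SMTP."""
import re
from collections import Counter

# Constructed sample in exim_mainlog format; not real data from the thread.
SAMPLE_LOG = """\
2010-08-05 09:12:01 1OgAaa-0001Ab-Cd <= admin6@nameserverdomain.com U=nobody P=local S=2210
2010-08-05 09:12:02 1OgAaa-0001Ab-Cd => victim1@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10]
2010-08-05 09:12:02 1OgAaa-0001Ab-Cd Completed
2010-08-05 09:13:40 1OgAbb-0001Ac-De <= <> H=mx.example.org [192.0.2.20] P=esmtp S=3120
2010-08-05 09:13:41 1OgAbb-0001Ac-De => admin6@nameserverdomain.com R=virtual_user T=virtual_userdelivery
2010-08-05 10:02:17 1OgAcc-0001Ad-Ef <= <> H=mail.example.com [198.51.100.5] P=esmtp S=2980
2010-08-05 10:02:17 1OgAcc-0001Ad-Ef => admin6@nameserverdomain.com R=virtual_user T=virtual_userdelivery
"""

LINE_RE = re.compile(r'^(\S+ \S+) (\S+) (<=|=>) (\S+)(.*)$')   # time, msgid, flag, address, rest
FIELD_RE = re.compile(r'\b([UPHA])=(\S+)')                      # U=user P=protocol H=host A=auth
def parse_mainlog(text):
    """Group log lines by Exim message id: envelope sender, arrival fields, recipients."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'Completed', deferrals etc. carry nothing we need here
        _ts, msgid, flag, addr, rest = m.groups()
        entry = msgs.setdefault(msgid, {'sender': None, 'fields': {}, 'recipients': []})
        if flag == '<=':
            entry['sender'] = addr
            entry['fields'] = dict(FIELD_RE.findall(rest))
        else:
            entry['recipients'].append(addr)
    return msgs

def analyse(text, address):
    """Count bounces delivered to `address` vs. messages this server injected as `address`."""
    address = address.lower()
    report = {'bounces_to': 0, 'sent_as': 0, 'local_users': Counter(), 'bounce_hosts': Counter()}
    for entry in parse_mainlog(text).values():
        sender = (entry['sender'] or '').lower()
        f = entry['fields']
        if sender == '<>' and address in (r.lower() for r in entry['recipients']):
            report['bounces_to'] += 1                      # backscatter or a genuine DSN arriving
            report['bounce_hosts'][f.get('H', '?')] += 1
        elif sender == address and (f.get('P') == 'local' or 'A' in f):
            report['sent_as'] += 1                         # the server really sent mail as this address
            report['local_users'][f.get('U') or f.get('A') or '?'] += 1
    return report
```

A non-zero `sent_as` with a web-server user under `local_users` points at a local script (such as a contact form) injecting mail, while `bounces_to` with `sent_as` at zero is the backscatter pattern the reply describes.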


aaagul45
Obsessive-Compulsive (I) Inmate

From:
Insane since: Dec 2014

posted 12-19-2014 07:15

I trust the client. They make a lot of money selling various products and parts to schools and other institutions. They do not need anyone's bank account number due to their husband dying. I do not have open-relay on my mail server or open-proxy on my proxy server. I have domainkeys enabled. The outgoing server requires authentication.???

GuL

rbronwen1
Obsessive-Compulsive (I) Inmate

From:
Insane since: Feb 2017

posted 02-14-2017 11:00

sdfdsfdsffaf


