  1. #1

    Big spam email problem

    I'm a novice at all of this so please be gentle.

    My host is in the process of looking at this, but I want to get other opinions/advice.

    I have 15 domains on a VPS. I am the only user (no clients). There is only one physical email account being used, on one of the domains. All other domains have aliases that forward to this one account.

    I also have some scripts that send out confirmation emails via sendmail.

    No mailing lists.

    I had a problem this morning with the VPS basically falling over, and it looks like it is getting choked with email (mail relay?). The volume of inbound and outbound mail is just horrendous.

    If you add the legitimate emails that I send and the script-based emails, that amount would be under 300 messages per day.

    Not sure how to go about fixing this.

    Statistics (some things redacted for privacy):

    Exim statistics from 2005-11-27 05:03:51 to 2005-11-29 18:32:48

    Grand total summary
    -------------------
                                                At least one address
    TOTAL       Volume  Messages  Hosts   Delayed      Failed
    Received      87MB     17770   6461   47   0.3%    6   0.0%
    Delivered    345MB     56714     30

    Deliveries by transport
    -----------------------
                                 Volume  Messages
    :blackhole:                   333MB     55225
    remote_smtp                  1650KB        56
    virtual_sa_userdelivery      4520KB       716
    virtual_userdelivery         2073KB       270
    virtual_userdelivery_spam    4300KB       447

    Messages received per hour (each dot is 39 messages)
    ----------------------------------------------------

    00-01 407 ..........
    01-02 637 ................
    02-03 1229 ...............................
    03-04 494 ............
    04-05 445 ...........
    05-06 477 ............
    06-07 677 .................
    07-08 717 ..................
    08-09 666 .................
    09-10 578 ..............
    10-11 793 ....................
    11-12 382 .........
    12-13 570 ..............
    13-14 1238 ...............................
    14-15 1345 ..................................
    15-16 1454 .....................................
    16-17 1945 .................................................
    17-18 601 ...............
    18-19 669 .................
    19-20 501 ............
    20-21 447 ...........
    21-22 617 ...............
    22-23 440 ...........
    23-24 441 ...........

    Deliveries per hour (each dot is 89 deliveries)
    -----------------------------------------------

    00-01 1404 ...............
    01-02 1930 .....................
    02-03 2282 .........................
    03-04 2170 ........................
    04-05 1522 .................
    05-06 1684 ..................
    06-07 1922 .....................
    07-08 2890 ................................
    08-09 2671 ..............................
    09-10 2172 ........................
    10-11 2669 .............................
    11-12 1661 ..................
    12-13 2272 .........................
    13-14 2911 ................................
    14-15 3498 .......................................
    15-16 4000 ............................................
    16-17 4450 ..................................................
    17-18 2268 .........................
    18-19 2938 .................................
    19-20 1935 .....................
    20-21 1724 ...................
    21-22 2092 .......................
    22-23 1928 .....................
    23-24 1721 ...................

    Time spent on the queue: all messages
    -------------------------------------

    Under 1m 16488 92.8% 92.8%
    5m 146 0.8% 93.7%
    15m 31 0.2% 93.8%
    30m 44 0.2% 94.1%
    1h 998 5.6% 99.7%
    3h 8 0.0% 99.8%
    6h 42 0.2% 100.0%
    1d 1 0.0% 100.0%

    Time spent on the queue: messages with at least one remote delivery
    -------------------------------------------------------------------

    Under 1m 42 75.0% 75.0%
    5m 11 19.6% 94.6%
    3h 2 3.6% 98.2%
    1d 1 1.8% 100.0%

    No relayed messages
    -------------------

    Top 50 sending hosts by message count
    -------------------------------------


    Top 50 sending hosts by volume
    ------------------------------



    Top 50 host destinations by message count
    -----------------------------------------


    Top 50 host destinations by volume
    ----------------------------------


    Top 50 local destinations by message count
    ------------------------------------------

    55225 333MB :blackhole:
    1433 11MB *****

    Top 50 local destinations by volume
    -----------------------------------

    55225 333MB :blackhole:
    1433 11MB *****

  2. #2
    Join Date
    Jan 2004
    Posts
    445
    Try changing your default addresses to :fail.

    http://www.configserver.com/free/fail.html

  3. #3
    It looks like TOTAL SPAM to me. Open one of the bounced mails and look at the contents. Is the content somehow related to any one of the a/c that you have on your VPS?
    Chris

  4. #4
    99% of it appears to be randomly generated account names that don't exist.

  5. #5
    I'm not concerned about the a/c names. Instead look at the msg body. Are they the same in all the mails?
    Chris

  6. #6
    Well, I've got all the :blackhole: settings changed to :fail:

    My host has set up SPF records for my domains.

    Beyond that they're at a bit of a loss, although they're still researching the problem.

    The amount of incoming/outgoing mail (I'm still not quite sure how to read those statistics as to whether it's all incoming, or if somehow my domains are being used to relay mail) is still causing heavy loads on the VPS.

    They're asking if they can edit the MX records for my domains. I'm not sure exactly what that does:

    "The easiest thing to do would be to change MX records for these domains, because when someone tries to send an email to a domain the first thing that is done is a MX record lookup so that the sending mail server knows where to attempt a port 25 connection to. By changing the MX record these lookups should fail and no mail will be sent to the domain. Would you like us to do that? Also, for which domains would you want to set this?"

    My concern is that for the majority of my domains I *do* have a valid contact email address ([email protected] or webmaster@blahblah.com, etc.) which are not physical accounts but rather forwarders to the single physical account I actually use. My interpretation of the above is that what they are wanting to do would kill even those forwarders.

    Not sure what to do or request.

    This is way out of my league from a comprehension/experience standpoint.
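    As an added example (not from anyone in this thread), here is a small Python parser for `eximstats` output of the kind posted above. It reads the "Deliveries by transport" and "Messages received per hour" sections and reports whether the load is inbound mail being swallowed by a :blackhole: catch-all or outbound traffic that would point at relaying or a compromised script. The sample report is constructed from the figures in the original post, and the 90% / 1% thresholds are assumptions.

```python
import re
# Constructed sample in eximstats format; figures copied from the report posted above (two hourly rows kept).
SAMPLE_REPORT = """\
Deliveries by transport
-----------------------
Volume Messages
:blackhole: 333MB 55225
remote_smtp 1650KB 56
virtual_sa_userdelivery 4520KB 716
virtual_userdelivery 2073KB 270
virtual_userdelivery_spam 4300KB 447

Messages received per hour (each dot is 39 messages)
----------------------------------------------------

02-03 1229 ...............................
16-17 1945 .................................................
"""

def section(report: str, title: str) -> str:
    """Body of the eximstats section whose heading starts with `title`."""
    pattern = rf"^{re.escape(title)}[^\n]*\n-+\n\n?(.*?)(?:\n\n|\Z)"
    match = re.search(pattern, report, re.M | re.S)
    return match.group(1) if match else ""

def deliveries_by_transport(report: str) -> dict:
    """Map transport name -> delivered message count."""
    rows = {}
    for line in section(report, "Deliveries by transport").splitlines():
        parts = line.split()  # name, volume, messages
        if len(parts) == 3 and parts[2].isdigit():
            rows[parts[0]] = int(parts[2])
    return rows

def received_per_hour(report: str) -> dict:
    """Map 'HH-HH' bucket -> messages received (the dot bar is ignored)."""
    hours = {}
    for line in section(report, "Messages received per hour").splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            hours[parts[0]] = int(parts[1])
    return hours

def diagnose(report: str) -> dict:
    """Classify the load; the 90% / 1% thresholds are assumptions."""
    transports = deliveries_by_transport(report)
    total = sum(transports.values()) or 1
    blackhole = transports.get(":blackhole:", 0) / total
    remote = transports.get("remote_smtp", 0) / total
    hours = received_per_hour(report)
    catch_all = blackhole > 0.9 and remote < 0.01
    verdict = "catch-all :blackhole: absorbing inbound junk" if catch_all else "outbound or mixed: inspect the queue"
    return {"blackhole_share": blackhole, "remote_share": remote,
            "peak_hour": max(hours, key=hours.get) if hours else None, "verdict": verdict}
```

    On the posted figures this reports about 97% of deliveries going to :blackhole: and under 0.1% leaving via remote_smtp, which is inbound junk, not relaying.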

  7. #7
    Join Date
    Jan 2004
    Posts
    445
    Have you seen any change in the Exim stats?

    Are you running a control panel?

  8. #8
    As you say you only have 15 domains on the server, I would implement an exim filter. Just edit /etc/exim.conf and add the following lines:

    # Exim filter
    if $return_path does not contain "yourdomain.com"
    then
    seen finish
    endif
    if $return_path does not contain "yourdomain2.com"
    then
    seen finish
    endif
    if $return_path does not contain "yourdomain3.com"
    then
    seen finish
    endif
    etc...
    etc...
    etc...

    Make sure to put your domain names instead of yourdomain.com, but keep the " characters before and after the domains. You must have the line # Exim filter included before the filter rules and you should restart exim afterwards.

    That should discard any mail that has not been sent from domains hosted by you.
    MP Hosting
    http://mphosting.net

  9. #9
    Quote Originally Posted by sawbuck
    Have you seen any change in the Exim stats?

    Are you running a control panel?
    Cpanel/WHM, although I'm admittedly a novice with both.

    Not sure what you mean by "change in the Exim stats". Since when and what am I looking for?

    Thanks.

  10. #10
    Quote Originally Posted by mpoulsen
    As you say you only have 15 domains on the server, I would implement an exim filter. Just edit /etc/exim.conf and add the following lines:

    # Exim filter
    if $return_path does not contain "yourdomain.com"
    then
    seen finish
    endif
    if $return_path does not contain "yourdomain2.com"
    then
    seen finish
    endif
    if $return_path does not contain "yourdomain3.com"
    then
    seen finish
    endif
    etc...
    etc...
    etc...

    Make sure to put your domain names instead of yourdomain.com, but keep the " characters before and after the domains. You must have the line # Exim filter included before the filter rules and you should restart exim afterwards.

    That should discard any mail that has not been sent from domains hosted by you.
    This one confuses me big time. Wouldn't this kill any and all mail coming from outside my domains to legitimate email addresses/aliases? Or are you referring to outgoing mail?

  11. #11
    Join Date
    Jan 2004
    Posts
    445
    Quote Originally Posted by dharding
    Not sure what you mean by "change in the Exim stats". Since when and what am I looking for?
    Thanks.
    Just that you had originally posted exim stats output and wondering if you were seeing an improvement.

  12. #12
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    Quote Originally Posted by dharding
    Well, I've got all the :blackhole: settings changed to :fail:
    The most important thing one can do!

    They're asking if they can edit the MX records for my domains. I'm not sure exactly what that does:
    Just say NO!


    Not sure what to do or request.
    Request nothing and do this part yourself:

    Server Configuration > Tweak Settings > The maximum each domain can send out per hour (0 is unlimited): 50

    By setting the number of mailouts per hour to 50, you will do two things:
    - shorten greatly how much Spam can be sent from your VPS, from a hacked script
    - give you, or someone else, time to view Spam sitting in the queue -- it will have the account ID of the hacked script they are using so it can be found & fixed
    (note: you should also be checking 'Mail Queue Manager' at least once a day, to check up on how much eMail is there)


    The other thing you can do is install this Dictionary prevention script:
    http://www.configserver.com/free/eximdeny.html

    Follow the instructions as stated on the Web page and you should have no problem.

    Oh, and for heaven's sake turn off or disable SpamAssassin for the whole Server. It sucks up Server resources and is just not as effective as the methods already discussed.
    Last edited by Website Rob; 12-01-2005 at 04:44 PM.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  13. #13
    Thanks Rob, I appreciate the assistance.

    After yet another episode this afternoon, it appears that the problem is not outgoing mail, but rather incoming mail. In particular, one of my domains appears to be on someone's sh*t list. The amount of incoming spam to that one domain (and it's from multiple IPs) constitutes the majority of the spam involved.

  14. #14
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    try some rbls
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  15. #15
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    dharding, you're welcome for the help and it would seem the root of some problems is now being found.

    From what you describe, the account is being 'Mail Bombed' and that can be pretty deadly. The only defence I know of is to remove the eMail addresses being bombed, or Suspend the account -- pretty drastic but an excellent Temporary solution.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available
