The Community Forums

Interact with an entire community of cPanel & WHM users!

Outrageous amounts of spam for one user

Discussion in 'E-mail Discussions' started by shw, May 7, 2007.

  1. shw

    shw Active Member

    Joined:
    Oct 24, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    One of my servers has only about 20 email addresses in 5 different domains. I would normally receive about 150-300 emails a day including all spam messages. I paid for the service from Chirpy (which has been running great). Recently we added another client with only one domain and two total email addresses within. This one user has caused our 150-300 total emails a day to hit 1200-2000!! She is receiving approximately 2-3 spam messages a minute. I have been doing this stuff for years and this seems so excessive that it seems like something else is wrong. Granted MailScanner is catching almost all of this spam (if not all), but it is causing resource utilization to skyrocket! To be honest there are probably about 10 domains which you see coming up as the sending domain even if it's not truly being sent by such domain...just found that to be an odd point.

    Does anyone have any last opinions before I talk this person into changing her address (which has already been said to be an issue)?

    Thanks!
     
  2. abubin

    abubin Well-Known Member

    Joined:
    Dec 7, 2004
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    What's the content of these spam messages? Do they share some common pattern? What is the SpamAssassin score, as scanned by MailScanner, for these emails? I assume less than 5 if it's going through MailScanner.

    Did you install DCC, Razor and sa-update? Did you enable Bayes? These are the necessary add-ons to SpamAssassin to detect more spam.

    Also, did you install chirpy's dictionary attack script?
     
  3. shw

    shw Active Member

    Joined:
    Oct 24, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the response, but you may have missed the part where I said that MailScanner was blocking most if not all of this spam, so I do have everything in place. I did install the dictionary attack code as well. It's doing an unbelievable job in stopping these spams, but going from 200-250 emails a day to almost 2000 just because of one person is insane, which leads me to believe that something else is wrong, whether it's on Exim/MailScanner or just her domain name. Her email address is very basic, which is not helping matters. It's just her firstname@domain.com and it's a very easy name to guess, but I figured the dictionary attack code would alleviate this.

    Oh and the content is almost all regarding medications. Example subject lines below...which were all received within the last minute.

    Start saving on your prescriptions today
    How much do you spend a year on your medication?
    We offer the same medication that Osco does only cheaper!

    Thanks again.
     
  4. nisse

    nisse Well-Known Member

    Joined:
    Nov 11, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Are you doing any RBL lookups in Exim? If not, adding some should eliminate a lot of the spam before it reaches MailScanner.
     
  5. shw

    shw Active Member

    Joined:
    Oct 24, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Yes, actually here is some code from the exim conf. One thing I didn't do until now was delete the spam list from the MailScanner config, which apparently means that Exim was not actually doing the RBL but MailScanner was. Not sure how that works, since I thought the email would hit Exim first, then MailScanner. If that was the case and the code below has been there, wouldn't Exim still be doing the RBL? FYI - I just added SORBS...

    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :

      # Hosts already recorded by the dictionary-attack script are dropped
      # outright, unless they are whitelisted, relay hosts, or authenticated.
      drop    hosts          = /etc/exim_deny
              !hosts         = /etc/exim_deny_whitelist
              !hosts         = +relay_hosts
              !authenticated = *
              message        = Connection denied after dictionary attack
              log_message    = Connection denied from $sender_host_address after dictionary attack

      # More than three unknown recipients in one session: record the host
      # via exim_deny.pl and drop the connection.  Conditions are evaluated
      # in order, so the whitelist/relay/auth checks come first and the
      # script only runs once the session really looks like an attack.
      drop    !hosts         = /etc/exim_deny_whitelist
              !hosts         = +relay_hosts
              !authenticated = *
              !verify        = recipient
              condition      = ${if >{$rcpt_fail_count}{3}{yes}{no}}
              condition      = ${run{/etc/exim_deny.pl $sender_host_address}{yes}{no}}
              message        = Appears to be a dictionary attack
              log_message    = Dictionary attack (after $rcpt_fail_count failures)

      #**#
      #**# RBL List Begin
      #**#
      # Always accept mail to postmaster & abuse for any local domain
      accept  domains     = +local_domains
              local_parts = postmaster : abuse

      # Check sending hosts against DNS black lists.
      # Relayed, authenticated and locally generated mail is not checked;
      # the bypass lists are tested before dnslists so no DNS query is made
      # for hosts or domains that would be accepted anyway.
      deny    !hosts         = +relay_hosts
              !authenticated = *
              # RBL Bypass Local Domain List
              !domains       = +rbl_bypass
              # RBL Whitelist incoming hosts
              !hosts         = +rbl_whitelist
              dnslists       = dnsbl.sorbs.net : dnsbl.njabl.org : bl.spamcop.net : \
                               sbl-xbl.spamhaus.org : list.dsbl.org : \
                               cbl.abuseat.org : relays.ordb.org
              message        = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text
      #**#
      #**# RBL List End
      #**#
     
  6. nisse

    nisse Well-Known Member

    Joined:
    Nov 11, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Yes, Exim sees the mail before MS does, so it would have been doing those lookups. Seems odd that so many are getting through. Could you give a few examples of the IPs that this stuff is coming from?
     
  7. shw

    shw Active Member

    Joined:
    Oct 24, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Sure, but some are outside of the US and some aren't. Many are, but I have clients on this server who do some international business, so I can't block international IPs.

    Received: from 190-82-145-17.adsl.cust.tie.cl
    Received: from [60.14.237.44]
    Received: from [217.174.20.114]
    Received: from [67.14.242.214]
    Received: from host-90-188-132-55.pppoe.omsknet.ru

    Any help?
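To see what the `dnslists` line in the posted ACL actually does for addresses like the ones listed above, here is the lookup done by hand. This is an added example, not code from the thread or from Exim: it builds the reversed-octet query name for each zone in the ACL, treats NXDOMAIN as "not listed", and refuses to trust any answer outside 127.0.0.0/8, because a retired or parked zone can answer anything. The answer table is constructed so the module runs offline; 127.0.0.2 is used because most DNSBLs list it by convention as a test address, and any of the addresses from the post can be passed to `check_ip` instead (that needs DNS).

```python
"""DNSBL lookups done by hand, mirroring Exim's `dnslists` condition.

Added example for this thread, not code from the original post.  The zone
names are the ones in the posted ACL; SAMPLE_ANSWERS is a constructed table
so the module runs offline.
"""
import ipaddress
import socket
import warnings
from typing import Callable, Dict, Optional

# Zones from the posted ACL.  Several were retired after 2007 (list.dsbl.org,
# relays.ordb.org, dnsbl.njabl.org); a dead zone either answers nothing or,
# as relays.ordb.org did for a while after shutting down, answers "listed"
# for every query, which is why answers are sanity-checked below.
ZONES = [
    "dnsbl.sorbs.net", "dnsbl.njabl.org", "bl.spamcop.net",
    "sbl-xbl.spamhaus.org", "list.dsbl.org", "cbl.abuseat.org",
    "relays.ordb.org",
]

# name -> dotted-quad answer; raises socket.gaierror when there is no record
Resolver = Callable[[str], str]


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 DNSBL queries are handled here")
    return ".".join(reversed(ip.split("."))) + "." + zone


def query_zone(ip: str, zone: str,
               resolve: Resolver = socket.gethostbyname) -> Optional[str]:
    """Return the answer address (e.g. '127.0.0.2') or None when not listed.

    By convention a DNSBL answers inside 127.0.0.0/8.  Anything else means
    the zone is broken or its domain has been parked with a wildcard record,
    and a mail server must not reject on that basis.
    """
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        raise RuntimeError(f"{zone} answered {answer}: not a DNSBL result")
    return answer


def check_ip(ip: str, zones=ZONES,
             resolve: Resolver = socket.gethostbyname) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists `ip`.

    Broken zones are skipped with a warning.  Exim denies on the first hit,
    so a non-empty result is exactly what makes the posted ACL reject.
    """
    hits: Dict[str, str] = {}
    for zone in zones:
        try:
            answer = query_zone(ip, zone, resolve)
        except RuntimeError as err:
            warnings.warn(str(err))
            continue
        if answer is not None:
            hits[zone] = answer
    return hits


def make_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for socket.gethostbyname backed by a constructed table."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(f"no record for {name}")
    return resolve


# Constructed answers: the test address listed by two live zones, plus a
# bogus non-127/8 answer from a retired zone that must be ignored.
SAMPLE_ANSWERS = {
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "2.0.0.127.sbl-xbl.spamhaus.org": "127.0.0.4",
    "2.0.0.127.relays.ordb.org": "198.51.100.1",
}

if __name__ == "__main__":
    print("offline:", check_ip("127.0.0.2", resolve=make_resolver(SAMPLE_ANSWERS)))
    # Live lookup; needs DNS and returns {} when nothing lists the address.
    print("live:", check_ip("127.0.0.2"))
```

The sanity check on the answer is the part worth keeping even if the zone list changes: an ACL that rejects on any A record at all will start bouncing everything the day one of its zones is abandoned and its domain gets a wildcard.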
     
  8. shw

    shw Active Member

    Joined:
    Oct 24, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Heh Heh... Just looked at a Mailscanner report and this person has received almost 7000 emails in one (which is the first) week. Tell me this isn't way out of proportion for normal or even bad spam recipients. There has to be something that can be done outside of changing her addy.
     
  9. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    It's not anything you did wrong, trust me. Spammers _know_ that it's a valid email and they will hammer it with everything they've got. Expect it to get worse before it gets better, sadly. So long as you have the RBLs and strong SA rules in place, it will do a lot to alleviate the problem.

    Chirpy's dictionary attack script is only for those IPs connecting many times over in just a few minutes. These I'm sure are coming from a botnet, so blocking them via IP would be a complete waste of your time, since the IPs will be different every time.

    Is the amount of spam affecting the box's ability to function?

    Added: I have a company hosted on a box we manage that gets about 2-3k per day. We have a special SA ruleset all his own that blocks most of them. We theorize they are from a competitor in his field trying to harm his business. 99.6% of mail to him gets blocked. But they keep trying...
     
    #9 mctDarren, May 7, 2007
    Last edited: May 7, 2007
  10. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    One way of getting past this is to move the email services for her domain to go through something like Postini or Mailwash. They're set up to deal with this sort of spam load pretty seamlessly. It would, of course, cost extra, but at the end of the day it will let her keep her email address.

    Longer term, I guess you need to work out what happened to cause the spam. Is it possible it could have been malicious, ie someone signed her up for a lot of spam accounts? Is her email address listed in plaintext on her website?

    Another thing you could do is make sure the server has your normal spam filtering (as I just notice you do have already). It's probably worth installing a firewall that subscribes to the spamhaus block list (and some others, I think dshield) like CSF as that just may block some of the traffic. And of course if there's any consistency in IPs that this stuff is from, you could probably just block them permanently. A number of people are singing the praises of ASSP (an Anti-Spam proxy) also lately and a few have worked out easy cpanel installs - may also be a solution.
     
  11. shw

    shw Active Member

    Joined:
    Oct 24, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Not yet, surprisingly, as it's a low-end VPS. I have only one child process, which helped with previous resource issues I had. I also disabled outgoing virus scanning and disabled the quarantine on this one domain. Otherwise I am expecting it could become an issue if it does, in fact, become worse. If I had answered this the opposite way, what would your reply have been? :)
     
  12. shw

    shw Active Member

    Joined:
    Oct 24, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    I already thought of the postini or Appriver solution but, as you said, it would cost more. I wouldn't have a problem if I was already reselling such service but I would have to put up an original purchase to become a partner. I will be checking into this further.

    I will also check into the Anti-Spam proxy as you noted.

    I, unfortunately, do not have any communication directly with this company as it was a reseller who had brought this account into action.
     
  13. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    A VPS? Ouch. It might become a problem more quickly this way. First thing - find the thread in here where I outline how to add a HELO check to your Exim settings. It blocks about half the spammers for my client since they regularly use illegal or incorrect HELO info.

    We regularly run IP checks by using a SQL search of the Mailwatch database for this client that creates a sorted bubble array of IPs used to spam him. We take that list of IPs and look for those that are used more frequently than others and ban them via iptables. If they are used more than five times, we blacklist it. It's very rare that an IP is used that often however. But you can use phpmyadmin to run SQL queries against the Mailwatch database and get those IPs.

    Grab the mail manage (cmm) script from Configserver and install it. Use your Mailscanner front end in WHM to feed spam for the account to another email address and use cmm to scan through it. Write up some aggressive, custom Spamassassin rules for the spam that IS getting through to stop it if you can.

    That should get you started. ;) (Ps: don't throw more money at the problem if it isn't needed. So long as your VPS is not bogging or causing your provider to flag you for resources we have several options to try...)
     
    #13 mctDarren, May 7, 2007
    Last edited: May 7, 2007
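The IP-frequency step above can be done without Mailwatch at all: Exim's main log carries the connecting host on every accept and reject line. The script below is an added example, not mctDarren's SQL query and not part of the thread; it reads constructed lines in the `exim_mainlog` format instead of the real file, counts hits per connecting address, and emits iptables rules for addresses seen more than a threshold (five, as in the post) while refusing to ban loopback or RFC 1918 space so a local relay can never end up in the block list. The iptables rule form is an assumption; CSF users would feed the same addresses to `csf -d`.

```python
"""Count connecting hosts in the Exim main log and emit iptables rules for
repeat offenders.

Added example for this thread, not mctDarren's Mailwatch query: it reads the
same information from the Exim main log instead.  SAMPLE_LOG is constructed;
the threshold of five and the iptables rule form are assumptions.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List

# Exim writes the connecting host as "H=name (helo) [ip]", "H=(helo) [ip]"
# or "H=[ip]"; the bracketed address is what we key on.
HOST_RE = re.compile(r"\bH=[^\[\n]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: botnet-style one-off hosts, one host that keeps
# coming back, and local submissions that must never be banned.
SAMPLE_LOG = """\
2007-05-07 09:01:12 H=(mail) [192.0.2.17] F=<promo@example.com> rejected RCPT <jane@example.net>: Message rejected because (mail) [192.0.2.17] is blacklisted at bl.spamcop.net
2007-05-07 09:01:40 H=(friend) [198.51.100.23] F=<rx@example.org> rejected RCPT <jane@example.net>: Message rejected because (friend) [198.51.100.23] is blacklisted at sbl-xbl.spamhaus.org
2007-05-07 09:02:05 1HkxYz-0003Ab-7Q <= meds@example.com H=(pc) [203.0.113.9] P=esmtp S=2311
2007-05-07 09:02:31 H=(mail) [192.0.2.17] F=<deals@example.com> rejected RCPT <jane@example.net>: Appears to be a dictionary attack
2007-05-07 09:03:02 1HkxZa-0003Ac-1B <= www@example.net H=localhost (box) [127.0.0.1] P=esmtp S=1024
2007-05-07 09:03:19 H=(mail) [192.0.2.17] F=<save@example.com> rejected RCPT <jane@example.net>: Message rejected because (mail) [192.0.2.17] is blacklisted at cbl.abuseat.org
2007-05-07 09:03:44 H=(mail) [192.0.2.17] F=<cheap@example.com> rejected RCPT <jane@example.net>: Message rejected because (mail) [192.0.2.17] is blacklisted at cbl.abuseat.org
2007-05-07 09:04:10 H=(laptop) [198.51.100.77] F=<pills@example.org> rejected RCPT <jane@example.net>: Message rejected because (laptop) [198.51.100.77] is blacklisted at dnsbl.sorbs.net
2007-05-07 09:04:33 1HkxZb-0003Ad-9C <= www@example.net H=localhost (box) [127.0.0.1] P=esmtp S=1100
2007-05-07 09:05:01 H=(mail) [192.0.2.17] F=<meds@example.com> rejected RCPT <jane@example.net>: Message rejected because (mail) [192.0.2.17] is blacklisted at bl.spamcop.net
2007-05-07 09:05:27 H=(mail) [192.0.2.17] F=<rx@example.com> rejected RCPT <jane@example.net>: Appears to be a dictionary attack
"""


def count_sources(lines: Iterable[str]) -> Counter:
    """Number of log lines per connecting IPv4 address."""
    counts: Counter = Counter()
    for line in lines:
        m = HOST_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ban_list(counts: Counter, threshold: int = 5,
             never_ban=("127.0.0.0/8", "10.0.0.0/8",
                        "172.16.0.0/12", "192.168.0.0/16")) -> List[str]:
    """Addresses seen more than `threshold` times, minus protected ranges.

    Add your own relay hosts to `never_ban`; a frequency ban must never be
    able to cut off the machine's own submission path.
    """
    protected = [ipaddress.ip_network(n) for n in never_ban]
    banned: List[str] = []
    for ip, n in counts.most_common():      # sorted most frequent first
        if n <= threshold:
            break
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in protected):
            continue
        banned.append(ip)
    return banned


def iptables_rules(ips: Iterable[str]) -> List[str]:
    """One DROP rule on port 25 per address (assumed rule form)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = count_sources(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{n:4d}  {ip}")
    for rule in iptables_rules(ban_list(counts)):
        print(rule)
```

Run it over a real `/var/log/exim_mainlog` and the histogram usually confirms mctDarren's point: almost every address appears once, and only the handful at the top are worth a firewall rule.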
  14. shw

    shw Active Member

    Joined:
    Oct 24, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Great information. I will jump into this ASAP. Especially the easy one dealing with the HELO :)

    Yeah, VPS. Believe it or not I have this bad boy running pretty smoothly even with Chirpy's MailScanner install. I changed some settings and have very good success with spam even now with getting bombarded. I feel like I'm running a loadsim on this thing to test its capacity. One good thing that will come from this, once I have this person's spam under control I know I can handle many more people on this one VPS...well as long as I don't get another one of these!

    Thanks for the quick responses...everyone.
     
  15. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
  16. shw

    shw Active Member

    Joined:
    Oct 24, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    I was just getting ready to ask about this as I was trying to search but I see you've posted quite a bit. :D

    Thanks again.
     
  17. shw

    shw Active Member

    Joined:
    Oct 24, 2006
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Wow...these lines help a lot. I added a few other ISPs on there which all seem to have relay servers with their domain in there. I'm still working on the HELO aspect. I want to make sure I am not putting legit emails at risk any more than I am.

    # Sender claims a freemail domain but the connecting host's reverse DNS
    # name ($sender_host_name) is not under that provider.  The regexes are
    # anchored with dots escaped so that e.g. "smtp.notyahoo.com" does not
    # pass; note that a host with no reverse DNS has an empty
    # $sender_host_name, never matches, and is therefore denied too.
    deny    message     = Faked Yahoo, so you must be spam.
            log_message = Fake Yahoo
            senders     = *@yahoo.com
            condition   = ${if match {$sender_host_name}{\N(^|\.)yahoo\.com$\N}{no}{yes}}

    deny    message     = Faked hotmail, so you must be spam.
            log_message = Fake hotmail
            senders     = *@hotmail.com
            condition   = ${if match {$sender_host_name}{\N(^|\.)hotmail\.com$\N}{no}{yes}}

    deny    message     = Faked MSN, so you must be spam.
            log_message = Fake MSN
            senders     = *@msn.com
            condition   = ${if match {$sender_host_name}{\N(^|\.)(hotmail|msn)\.com$\N}{no}{yes}}

    deny    message     = Faked AOL, so you must be spam.
            log_message = Fake AOL
            senders     = *@aol.com
            condition   = ${if match {$sender_host_name}{\N(^|\.)mx\.aol\.com$\N}{no}{yes}}
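The worry in the post above about putting legitimate mail at risk is justified, and the cases are easiest to see with the check pulled out of Exim. The following is an added example, not from the thread or from Exim: it applies the same "sender domain versus reverse DNS name" test, with the regexes as posted beside a tightened form (dots escaped, left side anchored), and the host names used are constructed. It shows where the rule accepts, where it denies, where the posted regex is too loose, and the two ways it bites legitimate mail: a host with no reverse DNS, and a mailing list or forwarder relaying a yahoo.com sender from its own host.

```python
"""Sender-domain vs. reverse-DNS check, as in the ACL lines above, re-done
in Python to exercise its accept, deny and false-positive cases.

Added example, not from the thread.  `sender_host_name` stands for Exim's
$sender_host_name: the reverse DNS name of the connecting host, or "" when
there is none.  All host names below are constructed.
"""
import re
from typing import Dict, Optional

# Patterns exactly as posted: an unescaped "." matches any character and
# nothing anchors the left side, so "smtp.notyahoo.com" passes as Yahoo.
POSTED: Dict[str, str] = {
    "yahoo.com":   r"yahoo.com$",
    "hotmail.com": r"hotmail.com$",
    "msn.com":     r"(hotmail|msn).com$",
    "aol.com":     r"mx.aol.com$",
}

# Tightened: the reverse name must be the provider domain or a host under it.
FIXED: Dict[str, str] = {
    "yahoo.com":   r"(^|\.)yahoo\.com$",
    "hotmail.com": r"(^|\.)hotmail\.com$",
    "msn.com":     r"(^|\.)(hotmail|msn)\.com$",
    "aol.com":     r"(^|\.)mx\.aol\.com$",
}


def fake_freemail(envelope_from: str, sender_host_name: str,
                  patterns: Dict[str, str] = FIXED) -> Optional[str]:
    """Return the deny reason the ACL would give, or None to let it continue.

    An empty reverse name can never match, so hosts without reverse DNS are
    denied; so is any forwarder or list server relaying a provider's sender
    from its own host, which is the false positive the poster is worried
    about.  Names are lower-cased because DNS names are case-insensitive
    while a bare regex match is not.
    """
    domain = envelope_from.rpartition("@")[2].lower()
    pattern = patterns.get(domain)
    if pattern is None:
        return None                      # "senders = *@..." did not match
    if re.search(pattern, sender_host_name.lower()):
        return None                      # host really is the provider's
    return f"Faked {domain}, so you must be spam."


if __name__ == "__main__":
    cases = [
        ("a@yahoo.com", "web37101.mail.mud.yahoo.com"),   # genuine
        ("a@yahoo.com", "pool-198-51-100-7.dsl.example.net"),  # forged
        ("a@yahoo.com", ""),                              # no reverse DNS
        ("a@yahoo.com", "lists.example.org"),             # forwarded, legit
        ("a@yahoo.com", "smtp.notyahoo.com"),             # loose regex gap
    ]
    for sender, host in cases:
        print(f"{sender:12} {host or '(no rDNS)':32} posted={fake_freemail(sender, host, POSTED)!r:40} fixed={fake_freemail(sender, host)!r}")
```

If the false positives matter, the usual mitigation is to score rather than deny (a SpamAssassin rule, or Exim's `warn` verb adding a header) so that forwarded mail from these providers still arrives.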
     
