spam issue

Hi, I don’t know if this is the right place to ask for advice on this issue, but I’m a newbie using InterWorx and I’m kind of worried about it. I recently moved to this InterWorx server and in the last few days I’ve noticed users of one of the domains are receiving a lot of spam, mostly with attached viruses. I have thoroughly checked the headers of these messages and it seems the mail has been sent from the server, which leads me to the question: how can I make sure the server is properly closed to relaying, and how come these messages have the proper headers making them look as if they were sent from my server, or were they actually sent from there?
Is there any way to secure qmail to solve this issue?

I’ve just seen that all the messages seem to have been sent from the same IP. Does InterWorx have any feature to block IPs? I know how to do it in Apache but this isn’t a web server problem. If I delete this domain from qmail, as Chris suggested in another thread for a different problem, will they still be able to send mail relaying through the server?

Thanks for your help.

From NodeWorx:

System Services => Mail Server => SPAM Filter Settings

There is an option for global whitelist and global blacklist. I would think that adding the IP to the global blacklist would do the trick here.

I haven’t actually done this myself (yet). Anyone want to confirm or deny?

Tim

Actually the global whitelist and blacklist boxes are for e-mail addresses, and they correlate directly to the whitelist_from and blacklist_from SpamAssassin configuration options, so this won’t block based on IP.

JustMe, it’d probably be easiest if you posted one of the mail headers in question so we can see exactly what’s going on. I’d also recommend enabling Clam Antivirus in NodeWorx => System Services => Virus Filtering, if it isn’t already enabled.

Paul

How did I know it couldn’t be that easy :wink:

JustMe, it’d probably be easiest if you posted one of the mail headers in question so we can see exactly what’s going on. I’d also recommend enabling Clam Antivirus in NodeWorx => System Services => Virus Filtering, if it isn’t already enabled.

Always good advice. :slight_smile: I can tell you I get TONS fewer viruses since SpamAssassin was added.

Ok, first of all, thanks Tim, you have helped me a lot to set up the server, even though you probably don’t know it.
To the point, I’m not really worried about viruses on the server, at least not viruses sent through email, since email is handled offsite; my concern is about email users getting email from the external mail server.
The fact is that I’ve been checking the messages and I was wrong, because although all the messages were sent by the same individual (same format and content), they are sent from different IPs THROUGH my box and they look like valid email messages from common addresses like webmaster@, info@, admin@, etc. This confuses users who open the message and voilà. Analyzing the IPs I have located this person but there’s not much I can do since it looks like a dial-up dynamic IP. I’ll post the headers:

From info@mydomain.com Mon Jul 11 14:54:35 2005
X-Apparently-To: my_email_at_yahoo@yahoo.com via 209.73.178.133; Mon, 11 Jul 2005 14:54:54 -0700
X-Originating-IP: [63.246.XXX.XX] //This is my box IP
Return-Path: <info@mydomain.com>
Authentication-Results: mta342.mail.scd.yahoo.com from=mydomain.com; domainkeys=neutral (no sig)
Received: from 63.246.136.24 (HELO mydomain.com) (63.246.XXX.XX) by mta342.mail.scd.yahoo.com with SMTP; Mon, 11 Jul 2005 14:54:54 -0700
Received: (qmail 25425 invoked by uid 108); 11 Jul 2005 21:56:10 -0000
Message-ID: <20050711215610.25424.qmail@mymaindomain.com> //IMPORTANT
Delivered-To: dan@mydomain.com
Received: (qmail 25413 invoked by uid 108); 11 Jul 2005 21:56:10 -0000
Received: from 130.red-81-34-111.pooles.rima-tde.net (HELO mydomain.com) (81.34.111.130) by unknown.sagonet.net with SMTP; 11 Jul 2005 21:55:56 -0000
From: info@mydomain.com
To: dan@mydomain.com
Subject: Members Support
Date: Mon, 11 Jul 2005 23:54:35 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0009_AD05FD99.45F6F1D1"
X-Priority: 3
X-MSMail-Priority: Normal
Content-Length: 74113

Those are the headers; please note that I have replaced my real domain name and IP. The rest is untouched. I’ve set up a catch-all email to forward email to my account at Yahoo.
I’m really worried because mail seems to have been actually sent from my main domain (IMPORTANT above), i.e. my box name. I was planning to delete this account for email to be handled completely off the server, but I’d like to sort out this issue first.
I’d really appreciate any ideas.

Regards

Justme, here’s what these mail headers are telling me:

To: dan@mydomain.com

Spammer decides to send message to dan@mydomain.com

From: info@mydomain.com

Spammer knows that he can specify ANYTHING for the From: section of the message, so to prevent dealing with any bounce messages or complaints, he decides to say the message is from info@mydomain.com. This is just the way SMTP works - anybody can forge a sender.

Received: from 130.red-81-34-111.pooles.rima-tde.net (HELO mydomain.com) (81.34.111.130) by unknown.sagonet.net with SMTP; 11 Jul 2005 21:55:56 -0000

This is the part he can’t forge. Spammer using hijacked computer 130.red-81-34-111.pooles.rima-tde.net aka 81.34.111.130 connects to your mail server 63.246.XXX.XX (the IP of mydomain.com) and sends a message to dan@mydomain.com. The (HELO mydomain.com) part says that the spammer identified itself as “mydomain.com”. They could have said anything here, it doesn’t matter. The “by unknown.sagonet.net” means that your server accepted the message - unknown.sagonet.net is the default reverse DNS name for IPs at Sago Networks - so this was a result of doing a reverse DNS lookup on your IP 63.246.XXX.XX.

Your server says “yes, I handle mail for mydomain.com, I’ll take the message.”

The message was passed on to the mail system, which now has to figure out what to do with a message sent to dan@mydomain.com.

During this process, a “message-ID” is created. The mail system needs this ID to be unique for obvious reasons - so it puts together a combination of the date/time, the process id handling the message, the mail system name (qmail), and the “main” domain that the mail system is configured with. Here’s what it came up with:

Message-ID: <20050711215610.25424.qmail@mymaindomain.com>

I’m fairly certain it’s getting the mymaindomain.com from the /var/qmail/control/me file.

Your server determines, via the catch-all you’ve set up, that it should forward the message on to my_email_at_yahoo@yahoo.com. So it does - it connects to yahoo’s mail server and sends the message on. So in this sense, your server is sending (forwarding) the spam message - but only because it was told to forward mail sent to dan@mydomain.com to your yahoo address.

So, to make a long story short, the spammer could send a message to dan@mydomain.com since your server is set up to accept mail for mydomain.com. And your server forwarded that message on to your yahoo.com account since that’s what the catch-all is set up to do. The end result is the spammer’s message ending up in your yahoo.com inbox.

I hope I’ve answered your question here. I don’t see anything out of the ordinary, no illegal relaying, etc. Everything looks on the up and up - except for the fact that there are spammers in the first place giving us all headaches :slight_smile:

Let me know if you have any questions about this,

Paul
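Paul’s reading of the Received chain can be automated. The Python below is an added example, not code from this thread or from InterWorx; it parses the headers quoted above (domain and server IP masked as the poster did), walks the qmail SMTP hops oldest-first, and `classify` takes hypothetical arguments for the server’s own reverse DNS name and the domains it hosts.

```python
import re

# Headers quoted in the thread above (domain and server IP masked as the poster did)
SAMPLE_HEADERS = """\
Return-Path: <info@mydomain.com>
Received: from 63.246.XXX.XX (HELO mydomain.com) (63.246.XXX.XX)
  by mta342.mail.scd.yahoo.com with SMTP; Mon, 11 Jul 2005 14:54:54 -0700
Received: (qmail 25425 invoked by uid 108); 11 Jul 2005 21:56:10 -0000
Message-ID: <20050711215610.25424.qmail@mymaindomain.com>
Delivered-To: dan@mydomain.com
Received: (qmail 25413 invoked by uid 108); 11 Jul 2005 21:56:10 -0000
Received: from 130.red-81-34-111.pooles.rima-tde.net (HELO mydomain.com) (81.34.111.130)
  by unknown.sagonet.net with SMTP; 11 Jul 2005 21:55:56 -0000
From: info@mydomain.com
To: dan@mydomain.com
"""

# qmail records an SMTP hop as: from <rDNS> (HELO <name>) (<ip>) by <server> with SMTP; <date>
HOP_RE = re.compile(r"from (\S+) \(HELO (\S+)\) \((\S+)\) by (\S+)")

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def smtp_hops(raw):
    """SMTP hops oldest-first; local '(qmail ... invoked ...)' hand-offs have no 'from' and are skipped."""
    hops = []
    for line in unfold(raw):
        if line.startswith("Received:"):
            m = HOP_RE.search(line)
            if m:
                hops.append(dict(zip(("rdns", "helo", "ip", "by"), m.groups())))
    return hops[::-1]  # each MTA prepends its header, so the bottom one is the first hop

def classify(raw, my_server, local_domains):
    """Tell 'accepted for a domain we host' (forged From, then forwarded) apart from open relaying."""
    first = smtp_hops(raw)[0]  # the hop the sender cannot forge: who really connected to our server
    fields = dict(h.split(":", 1) for h in unfold(raw) if ":" in h)
    rcpt_domain = fields.get("Delivered-To", "").strip().rsplit("@", 1)[-1]
    if first["by"] != my_server:
        return "first accepted by %s, not by our server" % first["by"]
    if rcpt_domain in local_domains:
        return "accepted for local domain %s from %s (HELO %s, rDNS %s)" % (rcpt_domain, first["ip"], first["helo"], first["rdns"])
    return "RELAYED to non-local domain %s from %s" % (rcpt_domain, first["ip"])
```

For the thread’s headers the first hop is 81.34.111.130 accepted by unknown.sagonet.net for mydomain.com, which matches Paul’s verdict: a forged From accepted for a hosted domain and forwarded by the catch-all, not open relaying.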

Thanks Paul, that’s why I said I didn’t know if this was the right place, since it does not seem to be an InterWorx issue.
Can I conclude from your explanation that if I delete this qmail account (mail is handled offsite), that would solve (or transfer to the offsite mail server) the spam problem, at least for this domain?
And, if I delete this domain, would any mail sent from the server from this particular domain be considered spam by other servers?
I understand this would be just your opinion; each server must have its own policies.

Thanks Again.

Yes, if you delete the mail setup for that domain on your server, using the vdeldomain command, that would prevent your server from accepting mail destined for mydomain.com. And as long as DNS doesn’t specify your server as a mail recipient for mydomain.com, nobody should be trying to send mydomain.com mail to your server (although I’ve seen spammers keep outdated DNS information for a really long time).

Deleting the mail setup for mydomain.com won’t have any effect on mail sent from the server - as you said, it’s totally up to the recipient whether they consider a message spam or not. But mail sent to dan@mydomain.com won’t be routed through your server anymore, since your server will have stopped accepting mail destined for addresses @mydomain.com.

This sounds a bit confusing just reading it back, but I hope it answers your question.

Paul

Hey, it’s all good. Sometimes I’m right, sometimes I’m not (though more often than not I’m right :slight_smile: ).

Hopefully Paul has answered your questions.

Thanks!!!

Thank you Paul, it’s not confusing at all, I really appreciate your help on this issue, you’ve been really helpful.
Tim, I really mean it, I’m not being sarcastic. Just an example: without your help I would not have been able to set up DNS properly, among other things. You are kind of my personal hero :wink: I did not mean you did not know how to set up the server, I meant you didn’t know you had helped me!!!

Glad to be of service.

I got what you meant; as I said, it’s all good. Never thought it was sarcastic at all.