Please help, I'm in trouble with spammers

uteliux
Normal user
Posts: 37
Joined: 2008-07-09 14:43

Post by uteliux » 2010-01-05 15:31

Hello!
Can someone please help and explain to me how to stop the spammers who try to spam my server? In the awstats log I'm getting data like this (example):

2010-01-05 15:13:17 abuzipeosa7754@mydomain.lt 218.102.23.55 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 550 0
2010-01-05 15:13:25 porololeu4224@mydomain.lt 122.200.253.202 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 550 0
2010-01-05 15:13:29 helouxojyf4552@mydomain.lt 216.127.78.33 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 550 0
2010-01-05 15:13:29 zoziykoreu8136@mydomain.lt 216.127.78.33 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 550 0
2010-01-05 15:13:29 bywiwuwyai4663@mydomain.lt 216.127.78.33 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 550 0
2010-01-05 15:13:57 esowuu3892@mydomain.lt 69.160.247.211 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 550 0
2010-01-05 15:13:57 okejuconaz7255@mydomain.lt 69.160.247.211 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 550 0

This is just a small part of my log; the spammer tries to send 10-15 messages in 1 min!
In the DAY log I see that hMailServer deletes the message and says that the user does not exist (example with: osetahafo3403@mydomain.lt):

"SMTPD" 2668 30623 "2010-01-05 15:14:04.765" "212.77.68.6" "SENT: 220 sveiki!"
"SMTPD" 2668 30623 "2010-01-05 15:14:04.859" "212.77.68.6" "RECEIVED: HELO purplehat.split.it"
"SMTPD" 2668 30623 "2010-01-05 15:14:04.859" "212.77.68.6" "SENT: 250 Hello."
"SMTPD" 2664 30623 "2010-01-05 15:14:04.937" "212.77.68.6" "RECEIVED: MAIL FROM:<>"
"SMTPD" 2664 30623 "2010-01-05 15:14:04.953" "212.77.68.6" "SENT: 250 OK"
"SMTPD" 2668 30623 "2010-01-05 15:14:05.046" "212.77.68.6" "RECEIVED: RCPT TO:<osetahafo3403@mydomain.lt>"
"DEBUG" 2668 "2010-01-05 15:14:05.062" "AWStats::LogDeliveryFailure"
"SMTPD" 2668 30623 "2010-01-05 15:14:05.062" "212.77.68.6" "SENT: 550 Unknown user"
"SMTPD" 2664 30623 "2010-01-05 15:14:05.140" "212.77.68.6" "RECEIVED: RSET"
"DEBUG" 2664 "2010-01-05 15:14:05.140" "PersistentMessage::DeleteFile()"
"DEBUG" 2664 "2010-01-05 15:14:05.140" "PersistentMessage::~DeleteFile() - E3"
"SMTPD" 2664 30623 "2010-01-05 15:14:05.140" "212.77.68.6" "SENT: 250 OK"
"SMTPD" 2668 30623 "2010-01-05 15:14:05.218" "212.77.68.6" "RECEIVED: QUIT"
"SMTPD" 2668 30623 "2010-01-05 15:14:05.218" "212.77.68.6" "SENT: 221 goodbye"
"TCPIP" 2668 "2010-01-05 15:14:05.296" "Disconnecting socket 1608 for session 30623"
"DEBUG" 2668 "2010-01-05 15:14:05.312" "Socket::~Socket(ID:30623, Addr=68690736)"
"TCPIP" 2668 "2010-01-05 15:14:05.359" "Created accept socket 1608 on listening socket 932"
"DEBUG" 2668 "2010-01-05 15:14:05.359" "Socket::Socket(ID:30624, Addr=68690736)"

My users are not receiving ANY SPAM. I don't know how to handle this problem. And I think that is the reason why my mail server is blacklisted.

SORRY for my English. AND HAPPY NEW YEAR!!

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2010-01-05 15:34

According to that, a spammer is trying to send email to you. That would not add you to a blacklist. I wouldn't worry about it if that is all that is happening. Add those IPs to your firewall perhaps.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

uteliux
Normal user
Posts: 37
Joined: 2008-07-09 14:43

Post by uteliux » 2010-01-05 15:42

Maybe spam filters are adding me to the BL because my server sends a message back to the spammer with the message:

<bbz@mydomain.lt>: host karamele.****.lt[82.140.**.**] said: 550 Unknown user
(in reply to RCPT TO command)

Can that be the reason?

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2010-01-05 15:44

No, that is your server telling the spammer to go away; it doesn't send any email out with a 550 command. As I said, that log would not put you on a blacklist. More likely reasons are that your IP is listed as residential or dynamic, if run from a home connection.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2010-01-05 15:46

Also your HELO message says "SMTPD" 2668 30623 "2010-01-05 15:14:04.765" "212.77.68.6" "SENT: 220 sveiki!" That should be a FQDN such as mail.yourdomain.lt

Also make sure your IP's RDNS resolves to your FQDN.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Post by sheffters » 2010-01-05 15:47

Shouldn't get blacklisted for failure messages.

Post your mail IP / check the reasons why you're listed on the BLs .. they usually have reason codes

S.

*edit* .. never mind, you did, I just can't read logs properly ... :)

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Post by dzekas » 2010-01-05 15:51

uteliux wrote: This is just a small part of my log; the spammer tries to send 10-15 messages in 1 min!
In the DAY log I see that hMailServer deletes the message and says that the user does not exist (example with: osetahafo3403@mydomain.lt):

"SMTPD" 2668 30623 "2010-01-05 15:14:04.765" "212.77.68.6" "SENT: 220 sveiki!"
"SMTPD" 2668 30623 "2010-01-05 15:14:04.859" "212.77.68.6" "RECEIVED: HELO purplehat.split.it"
"SMTPD" 2668 30623 "2010-01-05 15:14:04.859" "212.77.68.6" "SENT: 250 Hello."
"SMTPD" 2664 30623 "2010-01-05 15:14:04.937" "212.77.68.6" "RECEIVED: MAIL FROM:<>"
"SMTPD" 2664 30623 "2010-01-05 15:14:04.953" "212.77.68.6" "SENT: 250 OK"
"SMTPD" 2668 30623 "2010-01-05 15:14:05.046" "212.77.68.6" "RECEIVED: RCPT TO:<osetahafo3403@mydomain.lt>"
"SMTPD" 2668 30623 "2010-01-05 15:14:05.062" "212.77.68.6" "SENT: 550 Unknown user"
It is not spam. It is backscatter. The spammer used your domain in spam messages. Your server is only handling bounces and it is handling them correctly. If your hardware can't cope with it, get better hardware.

Or you could use the ips.backscatterer.org RBL, but it can create false positives. Some normal servers have a higher backscatter rate.
Last edited by dzekas on 2010-01-05 15:55, edited 1 time in total.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Post by sheffters » 2010-01-05 15:54

Elo,

You're only on two ... neither of which is really a problem as they're just crap lists.

ips.backscatterer.org ... complains about the bounce messages (idiots)
dnsbl-3.uceprotect.net ... which seems to be some limited blacklist that's done manually and some automation via their own closed systems

I wouldn't worry about those two ... can't see them being used by anyone.

Can check easily here ... http://www.dnsbl.info/dnsbl-database-check.php

S.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Post by dzekas » 2010-01-05 16:05

uteliux wrote: "SMTPD" 2668 30623 "2010-01-05 15:14:04.765" "212.77.68.6" "SENT: 220 sveiki!"
Please note that a correct SMTP greeting should not say "hello" in Lithuanian. Software doesn't care if you are polite or not. The greeting should display your server's hostname as the first word.
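
Added example, not part of the original thread or of hMailServer: Python that groups SMTPD log lines in the format quoted above by session, flags sessions with a null sender (`MAIL FROM:<>`) whose recipients were all rejected with 550 (the backscatter pattern described earlier in the thread), and checks whether the 220 greeting starts with a hostname. Session 40001, its addresses and all function names are constructed for illustration.

```python
import re

# Session 30623 is trimmed from the log quoted in the thread; session 40001 is constructed.
SAMPLE_LOG = '''"SMTPD" 2668 30623 "2010-01-05 15:14:04.765" "212.77.68.6" "SENT: 220 sveiki!"
"SMTPD" 2664 30623 "2010-01-05 15:14:04.937" "212.77.68.6" "RECEIVED: MAIL FROM:<>"
"SMTPD" 2664 30623 "2010-01-05 15:14:04.953" "212.77.68.6" "SENT: 250 OK"
"SMTPD" 2668 30623 "2010-01-05 15:14:05.046" "212.77.68.6" "RECEIVED: RCPT TO:<osetahafo3403@mydomain.lt>"
"DEBUG" 2668 "2010-01-05 15:14:05.062" "AWStats::LogDeliveryFailure"
"SMTPD" 2668 30623 "2010-01-05 15:14:05.062" "212.77.68.6" "SENT: 550 Unknown user"
"SMTPD" 2670 40001 "2010-01-05 15:20:00.000" "192.0.2.10" "SENT: 220 mail.example.com ESMTP"
"SMTPD" 2670 40001 "2010-01-05 15:20:00.100" "192.0.2.10" "RECEIVED: MAIL FROM:<alice@example.org>"
"SMTPD" 2670 40001 "2010-01-05 15:20:00.300" "192.0.2.10" "RECEIVED: RCPT TO:<bbz@mydomain.lt>"
"SMTPD" 2670 40001 "2010-01-05 15:20:00.400" "192.0.2.10" "SENT: 250 OK"
'''

LINE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"[^"]+"\s+"([^"]+)"\s+"(SENT|RECEIVED): (.*)"$')
FQDN = re.compile(r'^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$', re.I)

def parse_sessions(text):
    """Group SMTPD lines by session id; DEBUG/TCPIP lines use another layout and are skipped."""
    sessions = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            sid, ip, direction, payload = m.groups()
            sessions.setdefault(sid, {"ip": ip, "events": []})["events"].append((direction, payload))
    return sessions

def classify(session):
    """Report null-sender (bounce) sessions aimed at unknown users, plus the greeting check."""
    null_sender, rejected, accepted, banner_fqdn, last_cmd = False, 0, 0, None, ""
    for direction, payload in session["events"]:
        if direction == "RECEIVED":
            last_cmd = payload.upper()
            if last_cmd.startswith("MAIL FROM:"):
                null_sender = re.match(r"MAIL FROM:\s*<>", last_cmd) is not None
        elif payload.startswith("220 ") and banner_fqdn is None:
            # First word after the 220 code should be the server's hostname
            banner_fqdn = FQDN.match((payload[4:].split() or [""])[0]) is not None
        elif last_cmd.startswith("RCPT TO:"):
            rejected += payload.startswith("550")   # reply to the RCPT just received
            accepted += payload.startswith("250")
    if not null_sender:
        verdict = "other"
    else:
        verdict = "bounce-to-unknown-user" if rejected and not accepted else "bounce"
    return {"ip": session["ip"], "banner_fqdn": banner_fqdn, "verdict": verdict}

def summarize(text):
    return {sid: classify(s) for sid, s in parse_sessions(text).items()}
```

Counting `bounce-to-unknown-user` sessions per source IP over a day's log gives the volume of misdirected bounces without touching legitimate mail.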

uteliux
Normal user
Posts: 37
Joined: 2008-07-09 14:43

Post by uteliux » 2010-01-05 16:40

dzekas, I know, I changed this message to "sveiki" before posting here, to hide my server's info :)

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Post by sheffters » 2010-01-05 20:55

uteliux wrote: dzekas, I know, I changed this message to "sveiki" before posting here, to hide my server's info :)
doh ... doesn't help troubleshooting problems! ... doesn't matter if people know your server address as long as you don't post passwords ... it's publicly available anyway (or it couldn't send / receive mail) ... so it's no worries to post stuff like server name.

S.

mattg
Moderator
Posts: 20000
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Post by mattg » 2010-01-06 01:15

sheffters wrote: Can check easily here ... http://www.dnsbl.info/dnsbl-database-check.php
Interesting list Sheffters, I had been looking for such a list.

Thanks
Matt
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation