LinuxQuestions.org, Linux - Security forum
04-15-2008, 02:57 PM   #1
cylarz
Member
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54
spam relay question


Hey all,

As I'm sure is the case with many of you who run your own Internet-connected servers w/ Linux, I get a lot of spam relay attempts. I have configured my postfix to avoid the open relay problem and I have yet to see anything in the logs which suggests that any of these attempts have succeeded.

I get an average of 3-4 failed spam attempts each day. The overwhelming majority come from China or Korea, though I do sometimes see other types of failed attacks (mod_proxy, etc.) from Europe and other parts of the world.

Sometimes I do a WHOIS on the originating IP address, and among other information it returns an email address along the lines of "report spam to abuse@<hostname>.com."

My question: How often (or do you?) take the time to report spam relay, mod_proxy, or crack attempts to the address provided? And if you do complain, what exactly do you send them? A snippet of your log entry? Would there be any additional security concerns raised by providing the offending ISP with your own hostname or IP address?

Or do you believe that the ISP's admin is himself responsible in many of these cases and that complaining would therefore be futile?

Your thoughts, please.

Thanks
 
04-15-2008, 04:00 PM   #2
MountfordDrive
LQ Newbie
Registered: Jun 2007
Location: West Midlands, UK
Distribution: Ubuntu and Debian
Posts: 5

Quote (originally posted by cylarz): "I get an average of 3-4 failed spam attempts each day."

Is that all??? We get on average 3-4 a minute!

I use a number of blacklists to filter them and manage to cut the number down to ones that get through to about 10 a day. Pretty good evidence that blacklists work.

I used to report all spam to www.spamcop.net and KnujOn (www.knujon.com). Spamcop will report spam to the spammer's upstream ISP on your behalf and add the spammer's address to their blacklist.

However I began to suspect that the spammer's ISP was actually in collusion with the spammer as (I think) Spamcop does not hide your email addresses in the reports they forward to the upstream ISP and I got even more spam. I have temporarily stopped using Spamcop since and my spam levels appear to have dropped but I still forward spam to KnujOn.

I am in two minds about using Spamcop but if we all stopped forwarding our spam to blacklist maintainers, then we are on the way to losing the spam war.

My advice is that if you are going to report the spammer to his upstream ISP (at abuse@whatever) and expose your email address anyway, you may as well report it to Spamcop as they will do it for you and add it to their blacklist which we can all use.
 
04-16-2008, 12:24 AM   #3
madumadu
LQ Newbie
Registered: Feb 2008
Posts: 6
I use sendmail, had the same issue for a very long time; the only way I minimized my spam was to rely on DNS: any mail that came in had to verify that it actually comes from the claimed server, and the reverse DNS also confirms; otherwise the server doesn't accept any mail from any non-confirming senders. 2. Also removed accept from localhost (the name) and only used my IPs locally as the accepted IPs to relay out.
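The two DNS checks described in this post (the connecting host's reverse DNS must point to a name that resolves back to the same IP, and the name the client claims in HELO must resolve to the connecting IP) as an added illustration in Python, not code from the thread or from sendmail. It runs offline against constructed PTR and A tables standing in for live DNS; the resolver lookups, the `example.net`/`example.org` names and the documentation-range IPs are all assumptions of this example.

```python
import ipaddress

# Constructed resolver data standing in for live DNS, so the check runs offline.
# PTR_RECORDS: client IP -> names from the reverse zone; A_RECORDS: name -> IPs.
PTR_RECORDS = {
    "192.0.2.10": ["mx1.example.net"],       # reverse and forward agree
    "192.0.2.20": ["mail.example.org"],      # forward record points elsewhere
    "198.51.100.5": [],                      # no reverse DNS at all
}
A_RECORDS = {
    "mx1.example.net": ["192.0.2.10"],
    "mail.example.org": ["203.0.113.7"],
}


def _ptr(ip):
    return PTR_RECORDS.get(ip, [])


def _a(name):
    return A_RECORDS.get(name, [])


def fcrdns_check(client_ip, ptr_lookup=_ptr, a_lookup=_a):
    """Forward-confirmed reverse DNS: the PTR name of client_ip must itself
    resolve back to client_ip. Returns (ok, reason)."""
    try:
        ip = str(ipaddress.ip_address(client_ip))
    except ValueError:
        return False, "not an IP address"
    names = ptr_lookup(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in a_lookup(name):
            return True, f"PTR {name} resolves back to {ip}"
    return False, "PTR name does not resolve back to client IP"


def helo_claim_verified(client_ip, helo_name, a_lookup=_a):
    """The name the client announces in HELO/EHLO must resolve to the
    connecting IP; this is the 'claimed server' part of the check."""
    return client_ip in a_lookup(helo_name)


def smtp_decision(client_ip, helo_name):
    """Combine both checks into the SMTP reply the server would give."""
    ok, reason = fcrdns_check(client_ip)
    if not ok:
        # 4xx rather than 5xx: DNS failures are often transient, so a real
        # MTA gets to retry instead of bouncing the message outright.
        return f"450 4.7.1 Client host rejected: {reason}"
    if not helo_claim_verified(client_ip, helo_name):
        return f"450 4.7.1 Helo command rejected: {helo_name} does not resolve to {client_ip}"
    return f"250 OK ({reason})"


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mx1.example.net"),
                     ("192.0.2.20", "mail.example.org"),
                     ("198.51.100.5", "whatever")]:
        print(ip, helo, "->", smtp_decision(ip, helo))
```

The lookups are injectable so the same logic can be pointed at a real resolver; the temporary 450 reply is a deliberate choice, since a permanent reject on a DNS hiccup would lose legitimate mail.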
 
04-16-2008, 12:45 AM   #4
billymayday
Guru
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678
It's worth reading up on greylisting for postfix too. There's a howto on the postfix site. In short, for new IPs it tells the sender that Postfix isn't accepting mail and to retry later. Most bots don't retry.
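Greylisting as a Postfix policy daemon would implement it, as an added example in Python; this is not code from the thread, from Postfix or from postgrey. Postfix hands each delivery attempt to the daemon as `name=value` lines ending in a blank line and expects an `action=...` reply; the triplet table, the 5-minute delay and one-week expiry, and the `bot_versus_real_mta` replay with its constructed request are assumptions of this example.

```python
import time

# Assumed tunables for this illustration; postgrey's real defaults differ.
GREYLIST_DELAY = 300        # seconds a new triplet must wait before it is accepted
GREYLIST_TTL = 7 * 86400    # forget triplets that never come back within a week


class Greylister:
    """Greylisting decision for (client IP, sender, recipient) triplets.

    First contact from an unknown triplet is temporarily rejected; a retry
    after GREYLIST_DELAY is let through. Mass-mailing bots typically fire
    and forget, so they never pass. The table is in memory here; a real
    policy daemon persists it to disk."""

    def __init__(self, delay=GREYLIST_DELAY, ttl=GREYLIST_TTL, clock=time.time):
        self.delay = delay
        self.ttl = ttl
        self.clock = clock          # injectable so tests can fake time
        self.first_seen = {}        # triplet -> timestamp of first attempt

    def decide(self, client_address, sender, recipient):
        now = self.clock()
        # Drop triplets that were deferred but never retried within the TTL.
        for key, seen in list(self.first_seen.items()):
            if now - seen > self.ttl:
                del self.first_seen[key]
        key = (client_address, sender.lower(), recipient.lower())
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now
            return "DEFER_IF_PERMIT Greylisted, please retry later"
        if now - seen < self.delay:
            return "DEFER_IF_PERMIT Greylisted, please retry later"
        return "DUNNO"      # no opinion: let the remaining restrictions decide


def parse_policy_request(raw):
    """Parse one request in Postfix's policy delegation protocol:
    'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def handle_request(greylister, raw):
    """Produce the 'action=...' reply Postfix expects for one request."""
    attrs = parse_policy_request(raw)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    action = greylister.decide(attrs.get("client_address", ""),
                               attrs.get("sender", ""),
                               attrs.get("recipient", ""))
    return f"action={action}\n\n"


# Constructed request, shaped like what Postfix sends over the policy socket.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.com\n"
    "\n"
)


def bot_versus_real_mta(delay=GREYLIST_DELAY):
    """Replay the two behaviours greylisting separates: a bot that tries once
    and a real MTA that retries after its queue interval. Returns the final
    reply each one received."""
    clock = [1_000_000.0]
    g = Greylister(delay=delay, clock=lambda: clock[0])
    bot = handle_request(g, SAMPLE_REQUEST.replace("192.0.2.10", "198.51.100.77"))
    # The bot never comes back; the legitimate MTA retries 10 minutes later.
    first = handle_request(g, SAMPLE_REQUEST)
    clock[0] += 600
    retry = handle_request(g, SAMPLE_REQUEST)
    return {"bot": bot, "mta_first": first, "mta_retry": retry}


if __name__ == "__main__":
    for who, reply in bot_versus_real_mta().items():
        print(f"{who}: {reply.strip()}")
```

`DEFER_IF_PERMIT` is the reply Postfix documents for this purpose: the temporary rejection is only issued if the rest of the restriction list would otherwise have accepted the message, so an address that is going to be rejected anyway does not get greylisted first. A daemon like this is wired in through `check_policy_service inet:127.0.0.1:10023` in `smtpd_recipient_restrictions` (10023 being postgrey's default port).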
 
04-16-2008, 05:36 PM   #5
mlnutt
Member
Registered: May 2006
Posts: 34
Sounds like you are running your own private server. I do the same. The incoming spam, like yours, is little. I report spam (logs) to abuse@ at the offending ISP when it originates in my home country. I block IPs (usually the ISP's entire range) via iptables for chronic offenders. When a country is particularly nuisancesome (and I know none of my email users will be affected) I block the entire country range.

I block some regions and countries categorically (LACNIC (Latin America), AFRINIC (Africa), China, Korea, Taiwan, Russia, etc.).

When reporting I include the Target IP, Source IP, Time Zone, Data Port, and log entries showing the infraction. My message looks like this:

An IP registered to XYZ is illegally sending spam. Please take immediate
action against your user(s) to stop this activity. We advise XYZ to
document the handling of this issue; XYZ may be subpoenaed for records
regarding this case.

Source IP: nnn.nnn.nnn.nnn
Target IP: nnn.nnn.nnn.nnn
Data Port: 25
Time Zone: My Time Zone (or GMT if applicable for your logs)

Begin Log:

<pertinent log info here>
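A small script that pulls the rejected relay attempts out of a Postfix log, groups them by source IP and renders one report per source in the shape of the template above, as an added example in Python rather than anything posted in the thread. The log lines are constructed in the format `postfix/smtpd` uses for a `Relay access denied` rejection, with documentation-range addresses; the `XYZ` placeholder, the target IP and the time zone are filled in by the caller, as in the template.

```python
import re
from collections import defaultdict

# Constructed Postfix log excerpt; addresses are documentation ranges, not real
# offenders. Only the "Relay access denied" lines are relay attempts; the 450
# line is a different rejection and must be left out of the report.
SAMPLE_LOG = """\
Apr 16 02:11:05 mx postfix/smtpd[2212]: connect from unknown[192.0.2.55]
Apr 16 02:11:06 mx postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 554 5.7.1 <user@victim.example>: Relay access denied; from=<bulk@spammer.example> to=<user@victim.example> proto=ESMTP helo=<mail>
Apr 16 02:11:07 mx postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 554 5.7.1 <other@victim.example>: Relay access denied; from=<bulk@spammer.example> to=<other@victim.example> proto=ESMTP helo=<mail>
Apr 16 02:11:08 mx postfix/smtpd[2212]: disconnect from unknown[192.0.2.55]
Apr 16 03:40:12 mx postfix/smtpd[2290]: NOQUEUE: reject: RCPT from relay.isp.example[198.51.100.9]: 554 5.7.1 <x@victim.example>: Relay access denied; from=<a@b.example> to=<x@victim.example> proto=SMTP helo=<relay.isp.example>
Apr 16 04:02:00 mx postfix/smtpd[2301]: NOQUEUE: reject: RCPT from unknown[203.0.113.4]: 450 4.1.8 <nobody@nowhere.invalid>: Sender address rejected: Domain not found; from=<nobody@nowhere.invalid> to=<me@mydomain.example> proto=ESMTP helo=<x>
"""

# One smtpd rejection line: timestamp, host, pid, client name[ip], SMTP code, detail.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9.]+)\]: "
    r"(?P<code>\d{3}) (?P<detail>.*)$"
)


def relay_attempts(log_text):
    """Return only the rejected relay attempts, one dict per matching line."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m and "Relay access denied" in m.group("detail"):
            hits.append({**m.groupdict(), "line": line})
    return hits


def group_by_source(attempts):
    """Group attempts by offending IP so each provider gets one report."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a)
    return dict(by_ip)


def build_report(source_ip, attempts, target_ip, time_zone, provider="XYZ"):
    """Render one report in the shape of the template in this post.
    provider is whatever name WHOIS returns; 'XYZ' is the placeholder."""
    lines = [
        f"An IP registered to {provider} is illegally sending spam. Please take immediate",
        f"action against your user(s) to stop this activity. We advise {provider} to",
        f"document the handling of this issue; {provider} may be subpoenaed for records",
        "regarding this case.",
        "",
        f"Source IP: {source_ip}",
        f"Target IP: {target_ip}",
        "Data Port: 25",
        f"Time Zone: {time_zone}",
        "",
        "Begin Log:",
        "",
    ]
    lines.extend(a["line"] for a in attempts)
    return "\n".join(lines) + "\n"


def reports_for_log(log_text, target_ip, time_zone="GMT"):
    """Map each offending source IP to its finished report text."""
    return {ip: build_report(ip, hits, target_ip, time_zone)
            for ip, hits in group_by_source(relay_attempts(log_text)).items()}


if __name__ == "__main__":
    for ip, report in reports_for_log(SAMPLE_LOG, "203.0.113.200").items():
        print(f"--- report for {ip} ---\n{report}")
```

Grouping by source before reporting keeps one message per provider even when a single bot hammers several recipients, and the regex filter on the rejection text means unrelated rejections (bad sender domains, greylisting defers) never end up in a report sent to a third party.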
 
04-16-2008, 06:24 PM   #6
cylarz
Member
Registered: Aug 2005
Location: California
Distribution: CentOS 5
Posts: 54
Original Poster
You are correct; it is a small private server which hosts a handful of domain names/websites I registered. I am the only user. I would like, however, to put a stop to this waste of my bandwidth.

Quote (originally posted by mlnutt): "I block some regions and countries categorically (lacnic (latin america), afrinic (africa), China, Korea, Taiwan, Russia, etc.)."

Yeah, I'd like to do that. I am using iptables; do you block the countries there or in your mail server settings? How do you do it?

I'd be just fine with blocking mainland China, Taiwan, and S Korea completely. Over 90% of the spam attempts seem to originate in one of those three.


Quote (originally posted by mlnutt): "When reporting I include the Target IP, Source IP, Time Zone, Data Port, and log entries showing the infraction. My message looks like this:"

<snip>

So do you report every individual piece of junk, or do you partially rely on Spamhaus et al. like the others mentioned?

Thank you, by the way, to all who wrote. It looks like I've got some more research to do.
 