Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
As I'm sure is the case with many of you who run your own Internet-connected servers w/ Linux, I get a lot of spam relay attempts. I have configured my postfix to avoid the open relay problem and I have yet to see anything in the logs which suggests that any of these attempts have succeeded.

I get an average of 3-4 failed spam attempts each day. The overwhelming majority come from China or Korea, though I do sometimes see other types of failed attacks (mod_proxy, etc.) from Europe and other parts of the world.

Sometimes I do a WHOIS on the originating IP address, and among other information it returns an email address along the lines of "report spam to

My question: How often (or do you?) take the time to report spam relay, mod_proxy, or crack attempts to the address provided? And if you do complain, what exactly do you send them? A snippet of your log entry? Would there be any additional security concerns raised by providing the offending ISP with your own hostname or

Or do you believe that the ISP's admin is himself responsible in many of these cases and that complaining would therefore be futile?
Quote: I get an average of 3-4 failed spam attempts each day.

Is that all??? We get on average 3-4 a minute!
I use a number of blacklists to filter them and manage to cut the number that get through down to about 10 a day. Pretty good evidence that blacklists work.
I used to report all spam to www.spamcop.net and KnujOn (www.knujon.com). Spamcop will report spam to the spammer's upstream ISP on your behalf and add the spammer's address to their blacklist.
However I began to suspect that the spammer's ISP was actually in collusion with the spammer as (I think) Spamcop does not hide your email addresses in the reports they forward to the upstream ISP and I got even more spam. I have temporarily stopped using Spamcop since and my spam levels appear to have dropped but I still forward spam to KnujOn.
I am in two minds about using Spamcop but if we all stopped forwarding our spam to blacklist maintainers, then we are on the way to losing the spam war.
My advice is that if you are going to report the spammer to his upstream ISP (at abuse@whatever) and expose your email address anyway, you may as well report it to Spamcop as they will do it for you and add it to their blacklist which we can all use.
I use sendmail and had the same issue for a very long time. The only way I minimized my spam was to rely on DNS: any mail that came in had to verify that it actually comes from the claimed server, and the reverse DNS also has to confirm it; otherwise the server doesn't accept any mail from non-confirming senders. Second, I also removed accept from localhost (the name) and only used my IPs locally as the accepted IPs to relay out.
It's worth reading up on greylisting for postfix too. There's a howto on the postfix site. In short, for new IPs it tells the sender that Postfix isn't accepting mail and to retry later. Most bots don't retry.
Sounds like you are running your own private server. I do the same. The incoming spam, like yours, is little. I report spam (logs) to abuse@ at the offending ISP when it originates in my home country. I block IPs (usually the ISP's entire range) via iptables for chronic offenders. When a country is a particular nuisance (and I know none of my email users will be affected) I block the entire country range.
I block some regions and countries categorically (lacnic (latin america), afrinic (africa), China, Korea, Taiwan, Russia, etc.).
When reporting I include the Target IP, Source IP, Time Zone, Data Port, and log entries showing the infraction. My message looks like this:

An IP registered to XYZ is illegally sending spam. Please take immediate action against your user(s) to stop this activity. We advise XYZ to document the handling of this issue; XYZ may be subpoenaed for records regarding this case.
Source IP: nnn.nnn.nnn.nnn
Target IP: nnn.nnn.nnn.nnn
Data Port: 25
Time Zone: My Time Zone (or GMT if applicable for your logs)
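As an added example (not code from any poster in this thread), the following Python script pulls Postfix "Relay access denied" rejections out of a mail log, groups them by source IP, and renders the report layout shown above. It also masks your own recipient addresses before sending, which addresses the earlier worry about handing valid mailboxes to the upstream ISP; the log lines, IP addresses and the provider name "XYZ" are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample Postfix syslog lines (documentation addresses, not real hosts):
# two rejected relay attempts from one IP, one from another, and an unrelated line.
SAMPLE_LOG = """\
Mar 10 14:22:31 mail postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<bulk@example.org> to=<victim@example.net> proto=ESMTP helo=<mx.example.org>
Mar 10 14:22:33 mail postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <other@example.net>: Relay access denied; from=<bulk@example.org> to=<other@example.net> proto=ESMTP helo=<mx.example.org>
Mar 10 14:25:02 mail postfix/smtpd[12350]: NOQUEUE: reject: RCPT from host.example.com[198.51.100.7]: 554 5.7.1 <someone@example.net>: Relay access denied; from=<x@example.com> to=<someone@example.net> proto=ESMTP helo=<host.example.com>
Mar 10 14:26:10 mail postfix/smtpd[12351]: connect from unknown[203.0.113.45]
"""

# Matches the line Postfix logs when reject_unauth_destination refuses a relay.
RELAY_DENIED = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 554 5\.7\.1 <[^>]*>: Relay access denied;"
)

def relay_attempts(log_text):
    """Return {source_ip: [matching log lines]} for every relay rejection."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = RELAY_DENIED.match(line)
        if m:
            by_ip[m.group("ip")].append(line)
    return dict(by_ip)

def redact_recipients(line):
    """Mask the local part of our recipient addresses (the 554 and to=<> fields) so
    the report does not hand valid mailboxes to whoever reads the abuse queue."""
    return re.sub(r"(554 5\.7\.1 <|to=<)[^@>]+@", r"\1***@", line)

def build_report(ip, lines, target_ip, tz="UTC", provider="XYZ", redact=True):
    """Render the abuse report in the layout shown in the post above."""
    entries = [redact_recipients(l) if redact else l for l in lines]
    header = [
        f"An IP registered to {provider} is illegally sending spam. Please take immediate",
        f"action against your user(s) to stop this activity. We advise {provider} to",
        f"document the handling of this issue; {provider} may be subpoenaed for records",
        "regarding this case.",
        "",
        f"Source IP: {ip}",
        f"Target IP: {target_ip}",
        "Data Port: 25",
        f"Time Zone: {tz}",
        f"Log entries ({len(entries)} relay attempts):",
    ]
    return "\n".join(header + entries)

if __name__ == "__main__":
    for ip, lines in relay_attempts(SAMPLE_LOG).items():
        print(build_report(ip, lines, target_ip="192.0.2.10"), end="\n\n")
```

Feed it your real mail log instead of SAMPLE_LOG and set target_ip to the address of your own MX; the spammer's envelope sender stays visible in the report because that is what the abuse desk needs.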