LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 05-18-2011, 02:36 PM   #1
mmyles
LQ Newbie
 
Registered: Jun 2009
Posts: 13

Rep: Reputation: 0
E-mail server getting Blacklisted


Hello. I work for a small ISP, and am having trouble with our e-mail server continually getting blacklisted. It has happened 2 nights in a row now (and I'm not very Linux Savvy). We're running Redhat 5.6.

I think I can see why it is happening, I just don't know how to prevent it. Someone is sending e-mail using an e-mail address not associated with our server. They are doing it every 15 seconds or so, and their IP address changes every time. Here are two examples.... [pvbb.net is one of our domains, but the usernames are totally unknown]

Quote:
Originally Posted by maillog
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: <steven_judy_d@pvbb.net>... User unknown
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: lost input channel from [182.177.146.164] to MTA after rcpt
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: from=<steven_judy_d@pvbb.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[182.177.146.164]

May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: <stevenson@pvbb.net>... User unknown
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: lost input channel from s129-247.star.net.pl [89.17.247.129] to MTA after rcpt
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: from=<stevenson@pvbb.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=s129-247.star.net.pl [89.17.247.129]
Any help or advice will be very helpful... I'm not the one that set this server up, but do have a grasp of Linux.

Last edited by mmyles; 05-18-2011 at 02:43 PM.
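As an added example (not part of the original post), a small Python script that works through the maillog pattern quoted above: it groups lines by sendmail queue id and flags envelope senders that claim one of our domains (pvbb.net, from the post) while the connecting relay sits outside our own address space. The "my network" range 192.0.2.0/24 and the final legitimate log line are constructed for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# The two rejection sequences quoted in the post, plus one constructed line
# for a legitimate submission from inside the ISP's own network.
SAMPLE_LOG = """\
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: <steven_judy_d@pvbb.net>... User unknown
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: lost input channel from [182.177.146.164] to MTA after rcpt
May 18 01:01:40 mail sendmail[11126]: p4I81cYU011126: from=<steven_judy_d@pvbb.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[182.177.146.164]
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: <stevenson@pvbb.net>... User unknown
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: lost input channel from s129-247.star.net.pl [89.17.247.129] to MTA after rcpt
May 18 01:02:02 mail sendmail[11204]: p4I81w85011204: from=<stevenson@pvbb.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=s129-247.star.net.pl [89.17.247.129]
May 18 01:05:00 mail sendmail[11300]: p4I85000011300: from=<bob@pvbb.net>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
"""

LOCAL_DOMAINS = {"pvbb.net"}                              # named in the post
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # hypothetical "my network"

QID_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
FROM_RE = re.compile(r"from=<([^>]*)>.*relay=(?:\S+ )?\[([0-9.]+)\]")


def analyze(log_text):
    """Group maillog lines by queue id and flag envelope senders that claim a
    local domain while the SMTP client is outside our network."""
    by_qid = defaultdict(dict)
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        if "User unknown" in rest:
            by_qid[qid]["unknown_rcpt"] = True
        fm = FROM_RE.search(rest)
        if fm:
            by_qid[qid]["sender"], by_qid[qid]["relay_ip"] = fm.groups()

    suspicious, per_relay = [], Counter()
    for qid, rec in by_qid.items():
        sender, ip = rec.get("sender", ""), rec.get("relay_ip")
        if not ip or "@" not in sender:
            continue
        domain = sender.rsplit("@", 1)[1].lower()
        external = not any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)
        if domain in LOCAL_DOMAINS and external:
            # A local-domain sender arriving from an arbitrary outside host is forged.
            suspicious.append((qid, sender, ip, rec.get("unknown_rcpt", False)))
            per_relay[ip] += 1
    return suspicious, per_relay
```

Run over a day's maillog, `per_relay` gives the distinct source addresses to rate-limit or block, and `suspicious` lists the forged sender attempts with whether the recipient probe bounced.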
 
Old 05-18-2011, 04:03 PM   #2
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385

Rep: Reputation: 477

Hi there,

Let us know how you have configured your mail server. I mean, are you using postfix or sendmail?

Also, it appears that someone is using your server as a relay agent, which means they are connecting directly to the server from a workstation by typing telnet server_name 25 and then typing in a bogus From name and sending email.

If you have configured postfix I would be interested in seeing:

/etc/postfix/main.cf

Especially, the following setting:

unknown_local_recipient_reject_code
 
1 members found this post helpful.
Old 05-18-2011, 04:31 PM   #3
mmyles
LQ Newbie
 
Registered: Jun 2009
Posts: 13

Original Poster
Rep: Reputation: 0
It is configured using Sendmail

Hmm, I thought telnet access was disabled, but it appears I can do so.

How can I disable telnet access?

Last edited by mmyles; 05-18-2011 at 04:37 PM.
 
Old 05-18-2011, 04:53 PM   #4
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385

Rep: Reputation: 477

Have a look at this: http://www.electrictoolbox.com/artic...ction-refused/

Make sure you backup your files before editing them so that you can revert if something goes wrong.

Last edited by T3RM1NVT0R; 05-18-2011 at 05:56 PM.
 
Old 05-19-2011, 04:48 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
In addition to the telnet approach, I would also ask what form of authentication you are requiring of your users. The two most common ones that I can think of from an ISP perspective would be the IP address being "my network" and a user name / password approach like SASL. My first thought was that you are a semi-open relay, in that anyone using blah-blah@pvbb.net (the @pvbb.net being the crucial part) is being accepted. BTW, you can't rely on envelope header or HELO information, as this is easily spoofed.
 
1 members found this post helpful.
Old 05-19-2011, 11:19 AM   #6
mmyles
LQ Newbie
 
Registered: Jun 2009
Posts: 13

Original Poster
Rep: Reputation: 0

Got in touch with the guy that set it up. He found the user 'spam' (a customer's account, with a weak password) was somehow able to get shell access, using a .php installed into their home directory. We removed the account, and the trouble has stopped.

Thanks for your quick responses, though!!
 
Old 05-20-2011, 10:22 AM   #7
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Rep: Reputation: 23
Quote:
Originally Posted by mmyles View Post
Got in touch with the guy that set it up. He found the user 'spam' (a customer's account, with a weak password) was somehow able to get shell access, using a .php installed into their home directory. We removed the account, and the trouble has stopped.

Thanks for your quick responses, though!!
Weak passwords will cause lots of problems. Believe me, I have managed 5,500 accounts, and it is like trying to 'get blood from a turnip' trying to make people understand the reason for strong passwords.
 
Old 05-20-2011, 09:19 PM   #8
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Rep: Reputation: 23
***Note

With Postfix there is policyd, which you can install to limit the number of emails sent in 24 hours; this will get you blacklisted in a hurry.

I went with another Linux mail server due to this very problem. I can limit the number of emails sent in 24 hours, so if it does get exploited (it will happen) this nonsense stops instantly. Plus, I could view the IP and the amount of emails sent, so I knew it was compromised, and I just lock the account and notify the helpdesk that it is locked and cannot be used again until the password is changed.

You may check and see if there is a package like policyd for sendmail. Also, I put rate-limiting rules in iptables in the INPUT chain to stop malicious attackers from running scripts/mail-bombing, hitting the server with denial of service attacks.

It is better to stop the attack with iptables and let the email server do what it does best, relaying email. The rogue attackers just go to a black hole now.

90% of all of the spam is sent via exploited email accounts with weak passwords; people don't care, since they do not have to deal with the administrative headaches and/or clean up.

Last edited by rhbegin; 05-20-2011 at 09:21 PM.
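An added example, not from the post and not policyd's code, of the per-account 24-hour sending limit with automatic lockout that this post describes, written as a handler for Postfix's policy delegation protocol (the protocol spoken by check_policy_service; wiring it into main.cf is assumed, not shown). The quota value, the TEST-NET-2 client address and the sample request are constructed.

```python
import time
from collections import defaultdict, deque

MAX_RCPT_PER_WINDOW = 500   # hypothetical quota: recipients per sender per window
WINDOW_SECONDS = 24 * 3600  # sliding 24-hour window, as in the post


def parse_policy_request(raw):
    """Parse one Postfix policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class OutboundQuota:
    """Per-account outbound quota with automatic lockout (example, not policyd)."""
    def __init__(self, limit=MAX_RCPT_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)   # sasl_username -> recipient timestamps
        self.locked = set()

    def decide(self, attrs, now=None):
        """Return the Postfix action for one RCPT-stage policy request."""
        now = time.time() if now is None else now
        user = attrs.get("sasl_username", "")
        if not user:
            return "DUNNO"   # unauthenticated client: other restrictions decide
        if user in self.locked:
            return "REJECT account locked; contact the helpdesk to reset your password"
        stamps = self.sent[user]
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()             # drop recipients older than the window
        stamps.append(now)
        if len(stamps) > self.limit:
            self.locked.add(user)        # compromised-account pattern: lock it
            return "REJECT outbound quota exceeded; account locked"
        return "DUNNO"

    def respond(self, raw, now=None):
        """Wire format Postfix expects back: 'action=...' followed by a blank line."""
        return f"action={self.decide(parse_policy_request(raw), now)}\n\n"


# Constructed request; client_address uses documentation space (TEST-NET-2).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=198.51.100.7\n"
    "sasl_username=spam\nsender=spam@pvbb.net\nrecipient=victim@example.com\n\n"
)
```

Because Postfix consults the policy service once per RCPT, the counter is effectively a recipient quota, which is what a mail-bombing account drives up fastest; the lock persists until the account is cleared (here, until the process restarts).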
 
  


All times are GMT -5.