04-27-2009, 10:58 AM   #1
ncsuapex (Member; Registered: Dec 2004; Location: Raleigh, NC; Distribution: CentOS 2.6.18-53.1.4.el5)
spam/spoofing issues with my mail server.


I am running a mail server on CentOS (2.6.18-92.el5PAE) and have been fighting the spam/email spoofing for a while now and it's driving me crazy.

Here is the mail set up:

rpm -qa | grep courier
courier-mlm-0.58.0-1.2
courier-maildrop-0.58.0-1.2
courier-0.58.0-1.2
courier-ldap-0.58.0-1.2
courier-authlib-0.60.2-1.fc2
courier-imapd-0.58.0-1.2
courier-webmail-0.58.0-1.2
courier-pop3d-0.58.0-1.2

rpm -qa | grep spam
spamassassin-3.2.5-1.el5.rf


rpm -qa | grep clam
clamav-0.95.1-2.el5.rf
clamav-db-0.95.1-2.el5.rf
clamd-0.95.1-2.el5.rf
clamav-devel-0.95.1-2.el5.rf
I have tried to feed spam into the Bayesian filters with the sa-learn command and it doesn't seem to be helping. Another issue I have seen is emails being sent to and from the same address of different individuals in our company: so a spam email would be To: user@hostname.com From: user@hostname.com. Also, another weird thing is an email would be sent to user@hostname.com but end up in another user's inbox. I've checked aliases/distribution groups and I can't see any real reason why they are getting spam sent to someone else.

I do have an SPF record on our external DNS and I've tested it on various SPF testing websites and they seem to pass. I've searched around the net and have tried various configurations but nothing seems to stop the spam or the spoofing.

SPF records in DNS:
IN TXT "v=spf1 a mx ~all" ; This is an SPF record (see http://spf.pobox.com/)

mail IN A *external IP of the mail server
IN TXT "v=spf1 a mx ~all" ; SPF record
*mailserver hostname IN TXT "v=spf1 a mx ~all" ; SPF record
Not sure what configurations for courier/spamassassin to post so if anyone can tell me what I would need to post to help troubleshoot please tell me and I can post it. Thanks!
04-27-2009, 11:52 AM   #2
farslayer (Guru; Registered: Oct 2005; Location: Willoughby, Ohio; Distribution: Debian Lenny / Squeeze / Sid)
I finally gave up trying to keep SA updated and just bought a Barracuda. It was reasonably priced, and annual support is inexpensive (compared to my time maintaining the old system it actually costs less). It also takes quite a bit of load off the mail server CPU.


Not sure if Courier has anything similar to Postfix UCE controls. These were a big help blocking emails from bad mail servers. Does Courier do anything like Postfix relay and access controls?
http://www.postfix.org/postconf.5.ht...r_restrictions
These restrictions did a lot to block some of the spam types you mentioned.

Email says it's from xdomain.com, reverse lookup says that is not true. Mail is dropped before further processing time is wasted on it.

Dropping the emails prior to them even hitting SA helped reduce the CPU load, since I wasn't processing messages through SA that the system determined earlier were not worth the effort. I was rather amazed at the amount of SPAM these controls alone eliminated.

Sorry, I don't know much about Courier as an MTA; I've only used it for POP and IMAP services.

Last edited by farslayer; 04-27-2009 at 02:34 PM..
04-27-2009, 12:16 PM   #3
ncsuapex (Member; Original Poster)
I *think* courier uses bofh in the same way postfix uses sender restrictions. This is what I have in my /etc/courier/bofh file:

opt BOFHBADMIME=accept
opt BOFHSUPPRESSBACKSCATTER=none


opt BOFHSPFHELO=pass,unknown,error,none,neutral,softfail
opt BOFHSPFMAILFROM=pass,unknown,error,none,neutral,softfail
opt BOFHSPFFROM=pass,unknown,error,none,neutral,mailfromok,softfail
opt BOFHSPFTRUSTME=1


and actually I had removed the last 4 lines for some reason and just re-added them. I'll see if that makes a difference.
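The BOFHSPF* options quoted above list the SPF results Courier will accept, and every list includes softfail; the zone in the first post ends its record with `~all`, which is exactly the softfail qualifier. The added example below (not code from the thread or from Courier) evaluates the poster's record "v=spf1 a mx ~all" against a constructed DNS table and then applies the accepted-result list from the bofh file, showing why a message spoofing the poster's own domain from an outside IP is still accepted. The domain, IP addresses and hostnames are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed stand-in for the poster's zone: one A record, one MX, and the
# record quoted in the thread. Addresses are documentation ranges, not real hosts.
ZONE = {
    "hostname.com": {"A": ["198.51.100.10"], "MX": ["mail.hostname.com"],
                     "TXT": "v=spf1 a mx ~all"},
    "mail.hostname.com": {"A": ["198.51.100.10"]},
}

def resolve(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])

def check_spf(client_ip, sender_domain):
    """Minimal SPF evaluator for records built from the 'a', 'mx' and 'all'
    mechanisms (enough for "v=spf1 a mx ~all"). Returns pass, fail, softfail,
    neutral, or none when the domain publishes no SPF record."""
    record = ZONE.get(sender_domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech == "a":
            matched = any(ipaddress.ip_address(a) == ip for a in resolve(sender_domain, "A"))
        elif mech == "mx":
            matched = any(ipaddress.ip_address(a) == ip
                          for mx in resolve(sender_domain, "MX") for a in resolve(mx, "A"))
        elif mech == "all":
            matched = True
        else:
            raise ValueError(f"mechanism not handled in this example: {mech}")
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term

# SPF results the poster's BOFHSPFMAILFROM line accepts, copied from the thread.
ACCEPTED_RESULTS = {"pass", "unknown", "error", "none", "neutral", "softfail"}

def mta_accepts(client_ip, sender_domain, accepted=ACCEPTED_RESULTS):
    """True when the MTA would accept the envelope sender under the given policy."""
    return check_spf(client_ip, sender_domain) in accepted
```

With `~all`, a connection from any IP outside the a/mx set yields softfail rather than fail, so an accept list containing softfail lets the spoofed sender through; the same list without softfail rejects it, and changing the record to `-all` would return fail, which none of the quoted lists accept.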
05-06-2009, 10:08 AM   #4
ncsuapex (Member; Original Poster)
I ended up editing my /etc/courier/maildroprc to the following:

Quote:
import RECIPIENT

if ($RECIPIENT =~ /^harvester@/)
{
cc "| /usr/bin/sa-learn -D --single --spam"
exit
}

# Spam Filter
xfilter "/usr/bin/spamc -u $RECIPIENT"

if (/^X-Spam-Status: Yes/:h)
{
UMASK = 007

to "/usr/local/share/Maildir/.Spam/."
}

and changed my /etc/mail/spamassassin/local.rc to this:

Quote:
rewrite_header Subject ****SPAM(_SCORE_)****
required_hits 5
report_safe 0
use_bayes 1
ok_locales en

and that seems to be catching a lot of spam.