Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Just got up and running with the qmail (Qmail Rocks install) and have to say that it’s the greatest thing since sliced bread. But I’ve got a pre-existing problem with spammers sending thousands of emails to our server daily in what I assume are dictionary attacks.
While it was a nuisance before, I’m now getting bounce bounced! messages out the wazoo due to the mailer daemon sending out the “no mailbox here by that name” message to bogus sender accounts.
Been checking up on some suggestions here involving solutions like spamhaus that would take care of the spam by sender location, but what other options do I have to cut down on the spam to non-users that it won’t catch?
SpamHaus is definitely a step in the right direction. They will block a good many of these bogus senders before they get mail into your queue. Since you installed according to qmailrocks, you should already have the mfcheck patch installed. mfcheck does a reverse DNS lookup on the sending domain. This ensures that sending a bounce is possible. To make sure it's actually working, you'll want to be sure you have /var/qmail/control/mfcheck and the value in this file should be simply "1".
If you are getting a good many emails sent to the same account on your system and this account doesn't exist anymore, but spammers keep trying, then you'll get a lot of bounces generated from this too. In that case, I recommend installing the qregex patch. Post if you're interested in that and I'll explain how. The qregex patch will allow you to create a "badmailto" control file that allows you to put addresses in there that you want to block. This stops the messages at SMTP time, so you don't have to get them into your queue.
You may also want to get Russ Nelson's doublebounce trim patch which is used to discard doublebounces, which are mostly useless anyhow. I'm not sure if qmailrocks includes the doublebounce trim patch or not. I felt like it did, but I don't remember now.
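The RCPT-time rejection described above, as an added example that is not part of this thread and not the qregex or realrcptto patch code itself: a small POSIX sh emulation of the two checks those patches perform, a regex "badmailto" list and a known-user list (the realrcptto idea that comes up later in the thread). Both files are constructed here in a temporary directory; on a real qmailrocks box the control file would be /var/qmail/control/badmailto and the user list would come from vpopmail. A recipient that fails either check is refused before the message body is accepted, so no bounce is ever generated for it.

```shell
#!/bin/sh
# Added example (not from the thread or from any qmail patch): emulate the
# RCPT-time checks that a qregex "badmailto" file and the realrcptto patch
# provide, against files constructed here. rcpt_check returns 0 when the
# recipient should be accepted and 1 when it should be rejected.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BADMAILTO="$WORK/badmailto"   # constructed stand-in for /var/qmail/control/badmailto
USERS="$WORK/users"           # constructed stand-in for the vpopmail user list
DOMAIN="example.com"          # assumed local domain

# qregex treats each badmailto line as an extended regular expression.
# Anchoring on '@' and the domain keeps a pattern from matching inside
# an unrelated address.
cat > "$BADMAILTO" <<'EOF'
^sales[0-9]+@example\.com$
^(info|webmaster|postmaster-old)@example\.com$
EOF

# One valid local part per line (constructed sample users).
cat > "$USERS" <<'EOF'
alice
bob
EOF

# rcpt_check RECIPIENT -> 0 accept, 1 reject
rcpt_check() {
    rcpt=$(printf '%s' "$1" | tr 'A-Z' 'a-z')

    # 1. badmailto: any matching regex rejects at RCPT TO.
    if printf '%s\n' "$rcpt" | grep -E -q -f "$BADMAILTO"; then
        return 1
    fi

    # 2. realrcptto-style check: only our domain, and only local parts
    #    that exist in the user list, are accepted. A dictionary-attack
    #    address such as john.smith@example.com is refused here instead
    #    of being queued and bounced later.
    local_part=${rcpt%@*}
    domain=${rcpt#*@}
    [ "$domain" = "$DOMAIN" ] || return 1
    grep -q -x -F "$local_part" "$USERS"
}

# Usage: exercise the check against a few constructed recipients.
for r in alice@example.com sales42@example.com john.smith@example.com bob@other.example; do
    if rcpt_check "$r"; then
        echo "accept $r"
    else
        echo "reject $r"
    fi
done
```

The grep -x -F lookup is exact and literal, so a user named "ali" does not accidentally accept mail for "alice", and the lowercase normalisation matches how qmail treats local parts case-insensitively in practice. If the user list grows large, the same idea works with a cdb lookup instead of grep.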
Look at DSPAM and SpamAssassin; both work with qmail very well and will work together. I would suggest starting with DSPAM. You could always just drop the spam messages rather than bounce them. That is your problem with the bounces being bounced back.
Your recommendation of spamhaus in a previous thread is what got me interested in the solution initially. If last night is a good indicator, spamhaus looks like it’s going to make a significant impact at reducing the problem. You definitely deserve a big thanks for the suggestion.
Let me give you a little more information about my problem so I can get your advice on the qregex patch….
Spammers are randomly generating recipient addresses by putting first, last, and/or object names in front of my domain name. If I understand the qregex solution correctly, I'm going to have to maintain a list of thousands of bad email addresses in the file for it to be of any use.
Thank you for your assistance so far, it's been very helpful.
You can block his IP address using /etc/tcp.smtp with a line like this...
123.456.789.10:deny
Then you rebuild the database with qmailctl cdb.
This isn't very effective if the spammer keeps changing his IP address, but you can always keep blocking his new IPs. However, this quickly becomes a game of whack-a-mole.
With the mfcheck patch doing its job, at least you have the luxury of knowing that your bounces can be delivered (usually), so that means your spammer would need to be sending his crap from a legitimate mail server where you can notify his ISP.
I'd try running with mfcheck and spamhaus for a while. I think you'll find that dictionary attacks happen less frequently. If you want to ensure that dictionary attacks don't happen again, you could look for the "realrcptto" patch which I believe also works with vpopmail. This basically checks your list of actual vpopmail users to see if the account is real. If it's not, the message is denied. Unfortunately I don't know much about this because I've never used it. But then again, I'm not really having any problems with dictionary attacks either.
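The /etc/tcp.smtp deny entry from the post above, as an added example that is not part of this thread: a POSIX sh script that validates the address before writing an ADDR:deny line, refuses to add the same line twice, and rebuilds the tcprules database. It works on a constructed copy of tcp.smtp in a temporary directory so it can be run anywhere; pointing TCP_SMTP at the real /etc/tcp.smtp and running qmailctl cdb (which wraps tcprules) applies it to a live qmailrocks server. The 123.456.789.10 in the post is a placeholder: octets above 255 are not a valid IPv4 address, so the validator rejects them rather than writing a rule that can never match.

```shell
#!/bin/sh
# Added example, not from the thread: add a tcprules deny entry for an
# IPv4 address to a tcp.smtp file and rebuild the cdb.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with each octet 0-255
valid_ipv4() {
    addr=$1
    # reject anything but digits and dots, and malformed dot placement
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# add_smtp_deny ADDR FILE -> appends "ADDR:deny" unless it is already there.
# tcpserver picks the most specific matching rule, so an exact address entry
# overrides the ":allow" catch-all regardless of its position in the file.
add_smtp_deny() {
    addr=$1; file=$2
    if ! valid_ipv4 "$addr"; then
        echo "refusing to add invalid address: $addr" >&2
        return 1
    fi
    if grep -q -x -F "$addr:deny" "$file" 2>/dev/null; then
        return 0   # already present; keep the file idempotent
    fi
    printf '%s:deny\n' "$addr" >> "$file"
}

# rebuild_cdb FILE -> compiles FILE into FILE.cdb the way "qmailctl cdb" does.
# tcprules is only invoked when installed so the example still runs elsewhere.
rebuild_cdb() {
    if command -v tcprules >/dev/null 2>&1; then
        tcprules "$1.cdb" "$1.tmp" < "$1"
    else
        echo "tcprules not installed here; on the server run: qmailctl cdb" >&2
    fi
}

# Constructed tcp.smtp with the usual qmailrocks contents.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TCP_SMTP="$WORK/tcp.smtp"
cat > "$TCP_SMTP" <<'EOF'
127.:allow,RELAYCLIENT=""
:allow
EOF

add_smtp_deny 192.0.2.10 "$TCP_SMTP"      # 192.0.2.0/24 is documentation space
add_smtp_deny 192.0.2.10 "$TCP_SMTP"      # second call is a no-op
if ! add_smtp_deny 123.456.789.10 "$TCP_SMTP"; then
    echo "placeholder address rejected, file unchanged"
fi
rebuild_cdb "$TCP_SMTP"
cat "$TCP_SMTP"
```

Because tcpserver matches on the most specific rule, a network prefix such as "192.0.2.:deny" blocks a whole /24 with one line, which is the usual answer to a spammer rotating through addresses in the same block; the validator here accepts only full addresses, so extend it if you want to write prefix rules the same way.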
There are solutions to block directory harvesting attacks, but so far as I know none are free. I know one that works really well (called MailGate Edge), because I helped to design it. It is, however, not free.
A real problem with Qmail is that it accepts all messages for its domains and only bounces invalid recipients after the message was written to disk. The advantage is that a spammer doesn't get an error message during the SMTP session that they can easily use to determine valid e-mail addresses from invalid (and so build a perfect list by trial and error). The bad news is that you end up processing a lot of junk and the spammer could still be parsing the bounces you try to send back to them (even if they don't accept the messages).
The only thing you can really do for free to prevent those messages from being accepted is to implement some RBL checking. Depending on what RBL you use, it's likely to either not block much spam, or block many legitimate messages. Spamhaus is very accurate and won't block good e-mail, but it won't block a whole lot of spam, unfortunately.
Yeah, I'd say running an RBL is probably not worth it. I just started doing this myself lately and it's pretty much worthless. While spamhaus is blocking thousands of messages per day, my personal RBL only blocks like 2 or 3. So really it's just a waste of time.
I'd get on as many RBL sites as you can (within reason... at some point, you're slowing down your own SMTP) and I'm mainly speaking of the popular ones like spamhaus, spamcop, CBL, and I think there are a few others. I don't have mine in front of me right now, but I can post them here if anyone's interested. However, you can just as easily Google for yourself and find some good ones to use. However, some people have said that using just ANY rbl site is a bad idea, as the admins may not be very active about removing IPs that are legitimate.
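The RBL checks discussed in the last few posts, as an added example that is not part of this thread and not the rblsmtpd code that ucspi-tcp ships: a POSIX sh script that builds the reversed-octet query name a DNSBL lookup uses and, when a resolver tool is available, resolves it with a short timeout. The zone name zen.spamhaus.org is a real Spamhaus zone; the addresses are constructed test values (127.0.0.2 is the conventional always-listed test entry from RFC 5782, 192.0.2.1 is documentation space). Nothing in the thread gives the exact zone the posters used, so treat the zone as an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: DNSBL query construction and lookup.
# A DNSBL is queried by reversing the client's IPv4 octets and appending
# the list's zone; a listed address resolves to an A record in 127.0.0.0/8,
# an unlisted one returns NXDOMAIN.

# reverse_ipv4 ADDR -> octets in reverse order, e.g. 192.0.2.1 -> 1.2.0.192
reverse_ipv4() {
    printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%s", $4, $3, $2, $1 }'
}

# dnsbl_query_name ADDR ZONE -> the DNS name to look up
dnsbl_query_name() {
    printf '%s.%s' "$(reverse_ipv4 "$1")" "$2"
}

# dnsbl_lookup ADDR ZONE -> prints "listed", "not listed" or "unknown".
# Each extra RBL adds a DNS round trip per connection, which is the slowdown
# mentioned in the thread, so the lookup is bounded by a 2 second wait.
dnsbl_lookup() {
    name=$(dnsbl_query_name "$1" "$2")
    if ! command -v host >/dev/null 2>&1; then
        echo unknown          # no resolver tool here (assumed BIND "host")
        return 0
    fi
    if out=$(host -W 2 -t A "$name" 2>&1); then
        case "$out" in
            *"has address 127."*) echo listed ;;
            *)                    echo "not listed" ;;
        esac
    else
        echo "not listed"     # NXDOMAIN or timeout: fail open, never block on error
    fi
}

# Usage: show the names that would be queried. The live lookup is left
# for a connected mail server, e.g. dnsbl_lookup 127.0.0.2 zen.spamhaus.org
ZONE="zen.spamhaus.org"
for ip in 127.0.0.2 192.0.2.1; do
    echo "$ip -> $(dnsbl_query_name "$ip" "$ZONE")"
done
```

Failing open on a timeout is deliberate: an RBL that is slow or unreachable should cost you a few seconds per connection, not reject legitimate mail, which is also why the thread's advice to stick to well-run lists and not pile on every zone you can find is sound.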
Well feel free to e-mail me if you want information. I don't want to place commercial information here since it might be considered an endorsement by LQ (LQ does not endorse products).
I don't mean to say that your problem is impossible to solve with free software. There just isn't any free software to do specifically what you're asking for. If you were willing to invest some time, you could build your own solution. In the mean time, using very accurate RBLs could help cut down on the problem.
Just wanted to mention that I just started using TMDA and I love it! It's wonderful! Say goodbye to spam. I'm not gonna say it will stop it cold, but it will definitely grind to a halt.