Spamassassin

Discussion in 'Site & Server Administration' started by seismicmike, Jan 8, 2009.

  1. #1
    As I understand it, the spammers of the world have cranked up their attacks, and have been using some pretty clever ones at that. The other day, my boss mentioned that he got spam saying it came from him. Now I'm looking at one of my clients who (as far as I can tell so far) has spam saying it's from the Postmaster (you know... like failed message sends...). And it's not just clever attacks - it's the sheer volume of them. The one I'm looking at now got like 600 overnight! I'm fairly confident I don't have an open relay set up, but could this be someone trying to use my relay?

    What I'm wondering is if the spamassassin people have a new major release in the works and when it's due to come out. I didn't see anything on their website. The rules du jour are apparently not enough any more. There needs to be a new update to the whole system.

    In the meantime, does anyone have suggestions as to how I might combat this? Right now I'm relegated to manually reporting each message as spam when I get it. For all our clients (we have lots of email accounts) that could be a full-and-a-half-time job in itself. Has anyone else had this problem?
     
    seismicmike, Jan 8, 2009 IP
  2. seismicmike
    #2
    OK. I'm seriously freaked out, guys. I consider this a major emergency. I'm looking at some of these and it looks like somehow a spammer tried to send mail from my client's account. I have no open relay, and all connections use encryption. How could someone get in? How can I prevent this? How can I recover from this?
     
    seismicmike, Jan 8, 2009 IP
  3. matrafox
    #3
    On that server do you have a web server too? Or is it an e-mail server only?
     
    matrafox, Jan 8, 2009 IP
  4. seismicmike
    #4
    Here's our basic setup (sorry I didn't give details earlier). For the purpose of this discussion, let's say we have 4 servers. We'll call them 1, 4, 6 and 7 (for the fun of it). 1 is for development. 4 is for backups and for MySQL. 6 is for mail and DNS with some web, but 7 is primarily our web server. 1 and 7 relay all mail through 6, which has those two specifically mentioned in the /etc/mail/access file as being "RELAY". I thought for sure that this was pretty secure, because a while back we had a problem with one of them not being in that file and it couldn't send mail at all to the outside world. What I'm curious about is if it's possible for 1 or 7 to be an open relay so that the spammer would be using them to send and then it goes through 6.... but they both explicitly only have localhost declared as relay in the /etc/mail/access table, so I'm not sure.

    All are using RHEL5. Sendmail version is..... I'm not sure.... sorry
     
    seismicmike, Jan 8, 2009 IP
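An added example, not code from this thread, that audits a sendmail /etc/mail/access table like the one described above: it parses the map and flags RELAY grants that are wider than a single trusted host (a bare network prefix, a bare domain, or any From: entry, since the envelope sender is trivially forged). The sample map is constructed to mirror the setup in the thread, and the two risky entries are assumptions added so the audit has something to report.

```python
import re

# Constructed sample after the thread's setup, plus two deliberately risky entries.
SAMPLE_ACCESS = """\
# /etc/mail/access (constructed sample, not a real server's file)
localhost               RELAY
127.0.0.1               RELAY
Connect:192.0.2.1       RELAY
Connect:192.0.2.7       RELAY
Connect:10              RELAY
From:partner.example    RELAY
To:example.com          RELAY
"""

TAGS = {"Connect", "From", "To"}
LOOPBACK = {"localhost", "localhost.localdomain", "127.0.0.1", "IPv6:::1"}

def parse_access(text):
    """Yield (tag, key, action) per entry; tag is '' for untagged keys."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # strip comment, split
        if len(parts) != 2:
            continue                                  # blank or malformed
        key, action = parts
        tag, sep, rest = key.partition(":")
        if not (sep and tag in TAGS):
            tag, rest = "", key                       # e.g. bare host or IP
        yield tag, rest, action.strip()

def relay_key_is_broad(key):
    """Heuristic: a dotted IPv4 prefix shorter than four octets ('10',
    '192.168') is a whole network; a name with fewer than three labels
    ('example.com') matches every host under that domain."""
    if key in LOOPBACK:
        return False
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", key):
        return key.count(".") < 3
    return key.count(".") < 2

def audit_relays(text):
    """Return [(key, reason)] for RELAY grants wider than one trusted host."""
    findings = []
    for tag, key, action in parse_access(text):
        if action.upper() != "RELAY" or tag == "To":
            continue          # To:<domain> RELAY is normal for hosted domains
        if tag == "From":
            findings.append((key, "From: RELAY trusts a forgeable envelope sender"))
        elif relay_key_is_broad(key):
            findings.append((key, "key covers a network or domain, not one host"))
    return findings
```

Run it against a real access table (before makemap) to confirm that only the intended relay hosts and loopback carry RELAY.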