[BlueOnyx:21173] Re: Spammer

Colin Jack colin at mainline.co.uk
Sun Jul 16 13:56:16 -05 2017


Hi Michael,


    Do you have a half way recent AV-SPAM installed on it? Version 6.1.0 or
    better? The most recent one is 6.2.1.

Mine says 6.3.0-1 (
    
    Under "Network Settings" / "AV-SPAM" / "Services" see if "Milter-GeoIP"
    is enabled. If not, turn it on.

Yes – already enabled.
    
    Then in the "GeoIP" tab tick the boxes for "Suspend Accounts" and
    "Enforce Email Limits".

Okay done that.
    
    Set the limits for "Service Accounts", "Virtual Sites" and "Users" as
    per your liking. You can still change them to different settings for
    each individual Vsite and User, but these will be the initial (default)
    values that will be used once this feature is enabled.

Set them all low.
    
    Milter-GeoIP will now track the email volume (outgoing) of your server
    and will help you to pinpoint who sends how much. As this ties into
    Sendmail it'll give you the actual user names under which the outgoing
    emails are created.
    
    Under "Usage Information" / "Email" you will see "Email Traffic as
    reported by Milter-GeoIP".

Excellent … this will help.
    
    If the culprit is a certain User of a Vsite, then you can directly see
    this there once some activity has been recorded by Milter-GeoIP.
    Additionally: Once a user is close to sending more emails than allowed
    (>75% of allowed usage), both you and the user will get a warning. If he
    reaches his hard daily limit for outgoing emails, then no further email
    can be sent by him and another warning is generated.
    
    Lastly: If a user with valid login details tries to send email from
    a blacklisted country, then Milter-GeoIP can either block that or even
    suspend the account automatically if you configure this. But it at least
    generates a warning if valid login details are used from suspicious
    countries.
    
    Now if the culprit is a system account such as "apache"? Milter-GeoIP
    will tell you as well and also enforces limits and cutoffs on that. If
    all Vsites run their PHP scripts as a siteAdmin of a Vsite and one of
    their PHP scripts creates the SPAM? In that case the offender will be
    the name of the siteAdmin account of that Vsite, which makes it easy to
    find.
    
    Most of this doesn't outright stop the sending of SPAM, but it raises
    the yellow and red flag early and lets you know if something fishy
    happens. Additionally it aids in identifying the culprit and limiting
    the volume of SPAM that he might get out.
    
    As some mentioned already: There are sneaky ways of sending outgoing
    emails. But if it runs through Sendmail, then Milter-GeoIP will see this
    and will report it. It doesn't catch those cases where a compromise
    brought its own SMTP-mechanism aboard which bypasses Sendmail, though.
    But these are sufficiently rare anyway.
    
    And as always: If you need a hand, send me the login details offlist and
    I'll take the shotgun and shovel to this case. ;-)
    
Brilliant advice. I will do my own digging initially using your suggestions but if I need your shotgun and shovel I will shout! (

All the best and thanks

Colin 
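As an added illustration of the per-sender volume tracking and the 75% warning / hard daily limit thresholds Michael describes above (this is example code written for this thread, not BlueOnyx or Milter-GeoIP code), here is a small Python check over a constructed Sendmail-style maillog excerpt; the log layout, account names and limit values are assumptions.

```python
import re
from collections import Counter
# Constructed maillog excerpt (not from a real server); it mimics Sendmail's
# "AUTH=server" and "from=" lines in simplified form.
SAMPLE_LOG = """\
Jul 16 09:01:02 host sendmail[1101]: v6G9012a001101: AUTH=server, relay=[203.0.113.5], authid=bob, mech=LOGIN, bits=0
Jul 16 09:01:02 host sendmail[1101]: v6G9012a001101: from=<bob@example.com>, size=512, class=0, nrcpts=8, proto=ESMTP, relay=[203.0.113.5]
Jul 16 09:02:10 host sendmail[1102]: v6G902Ab001102: from=<apache@host>, size=900, class=0, nrcpts=40, proto=SMTP, relay=apache@localhost
Jul 16 09:02:11 host sendmail[1103]: v6G902Ac001103: from=<apache@host>, size=900, class=0, nrcpts=35, proto=SMTP, relay=apache@localhost
Jul 16 09:05:00 host sendmail[1104]: v6G9050d001104: from=<site1@host>, size=300, class=0, nrcpts=16, proto=SMTP, relay=site1@localhost
"""

# Assumed daily limits (illustrative numbers): class defaults plus per-account
# overrides, as the thread describes for service accounts, Vsites and users.
DEFAULT_LIMITS = {"service": 50, "user": 100}
SERVICE_ACCOUNTS = {"apache", "root", "nobody"}
OVERRIDES = {"site1": 20}        # e.g. a Vsite siteAdmin with its own limit
QID_AUTH = re.compile(r": (\w+): AUTH=server, .*authid=([^,\s]+)")
QID_FROM = re.compile(r": (\w+): from=<[^>]*>, .*nrcpts=(\d+), .*relay=(\S+)")

def outgoing_counts(log_text):
    """Return {account: recipients sent}. SASL submissions are attributed to
    the authid logged for the queue id; local ones to relay=user@localhost."""
    auth_by_qid, counts = {}, Counter()
    for line in log_text.splitlines():
        if m := QID_AUTH.search(line):
            auth_by_qid[m.group(1)] = m.group(2)
        elif m := QID_FROM.search(line):
            qid, nrcpts, relay = m.group(1), int(m.group(2)), m.group(3)
            account = auth_by_qid.get(qid)
            if account is None and relay.endswith("@localhost"):
                account = relay.split("@", 1)[0]
            counts[account or "unknown"] += nrcpts
    return counts

def limit_for(account):
    if account in OVERRIDES:
        return OVERRIDES[account]
    return DEFAULT_LIMITS["service" if account in SERVICE_ACCOUNTS else "user"]

def classify(counts, warn_fraction=0.75):
    """ok / warning (>75% of limit) / blocked (at or over the hard daily limit)."""
    status = {}
    for account, sent in counts.items():
        limit = limit_for(account)
        status[account] = ("blocked" if sent >= limit
                           else "warning" if sent > warn_fraction * limit
                           else "ok")
    return status
```

Running `classify(outgoing_counts(SAMPLE_LOG))` on the constructed excerpt flags the "apache" service account as blocked and the siteAdmin "site1" as a warning, while the authenticated user "bob" stays within limits.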