Qmail: filtering OUTbound mail

whamprod

New Email
Hello all,

I have a server running qmail, and I have a specific issue. I host a number of customer websites, and one of them is spamming my server from a malicious script. I don't have the time to check all the tens of thousands of directories on all of these domains, nor do I have the financial wherewithal to pay someone else to do it.

I am beginning to learn my way around linux command line, and I want to know if there is a way to tell qmail to kill any instance of a message being sent by "anonymous@mydomain.com".

I've already located a bunch of bad scripts and deleted them, but I'm so busy monitoring my mail server that I don't have time to spend on the search. I have purchased a new server with new IP and new name servers, and I will be migrating all of my sites one by one to that server as I ensure that they are clean, but in the meantime I've had to stop qmail, and none of my clients are able to use their email.

Need help quick. PLEASE be gentle. I'm a n00b at this qmail stuff.

Thanks.
 

rfs9999

IMAP Tools
How about qmail's qfilter? untroubled.org: qmail-qfilter

"qmail-qfilter qmail-queue multi-filter front end Bruce Guenter <bruceg@em.ca> Version 2.1 2005-08-12 This program allows the body and/or envelope of a message to be filtered through a series of filters before being passed to the real qmail-queue program, and injected into the qmail queue."

Or take a look at the following site which has a Perl program to drop any mail from a particular sender:

The Dumb Terminal : Knowledgebase : Quickly filter mail using Qmail's .qmail files

I know nothing about qmail but a quick Google search turned up these two methods of filtering inbound messages in qmail.
 

rfs9999

IMAP Tools
Reviewing what I just posted it's not clear to me whether either of the methods I described can be used for outbound filtering.

Maybe this:
What Is Qmail-Scanner?

From the Qmail-Scanner website: "Qmail-Scanner is an addon that enables a qmail email server to scan all gateway-ed email for certain characteristics (i.e. a content scanner). It is typically used for its anti-virus protection functions, in which case it is used in conjunction with commercial virus scanners, but also enables a site (at a server/site level) to react to email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments). It also can be used as an archiving tool for auditing or backup purposes. Qmail-Scanner is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting in better performance. It is capable of scanning not only locally sent/received email, but also email that crosses the server in a relay capacity."

http://tldp.org/HOWTO/Qmail-ClamAV-HOWTO/x179.html

-Rick
 

EQ Admin

EQ Forum Admin
Staff member
Hi whamprod,

The short term quick fix is to put anonymous@mydomain.com into /var/qmail/control/badmailfrom

It probably won't be hard for the spammer to change the From: address on the spams though.

I do not recommend qmail-scanner, it's nice for small installs but it's all perl and can get crushed under heavy loads. It's been many years since I last used it so it's possible they made it more efficient since I last had it installed anywhere.

SpamAssassin + simscan does a lot better if you're looking for an open source solution that will run on your Linux mail servers.

To track down the forms that are spamming grep through the apache logs for POST lines, sort by site since there are lots of them, and with a little bit of reporting work it should jump out at you which forms are being abused.

While you are working on moving to the new server I recommend separating your email and web hosting services so that spam from a compromised web site does not affect the email reputation of the core mail hosting and hosted email accounts.
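The Apache log triage suggested in this reply (grep for POST lines, then sort by site) as a worked example added here; it is not code from the thread. It assumes the Apache "combined" log format and one access log per site, stored in a directory named after that site; the site names, paths and log lines are constructed sample data, so adjust the site derivation to your own layout.

```shell
#!/bin/sh
# Added example: which web forms on which hosted sites are receiving the most POSTs.
# Assumptions: Apache "combined" log format; one access log per site, kept in a
# directory whose name is the site (constructed layout: <dir>/<site>/access_log).

# post_report LOGFILE...  -> lines of "COUNT SITE PATH", busiest first.
post_report() {
    for f in "$@"; do
        # the site name is taken from the directory that holds the log
        site=$(basename "$(dirname "$f")")
        # combined format: host ident user [time] "METHOD path proto" status ...
        # so field 6 is the opening quote plus the method and field 7 the request path
        awk -v site="$site" '$6 == "\"POST" { print site, $7 }' "$f"
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# make_sample_logs DIR -> writes constructed access logs for two sample sites under DIR
make_sample_logs() {
    d=$1
    mkdir -p "$d/example-a.test" "$d/example-b.test"
    cat > "$d/example-a.test/access_log" <<'EOF'
203.0.113.5 - - [10/Jan/2014:12:00:01 +0000] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2014:12:00:02 +0000] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2014:12:00:03 +0000] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2014:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
    cat > "$d/example-b.test/access_log" <<'EOF'
192.0.2.9 - - [10/Jan/2014:12:01:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2014:12:01:05 +0000] "POST /guestbook/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# stand-alone run over the constructed sample logs
tmp=$(mktemp -d)
make_sample_logs "$tmp"
post_report "$tmp"/*/access_log
rm -rf "$tmp"
```

On a real server, point `post_report` at every site's access log; the form at the top of the list, with a POST count far out of proportion to its GET traffic, is the first one to inspect.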
 

whamprod

New Email
popowich, thanks for the reply. I'm not going to be keeping this server much longer. The server management software is Plesk, and the particular company I lease it from, who you should be able to figure out, wants to charge me $80 a pop for support, when I already pay them $150/month. I'm a small one man shop and I can't pay extra if the already expensive $150 won't cover it.....and they are starting to get a little snotty about it. That company was acquired by Godaddy 6 or 8 months ago, and while they insist they will remain free-standing, it is obvious that Godaddy is having some say over their management and customer retention decisions.

For example: I paid them $80 back in June to update my Plesk control panel. In the process, they broke several of my hosted sites by making the databases vanish. Then they insisted on charging me another $80 to fix what they broke, and I had no recourse but to pay it because by the time my customer had discovered the problem and notified me, the nightly server backup was already made, and there was nothing to restore their site from.

Anyway, the problem I'm having is not so much with inbound mail. I've already got SpamAssassin, and my email users use it or not at their discretion. But it doesn't stop emails from (nonexistent) user "anonymous@mydomain.com" who is either spoofing my domain and the emails are coming from somewhere else and then passing through my server.......OR he's got a very clever script running somewhere which I haven't found yet (I AM scanning each site, domain by domain, which is also costing me some money), but either way, I need qmail to identify any emails with sender "anonymous@mydomain.com" and kill them before they clog up the works.

I will try your suggestion to put him into /var/qmail/control/badmailfrom and get back to let you know what happened. Thanks again for the help.
 

whamprod

New Email
Ok, I had to use command line to put anonymous@.... into badmailfrom. The Plesk interface only allows you to put in the domain name without the user's prefix. And "mydomain" in this case is actually MY domain name. So the user is actually "anonymous@.....productions.com". I've already blacklisted @.....productions.com because MY email is hosted by Google. When I nano badmailfrom, "anonymous@....productions.com" is in there.

But here is the problem, I think that badmailfrom is intended to filter out bad senders coming in from outside domains. But the domain that anonymous is using is the same as my hosting business name, and the name server names.
 

EQ Admin

EQ Forum Admin
Staff member
Hello,

The control files such as badmailfrom and content filtering such as SpamAssassin can be configured for both incoming and/or outgoing email. It gets a little blurry since you're using the same server as MX and smtp relay. Which brings us to another possibility, you should also check your mail logs since it might be a compromised email account that is being abused and the spammer is using smtp-auth to relay spams from your server and not using a compromised web site for sending the spam. Have you tried protecting your smtp-auth with any RBLs like you would for the incoming email on port 25, such as adding the Spamhaus RBL? That's a nice low false positive RBL that should help to block some international spammer IPs if that's the problem.

Plesk has a built in backup and restore mechanism so it should have been easy to revert to the previous plesk if the upgrade caused you a problem.

Yes, since you mention it, I checked, and I think I figured out your domain name. If I guessed correctly it seems like there is a problem and you have both your Plesk server and the MX's for Google Apps hosted domains listed in your MX records?
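The mail-log check this reply asks for, as a worked example added here (not code from the thread): qmail-send logs one "info msg N: bytes B from <sender> qp Q uid U" line per queued message, and the uid is that of the process that ran qmail-queue. Mail handed over by a web script is injected under the web server's (or the site's) uid, while mail accepted over SMTP is injected under qmail-smtpd's uid, so grouping by sender and uid tells a compromised site apart from a compromised smtp-auth account. The log lines, uids and addresses below are constructed sample data; any syslog prefix in front of the "info msg" text is ignored.

```shell
#!/bin/sh
# Added example: attribute queued mail to its envelope sender and injecting uid,
# from qmail-send's "info msg N: bytes B from <sender> qp Q uid U" log lines.
# Constructed assumption for the sample data: uid 48 is the web server's uid,
# uid 2020 is qmail-smtpd's uid.

# queue_report LOGFILE... -> lines of "COUNT <sender> uid=U", busiest first
queue_report() {
    awk '/info msg [0-9]+: bytes [0-9]+ from </ {
        s = ""; u = ""
        # scan the fields so that any syslog prefix before "info msg" does not matter
        for (i = 1; i < NF; i++) {
            if ($i == "from") s = $(i + 1)
            if ($i == "uid")  u = $(i + 1)
        }
        if (s != "" && u != "") print s, "uid=" u
    }' "$@" | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# sender_total SENDER LOGFILE... -> number of queued messages from that envelope sender
sender_total() {
    s=$1; shift
    queue_report "$@" | awk -v s="<$s>" '$2 == s { n += $1 } END { print n + 0 }'
}

# make_sample_maillog FILE -> writes constructed qmail-send log lines to FILE
make_sample_maillog() {
    cat > "$1" <<'EOF'
Jan 10 12:00:01 mail qmail: 1389355201.512301 info msg 12345: bytes 2150 from <anonymous@example.test> qp 4401 uid 48
Jan 10 12:00:02 mail qmail: 1389355202.112301 info msg 12346: bytes 2150 from <anonymous@example.test> qp 4402 uid 48
Jan 10 12:00:03 mail qmail: 1389355203.332301 info msg 12347: bytes 2150 from <anonymous@example.test> qp 4403 uid 48
Jan 10 12:00:09 mail qmail: 1389355209.002301 info msg 12348: bytes 980 from <alice@example.test> qp 4404 uid 2020
Jan 10 12:00:15 mail qmail: 1389355215.772301 info msg 12349: bytes 4096 from <bob@customer.test> qp 4405 uid 2020
Jan 10 12:00:20 mail qmail: 1389355220.000001 status: local 1/10 remote 2/20
EOF
}

# stand-alone run over the constructed sample log
tmp=$(mktemp -d)
make_sample_maillog "$tmp/maillog"
queue_report "$tmp/maillog"
echo "anonymous total: $(sender_total anonymous@example.test "$tmp/maillog")"
rm -rf "$tmp"
```

In the sample the bad sender shows up only under the web server's uid, which points at a script rather than a stolen mailbox password; if the same sender appeared under qmail-smtpd's uid, the next step would be the smtp-auth lines in the same log to find which account is being used.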
 

whamprod

New Email
I've had Google apps host MY email for 5 or 6 years, exactly to protect my business email from this kind of situation, so that my clients can still reach me by alternative email means if their domain email is offline...... as is the case right now.

The problem is that the current server provider so assed-up the upgrade that I don't trust reverting. And that is academic anyway, since I am replacing that server with one acquired from BlueHost (and I'm going to have to learn Exim now while I'm at it).

But until I can get all my hosted sites migrated to the BlueHost server, I'd REALLY like to get this thing fixed. I'd even be willing to pay someone.......just not my current provider as a matter of principle......if they could actually TEACH me something in the process. If you know of anybody who can help me, I am open to suggestions. The only requirements for me are a) are they reasonably priced (I'm a tiny business), and b) are they available SOON.

If you know someone, please PM me and I'll all too happily respond.
 

EQ Admin

EQ Forum Admin
Staff member
They have a nice control panel, but...

I recommend against BlueHost if it's not too late unless you're OK with your VPS being down for several days per year.

In my case that's lots of outages that are several hours each, and an outage that lasted almost 48 hours, all in the last 9 months.

I made the mistake last year trying to migrate some of my smaller customers there.

I ended up having to remigrate those customers for free.

I moved their web hosting to AWS, and their email hosting to Office 365 / Google Apps for Business / LuxSci depending on what made the most sense for each customer.
 

whamprod

New Email
I've already migrated 6 domains there, and I have about 20-25 others still to do. If this weren't such a giant PIA, I'd be open to restarting somewhere else, but at this point, I'm kind of committed. I'm coming up on 62 years old now, and I just don't have the energy to redo all this stuff.
 