
Mail Spoof Problem

Discussion in 'Plesk for Linux - 8.x and Older' started by chillax, May 18, 2006.

  1. chillax

    chillax Guest

    0
     
    I have a client complaining about receiving lots of returned messages from fake emails, and they are concerned about being blacklisted for spamming that they are not doing.

    The mail setup for their domain is to forward everything to their personal account; they did not want to set up mail accounts on the server, so everything gets funneled to their off-server, personal email.


    The server's mail setup is as follows:
    Maximum letter size is blank
    Relaying: Authorization required
    POP3 (was unchecked, just changed to checked with 20min default setting)
    SMTP (checked)
    Just checked the box to have dictionary tests of passwords done.

    Enable SPF spam protection is checked
    Only create Received-SPF Headers, never block
    SPF local rules: include:spf.trusted-forwarder.org

    Just changed it from allowing short and full names to only full names


    Additionally, I just installed mod_security.


    Here is a snippet of the header that the client gets with the undeliverable email messages:

    Received: from term2.lula.ch (term2.lula.ch [213.213.191.10]) by
    rly-xk03.mx.aol.com (v109.12) with ESMTP id MAILRELAYINXK38-58a446cb4f2218;
    Thu, 18 May 2006 13:55:04 -0400
    Received: from xsk.darbw ([213.213.102.58])
    by term2.lula.ch (8.13.3/8.13.3) with SMTP id k4II0bW2068019;
    Thu, 18 May 2006 20:00:37 +0200
    Message-ID: <000d01c67aa4$afd16a6e$3a66d5d5@xsk.darbw>
    From: "Elmer Bass" <vkqn@clients-domain.com>
    To: <mrsm26@aol.com>
    Subject: overhead
    Date: Thu, 18 May 2006 19:48:41 +0200
    MIME-Version: 1.0
    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0009_01C67AB5.735A3A16"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2670
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-AOL-IP: 213.213.191.10
    X-AOL-SCOLL-SCORE: 0:2:270824480:11542724
    X-AOL-SCOLL-URL_COUNT: 0


    Are there any other steps I can take to prevent spammers from spoofing my clients' email addresses?
     
  2. VIB-host

    VIB-host Guest

    0
     
    Have you set up the SPF TXT record for your customer's domain?
     
  3. chillax

    chillax Guest

    0
     
    I have created a TXT record that has this:
    "v=spf1 ~all"
     
  4. VIB-host

    VIB-host Guest

    0
     
  5. chillax

    chillax Guest

    0
     
    Well I used it to create the record and answered no to the first 3 questions because I don't believe they send mail from their domain at all. I went back and changed the first two to yes so that the ~all would only apply to my server (in theory).

    Now my TXT record is:
    "v=spf1 a mx ~all"

    Does that look more correct?
     
  6. VIB-host

    VIB-host Guest

    0
     
    Better, but my SPF record looks like this in the default DNS settings:

    Code:
    "v=spf1 a mx ptr ip4:<ip>/28 include:<domain>. ~all"
    the /28 is my IP subclass

    And if you only want to add the "a" to the SPF record, you should add the domain to it.

    Code:
    a:domain.TLD
    This will improve the SPF record

    You should also add the following to your MailServer settings:

    Code:
    Enable MAPS spam protection: sbl-xbl.spamhaus.org;bl.spamcop.net;relays.ordb.org;dnsbl.sorbs.net;cbl.abuseat.org;multihop.dsbl.org
    and then set the login to full account names

    Finally, please do use SpamAssassin 3 to prevent the spam. www.4psa.com have made a module to improve the functionality of SpamAssassin from Plesk, which is running the absolutely minimum configuration of SpamAssassin.

    With all the above configurations on my servers, my girlfriend has gone from approximately 40 spam mails a day to 2 or 3 spam mails a day.

    If anyone has better suggestions for this configuration, please do advise.
     
  7. phatPhrog

    phatPhrog Guest

    0
     
    VIB-host, I am testing your steps and it seems spamassassin doesn't like them very well. Although our spam has been drastically reduced, test SPAM mails sent via our server do not reflect any intervention via spamassassin.

    Just a note...
     
  8. VIB-host

    VIB-host Guest

    0
     
    That's right, SpamAssassin is by default only for incoming mails. However, I once read an article describing how to use SA to filter outgoing mails too, but of course I can't remember where :(

    For the rest, you should look in your log file to see who is using your server for spam, and then block them, e.g. with your firewall.

    The log file you have to find is called maillog

    Where it's located can differ from OS to OS.

    Just write find / -name "maillog" -print in your prompt to find it.
     
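The SPF records posted in this thread, evaluated against the originating IP from the quoted bounce header (213.213.102.58), as an added example that is not code from any participant. It is a simplified evaluator covering only the `a`, `mx`, `ip4` and `all` mechanisms; the DNS table and the server address 192.0.2.10 are constructed assumptions, and the `-all` record is an added comparison showing the difference between softfail and fail.

```python
import ipaddress

# Constructed DNS data (assumption): 192.0.2.10 stands in for the Plesk server.
# "mx" maps the domain straight to its exchangers' IPs; real SPF resolves the
# MX host names first. clients-domain.com is the placeholder from the header.
DNS = {
    "a": {"clients-domain.com": ["192.0.2.10"]},
    "mx": {"clients-domain.com": ["192.0.2.10"]},
}
SERVER = "192.0.2.10"        # assumed address of the legitimate mail server
SPOOFER = "213.213.102.58"   # originating IP in the quoted Received header
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, domain, dns=DNS):
    """Evaluate a subset of SPF (a, mx, ip4, all); first matching term wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("a", "mx"):
            hosts = dns[name].get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue  # include, ptr and modifiers are outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no term matched

def compare(records, ips=(SERVER, SPOOFER), domain="clients-domain.com"):
    """Return {record: {ip: result}} for each record and sender IP."""
    return {rec: {ip: check_spf(rec, ip, domain) for ip in ips} for rec in records}

if __name__ == "__main__":
    records = ["v=spf1 ~all", "v=spf1 a mx ~all", "v=spf1 a mx -all"]
    for rec, results in compare(records).items():
        print(rec, results)
```

With `v=spf1 ~all` even the domain's own server softfails, while `v=spf1 a mx ~all` passes the server and softfails the spoofing host; only `-all` turns that softfail into a fail.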