
Question Postfix-Spam: Connect from unknown host - invalid sender address

Sascha

New Pleskian
Hi everyone,

I have a little problem on my hosting server. I've installed Ubuntu 12.04.5 LTS with Plesk version 12.5.30 Update #44.
For a few weeks now I have been getting many spam e-mails through the server. So I looked in the logs and found some entries:

Aug 8 13:28:12 XXXXXX postfix/smtpd[28687]: warning: hostname abs-static-186.163.102.118.aircel.co.in does not resolve to address 118.102.163.186: No address associated with hostname
Aug 8 13:28:12 XXXXXX postfix/smtpd[28687]: connect from unknown[118.102.163.186]
Aug 8 13:28:13 XXXXXX postfix/smtpd[28687]: 4665E6EA33BC: client=unknown[118.102.163.186]
Aug 8 13:28:13 XXXXXX postfix/cleanup[29255]: 4665E6EA33BC: message-id=<[email protected]>
Aug 8 13:28:13 XXXXXX /usr/lib/plesk-9.0/psa-pc-remote[3308]: handlers_stderr: SKIP
Aug 8 13:28:13 XXXXXX /usr/lib/plesk-9.0/psa-pc-remote[3308]: SKIP during call 'check-quota' handler
Aug 8 13:28:14 XXXXXX postfix/qmgr[3615]: 4665E6EA33BC: from=<[email protected]>, size=12728, nrcpt=1 (queue active)
Aug 8 13:28:14 XXXXXX postfix-local[29258]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Aug 8 13:28:14 XXXXXX spamd[4784]: spamd: connection from localhost [127.0.0.1] at port 58893
Aug 8 13:28:14 XXXXXX spamd[4784]: spamd: using default config for [email protected]: /var/qmail/mailnames/XXXXX.de/USER/.spamassassin/user_prefs
Aug 8 13:28:14 XXXXXX spamd[4784]: spamd: processing message <[email protected]> for [email protected]:110
Aug 8 13:28:14 XXXXXX postfix/smtpd[28687]: disconnect from unknown[118.102.163.186]


The sender e-mail address does not exist on the server.
How can I block this "spam"?

I see in the Postfix manual the setting "smtpd_helo_restrictions" with the options "reject_invalid_hostname" and "reject_unknown_hostname". So I think this is the right option for me.

Can I configure this on my server with Plesk? Or do I have to change the Postfix config directly on the server?

If I change the config directly on the server, can Plesk overwrite this config on the next restart, for example?

Thanks in advance.
Best regards
Sascha
 
Does the sender logon before sending the spam?

Under Tools & Settings > Server Wide Mail Settings, set the Open Relay function to disabled.

On the same tab, turn on limitations on outgoing email messages. This will help limit the amount of spam being sent in the future. You have to make an estimate of how much mail the average user sends, though.

And no, Plesk mostly overwrites files relating to web servers.
 
Relay options need to be set as "authorization is required" and tick SMTP, or you won't be able to send from Outlook.
Are the emails coming to a non-existent user? If so, change how this type of mail is handled, e.g. reject it.

Plesk > Subscription > domain.tld > Mail Settings > "What to do with mail for non-existent users *" = Reject

As for Plesk overwriting mail config, it will only overwrite things that are handled in Plesk, for example the smtp_bind_address.

I suggest you install Fail2Ban, and add a block list or two to your mail setup.

Plesk > Tools & Settings > Mail Server Settings > "Switch on spam protection based on DNS blackhole lists" = sbl.spamhaus.org;zen.spamhaus.org;b.barracudacentral.org

I hope that helps.
Kind regards

Lloyd
 
Hi,

Thanks for the answers.

I've enabled "Relay Options" with "authorization is required" on "SMTP".
The e-mails come from a "non-existing" user (for example: Gina85@...) to an existing user. If I see this right, the user is not authenticated.
Mail setting for my domains => non-existing user = Reject.

I've enabled the DNS blackhole lists with "bl.spamcop.net". So I will now extend the list with your (Lloyd_mcse) options -> Thanks!

Fail2Ban is installed and I have activated the default jail "plesk-postfix". If the other options don't help me, I will add another jail for Postfix to block IPs...

Thanks!

Best regards
Sascha
 
I think that Sascha wants to block all incoming mails that have a sender address that is not configured in his own local domain (which has the same domain name).

Example: A spammer uses "[email protected]" to send mail to "[email protected]". As the mail server knows no mailbox "[email protected]", it shall block the incoming mail as spam without specific spam filter queries. As saschas-domain.com is owned by Sascha and operated on the recipient's server, this host should know that the incoming mail cannot be real mail, because it has been sent from a non-existent address in its own domain.

The anti-spam measures mentioned above are all good for blocking spam, but they will not achieve what Sascha has requested. I am not aware of any mail server setting to achieve what Sascha is looking for. Nice feature idea.
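
The condition described in the post above (an unauthenticated client using an envelope sender in a local domain that has no mailbox) can be detected from the mail log. The following is an added example, not part of the thread: a Python script that correlates smtpd and qmgr lines by queue ID. The sample log is constructed in the format Sascha posted; the domain example.test, the mailbox list and the function name are assumptions.

```python
import re

# Constructed sample in the log format from the thread; hosts, IPs and
# addresses are placeholders (example.test stands for the local domain).
SAMPLE_LOG = """\
Aug 8 13:28:13 mx postfix/smtpd[28687]: 4665E6EA33BC: client=unknown[203.0.113.7]
Aug 8 13:28:14 mx postfix/qmgr[3615]: 4665E6EA33BC: from=<gina85@example.test>, size=12728, nrcpt=1 (queue active)
Aug 8 13:30:01 mx postfix/smtpd[28701]: 5A1B2C3D4E5F: client=mail.example.org[198.51.100.20]
Aug 8 13:30:02 mx postfix/qmgr[3615]: 5A1B2C3D4E5F: from=<alice@example.org>, size=2100, nrcpt=1 (queue active)
Aug 8 13:31:10 mx postfix/smtpd[28710]: 6F7A8B9C0D1E: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=sascha@example.test
Aug 8 13:31:11 mx postfix/qmgr[3615]: 6F7A8B9C0D1E: from=<sascha@example.test>, size=900, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=([^\[\s]+)\[([^\]]+)\]"
    r"(?:.*sasl_username=(\S+))?")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")


def find_forged_local_senders(log_text, local_domains, mailboxes):
    """Flag unauthenticated messages whose envelope sender claims a local
    domain but is not an existing mailbox (hypothetical helper)."""
    sessions = {}   # queue ID -> (client hostname, client IP, SASL user or None)
    findings = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            sessions[m.group(1)] = m.group(2, 3, 4)
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        # pop(): qmgr logs from= again on every retry; report each message once
        session = sessions.pop(m.group(1), None)
        if session is None:
            continue
        host, ip, sasl_user = session
        sender = m.group(2).lower()
        domain = sender.rpartition("@")[2]
        if sasl_user is None and domain in local_domains and sender not in mailboxes:
            findings.append({"queue_id": m.group(1), "client_ip": ip,
                             "sender": sender, "rdns_ok": host != "unknown"})
    return findings


if __name__ == "__main__":
    for f in find_forged_local_senders(SAMPLE_LOG, {"example.test"},
                                       {"sascha@example.test"}):
        print(f)
```

The `rdns_ok` field records whether Postfix logged the client as `unknown`, the condition behind the "does not resolve to address" warning in the original log.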
 