From: John H. <web...@ew...> - 2007-10-03 04:08:08
Vernon wrote:
>
> I am receiving emails to people that do not exist on server. I'm
> assuming that the SPAMMERS are sending emails to any name they can
> think of in the hopes of hitting ones that work, problem is I am
> getting clobbered with SPAM to all these names. Any ideas why my
> account (I am setup as the webmaster, postmaster and so forth) would
> be receiving all this mail?
>
> ------------------------------------------------------------------------
> Vernon Webb
>

Vernon,

Yes. I've been whittling away at this same issue. A bit more info about your setup would help. Mine are CentOS servers running sendmail.

Lots of default accounts are created during the OS install.... uucp, webmaster, postmaster, mail, nobody, gdm and on and on. For me, the key accounts with regards to hosting are postmaster and abuse. These meet the RFC requirements for email service to a domain. I have postmaster delivered to a separate account on a different server and mostly monitor the count looking for spikes.

After that, it gets more difficult. I'm still deciding which accounts really need to exist and which ones don't. I have stopped the receipt of email to users like games, uucp, sshd, news, news-admin, sales and many others. I have been asking some questions on another list about some sort of system which only allows email to be delivered to explicitly named email accounts for the virtual hosts, but so far no response.

I personally do receive mail to root which gets hit with a LOT of spam, mostly due to these other accounts. But it is a way to immediately know if someone's site starts spewing spam due to some hack.

Spammers used to leave these 'sacred' accounts alone. I guess they thought they'd get blocked pretty fast. But now, so much blocking is done dynamically and basically most spammers rely on using freshly compromised systems, so I guess blocking happens so fast that it really doesn't matter much about abusing these addresses as well.

I saw somewhere a few months ago a method for looking ahead to something like the virtuser or access db before allowing the mail in. I don't think it is milter-ahead, but darn, I can't find this again in spite of hours of searching in the last week. The alternative is setting up a bounce or a send to /dev/null for each of these addresses for every hosted domain. Not pretty. Which reminds me that I need to check what 'bounce' actually sets up within Webmin/Virtualmin, as I don't mind rejecting mail during smtp, but I don't want to bounce mail after smtp. No need to spew spam back out to the forged 'From:' address, as that really makes you a spammer yourself.

I've been pretty slow about removing or killing the receipt of email to these system users, as I'm trying to think about which circumstances might create a need for one of these to send mail, which would likely be something that should be checked. One thing that can help: you might want to get rid of the system user webmaster if it exists, and if you need a webmaster address, set it up under the servername under a user like webmaster.servername. I'd be pretty worried about doing this with root though. ;)

I do believe that databases of email addresses do exist. I also believe that rejecting as much as possible might even help with reducing incoming mail overall. In other words, just /dev/null-ing bad mail looks just the same as it being received by a real user.

I've been doing a lot of revamping in the last few months. I've moved more into the smtp process, such as starting to use spamass-milter, rejecting anything scored 10 or above. Also added clamav-milter. I had been running these after smtp and dealing with it internally. One of the upsides is it takes a bit longer to get through the smtp process. Any good mailserver is going to keep the connection and deliver the mail. This couple of seconds or so, however, does seem to kill off a lot of the zombie systems; they pretty much just force it out, and if you can't take it fast, they give up so they can move on.

I've also started running OSSEC on some systems. It can look for any string in any log file and react to that string. For instance, it will look for a reject line in the logs, look at the IP address, and if it has occurred a certain number of times in a certain amount of time, it will block that address at the firewall for a certain amount of time. This is working great, picking up bad usernames, rejects by spamhaus, clamassassin and spamassassin. Then I don't even bother allowing any email in from them for my set amount of time. Overall, it has reduced system loads, as mail processing is so intensive. It also has the bonus of looking for rootkits, blocking ssh attempts, ftp, imap, pop... and on and on.

I'm feeling pretty good with my systems, except for this one last 'system user' gotcha. Does anybody else have an idea about something that stops this spam to system users problem?

Best,
John Hinton
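As an added example, not part of the original message and not code from sendmail, Webmin/Virtualmin or OSSEC, the Python below sketches the two defensive ideas in John's reply: a virtusertable-style lookup that refuses unknown recipients with a 550 inside the SMTP dialogue instead of bouncing afterwards, and an OSSEC-style counter that reads sendmail reject lines from the mail log and returns the relay IPs that exceeded a threshold within a time window. The recipient table, the log lines, the domain names and the function names (`rcpt_decision`, `ips_to_block`) are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed recipient policy modeled on the sendmail virtusertable idea
# from the thread (example data, not a real site). Keys are full addresses
# or "@domain" catch-alls; values are a delivery target or an "error:..."
# entry, which is how sendmail is told to reject the recipient at RCPT time.
VIRTUSER = {
    "postmaster@example.com": "postmaster-example",
    "abuse@example.com": "postmaster-example",
    "vernon@example.com": "vernon",
    "games@example.com": "error:5.1.1:550 User unknown",
    # Catch-all reject: only explicitly named accounts exist for this host.
    "@example.com": "error:5.1.1:550 User unknown",
}


def rcpt_decision(address, table=VIRTUSER):
    """Return (accept, target_or_smtp_reply) for one RCPT TO address.

    Lookup order mirrors virtusertable: exact address first, then the
    @domain catch-all. Anything unlisted is refused with a 550 during the
    SMTP dialogue, so nothing is accepted and bounced to a forged sender.
    """
    address = address.lower()
    domain = address.split("@", 1)[1] if "@" in address else ""
    for key in (address, "@" + domain):
        if key in table:
            value = table[key]
            if value.startswith("error:"):
                # "error:5.1.1:550 User unknown" -> "550 5.1.1 User unknown"
                _, dsn, rest = value.split(":", 2)
                code, _, text = rest.partition(" ")
                return False, f"{code} {dsn} {text}"
            return True, value
    return False, "550 5.1.1 User unknown"


# Constructed sendmail-style log lines: one relay probing several of the
# system-user names from the thread, one legitimate delivery, one stray reject.
SAMPLE_LOG = """\
Oct  3 04:01:10 mx1 sendmail[4101]: l934110a004101: ruleset=check_rcpt, arg1=<games@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <games@example.com>... User unknown
Oct  3 04:01:12 mx1 sendmail[4102]: l934112a004102: ruleset=check_rcpt, arg1=<uucp@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <uucp@example.com>... User unknown
Oct  3 04:01:15 mx1 sendmail[4103]: l934115a004103: ruleset=check_rcpt, arg1=<news@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <news@example.com>... User unknown
Oct  3 04:02:40 mx1 sendmail[4110]: l934240a004110: from=<vernon@example.com>, size=2048, class=0, nrcpts=1, relay=mail.example.net [198.51.100.7]
Oct  3 04:03:01 mx1 sendmail[4111]: l934301a004111: ruleset=check_rcpt, arg1=<sales@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <sales@example.com>... User unknown
Oct  3 04:03:05 mx1 sendmail[4112]: l934305a004112: ruleset=check_rcpt, arg1=<sshd@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <sshd@example.com>... User unknown
Oct  3 04:30:00 mx1 sendmail[4200]: l934300a004200: ruleset=check_rcpt, arg1=<nobody@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <nobody@example.com>... User unknown
"""

# Syslog timestamp, then the relay's bracketed IP, then a 5xx reject code.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: .*"
    r"relay=[^,\]]*\[(?P<ip>[\d.]+)\].*reject=(?P<code>5\d\d)"
)


def ips_to_block(log_lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time_of_triggering_reject} for relays that produced at
    least `threshold` 5xx rejects inside any `window`-long span.

    This is the OSSEC active-response pattern described in the message:
    count matching log lines per source, trigger on N within T. A firewall
    rule would be installed by the caller; this function only decides.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = {}
    for line in log_lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is irrelevant
        ip = m["ip"]
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for addr in ("Vernon@example.com", "games@example.com", "zzz@example.com"):
        print(addr, "->", rcpt_decision(addr))
    for ip, when in ips_to_block(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip} (threshold reached at {when:%H:%M:%S})")
```

With the constructed log, the relay at 192.0.2.10 reaches five User unknown rejects within two minutes and is returned for blocking, while the single reject from 203.0.113.5 stays below the threshold. The blocking decision keys on the relay IP rather than the recipient name, which is what makes it useful against address-guessing: once a source has shown it is probing system-user names, further RCPT attempts from it need not be processed by the milters at all, which is the load reduction the message describes.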