Re: [webmin-l] Getting Killed With Emails That Are Not Mine

[John H. <web...@ew...>]

Vernon wrote:
>
> I am receiving emails to people that do not exsist on server. I'm 
> assuming that the SPAMMERS are sending emails to any name they can 
> thing of in the hopes of hitting ones that work, problem is I am 
> getting clobbered with SPAM to all these names. Any ideas why my 
> account (I am setup as the webmaster, postmaster and so forth) would 
> be receiving all this mail?
>
> ------------------------------------------------------------------------
> Vernon Webb
>
Vernon,

Yes. I've been whittling away at this same issue. A bit more info about 
your setup would help. Mine are CentOS servers running sendmail. Lots of 
default accounts are created during the OS install.... uucp, webmaster, 
postmaster, mail, nobody, gdm  and on and on. For me, the key accounts 
with regards to hosting are postmaster and abuse. These meet the RFC 
requirements for email service to a domain. I have postmaster delivered 
to a separate account on a different server and mostly monitor the count 
looking for spikes.

After that, it gets more difficult. I'm still deciding which accounts 
really need to exist and which ones don't. I have stopped the receipt of 
email to users like games, uucp, sshd, news, news-admin, sales and many 
others. I have been asking some questions on another list about some 
sort of system which only allows email to be delivered to explicitly 
named email accounts for the virtual hosts, but so far no response. I 
personally do receive mail to root which gets hit with a LOT of spam 
mostly due to these other accounts. But it is a way to immediately know 
if someone's site starts spewing spam due to some hack.

Spammers used to leave these 'sacred' accounts alone. I guess they 
thought they'd get blocked pretty fast. But now, so much blocking is 
done dynamically and basically most spammers rely on using freshly 
compromised systems that I guess blocking happens so fast that it really 
doesn't matter much about abusing these addresses as well.

I saw somewhere a few months ago a method for looking ahead to like the 
virtuser or access db before allowing the mail in. I don't think it is 
milter-ahead, but darn I can't find this again in spite of hours of 
searching in the last week.

The alternative is setting up a bounce or send to /dev/null for each of 
these addresses for every hosted domain. Not pretty. Which reminds me 
that I need to check what 'bounce' actually sets up within 
Webmin/Virtualmin as I don't mind rejecting mail during smtp, but I 
don't want to bounce mail after smtp. No need to spew spam back out to 
the forged 'From:' address as that really makes you a spammer yourself.

I've been pretty slow about removing or killing the receipt of email to 
these system users, as I'm trying to think about which circumstances 
might create a need for one of these to send mail which would likely be 
something that should be checked.

One thing that can help, you might want to get rid of the system user 
webmaster if it exists and if you need a webmaster address set it up 
under the servername under a user like webmaster.servername. I'd be 
pretty worried about doing this with root though. ;)

I do believe that databases of email addresses do exist. I also believe 
that rejecting as much as possible might even help with reducing 
incoming mail overall. In other words, just /dev/null ing bad mail is 
looks just the same as it being received by a real user. I've been doing 
a lot of revamping in the last few months. I've moved more into the smtp 
process, such as starting to use spamass-milter, rejecting anything 
scored 10 or above. Also added clamav-milter. I had been doing running 
these after smtp and dealing with it internally. One of the upsides is 
it takes a bit longer to get through the smtp process. Any good 
mailserver is going to keep the connection and deliver the mail. This 
couple of seconds or so however does seem to kill off a lot of the 
zombie systems and they pretty much just force it out and if you can't 
get it fast, they give up so they can move on.

I've also started running OSSEC on some systems. It can look for any 
string in any log file and react to that string. For instance, it will 
look for a reject line in the logs, look at the IP address and if it has 
occurred a certain number of times in a certain amount of time, it will 
block that address at the firewall for a certain amount of time. This is 
working great, picking up bad usernames, rejects by spamhaus, 
clamassassin and spamassassin. Then I don't even bother allowing any 
email in from them for my set amount of time. Overall, it has reduced 
system loads as mail processing is so intensive. It also has the bonus 
of looking for rootkits, blocking ssh attempts, ftp, imap, pop... and on 
and on.

I'm feeling pretty good with my systems, except for this one last 
'system user' gotcha.

Does anybody else have an idea about something that stops this spam to 
system users problem?

Best,
John Hinton