Limiting SMTP Access and strange Spam folder problem

Hi

my first post here.

I must say Virtualmin is really a great help to administer a server, which is nothing I am familiar with. I have installed it without any trouble and have Postfix, Greymin, SpamAssassin and DKIM running.

I host several domains and since I already know I won’t need much more than a webserver and email, I have set the firewall to “block all”. Later I manually added “accept” for the webserver ports 80 & 443 and SMTP ports 25 & 587. Since I have a fixed IP from my ISP, I also added an “accept” for this, because I only access/send email from this IP.

The server is currently being hammered by spam emails from various networks all around the world. Log file entry example (I replaced my email addresses / domains with xxx here):

> Apr 1 00:36:40 srt postfix/smtpd[5655]: connect from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]
> Apr 1 00:36:40 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=riskyzk@rennerpetroleum.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:36:40 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).net.html; from= to= proto=ESMTP helo=
> Apr 1 00:36:40 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=riskyzk@rennerpetroleum.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:36:40 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).net.html; from= to= proto=ESMTP helo=
> Apr 1 00:36:40 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=riskyzk@rennerpetroleum.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:36:40 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).com.html; from= to= proto=ESMTP helo=
> Apr 1 00:36:40 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=riskyzk@rennerpetroleum.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:36:40 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).com.html; from= to= proto=ESMTP helo=
> Apr 1 00:36:40 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=riskyzk@rennerpetroleum.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:36:40 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).com.html; from= to= proto=ESMTP helo=
> Apr 1 00:36:40 srt postfix/smtpd[5655]: lost connection after DATA from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]
> Apr 1 00:36:40 srt postfix/smtpd[5655]: disconnect from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]
> Apr 1 00:37:39 srt postfix/smtpd[5655]: connect from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]
> Apr 1 00:37:39 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=copdzw@rainbowsgold.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:37:39 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).com.html; from= to= proto=ESMTP helo=
> Apr 1 00:37:39 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=copdzw@rainbowsgold.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:37:39 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).com.html; from= to= proto=ESMTP helo=
> Apr 1 00:37:39 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=copdzw@rainbowsgold.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:37:39 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).com.html; from= to= proto=ESMTP helo=
> Apr 1 00:37:39 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=copdzw@rainbowsgold.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:37:39 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).net.html; from= to= proto=ESMTP helo=
> Apr 1 00:37:39 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=copdzw@rainbowsgold.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:37:39 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).net.html; from= to= proto=ESMTP helo=
> Apr 1 00:37:39 srt postfix/smtpd[5655]: lost connection after DATA from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]
> Apr 1 00:37:39 srt postfix/smtpd[5655]: disconnect from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]
> Apr 1 00:38:40 srt postfix/smtpd[5655]: connect from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]
> Apr 1 00:38:41 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=kopeckqr@roteerdbeere.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:38:41 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).net.html; from= to= proto=ESMTP helo=
> Apr 1 00:38:41 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=kopeckqr@roteerdbeere.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:38:41 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).net.html; from= to= proto=ESMTP helo=
> Apr 1 00:38:41 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=kopeckqr@roteerdbeere.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:38:41 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).com.html; from= to= proto=ESMTP helo=
> Apr 1 00:38:41 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=kopeckqr@roteerdbeere.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:38:41 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).com.html; from= to= proto=ESMTP helo=
> Apr 1 00:38:41 srt postgrey[4573]: action=greylist, reason=new, client_name=NATIONAL-NA.edge2.Washington1.Level3.net, client_address=4.30.208.222, sender=kopeckqr@roteerdbeere.com, recipient=xxx@xxxxxx.tld
> Apr 1 00:38:41 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]: 450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/(mydomain).com.html; from= to= proto=ESMTP helo=
> Apr 1 00:38:41 srt postfix/smtpd[5655]: lost connection after DATA from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]
> Apr 1 00:38:41 srt postfix/smtpd[5655]: disconnect from NATIONAL-NA.edge2.Washington1.Level3.net[4.30.208.222]
> Apr 1 00:39:28 srt postfix/anvil[5321]: statistics: max connection rate 2/60s for (smtp:173.15.249.157) at Apr 1 00:29:47
> Apr 1 00:39:28 srt postfix/anvil[5321]: statistics: max connection count 1 for (smtp:173.15.249.157) at Apr 1 00:29:28
> Apr 1 00:39:28 srt postfix/anvil[5321]: statistics: max cache size 2 at Apr 1 00:30:22

Is there by chance a way to prevent these guys from sending spam but leave legitimate users through? I tried to restrict SMTP and AUTH access to 127.0.0.1 in the firewall, but it causes all email from “outside” to be returned to sender.

And it looks like the spam guys somehow managed to get through because

webmin → read user mail → mailbox → spam

shows some emails without any headers or sender/receiver address

Unknown
0 kB

clicking on it gives me

Mail headers View all headers | View raw message
From
To
Date
Subject
Message contents
This message has no body contents.

But when I try to delete it, it says

No mail selected to delete

I got a few thousand of these and I cannot delete them.

Any help would be greatly appreciated.

Howdy,

Are you just looking to block email from one particular ISP?

If so, you could always use your firewall to block that IP address.

If you didn’t want to use the firewall, you could use a command like this to block a specific IP until the next time you reboot:

route add -host x.x.x.x reject

Where “x.x.x.x” is the IP address you wish to block.

-Eric

In addition to what Eric said, there are some things you can do to mitigate spam attacks.

It can help to install a software like “fail2ban” or “CSF/LFD” which can analyze logs and ban IP addresses based on regular expressions. CSF in addition is a full iptables manager and has quick IP blocking features.

Also you can configure Postfix to accept only a limited number of concurrent connections from each IP address.

To analyze those “phantom” emails, you can log in to the server with SSH and go to /home/DOMAIN/homes/USER/Maildir and take a look at the immediate mail files. That way there’s no layer in between that needs to interpret mails or so, you can see and delete the actual mails there.
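As an added example (not code from this thread, from Virtualmin or from fail2ban itself), here is the shape of check fail2ban applies to a mail log, written in Python: it scans Postfix "NOQUEUE: reject" lines in the syslog format quoted above, counts rejects per client IP inside a sliding time window, and reports the addresses that cross a threshold, which is the list you would then feed to a temporary firewall block. The log lines, the host name "srt", the addresses (documentation ranges) and the maxretry/findtime defaults are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches Postfix smtpd reject lines in the syslog format shown in the thread, e.g.
#   Apr  1 00:36:40 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from host[1.2.3.4]: 450 4.2.0 ...
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: (?P<code>\d{3}) "
)

# Constructed sample modelled on the thread's postgrey rejects (addresses are documentation ranges).
SAMPLE_LOG = [
    "Apr  1 00:36:40 srt postfix/smtpd[5655]: connect from relay.example.net[192.0.2.10]",
    "Apr  1 00:36:40 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.10]: 450 4.2.0 <xxx@example.org>: Recipient address rejected: Greylisted; from=<a@example.com> to=<xxx@example.org> proto=ESMTP helo=<relay.example.net>",
    "Apr  1 00:36:40 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.10]: 450 4.2.0 <xxx@example.org>: Recipient address rejected: Greylisted; from=<a@example.com> to=<xxx@example.org> proto=ESMTP helo=<relay.example.net>",
    "Apr  1 00:36:40 srt postfix/smtpd[5655]: lost connection after DATA from relay.example.net[192.0.2.10]",
    "Apr  1 00:37:39 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.10]: 450 4.2.0 <xxx@example.org>: Recipient address rejected: Greylisted; from=<b@example.com> to=<xxx@example.org> proto=ESMTP helo=<relay.example.net>",
    "Apr  1 00:37:39 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.10]: 450 4.2.0 <xxx@example.org>: Recipient address rejected: Greylisted; from=<b@example.com> to=<xxx@example.org> proto=ESMTP helo=<relay.example.net>",
    "Apr  1 00:38:41 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.10]: 450 4.2.0 <xxx@example.org>: Recipient address rejected: Greylisted; from=<c@example.com> to=<xxx@example.org> proto=ESMTP helo=<relay.example.net>",
    "Apr  1 00:39:02 srt postfix/smtpd[5655]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.2.0 <xxx@example.org>: Recipient address rejected: Greylisted; from=<d@example.net> to=<xxx@example.org> proto=ESMTP helo=<mx.example.net>",
    "Apr  1 00:39:28 srt postfix/anvil[5321]: statistics: max connection rate 2/60s for (smtp:198.51.100.7) at Apr  1 00:29:47",
]


def parse_ts(ts, year=2000):
    """Syslog stamps carry no year; pin one so timestamps become comparable."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def offenders(lines, maxretry=5, findtime=600):
    """Return {ip: total_rejects} for each client IP that produced at least
    maxretry reject lines within some findtime-second window (fail2ban's rule shape)."""
    stamps = defaultdict(list)
    for line in lines:
        m = REJECT_RE.match(line)
        if m:  # non-reject lines (connect, lost connection, anvil stats) are ignored
            stamps[m["ip"]].append(parse_ts(m["ts"]))
    hits = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime:
                start += 1  # slide the window forward until it spans at most findtime
            if end - start + 1 >= maxretry:
                hits[ip] = len(times)
                break
    return hits


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} rejects, candidate for a temporary firewall block")
```

Run against a real /var/log/mail.log the only change is the source of `lines`; the window logic is what keeps a single greylist retry from a legitimate sender below the threshold.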

Unfortunately, it’s not just one or a few networks! Spam comes from Japan, USA, Germany, Argentina, France, Russia and Brazil (various IPs). I have now installed fail2ban and it seems to have an effect. Thanks.