SpamAssassin problem

Hi all,

Anybody know how to update SpamAssassin in Virtualmin?

Currently my SpamAssassin is showing SpamAssassin 3.1.9 (2007-02-13). But I checked

http://spamassassin.apache.org/

where it is showing that 2011-06-16: SpamAssassin 3.3.2 has been released

This is an old version. This is the reason why I am receiving thousands of spam emails every day…

Howdy,

I suspect there’s another issue going on with your system there.

You had mentioned in another post that you had hundreds of emails in your mail queue, and that’s not common no matter which SpamAssassin version you have. My suspicion is that a web app or email account on your server had been compromised. Though that’s just a guess :)

However, the version of SpamAssassin that you have is specific to your Linux distribution.

That is, each Linux distribution ships with a particular SpamAssassin version.

Which distribution/version is it that you’re using there?

-Eric

Hi Eric,

My version is CentOS release 5.0 (Final). Is my system capable of updating the version of SpamAssassin?

If my mail server had been compromised, which security measures do I have to take?

Well, CentOS 5.0 is older – if you run a “yum update”, are you able to update that to the more recent CentOS 5.8?

As far as determining the source of all the spam you’re seeing – that’s the hard part! It’s a matter of studying the emails and email headers, and determining their source.

You should rarely end up with hundreds of emails in your queue – spam doesn’t typically work that way, spammers don’t tend to send that sort of volume to one user.

We typically only see that when something unusual is going on with an account.

My suggestion is to study the spam you’re seeing, and try to understand where it’s coming from. The email headers can often provide clues there.

You can usually tell from the email headers if it’s being locally generated. And if it is, you can also tell which account is generating it.

If it’s being generated on your own server, that often means a web app had been compromised.

It’s also possible that a password of one of your email accounts had been guessed.

The email headers can assist you in figuring all that out though.

-Eric

Hi Eric,

Thank you very much for your help. Really appreciate it. After checking some mails, I found that some spam mails came from the same domain.

Examples of who I received from:


And I’m frequently receiving from eraserfont.com, goldenlighter.com and harmonicsynergyspa.com.

Is there any way to blacklist the domain name?

Well, the root issue here isn’t likely that some of the domain names appear more than once – it’s that it’s likely there’s some sort of compromise on your system that’s allowing so many emails to be sent via your server.

I wouldn’t be looking at how to block some addresses, I’d instead suggest reviewing how they’re getting onto your system at all.

I’ve never heard of spam being sent by the thousands to a single account (not that it couldn’t happen, but it’s certainly not the most common problem).

Using the email headers, you should be able to tell how those emails are getting to your server.

If you like, you could always open up one of those emails, and post the full email headers here.

Also, while I don’t suspect this is related, it certainly can’t hurt – if you haven’t enabled Email Greylisting yet, you may want to try that. It’s excellent at reducing spam. You can enable that in Email Messages -> Email Greylisting.

-Eric

Hi Eric,

This is one of the mail headers:

Return-Path: <And46@eraserfont.com>
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on domU-12-31-38-00-2D-84.compute-1.internal
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO, HTML_90_100,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG, HTML_SHORT_LINK_IMG_3,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET, SUBJECT_EXCESS_BASE64 autolearn=no version=3.1.9
X-Original-To: carrie@mof.com
Delivered-To: carrie.mof@localdomain
Received: from yo3.eraserfont.com (unknown [108.178.21.144]) by domU-12-31-38-00-2D-84.localdomain (Postfix) with ESMTP id DA136F5023 for <carrie@mof.com>; Tue, 5 Jun 2012 04:22:37 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=eraserfont.com; h=Message-ID:From:To:Subject:Date:Content-Type:Content-Transfer-Encoding; i=And46@eraserfont.com; bh=VHzbcecvPQescB4VdHvU9Y6SFuA=; b=ONJUHew1Dk3OPyI2MtUDBAM7j2uBr4o6sgMeG8uWePD3KWv7/wHVu2uDaebUbmmp90Ytxa2kXiuU kFsH3iHuD9G/KMK/z21qP8rL+dYMnCRNjz/pSa5iOFrLSXYL16t5
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=eraserfont.com; b=D4c2SZSGlRxW7o6mTa/heeXATE/Z/EKq6xSemr5xw4IaCNQCe84GLzOlXvFT5gb1GJnAkooLVINb tCZNzUr0HI2szGvwK/9OMs2vBgwC5wqNHaER5w4uVPuEkLrJfb5l;
Message-ID: <Y2FycmllQGh1dHRvbm1kLmNvbQ883@eraserfont.com>
From: "CableService" <And46@eraserfont.com>
To: carrie@mof.com
Subject: Cable deals for low, low prices
Date: Tue, 05 Jun 2012 02:22:21 -0600
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

And one more thing I noticed in the AWS Console. There is a Security Group which is allowing ports 0-65535.
Can this be one of the causes? For a mail server, what are the necessary ports to be allowed?

Spam issues like that aren’t typically related to the ports that are being allowed.

Did you by chance enable Email Greylisting? I’d be curious if that assisted with the issue you’re seeing at all.

It looks like that email is being delivered to the user “carrie@mof.com” – but so far as I can tell, your server isn’t actually hosting that domain name.

Is that correct? The domain “mof.com” isn’t hosted at your server?

If so – the domain that this email is being delivered to, does it by chance have catch-all email enabled for it? A catch-all address would be configured in “Edit Mail Aliases”.

-Eric
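To make the header-reading advice above concrete, here is an added Python example (not from this thread or from Virtualmin) that takes the earliest Received header of a message, decides whether the mail arrived over SMTP from an outside address or was injected locally (as a compromised web app or account would do), and pulls out the SpamAssassin score and rule hits. It uses the header posted above (angle brackets restored, rule list trimmed) plus a constructed local-submission header; the Postfix "from userid" wording is the standard Postfix format for locally submitted mail.

```python
import ipaddress
import re
from email import message_from_string

# Header block from the spam shown in the thread (angle brackets restored, rule list trimmed).
EXTERNAL_SPAM = """Return-Path: <And46@eraserfont.com>
X-Spam-Status: No, score=2.8 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO,
\tRCVD_IN_BL_SPAMCOP_NET autolearn=no version=3.1.9
Received: from yo3.eraserfont.com (unknown [108.178.21.144])
\tby domU-12-31-38-00-2D-84.localdomain (Postfix) with ESMTP id DA136F5023
\tfor <carrie@mof.com>; Tue, 5 Jun 2012 04:22:37 -0400 (EDT)
From: "CableService" <And46@eraserfont.com>
To: <carrie@mof.com>
Subject: Cable deals for low, low prices

"""

# Constructed header for the other case described in the thread: mail handed to Postfix
# locally (e.g. by a web app running as the web server user), so Postfix records the uid.
LOCAL_SPAM = """Received: by domU-12-31-38-00-2D-84.localdomain (Postfix, from userid 48)
\tid 1234ABCD; Tue, 5 Jun 2012 04:30:00 -0400 (EDT)
From: promo@example.invalid
To: victim@example.invalid
Subject: constructed test message

"""

FROM_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]\)")
UID_RE = re.compile(r"from userid (?P<uid>\d+)")
SCORE_RE = re.compile(r"score=(?P<score>-?[\d.]+)")
TESTS_RE = re.compile(r"tests=(?P<tests>[^\s,]+(?:,\s*[^\s,]+)*)")

def classify(raw):
    """Return where the message entered this server plus the SpamAssassin verdict."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # MTAs prepend Received headers, so the last one is the earliest hop this server saw.
    first_hop = " ".join(received[-1].split()) if received else ""   # unfold the header
    result = {"origin": "unknown", "helo": None, "rdns": None, "ip": None, "uid": None}
    m, u = FROM_RE.search(first_hop), UID_RE.search(first_hop)
    if m:   # SMTP delivery: HELO name, reverse DNS (or "unknown") and connecting IP
        ip = ipaddress.ip_address(m["ip"])
        result.update(helo=m["helo"], rdns=m["rdns"], ip=str(ip))
        result["origin"] = "local" if ip.is_loopback or ip.is_private else "external"
    elif u:  # no "from host": Postfix accepted it from a local process with this uid
        result.update(origin="local", uid=int(u["uid"]))
    status = " ".join((msg.get("X-Spam-Status") or "").split())
    s, t = SCORE_RE.search(status), TESTS_RE.search(status)
    result["score"] = float(s["score"]) if s else None
    result["tests"] = [x.strip() for x in t["tests"].split(",")] if t else []
    return result
```

An "external" origin with rdns "unknown" and FORGED_RCVD_HELO points at an outside sender that greylisting or a DNS blocklist can address; a "local" origin with a web server uid is the compromised-web-app case the thread warns about.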

For my mail server I’m using Virtualmin GPL, so that option is not available there. I can only see that option on my virtual host server, which is using Virtualmin PRO. Actually it is “carrie@mydomain.com”. I just don’t want to paste it over here, so I changed the domain to mof, avoiding spam as much as I can.

Thanesh,
I am receiving numerous emails from some of the same ones in your full list. I do realize this is a year later and you most likely have this cleared up. However, I am very curious to know if they have completely stopped coming to you. This is over a year later and some of the same company, group, machine or people continue to get away with this. One which I received at 12:39 A.M. was listed in the Subject as: Where the He** Are You??? I would rather not state the name of the company this is linked to, as I do not want it to pop up and show in web search (that is how I was led here, search results showing issues). Second, if you have received more: I researched for a few hours - paths, names, etc… In one I was able to track the IP address to a company. In the email, they put an address at the bottom; it listed the address as Michigan, but in search they are in California. I will report it, as I just received another at 7:50 PM. I will be glad to share the info I found if needed.