1

Topic: Spamming issue

- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: CentOS 7.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? yes, 2.9.0
#########################################################################

Facing the spamming issue.
Email accounts are randomly hacked: first a "hi" message is sent to a few unrecognized mail IDs, and then spamming to numerous mail accounts starts immediately.

How to prevent this?


2

Re: Spamming issue

Seems the account password was cracked. The only solution is forcing all users to use strong passwords.

3

Re: Spamming issue

ZhangHuangbin wrote:

Seems the account password was cracked. The only solution is forcing all users to use strong passwords.

I didn't understand one thing: a "hi" message is sent to some unknown Gmail accounts, connections are established from a particular IP either from Europe or Vietnam, and then spamming is done via the same IP.
SASL plain authentication method is used.
But how do they get into the accounts?

4

Re: Spamming issue

ZhangHuangbin wrote:

Seems the account password was cracked. The only solution is forcing all users to use strong passwords.

Please tell me any kind of tool to prevent any such connections from being made to our mail server.
This brings the Postfix service down, decreasing the reputation of the mail domain on Barracuda and Cisco Talos Intelligence.

5

Re: Spamming issue

ZhangHuangbin wrote:

Seems the account password was cracked. The only solution is forcing all users to use strong passwords.

Is there any tool to prevent spamming from hacked mail accounts sending out bulk mails in very large amounts (> 2000+)?

6

Re: Spamming issue

saquib.akhtar wrote:
ZhangHuangbin wrote:

Seems the account password was cracked. The only solution is forcing all users to use strong passwords.

Is there any tool to prevent spamming from hacked mail accounts sending out bulk mails in very large amounts (> 2000+)?

Throttling the emails?

7

Re: Spamming issue

Jochie wrote:
saquib.akhtar wrote:
ZhangHuangbin wrote:

Seems the account password was cracked. The only solution is forcing all users to use strong passwords.

Is there any tool to prevent spamming from hacked mail accounts sending out bulk mails in very large amounts (> 2000+)?

Throttling the emails?

Ya, I have done that.
But I was looking for a solution to immediately prevent the spamming.

I think Mail Security is needed?

8

Re: Spamming issue

The spamming issue is coming up for new mail accounts each day.
Throttling only limits outbound sending, but the domain reputation is getting poor.
Is there any tool to prevent hacked mail accounts from sending bulk mail in a few minutes?

9

Re: Spamming issue

Did you force all users to set a strong password?

10 (edited by saquib.akhtar 2018-09-11 14:07:46)

Re: Spamming issue

ZhangHuangbin wrote:

Did you force all users to set a strong password?

The current password policy is at least 10 characters, with:
Password must contain

    at least one letter
    at least one uppercase letter
    at least one digit number
    at least one special character: #$%&'"*+-,.:;!<=>?@[]/\(){}_`~


But even then, if some user accesses his/her mail account on a public cyber cafe system or anywhere outside, his account gets compromised.

But today a new type of spamming was seen; an IP from the UK hacked some accounts and tried to send 1 KB genuine subject lie mails to domain members in large amounts.

It was hacked from <dynamicip>.threembb.co.uk

The mail cannot be opened due to errors in it.

What can be done now?

11

Re: Spamming issue

1: Force all users to use strong passwords.
2: Set a global throttle limit, i.e. 100 emails per hour. This will help reduce outbound spam.

12

Re: Spamming issue

Hi Zhang,

Is there a possibility of getting an email alert once the throttle limit reaches 90%? Thus any account reaching 90% of the threshold value triggers an email to an admin/admins (entered email)?

This would be very helpful!

13

Re: Spamming issue

bigweb wrote:

Is there a possibility of getting an email alert once the throttle limit reaches 90%? Thus any account reaching 90% of the threshold value triggers an email to an admin/admins (entered email)?

Such an alert/notification is not implemented yet.

What kind of notification do you prefer? Email?

14 (edited by bigweb 2018-09-25 18:06:33)

Re: Spamming issue

Yes, it would be good if global admin(s) (or any email written in a config file somewhere) could get an email notification.

PS - I remember I've seen some similar discussion here in the forum in 2013, and it's a pity this is not implemented yet, as this is a really good mechanism to catch spam sending from hacked accounts and stop it immediately before getting onto lots of blacklists. (PPS I know you might suggest strong passwords, but in my case passwords were stolen with keylogger malware, so if I could get a warning about the threshold limit, I could have reacted fast and prevented the hacker from sending tons of emails.)

Hopefully you can offer some kind of add-on script I could use?

PPS - I replied to this thread on iRedMail, however I have the iRedMailPro version.
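
The kind of add-on check requested above can be done from the Postfix log alone. The script below is an added example, not part of this thread and not iRedAPD code: it counts messages per SASL-authenticated account in a sliding one-hour window and reports any account at 90% of the 100-per-hour limit suggested earlier. The function names, the sample log and the assumed log year are constructed for illustration; the regular expression targets the standard `client=..., sasl_method=..., sasl_username=...` line that Postfix smtpd writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line Postfix smtpd logs for each message accepted from a SASL-authenticated client.
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?:\w+/)?smtpd\[\d+\]: "
    r"\w+: client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)$"
)

def near_limit_senders(lines, limit=100, warn_percent=90,
                       window=timedelta(hours=1), year=2018):
    """Return {account: (peak messages in one window, client IPs seen)} for every
    account that reached warn_percent of `limit` within a sliding `window`."""
    recent = defaultdict(deque)   # account -> timestamps still inside the window
    ips = defaultdict(set)        # account -> client IPs it authenticated from
    alerts = {}
    for line in lines:
        m = SASL_RE.match(line.strip())
        if not m:
            continue              # not an authenticated-submission line
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user = m["user"].lower()
        ips[user].add(m["ip"])
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) * 100 >= limit * warn_percent:
            peak = max(len(q), alerts.get(user, (0, None))[0])
            alerts[user] = (peak, sorted(ips[user]))
    return alerts

def constructed_log():
    """Constructed sample: one account bursts 95 messages in 8 minutes, another sends 5 in a day."""
    fmt = ("Sep 11 {h:02d}:{m:02d}:{s:02d} mail postfix/submission/smtpd[2211]: "
           "{q:010X}: client=unknown[{ip}], sasl_method=PLAIN, sasl_username={u}")
    burst = [fmt.format(h=14, m=i // 12, s=(i % 12) * 5, q=i, ip="203.0.113.7",
                        u="alice@example.com") for i in range(95)]
    normal = [fmt.format(h=8 + 2 * i, m=0, s=0, q=1000 + i, ip="198.51.100.20",
                         u="bob@example.com") for i in range(5)]
    noise = ["Sep 11 14:00:01 mail postfix/qmgr[900]: 0000000001: removed"]
    return normal[:3] + burst + noise + normal[3:]

if __name__ == "__main__":
    for account, (peak, seen) in near_limit_senders(constructed_log()).items():
        print(f"ALERT {account}: {peak} msgs/hour (limit 100) from {', '.join(seen)}")
```

This counts accepted messages, not recipients, so a single message addressed to many recipients counts once; the printed alert line can be piped to a mailer or read by a monitoring agent.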

15

Re: Spamming issue

I will implement the alert by sending email to a given email address ('postmaster@<first-mail-domain>' by default) in the next iRedAPD release, but not the upcoming release, sorry.

Or, if you want to contribute some work to implement it, feel free to ask me questions about iRedAPD plugin development here (new forum topic please), I'm more than happy to help.

16

Re: Spamming issue

Getting alerts for mail IDs sending out spam mails is the best way of handling alerts.

Also, if possible, it could be integrated with the ZABBIX MONITORING TOOL, meaning alerts if a mail ID has crossed the global threshold ...

If we use EV SSL for our mail domain, then how much can it guarantee against a breach attempt, as the Let's Encrypt SSL seems not so secure?

17

Re: Spamming issue

Dear all,

I just improved iRedAPD to send a notification email when someone exceeds the quota; it will be available in the next release.