qmail spammer clean up. senderbase problems, relaying and more

One of the clients on a server I manage used a very weak password on two mail accounts and both of these had been exploited by spammers.

Now, putting aside the new systems that will have to be implemented to prevent this in future, we had the job of cleaning up.  After clearing the mail queue, which is a straightforward enough job, we were left with the problem that this server's reputation had taken a huge hit.  Spamcop was easy to deal with as they have a quick and easy method of removal from their RBL.  However, larger providers such as AOL and Hotmail are not so easy to please.

We have taken all the steps they require of us and still we are being rejected.  Now, I can fully understand why and have no problem with them doing this; however, communicating with them to remove the block is extremely difficult.

To get mail flowing for those few clients who forward their mail on, I have set up a smarthost that will only accept email from the specific server, and then set up the server in question to relay, via that smarthost, mail for those large providers to whom we can't currently send.

Let's say server1.mydomain.com was the affected server and relay.mydomain.com is the new relay server.

On server1.mydomain.com we added a file called /var/qmail/control/smtproutes, and in this file we put one line per provider that is rejecting us:

[sourcecode]aol.com:relay.mydomain.com
btinternet.com:relay.mydomain.com[/sourcecode]

and so on for each affected provider.

On the relay server we went into Plesk and added the server1.mydomain.com IP address to the whitelist of IPs it would accept email from.

Sending -ALRM to the PID of qmail-send on server1.mydomain.com caused it to attempt to send the queued mail again.
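As an added example (not code from the original post), here is a small Python model of how qmail-remote consults smtproutes: the exact destination domain is tried first, then each leading-dot suffix (the `.domain:relay` wildcard form), then the empty-domain default (`:relay`). It is useful for checking exactly which destinations a file like the one above will divert to the relay and which will still be delivered directly; the `.hotmail.com` wildcard, its port, and the trailing default route are constructed values, not from the post.

```python
from typing import Dict, Optional, Tuple

# Constructed sample of /var/qmail/control/smtproutes in the same form as the
# post's file. The ".hotmail.com" wildcard line is an assumption added to show
# the suffix-matching behaviour; the post only shows exact-domain routes.
SAMPLE_SMTPROUTES = """\
aol.com:relay.mydomain.com
btinternet.com:relay.mydomain.com
.hotmail.com:relay.mydomain.com:2525
"""

# (relay host, port); None means no artificial route, i.e. normal MX delivery.
Route = Optional[Tuple[str, int]]


def parse_smtproutes(text: str) -> Dict[str, Route]:
    """Parse lines of the form domain:relay[:port] (no spaces, no comments)."""
    routes: Dict[str, Route] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        domain, _, rest = line.partition(":")
        relay, _, port = rest.partition(":")
        if relay == "":
            routes[domain.lower()] = None          # "domain:" forces MX delivery
        else:
            routes[domain.lower()] = (relay, int(port) if port else 25)
    return routes


def lookup_route(routes: Dict[str, Route], host: str) -> Route:
    """Mimic qmail-remote's lookup: the whole host, then every suffix starting
    at a '.', then the empty key (the default route), first match wins."""
    host = host.lower()
    for i in range(len(host) + 1):
        if i == 0 or i == len(host) or host[i] == ".":
            key = host[i:]
            if key in routes:
                return routes[key]
    return None


def domains_relayed_elsewhere(routes: Dict[str, Route], relay: str) -> list:
    """Audit helper: route keys that point somewhere other than the intended
    relay host, which would indicate a stray or tampered smtproutes entry."""
    return sorted(k for k, v in routes.items() if v is not None and v[0] != relay)
```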

What this means is that the server with the duff reputation will now relay email destined for those providers to the relay server, which will then connect to those providers.  The server with the bad reputation will be left like this to allow its reputation to recover, after which I will remove these settings.

PLEASE NOTE:  I am not doing this to allow the spammers to continue.  I am doing this as damage mitigation after the fact.  The owner of these servers hates spam with a vengeance and has disabled the client's account responsible for this.  This technique basically gives the server a fresh IP for a limited period.

The main problems are with companies using Cisco IronPort/SenderBase.  Here is an example:

[sourcecode][root]  telnet mx-ironport.core.plus.net 25
Trying 84.92.1.97...
Connected to mx-ironport.core.plus.net (84.92.1.97).
Escape character is '^]'.
554-mx.ptn-ipin04.plus.net
554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
Connection closed by foreign host.[/sourcecode]

As you can see, there are no instructions on how to contact the server administrator or how to correct any problems.
