Limit the incoming email rate in Postfix

Question: I have spammers sending multiple email messages to my mail server. How can I limit the number of emails they can send in a given amount of time?
Answer: This is a trick that many spammers and malicious hackers will use to flood your server with their nonsense. Although a spam blocker will certainly help, it still has to process each email. If thousands of emails are sent an hour, that takes up valuable CPU power, memory, disk space, and time.
Postfix mail server allows you to limit the rate of incoming emails, keeping the spam messages from flooding your server. To configure it, edit /etc/mail/main.cf:
# nano main.cf (or vi main.cf)
Add the following directives:
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
With these settings, once a client has made more than 10 protocol errors in a session without delivering mail (the soft limit), Postfix delays each of its responses by 1 second; once the client passes 20 errors (the hard limit), Postfix disconnects it.
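The following script is an added illustration, not part of the original answer, that models what those three directives do: it parses a main.cf-style fragment (constructed here; the standard Postfix path is /etc/postfix/main.cf) and walks a simulated SMTP session, counting errors and reporting when responses start being delayed and when the client is dropped. The error-counter semantics follow the Postfix documentation; the exact boundary (>= versus >) is approximated. Note that 1s, 10 and 20 are also Postfix's built-in defaults for these parameters, and that they throttle misbehaving clients rather than mail volume as such; per-client connection and message rate limits are handled by the separate smtpd_client_connection_rate_limit and smtpd_client_message_rate_limit parameters.

```python
"""Model of Postfix smtpd error limits (added example, not from the original post).

Assumptions: the three directives are read from a main.cf-style text, and the
counter semantics follow the Postfix documentation (slow responses once the soft
limit is passed, disconnect once the hard limit is passed). The boundary
handling (>= vs >) is approximated; treat the numbers as illustrative.
"""
import re

# Constructed main.cf fragment with the directives from the post.
MAIN_CF = """
# slow down and then drop clients that keep making errors
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
"""

_DURATION = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_main_cf(text):
    """Return {name: value} for 'name = value' lines, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def parse_seconds(value):
    """Postfix time values such as '1s', '30', '2m'; bare numbers are seconds here."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * _DURATION[m.group(2) or "s"]


def simulate_session(events, sleep_time, soft_limit, hard_limit):
    """Walk one SMTP session.

    events: sequence of 'ok' (accepted command) or 'err' (rejected command).
    Returns (responses_delayed, disconnected_at): the number of responses slowed
    by sleep_time, and the 1-based event index at which the server dropped the
    client, or None if it never did.
    """
    errors = 0
    delayed = 0
    for i, ev in enumerate(events, start=1):
        if ev == "err":
            errors += 1
        if errors > hard_limit:
            return delayed, i
        if errors > soft_limit and sleep_time > 0:
            delayed += 1
    return delayed, None


def run_with_config(text, events):
    """Apply the directives found in `text` to a simulated session."""
    p = parse_main_cf(text)
    return simulate_session(
        events,
        parse_seconds(p.get("smtpd_error_sleep_time", "1s")),
        int(p.get("smtpd_soft_error_limit", 10)),
        int(p.get("smtpd_hard_error_limit", 20)),
    )


if __name__ == "__main__":
    # A client that sends 25 rejected RCPT TO commands in a row:
    # responses 11-20 are delayed, and the 21st error gets it disconnected.
    print(run_with_config(MAIN_CF, ["err"] * 25))
```

Feeding the simulator a mix of 'ok' and 'err' events shows that a well-behaved client is never slowed down, which is the point of tying the limit to errors rather than to connections.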
Source: nixCraft
Tag: email, mail server, postfix, smtp, spam
Testing your mail server for an open relay

Question: How do I make sure my mail server isn’t an open relay?
Answer: First we should be clear on what an open relay is. According to spamhelp.org, an open relay is:
“a mail server that does not verify that it is authorised to send mail from the email address that a user is trying to send from. Therefore, users would be able to send email originating from any third-party email address they want.”
For example, someone could use yourmailserver.com to send emails from a fake account called fake@fake-accounts.com. It is a way to send spam while making sure their email address is not blocked. In some cases, they might even have software that creates fake email addresses that match the receiving server’s.
SpamHelp.org has an open relay test that you can use to check for open relays. If you find out your server does have an open relay, you should close it immediately. By default Postfix does not allow open relay, so you might want to check the security on your server if you did not open it. If you are running Postfix, you can fix an open relay by following the directions at The Drawingboard.
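To make the definition concrete, here is an added example (not from the original post, and not Postfix's own code) that models how a Postfix-style recipient restriction list decides whether to relay. It evaluates the restrictions in order, exactly as the classic open-relay probe would exercise them: an unauthenticated outside client asking to deliver to a third-party domain. The networks, domains and client addresses are constructed sample values; the "SAFE" list is the usual closed configuration and the "OPEN" list omits reject_unauth_destination to show what an open relay looks like.

```python
"""Relay decision model for an SMTP server (added example, not Postfix's code).

Assumptions: restrictions are evaluated in order, the first permit/reject wins,
and an exhausted list permits. mynetworks, local domains and relay domains
are constructed sample values.
"""
import ipaddress

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
MYDESTINATION = {"yourmailserver.com", "localhost"}
RELAY_DOMAINS = {"partner.example"}

# Closed configuration: strangers may only send to our own or relay domains.
SAFE = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
# Misconfiguration: nothing rejects foreign destinations, so the list falls
# through to the implicit permit and anyone can relay.
OPEN = ["permit_mynetworks", "permit_sasl_authenticated"]


def evaluate(restrictions, client_ip, authenticated, rcpt_domain):
    """Return 'permit' or 'reject' for one RCPT TO."""
    addr = ipaddress.ip_address(client_ip)
    trusted = any(addr in net for net in MYNETWORKS)
    ours = rcpt_domain in MYDESTINATION or rcpt_domain in RELAY_DOMAINS
    for r in restrictions:
        if r == "permit_mynetworks" and trusted:
            return "permit"
        if r == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if r == "reject_unauth_destination" and not ours:
            return "reject"
        if r == "permit":
            return "permit"
        if r == "reject":
            return "reject"
    return "permit"  # list exhausted without a decision


def relay_decision(restrictions, client_ip, authenticated, rcpt):
    """Map a RCPT TO address to the SMTP reply the client would see."""
    if "@" not in rcpt:
        return 501, "Bad recipient address syntax"
    domain = rcpt.rsplit("@", 1)[1].lower().rstrip(".")
    if evaluate(restrictions, client_ip, authenticated, domain) == "permit":
        return 250, "Ok"
    return 554, "Relay access denied"


def open_relay_probe(restrictions, client_ip="203.0.113.9"):
    """The core relay test: an unauthenticated outsider sends to a foreign domain.

    True means the server would relay it, i.e. it is an open relay.
    """
    code, _ = relay_decision(restrictions, client_ip, False, "fake@fake-accounts.com")
    return code == 250


if __name__ == "__main__":
    for name, rules in (("SAFE", SAFE), ("OPEN", OPEN)):
        print(name, "open relay:", open_relay_probe(rules))
        print("  outsider -> us:      ", relay_decision(rules, "203.0.113.9", False, "user@yourmailserver.com"))
        print("  LAN host -> elsewhere:", relay_decision(rules, "192.0.2.20", False, "friend@elsewhere.example"))
        print("  authenticated user:   ", relay_decision(rules, "203.0.113.9", True, "friend@elsewhere.example"))
```

Inbound mail to your own domain and submissions from trusted or authenticated clients succeed under both lists; only the foreign-to-foreign case separates a closed server from an open relay, which is why that is the case the online tests send.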
Source: SpamHelp.org
Photo: Flickr
Tag: mail server, open relay, postfix, security, server, spam
What is DNSBL and should I care about it?

Question: What is DNSBL and should I care about it?
Answer: DNSBL stands for DNS Block List or Blacklist. Essentially, it is a published list of IP addresses that are in some way connected to spam. Although the most common form of DNSBL is a list of actual servers and/or computers that send spam, there are some that flag IP addresses based on association with spamming computers or the potential to send spam. The latter two are particularly controversial.
The reason you should care about DNSBL is that there is always the possibility that your server could end up on one. If you run a dedicated server with multiple users, the potential is greater because you could actually have users who abuse their privileges and send spam. As a result, their ip address will be flagged, and if that ip address is shared with others, everyone suffers.
The result is that any other email servers that rely on the lists will reject email sent from your server. You can prevent this by ensuring that your server is locked down and not an open relay for spam. Furthermore, you can periodically check the most common block lists to see if your ip addresses are listed. If they are, find out how spam is being sent through your server and eliminate the problem. Within 48 hours of fixing the problem, most lists will remove your IP addresses.
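The periodic check suggested above can be scripted. The following is an added example, not from the original post, showing the mechanics a mail server uses to consult a DNSBL: the IPv4 octets are reversed and prefixed to the list's zone, and an A record in 127.0.0.0/8 means "listed", with the final octet carrying the list's reason code. The zone name dnsbl.example, its return codes and the DNS answers are all constructed so the script runs offline; a `live_resolve` function is included for querying a real list.

```python
"""DNSBL lookup mechanics (added example, not from the original post).

Assumptions: IPv4 addresses only; the resolver is an in-memory table standing
in for DNS; dnsbl.example and its return codes are invented sample values.
"""
import ipaddress
import socket

# Constructed DNS answers. By convention many lists publish 127.0.0.2 itself
# as a test entry, so a lookup of 2.0.0.127.<zone> should always be 'listed'.
FAKE_DNS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    "4.3.2.1.dnsbl.example": ["127.0.0.2", "127.0.0.4"],
}

# Sample meaning of the return codes for the hypothetical list dnsbl.example.
RETURN_CODES = {
    "127.0.0.2": "direct spam source",
    "127.0.0.4": "open relay / compromised host",
}

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the query name: reversed octets plus the list zone."""
    a = ipaddress.ip_address(ip)
    if a.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(a).split("."))) + "." + zone


def resolve(name, table=FAKE_DNS):
    """Offline stand-in for an A-record lookup; [] plays the role of NXDOMAIN."""
    return list(table.get(name, []))


def live_resolve(name):
    """Real lookup for use against an actual list (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_listing(ip, zone, lookup=resolve):
    """Query one list for one address and decode the answer."""
    name = dnsbl_query_name(ip, zone)
    # Only answers inside 127.0.0.0/8 count; anything else is not a listing.
    answers = [a for a in lookup(name) if ipaddress.ip_address(a) in LISTED_RANGE]
    return {
        "query": name,
        "listed": bool(answers),
        "reasons": [RETURN_CODES.get(a, "code " + a) for a in answers],
    }


def check_all(ips, zones, lookup=resolve):
    """Periodic check for a server's addresses: returns only the hits."""
    hits = []
    for ip in ips:
        for zone in zones:
            result = check_listing(ip, zone, lookup)
            if result["listed"]:
                hits.append((ip, zone, result["reasons"]))
    return hits


if __name__ == "__main__":
    # Constructed sample: one listed address and one clean one.
    for hit in check_all(["1.2.3.4", "198.51.100.7"], ["dnsbl.example"]):
        print("LISTED:", hit)
```

Running `check_all` from cron against your outbound addresses, with `live_resolve` substituted for `resolve`, gives early warning before other servers start bouncing your mail.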
Photo: Flickr
Tag: blacklist, block list, dns, dnsbl, mail server, spam
How to defend a virtual private server from hackers

Email forms are a common way for hackers to send spam. If you use email forms such as Matt’s script (often known as FormMail) or other similar mail scripts, your server could be vulnerable to attacks. If you have clients or simply other users creating sites on your server, you might not even know if you have these scripts. To find out, you can run this simple command:
find / -name "[Ff]orm[mM]ai*"
To check for CGIemail scripts, try this command:
find / -name "[Cc]giemai*"
Finally, to disable the sending of emails from the forms, enter:
chmod a-rwx /path/to/filename
This last command will completely lock user permissions to the script, so if you have a customer or user of a VPS who utilizes one of these form scripts, be sure to contact them and give them ample warning before proceeding. You should offer them a safe and secure alternative, leaving your customers happy and your server secure.
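The three steps above can be combined into one audit script. This is an added example, not part of the original post: it uses the same find patterns, reports every match so the affected customers can be contacted first, and only then removes the permissions. The directory tree it searches is constructed by `make_demo_tree` so the script can be tried safely before pointing `count_form_scripts` or `lock_all` at a real root.

```sh
#!/bin/sh
# Added example: inventory and lock form-mail scripts under a directory tree.
# Assumes POSIX sh with find, chmod, mktemp; the demo tree is constructed here.

find_form_scripts() {
    # $1 = root directory; same name patterns as the post's two find commands
    find "$1" -type f \( -name '[Ff]orm[mM]ai*' -o -name '[Cc]giemai*' \) 2>/dev/null
}

count_form_scripts() {
    # Number of matching scripts under $1, for a quick first look
    find_form_scripts "$1" | wc -l | tr -d ' '
}

lock_script() {
    # Remove all permissions from one script and record what was locked
    chmod a-rwx "$1" && printf 'locked: %s\n' "$1"
}

lock_all() {
    # Lock every match under $1; one path per line, so spaces are handled
    find_form_scripts "$1" | while IFS= read -r f; do
        lock_script "$f"
    done
}

make_demo_tree() {
    # Constructed sample sites: two vulnerable scripts and one unrelated CGI
    d=$(mktemp -d)
    mkdir -p "$d/site1/cgi-bin" "$d/site2/cgi-bin"
    : > "$d/site1/cgi-bin/FormMail.pl"
    : > "$d/site2/cgi-bin/cgiemail"
    : > "$d/site2/cgi-bin/index.cgi"
    printf '%s\n' "$d"
}

if [ "${DEMO:-}" = "1" ]; then
    root=$(make_demo_tree)
    echo "found $(count_form_scripts "$root") script(s) under $root"
    lock_all "$root"
fi
```

Run it with `DEMO=1 sh audit.sh` to see it operate on the sample tree; on a live server, call `count_form_scripts /` first and hand the list to the affected users before running `lock_all`.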
Photo: Flickr
Tag: email, forms, secure, server, spam, vps
Stomping Out Spam

Spam is an ongoing problem with any email account, but many people with their own websites are suddenly placed in the position of needing to fight spam on their own. A good web host, however, will provide you with options that should make it pretty painless for you. When I ran my own web hosting company, spam accounted for nearly 80% of all incoming emails. We successfully stopped most of it, but it took a lot of work.
There are a few options that your web hosting provider may offer for fighting spam. If you see any of these names, you can probably rest assured that they help you keep your inbox clean. Some of the software solutions include SpamAssassin, Spamhaus, and Barracuda. There are others, but these are commonly known and accepted as being good anti-spam solutions.
There are other important things you can do to lessen the possibility of spam harvesting. One is to make sure your email address is not directly listed or linked on your website. If you want your site visitors to contact you, use a contact form script or the contact form that comes with your content management system. If you must list your email address, consider using an image instead of text. This will make it more difficult for spam bots to scoop it up and pass it around to spammers. With a little diligence and forethought, you can have a relatively spam-free inbox.
Photo: Flickr
Free DNS Tools for Web Hosting

Inevitably, there are times when you need to do troubleshooting of your web and email services, or you simply need to make sure all of your network services are operating correctly. For years, I have relied on one free service to handle most of my DNS needs. It is called DNSstuff.com. They offer mail server analysis, DNS reports, SPAM database lookup, traceroute, Whois lookup, reverse DNS lookup, ping, Internet speed test, and much more.
With their full DNS report, you can enter a domain name and find out the name servers and other DNS information. It will also tell you if there are any problems with a particular domain’s DNS setup. Unfortunately, many of their services are no longer free, but there are many other services out there that still offer free advanced DNS tools.
Among the free ones are freednslookup.net, rrlookup.com, and samdns.com. If you need to know the location of an IP address, these tools will help you. If you need to know who owns a domain, you can find that out too. You can even look up specific DNS records, such as A, MX, CNAME, and NS. Regardless of which tool you choose, it is very important to check these features before you have problems, to help prevent them, and whenever you have connection issues with your website.
Photo source: SXC
Tag: .mx, cname, dns, lookup, nameserver, ping, spam, traceroute, whois
Two Chinese domain registrars to blame

The names of the two Chinese domain registrars allegedly responsible for a large chunk of the world’s spam, have come under fire from University of Alabama’s director of research, Gary Warner. Last week I posted a short entry about Warner’s research, concluding that 70 percent of spam originated in China. Warner has now identified two companies: eName and Xin Net Technology as the two registrars that provide the spammers with safe havens.
According to Warner, 34,283 malicious domains are linked to Xin Net. Registrants of their domains deal in all sorts of crimes, from unregulated drugs to software piracy. eName is linked to several security attackers, including botnets. Warner argues that these registrars could actively prevent these illicit activities and shut down these domains.
With eName, “we are seeing an absolute refusal to cooperate with any legitimate form of an abuse complaint,” Warner said. Xin Net will take minor action when pressed with a complaint, he said.
Rod Beckstrom, newly appointed ICANN president and CEO, has already hinted that new regulations could be on the horizon. Companies like eName and Xin Net could be restricted from registering domain names altogether if they refuse to deal with this type of abuse. Meanwhile, the Chinese government has a team that deals with complaints, but it is undermanned and receives as many as 9,000 complaints per day.
Source: PC World
Photo: Flickr
Tag: china, country domains, domain registration, domains, registrar, security, spam
Chinese domains linked to 70 percent of SPAM

A new report by the University of Alabama at Birmingham (UAB) has concluded that as much as 70 percent of all spam sent in 2009 originated from domains ending in .cn, China’s top-level country domain. Furthermore, the report claims to have confirmed that nearly all of those spam messages originated on Chinese servers.
The study mined millions of spam emails and concluded that they came from 69,117 unique domains. Of that number, 48,552 or 70 percent, were sent from .cn domains. 48,331 were sent from Chinese computers. Chinese domains and servers are ripe for the picking in the minds of spammers for two reasons: 1) Web hosts in China deny the problem and insist that they do not have security issues, and 2) domain names in China are phenomenally inexpensive, costing only about one yuan or 15 U.S. cents.
Gary Warner, UAB’s director of research in computer forensics, insists that China has entered a “spam crisis.”
“Not only is it cheap to operate spam-promoted Web sites through the Chinese technology infrastructure, there is not enough revenue being generated to pay for the creation of programs or entities that could prevent such abuses from taking place,” Warner said.
Source: Newswise
Photo: Flickr
Tag: china, country domains, domains, security, spam, top level domains, web hosts
Triple Fiber Network Responds to Shutdown

A week ago from today, the FTC shut down California web host Triple Fiber Network (3FN) for hosting illegal content, including child pornography, malware, and the infamous “Cutwail” botnet.
In a press release riddled with broken English and grammatical errors, the company responded to the shutdown.
Triple Fiber blasted the FTC for shutting down all its servers without prior notification and went on to declare its innocence, claiming it “never provided any services for illegal businesses intentionally.” It offered to help with the investigation, but added there was no evidence to convict it of wrongdoing.
Our company has always been willing to assist authorities in their investigations. Accusing the provider in illegal actions made by its customers is not the way out and will not solve anything. It causing more damage to law-abiding customers than helps successfully fighting cyber criminals.
The company also stated that the evidence the FTC collected against it, including instant message logs of sales pitches to spammers and hackers, “can not be the evidence of [3FN] complicity.”
Triple Fiber Network said millions of dollars have been lost so far by the shutdown. It claims to be doing everything in its power to recover customer accounts, but has not revealed in what manner it is doing so and what, if any, progress has been made.
Photo: Flickr
Tag: 3fn, california, ftc, malware, shutdown, spam, spyware, triple fiber network
Phishers have new tools

According to two reports released by the security company Symantec, phishers and spammers are coming up with new ways to attack their victims. In the past they almost exclusively relied on forged emails and web sites. Now, social networking sites like Twitter and Facebook can be added to their lists of targets.
“It is important that end users are educated and it is important that IT managers take measures against attacks,” said Dermot Harnett, Symantec’s senior director of anti-spam engineering and a co-author of the State of Spam and State of Phishing monthly reports.
“There are products — not just Symantec’s — that managers can use. It is important that we as a community protect ourselves,” Harnett told InternetNews.com.
The attackers often use forged emails to initially gain access to an unsuspecting user’s Facebook account, but once they are in the door, they can rely solely on Facebook to spread their spam or phishing scheme. They try to acquire private information until they have enough to get what they are really after: money. Their ultimate goal is still to get bank account information and credit card numbers. Phishers also target free web hosting services where they can quickly set up sites anonymously.
Source: Internetnews.com
Photo: Flickr
Tag: cybercrime, phishing, security, social networking, spam, websites