How to check SMTP User doing the Spam?

[greenberet88]

Hello everybody,

I have an Email server with postfix, we have SMTP authentication installed, and we are getting spam outbound, meaning that somebody is using our server to send spam outside, we have fixed a lot of that but we still get it from time to time.

My question is:

If we have SMTP authentication, and the spammer is sending emails, it means its using a user and password as a SMTP Authentication,

**** How can I trace who account is being used for the spammer *** ??

any log line or log modification to show me that?

Thanks a lot in advanced.

Alan

 

[Noway2]

I realize this may seem like asking the obvious, but how do you know that it is originating from your server? Are you sure that it isn't back-scatter?

If it is originating from your server, it should be fairly easy to tell which system it is coming from. You will need to look at the mail logs. In my Linux system, the log is /var/log/mail.log, but yours may vary. What you will want to do is search the log for one of the key words of the spam, such as the recipient that will let you find the entries associated with that message. There will be a hex-number to the left of the to: you can use that as the ID to search the logs for the entries associated with that message to make things simpler. You should then find the ones that say "client=" and "from=". Note the "from=" picks from the headers and may be spoofed. The client= should give you the (fully qualified) domain name / and or IP of the system that made the connection, allowing you to trace it. One thing to note, if you use a spam filter that receives the mail and then re-injects it, you will need to follow the trail twice with two ID numbers as it will re-inject as received from localhost.

 

[greenberet88]

Hello Norway2 and thanks for your quick response.

We have stopped the spamming from our server, yet like you said its possible we are getting the Back-scatter emailed, I have checked the logs and i´m getting the NOQUEUE in tons, how can i block the backscatter emails..... should i block the MAILER-DAEMON with a header-check?

Thanks a lot.

 

[Noway2]

Take a look at this:

http://www.postfix.org/BACKSCATTER_README.html

It is an article from the creator of Postfix that discusses multiple techniques on how to deal with spam back scatter. Basically, the first line of defense is to configure postfix to reject messages for non known recipients. If messages get through this, then you need to get a little more creative. Use specifics of how your host identifies itself and use these patterns in a regex to filter legitimate traffic from the noise. The article goes into a lot more detail and has examples of how this is done.

Personally, I am starting to think that the goal of the spammers is to create as much nuisance traffic as they can and clog the system rather than get you to buy Viagra or send money to Nigeria. This is a much more nefarious purpose. In this regard, the anti spam measures have been very effective in furthering their goals. This is one of the reasons why I have my server set to quietly discard the crap it catches rather than reject it with a bounce. Bouncing messages just causes more trouble as you are seeing. The down side is that legitimate mail to non-existent recipients, such as caused by having a spelling error, may not be discovered as quickly.