
URGENT! Spammed by Excessive Undeliverable Gateway messages 2


Excelerate2004

Programmer
Mar 8, 2004
163
CA
Hello Everybody,

I have a bit of a serious problem...I'm getting spammed by hundreds of Undeliverable Gateway messages with @aol.com email addresses.

How can I stop this?

Thanks, any help would be much appreciated.
 
Can anybody out there give me some help regarding this problem? Please?
 
I am not sure exactly what you are experiencing from your description. You may want to post a section of your gwia logs.

If you are getting bounces from aol mailservers a spammer may be using your domain as a "from" address OR you may have an open relay.

If you are getting mail to bogus addresses in your domain that are undeliverable, you are probably on a spam list. A front-end spam filter will alleviate most of those messages.
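
The two causes named above (a forged "from" address versus mail actually leaving through your own gateway) can be told apart from the bounce itself. This is an added example, not part of the original thread: it reads the copy of the original message that a bounce carries and checks which IP handed it to the bouncing server. The sample bounce, host names, IP addresses and the `gateway_ips` parameter are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample bounce (RFC 3464 layout); hosts and IPs are documentation values.
SAMPLE = """\
From: MAILER-DAEMON@mx.example.net
To: sales@example.com
Subject: Undeliverable message
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

User unknown.
--b1
Content-Type: message/rfc822

Received: from {host} ([{ip}]) by mx.example.net; Mon, 8 Mar 2004 10:00:00 -0500
From: sales@example.com
To: nobody@example.net
Subject: offer

body
--b1--
"""

def handoff_ip(bounce_text):
    """Return the IP that handed the original message to the bouncing server."""
    bounce = message_from_string(bounce_text, policy=policy.default)
    original = None
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original message attached
            original = part.get_payload(0)
            break
        if ctype == "text/rfc822-headers":     # only the original headers attached
            original = message_from_string(part.get_content(), policy=policy.default)
            break
    received = original.get_all("Received", []) if original is not None else []
    # The topmost Received line was written by the bouncing server. Use the
    # bracketed IP it recorded, not the host name, which the sender chooses.
    m = re.search(r"\[([0-9A-Fa-f.:]+)\]", received[0]) if received else None
    return m.group(1) if m else None

def classify(bounce_text, gateway_ips):
    """'sent-via-our-gateway' points at relaying or an infected internal host."""
    ip = handoff_ip(bounce_text)
    if ip is None:
        return "undetermined"
    return "sent-via-our-gateway" if ip in gateway_ips else "forged-sender-backscatter"
```

A bounce whose hand-off IP is not one of your gateway addresses never passed through your system, so closing relaying on the GWIA will not stop it; only filtering in front of the gateway will.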
 
I would check GWGuardian software or one alike. That should take care of your problem.
 
I think one of these items is the answer:

"...getting bounces from aol mailservers a spammer may be using your domain as a "from" address OR you may have an open relay."

So I guess the next step would be to get a front end spam filter.

Hopefully that will put me on to the right track.

Thanks for your help.
 
If you have an open relay, close it.

If your domain is being used by a spammer, then antispam software on your end won't help your bandwidth. However, an antispam gateway (I use Spamassassin) will take the load off your GWIA.
 
Hi lgarner,

I went to the Spamassassin website:
To try to find out some information, but was left more confused than anything else.

How does spamassassin work? Is it easy to set up? Is it a free service?

If you could answer those questions for me that would be a great help. I need to get something in place as this spam is getting out of hand!

Thank you
 
Just to add to what sstoppel said.. GroupWise 5.5 by default is wide open to relaying. You can disable it, but you have to take into account the information posted on that link. Make sure your system is patched AND you've taken the appropriate action to shut off relaying. I'm guessing that it will cut off the majority of problems that you are seeing.



Marvin Huffaker MCNE, CNE
Marvin Huffaker Consulting
 
Thanks guys, I'm going to look at some of these issues now.

I'll repost if and when I make any changes.

Your help has been much appreciated as this is knowledge and experience that I don't have when it comes to Groupwise.

Cheers
 
I just followed the link posted by sstoppel and found that the radio button to Prevent Message Relaying had already been checked.

So maybe that's not the issue at all.

What next??
 
Spamassassin isn't a service, it's a product to block spam. You install it on a server. The server also runs an MTA (which is really the only part that you need in this case). You'd have your incoming mail go to the Spamassassin server, which processes it and forwards it to GWIA if it's ok.

I use Postfix as the MTA. Each hour it downloads a list of valid email addresses. Anything not valid is rejected.

As I said, this keeps the load off your corporate mail server, but doesn't help the bandwidth. For that you would need a service which processes the mail before it reaches you. Your firewall could then be configured to allow SMTP only from your service provider.

Also, there are a few anti-spam solutions specifically for GW, but I don't know if any work with v5.5. You could check Guinevere or GWAVA.
 
Spamassassin is a free (open-source) product which is being used by thousands of companies. Version 3.0 was just released a few days ago and is probably going to be very good at stopping spam. I have heard, however, that Spamassassin can be a bear to set up.

That being said, here's my 2 cents: If you have a little money to spend (around a couple grand), I would HIGHLY recommend looking into purchasing a Barracuda Spam Firewall. We purchased one this summer. Installation and configuration were easy. Since that time, over 80% of the email to our organization has been stopped before it even made it to our mail server (negligible false-positive rate). It is an excellent product! Also, it's relatively inexpensive when compared to other anti-spam products (except, of course, spamassassin).

We have used GWAVA on our server for the past couple years. I got to know the software pretty well. It does a great job of virus blocking, but I was much less impressed with its ability to stop spam. That is why we looked elsewhere. I researched what was available, weighed the options of "free" vs "pay for" services and products, and decided to go with a Barracuda. I haven't looked back. We still use the GWAVA on the server side as a second line of defense against viruses, but it really gets very little use. To its defense, Beginfinite (makers of GWAVA) have released a new version which is supposed to improve spam filtering. However, for a little more cash I can stop spam before it even gets to my mail server, freeing up plenty of system resources.

With regard to your immediate problem: Unfortunately, GW 5.5 does not have many built-in capabilities for stopping spam. It's likely that your "@aol.com" spam is not actually coming from AOL IP addresses. Using an RBL might help, but GW5.5 doesn't let you do that. I really don't have any suggestions to stop this problem without purchasing a different product. Sorry.

Ron


“If you are irritated by every rub, how will you be polished?”
~ Mevlana Rumi


Do you live in Michigan? Join us in the Tek-Tips in Michigan forum.
 
You might want to consider a managed spam service (such as Electric Mail), which will filter and manage traffic outside of your network, and prevent directory harvest attacks or relaying issues. Since you won't have to install anything on your end, it is typically much more cost effective than managing an in-house solution.

Oren Friedman
 
There is a way in Netware Administrator Groupwise View to tell the mail system to delete all undeliverable/problem messages. You have to go into the configuration of the GWIA under SMTP and make sure that the problem and undeliverable messages are not checked. You can also set the email bomb threshold lower.

Plus consider upgrading to Groupwise 6.5 which has its own spam control.

Susan Hebel, MASE, CNE
Senior Network Engineer
TCI Systems, Inc.
 
Except that this 5.5.4 patch doesn't work.

5.5.4 does indeed NOT relay by adding the "/NOROUTING" to the GWIA.CFG file in the SYS:SYSTEM folder.

The problem is that the messages are NOT deleted.
They pile up in the DEFER folder.
Bouncing back and forth between DEFER/SEND.
I eventually had to delete more than 89,000 files
from these folders before GWIA was brought to its knees.
The messages keep getting queued up.

And NO symantec corp AV NLM for Novell does NOT in ANY WAY
find the embedded Netsky virus in the mime section.

Damn symantec.

I'm trying to get my client to install ASSP or GW 6.5.

George Walkey
Senior Geek in charge
 
We had great success with gwavix, which blocks that junk before it gets into the gwia at all. It is easy to configure and very low maintenance. Not sure how well it scales to a large system but on our 75 person network it is more than adequate.
 