Controlling outbound spam

AllCore James

New Member
Dec 20, 2018
Hello, I am new to PMG and have recently switched from a 3rd party product... so far, we are very pleased with the change... but we are having a few issues understanding how PMG thinks / does things...

When we check Statistics >> Domain >> Outgoing reports, one of the largest domains (receiver) is listed as --- Empty Address ---

From our experience with our old product, this would be a big indication of SPAM...

1. Am I correct in reading this report as outgoing spam from our servers through PMG?
2. If I am correct, how do we prevent PMG from allowing this to go out to the internet?
 
Just analyse your email logs via the message tracking center and you will see the details about these messages.
 
I deleted the postfix queue ... 89888 mails !!!
and finally went to the tracking center .... how can the Proxmox gateway send mail when there is no sender?
 
Mails with empty senders are also called bounces/NDR/....
They are regularly used by mailservers to inform users that something did not work (e.g. that a remote mailbox did not exist or is over quota, or that a mail did not yet get delivered but is still queued).

If your PMG installation got hijacked and was used for spamming, I would guess that many of those bounce mails also got generated by PMG (to inform the fake senders that a mail was rejected).

If a mailbox that was relayed over PMG got hijacked, the same could happen.

Cleaning the mailq if you have tons of spam mails in your system sounds like a good idea.
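To turn the "empty sender means bounce" explanation above into something you can run against your own mail log, here is an added example (it is not part of the thread and not PMG's own tooling). It parses Postfix `qmgr` and `smtp` log lines, groups them by queue ID, and reports how many messages left with `from=<>` and which domains those bounces were addressed to. A sudden majority of empty-sender mail, all headed for the same few domains, is the backscatter pattern described in the reply: a hijacked account or open relay sends spam with forged senders, and the rejections come back to (or are generated by) your gateway. The log lines, queue IDs and addresses below are constructed; the threshold values in `looks_like_backscatter` are assumptions you would tune to your own volume.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Postfix log lines (not taken from the thread); queue IDs,
# hosts and addresses are made up for illustration.
SAMPLE_LOG = """\
Dec 20 09:01:02 pmg postfix/qmgr[1201]: A1B2C3D4E5: from=<alice@example.org>, size=1842, nrcpt=1 (queue active)
Dec 20 09:01:03 pmg postfix/smtp[1310]: A1B2C3D4E5: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, status=sent (250 2.0.0 OK)
Dec 20 09:02:10 pmg postfix/qmgr[1201]: F6E5D4C3B2: from=<>, size=3211, nrcpt=1 (queue active)
Dec 20 09:02:11 pmg postfix/smtp[1311]: F6E5D4C3B2: to=<nobody123@example.com>, relay=none, delay=0.4, status=bounced (Host or domain name not found)
Dec 20 09:02:12 pmg postfix/qmgr[1201]: 0A9B8C7D6E: from=<>, size=3190, nrcpt=1 (queue active)
Dec 20 09:02:13 pmg postfix/smtp[1312]: 0A9B8C7D6E: to=<fake-sender@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=0.9, status=sent (250 OK)
Dec 20 09:02:14 pmg postfix/qmgr[1201]: 1B2C3D4E5F: from=<>, size=3205, nrcpt=1 (queue active)
Dec 20 09:02:15 pmg postfix/smtp[1313]: 1B2C3D4E5F: to=<another-fake@example.com>, relay=mx.example.com[198.51.100.5]:25, delay=0.8, status=sent (250 OK)
"""

# qmgr logs the envelope sender once per message; from=<> is the null sender
# that bounces/NDRs use.
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")
# Delivery agents log one line per recipient with the delivery status.
DELIVERY = re.compile(
    r"postfix/(?:smtp|lmtp|local|error)\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>.*?status=(?P<status>\w+)"
)


def parse_postfix_log(text):
    """Group log lines by queue ID: {qid: {"sender": str|None, "recipients": [(addr, status)]}}."""
    msgs = defaultdict(lambda: {"sender": None, "recipients": []})
    for line in text.splitlines():
        m = QMGR_FROM.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]
            continue
        m = DELIVERY.search(line)
        if m:
            msgs[m["qid"]]["recipients"].append((m["rcpt"], m["status"]))
    return dict(msgs)


def empty_sender_report(msgs):
    """Count null-sender messages and tally the domains they were addressed to."""
    empty = [qid for qid, m in msgs.items() if m["sender"] == ""]
    targets = Counter()
    for qid in empty:
        for rcpt, _status in msgs[qid]["recipients"]:
            targets[rcpt.rpartition("@")[2].lower()] += 1
    total = len(msgs)
    return {
        "total": total,
        "empty_sender": len(empty),
        "share": len(empty) / total if total else 0.0,
        "bounce_targets": targets,
    }


def looks_like_backscatter(report, min_empty=3, min_share=0.5):
    """Assumed heuristic: many null-sender messages AND they dominate the traffic."""
    return report["empty_sender"] >= min_empty and report["share"] >= min_share


if __name__ == "__main__":
    report = empty_sender_report(parse_postfix_log(SAMPLE_LOG))
    print(f"{report['empty_sender']} of {report['total']} messages had an empty sender")
    for domain, n in report["bounce_targets"].most_common():
        print(f"  bounces addressed to {domain}: {n}")
    if looks_like_backscatter(report):
        print("pattern matches backscatter: check for a hijacked account or relay")
```

On a real gateway you would feed it `/var/log/mail.log` (or the journal output) instead of `SAMPLE_LOG`; the PMG tracking center shows the same per-message view, but a script like this is handy for spotting the bounce-target domains across tens of thousands of queue entries at once.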
 
> Mails with empty senders are also called bounces/NDR/....
> They are regularly used by mailservers to inform users that something did not work (e.g. that a remote mailbox did not exist or is over quota, or that a mail did not yet get delivered but is still queued).
>
> If your PMG installation got hijacked and was used for spamming, I would guess that many of those bounce mails also got generated by PMG (to inform the fake senders that a mail was rejected).
>
> If a mailbox that was relayed over PMG got hijacked, the same could happen.
>
> Cleaning the mailq if you have tons of spam mails in your system sounds like a good idea.

Yep, mails -d ALL was done ...
but I'm blacklisted now .... :-(((

Who prevents this?
(trace every sender?)
 
> Who prevents this?
> (trace every sender?)

The most important question here would be: where did the spammer get access and was able to send mail (via PMG)?
* hacked end-user account (in that case you need to change the password of that user - and educate your users on the value of good passwords (and encryption))
* hacked downstream server which sends via PMG (in that case - change the password of all users on the server, and find out how the attacker got access)
* misconfiguration in PMG (letting the internal port be available from everywhere and having too many IPs listed in the trusted networks - in that case fix the config - and do some tests from servers not in your network - to make sure you cannot send to arbitrary addresses from external IPs)

> but I'm blacklisted now .... :-(((

That is inconvenient, but if you remove the point where the spammer got access you should get delisted in a few days.
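The third bullet above recommends testing from outside your network that the gateway will not accept mail for arbitrary recipients. The following added example (not from the thread and not part of PMG or Postfix) performs that check as a plain SMTP dialogue: EHLO, MAIL FROM with an outside sender, RCPT TO with an outside recipient, then QUIT. The probe stops before DATA, so no message is ever submitted; an accepted RCPT is already the answer. So that it runs offline, the block also contains a tiny constructed SMTP responder on loopback that mimics a Postfix-style `554 5.7.1 Relay access denied` reply, switchable to open-relay behaviour to show both outcomes. In practice you would point `relay_check()` at your gateway's public port from an external host. Host names, addresses, the `example.test` local domain and the reply texts are assumptions.

```python
import smtplib
import socket
import threading


def relay_check(host, port, mail_from, external_rcpt, timeout=10):
    """Probe an SMTP listener: does it accept a recipient outside its own domains?

    Returns (accepted, transcript); transcript is a list of (step, code, reply).
    The dialogue stops after RCPT TO, so nothing is submitted.
    """
    transcript = []
    # local_hostname avoids a reverse-DNS lookup for the EHLO name.
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        transcript.append(("EHLO", code, msg.decode(errors="replace")))
        code, msg = smtp.mail(mail_from)
        transcript.append(("MAIL FROM", code, msg.decode(errors="replace")))
        code, msg = smtp.rcpt(external_rcpt)
        transcript.append(("RCPT TO", code, msg.decode(errors="replace")))
        # leaving the 'with' block sends QUIT
    return 200 <= code < 300, transcript


def _fake_mta(listener, local_domains, open_relay):
    """Constructed stand-in for a gateway's SMTP port (not real PMG/Postfix code).

    Accepts RCPT TO only for local_domains unless open_relay is True.
    """
    conn, _ = listener.accept()
    with conn:
        def reply(line):
            conn.sendall((line + "\r\n").encode())

        reply("220 mx.example.test ESMTP (constructed test responder)")
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\r\n" in buf:
                raw, buf = buf.split(b"\r\n", 1)
                cmd = raw.decode(errors="replace")
                verb = cmd.split(" ", 1)[0].upper()
                if verb in ("EHLO", "HELO"):
                    reply("250-mx.example.test")
                    reply("250 OK")
                elif verb == "MAIL":
                    reply("250 2.1.0 Ok")
                elif verb == "RCPT":
                    addr = cmd.split("<", 1)[1].split(">", 1)[0]
                    domain = addr.rpartition("@")[2].lower()
                    if open_relay or domain in local_domains:
                        reply("250 2.1.5 Ok")
                    else:
                        reply(f"554 5.7.1 <{addr}>: Relay access denied")
                elif verb == "QUIT":
                    reply("221 2.0.0 Bye")
                    return
                else:
                    reply("502 5.5.2 Error: command not recognized")


def run_self_test(open_relay):
    """Start the constructed responder on a loopback port and probe it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(
        target=_fake_mta, args=(listener, {"example.test"}, open_relay), daemon=True
    )
    worker.start()
    try:
        return relay_check("127.0.0.1", port, "probe@external.example", "someone@elsewhere.example")
    finally:
        worker.join(5)
        listener.close()


if __name__ == "__main__":
    for mode in (False, True):
        accepted, transcript = run_self_test(open_relay=mode)
        verdict = "OPEN RELAY - fix the configuration" if accepted else "relay refused (good)"
        print(f"responder open_relay={mode}: {verdict}")
        for step, code, reply in transcript:
            print(f"  {step:<9} -> {code} {reply}")
```

Run the probe against each port the gateway exposes to the internet, not only port 25: the reply in this thread notes that the internal port (default 26) must stay reachable only from trusted networks, and a recipient outside your domains being accepted with 250 on any externally reachable port is exactly the misconfiguration being described.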
 
> The most important question here would be: where did the spammer get access and was able to send mail (via PMG)?
> * hacked end-user account (in that case you need to change the password of that user - and educate your users on the value of good passwords (and encryption))
> * hacked downstream server which sends via PMG (in that case - change the password of all users on the server, and find out how the attacker got access)
> * misconfiguration in PMG (letting the internal port be available from everywhere and having too many IPs listed in the trusted networks - in that case fix the config - and do some tests from servers not in your network - to make sure you cannot send to arbitrary addresses from external IPs)
>
> That is inconvenient, but if you remove the point where the spammer got access you should get delisted in a few days.

Hello, and first thank you for your support.
Simple ...
hacker - web - firewall - haproxy - MX

With relaying haproxy submission ... with MX (internal)
open relay with jump.

This is why I ask Proxmox if it will be possible to filter incoming submission on the mail gateway too ...?
 
> Simple ...
> hacker - web - firewall - haproxy - MX

Did they hack a website under your control? (did you fix that?)
Did they hack your firewall? (did you fix that?)
or was it just the way the hacker sent the mails - e.g. via an unprotected mail form on a website? (if yes - fix that form)

> With relaying haproxy submission ... with MX (internal)
> open relay with jump.

I don't understand what that means.

> This is why I ask Proxmox if it will be possible to filter incoming submission on the mail gateway too ...?

PMG can scan mails in both directions - just make sure that internal services use the internal port (default: 26) and that your rule system is configured to scan both directions.

I hope this helps!
 
> Hello, and first thank you for your support.
> Simple ...
> hacker - web - firewall - haproxy - MX
>
> With relaying haproxy submission ... with MX (internal)
> open relay with jump.
>
> This is why I ask Proxmox if it will be possible to filter incoming submission on the mail gateway too ...?

Yes, you can filter outgoing messages.
 