Emails infected with/emitting spamware/spamtrojan traffic
Hello Everyone,
I'm facing a very critical problem. Spamhaus.org blocks me every week. I have hosted more than 50 clients' domains on my Vesta server. I don't know which client system has a virus and why Spamhaus blocks me. I have added relay rules in Exim so that no one can send more than 60 emails per hour. Below is the login info of one of the hosted domain email accounts for your testing purposes, like the header.
URL: http://www.rangpura.com/webmail/
Email: everyone@...
Password: 786@...
Is there any way to configure it so that Spamhaus blocks the client IP, not the server IP, or is there any way to block infected emails???
Thank you in advance
Last edited by skurudo on Fri Mar 03, 2017 5:21 pm, edited 1 time in total.
Reason: login/pass removed
Re: Emails infected with/emitting spamware/spamtrojan traffic
Those spam lists are very tricky bastards, no shame at all ;-)
shonir wrote: I don't know which client system has a virus and why Spamhaus blocks me.
Install rkhunter and maldet, search your system for infected files.
shonir wrote: I have added relay rules in Exim so that no one can send more than 60 emails per hour.
Lower to 30-40 e-mails.
Re: Emails infected with/emitting spamware/spamtrojan traffic
Thank you for your response.
I have made changes in the Exim sending relay and now the limit is 40 emails per hour.
I also installed Maldet using the instructions below.
https://vpstalk.club/secure-harden-your ... checklist/
Just want to confirm: is it enough to stop all emails sending trojans or infected files??
Re: Emails infected with/emitting spamware/spamtrojan traffic
For a start, yes.
But we must clearly understand that security is not only a set of actions or rules, it is rather a process.
Re: Emails infected with/emitting spamware/spamtrojan traffic
skurudo wrote:For a start, yes.
But we must clearly understand that security is not only a set of actions or rules, it is rather a process.
I think the virus is not on the server, it's on the client systems. They are sending emails with a virus/trojan attached, but how can I trace that? Is there any way to block that account automatically or trace it out??
Re: Emails infected with/emitting spamware/spamtrojan traffic
I have added some rules to block users who spam.
jail.local:
[sendmail]
enabled = true
filter = sendmail
bantime = 28800
action = iptables-multiport[name=sendmail, port="pop3,imap,smtp,pop3s,imaps,smtps", protocol=tcp]
sendmail-whois[name=sendmail, [email protected]]
logpath = /var/log/maillog
maxretry = 5
sendmail.conf:
# Fail2Ban configuration file
#
# Source: http://www.the-art-of-web.com/system/fail2ban-sendmail/
# Contributors: Gutza, the SASL regex
#
# $Revision: 0 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = \[<HOST>\] .*to MTA
# \[<HOST>\] \(may be forged\)
\[<HOST>\], reject.*\.\.\. Relaying denied
(User unknown)\n* \[<HOST>\]
badlogin: .* \[<HOST>\] plaintext .* SASL
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
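Added example, not code from the post or from fail2ban: it replays the four failregex patterns from the sendmail.conf above over constructed maillog lines and applies the jail's maxretry=5 together with fail2ban's default findtime of 10 minutes (the jail.local above sets none) to show which hosts would actually be banned. One caveat before relying on this filter on a Vesta box: the patterns are written for sendmail's log format in /var/log/maillog, while Vesta's MTA is Exim, whose log lines look different, so they need adapting there. All log lines and IP addresses below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the post or from fail2ban: replays the post's
# failregex patterns over constructed maillog lines and applies the jail's
# maxretry/findtime rule to decide which hosts would be banned.

# fail2ban expands the <HOST> tag to this named group (quoted in the filter's comments).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The four failregex lines from the sendmail.conf above, verbatim.
FAILREGEX = [
    r"\[<HOST>\] .*to MTA",
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
    r"(User unknown)\n* \[<HOST>\]",
    r"badlogin: .* \[<HOST>\] plaintext .* SASL",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

MAXRETRY = 5          # from the jail.local above
FINDTIME_MINUTES = 10 # fail2ban's default; the jail.local above sets none

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def failing_host(line):
    """Return the host captured by the first failregex that matches, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_timestamp(line):
    """Syslog timestamp at the start of the line (the year is irrelevant for deltas)."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime_minutes=FINDTIME_MINUTES):
    """Replay lines in time order; a host is banned once it has `maxretry`
    failures inside one `findtime` window, which is how fail2ban counts."""
    findtime = timedelta(minutes=findtime_minutes)
    ordered = sorted(lines, key=lambda l: parse_timestamp(l) or datetime.min)
    recent = defaultdict(list)   # host -> failure timestamps still inside the window
    banned = []
    for line in ordered:
        host = failing_host(line)
        if host is None:
            continue
        ts = parse_timestamp(line)
        window = [t for t in recent[host] if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def sample_log():
    """Constructed maillog lines; hosts are documentation-range addresses, not real."""
    lines = []
    # 203.0.113.9: five relay attempts within five minutes -> reaches maxretry
    for i in range(5):
        lines.append(f"Mar 19 10:0{i}:10 mx sendmail[1201]: v2JA0{i}xx001201: "
                     "ruleset=check_rcpt, arg1=<bob@example.net>, relay=[203.0.113.9], "
                     "reject=550 5.7.1 <bob@example.net>... Relaying denied")
    # 198.51.100.7: two SASL failures -> below maxretry
    for sec in ("00", "30"):
        lines.append(f"Mar 19 10:02:{sec} mx saslauthd[333]: badlogin: host7.example.org "
                     "[198.51.100.7] plaintext alice SASL(-13): authentication failure")
    # 192.0.2.44: five failures 15 minutes apart -> never five inside one 10-minute window
    for i in range(5):
        lines.append(f"Mar 19 {10 + i // 4}:{(15 * i) % 60:02d}:00 mx sendmail[1300]: "
                     f"v2JA{i}0xx001300: lost input channel from [192.0.2.44] to MTA after rcpt")
    # an ordinary delivery line that matches no failregex
    lines.append("Mar 19 10:03:00 mx sendmail[1400]: v2JA30xx001400: from=<alice@example.com>, "
                 "size=2048, class=0, nrcpts=1, relay=[192.0.2.5]")
    return lines


if __name__ == "__main__":
    print("banned with findtime=10m:", hosts_to_ban(sample_log()))
    print("banned with findtime=120m:", hosts_to_ban(sample_log(), findtime_minutes=120))
```

The second print shows why findtime matters: the slow-and-steady host is only caught when the window is widened, which is the knob to turn (together with maxretry) when a spam sender stays just under the threshold.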
Re: Emails infected with/emitting spamware/spamtrojan traffic
skurudo wrote:For a start, yes.
But we must clearly understand that security is not only a set of actions or rules, it is rather a process.
Any recommendation?? I'm tired of unblocking the IP from PBL and XBL.
Re: Emails infected with/emitting spamware/spamtrojan traffic
I'm feeling so much depression due to getting my IP blocked by Spamhaus every 2/3 days.
Getting the error below from CBL: http://www.abuseat.org/lookup.cgi?ip=182.187.136.22
IP Address 182.187.136.22 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.
It was last detected at 2017-03-19 11:00 GMT (+/- 30 minutes), approximately 8 hours ago.
It has been relisted following a previous removal at 2017-03-16 14:25 GMT (3 days, 4 hours, 34 minutes ago)
If this IP address is NOT a shared hosting IP address, this IP address is infected with/emitting spamware/spamtrojan traffic and needs to be fixed. Find and remove the virus/spamware problem then use the CBL delisting link below.
In some unusual cases, IP addresses used in shared hosting (especially those using IPSwitch Imail, Plesk or Cpanel) can trigger CBL listings. If this is a shared hosting IP address, make sure that your mail server software is set up to identify _itself_ in its mail connections, not each of your customers.
And getting the error below from PBL: https://www.spamhaus.org/query/ip/182.187.136.22
Ref: PBL444048
Important: If you are using any normal email software (such as Outlook, Entourage, Thunderbird, Apple Mail, etc.) and you are being blocked by this Spamhaus PBL listing when you try to send email, the reason is simply that you need to turn on "SMTP Authentication" in your email program settings. For help with SMTP Authentication or ways to quickly fix this problem
Re: Emails infected with/emitting spamware/spamtrojan traffic
I don't know how to trace the client who is sending infected emails, so that I can block them and save other clients' emails from bouncing back due to the IP being blocked.
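How to trace the sending client, as an added example that is not from the thread: the script parses arrival lines from Exim's main log (Vesta's MTA; the log path depends on the distribution) and attributes every message to the identity that injected it, using Exim's standard log tags: A=authenticator:login for SMTP-authenticated submissions, U=user together with P=local for mail injected by a local process such as a PHP script, and otherwise the H= remote host. Counting per identity over a sliding one-hour window turns the 40-per-hour figure from earlier in the thread into a per-account check, which is what points at the compromised mailbox or web script instead of the whole server IP. The log lines, accounts and addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added example, not from the thread: attributes each message accepted by Exim
# to the account or local user that injected it, so a compromised mailbox or
# script can be found instead of only rate-limiting the whole server.
# Tags used (<= arrival, A=authenticator:id, U=local user, H=remote host,
# P=protocol) are Exim's standard main-log fields.

ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$"
)
TAG = re.compile(r" (?P<k>[AUHP])=(?P<v>\S+)")


def attribute(line):
    """Return (timestamp, origin) for an arrival line, else None.
    origin is 'auth:<login>' for SMTP-authenticated submissions,
    'local:<unix user>' for mail injected through the local pipe,
    or 'unauth:<host>' for everything else (normally inbound mail)."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    tags = {t.group("k"): t.group("v") for t in TAG.finditer(m.group("rest"))}
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    if "A" in tags:
        # A=dovecot_login:alice@example.com -> the login is after the colon
        return ts, "auth:" + tags["A"].split(":", 1)[-1]
    if tags.get("P") == "local" and "U" in tags:
        return ts, "local:" + tags["U"]
    return ts, "unauth:" + tags.get("H", "?")


def totals(lines):
    """Messages per origin over the whole log."""
    return Counter(r[1] for r in map(attribute, lines) if r)


def senders_over_limit(lines, limit=40, window_hours=1):
    """Report every origin that injected more than `limit` messages inside any
    sliding window of `window_hours`, with its peak count in such a window."""
    window = timedelta(hours=window_hours)
    per_origin = defaultdict(list)
    for line in lines:
        r = attribute(line)
        if r:
            per_origin[r[1]].append(r[0])
    flagged = {}
    for origin, stamps in per_origin.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[origin] = max(count, flagged.get(origin, 0))
    return flagged


def sample_mainlog():
    """Constructed Exim main-log lines (not real traffic)."""
    base = datetime(2017, 3, 19, 10, 0, 0)
    lines = []
    # alice: 60 authenticated submissions in 30 minutes -> far over a 40/hour limit
    for i in range(60):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 1cPA{i:02d}-0001{i:02d}-AA <= alice@example.com "
                     f"H=(WIN-PC) [203.0.113.{10 + i % 5}] P=esmtpa "
                     "A=dovecot_login:alice@example.com S=2048")
    # bob: five ordinary messages
    for i in range(5):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 1cPB{i:02d}-0002{i:02d}-BB <= bob@example.com "
                     "H=(laptop) [198.51.100.20] P=esmtpa A=dovecot_plain:bob@example.com S=3000")
    # a script under the hosting account 'webuser' injecting 45 mails locally in 20 minutes
    for i in range(45):
        ts = base + timedelta(seconds=25 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 1cPW{i:02d}-0003{i:02d}-CC <= webuser@mx.example.com "
                     "U=webuser P=local S=900")
    # one inbound, unauthenticated message from another MX
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} 1cPI00-000400-DD <= carol@example.org "
                 "H=mx.example.org [192.0.2.25] P=esmtp S=5000")
    return lines


if __name__ == "__main__":
    for origin, n in totals(sample_mainlog()).most_common():
        print(f"{n:5d}  {origin}")
    print("over limit:", senders_over_limit(sample_mainlog()))
```

Feed it the real main log with `python3 trace.py < mainlog` after replacing sample_mainlog() with `sys.stdin`; the two kinds of origin it flags correspond to the two fixes in the thread: an `auth:` entry is a mailbox whose password should be changed, a `local:` entry is a hosting account whose web files should be scanned with maldet.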