0

PROBLEM: Users are getting 15-20 SPAM emails per hour, even with SpamAssassin set to its most aggressive settings

SOLUTION: SPAM filtering services are available from companies like McAfee (Intel). These services work by changing the domain MX record to point to the McAfee servers; McAfee filters the email and returns it to our HostGator private server on port 25.

NEW PROBLEM: Spammers are ignoring our MX records and delivering email directly to port 25 of our domain host (e.g. yourdomain.com) … so SpamAssassin is useless and we can’t use an outside Spam Service. If we can’t fix this we will be forced to move all the domains on our Private Server to a GoDaddy Exchange Server (Exchange implements the solution proposed below).

PLATFORM: I'm using a dedicated server that I lease through HostGator. The server is running CentOS with a WHM / cPanel setup. I'm hoping to find some sort of script / plugin that will allow me to block all IP addresses (except ones that I choose to allow) from port 25 on SOME domains but not all domains (since some users aren't using McAfee as a 3rd party solution).

PROPOSED SOLUTION: McAfee recommends that participating domains (not all domains will use an external SPAM service) deny SMTP access to all mail servers (clients can still access via SMTP AUTH) … EXCEPT for an ALLOW block containing IP Addresses of authorized McAfee servers. This is evidently the solution Exchange uses.

QUESTION: Is there a way to do this? HostGator has been ZERO help to me whatsoever. They just keep telling me to use SpamAssassin, which I don't want to use.

I guess I'm just perplexed by this. I can't be the ONLY person experiencing this issue, yet no matter how much I Google it there doesn't seem to be any clear cut answer. Spammers are bypassing my MX records (which are pointed to McAfee spam solutions) and therefore avoiding the spam filters altogether, hence blowing up my inbox with all this spam. As I understand it, Exchange servers work by denying ALL IPs on port 25 except for the IPS of the third party spam solution. Now I know I don't have an Exchange server, but isn't there an easy way to do this on my server?

  • Yes. Create an iptables rule set that does exactly what they propose. Tutorials on how to do this are a dime a dozen online. – EEAA Mar 11 '15 at 00:40
  • I tried Googling this, I just wasn't sure what to Google. The question is, with the iptables rule can that be setup on a per account basis? – DigitalSky Mar 11 '15 at 00:46
  • Does each account have a different IP address? If not, then no, there's nothing you can do on a per-account basis. IPTables works at the IP routing layer of the networking stack, and the SMTP application works several levels higher than that. The firewall knows nothing about SMTP. – EEAA Mar 11 '15 at 00:48
  • Got it. Each account DOES NOT have a different IP address so I guess it's back to the drawing board. I don't know how these spammers are bypassing my MX record and getting emails through to me without going through McAfee first. – DigitalSky Mar 11 '15 at 00:52
  • Why not just disable smtp on your domain and have mcafee deliver email to a different server like smtp.yourdomain.com. Legit mail would go to your MX records. – jbrahy Mar 11 '15 at 05:46
  • [Administration panels are off topic](http://serverfault.com/help/on-topic). [Even the presence of an administration panel on a system,](http://meta.serverfault.com/q/6538/118258) because they [take over the systems in strange and non-standard ways, making it difficult or even impossible for actual system administrators to manage the servers normally](http://meta.serverfault.com/a/3924/118258), and tend to indicate low-quality questions from *users* with insufficient knowledge for this site. – HopelessN00b Mar 11 '15 at 18:34

2 Answers

1

What McAfee told you is definitely the recommended approach here. Spammers intentionally try direct connections for the exact reason you pointed out - they're trying to bypass perimeter defenses.

The specifics depend on your environment, preferences, and details from McAfee. Here are some links to get you started:

Mike B
0

You don't specify your mail software but there are a number of options for this case. They can be combined. (I would recommend the first for all hosts not providing MX services. It should resolve your issue.)

  • Configure the mail server to listen on the local host interface(s) (127.0.0.0, ::1) only. Configure the mail server to use a common server as a smart host for routing.
  • Limit Internet SMTP (port 25) access to MX (and outgoing MTAs if used) with a firewall. Apply to outgoing traffic as well as incoming traffic.
  • Disable pipelining unless reverse DNS passes.
  • Configure your server to delay responses by 10 to 20 seconds if the host fails reverse DNS. (Exim does this and many spambots timeout before delivering their payload.)
  • Require remote users to authenticate on the Submission (587) port to send email via your servers.
BillThor
  • I'm using exim on a WHM / cPanel server running CentOS. I guess I'm just perplexed by this. I can't be the ONLY person experiencing this issue, yet no matter how much I Google it there doesn't seem to be any clear cut answer. Spammers are bypassing my MX records (which are pointed to McAfee spam solutions) and therefore avoiding the spam filters altogether, hence blowing up my inbox with spam. As I understand it, Exchange servers work by denying ALL IPs on port 25 except for the IPS of the third party spam solution. Isn't there an easy way to do this on my server? – DigitalSky Mar 11 '15 at 18:37
  • It can be easily done in a connect ACL which denies all connections not from the desired IP addresses. I haven't used the McAfee spam solution, but they should have the requisite A and PTR records in place to pass rDNS validation. You can then block any incoming connection on port 25 not from their domain. (This should be more reliable than blocking by IP address.) – BillThor Mar 12 '15 at 14:25
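As an added example (not from the thread, and not McAfee's or cPanel's own configuration), here is the per-domain form of the check BillThor describes, written as an Exim RCPT ACL rather than a connect ACL. At connect time Exim only knows the peer address, which is why neither iptables nor a connect ACL can be per-account on a shared IP; at RCPT time it also knows the recipient domain, so the rule can apply only to the domains whose MX points at the filtering service and leave the others alone. The McAfee addresses (documentation ranges), the domain names, and the insertion point in the cPanel-managed exim.conf are placeholders and assumptions.

```exim
# Added example, not from the thread. Main configuration section.
# Replace the documentation-range addresses with the relay IPs the
# filtering service publishes, and list only the domains whose MX
# points at that service.
hostlist   mcafee_hosts   = 203.0.113.0/24 : 198.51.100.10
domainlist mcafee_domains = example.com : example.org
# Hosts that may always deliver directly (this machine itself).
hostlist   direct_ok      = 127.0.0.1 : ::1

# In acl_check_rcpt, before the statement that accepts mail for local
# domains. On cPanel the Exim Configuration Manager's advanced editor
# exposes the RCPT ACL; the exact slot is an assumption.
  # Unauthenticated delivery on port 25 for a filtered domain must come
  # from the filtering service; anything else is bypassing the MX.
  # The port test keeps the rule off 587, and the authenticated test
  # keeps SMTP AUTH clients working on any port.
  deny
    message        = ${domain} accepts inbound mail only via its MX
    log_message    = MX bypass: $sender_host_address -> ${local_part}@${domain}
    condition      = ${if ={$interface_port}{25}}
    domains        = +mcafee_domains
    !authenticated = *
    !hosts         = +mcafee_hosts : +direct_ok
```

Because the deny happens at RCPT, the spambot's connection is still accepted and then refused with a 5xx; that is the trade-off for being per-domain on one IP. If every domain on the server moves to the filtering service, the iptables allowlist from the comments above becomes the simpler option, since it stops the connection before Exim sees it. Before going live, exercise the ACL with a faked source address using `exim -bh 192.0.2.5` (and again with one of the allowed addresses) and walk through MAIL FROM / RCPT TO for both a filtered and an unfiltered domain to confirm only the first combination is denied.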