Score:0

Check which processes are connecting to an external port

au flag

I am running an email server for a school association and we offer an email forwarding service for graduated students, offering them an email alias in our domain name, like [email protected], and we forward the email to their designated personal address registered with us.

We have recently upgraded from a very old email server on which newer TLS versions are no longer supported, and moved to an Ubuntu 20 postfix + spamassassin + perl SPF check configuration. After setup we found that the IP does have a bad reputation for sending spam email. I checked the postfix main.cf again, and postfix should not be working as an open relay.

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination

the email volume lookup was a bit worrying, as some website seems to record my IP as sending 1 out of 30 million emails in the world on some days

https://talosintelligence.com/reputation_center/lookup

(image: email history / email reputation lookup result)

of course I don't think they have bugged my server to check me, so I don't know where their data come from

I am thinking of checking whether there is any other program that may be sending email from my server

I have set up ufw to allow outbound destination port 25 with logging

#sudo ufw status
To  Action      From
--  ------      ----
25  ALLOW OUT   Anywhere  (log)

I am seeing around 6000 outbound entries in the past 60 hours in ufw.log by grepping for "DPT=25 ", which looks reasonable to me given we have members on the order of 1000.

I also checked mail.log; the count of delivery lines (250 ok, 550*, 454*) adds up to roughly 3000.

And I have also seen many times that postfix tries to deliver some non-delivery notice but the connection either times out or is rejected. I have since increased the min and max backoff time and decreased the queue lifetime to try to reduce the retry volume of some spam email we receive at the aliases.

I also receive bounces from, for example, gmail and some other SMTP servers:

status=bounced (host gmail-smtp-in.l.google.com[74.125.130.26] said: 550-5.7.26 This message does not have authentication information or fails to 550-5.7.26 pass authentication checks. To best protect our users, the message has been blocked
status=bounced (host gmail-smtp-in.l.google.com[74.125.130.26] said: 550-5.7.1 [MY IP] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked
status=bounced (host gmail-smtp-in.l.google.com[74.125.130.26] said: 550-5.7.1 [MY IP] Our system has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending IP 550-5.7.1 address. To best protect our users from spam, the message has been 550-5.7.1 blocked.
status=deferred (host imsmx1.netvigator.com[219.76.94.45] refused to talk to me: 554-wironin01.netvigator.com 554 Rejected: Spam email from server IP <MY IP> is blocked by Talos Please go to "https://www.talosintelligence.com/reputation_center/lookup?search=MY IP"
status=deferred (connect to mail.feed-silver.cam[89.144.62.60]:25: Connection refused)
(sender non-delivery notification) status=bounced (host aspmx.l.google.com[142.251.12.26] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces.
  1. should I be worried that any other processes are sending email on my server and trashing my email reputation? that's why I wish I was able to check from the ufw log which processes tried to connect to external port 25
  2. are email reputation site data reliable? I mean, I am not sure if email volume 2+ is anything worrying, but netvigator being an ISP that checks it gives it a reasonable level of credibility.
  3. for our association providing an email forwarding service: should we outright drop emails with a high spam score, or simply use the default practice of spamassassin to add [SPAM] to the subject and let the final receiver decide the handling? reference: https://support.google.com/a/answer/175365?hl=en
  4. does us forwarding spam email trash the reputation of our sending IP?
  5. should we relay sender non-delivery notifications back to the sender? Although sometimes I read in the mail log that it seems to fail immediately; I suspect they are forged-header emails.
  6. is there any IP equivalent of SPF for domain names? or is it entirely impossible due to email relaying.
  7. does setting up DKIM help the reputation of my IP? we do have a small volume of email that is sent out via our own domain.
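One way to get at question 1 directly, as an added example that is not part of the original post: `ss` from iproute2, run as root, shows the owning process name and pid for every established TCP connection, so listing the connections whose remote port is 25 and dropping those made by postfix's own `smtp` client leaves exactly the "other processes" the question asks about. The `ss` output below is constructed (documentation addresses, made-up pids), and the column layout assumes `ss -Hntp state established` (no header, numeric, TCP, with process info); neither is something the question shows.

```shell
#!/bin/sh
# Added example, not from the original question. Parses the output of
#   ss -Hntp state established
# (run as root so the Process column is populated). With the "state
# established" filter the columns are: Recv-Q Send-Q Local Peer Process.

# smtp_peers: stdin = ss lines; stdout = "pid process peer" for every
# connection whose REMOTE port is 25 (outbound SMTP). Lines where only the
# local port is 25 are inbound mail to this host and are skipped.
smtp_peers() {
    awk '
        {
            peer = $4
            n = split(peer, a, ":")            # port is the last ":"-separated field (IPv6 too)
            if (a[n] != "25") next
            pid = "?"; proc = "?"
            if (match($0, /users:\(\("[^"]*",pid=[0-9]+/)) {
                s = substr($0, RSTART + 9, RLENGTH - 9)   # strip the leading users:(("
                split(s, b, "\",pid=")
                proc = b[1]; pid = b[2]
            }
            print pid, proc, peer
        }'
}

# non_postfix_smtp: keep only connections not made by postfix smtp(8), the
# process name postfix uses for its outbound SMTP client.
non_postfix_smtp() {
    smtp_peers | awk '$2 != "smtp"'
}

# Constructed sample standing in for real `ss -Hntp state established` output:
# one postfix delivery, one inbound connection to our port 25, one perl process
# talking to a remote port 25 (the kind of thing worth investigating).
SAMPLE_SS='0 0 203.0.113.10:41532 74.125.130.26:25 users:(("smtp",pid=1234,fd=12))
0 0 203.0.113.10:25 198.51.100.7:51890 users:(("smtpd",pid=1240,fd=6))
0 0 203.0.113.10:50211 192.0.2.44:25 users:(("perl",pid=9876,fd=3))'

# Live use (as root): ss -Hntp state established | non_postfix_smtp
printf '%s\n' "$SAMPLE_SS" | non_postfix_smtp
```

`ss` is a point-in-time snapshot, so run it repeatedly while the ufw log shows a burst. For a persistent record, an iptables LOG rule on OUTPUT matching `-p tcp --dport 25 -m owner ! --uid-owner postfix` logs every outbound SMTP connection opened by a user other than postfix's; where that rule fits alongside ufw's own chains depends on the host and is an assumption here, not something the question describes.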
cn flag
Bob
In general the issue with providing a forwarding service is that unless you do quite stringent filtering, you will also forward all spam that people receive. And your server will be more often than not be considered the source of that spam to whatever spam filter is running on the destination you forward the messages to. That is somewhat unavoidable AFAIK.
cn flag
Bob
So unless you stop forwarding spam messages, your reputation will not improve. Sending bounces is something you want to avoid; backscatter is another problem that forwarders are often responsible for (see for example https://willem.com/blog/2019-09-10_fighting-backscatter-spam-at-server-level/)
Score:0
cm flag
  1. Yes and no. You should be worried; find the real cause. But the culprit may not be the mail server. It can also be a rogue device in the network that shares the publicly visible IP. But as we don't know your network's topology that is pure speculation.
  2. Yes they are reputable. The longer the IP is in use (for ham and spam) the more reliable the analysis gets. Big unusual spikes as shown are concerning and require a thorough investigation of the cause.
  3. Neither flag (and then relay), nor drop. It has to be rejected before accepting the mail. This is known as pre-queue-filtering.
  4. Absolutely, yes. But your problem right now is something different. Hacking, spam-bot, account-breach, relay-attack, virus, ...
  5. NDNs must be sent back to the original sender. But first implement 3). Also monitor NDNs to see if your forwarding-addresses still exist. Some users shut down their account and do not inform you that the forwarding will never work from there on, or must reach a different address instead.
  6. I don't understand that one. SPF is based on domain names to classify the sending IP. Or do you mean DNSRBLs? They should also be part of your anti-spam measures of 3).
  7. Yes, but for forwarding mail it does not really help. It helps for originating mails from your end. But the reputation is lost by the real spam outbreak cause.

So first find the culprit and eliminate that. Then apply anti-spam techniques to minimize the acceptance of spam and therefore relaying of spam. Do so by rejecting incoming mails; filtering is bad, unless you do pre-queue-filtering during the SMTP dialog.

After doing that ask yourself if relaying mails is the way to go. All mail clients can handle multiple accounts, so host the mails yourself.
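An added example, not from the answer's author, for the monitoring part of point 5 above: postfix's `smtp` client logs every delivery attempt with a `dsn=` enhanced status code and a `status=` word, so a short pass over mail.log can separate the 5.1.1 "mailbox does not exist" bounces (forwarding targets that have gone away) from transient deferrals and successful deliveries. The log lines below are constructed in the shape postfix writes them; the `/var/log/mail.log` path is the Ubuntu default and is an assumption.

```shell
#!/bin/sh
# Added example (not from the answer). Summarises postfix delivery outcomes so
# that alias targets which no longer exist can be found and removed.

# dsn_summary: stdin = mail.log lines; stdout = "count dsn status" for each
# combination seen in postfix/smtp delivery records, most frequent first.
dsn_summary() {
    awk '
        /postfix\/smtp\[/ && /status=/ {
            dsn = "?"; st = "?"
            if (match($0, /dsn=[0-9]\.[0-9]+\.[0-9]+/)) dsn = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /status=[a-z]+/))            st  = substr($0, RSTART + 7, RLENGTH - 7)
            c[dsn " " st]++
        }
        END { for (k in c) print c[k], k }' | sort -rn
}

# dead_forwards: stdin = mail.log lines; stdout = each recipient that bounced
# with dsn=5.1.1 (mailbox does not exist), deduplicated. These are the
# forwarding addresses to review in the alias table.
dead_forwards() {
    awk '
        /postfix\/smtp\[/ && /dsn=5\.1\.1/ && /status=bounced/ {
            if (match($0, /to=<[^>]+>/)) print substr($0, RSTART + 4, RLENGTH - 5)
        }' | sort -u
}

# Constructed sample log: two 5.1.1 bounces for the same dead alias target,
# one successful delivery, one deferred delivery (connection refused).
SAMPLE_LOG='Mar  3 10:01:12 mx postfix/smtp[2101]: 4B1C2D3E4F: to=<alum1@example.net>, relay=aspmx.l.google.com[142.251.12.26]:25, delay=1.1, delays=0.1/0/0.4/0.6, dsn=5.1.1, status=bounced (host aspmx.l.google.com[142.251.12.26] said: 550-5.1.1 The email account that you tried to reach does not exist.)
Mar  3 10:02:40 mx postfix/smtp[2102]: 5C2D3E4F5A: to=<alum2@example.org>, relay=mail.example.org[192.0.2.20]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:03:05 mx postfix/smtp[2103]: 6D3E4F5A6B: to=<alum1@example.net>, relay=aspmx.l.google.com[142.251.12.26]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=5.1.1, status=bounced (host aspmx.l.google.com[142.251.12.26] said: 550-5.1.1 The email account that you tried to reach does not exist.)
Mar  3 10:04:30 mx postfix/smtp[2104]: 7E4F5A6B7C: to=<alum3@example.com>, relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect to mail.example.com[203.0.113.5]:25: Connection refused)'

# Live use: dsn_summary < /var/log/mail.log ; dead_forwards < /var/log/mail.log
printf '%s\n' "$SAMPLE_LOG" | dsn_summary
printf '%s\n' "$SAMPLE_LOG" | dead_forwards
```

Run `dead_forwards` against the rotated logs as well as the live one, then remove or update those targets in whatever alias map the server uses (an assumption; the post does not say which). Once point 3 is in place, mail for a dead target is refused during the SMTP dialog instead of being accepted and bounced, so the 5.1.1 entries should taper off.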

au flag
thanks @mailq, so 1, I am trying to find a way to log any attempt to connect to external port 25; I want to know if there are any other processes except postfix that are "sending" outbound email. It's not a shared server; we are the sole user of that IP. 2. the reason I question its reliability is because the server sends email pretty much every day, but on some days they log 0 volume. 8. the school is quite reputable; we are offering members an email address with a prestigious domain name as a service; we are not prepared to manage mailboxes, so an alias forwarder seems the only service we can provide.
au flag
thank you again @mailq, will take your advice and further adjust the server
au flag
for 3., the spamassassin milter has already been implemented for a week
cm flag
For me "reliable" doesn't mean "exact". They can't be exact as they are only monitoring mail traffic indirectly. Only your next network hop can be exact on the numbers (if they would measure). For the logarithmic scale in the picture: I have insight into a similar project with an identical scale, and the worldwide largest sender Google ranks at 7 (per IP).
au flag
Yes, I do understand they must be using sampling. However, it also means to me that I will be expecting maybe a 10 times difference (assuming it may be off by log 1) in the volume estimation to see if my IP is actually spamming, and also there seems to be not much indication of how the spam level is calculated and how it is related to the email volume, so I am unsure how to judge its trustworthiness. I may have to treat things ceteris paribus and just look for trend changes.