SPAM/Mailman mystery

Comments

10 comments

  • cPanelLauren
    Hi @JanKrohn Have you checked the exim logs for this email transaction? I feel like that would be the most useful bit in understanding how this came to occur. If you add them here, just replace any identifying information.
    0
  • cPanelLauren
    Hi @JanKrohn Congratulations on successfully utilizing the exim logs to troubleshoot an issue! Looking at this and at the moderated portion of your initial message I believe I have some further questions:
    • If you go to cPanel>>Email>>Mailing lists under access what is the Access Status of the list you have?
    • If you go from the mailing list UI above to -> Manage next to the mailing list then -> Privacy Options -> Sender Filters -> What is set for Action to take for postings from non-members for which no explicit action is defined.
    As far as why the initial post was moderated, we try not to include any domain names except for examples in posts, so the Hotmail/MS info is most likely why @Infopro moderated it, though he may have further reasoning for that as well.
    0
  • Infopro
    There was just too much information in the email samples including text of the emails themselves, to leave on the forum.
    0
  • JanKrohn
    The same message was distributed over my mailing list a total of three times now. I've made some modifications in the configuration since then.

    > If you go to cPanel>>Email>>Mailing lists under access what is the Access Status of the list you have?

    All affected lists are public (as they should be, as they're open to all my visitors).

    > If you go from the mailing list UI above to -> Manage next to the mailing list then -> Privacy Options -> Sender Filters -> What is set for Action to take for postings from non-members for which no explicit action is defined.

    That setting is "reject" for all of my lists, both before and after re-configuration. From the mail log I could see thousands of spamming attempts, but only these bitcoin scam mails are being ignored by the configuration. As a workaround, I have restricted the message size to 1 kB so that everything is moderated now, banned all non-members that were allowed to post, and configured pre-authorization for a few selected members. Seems to be working, but it's not a long-term solution. The spam score of 10.0 being ignored by the deletion threshold is another issue... (Auto-Delete is enabled. This will permanently delete all new email messages with a calculated spam score that meets or exceeds the Auto-Delete Threshold Score (6).)
    0
  • cPanelLauren
    Hi @JanKrohn While I understand why you'd want them available to your users, you might rethink some of the settings for private/public. We can use my test server as an example:

    > Edit Privacy Options: "mailtesting@cptest.us"
    > You can adjust this mailing list's privacy settings below.
    > Include this list in Mailman's public advertisement of this server's mailing lists.
    > Keep this list's archives private.
    > Require only email confirmation for new subscribers.
    > Require only administrator approval for new subscribers.
    > Require both administrator approval and email confirmation for new subscribers.

    For a public list the following are checked: Include this list in Mailman's public advertisement of this server's mailing lists. Require only email confirmation for new subscribers. That's entirely up to you though.

    > From the mail log I could see thousands of spamming attempts, but only these bitcoin scam mails are being ignored by the configuration.

    This is because of the header forgery that's being done. I'm curious also if setting the following will stop it from occurring as well:

    > EXPERIMENTAL: Rewrite From: header to match actual sender
    > If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.

    > The spam score of 10.0 being ignored by the deletion threshold is another issue... (Auto-Delete is enabled. This will permanently delete all new email messages with a calculated spam score that meets or exceeds the Auto-Delete Threshold Score (6).)

    That's intriguing. I tried to test this to see if my mail would also be accepted, as if this is replicable it's worthy of an internal case, but I was unable to do so. Please see below:

    2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 Warning: "SpamAssassin as myuser detected message as spam (1002.7)"
    2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 Warning: Message has been scanned: no virus or other harmful content was found
    2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F= rejected after DATA: "The mail server detected your message as spam and has prevented delivery (80)."

    I sent this to an email list which I created for testing purposes and confirmed it doesn't get forwarded on to my users. Which version of cPanel are you using? The only differences I see are that:
    1. I wasn't able to use something that would be potential header forgery
    2. We could be using different versions of cPanel - I tested on v78.0.6
    0
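The exim lines quoted above carry everything needed to triage JanKrohn's second complaint (a message scored well above the Auto-Delete threshold that was still handed on): the queue id, the SpamAssassin score in the Warning line, a "rejected after DATA" marker when exim refused the message, and a "=>" line when it delivered. The following script is an added example, not code from this thread or from cPanel; it groups a constructed mainlog excerpt (made-up ids, hosts and addresses, shaped like the lines above) by queue id and lists messages that scored at or above a threshold yet show a delivery line and no rejection. The router and transport names in the sample are assumed, not taken from any real configuration.

```python
import re
from collections import defaultdict

# Constructed sample exim mainlog excerpt, modelled on the lines quoted in the thread.
# Queue ids, hosts, addresses and router/transport names are made up.
SAMPLE_LOG = """\
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail.example.net [192.0.2.10]:35607 Warning: "SpamAssassin as myuser detected message as spam (1002.7)"
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail.example.net [192.0.2.10]:35607 Warning: Message has been scanned: no virus or other harmful content was found
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail.example.net [192.0.2.10]:35607 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (80)."
2019-02-05 11:02:13 1gr47X-0001Ab-2Q H=relay.example.org [198.51.100.7]:41022 Warning: "SpamAssassin as myuser detected message as spam (10.0)"
2019-02-05 11:02:13 1gr47X-0001Ab-2Q <= sender@example.org H=relay.example.org [198.51.100.7]:41022 P=esmtps S=2310 for mylist@example.com
2019-02-05 11:02:14 1gr47X-0001Ab-2Q => mylist <mylist@example.com> R=mailman_router T=mailman_virtual_transport
2019-02-05 11:02:14 1gr47X-0001Ab-2Q Completed
2019-02-05 11:10:41 1gr4Fn-0002Cd-0K H=mx.example.org [203.0.113.5]:50211 Warning: "SpamAssassin as myuser detected message as spam (3.1)"
2019-02-05 11:10:41 1gr4Fn-0002Cd-0K <= someone@example.org H=mx.example.org [203.0.113.5]:50211 P=esmtps S=1120 for mylist@example.com
2019-02-05 11:10:42 1gr4Fn-0002Cd-0K => mylist <mylist@example.com> R=mailman_router T=mailman_virtual_transport
"""

# exim queue ids look like 1gr3rA-0009Lr-1v: three base-62 groups of 6, 6 and 2 characters.
MSG_ID_RE = re.compile(
    r'^\S+ \S+ (?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (?P<rest>.*)$')
# The score cPanel's SpamAssassin integration writes into the Warning line.
SCORE_RE = re.compile(r'detected message as spam \((?P<score>-?\d+(?:\.\d+)?)\)')


def parse_exim_log(text):
    """Group mainlog lines by queue id and record, per message, the SpamAssassin
    score, whether exim rejected it at SMTP time and whether a delivery (=>) line exists."""
    msgs = defaultdict(lambda: {"score": None, "rejected": False, "delivered": False})
    for line in text.splitlines():
        m = MSG_ID_RE.match(line)
        if not m:
            continue  # lines without a queue id (daemon messages etc.) are not relevant
        rec = msgs[m.group("id")]
        rest = m.group("rest")
        s = SCORE_RE.search(rest)
        if s:
            rec["score"] = float(s.group("score"))
        if "rejected after DATA" in rest:
            rec["rejected"] = True
        if rest.startswith("=> "):
            rec["delivered"] = True
    return dict(msgs)


def scored_but_delivered(text, threshold=6.0):
    """Queue ids of messages scored at or above the threshold that exim nevertheless
    delivered instead of rejecting; the threshold defaults to the value quoted above."""
    msgs = parse_exim_log(text)
    return sorted(mid for mid, rec in msgs.items()
                  if rec["score"] is not None and rec["score"] >= threshold
                  and rec["delivered"] and not rec["rejected"])


if __name__ == "__main__":
    for mid in scored_but_delivered(SAMPLE_LOG):
        print("scored above threshold but delivered:", mid, parse_exim_log(SAMPLE_LOG)[mid])
```

Run it against a real /var/log/exim_mainlog after replacing SAMPLE_LOG with the file's contents. A non-empty result is exactly the situation described in the thread; the "=>" line of each hit shows which router and transport handled the message, which tells you whether it went into a mailbox (where the Auto-Delete threshold is applied) or straight to Mailman.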
  • JanKrohn
    > For a public list the following are checked: Include this list in Mailman's public advertisement of this server's mailing lists. Require only email confirmation for new subscribers.

    I use the same settings.

    > This is because of the header forgery that's being done. I'm curious also if setting the following will stop it from occurring as well:

    Interesting setting. Never noticed it before. It should be good to enable in any case.

    > That's intriguing. I tried to test this to see if my mail would also be accepted, as if this is replicable it's worthy of an internal case, but I was unable to do so. Please see below:
    >
    > 2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 Warning: "SpamAssassin as myuser detected message as spam (1002.7)"
    > 2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 Warning: Message has been scanned: no virus or other harmful content was found
    > 2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F= rejected after DATA: "The mail server detected your message as spam and has prevented delivery (80)."
    >
    > I sent this to an email list which I created for testing purposes and confirmed it doesn't get forwarded on to my users. Which version of cPanel are you using? The only differences I see are that:
    > 1. I wasn't able to use something that would be potential header forgery
    > 2. We could be using different versions of cPanel - I tested on v78.0.6

    I'm still on v76. If it will be fixed on v78, then that's great. I was planning to upgrade anyway.
    0
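The "header forgery" cPanelLauren points to above explains how a non-member post slips past a Sender Filters action of "reject": Mailman decides membership from the message headers (From: among them, by default), not from the envelope sender the MTA actually received the message from, so a From: that matches a subscriber is treated as a member post. The following check is an added example, not code from this thread, from cPanel or from Mailman; it compares the From: address against a constructed member set and against the Return-Path the MTA stamped, and flags posts where the two disagree. The member addresses, hosts and messages are all made up.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed subscriber set for a hypothetical list; not read from any Mailman config.
LIST_MEMBERS = {"alice@example.com", "bob@example.com"}

# Constructed message: From: claims a subscriber, but the envelope sender recorded in
# Return-Path and the relaying host belong to somebody else.
FORGED_FROM = b"""Return-Path: <bulk-42@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
\tby mail.example.com (Exim) for <mylist@example.com>; Tue, 05 Feb 2019 11:02:13 +0000
From: Alice <alice@example.com>
To: mylist@example.com
Subject: Important notice
Message-ID: <constructed-1@mailer.example.net>

This body is a constructed example.
"""

# Constructed message where header and envelope agree.
LEGIT = b"""Return-Path: <alice@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mail.example.com (Exim) for <mylist@example.com>; Tue, 05 Feb 2019 12:00:00 +0000
From: Alice <alice@example.com>
To: mylist@example.com
Subject: Meeting

Hello list.
"""


def classify_post(raw, members):
    """Return "non-member" when From: is not a subscriber (the "reject" action applies),
    "member-from-mismatch" when From: is a subscriber but the envelope sender in
    Return-Path is a different address, and "member" otherwise."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    from_addr, envelope = from_addr.lower(), envelope.lower()
    if from_addr not in members:
        return "non-member"
    if envelope and envelope != from_addr:
        return "member-from-mismatch"
    return "member"


if __name__ == "__main__":
    print("forged:", classify_post(FORGED_FROM, LIST_MEMBERS))
    print("legit:", classify_post(LEGIT, LIST_MEMBERS))
```

A "member-from-mismatch" result is the case worth routing to moderation rather than accepting outright; the workaround JanKrohn describes (moderate everything, pre-approve a few members) has the same effect at the cost of moderating legitimate posts too. Note that a legitimate member posting through a forwarding service can also trigger the mismatch, so treat it as a moderation signal, not a hard reject.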
  • cPanelLauren
    > I'm still on v76. If it will be fixed on v78, then that's great. I was planning to upgrade anyway.

    I can't guarantee that. I just happened to have a 78 server to test on; I haven't tested this on 76 because I didn't have a server with a live domain available to test on (without doing local delivery).
    0
  • JanKrohn
    Thanks for your help so far. With all the configuration changes in place, I think it's now safe to wait and see what happens. If a spam mail from a non-member gets caught in moderation within the next month or so, then I'd appreciate help with further investigation. If not, then I think the matter is closed (and I will lift some of the moderation settings in my lists again).
    0
  • cPanelLauren
    Hi @JanKrohn Sounds great! Let us know though if it continues to occur. Thanks!
    0