tracking down bots

Discuss the Scalix Server software


KKJensen
Posts: 142
Joined: Wed Sep 06, 2006 9:34 am

Postby KKJensen » Thu Sep 06, 2007 12:55 am

Hi there,

I think I've got a machine "somewhere" with a bot on it, since I keep getting stuff accumulating in the /var/spool/mqueue directory that is getting refused and, judging by the addresses, looks to be spam. Our IP has been blacklisted because of this outgoing email and I'm curious if anyone could help.

Is there some way, in the message logs etc., to find what local IP address these emails are originating from? Most machines on our network are new, are running antivirus software and should be fine. Others, particularly those owned and admin'ed by some of the management, are not being taken care of by myself and I cannot vouch for them. I've got to figure out who the offender is before I can un-blacklist our IP.

Is there not some way of configuring scalix to scan OUTGOING email for spam?

A million thanks in advance.

adhodgson
Posts: 176
Joined: Thu Mar 02, 2006 8:09 am

Postby adhodgson » Thu Sep 06, 2007 7:27 am

Hi,

Look in the mqueue directory and see if you can read the files containing the messages. These will include the headers, and should have the IP address of the client causing the problem. We use SpamTitan, which acts as a smart host for Scalix. You can download the ISO and build yourself a spam box appliance for a fraction of the cost of a Barracuda firewall or the like, or follow the howtos on this forum for integrating SpamAssassin into Scalix, but as we have over 200 users on the server I wanted to put less of a load on the Scalix box.

Andrew.

KKJensen
Posts: 142
Joined: Wed Sep 06, 2006 9:34 am

Postby KKJensen » Thu Sep 06, 2007 8:45 pm

Thanks for the pointers. I'm going to look into making a dedicated spam box as a gateway so the scalix machine isn't doing so much. We only have about 50 email accounts and only a few of those are heavily used so things aren't that bad.

I found out by looking at the queue files that they were out-of-office replies to spoofed addresses, so there was nowhere for them to go. Nice to hear that my trojan/spambot worries were unfounded.

adhodgson
Posts: 176
Joined: Thu Mar 02, 2006 8:09 am

Postby adhodgson » Fri Sep 07, 2007 5:14 am

Hi,

That figures. We used to get blacklisted because of this sometimes, as well as having NDR messages going out all over the place. If you are like me and have enough Linux boxes to maintain already without having another one to play with :), I would give SpamTitan a look, as it is quite cheap and will really make a difference to messages coming in and out of the server. We use recipient verification, so that invalid recipients are blocked at the gateway level, meaning we never generate NDRs. It has a very good spam detection rate, giving users nightly reports from which it is easy to release messages if they need to, and of course that means the out-of-office replies don't end up going to spambot honeypot addresses.

Andrew.

