Kerio Connect forum thread: Getting blasted with SPAM
jeffcollett
We are running 6.6.2 on OSX 10.5.6.

The past couple of days we have been getting hit with spam for Africa, with emails such as info<_a.t_>onlinesweeps.net and info<_a.t_>britishlottery.org.

They are not going through our Barracuda, so they are connecting directly. I have all the rate controls on and only allow relay to 2 of our critical servers. I have written a ton of custom rules that aren't even getting used. I am at wits' end with these spammers.

Has anyone else dealt with these people or have any suggestions?

Thanks
Jeff
My IT Indy
What about enabling only SMTP for authenticated users and the barracuda?

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com
jeffcollett
I have "Users Authenticated through SMTP for outgoing mail" checked. Am I missing something else?

Jeff

[Updated on: Wed, 21 January 2009 16:37]
My IT Indy
I would also enable the IP address of the Barracuda in the IP Address group. See if that helps.

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com
jeffcollett
I have the Barracuda in there already. It is the only relay allowed.

I did set up a block list of IPs from the servers that are giving me issues and it doesn't seem to be blocking them.

Who knows!!!

Jeff
sedell
I've run into this too with our gateway - also a Barracuda. We had to leave mail.domain.com open to the internet to accept connections from users. Many spammers were connecting directly to the mail server, ignoring the MX record and bypassing the SMTP gateway. That sounds like what you might be running into.

There was no setting in KMS to only accept mail from the gateway, so I got around it by blacklisting everything. I added host ranges 1.0.0.0 -> 192.167.255.255 and 192.168.2.0 -> 255.255.255.255 to the custom blacklist - everything but our network. That rejects everything that tries to connect directly to deliver mail, but doesn't affect the network. Users on the outside aren't affected because they authenticate when they send mail.

That stopped 100% of the spammers who try to bypass the virus/spam filter by going around the gateway.

Scott
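The ranges Scott typed by hand are the complement of his internal network, and the policy he describes is "gateway or authenticated client, otherwise reject". The following is an added Python model of both (not code from the thread or from Kerio); the internal network 192.168.0.0/23 and the gateway address 192.168.1.10 are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the thread): the internal network that
# Scott's two ranges leave open (192.168.0.0 - 192.168.1.255) and a
# hypothetical address for the filtering gateway.
ALLOWED_NETWORKS = ["192.168.0.0/23"]
GATEWAY_IP = "192.168.1.10"


def blacklist_ranges(allowed):
    """Return (first, last) address pairs covering all IPv4 space except `allowed`.

    This is the arithmetic behind the two blacklist entries in the post:
    everything below the internal network and everything above it.
    """
    nets = sorted((ipaddress.ip_network(n) for n in allowed),
                  key=lambda n: int(n.network_address))
    ranges = []
    cursor = 0  # next address not yet covered by an allowed network
    for net in nets:
        start = int(net.network_address)
        if start > cursor:
            ranges.append((ipaddress.ip_address(cursor), ipaddress.ip_address(start - 1)))
        cursor = max(cursor, int(net.broadcast_address) + 1)  # handles overlaps
    if cursor <= 0xFFFFFFFF:
        ranges.append((ipaddress.ip_address(cursor), ipaddress.ip_address(0xFFFFFFFF)))
    return ranges


def should_accept(src_ip, authenticated, allowed=ALLOWED_NETWORKS, gateway_ip=GATEWAY_IP):
    """Model of the policy described in the thread, not Kerio's own logic.

    Accept mail relayed by the filtering gateway, accept submissions from clients
    that authenticated (roaming Outlook/Entourage/phone users), and reject
    unauthenticated delivery from any address outside the internal network,
    which is exactly what the direct-to-server spammers are attempting.
    """
    ip = ipaddress.ip_address(src_ip)
    if ip == ipaddress.ip_address(gateway_ip):
        return True
    if authenticated:
        return True
    return any(ip in ipaddress.ip_network(n) for n in allowed)


if __name__ == "__main__":
    for first, last in blacklist_ranges(ALLOWED_NETWORKS):
        print(f"blacklist {first} -> {last}")
    print(should_accept("203.0.113.7", authenticated=False))  # direct delivery from outside
```

The computed first range starts at 0.0.0.0 rather than Scott's 1.0.0.0; the difference is the unroutable 0.0.0.0/8 block and does not change which real senders are rejected.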
jeffcollett
Scott,

That sounds like exactly what is happening. There is no trace of the spammers coming through on port 25.

I set up a custom black list around our network and DMZ.

I also tried to take it one step further by enabling "require secure authentication" in the security options, but then I couldn't connect with any smartphone-type devices.

So as it stands, I will set the blacklist to all IPs around my network and DMZ, and anything outside, such as mobile users with Outlook/Entourage and smart devices, can still connect since they are authenticating correctly.

Thanks for everyone's help so far. This is a major pain.

Jeff

elias
My solution to this was to block port 25 at the firewall, and then require clients to connect on port 587. It's a little "security by obscurity" heavy, as there's nothing stopping a spammer from trying to use that port, but so far it's been completely effective.

-Elias
TorW
elias wrote on Thu, 22 January 2009 00:09:

    My solution to this was to block port 25 at the firewall, and then require clients to connect on port 587. It's a little "security by obscurity" heavy, as there's nothing stopping a spammer from trying to use that port, but so far it's been completely effective.

So how do other mail servers send you mail?

Anyway: KMS is in my opinion too inflexible when it comes to spam filtering and connection control, at least compared to setups like qmail, Exim, Postfix and other non-proprietary mail servers.

Also, I wonder why Kerio chose to implement SpamAssassin spam scoring like they did (can we use custom SA rules for instance? Can we tweak scores for SA rules? What about Razor or DCC? Who knows), and why it isn't easily possible to set up a central folder for spam learning. I don't want users to do the spam filtering for me, and they are prone to just delete the spam instead of marking it as such.

Our Bayes filter has learned around 10.000 messages as spam, but KMS is still letting spam through which scores 10+ on a vanilla SpamAssassin installation with no Bayes filtering.

I am thinking about setting up a spam filtering gateway in front of KMS, but it would be easier (and actually provide a lower TCO!) if KMS could use SpamAssassin the way it's officially documented and let us maintain a regular, flat-file IP blacklist.
elias
TorW wrote on Wed, 21 January 2009 15:35:

    elias wrote on Thu, 22 January 2009 00:09:

        My solution to this was to block port 25 at the firewall, and then require clients to connect on port 587. It's a little "security by obscurity" heavy, as there's nothing stopping a spammer from trying to use that port, but so far it's been completely effective.

    So how do other mail servers send you mail?

Sorry, I should have been more specific. Like others in this thread, I have a Barracuda sitting in front of KMS and don't use either the spam filtering or antivirus components in KMS.

-Elias
TorW

OK, I understand.

This is the thing that irks me slightly: we pay for KMS' spam and virus filtering, but we find ourselves wanting (or even needing) additional spam/virus appliances in front of it. Oh, well ...
jeffcollett
TorW,

I agree 100% with you. That is the reason I am in the situation I am in now. I had the antivirus and spam filtering turned off since it is not the best. I basically just had Kerio set up as a basic email server.

Kerio has come a long way in the past couple of years; unfortunately, their tech support is nothing without this forum.

Thanks again
Jeff
freakinvibe
Quote:

    can we use custom SA rules for instance?

Yes, that is possible; you can use custom .cf files.

Quote:

    Can we tweak scores for SA rules?

Yes, just edit the 50_scores.cf file.

Quote:

    What about Razor or DCC?

I got DCC working, but it is a bit cumbersome to enable.

I am rather happy with the KMS Spam System. Using Blacklists, Spam Repellent, Bayes and custom white/blacklists is really effective for me.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
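An added illustration of the custom .cf syntax the two answers above refer to (not from the thread or from Kerio's documentation). The rule name, pattern and scores are invented here; where such a file is picked up on a Kerio install is not stated in the thread.

```conf
# Custom SpamAssassin rule (added example, not from the thread). Rule name,
# pattern and score are invented; tune the score to the local spam threshold.
body      LOCAL_LOTTERY_LURE  /\b(british ?lottery|online ?sweeps)\b/i
describe  LOCAL_LOTTERY_LURE  Lottery or sweepstakes lure text in the message body
score     LOCAL_LOTTERY_LURE  3.0

# Re-weighting a stock rule: a 'score' line for an existing rule replaces the
# value loaded earlier, so it can be edited in 50_scores.cf as suggested above
# or placed in a custom .cf file that is loaded after it. BAYES_99 is a
# standard SpamAssassin rule.
score     BAYES_99  5.0
```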