Kerio User Forums » Kerio Connect: Setup SPF record (Our Kerio Connect e-mail server is being used for sending spam.)

stagiair (Messages: 7, Karma: 0):
Hello

Our Kerio Connect e-mail server is being used for sending spam.
We are now blacklisted by the Belgian ISP Belgacom.
Belgacom sent us an e-mail on how to get removed from the blacklist.

In order to do so we need to set up an SPF (Sender Policy Framework).

Our domain is registered by One.com. We've asked them to help us set up the SPF record.
But they told us that they will not be able to help us as they are not responsible for sending the e-mail.

Best regards

MacLab (Messages: 229, Karma: 14):
You probably need to do more than that. You need to figure out how your server is being used to send spam and stop it. An SPF record is not going to stop it. It will barely put a dent in it. Check Kerio KB articles on protecting your server and put the measures in place. You also might have a compromised account, so check the logs.

MacLab, Inc.
Kerio Certified Partner, Reseller, Hosting Provider, Kerio Connect Certified.
http://maclaboratory.com

ICT and Me (Messages: 940, Karma: 53):
Hi stagiair,

Are you a Belgian company? If so and you can speak Dutch/Flemish, we can support you in those languages. It is only possible to use your Connect if they know how to log on to the Connect server. We had some active unauthorized logins today from Taiwan, Russia and Ukraine. They tried to log on with my personal account. But I change my password every 14 days. So somehow they knew my account/password.


ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl

sim72 (Messages: 6, Karma: 0):
Hello stagiair,
Is your server hosted by your company? It is in your LAN? Maybe you have a virused computer in your LAN and that computer use the same gateway as your email server. I think, from ISP Belgacom point of view your public IP is guilty for sending spam. Maybe your email server is 100% ok.

stagiair (Messages: 7, Karma: 0):
Hello sim72 and ICT and Me,

Yes, our e-mail server is located in our LAN and hosted by our company.
I don't think any of the local computers are infected.
I scanned all of the computers using ESET Smart Security and Malwarebytes.

Maybe they didn't send it through our mail server, but they could be identifying themselves as our mail server?

Yes, we are a Belgian company, but I think it is better to speak in English so more people can understand me and help me :)

I will see if changing passwords is an option.

manyhats (Messages: 44, Karma: 1):
just my two cents...
How many people use your mail server? Is it a possibility that someone at your business did this on purpose? Did you look over your email logs for a lot of emails from one account? Perhaps an onsite email filter to scan both incoming and outgoing emails would help?

stagiair (Messages: 7, Karma: 0):
Hello manyhats

We have 10 accounts for our kerio connect server.
And the mails they sent really looked like an automated system. I will update this post tomorrow with an example mail from the spam.

manyhats (Messages: 44, Karma: 1):
Depending on how you have the IP/DHCP setup that could point to the machine with the issue. Again just my .02 but if you determine which machine was sending the email you could try to boot the machine with something like a Hiren BootCD and use the scanning tools to look for malicious software. Or if you have all of the user files on a central storage device you could just reload the OS on the questionable machine. I am not onsite with you so my statements are just suggestions.

sim72 (Messages: 6, Karma: 0):
You can have a look at Logs ->Debug. Make sure the options SMTP server and SMTP Client are checked in Logging messages window. You may also enable (check) User authentication (same window).

For the future, you may want to use two ISPs. You will have one public IP only for your server(s) and another IP for the accounting, financial, IT, logistics departments and so on.
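The advice above from MacLab ("check the logs, you may have a compromised account"), manyhats ("look for a lot of emails from one account") and sim72 (enable SMTP server/client and user-authentication logging) comes down to one triage pass over the mail log. The script below is an added example, not Kerio's code and not something posted in the thread. It assumes a line layout that approximates Kerio Connect's mail log "Recv:" records (field names Queue-ID, Service, From, To, Size, Sender-Host and an optional User for authenticated submissions), one recipient per line, and a LAN of 192.168.1.0/24; the sample log is constructed with documentation-range addresses and a fictitious account "jan@adomain.be" standing in for the abused account.

```python
"""Triage a Kerio Connect-style mail log for an abused account.

Added example, not Kerio's code and not from the thread.  Assumptions:
the 'Recv:' line layout below approximates Kerio Connect's mail log
(field names Queue-ID/Service/From/To/Size/Sender-Host/User), there is
one recipient per line, and the LAN is 192.168.1.0/24.  SAMPLE_LOG is
constructed; the addresses are documentation ranges, not the poster's.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[13/Jan/2014 13:40:02] Recv: Queue-ID: 0001, Service: SMTP, From: <alice@adomain.be>, To: <bob@example.org>, Size: 2048, Sender-Host: 192.168.1.21, User: alice@adomain.be
[13/Jan/2014 13:41:10] Recv: Queue-ID: 0002, Service: SMTP, From: <partner@example.net>, To: <alice@adomain.be>, Size: 3100, Sender-Host: 198.51.100.9
[13/Jan/2014 13:46:55] Recv: Queue-ID: 0003, Service: SMTP, From: <lloyds@hi5.com>, To: <r1@example.com>, Size: 4096, Sender-Host: 203.0.113.7, User: jan@adomain.be
[13/Jan/2014 13:46:55] Recv: Queue-ID: 0004, Service: SMTP, From: <lloyds@hi5.com>, To: <r2@example.com>, Size: 4096, Sender-Host: 203.0.113.7, User: jan@adomain.be
[13/Jan/2014 13:46:56] Recv: Queue-ID: 0005, Service: SMTP, From: <lloyds@hi5.com>, To: <r3@example.com>, Size: 4096, Sender-Host: 203.0.113.7, User: jan@adomain.be
[13/Jan/2014 13:46:56] Recv: Queue-ID: 0006, Service: SMTP, From: <lloyds@hi5.com>, To: <r4@example.com>, Size: 4096, Sender-Host: 203.0.113.7, User: jan@adomain.be
[13/Jan/2014 13:46:57] Recv: Queue-ID: 0007, Service: SMTP, From: <lloyds@hi5.com>, To: <r5@example.com>, Size: 4096, Sender-Host: 203.0.113.7, User: jan@adomain.be
[13/Jan/2014 13:46:57] Recv: Queue-ID: 0008, Service: SMTP, From: <lloyds@hi5.com>, To: <r6@example.com>, Size: 4096, Sender-Host: 203.0.113.7, User: jan@adomain.be
[13/Jan/2014 13:52:30] Recv: Queue-ID: 0009, Service: SMTP, From: <alice@adomain.be>, To: <carol@example.org>, Size: 1800, Sender-Host: 192.168.1.21, User: alice@adomain.be
"""

# 'User:' is only present when the client authenticated (SMTP AUTH).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>\S+), Service: (?P<service>\w+), "
    r"From: <(?P<mail_from>[^>]*)>, To: <(?P<rcpt>[^>]*)>, Size: (?P<size>\d+), "
    r"Sender-Host: (?P<host>[^,\s]+)(?:, User: (?P<user>\S+))?$"
)


def parse_log(text):
    """Return one dict per parsable 'Recv:' line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def triage(records, our_domain="adomain.be", lan_prefixes=("192.168.1.",), max_rcpts=5):
    """Flag authenticated senders that look like an abused account.

    Signals (each alone is worth a look; together they are damning):
      * more than max_rcpts distinct recipients in the log window,
      * SMTP AUTH from an address outside the LAN (the password is being
        used from the Internet, as ICT and Me saw),
      * envelope sender (MAIL FROM) in a domain that is not ours.
    Returns {account: [reason, ...]} for flagged accounts only.
    """
    stats = defaultdict(lambda: {"messages": 0, "rcpts": set(),
                                 "wan_hosts": set(), "foreign_from": set()})
    for r in records:
        user = r["user"]
        if not user:
            continue  # unauthenticated = inbound mail for local users, not relay
        s = stats[user]
        s["messages"] += 1
        s["rcpts"].add(r["rcpt"].lower())
        if not r["host"].startswith(lan_prefixes):
            s["wan_hosts"].add(r["host"])
        from_domain = r["mail_from"].rsplit("@", 1)[-1].lower()
        if from_domain != our_domain:
            s["foreign_from"].add(from_domain)

    report = {}
    for user, s in stats.items():
        reasons = []
        if len(s["rcpts"]) > max_rcpts:
            reasons.append(f"{len(s['rcpts'])} distinct recipients in {s['messages']} messages")
        if s["wan_hosts"]:
            reasons.append("SMTP AUTH from outside the LAN: " + ", ".join(sorted(s["wan_hosts"])))
        if s["foreign_from"]:
            reasons.append("envelope sender not in our domain: " + ", ".join(sorted(s["foreign_from"])))
        if reasons:
            report[user] = reasons
    return report


if __name__ == "__main__":
    for account, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(account)
        for why in reasons:
            print("  -", why)
```

Run against the real mail log, a hit on the "SMTP AUTH from outside the LAN" signal is the fastest confirmation of a stolen password: reset that account, then look at when the foreign logins started to bound how long the relay has been abused.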

stagiair (Messages: 7, Karma: 0):
Like I said in my previous post, this is one of the spam messages that Belgacom sent us.

Host: xxx.xx-183-91.adsl-static.isp.belgacom.be
Belgacom Reference: 002/1710530613/757139266
----------
Date: 2014-01-13 13:46:55
From: lloyds<_at_>hi5.com
Subject: Important Update !
To:gemma_black2@hotmail.co.uk,gemma_boylan@hotmail.com,gemma_brisley@hotmail.com,gemma_brown@cotyinc.com,gemma_bryson@hotmail.com,gemma_cable@yahoo.co.uk,gemma_capp@yahoo.co.uk,gemma_caunter@kohleruk.com,gemma_cg17@hotmail.com,gemma_chu@hotmail.com,gemma_clode@yahoo.co.uk,gemma_corlett@hotmail.com,gemma_cream@yahoo.co.uk,gemma_dale@hotmail.com,gemma_denny@hotmail.com,gemma_dobson@hotmail.com,gemma_dolan@hotmail.com,gemma_dover@yahoo.co.uk,gemma_dovey@hotmail.com,gemma_dunell@hotmail.com,gemma_e_bell@hotmail.co.uk,gemma_ed@hotmail.com,gemma_ed@live.com,gemma_eddy2004@hotmail.com,gemma_emery@yahoo.co.uk,gemma_ewington@yahoo.co.uk,gemma_forbes@hotmail.com,gemma_gibson62@hotmail.com,gemma_gilbert@yahoo.co.uk,gemma_gobbett@yahoo.co.uk,gemma_grossman@hotmail.com,gemma_groves@hotmail.com,gemma_hardie@hotmail.com,gemma_harries@hotmail.com,gemma_hawthorne@yahoo.co.uk,gemma_henry20@hotmail.co.uk,gemma_hooks@talktalk.net,gemma_horne@hotmail.com,gemma_horrocks@hotmail.com,gemma_jackson@hotmail.com,gemma_jones09@yahoo.co.uk,gemma_kail@spring.com,gemma_konrad@yahoo.co.uk,gemma_laking@hotmail.com,gemma_lockett@yahoo.co.uk,gemma_love@qvc.com,gemma_maddison@yahoo.co.uk,gemma_makeup77@yahoo.co.uk,gemma_marshall25@yahoo.co.uk,gemma_mb@hotmail.co.uk,gemma_mc_neill@hotmail.com,gemma_montalto@hotmail.com,gemma_murray@live.co.uk,gemma_nicholls@hotmail.co.uk,gemma_orrock@hotmail.com,gemma_pascal@yahoo.co.uk,gemma_pawson@yahoo.co.uk,gemma_phillipson@hotmail.com,gemma_pike14@hotmail.com,gemma_preater@yahoo.co.uk,gemma_price@live.co.uk,gemma_pryor@hotmail.com,gemma_quinn@hotmail.com,gemma_ralls@yahooo.com,gemma_richardson@hotmail.com,gemma_richmond@yahoo.co.uk,gemma_ridgley@hotmail.com,gemma_ritchie1979@hotmail.com,gemma_sankey@yahoo.co.uk,gemma_serenity@yahoo.co.uk,gemma_sofianos@hotmail.com,gemma_stemp@hotmail.com,gemma_stenhouse@btinternet.com,gemma_stidolph@hotmail.com,gemma_sturgess@hotmail.com,gemma_sutton1@hotmail.com,gemma_szakacs@hotmail.com,gemma_taylor3@sky.com,gemma_taylor@hotmail.co.uk,gemma_terry@hotmail.com,gemma_trickett@hotmail.com,gemma_uni@msn.com,gemma_varnom@hotmail.com,gemma_w1989@hotmail.com,gemma_w9@hotmail.co.uk,gemma_williams10@yahoo.co.uk,gemma_xox_@hotmail.co.uk,gemma_young@live.com,gemmaa@hopwood.ac.uk,gemmaaas@hotmail.co.uk,gemmaadams81@hotmail.co.uk,gemmaalashe@yahoo.co.uk,gemmaalderdice@hotmail.com,gemmaallport@hotmail.com,gemmaamy@googlemail.com,gemmaandkate@btinternet.com,gemmaangell@yahoo.co.uk,gemmaarkley@yahoo.co.uk,gemmaarmstrong@live.co.uk,gemmaartell1<_at_>talktalk.net


The 'x' represent numbers but I removed them for security reasons.
The host is, I think, a sort of reverse DNS lookup domain?

but our external IP is 91.183.xx.xxx

@sim72 having 2 ISPs might be a solution, but we are only working with max 10 people at the moment, so that might be something, but not for now anyway.

Well our network setup is something like this

(Wan) -> Modem -> Server (Windows 2k3) (Kerio, DNS, DHCP, Active Directory, ...) -> Lan (clients)

ICT and Me (Messages: 940, Karma: 53):
I get the strong feeling your Connect is an open relay.
Are you sure you are not an open relay server?

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl

stagiair (Messages: 7, Karma: 0):
I'm pretty sure we are not using an open relay.

(Dutch)
[img]http://i.imgur.com/qH1Xfui.jpg[/img]

[Updated on: Wed, 19 February 2014 09:27]


manyhats (Messages: 44, Karma: 1):
Do you still have your mail logs from 13/1/2014? I would scan those to see if you notice these messages actually going through your email server. If these messages started from a workstation they may have their own SMTP program and simply skip your Kerio server.
Also, do you have wireless at this place of employment? A hacked wireless network would allow these troubles also. And just to clarify, the message from your ISP has your rDNS name as the host. I am not sure if you were confused about why they listed your host name that way or not...

manyhats (Messages: 44, Karma: 1):
Also, you can go over to MXToolbox.com (I assume as I have never tried from Europe) and choose the diagnostic test. It will check the open relay status of your email server.

stagiair (Messages: 7, Karma: 0):
From MXToolbox

mx:adomain.be
Pref Hostname IP Address TTL
10 mail.adomain.be xx.xxx.40.112 3 hrs

smtp:mail.adomain.be
Category adomain Result
smtp mail.adomain.be Warning - Reverse DNS does not match SMTP Banner
smtp mail.adomain.be OK - xx.xxx.40.112 resolves to 112.40-xxx-xx.adsl-static.isp.belgacom.be
smtp mail.adomain.be OK - Supports TLS.
smtp mail.adomain.be 0.983 seconds - Good on Connection time
smtp mail.adomain.be OK - Not an open relay.
smtp mail.adomain.be 3.588 seconds - Good on Transaction Time

spf:adomain.be
Category Host Result
spf adomain.be A Valid TXT Record was not found
spf adomain.be A Valid SPF Record was not found

I checked the logs again but it didn't show anything useful.
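The MXToolbox output above shows what Belgacom asked for is still missing ("A Valid SPF Record was not found"), and MacLab's earlier point is that publishing one will not stop the abuse. The following is an added example, written for this page rather than taken from the thread or from Kerio, that makes both points concrete: it contains the kind of record adomain.be would publish and a small SPF evaluator run against a constructed in-memory DNS table. Assumptions: 192.0.2.10 stands in for the server address the poster masked as 91.183.xx.xxx; hi5.com deliberately has no record in the table; only the ip4, a, mx and all mechanisms with +/-/~/? qualifiers are implemented (no include, redirect, ptr, exists, macros or lookup limits), so this is a teaching subset of RFC 7208, not a production checker.

```python
"""Minimal SPF evaluator (subset of RFC 7208) with a stub resolver.

Added example, not from the thread and not Kerio's code.  DNS below is a
constructed in-memory table; 192.0.2.10 stands in for the masked server
address 91.183.xx.xxx; hi5.com has no record on purpose.  Mechanisms
supported: ip4, a, mx, all with +/-/~/? qualifiers.  include, redirect,
ptr, exists, macros and the 10-lookup limit are not implemented.
"""
import ipaddress

DNS = {
    # The record adomain.be would publish: only the hosts its MX points at
    # may send mail for the domain; everything else must be rejected.
    # With a static IP, "v=spf1 ip4:<server ip> -all" avoids the MX/A lookups.
    ("adomain.be", "TXT"): ["v=spf1 mx -all"],
    ("adomain.be", "MX"): ["mail.adomain.be"],
    ("mail.adomain.be", "A"): ["192.0.2.10"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent or ambiguous."""
    recs = [t for t in lookup(domain, "TXT")
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def host_has_ip(name, ip):
    return any(ipaddress.ip_address(ip) == ipaddress.ip_address(a) for a in lookup(name, "A"))


def check_spf(client_ip, mail_from):
    """Evaluate SPF for the envelope sender the way a receiving MTA does.

    SPF checks the domain of the SMTP MAIL FROM against the connecting IP.
    It never looks at the header From: line that Belgacom quoted.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(arg or domain, client_ip)
        elif mech == "mx":
            matched = any(host_has_ip(mx, client_ip) for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"  # include/redirect/... not implemented in this subset
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and no 'all' term present


if __name__ == "__main__":
    # Own server sending for own domain: a receiver sees 'pass'.
    print("own server, own domain:   ", check_spf("192.0.2.10", "alice@adomain.be"))
    # Someone elsewhere forging @adomain.be: 'fail'; this is what the record buys.
    print("stranger forging domain:  ", check_spf("203.0.113.7", "alice@adomain.be"))
    # The thread's spam: sent from the server itself, but the sender is
    # lloyds@hi5.com, so adomain.be's record is never consulted.
    print("spam relayed from server: ", check_spf("192.0.2.10", "lloyds@hi5.com"))
```

The third case is the one in this thread: the record protects other people from mail forged in adomain.be's name, and it lets the Belgacom delisting form be filled in, but mail the server itself relays for an authenticated (and compromised) account carries whatever MAIL FROM the spammer chose and is judged by that domain's record, not yours. Fixing the relay or the stolen credentials is still the actual remediation; the "Reverse DNS does not match SMTP Banner" warning in the MXToolbox output is a separate, cosmetic item that only the ISP can fix by pointing the PTR record at mail.adomain.be.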