  1. #1
    Untanglit
    Join Date
    Feb 2010
    Posts
    15

    My ISP is saying that my server is sending spam

    We got a call from the ISP that our server or IP is sending spam. We checked the computers for malware or spyware and there seems to be no major issue.

    We are using:

    Build: 9.2.1~svn20120328r31539release9.2-1lenny
    Kernel: 2.6.26-2-untangle-686
    History: yes (40)
    Reboots: 0 (0)


    Attached is a copy of the examples that they sent me.

    Any advice will be appreciated.

    Thanks

  2. #2
    Master Untangler jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    606


    Block port 25 outbound in the firewall app from everything except your actual mail server. If anyone internal wants to send mail, they can use a server that supports SSL or TLS.
    Four time Microsoft ASP.Net MVP managing an IBM System x3250 / X3440 / 8GB with Untangle 9.4 to protect 40Mbits for 450+ residential college students and associated staff and faculty

  3. #3
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,685


    One of the reported spams is a quarantine digest, so I'd check your spam blocker event log.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    2,989


    It looks like his server is sending it. What machine is 66.64.43.226? That's the client that generated that 2nd message.
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.

  5. #5
    Untanglit
    Join Date
    Feb 2010
    Posts
    15


    Originally posted by mrunkel:
    It looks like his server is sending it. What machine is 66.64.43.226? That's the client that generated that 2nd message.

    We do not have a machine with this IP address; this is an external IP and our LAN is 192.168.1.N, unless one of the PCs has malware or spyware and it is using that IP.

    What do you think?

  6. #6
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    2,989


    I think your mail server is incorrectly configured, or you have a remote client that is using authenticated SMTP relay to relay spam through your server.

    But I don't know your network, so take those two guesses with a grain of salt.
    m.



  7. #7
    Untanglit
    Join Date
    Feb 2010
    Posts
    15


    Thank you guys for all your replies,

    I called the provider regarding the IP that they had seen spamming. It was different than my IP from my MX records, but it was the IP on their end that was also set up in the router as the IP that connects their network with us. I asked them if they were receiving a lot of spam; they said that it was not too many.

    After checking the settings in Untangle, I noticed that the quarantine setting was set to send digests to all addresses. I set it up to just send digests to my domain under: Config > Email > Quarantine

    I contacted the ISP and they haven't received any more "spam", but it looks like those emails were actually quarantine digest emails.

    Thanks again... you guys are the best

  8. #8
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    11,685


    Quarantines will only be created for emails that have spam. So if you have quarantines for external users you are probably scanning outbound mail.

    I would check that you have not enabled scanning of outbound mail in spam blocker and also that your interfaces are plugged in correctly.

  9. #9
    Untanglit
    Join Date
    Feb 2010
    Posts
    15


    Hey dmorris, thanks for your quick reply.

    Under Advance SMTP Configuration => Scan outbound (WAN) SMTP is checked.

    Is this the option that you are referring to?

    So if I have this option checked, it is actually scanning the WAN port for outbound on their ISP site. I was under the impression that this option is to scan the emails that my local clients are sending out (in case one computer is infected with malware or something like that).

    Thank you again

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    16,895


    That option is there to scan SMTP traffic exiting your network. If you have that option turned on, and you haven't defined an explicit list of quarantinable e-mail addresses, and you have quarantine enabled...

    You're spamming the world with quarantine digests they'll never see or access.

    In short, untick that box. If you think mail exiting your network is spam, you've got large problems. If you want to control your workstations so they can't spam the world, make a firewall rule that blocks SMTP exiting your network, then make a pass rule that allows your mail server to send.
    Rob Sandling, BS:SWE, MCP
    Intouch Technology
    Phone: 480-272-9889
    rob@intouchtechllc.com

    UntangleAppliances.com
    Phone: 866-794-8879
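
The firewall advice in posts #2 and #10 (block SMTP leaving the network, pass only the mail server), modeled as an ordered rule list and run over constructed flows to show who gets blocked and why rule order matters. This is an added example, not code from the thread or from Untangle; the mail server address 192.168.1.10, the sample flows and the first-match evaluation model are assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # LAN range given in the thread
SMTP = 25

# Ordered rules, first match wins (assumed evaluation model).
# Each rule is (action, source network, destination port).
RULES = [
    ("pass",  ipaddress.ip_network("192.168.1.10/32"), SMTP),  # assumed mail server
    ("block", LAN, SMTP),                                      # every other LAN host
]

# Constructed sample flows: (source, destination, destination port).
FLOWS = [
    ("192.168.1.10", "203.0.113.25", 25),   # mail server delivering mail
    ("192.168.1.57", "198.51.100.7", 25),   # workstation speaking SMTP directly
    ("192.168.1.57", "198.51.100.7", 587),  # workstation using TLS mail submission
    ("192.168.1.80", "192.168.1.10", 25),   # workstation handing mail to the server
]


def decide(rules, src, dst, dport):
    """Return 'pass' or 'block' for one flow; unmatched flows pass."""
    src_ip = ipaddress.ip_address(src)
    if ipaddress.ip_address(dst) in LAN:
        return "pass"  # traffic that stays on the LAN never reaches the WAN rules
    for action, network, port in rules:
        if dport == port and src_ip in network:
            return action
    return "pass"


def blocked_hosts(rules, flows):
    """Sorted list of source hosts with at least one blocked flow."""
    return sorted({s for s, d, p in flows if decide(rules, s, d, p) == "block"})


if __name__ == "__main__":
    # Correct order: only the workstation's direct port-25 traffic is stopped.
    print("pass-then-block:", blocked_hosts(RULES, FLOWS))
    # Reversed order: the block rule matches first and the mail server is cut off too.
    print("block-then-pass:", blocked_hosts(list(reversed(RULES)), FLOWS))
```
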
