

decibel

335 posts

Ultimate Geek
+1 received by user: 224


#289224 20-Aug-2021 17:58

I have committed the same sin as Hillary Clinton; I have an email server in my garage.


All has been well for many years until I woke up a few days ago and found over 10,000 emails in my inbox.


They were mostly replies from domains saying "no such address exists" and a few from real people saying "out-of-office"


As fast as I deleted them more came in.  I then deleted the email address, but that just resulted in me sending out a ton of emails saying  "no such address exists"  from my end.


I have now shutdown the domain altogether.


In the meantime though, I have been blacklisted from here to the moon, including Geekzone.


(Thanks Mauricio for unblocking me)


Any suggestions for what I can do about this?  (other than going to Mexico and doing the spammer in? - if I found him)


xpd
Geek of Coastguard
14115 posts

Uber Geek
+1 received by user: 4574

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #2763950 20-Aug-2021 18:09

Do you have SPF etc. enabled on your domain? Sounds like you don't and someone's used that to their advantage to spam.....





XPD / Gavin

 

LinkTree

 

 

 




freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41029

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2763980 20-Aug-2021 19:47

It doesn't help much after but any domain should have SPF/DKIM/DMARC set to the strictest settings.

The IP address is now blacklisted. Your ISP won't like you for it. It will be hard to recover but can be done - with time you can remove it from all the blacklists.

Other than this, the IP address being marked as suspicious will disappear from some lists over time.






 


decibel

335 posts

Ultimate Geek
+1 received by user: 224


  #2764044 20-Aug-2021 22:32

Bummer - amateur mistake on my part.  Surprised it didn't happen sooner.

 

Anyway, at least nobody will be chanting  "lock him up!"

 

 

 

 




BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #2764068 20-Aug-2021 23:14

Suggestion, move to GMail and stop running your own domain at home. I did that back in the day when GSuite was free and I have never looked back.


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2764074 20-Aug-2021 23:36

It may even have been compromised and not related specifically to the domain itself. Out of interest, what mail server were you using?

 

But I strongly recommend shifting this to an actual email provider. Dug deep in their website, Zoho still offer a "Forever Free" plan: https://mail.zoho.com.au/orgsignup.do?plan=free





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


fe31nz
1294 posts

Uber Geek
+1 received by user: 423


  #2764077 21-Aug-2021 00:27

Which ISP?  I run my own SMTP server still, but since I am on 2Degrees, I get it to send by relaying via their SMTP servers, which fixes the blacklisting problems.  If you send email from an ordinary ISP IP address, there is a fair chance that the receiving SMTP server will block it simply because it is in a block of ordinary IP addresses that are not expected to send emails.  However, it is getting rare for ISPs to provide SMTP servers you can use - that is one more reason I am with 2Degrees.  There are SMTP servers out there you can pay to use in a similar way - they vary from the occasional free one (for low traffic) through fairly cheap up to massively expensive (intended for use by large corporates sending out daily mailings to millions).  I use dynu.com for my backup MX servers, and they have an option to do SMTP relay for US$9.99 per year.  I would probably use them if I needed to change to an ISP that did not have SMTP relay as an option.

 

I do also have SPF set up, but not DKIM.  Before SPF arrived, I used to occasionally get a few of those "no such address" reply type emails, but I do not think I have had one since I set up SPF.


 
 
 

BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #2764080 21-Aug-2021 06:32

fe31nz:

 

Which ISP?  I run my own SMTP server still, but since I am on 2Degrees, I get it to send by relaying via their SMTP servers, which fixes the blacklisting problems.  If you send email from an ordinary ISP IP address, there is a fair chance that the receiving SMTP server will block it simply because it is in a block of ordinary IP addresses that are not expected to send emails.  However, it is getting rare for ISPs to provide SMTP servers you can use - that is one more reason I am with 2Degrees.  There are SMTP servers out there you can pay to use in a similar way - they vary from the occasional free one (for low traffic) through fairly cheap up to massively expensive (intended for use by large corporates sending out daily mailings to millions).  I use dynu.com for my backup MX servers, and they have an option to do SMTP relay for US$9.99 per year.  I would probably use them if I needed to change to an ISP that did not have SMTP relay as an option.

 

I do also have SPF set up, but not DKIM.  Before SPF arrived, I used to occasionally get a few of those "no such address" reply type emails, but I do not think I have had one since I set up SPF.

 

 

You know that because you are relaying via 2D, then you would need the 2D SMTP servers in your SPF as an allowed IP and DKIM won't work as 2D won't be signing the outbound messages.

 

It also means that anyone else using the 2D SMTP servers can spam as your domain, while that is unlikely they would be legitimate outbound emails that your SPF rule had allowed.
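
The SPF and DMARC points raised in the replies above (strictest settings, and the effect of listing a shared ISP relay), as an added example that is not part of the original thread: a small Python linter for the two TXT record strings. The domains, the relay hostname and the IP address are constructed placeholders, and the relay check assumes the relay's own SPF record covers the servers all of its customers send through.

```python
# Constructed records; domains, relay hostname and IP are placeholders.
WEAK_SPF = "v=spf1 include:relay.isp.example ~all"
STRICT_SPF = "v=spf1 ip4:203.0.113.25 -all"

def lint_spf(record, shared_relays=()):
    """Return findings for one SPF TXT string (RFC 7208 syntax)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # SPF is evaluated left to right, so the first 'all' term decides.
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no 'all' mechanism: unlisted senders get neutral")
    elif alls and not alls[0].startswith("-"):
        findings.append(f"'{alls[0]}' does not hard-fail unlisted senders")
    for t in terms[1:]:
        if t.lower().startswith("include:") and t[8:].lower() in shared_relays:
            findings.append(f"{t}: any customer of that relay passes SPF here")
    return findings

def lint_dmarc(record):
    """Return findings for one DMARC TXT string (RFC 7489 tags)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") != "reject":
        findings.append(f"p={tags.get('p')}: failures are not rejected")
    if tags.get("pct", "100") != "100":
        findings.append("pct below 100: policy covers only part of the mail")
    for tag in ("aspf", "adkim"):
        if tags.get(tag, "r") != "s":
            findings.append(f"{tag} is relaxed: subdomains still align")
    return findings
```
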


freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41029

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2764081 21-Aug-2021 07:00

I have been thinking about this event and I don't think someone spoofed your address. From your description I think your server was compromised and used to send out spam.

Under these circumstances even if you had SPF/DKIM/DMARC your IP would still be considered toxic as all those emails would be "valid" as they would have been sent from your server and pass all those restrictions.

Lesson learnt. Don't run your email server if not constantly patching and updating. The IP is toxic now (as OP mentioned I had to create a WAF rule just to allow him to post this topic) and you might have problems in the future accessing some services.





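
One way to test the spoofed-versus-compromised question raised above, as an added example that is not part of the original thread: read the original message embedded in a bounce and check which IP address the bouncing server saw connect. It assumes the bounce is an RFC 3464 report generated by the receiving server after it accepted the mail; the address and hostnames are constructed.

```python
import email
import re
from email import policy

MY_IP = "203.0.113.25"  # constructed: public address of the home mail server

# Constructed bounce (RFC 3464 layout); {ip} is the peer the bouncing MX logged.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.recipient.example
To: someone@home.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

No such address exists.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from mail.home.example (unknown [{ip}])
 by mx.recipient.example; Fri, 20 Aug 2021 03:00:00 +1200
From: someone@home.example

body
--b1--
"""

def classify(bounce_bytes, my_ip=MY_IP):
    """Say whether the bounced original reached the bouncing MX from my_ip."""
    msg = email.message_from_bytes(bounce_bytes, policy=policy.default)
    originals = [p.get_payload(0) for p in msg.walk()
                 if p.get_content_type() == "message/rfc822"]
    received = originals[0].get_all("Received") if originals else None
    if not received:
        return "unknown"
    # Top-most Received was written by the MX that bounced the mail, so it
    # is the one hop a spammer could not forge.
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
    if not ips:
        return "unknown"
    return "sent-from-my-server" if my_ip in ips else "spoofed-elsewhere"
```

A "sent-from-my-server" result points at the server itself (compromised account or open relay setting); "spoofed-elsewhere" means the bounces are backscatter from mail that never touched it.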

 


decibel

335 posts

Ultimate Geek
+1 received by user: 224


  #2764167 21-Aug-2021 10:55

BarTender:

 

Suggestion, move to GMail and stop running your own domain at home. I did that back in the day when GSuite was free and I have never looked back.

 

 

I do have a Gmail address also - but I have an aversion to outfits like Google and wish to minimise my dependence on them.


decibel

335 posts

Ultimate Geek
+1 received by user: 224


  #2764169 21-Aug-2021 10:57

fe31nz:

 

Which ISP?  I run my own SMTP server still, but since I am on 2Degrees, I get it to send by relaying via their SMTP servers, which fixes the blacklisting problems. 

 

 

I am on 2degrees as well, running an  hMail server.  I was not using the snap SMTP outgoing server; too late now.


decibel

335 posts

Ultimate Geek
+1 received by user: 224


  #2764222 21-Aug-2021 11:00

freitasm: I have been thinking about this event and I don't think someone spoofed your address. From your description I think your server was compromised and used to send out spam.

Under these circumstances even if you had SPF/DKIM/DMARC your IP would still be considered toxic as all those emails would be "valid" as they would have been sent from your server and pass all those restrictions.

Lesson learnt. Don't run your email server if not constantly patching and updating. The IP is toxic now (as OP mentioned I had to create a WAF rule just to allow him to post this topic) and you might have problems in the future accessing some services.

 

Possible but I am past this point now.

 

I am getting email through 1stDomains from now on.

 

Cheers and thanks guys for keeping my brain active. 👍


 
 
 

xpd
Geek of Coastguard
14115 posts

Uber Geek
+1 received by user: 4574

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #2764234 21-Aug-2021 11:21

I used to run hMailserver, only had issues with it once after an update turned off the SMTP external access - woke up to 50k+ emails queued up - soon flushed those out and found the setting. Did end up being blacklisted but managed to remove from most, others was just a waiting game.

 

 





XPD / Gavin

 

LinkTree

 

 

 


decibel

335 posts

Ultimate Geek
+1 received by user: 224


  #2764331 21-Aug-2021 14:18

freitasm: ... I had to create a WAF rule just to allow him to post this topic.

 

Yes, lesson learned - I thought WAF stood for "Wife Acceptance Factor"  - now I know better.

