|
Internal Spammer Problems
-
10-12-2007 3:06 PM
|
|
-
borg


- Joined on 10-12-2007
- Posts 34
|
Internal Spammer Problems
Been using SmarterMail for about 8 months now and have an unlimited license with around 800 users; however, we have a big problem: 4 times in the last 8 months we have been hit by internal spammers in one form or another, which has caused blacklisted IPs. The last time was about a week ago, when a customer's account was compromised and used to send out 23,000 spam emails overnight. The emails originated from a Nigerian IP address, and we did receive 300 internal spammer notification emails, but as this was overnight we didn't get the emails until the following morning. This is not the first time something like this has happened; last time it was a user who signed up for hosting and then sent 1,000s of spam emails overnight. We were able to suspend the user's account, but not till the next morning; by then the damage was done and yet another IP was blacklisted. It seems SmarterMail lacks the tools to deal with this. We need some way for the internal spammer notification to also suspend the user's account till we can check it out, not just send an email.
I really like SmarterMail but really can't afford for this to happen again. Does anyone here have any recommendations?
|
|
-
-
brianlewis


- Joined on 09-10-2005
- Posts 117
|
Re: Internal Spammer Problems
Log in to SmarterMail 4.3, go to SECURITY/ABUSE DETECTION
Add an Internal Spammer Notification
60 minutes
100 messages
Now when a user tries to email more than 100 messages within a 60-minute period of time you will be notified! Put your pager email address in there so you are notified immediately.
|
|
-
-
borg


- Joined on 10-12-2007
- Posts 34
|
Re: Internal Spammer Problems
I already have that set up; last time I got over 300 internal spammer notification emails. Problem with the pager is I don't have one, not sure if you can even get pagers now in the UK. I did look about 6 months ago but no-one does them anymore, and Email to SMS gateways can be expensive. Also most of these attacks are at 2am in the morning and I don't really want to be woken up, and am not always near a computer; I would rather SmarterMail had some type of protection built in. One idea I have had overnight is to look at the SmarterMail API or the Helm 4 API to disable the account. What I was thinking is to schedule a task to run a script to check the email account spammer notifications are sent to every 10 minutes, and if there is an email, extract the email's domain and use that to then suspend the account.
This will take a bit of work to develop, so I would like to hear if someone has a better idea? Or if it is something that will be added to future versions of SmarterMail? As it is one feature that other mail servers have but SmarterMail lacks.
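
Added example, not part of any post in this thread and not SmarterMail's or Helm's API: the "suspend instead of only notify" behaviour requested above, as a sliding-window limiter using the 100 messages per 60 minutes threshold mentioned earlier. The log format, the account names and the `suspend` hook are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 100                      # messages, as in the abuse-detection setting above
WINDOW = timedelta(minutes=60)   # per authenticated sender

class OutboundThrottle:
    """Counts messages per sender in a sliding window and suspends on breach."""

    def __init__(self, limit=LIMIT, window=WINDOW, suspend=None):
        self.limit, self.window = limit, window
        # Hypothetical hook: a real deployment would call its mail server's API here.
        self.suspend = suspend or (lambda account, when: None)
        self.sent = defaultdict(deque)   # account -> timestamps of relayed mail
        self.suspended = {}              # account -> time of suspension

    def allow(self, account, when):
        """Return True if the message may be relayed, False if it is held."""
        if account in self.suspended:
            return False                 # stays held until an admin reviews it
        q = self.sent[account]
        while q and when - q[0] >= self.window:
            q.popleft()                  # drop sends that left the window
        if len(q) >= self.limit:
            self.suspended[account] = when
            self.suspend(account, when)
            return False
        q.append(when)
        return True

def replay(log_lines, throttle):
    """Feed 'ISO-timestamp account' lines through the throttle; count held mail."""
    held = defaultdict(int)
    for line in log_lines:
        stamp, account = line.split()
        if not throttle.allow(account, datetime.fromisoformat(stamp)):
            held[account] += 1
    return dict(held)

def constructed_log():
    """Constructed sample: one hijacked account bursting at 2am, one normal user."""
    start = datetime(2007, 10, 5, 2, 0, 0)
    burst = [f"{(start + timedelta(seconds=2 * i)).isoformat()} victim@example.com"
             for i in range(500)]
    normal = [f"{(start + timedelta(minutes=20 * i)).isoformat()} alice@example.com"
              for i in range(6)]
    return sorted(burst + normal)

if __name__ == "__main__":
    t = OutboundThrottle()
    print(replay(constructed_log(), t), t.suspended)
```

In the constructed log the burst is cut off after 100 messages, a little over three minutes in, rather than running until someone reads the notifications the next morning.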
|
|
-
-
gary856


- Joined on 07-17-2005
- Portland, OR
- Posts 372
|
Re: Internal Spammer Problems
One thing you should look at is to tighten up the password strength requirements for your users. Hopefully this will help prevent compromised accounts.
You can also try blocking IP ranges for Nigeria (also Benin, Ivory Coast, other places where such spams originate) to prevent those IPs from using your server for SMTP/IMAP/POP3.
As for blocking actual emails, you may want to take a look at Declude Security Suite. This product is an add-on for SmarterMail which not only helps with spam and virus protection, but has what they call Hijack protection which will allow you to block/hold any email from a user which exceeds your abuse detection settings.
|
|
-
-
borg


- Joined on 10-12-2007
- Posts 34
|
Re: Internal Spammer Problems
Thanks for the advice, already blocked some Nigerian IP ranges, but will certainly look at improving it. I would also like to strengthen passwords; the trouble is we use Helm 4, which throws up a failure error rather than informing the user of the real error when they try to create an email account, which causes no end of complaints from users. I've had a quick look at the SmarterMail API and I think it should take about 20 minutes to write an ASP script that uses JMail Pro to pick up internal spammer emails, get the domain from it, then use the SmarterMail API to suspend the account. If I then schedule the ASP file to run every 10 minutes it should do the trick. Will also have a look at the Declude Security Suite to see what that has to offer.
|
|
-
-
borg


- Joined on 10-12-2007
- Posts 34
|
Re: Internal Spammer Problems
I have had a look at Declude Security Suite, but I think $1850.00 USD per year is too much to pay just to add hijack protection to SmarterMail, and the solution I've come up with to use ASP to pick up the internal spammer emails and suspend the account through the API should work and be quite easy for me to implement. I'll probably write it tomorrow as I try not to work at weekends these days, so I actually get at least 1 day off a week.
|
|
-
-
ozgurerdogan


- Joined on 08-15-2006
- Posts 163
|
Re: Internal Spammer Problems
I actually need the solution for the problem you have. I mean internal spam. Abuse detection does not help enough. Can you share the ASP script please?
Thank you
Web Design and Hosting Service in Turkey
|
|
-
-
borg


- Joined on 10-12-2007
- Posts 34
|
Re: Internal Spammer Problems
I didn't bother writing it in the end, as Smarter Tools have said they will be introducing throttling to stop this type of abuse in the next release. Until then I found a cheap Email to SMS provider, so I set up the internal spam abuse email to be sent to the SMS gateway provider who then send it to me as a text message on my mobile phone. Does mean though that if someone sends out spam overnight my phone goes off in the middle of the night!
|
|
-
-
ozgurerdogan


- Joined on 08-15-2006
- Posts 163
|
Re: Internal Spammer Problems
And also if users send via web forms such as ASP or PHP to many users, abuse detection does not work. How do you handle that? Because I have to add server IPs to the whitelist and SMTP auth bypass list as some ASP components do not support auth, I am having such an issue. Do you have any suggestion? Best would be I think that SM was able to limit users to send x mail per day.
Web Design and Hosting Service in Turkey
|
|
-
-
borg


- Joined on 10-12-2007
- Posts 34
|
Re: Internal Spammer Problems
The simple answer is only allow authenticated users. For components like CDONTS and PHP which use localhost, set it up so they can only send to local addresses; if the person wants to send to a non-local address then they need to set up a local mailbox which forwards to the non-local email address. If they want to relay to non-local addresses from scripts, forums, etc. then they need to use a component which supports authentication such as CDOSYS, JMail, AspEmail. There are very few email components that do not support authentication these days, and you are better off getting people to stop using CDONTS as Microsoft retired this component back with Windows 2000, so by now users should be using CDOSYS. To limit users to x amount of posts per hour, or per day, would still require that you use authentication so SM can recognise individual users and domains, but I am really hoping that this feature will be included in the next version of SM as it would be a great way to stop internal spammers.
|
|
-
-
ozgurerdogan


- Joined on 08-15-2006
- Posts 163
|
Re: Internal Spammer Problems
The problem is that on a hosting environment, it is nearly impossible to do what you say, because of complaints from customers. Not sure what most hosting companies prefer to do. As it also says in the help section http://help.smartertools.com/SmarterMail/v4/Default.aspx?p=SA&v=4.3.2831&page=systemadmin/frmsmtpauthbypass some apps do not support SMTP Auth yet. I have to add them to the SMTP Auth bypass list and also the white list.
What made me worried is, to limit users x mails per day, especially for internal spam, I will have to use SMTP auth which will then force me to use auth for those components.
Web Design and Hosting Service in Turkey
|
|
-
-
borg


- Joined on 10-12-2007
- Posts 34
|
Re: Internal Spammer Problems
We are a web host and host about 1000 web sites and have forced all users to use authentication for about 12 months now. We did inform all users first and put up a page explaining what email components support authentication and how to use them. As I mentioned in my previous post, nearly all email components support SMTP authentication. The only one that did not, which a number of users were using, was CDONTS; however this component was retired by Microsoft 7 years ago and replaced with CDOSYS, which does support authentication. Most web hosts I have spoken to have also gone down the same route of forcing users to use authentication; if you don't then you leave a huge door open to spammers that you can do nothing about. Another reason to use SMTP authentication is that if email forms on web sites that take user input, like contact us forms, are not parsed for malicious user code then they can be easily manipulated to send out 1,000s of spam emails by a spammer. You should look at using SMTP authentication on all your web apps, and also make sure at the same time you are removing malicious code from the user input; if not you will find yourself in the situation where a spammer is using one of the web sites you host to send out 1,000s of spam emails and you won't know which site it is to be able to stop them.
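
Added example, not part of the post above: one way a contact form can check user input before it reaches the mail component, assuming the manipulation referred to is line breaks smuggled into header fields. The field names, the addresses and the fixed-recipient design are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

SITE_RECIPIENT = "webmaster@example.com"   # assumption: set by the site, never by the form
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CONTROL_RE = re.compile(r"[\r\n\x00]")     # characters that can start a new header line

class RejectedSubmission(ValueError):
    """Raised when a form submission must not be turned into an email."""

def build_contact_message(form):
    """Build an EmailMessage from a form dict (name, email, subject, body) or raise."""
    name = form.get("name", "").strip()
    sender = form.get("email", "").strip()
    subject = form.get("subject", "").strip()
    body = form.get("body", "")
    # Any value that ends up in a header must be a single line.
    for field, value in (("name", name), ("email", sender), ("subject", subject)):
        if CONTROL_RE.search(value):
            raise RejectedSubmission(f"line break or NUL in {field}")
    # Exactly one address: no commas, spaces or display names.
    if not ADDR_RE.fullmatch(sender):
        raise RejectedSubmission("email is not a single address")
    if len(subject) > 150 or len(body) > 5000:
        raise RejectedSubmission("field too long")
    msg = EmailMessage()
    msg["From"] = SITE_RECIPIENT           # the site sends as itself
    msg["To"] = SITE_RECIPIENT             # visitors cannot choose recipients
    msg["Reply-To"] = sender
    msg["Subject"] = f"[contact form] {subject}"
    msg.set_content(f"Submitted by: {name} <{sender}>\n\n{body}")
    return msg
```

Because the recipient is fixed and the visitor's address only appears in `Reply-To`, a rejected or accepted submission can never add recipients of its own.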
|
|
-
-
ozgurerdogan


- Joined on 08-15-2006
- Posts 163
|
Re: Internal Spammer Problems
OK, you are right and I agree. When I remove server IPs from the white list and SMTP auth bypass list, will abuse detection also warn me about the web forms? And also will SM block those users if they are over the limits in abuse detection?
You said: For components like CDONTS and PHP which use localhost, set it up so they can only send to local addresses; if the person wants to send to a non-local address then they need to set up a local mailbox which forwards to the non-local email address.
Can you please explain this? How can they set it up so? You mean here they will need to use forwarding which seems not acceptable I think.
Thank you
Web Design and Hosting Service in Turkey
|
|
-
-
borg


- Joined on 10-12-2007
- Posts 34
|
Re: Internal Spammer Problems
You set up SM to Allow Relay to Local Users under General Settings -> Security. When you create a mailbox in SM you can set it up to forward email to another email address and also select if you want email deleted from the original mailbox when mail is forwarded. When you forward email to another email address from a mailbox the forwarding email address can be any email address. The abuse detection in SM detects x amount of emails of a certain size from a user during a set amount of time. If all your users are using SMTP authentication then it doesn't matter if they use web apps, email clients, mailing list software, etc. to send emails. If they send more emails of the same size than is permitted in abuse detection you get a warning. It does work for web forms as I used web forms to test it to make sure it is working correctly when I set it up.
|