1 files changed, 287 insertions, 0 deletions
diff --git a/content/blog/mail-disaster.md b/content/blog/mail-disaster.md
new file mode 100644
index 0000000..ab6d452
--- /dev/null
+++ b/content/blog/mail-disaster.md
@@ -0,0 +1,287 @@
++++
+title = "Mail Problems"
+categories = [ "Mail", "Linux", "Security" ]
+date = "2019-03-29T12:58:31+01:00"
+thumbnail = "/images/blog/mail-disaster/mail-disaster.png"
++++
+
+## History
+
+It was a beautiful day. My mailserver on the Raspberry Pi B was running
+without any issues for some time now.
+
+In the evening of March 12th I got a nice email from my external DNS
+provider:
+
+```
+The BuddyNS janitor writing. A safety notification on your BuddyNS account:
+
+    Your zones reached 60% of your account's traffic quota.
+
+Details:
+* Total traffic produced this month: 181 Thousand queries.
+* Current traffic quota: 0.3 Million queries/month.
+```
+
+Well, fine, I thought, finally somebody is checking on my web page and I
+went to sleep.
+
+Of course this was not the case: I had a weak password in one of the accounts
+of my mailserver (which allowed any legitimate Linux user to send
+emails). This caused all those DNS lookups for my domain on the
+BuddyNS DNS servers.
+
+So, my thinking went along the lines: well, some weeks ago
+I replaced the SD card, because the old one was worn out, I cannot
+remember whether I replaced all standard passwords. My suspicion got
+confirmed when I saw the following line in the my mail log:
+
+```
+From: "George"<alarm@andreasbaumann.cc>
+```
+
+Swearing big times about my own stupidity (the default password for the
+'alarm' account is - well - weak) I started cleaning up the mess.
+
+Checking my mail server logs I found that all attacks went via one single
+IP (185.228.80.18). So just blocking the firewall was the fastest way to
+fix the tousands of spam email being sent via my now defacto open mail relay.
+
+## Checking status
+
+There are various helpfull tools to check the status of your mail
+server. I picked https://mxtoolbox.com/. This is what I got:
+
+```
+ dmarc  andreasbaumann.cc  DNS Record not found   
+ blacklist  smtp.andreasbaumann.cc  127.0.0.2   
+ blacklist  smtp.andreasbaumann.cc  Blacklisted by JUNKEMAIL
+ blacklist  smtp.andreasbaumann.cc  Blacklisted by NIXSPAM   
+ blacklist  smtp.andreasbaumann.cc  Blacklisted by TRUNCATE   
+ blacklist  smtp.andreasbaumann.cc  Blacklisted by UCEPROTECTL1   
+ blacklist  smtp.andreasbaumann.cc  Blacklisted by WPBL   
+ mx  andreasbaumann.cc  No DMARC Record found
+ mx  andreasbaumann.cc  DMARC Quarantine/Reject policy not enabled   
+```
+
+I also like the results from ~~[http://zy0.de/q/83.150.2.48](http://zy0.de/q/83.150.2.48)~~:
+
+{{< figure src="/images/blog/mail-disaster/zy0_de.png" alt="zy0_de check resulst for 83.150.2.48" >}}
+
+Especially it shows you headers of SPAM mails, which are quite helpful
+to detect, what went wrong:
+
+```
+Spam samples A small selection
+
+ 12.03.2019 02:03 (Z) (date of processing)
+
+Return-Path: <alarm@andreasbaumann.cc>
+X-Original-To: cindy@SPAMTRAP.INVALID
+Received: from smtp.andreasbaumann.cc (smtp.andreasbaumann.cc [83.150.2.48])
+ by mail.ixlab.de (Spamtrap) with ESMTP
+ for <cindy@SPAMTRAP.INVALID>; Tue, 12 Mar 2019 03:03:20 +0100 (CET)
+Received: from User (unknown [185.228.80.18])
+ by smtp.andreasbaumann.cc (Postfix) with ESMTPA id 909CD77F2A;
+ Tue, 12 Mar 2019 01:22:20 +0100 (CET)
+Reply-To: <gg828579@gmail.com>
+From: "George"<alarm@andreasbaumann.cc>
+Subject: Good Day!!
+Date: Mon, 11 Mar 2019 17:22:27 -0700
+MIME-Version: 1.0
+Content-Type: text/html;
+ charset="Windows-1251"
+Content-Transfer-Encoding: 7bit
+X-Priority: 3
+X-MSMail-Priority: Normal
+X-Mailer: Microsoft Outlook Express 6.00.2600.0000
+X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
+X-NiX-Spam-Hash2: 5994f93f698c55d5b527b1da55f31611
+X-NiX-Spam-Source-IP: 83.150.2.48
+X-NiX-Spam-MX: mail.ixlab.de
+X-NiX-Spam-Listed: yes
+```
+
+## Blacklisting
+
+Mail servers can ask blacklists for bad IPs or domains and then block
+incoming mails.
+
+Most blacklists give you a home page, where they explain, how they 
+manage the list. There you might also find the status of your IP or domain.
+
+There are basically three ways you can try to get off such a list:
+
+* you can fill in a form, usually describing what went wrong and how
+  you solved the problem.
+* you have to send an email with basically the same kind of information
+* you can do nothing, the delisting happens automatically
+
+Keep in mind, that humans read those messages, be polite and be open
+about what went wrong. I never had a problem getting delisted, when
+I described, what I did wrong in the past and how I will enforce better
+security in the future.
+
+Also note: you usually don't get any email or feedback. Give people time
+and they will consider the case. If they think, you deserve to send
+emails again, they will delist you from the blacklist.
+
+Find below short descriptions of what I had to do in the individual cases.
+
+### JumkMailFilter
+
+Visited the "remove from the list" for at:
+
+https://ipadmin.junkemailfilter.com/remove.php
+
+Entered my IP and some text, why I got onto the list.
+
+### DNSBL
+
+~~[http://www.dnsbl.manitu.net/remove.php?value=83.150.2.48](http://www.dnsbl.manitu.net/remove.php?value=83.150.2.48)~~
+
+I had to fill in a form and describe, what went wrong on my side and
+how I fixed the problem.
+
+### TRUNCATE
+
+http://www.gbudb.com/truncate/index.jsp
+
+Had nothing to do here, but wait:
+
+```
+"Maintenance of this list is completely automated and there are no
+provisions for the manual addition or removal of entries."
+```
+
+### UCEPROTECTL1
+
+```
+"This blacklist does not offer any form of manual request to delist. 
+Your IP Address will either automatically expire from listing after
+a given timeframe, or after time expires from the last receipt of
+spam into their spamtraps from your IP Address.
+
+There is an express delisting for 89 CHF
+```
+
+For a personal domain I can wait for seven days sending out no spam.
+
+For a business domain I would most likely pay the 89 CHF. :-)
+
+### WPBL
+
+~~[http://www.wpbl.info/](http://www.wpbl.info/)~~
+
+```
+IP addresses are automatically removed with time, after
+spam stops arriving. For example, a lone spam sighting
+will only get an IP listed for 7 days. You can also
+remove an IP address using the Lookup facility at the 
+top of the page. This no-questions-asked, instant removal
+facility is provided for the benefit of administrators
+who feel that the record is in error or have fixed the
+security problem that allowed spam to be sent through
+their hosts. Access to the removal facility may be
+restricted if there is any abuse of our system, including
+attempts to automate removal of multiple IPs using
+scripts. Removed records still remain in database backups. 
+```
+
+Clicking on:
+
+http://www.wpbl.info/cgi-bin/remove.cgi
+
+I got:
+
+```
+Found IP address 83.150.2.48 in database, marking for removal.
+Record removed. The published list is updated hourly, so changes may not show immediately. 
+```
+
+### SPAMCOP
+
+https://www.spamcop.net/w3m?action=checkblock&ip=83.150.2.48
+
+I filled in the provided form.
+
+### IBM DNS
+
+This is a nice security product called 'IBM-X-Forge-Exchange', 
+so I had to log in with my IBM Id.
+
+{{< figure src="/images/blog/mail-disaster/ibm.png" alt="entries in IBM-X-Forge-Exchange" >}}
+
+I also had to describe my case to get delisted.
+
+### Gmail
+
+Now this one was tricky. Google has a not-so-great postmaster tool, hard
+to find forms to fill in and some confusing documentation.
+
+I tried here:
+
+https://glockapps.com/blog/remove-ip-address-gmail-blacklist/
+
+https://support.google.com/mail/contact/msgdelivery
+
+The postmaster tools are not a big help, really, I registered nonetheless.
+
+I got reject till March 28th, as far as I can tell the domain reputation below
+is one of the worst ones you can get and the only option is to wait some weeks
+after filling in the forms:
+
+```
+Our system has detected that this message
+is 550-5.7.1 likely suspicious due to the very low
+reputation of the sending 550-5.7.1 domain
+```
+
+## Course of Action for a better mail service
+
+I made sure, I have some security standards in place, so that
+at least faking the domain in the 'From:' field is not so simple:
+
+* [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework): Sender Policy Framework
+* [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail): Domain Keys Identified Mail
+* [DMARC](https://en.wikipedia.org/wiki/DMARC): Domain-based Message Authentication, Reporting and Conformance
+
+Those things don't help against a broken account on the mail server,
+as in my case, but they provide positive rating for emails being
+judged in the future, and they are simple to implement.
+
+I also added a list of accounts/emails to the postfix configuration.
+Only those accounts are allowed to send emails from the host.
+Even if this means you have to generate the entry in '/etc/passwd'
+and another one in that postfix list. This makes sure,
+no "rogue" Linux account can be abused for sending emails, when
+compromised.
+
+I added myself to the [DNSWL](https://www.dnswl.org) white list too.
+
+And of course, I deleted the 'alarm' account on the machine. :-)
+
+### Update 4.4.2019
+
+Gmail is still blocking me (or again?). So is bluewin.ch. The mess is
+not over, so I can only recommend everybody to make sure not to get
+into this situation in the first place.
+
+Added [Fail2Ban](https://www.fail2ban.org) to filter for common Postfix
+and Postfix SASL errors, like password-breach attempts via SASL. This
+works like a charm.
+
+Added [Spamassassin](https://spamassassin.apache.org/) and
+[Razor](http://razor.sourceforge.net/) to get rid of spam.
+
+### Update 15.4.2019
+
+Gmail likes us again.. :-)
+
+## References
+
+* https://mxtoolbox.com/
+* http://zy0.de/
+* https://en.wikipedia.org/wiki/Sender_Policy_Framework
+* https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
+* https://en.wikipedia.org/wiki/DMARC