How Does A Server Admin Handle An Abuse Issue?

William Nabaza
Most server administrators I know and have talked to practice prevention: they work to avoid being reported as a spammer in the first place rather than facing a report head on and looking for a cure. Here are some practical steps, based on my experience as a server administrator since 1995, on how to avoid it. Server administrators are not just part of the system; they are the "system" themselves, enforcing zero tolerance against spam. First and foremost comes the foundation of a server: how its abuse reporting system is set up and placed.

1. Set up a separate, dedicated email address for this (preferably not on one of your own domains' email systems, or preferably hosted on another server). Its sole purpose is to receive computer-generated logs of abuse reports made within 24 hours against your allotted IP addresses. This address must not be published anywhere, not even in your whois info or on your published pages. I prefer @gmail.com or @yahoo.com. Once the address is set up, go to http://www.spamcop.net/w3m?action=ispsignupform and click on "create an Isp account", then log in, click on "Request Reports" and type in all the IP addresses allotted to your account, one IP per line. It is a good idea to list the IP addresses of your other server accounts as well, for centralized reporting. That way, when someone files a report (out of ignorance, out of envy, or because of plain abuse by one of your members), you will get it at this email address.

2. Open an account at groups.google.com and join these 2 specific newsgroups:

news.admin.net-abuse.policy http://groups.google.com/group/news.admin.net-abuse.policy?lnk=sg

news.admin.net-abuse.misc http://groups.google.com/group/news.admin.net-abuse.misc?lnk=sg

This is where abuse reports that have been handled and resolved are posted, and where spam abusers are reported live for all admins to see. By subscribing you can monitor every abuse report made against an IP address. Set up a filter in your email account that picks out your own IP addresses so that those reports end up in your inbox; all other reports can be sent directly to your trash folder for permanent deletion.

Once you have dealt with a spam issue, which I doubt will happen after you practice all the steps in this article, you need to report whether the issue is ongoing or resolved, and that the abuser/spammer has been terminated, removed from your server and banned. Reports posted here need to include full headers. Most web-based email systems can show them: just click on "show full headers report", then copy the whole abusive/spam email message and paste it into these groups. That way you are showing your fellow admins that you enforce zero tolerance on all of your members and are an active promoter of anti-spam laws on the internet.
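An added example, not part of the original article: one way to build the filter from step 2, keeping only the reports that concern your own addresses, by reading the Received lines of a pasted full-header report. The allotted ranges and the sample message are constructed (documentation address ranges).

```python
import email
import ipaddress
import re

# Assumption: the address blocks allotted to your server (documentation ranges here).
ALLOTTED = [ipaddress.ip_network("203.0.113.0/28"),
            ipaddress.ip_network("198.51.100.7/32")]

# Constructed sample report with full headers, not a real message.
SAMPLE_REPORT = """\
Received: from mx.example.net (mx.example.net [192.0.2.25])
\tby inbox.example.org with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000
Received: from web01.yourdomain.com (web01.yourdomain.com [203.0.113.5])
\tby mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000
From: "Offers" <admin@yourdomain.com>
Subject: constructed spam sample

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw_message):
    """Return the bracketed IPv4 addresses from Received headers, newest hop first."""
    msg = email.message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        for text in IP_IN_BRACKETS.findall(header):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # bracketed text that is not a valid address
    return ips

def triage(raw_message, allotted=ALLOTTED):
    """'ours' if any relay hop lies in an allotted block, otherwise 'discard'."""
    hits = [ip for ip in received_ips(raw_message)
            if any(ip in net for net in allotted)]
    return {"verdict": "ours" if hits else "discard",
            "matched": [str(ip) for ip in hits]}
```

Received lines below the first hop you control can be forged, so treat a match as a lead to confirm against your own mail logs before acting on a member.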

3. Log on to WHM (Web Hosting Manager), click on "Security" and then "Tweak Security"; under "SMTP Tweak", click on "Configure" and make sure "Allow connections to localhost on port 25." is disabled. This SMTP tweak prevents users from bypassing the mail server to send mail (a common practice among spammers). It allows only the MTA (mail transport agent), mailman and root to connect to remote SMTP servers. It also helps to check your mail queue a couple of times per day: log in to WHM, click on "Email", then on "Mail Queue Manager". If you see any suspicious-looking email addresses there trying to send, usually free web-based ones or randomly generated ones, click on "Delete all messages in Queue." Such messages sit in the queue only because your system can't send them: they are not routable, because their originating IP addresses are questionable and not listed among the trusted IPs allowed to send out email.

4. Log in to WHM (Web Hosting Manager) and click on "Contact Manager" under the "Server Contacts" menu. Make sure you set "2 or 3" as the Alert Priority Assignment right beside "Recently Uploaded Cgi Script Mail". You will then be emailed on a daily basis (if any pages or scripts were uploaded) about uploads that are set to use SMTP or mail on your server, which spam abusers could use to send out spam from your IP addresses. Set up a filter for these emails; the Subject is always prefixed with "[newmailcgi] Recently Uploaded CGI scripts". Note that even PHP form mail scripts that are insecurely set up and can be used to send spam are reported to the contact email address configured in your server's WHM. Make sure to monitor this actively, and when it happens, give ample warning to the user who uploaded the script.


5. Go to http://www.dnsstuff.com/ and, under "Spam database lookup", type in your IP address. Make sure there are no red areas or red rows for any spam database site; this confirms that your IP addresses are "clean" of spam. Then run another test at http://whois.sc/yourdomain.com and look for the result "Blacklist Status: Clear". It must always be that way. If it says listed, then you are listed on one or more spam database sites, and your IP address is recorded as one from which spam originated and is declared a spamvertised site.
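The lookup behind such "spam database" pages is a plain DNS query, so it can be scripted and run for every allotted IP on a schedule. This is an added example, not from the original article; the zone list is an assumption, and the resolver is passed in as a parameter so the logic can be exercised against a stub.

```python
import ipaddress
import socket

# Assumption: zones to query. bl.spamcop.net is SpamCop's list; add the ones you rely on.
ZONES = ["bl.spamcop.net"]

# getaddrinfo error codes that mean "no such record", i.e. the IP is not listed.
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}

def dnsbl_name(ip, zone):
    """203.0.113.5 -> 5.113.0.203.<zone>: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_ip(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Return {zone: 'listed' | 'clear' | 'error'} for one IP address."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror as exc:
            # A lookup failure is only "clear" when the name really does not exist;
            # timeouts and resolver failures must not be read as a clean result.
            results[zone] = "clear" if exc.errno in NOT_FOUND else "error"
            continue
        # Listings are answered with an address in 127.0.0.0/8.
        results[zone] = "listed" if answer.startswith("127.") else "error"
    return results

def listed(ips, zones=ZONES, resolve=socket.gethostbyname):
    """Return only the (ip, zone) pairs that came back as listed."""
    return [(ip, zone)
            for ip in ips
            for zone, state in check_ip(ip, zones, resolve).items()
            if state == "listed"]
```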

6. Go to http://www.dnsreport.com/ and run a DNS report on your domain. Make sure the "SOA record" shows the email address dedicated to your domain under "Hostmaster E-mail address:". Make sure your "Acceptance of abuse address" is set up as abuse@yourdomain.com. Also make sure that mail relaying is not enabled on your domain.

7. To disable mail relaying on your server, log in as root via SSH and open this file with nano or pico: /etc/mail/spamassassin/local.cf. Make a backup copy of it before making any modifications. Make sure the trusted_networks XXX.XXX.XXX.XXX lines list the IP addresses allotted to your server, one per line, so that whenever someone tries to "spoof" an email message using one of your domains or your clients' domains to send spam, it will be rejected, because it will obviously be sent from other IP addresses. Sites such as proxy sites need to be included among the banned sites when you write your terms of service (TOS) or acceptable use policy (AUP).

8. If your mail queue logs show mail going out to others with a "forged" sender address such as admin@yourdomain.com, chances are your SPF (Sender Policy Framework) record is not set up, so go to http://www.openspf.org/ and set it up. The DNS report scan you ran on your domain will also show this SPF record if it is already set up.
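To see what a receiving server does with the SPF record from step 8, the added example below (not from the original article) evaluates a record against a sending IP and puts a weak record beside a strict one. It handles only the ip4, ip6 and all mechanisms; anything that needs a DNS lookup is returned as unresolved. Both records and all addresses are constructed.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records for yourdomain.com; addresses are documentation ranges.
WEAK_RECORD = "v=spf1 +all"  # authorizes every host on the internet
STRICT_RECORD = "v=spf1 ip4:203.0.113.0/28 include:_spf.example.net -all"

def parse_spf(txt):
    """Return [(qualifier, name, value)] per mechanism; modifiers are skipped."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if "=" in name:  # redirect=, exp= and other modifiers
            continue
        terms.append((qualifier, name.lower(), value))
    return terms

def evaluate(sender_ip, txt):
    """Return (result, unresolved) using the first matching ip4/ip6/all term."""
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for qualifier, name, value in parse_spf(txt):
        if name == "all":
            return RESULT[qualifier], unresolved
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier], unresolved
        else:
            # include, a, mx, exists, ptr: need DNS, so only report them.
            unresolved.append(f"{name}:{value}" if value else name)
    return "neutral", unresolved
```

A non-empty unresolved list means the verdict is provisional: a skipped include or mx term could still authorize the sender.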

9. Whether an abuse report is sent through SpamCop's abuse reporting system or reported by a human being, you have 2 email addresses that you need to check every day, or at the most thrice a day, to make sure you are running "clean" IP addresses.

10. The worst-case scenario is to receive an actual spam abuse report, whether from a human or from the software-generated abuse reporting system set up with SpamCop. It should be dealt with by enforcing zero tolerance on the abusers, and all headers (no more than 6 months old) need to be kept on your computer's hard drive. Headers from abuse reports made by humans need to be logged as well; when copying and pasting such a report, make sure you require valid proof such as a copy of the full headers, which a web-based email system can display via "show full headers". The spammer/abuser needs to be terminated and removed from your server as soon as possible, if possible within hours of the actual abuse report, and the case needs to be posted on the following groups:

news.admin.net-abuse.policy http://groups.google.com/group/news.admin.net-abuse.policy?lnk=sg

news.admin.net-abuse.misc http://groups.google.com/group/news.admin.net-abuse.misc?lnk=sg

By doing so you show that you adhere to your zero-tolerance fight against spam, and this will get your server's IP addresses delisted for free on most spam database lookup sites, while some require a fee for removal. I hope this scenario never happens to you if you have practiced steps 1 - 9. If this resource article, coming from a server admin like me to a server admin/postmaster like you, has proven beneficial and reduced the time you spend dealing with spammers/abusers, please drop me a line at william@nabaza.com; I would appreciate it. God will give me the rest of the rewards.






William Nabaza of www.Nabaza.com specializes in domains, webhosting, webmaster's toolsmarketplace and resources. Stands out as a freebie provider, business opportunity provider and the like. Visit his site at http://www.nabaza.com or contact him directly at william@nabaza.com
