Netgate Discussion Forum

    [SOLVED] HELP! Seem to be a spammer!?

    23 Posts 5 Posters 2.4k Views
    • HermanH
      Herman @Derelict
      last edited by

      @derelict The Source IP Address should be my WAN IP?
      What is the meaning of the ^ and the $ in the Destination port?

      Limburg | The Netherlands.
      It is nice to be important. But it is more important to be nice! | Failure, the best teacher it is!

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        Had you set up pfSense notifications? If so, maybe something was going wrong on pfSense and spamming the notifications, or trying to notify you, which were failing. Since you should have gotten them.

        0_1533558988743_notifications.png

        Or did you try to set up the mailreport package? These would be the 2 ways that pfSense would/could be trying at least to send mail. Which your ISP might not like, especially if something went wrong or was misconfigured and sending out lots of them.

        That is regex format looking for the port in question.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • DerelictD
          Derelict LAYER 8 Netgate @Herman
          last edited by

          @herman said in HELP! Seem to be a spammer!?:

          @derelict The Source IP Address should be my WAN IP?
          What is the meaning of the ^ and the $ in the Destination port?

          No. You are looking for the inside address so you can find out who on the inside is doing it, so you want to capture on the inside interface (LAN) for all addresses. Unless, like @johnpoz said above, it's actually the firewall doing the emailing.

          The fields there are regular expressions. ^25$ will only match 25. 25 might match 2579, 8254, 9925, 25341, etc.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
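
The anchored and unanchored port patterns from the reply above, applied to connection records to find the inside host talking to port 25. This is an added example, not part of the original post and not pfSense code; the record layout, the addresses and the function names `match_ports` and `smtp_senders` are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample records (NOT pfSense's real log format):
# "source_ip destination_ip destination_port", as seen on the LAN interface.
SAMPLE_LAN_LOG = """\
10.0.0.25 203.0.113.10 25
10.0.0.25 203.0.113.11 25
10.0.0.40 198.51.100.7 2579
10.0.0.41 198.51.100.8 8254
10.0.0.25 203.0.113.12 25
10.0.0.52 198.51.100.9 25341
10.0.0.60 192.0.2.33 25
10.0.0.40 198.51.100.7 443
"""

def match_ports(pattern, log=SAMPLE_LAN_LOG):
    """Return the destination ports that `pattern` matches, using search
    semantics (match anywhere unless the pattern is anchored)."""
    rx = re.compile(pattern)
    ports = [line.split()[2] for line in log.splitlines() if line.strip()]
    return [p for p in ports if rx.search(p)]

def smtp_senders(log=SAMPLE_LAN_LOG, port_pattern=r"^25$"):
    """Count connections per inside source address whose destination port
    matches the anchored pattern, most active first."""
    rx = re.compile(port_pattern)
    counts = Counter()
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed records
        src, _dst, dport = fields
        if rx.search(dport):
            counts[src] += 1
    return counts.most_common()

if __name__ == "__main__":
    print("unanchored 25 :", match_ports(r"25"))
    print("anchored ^25$ :", match_ports(r"^25$"))
    for src, n in smtp_senders():
        print(f"{src} opened {n} connection(s) to port 25")
```

The pattern is applied to the port field only; run against whole lines, an unanchored `25` would also hit the address 10.0.0.25.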

          • HermanH
            Herman @Derelict
            last edited by

            @derelict & @johnpoz

            I have notifications configured. I don't think the firewall is the boogeyman because I set up the internal IP address (10.0.0.x) of the mailserver and mailing to an internal mailbox. Even now that the outbound send connector is temporarily disabled, the test message from the pfSense arrives in the correct mailbox.

            Regards Herman

            • HermanH
              Herman @Herman
              last edited by

              @Derelict & @johnpoz

              This is what I see in the Exchange queue. A lot of these messages???

              0_1533572573166_1b99bd8b-67fd-4868-bee1-58915d41fabf-image.png

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                Well if you're not seeing it logged anywhere, then maybe the ISP is full of shit.. Not the first time that sort of thing ever happened. Did your IP change recently - maybe it was the guy with your IP before you, etc.

                If you're logging all outbound on 25, and not seeing anything logged.. Then it's being sent by you - or you have an active state that is still in use? Did you check your state table? Flush it after you create your block/logging rules? You have it logging on all possible inbound ports? You have any road warriors coming in via VPN that could be sending spam through a VPN connection?

                edit: contoso.com - that is one of the domains MS uses in its examples ;)
                https://en.wikipedia.org/wiki/Contoso

                So your Exchange is sending spam? If you're letting Exchange outbound, and your ISP is saying you're spamming - then yeah, more than likely it is your Exchange. If you have all kinds of crap like that in its queue, what else sort of nonsense is in there? And being sent or tried to be sent, etc.

                If you can not just check your Exchange log for what it has sent, how about just sniff on your WAN for outbound 25... And look to see what kind of stuff is being sent or attempted to be sent.. Email is sent in the clear so it's very easy to view all the info in email.

                Do you accept inbound email into your Exchange? If so, could be spammers bouncing off you, or using reflection spam.. PM what's your public IP - will check to see if I can bounce spam off you, i.e. open relay.
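
What reading a cleartext port-25 capture gives you, as an added example that is not part of the original post: the envelope sender and recipients of each message, pulled from the client side of the SMTP dialogue. The sample stream is constructed, and the names `envelopes` and `recipient_domains` are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed client-to-server text from an unencrypted port-25 capture.
SAMPLE_CLIENT_STREAM = """\
EHLO mail.example.net
MAIL FROM:<sender@example.net> SIZE=2048
RCPT TO:<user1@example.org>
RCPT TO:<user2@example.org>
DATA
Subject: constructed message one
RCPT TO:<body-text-not-a-command@example.org>
.
MAIL FROM:<>
RCPT TO:<user3@example.com>
DATA
Subject: constructed bounce with a null sender
.
QUIT
"""

MAIL_RX = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)
RCPT_RX = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.IGNORECASE)

def envelopes(stream=SAMPLE_CLIENT_STREAM):
    """Return one (sender, [recipients]) tuple per message in the stream."""
    result, sender, rcpts, in_data = [], None, [], False
    for line in stream.splitlines():
        if in_data:
            # Content runs to a lone dot; never parse it as SMTP commands.
            if line == ".":
                result.append((sender, rcpts))
                sender, rcpts, in_data = None, [], False
            continue
        if m := MAIL_RX.match(line):
            sender, rcpts = m.group(1), []
        elif m := RCPT_RX.match(line):
            rcpts.append(m.group(1))
        elif line.strip().upper() == "DATA":
            in_data = True
    return result

def recipient_domains(stream=SAMPLE_CLIENT_STREAM):
    """Count envelope recipients per destination domain."""
    return Counter(r.rsplit("@", 1)[-1].lower()
                   for _, rcpts in envelopes(stream) for r in rcpts)

if __name__ == "__main__":
    print(envelopes(), recipient_domains().most_common())
```

An empty sender (`MAIL FROM:<>`) is the null reverse-path used by bounce messages, so a capture dominated by it points at bounces rather than mail a local user composed.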

                • HermanH
                  Herman @johnpoz
                  last edited by

                  @johnpoz I would really love to pm you, if you teach me how to? God I feel so stupid right now...

                  • HermanH
                    Herman @Herman
                    last edited by

                    "Failure, the best teacher it is!"

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      hehe..

                      Dude look at my profile - you figured out how to follow me..

                      Click the 3 dots and then start conversation - or just answer the one I started with you.

                      0_1533578143913_hermanPM.png

                      • HermanH
                        Herman
                        last edited by

                        Hi Guys,

                        It seems that I have found the problem. It looked like there was a corrupt Health Mailbox. Found that because the mails always showed up with the email address inboundproxy@contose.com. The details can be seen in the screenshot earlier. After I finished the migration from Exchange 2013 to 2016 the problem went away. Let's keep our fingers crossed that this was THE problem?!

                        I would like to thank all of you guys helping me and giving me a tremendous learning curve. Without your knowledge and tips I wouldn’t have learned so much about pfSense already. We probably will see each other in another topic as I have so many more questions.

                        Thanks guys, @chpalmer @Derelict @Grimson @johnpoz 👍

                        Regards,
                        Herman

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.