
Help Plz - How to prevent IPv6 addresses from sending spam?

Atomic7 Member
edited December 2013 in Help

Today my mail was blocked by google and I received this message:

[Google-IPv6-address] said: 550-5.7.1 [My-IPv6-address 1] Our system has detected an unusual 550-5.7.1 rate of unsolicited mail originating from your IP address. To protect 550-5.7.1 our users from spam, mail sent from your IP address has been blocked. 550-5.7.1 Please visit http://www.google.com/mail/help/bulk_mail.html to review 550 5.7.1 our Bulk Email Senders Guidelines.

Does this mean my system is compromised or is it only my IPv6 being used as a spam relay? I am using postfix and my IPv4 is protected by SPF. I have many IPv6 addresses and I don't know if others are also being used to send spam. How do I protect my IPv6? Where should I check for logs, because my mail logs are not showing anything? Why was the mail sent over IPv6 instead of IPv4?

What are the possible solutions?

  • How to configure postfix to tackle this situation?

  • Should I use SPF for IPv6? If so, how would I configure it?

  • Should I just disable all IPv6 addresses? Are there any disadvantages if I turn off IPv6?

  • Any better solutions?

Any help is greatly appreciated.

Comments

  • edit /etc/gai.conf
    put (uncomment) this line:
    precedence ::ffff:0:0/96 100

    This will make ipv4 preferred over ipv6.

  • @rds100 said:
    edit /etc/gai.conf
    put (uncomment) this line:
    precedence ::ffff:0:0/96 100

    This will make ipv4 preferred over ipv6.

    Thank you! Does it mean my system is compromised or is it just my IPv6 being used as a spam relay? If so, how do I prevent them from being used as spam relays?

  • rds100 Member
    edited December 2013

    Could be someone from the same netblock as you sending spam and google is penalizing the whole range. Or you don't have rdns setup for the ipv6 address, etc.
    It doesn't hurt to investigate your mail activity though. Check logs, run tcpdump for port 25, etc.

  • Atomic7 Member
    edited December 2013

    @rds100 said:
    Could be someone from the same netblock as you sending spam and google is penalizing the whole range. Or you don't have rdns setup for the ipv6 address, etc.
    It doesn't hurt to investigate your mail activity though. Check logs, run tcpdump for port 25, etc.

    Yes, I don't have rdns set up for my ipv6. Is it a security risk and can it be responsible for my IPv6 being used as spam relays? I have gone through the entire logs, but I couldn't find any evidence or anything suspicious. I suppose my mail logs are showing activity only for IPv4. Maybe I should do the tcpdump for port 25 and I'll find something. Any suggestions on how to prevent my IPv6 addresses from sending spam?

  • Who is "them" ? What is the server used for?

  • My IPv6 addresses. It's a webserver.

  • Addresses are not sending emails alone. Processes can send emails.
    You can tcpdump -n port 25 to see if there is any smtp activity going on

  • skagerrak Member
    edited December 2013

    @Atomic7 said:
    Any suggestions on how to prevent my IPv6 addresses from sending spam?

    As @rds100 stated, give IPv4 precedence. Or disable IPv6 in your MTA completely. Or make sure you apply the same rules and restrictions you have for IPv4 for your IPv6-addresses.

    Yes, I don't have rdns set up for my ipv6. Is it a security risk and can it be responsible for my IPv6 being used as spam relays?

    No, but it's one of the reasons why Google classifies your mails as spam. They even poke you right to this fact by giving you the URL to the document to read in their error message.

    --8<--schnipp--

    Additional guidelines for IPv6

    • The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via the forward DNS resolution of the hostname specified in the PTR record. Otherwise, mail will be marked as spam or possibly rejected.
    • The sending domain should pass either SPF check or DKIM check. Otherwise, mail might be marked as spam.

    -->8--schnapp--

  • Atomic7 Member
    edited December 2013

    @rds100 said:
    Addresses are not sending emails alone. Processes can send emails.
    You can tcpdump -n port 25 to see if there is any smtp activity going on

    No, I mean from acting as spam relays. Can someone exploit my IPv6 addresses as spam relays without my system being compromised? Because I haven't configured them at all. And if they are sending spam, why aren't my logs showing anything? It's less likely that my system is compromised or any malicious scripts are sending spam.

    skagerrak said: As @rds100 stated, give IPv4 precedence. Or disable IPv6 in your MTA completely. Or make sure you apply the same rules and restrictions you have for IPv4 for your IPv6-addresses.

    Yes, I think I should do that. But how do I configure postfix to prevent IPv6 from being used as a spam relay or for other exploits without disabling it?

    skagerrak said: Additional guidelines for IPv6

    The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via the forward DNS resolution of the hostname specified in the PTR record. Otherwise, mail will be marked as spam or possibly rejected.

    The sending domain should pass either SPF check or DKIM check. Otherwise, mail might be marked as spam.

    How do I configure an SPF record for IPv6? Is it the same as IPv4?
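The two IPv6 checks quoted from Google's guidelines above (a PTR record that matches, and an SPF record that actually covers the IPv6 sender) can be checked with a small script. This is an added example, not code from the thread; the addresses and the SPF record are constructed, and the SPF evaluator only handles ip4:/ip6:/all mechanisms so it runs offline.

```python
import ipaddress
import re

# Constructed example values (not from the thread): a mail host with one
# IPv4 and one IPv6 address, and the SPF record we want to publish for it.
MAIL_IPV4 = "203.0.113.25"
MAIL_IPV6 = "2001:db8:1::25"
SPF_RECORD = "v=spf1 ip4:203.0.113.25 ip6:2001:db8:1::/64 -all"


def ptr_name(ip: str) -> str:
    """Owner name of the reverse-DNS (PTR) record for an IPv4 or IPv6 address.

    For IPv6 this is every nibble of the fully expanded address, reversed
    and dot-separated, under ip6.arpa. This is the record your provider
    has to create (pointing at a hostname that resolves back to the same
    address) for the PTR check in the guidelines to pass."""
    return ipaddress.ip_address(ip).reverse_pointer


def spf_allows(spf: str, sender_ip: str) -> bool:
    """True if the SPF record gives a 'pass' for the sending IP.

    Only ip4:/ip6:/all mechanisms are evaluated (no include/a/mx DNS
    lookups). An IPv4-only record ending in -all fails every IPv6 sender,
    which is the usual mistake when a host starts sending over IPv6."""
    ip = ipaddress.ip_address(sender_ip)
    if not spf.lower().startswith("v=spf1"):
        return False
    for term in spf.split()[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifier == "+"
        m = re.fullmatch(r"(ip4|ip6):(.+)", term, re.IGNORECASE)
        if not m:
            continue                          # unsupported mechanism
        net = ipaddress.ip_network(m.group(2), strict=False)
        if ip.version == net.version and ip in net:
            return qualifier == "+"
    return False                              # no match: neutral, not pass


if __name__ == "__main__":
    for addr in (MAIL_IPV4, MAIL_IPV6):
        print(f"{addr}: PTR {ptr_name(addr)}  SPF pass={spf_allows(SPF_RECORD, addr)}")
```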

  • A modern mail server software with its default configuration will not act as an open mail relay and mail/spam cannot be blindly relayed through it - doesn't matter if it's over ipv4 or ipv6.
    If you have a spam problem (due to insecure website, etc.), the ipv6 has nothing to do with it.

  • @rds100 said:
    A modern mail server software with its default configuration will not act as an open mail relay and mail/spam cannot be blindly relayed through it - doesn't matter if it's over ipv4 or ipv6.
    If you have a spam problem (due to insecure website, etc.), the ipv6 has nothing to do with it.

    Thanks for clearing my doubt, that's exactly what I wanted to know: whether my mail server is acting as an open relay over IPv6 or not. I don't have a spam problem, in fact it's the first time my mail has been blocked and that's why I was worried. I haven't configured IPv6 for my server and if my server were compromised, my IPv4 would also have been blocked. I have looked thoroughly but I couldn't find anything suspicious. Can I just disable my IPv6? Are there any disadvantages if I turn off IPv6?

  • The only disadvantage of turning ipv6 off that I can think of is that certain ipv6-fan people will hate you for it.
    And they will hate me too, for telling you that you can safely disable ipv6 if you don't need it :)

  • Thanks for clearing all my doubts. I still need to figure out why my mail was blocked and whether any spam was sent from my IPs. I also need to configure my mailserver for IPv6. Just one last question: how do I configure an SPF record for IPv6? Is it the same as IPv4, and can it prevent/stop mail server abuse over IPv6?

  • Thanks for the link. I really appreciate all your help. Thank you! :)

  • Might want to run some sort of security scan, half the time I see this error it's because a website has been compromised and there's a PHP shell or such sending out spam.

  • @nunim said:
    Might want to run some sort of security scan, half the time I see this error it's because a website has been compromised and there's a PHP shell or such sending out spam.

    Yes, I'll definitely investigate this matter further and will closely observe the server for any abuse/exploits. I just wanted to clear my doubts about certain things. Thank you. Any suggestions/help are appreciated.
