LinuxQuestions.org
Old 11-06-2012, 11:46 AM   #1
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
email spam bot warning


There seems to be a new(?) email spam bot in the wild that is pretty pernicious and anyone who runs an email server will want to be on the lookout for it. The signature of it is like this:
Code:
Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Google searching the email addresses shows hits dating back about one month. Here is a related blog entry that I found. I've also attached a text file showing the sample entries I have received on one server over the last few days. I am seeing this activity on multiple servers.

While even a moderately configured email server will reject these messages, I do recommend that everyone who is running an email server make sure they are using an application like fail2ban, because the more we can collectively make traffic like this fall into the void, the more we reduce the reward for the script authors and users.

There are a couple of things to note about this bot that should be mentioned:
1 - the originating IP address changes frequently.
2 - the interval between delivery attempts varies but is typically 10-30 minutes.
3 - the bot does NOT respond to 500 level error codes by ceasing transmission.
4 - the same IP address will be re-used over a period of time. For example, in the attached log, the first IP 207.237.187.163 scores hits on both Nov 4th and Nov 5th, but there is a LONG delay between them.
5 - the time frame between IP reuse is such that a short BAN time will not be effective. For this reason, you are probably better off rejecting the email with a 400 level (try again) error code, which may encourage retransmission from the same IP more frequently, allowing for better IP capture. This also means that you will need to use a long ban time to achieve the desired effect of dropping repeat attempts.
6 - If you use Greylisting, be sure that your (long delay) filter does not trigger on greylisted entries.

*NOTE: Based upon the rate of change in the IP addresses, it may be necessary to adjust the fail2ban REGEX to specifically target this entry with 1 hit and ban that IP. I have not yet tried to implement this but will watch my logs and experiment if normal banning does not prove effective. Given the repeatability of the email headers, this should be effective, at least initially.

Lastly, this is another example of a case that demonstrates that security is a process. I discovered these events because of routine log monitoring. In this particular case, I saw a massive jump in the number of rejected emails via the pflogsumm report.
Attached Files
File Type: txt email_log.txt (102.6 KB, 14 views)
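As an added illustration (not part of the original post), the fail2ban advice above replayed in Python: a filter regex keyed on the fixed sender/helo signature quoted in the post, and a jail with maxretry 1 whose ban time is either short or long. The Postfix log lines are constructed around the fragment quoted above; the 207.237.187.163 reuse on Nov 4th and Nov 5th is from the post, the other addresses, times and the year 2012 are assumptions.

```python
import re
from datetime import datetime, timedelta

# CONSTRUCTED Postfix smtpd reject lines built around the fragment quoted in the post.
SAMPLE_LOG = """\
Nov  4 02:10:31 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[207.237.187.163]: 554 5.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Nov  4 02:31:07 mx postfix/smtpd[1207]: NOQUEUE: reject: RCPT from unknown[198.51.100.20]: 554 5.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Nov  5 14:12:55 mx postfix/smtpd[1330]: NOQUEUE: reject: RCPT from unknown[207.237.187.163]: 554 5.7.1 <therichsheickc@yahoo.com>: Relay access denied; from=<test@live.com> to=<therichsheickc@yahoo.com> proto=ESMTP helo=<[192.168.2.33]>
Nov  5 14:13:02 mx postfix/smtpd[1331]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<alice@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
"""

# Equivalent of a fail2ban failregex for this bot: captures the client IP and
# requires the fixed sender/helo pair the post identifies as its signature.
BOT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*RCPT from \S+\[(?P<ip>[\d.]+)\]: "
    r".*Relay access denied; from=<test@live\.com> .*helo=<\[192\.168\.2\.33\]>"
)


def bot_hits(log, year=2012):
    """Return [(timestamp, ip)] for every line matching the bot signature.

    Syslog lines carry no year, so one is assumed (2012 for the post's sample)."""
    hits = []
    for line in log.splitlines():
        m = BOT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m["ip"]))
    return hits


def simulate_bans(hits, maxretry, bantime):
    """Replay hits through a fail2ban-like jail (bantime in seconds, as in jail.conf).

    Returns {ip: attempts that arrived while the IP was still banned}, i.e. the
    repeat connections a firewall ban would actually have stopped."""
    counts, banned_until, blocked = {}, {}, {}
    for ts, ip in sorted(hits):
        if ip in banned_until and ts < banned_until[ip]:
            blocked[ip] = blocked.get(ip, 0) + 1
            continue
        counts[ip] = counts.get(ip, 0) + 1
        if counts[ip] >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            counts[ip] = 0
    return blocked
```

With a 10 minute ban the Nov 5th reuse of 207.237.187.163 sails through (the ban expired ~36 hours earlier); a 48 hour ban blocks it, which is the post's point about long ban times.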
 
Old 11-08-2012, 02:55 AM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Ok, thank you, Noway2. I see it in the logs of my east-coast ec2 instance.
Code:
[root@machine log]# grep -l test@live.com maill*
maillog
maillog-20121028
maillog-20121104
[root@machine log]# grep test@live.com maill* | wc -l
385
[root@machine log]# grep test@live.com maillog| wc -l
353

Last edited by Berhanie; 11-08-2012 at 03:13 AM.