LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Server being used to relay spam (Pesk + Qmail), how do I stop it? (http://www.linuxquestions.org/questions/linux-security-4/server-being-used-to-relay-spam-pesk-qmail-how-do-i-stop-it-684403/)

nepcw 11-18-2008 02:14 PM

Server being used to relay spam (Pesk + Qmail), how do I stop it?
 
I have a Root server with 1and1. They use Plesk as the control panel so that is what I have been using.
I got a notice from them that our server has been sending spam and they are getting complaints.

The server uses Qmail with spamassassin

In the Plesk control panel I have set (From day 1) for mail relay to be on, but require SMTP authentication.

When I look in the mail queue for the server I see the same sender (not a domain on my server) sending mass emails to a group of 100+ users.

I went through and looked at everything I could to see if I had something setup that was not correct and I just do not see it.

I ran a telnet to the server and attempted to send from a domain not in the RCPT list and it failed.

What logs can I look at or how can I determine if they are sending directly from the server or if I have a site on there that has been compromised?

Thank you for all your help!

nepcw 11-18-2008 03:48 PM

I checked the secure log and see a lot of the lines like the following, some are legit and a lot of not.

Nov 18 15:25:31 u15262964 xinetd[3826]: START: smtp pid=3435 from=202.75.56.43

I checked and this is a AU IP. Some are from Africa, Amsterdam, China, etc



These are obviously the spammers, but are they connecting from the outside world to my server to send?

rjlee 11-18-2008 04:02 PM

First, check your SMTP authentication. I'm not clear on the details of SMTP-AUTH, but Wikipedia suggests that it can use password authentication; this could be a simple matter of someone brute-forcing your password. The first thing I'd do is change your password and see if the problem stops.

If the server has been compromised, then the chances are that it's a known rootkit that's being used to send spam; you should probably try running chkrootkit to test for this. http://www.chkrootkit.org/.

Can you get hold of a sample spam message? This may tell you if they are using your mail system or not (qmail headers) and may even yield something about the upstream message sender, such as an IP address or the mail agent that they are using.

Qmail logs to /var/log/qmail/ (at least, it does on my server, but I'm running quite an old configuration). There are various files in subdirectories, each named current, that hold the main logs for each module. You probably want to look at /var/log/qmail/smtpd/current.

The other thing you really should do is tell your server provider. Most providers are very happy to help track down problems when servers may have been compromised, but they will usually want to re-image your server to be sure, so make sure that you have a backup of anything important on the server.

rjlee 11-18-2008 04:05 PM

Quote:

Originally Posted by nepcw (Post 3346727)
I checked the secure log and see a lot of the lines like the following, some are legit and a lot of not.

Nov 18 15:25:31 u15262964 xinetd[3826]: START: smtp pid=3435 from=202.75.56.43

I checked and this is a AU IP. Some are from Africa, Amsterdam, China, etc



These are obviously the spammers, but are they connecting from the outside world to my server to send?

xinetd is controlled from /etc/xinetd.conf. Generally, it will be configured to spawn a dæmon when an incoming connection arrives on a particular port, so the chances are that this is an incoming connection from the outside world that's forcing its way past your SMTP-AUTH.

nepcw 11-18-2008 04:08 PM

Quote:

Originally Posted by rjlee (Post 3346739)
First, check your SMTP authentication. I'm not clear on the details of SMTP-AUTH, but Wikipedia suggests that it can use password authentication; this could be a simple matter of someone brute-forcing your password. The first thing I'd do is change your password and see if the problem stops.

If the server has been compromised, then the chances are that it's a known rootkit that's being used to send spam; you should probably try running chkrootkit to test for this. http://www.chkrootkit.org/.

Can you get hold of a sample spam message? This may tell you if they are using your mail system or not (qmail headers) and may even yield something about the upstream message sender, such as an IP address or the mail agent that they are using.

Qmail logs to /var/log/qmail/ (at least, it does on my server, but I'm running quite an old configuration). There are various files in subdirectories, each named current, that hold the main logs for each module. You probably want to look at /var/log/qmail/smtpd/current.

The other thing you really should do is tell your server provider. Most providers are very happy to help track down problems when servers may have been compromised, but they will usually want to re-image your server to be sure, so make sure that you have a backup of anything important on the server.

I have SMTP Auth turned on and when I run all my tests it shows the server is not an open relay. I will try to get ahold of a sample spam message so we can take a look at it.
I checked the qmail logs and all they are really telling me is that person@notmydomain.com is attempting to send to person@atnotmydoman.com.
It doesnt really state if it had been delivered and when I check the queue through Plesk I see them sitting there. So I clear them out, then in a few more days they are there again, waiting to be delivered.
I will post up any log you need to see.
I added a boat load of ip's to my host.deny for ssh because I saw there was someone running a dictionary attack on the server as well.

I have spent the last few hours trying to dig deeper into this and it seems I just come up with more questions, lol

nepcw 11-18-2008 04:16 PM

I also ran chkrootkit and the only thing I see that came back infected was:

Checking `bindshell'... INFECTED (PORTS: 465)


Which from what I read might be ok (false negative)

rjlee 11-18-2008 04:24 PM

Quote:

Originally Posted by nepcw (Post 3346750)
I have SMTP Auth turned on and when I run all my tests it shows the server is not an open relay. I will try to get ahold of a sample spam message so we can take a look at it.

Do you know what version of qmail-smtpd-auth you are using? According to the changelog (http://members.elysium.pl/brush/qmail-smtpd-auth/) there was a fix in version 0.26 that could let an attacker get relay access (not sure under what conditions).

Again, SMTP-AUTH isn't worth anything if your password is guessed, so changing your password really might be worth trying.

nepcw 11-18-2008 04:26 PM

Quote:

Originally Posted by rjlee (Post 3346769)
Do you know what version of qmail-smtpd-auth you are using? According to the changelog (http://members.elysium.pl/brush/qmail-smtpd-auth/) there was a fix in version 0.26 that could let an attacker get relay access (not sure under what conditions).

Again, SMTP-AUTH isn't worth anything if your password is guessed, so changing your password really might be worth trying.

I did change my password as soon as I got the email from 1and1 telling me about the spam. I have about 25 domains on the server right now, so in theory anyone of the accounts setup with mail could of had there passwords guessed and they are using that account right? How would I find out what account it is?

How do I check the version of qmail-smtpd-auth?

billymayday 11-18-2008 04:28 PM

It's more likely the password of one of the users that is able to relay. You need to work out which user is being authenticated for spamming purposes.

nepcw 11-18-2008 04:31 PM

Quote:

Originally Posted by billymayday (Post 3346774)
It's more likely the password of one of the users that is able to relay. You need to work out which user is being authenticated for spamming purposes.

How do I go about finding that out? I tried looking in all the logs I have and nothing seems to tell me what AUTH ACCT is sending the spam.

billymayday 11-18-2008 04:34 PM

Don't your maillogs tell you anything useful? Who's the sender of mail? Is there an authentication showing up at the same time? What distro are you using?

rjlee 11-18-2008 04:35 PM

Quote:

Originally Posted by nepcw (Post 3346777)
How do I go about finding that out? I tried looking in all the logs I have and nothing seems to tell me what AUTH ACCT is sending the spam.

You should be able to find this out from the headers of one of the spam messages after qmail has added it's headers.

You may also be able to find the version of smtp-auth from your distribution's package manager.

nepcw 11-18-2008 04:36 PM

The distro is FDC 4
The mail logs show me the sender and the recipients email address but never shows me an account it was sent with.

Nov 18 13:35:48 u15262964 qmail-remote-handlers[31212]: from=alert@abbey.com
Nov 18 13:35:48 u15262964 qmail-remote-handlers[31212]: to=zinch@publiconline.co.uk

The secure log shows me smtp access and from what IP address like above but nothing that shows me what account they are using to send, if in fact it is one of my customers email accounts they are using.

nepcw 11-18-2008 04:39 PM

Quote:

Originally Posted by rjlee (Post 3346783)
You should be able to find this out from the headers of one of the spam messages after qmail has added it's headers.

You may also be able to find the version of smtp-auth from your distribution's package manager.

one of the issues I'm running into is the spam is being sent to people not on our domain so I have no way of getting those headers, unless there is another way from the server level to obtain them.

My customers do get spam from the outside world as most do, we run spamassassin, APF, and a few other security sets to keep that down.

billymayday 11-18-2008 04:39 PM

Do you mean Fedora Core 4?


All times are GMT -5. The time now is 11:53 AM.