LinuxQuestions.org - Linux - Security
Thread: i think my server is sending spam mail (https://www.linuxquestions.org/questions/linux-security-4/i-think-my-server-is-sending-spam-mail-865397/)

zubinn 02-28-2011 12:30 AM

i think my server is sending spam mail
 
I have a mail server. I can see from the router that the network activity is more than usual.

After running netstat I see that it is making many SMTP connections all over the place.

Below is only a small snippet.

I have done the relay test, and my email server is not relaying. How can I determine if my system has been compromised, and what can I do to fix the problem?

==========================

tcp 0 0 192.168.0.70:43611 mail0.abel.net.uk:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58254 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58008 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58011 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58092 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:49326 mx1.earthlink.net:smtp ESTABLISHED
tcp 0 0 192.168.0.70:58059 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:34635 mx1.isp.kq.no:smtp TIME_WAIT
tcp 0 1 192.168.0.70:43053 hrndva-smtpin01.mail.r:smtp SYN_SENT
tcp 0 0 192.168.0.70:47896 ppagent2.ad.uab.edu:smtp TIME_WAIT
tcp 0 0 192.168.0.70:41655 ff-mx-vip3b.prodigy.ne:smtp TIME_WAIT
tcp 0 0 192.168.0.70:41605 ff-mx-vip3b.prodigy.ne:smtp TIME_WAIT
tcp 0 0 192.168.0.70:41655 ppagent1.ad.uab.edu:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44367 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44350 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44485 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:48841 mx.scarlet.be:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44264 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44657 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44667 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44597 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 1 38 192.168.0.70:50649 yokota-mail2.afnoc.af.:smtp CLOSING
tcp 0 0 192.168.0.70:59712 mx2.electric.net:smtp ESTABLISHED

======================================
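
Added example (not code from the thread): a small script that turns raw netstat output like the snippet above into the numbers that matter for this question, namely how many connections the host itself has opened to other servers' port 25, to how many distinct hosts, and in which states. The sample input is a subset of the netstat lines posted above, with hostnames truncated exactly as netstat printed them; the thresholds in `looks_like_spam_run` are assumptions to tune against your own baseline.

```python
"""Summarise outbound SMTP connections from netstat output.

Added example, not part of the original thread. The sample is a subset of
the netstat snippet in the post; hostnames are truncated as netstat printed
them. Run `netstat -tn` (or `ss -tn`) for numeric, untruncated addresses,
in which case the remote port shows as 25 instead of 'smtp'.
"""
from collections import Counter

# Subset of the lines from the post above.
NETSTAT_SNIPPET = """\
tcp 0 0 192.168.0.70:43611 mail0.abel.net.uk:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58254 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:58008 mtain-md.r1000.mx.aol.:smtp TIME_WAIT
tcp 0 0 192.168.0.70:49326 mx1.earthlink.net:smtp ESTABLISHED
tcp 0 1 192.168.0.70:43053 hrndva-smtpin01.mail.r:smtp SYN_SENT
tcp 0 0 192.168.0.70:44367 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 0 0 192.168.0.70:44350 mta-v2.mail.vip.ac4.ya:smtp TIME_WAIT
tcp 1 38 192.168.0.70:50649 yokota-mail2.afnoc.af.:smtp CLOSING
tcp 0 0 192.168.0.70:59712 mx2.electric.net:smtp ESTABLISHED
"""


def parse_netstat(text):
    """Return (local_host, local_port, remote_host, remote_port, state) per tcp line.

    Expects the classic netstat column layout: proto, recv-q, send-q,
    local address, foreign address, state.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        lhost, _, lport = fields[3].rpartition(":")
        rhost, _, rport = fields[4].rpartition(":")
        rows.append((lhost, lport, rhost, rport, fields[5]))
    return rows


def outbound_smtp_summary(text, local_ip):
    """Count connections *we* opened to other servers' port 25.

    Outbound delivery has an ephemeral local port and remote port 25/'smtp';
    inbound sessions have local port 25 and are ignored here.
    """
    outbound = [r for r in parse_netstat(text)
                if r[0] == local_ip and r[3] in ("smtp", "25")]
    return {
        "total": len(outbound),
        "by_state": Counter(r[4] for r in outbound),
        "by_remote": Counter(r[2] for r in outbound),
        "distinct_remotes": len({r[2] for r in outbound}),
    }


def looks_like_spam_run(summary, max_distinct_remotes=20, max_total=50):
    """Assumed thresholds: a small server normally talks to a handful of MX
    hosts at once; simultaneous fan-out to dozens of unrelated providers is
    the spam-run signature. Tune to what your server does on a quiet day."""
    return (summary["distinct_remotes"] > max_distinct_remotes
            or summary["total"] > max_total)


if __name__ == "__main__":
    s = outbound_smtp_summary(NETSTAT_SNIPPET, "192.168.0.70")
    print(s["total"], "outbound SMTP connections to",
          s["distinct_remotes"], "hosts;", dict(s["by_state"]))
    for host, n in s["by_remote"].most_common(5):
        print(f"{n:4d}  {host}")
```

A large share of TIME_WAIT and SYN_SENT entries to many different MX hosts at the same second is the pattern to look for; a legitimately busy server that is not an open relay usually shows a few ESTABLISHED sessions to the same handful of providers. Feed it `netstat -tn` output on a quiet day first to learn the normal numbers before trusting the thresholds.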

bathory 02-28-2011 12:55 AM

Hi,

Better check the mail logs (usually /var/log/maillog) and see what's happening.

Regards

Noway2 02-28-2011 04:55 AM

+1 on checking the logs. The netstat output only gives a partial picture. If you do see something that looks suspicious in the logs, please respond with details and facts. In addition to some relevant log information, include at least the following:

1 - what distribution you are running and at what revision
2 - what email application are you using (again what version)
3 - what other email accessories are you using, e.g. spamassassin, dspam, amavis.
4 - what other server applications are you running, e.g. Apache and do you use a CMS and if so which one?
5 - do you use any PHP based configuration applications, like webmin (again include version information).

I realize that the above list may be jumping the gun a bit. The point I am trying to make is that if it does appear that you have a problem, please gather and respond with as much detail as possible and we will help analyze it.

zubinn 02-28-2011 05:04 AM

I think there is a problem.

email log snippet
=====================
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 75.180.132.243 for domain ad$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 75.180.132.244 for domain ad$
02-28 18:31:39 +0800 08 dns1 PROCESSING:0038D7CF: Start mail delivery
02-28 18:31:39 +0800 08 dns1 RELAY:0000E02E: Bad greeting code from server: Error - Blocked for abuse. See $
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: no more relays for bellsouth.net
02-28 18:31:39 +0800 08 dns1 PROCESSING:003B4D5B: Max retry reached; giving up delivery for mail 3B4D5B
02-28 18:31:39 +0800 08 dns1 RELAY:0000E030: Connected to 212.52.84.174
02-28 18:31:39 +0800 08 dns1 RELAY:0000E031: Connected to 75.180.132.243
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 98.137.54.237 for domain yah$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 98.137.54.238 for domain yah$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 66.94.236.34 for domain yaho$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 74.6.140.64 for domain yahoo$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 66.94.237.64 for domain yaho$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 98.139.54.60 for domain yaho$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 74.6.136.244 for domain yaho$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 66.94.238.147 for domain yah$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 67.195.168.31 for domain yah$
02-28 18:31:39 +0800 08 dns1 RELAY:00000000: Relay mail 3B4D5B: found MX entry 74.6.136.65 for domain yahoo$

zubinn 02-28-2011 05:18 AM

1 - what distribution you are running and at what revision

2.6.11-1.1369_FC4smp


2 - what email application are you using (again what version)

It is called AXIGEN.
Axigen server version: 1.1.1 (Linux/i686)
I have been using the same thing since 2005.

3 - what other email accessories are you using, e.g. spamassassin, dspam, amavis.

spamassassin, but i have disabled it

4 - what other server applications are you running, e.g. Apache and do you use a CMS and if so which one?

only DNS and MAIL server on this machine

5 - do you use any PHP based configuration applications, like webmin (again include version information).

Only the interface to configure the email server, but it is only accessible via local IP addresses.

---------- Post added 02-28-11 at 06:18 AM ----------

more stats from the mail server

SMTP_InboundConnection 447
SMTP_InboundConnectionAuthenticated 428
SMTP_InboundConnectionAuthenticatedSuccess 428
SMTP_InboundConnectionReceivedBytes 1424177
SMTP_InboundConnectionSentBytes 722858
SMTP_InboundMessage 449
SMTP_InboundMessageBDATAccepted 0
SMTP_InboundMessageBodyAccepted 438
SMTP_InboundMessageDATAAccepted 438
SMTP_InboundMessageDATAUsed 438
SMTP_InboundMessageFROMAccepted 449
SMTP_InboundMessageMessageBytes 685211
SMTP_InboundMessageTOcommandsAccepted 21027
SMTP_InboundMessageTOcommandsRejected 6
SMTP_OutboundConnection 69859
SMTP_OutboundConnectionAuthenticated 0
SMTP_OutboundConnectionAuthenticatedSuccess 0
SMTP_OutboundConnectionErrorFinish 60304
SMTP_OutboundConnectionReceivedBytes 0
SMTP_OutboundConnectionSentBytes 7792745
SMTP_OutboundMessage 8984
SMTP_OutboundMessageBDATAccepted 8943
SMTP_OutboundMessageBodyAccepted 3000
SMTP_OutboundMessageDATAAccepted 8153
SMTP_OutboundMessageDATAUsed 5930
SMTP_OutboundMessageFROMAccepted 7724
SMTP_OutboundMessageMessageBytes 6604053
SMTP_OutboundMessageTOcommandsAccepted 5577
SMTP_OutboundMessageTOcommandsRejected 4293

zubinn 02-28-2011 05:22 AM

more suspicious logs
=============================

Message: 646282
age 17460
id 0x9DC8A
nextSchedule Mon, 28 Feb 2011 14:17:24 GMT
rcptCount 50
rcptList roadrunner@postmaster.co.uk[expand]
roadrunner72@eudoramail.com[expand]
roadshow@vicnet.net.au[expand]
roadsidesitter@hotmail.com[expand]
roadtraffic@pondy.com[expand]
roamcom@ig.com.br[expand]
roamytx@webtv.net[expand]
roan70@ec-red.com[expand]
roan747@sbcglobal.net[expand]
roanngiron@yahoo.com[expand]
roaper444@yahoo.com[expand]
rob.cairns@chemergi.com[expand]
rob.erickson@intel.com[expand]
rob.hinchcliffe@gmail.com[expand]
rob.hirtz@duke.edu[expand]
rob.inglis@blueyonder.co.uk[expand]
rob.kerby@eudoramail.com[expand]
rob.kh@ntlworld.com[expand]
rob.lemos@cnet.com[expand]
rob.lockhart@mot.com[expand]
rob.michell@sonybpe.com[expand]
rob.shaw@dsl.pipex.com[expand]
rob.widmann@gmail.com[expand]
rob@alice.net[expand]
rob@automagic.org[expand]
rob@gangrene.berkeley.edu[expand]
rob@greatphotorgaphy.com[expand]
rob@hpcmo.hpc.mil[expand]
rob@ksco.com[expand]
rob@natinst.com[expand]
rob@nonsequitur.ca[expand]
rob@robhayes.net[expand]
rob@seaclypse.com[expand]
rob@sys3.pe1chl.ampr.org[expand]
rob@vortimac.com[expand]
rob@wombat.echidna.id.au[expand]
rob_foshee@adp.com[expand]
rob_helle@hotmail.com[expand]
rob_krebs@plastics.org[expand]
rob_motren@hotmail.com[expand]
rob_russell@mailexcite.com[expand]
rob1038@yahoo.com[expand]
rob21@netscape.com[expand]
rob8@netvigator.com[expand]
robabrah@online.no[expand]
robafowler@aol.com[expand]
robaiate@tv2m.co.maikaat[expand]
robaking@hotmail.com[expand]
roballo@premiumpesca.com.br[expand]
robandsteph@optusnet.com.au[expand]
receiveDate Mon, 28 Feb 2011 07:09:33 GMT
retryCount 3
returnPath www@xj121.com
size 1741
status SEND FAILURE

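Added example (not from the thread or from Axigen): a parser for the key/value queue dump shown above, plus a triage function that spells out why a queued message looks like spam output. The signals it checks are the ones visible in the post: an envelope sender in a domain the server does not host, a large recipient count, a recipient list in alphabetical order (harvested address lists are usually processed in sorted chunks), and a message that is only still queued because every delivery attempt failed. The first message in the sample is shortened from the post; the second is constructed as a normal-looking message for contrast, and `LOCAL_DOMAINS` is an assumption.

```python
"""Triage messages in a mail queue dump.

Added example, not part of the thread or Axigen. Reads the format shown in
the post: a 'Message:' header, one field per line, and recipients continued
on their own lines with an '[expand]' suffix. First message shortened from
the post; second message constructed. LOCAL_DOMAINS is assumed.
"""
import re

# Assumption: the domains this server actually hosts.
LOCAL_DOMAINS = {"example.com"}

QUEUE_DUMP = """\
Message: 646282
age 17460
id 0x9DC8A
nextSchedule Mon, 28 Feb 2011 14:17:24 GMT
rcptCount 50
rcptList roadrunner@postmaster.co.uk[expand]
roadshow@vicnet.net.au[expand]
rob.erickson@intel.com[expand]
robandsteph@optusnet.com.au[expand]
receiveDate Mon, 28 Feb 2011 07:09:33 GMT
retryCount 3
returnPath www@xj121.com
size 1741
status SEND FAILURE
Message: 646283
age 120
id 0x9DC8B
nextSchedule Mon, 28 Feb 2011 14:20:00 GMT
rcptCount 1
rcptList alice@example.net[expand]
receiveDate Mon, 28 Feb 2011 14:18:00 GMT
retryCount 0
returnPath bob@example.com
size 2048
status WAITING
"""

INT_FIELDS = {"age", "rcptCount", "retryCount", "size"}
# A bare address on its own line continues the recipient list.
ADDRESS_LINE = re.compile(r"^[^\s@]+@[^\s@]+(\[expand\])?$")


def parse_queue_dump(text):
    """Return a list of dicts, one per queued message."""
    messages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Message:"):
            current = {"message": line.split(None, 1)[1], "rcptList": []}
            messages.append(current)
            continue
        if current is None:
            continue
        if ADDRESS_LINE.match(line):
            current["rcptList"].append(line.replace("[expand]", ""))
            continue
        key, _, value = line.partition(" ")
        if key == "rcptList":
            current["rcptList"].append(value.replace("[expand]", ""))
        elif key in INT_FIELDS:
            current[key] = int(value)
        else:
            current[key] = value
    return messages


def triage(msg, local_domains, max_rcpts=20):
    """Return human-readable reasons a queued message looks like spam output."""
    reasons = []
    sender_domain = msg.get("returnPath", "").rpartition("@")[2].lower()
    if sender_domain and sender_domain not in local_domains:
        reasons.append(f"return-path domain {sender_domain} not served locally")
    if msg.get("rcptCount", 0) >= max_rcpts:
        reasons.append(f"{msg['rcptCount']} recipients in one message")
    rcpts = [r.lower() for r in msg["rcptList"]]
    if len(rcpts) >= 3 and rcpts == sorted(rcpts):
        reasons.append("recipient list is alphabetically sorted")
    if msg.get("status") == "SEND FAILURE":
        reasons.append(f"delivery failed after {msg.get('retryCount', 0)} retries")
    return reasons


if __name__ == "__main__":
    for m in parse_queue_dump(QUEUE_DUMP):
        print(m["message"], m["returnPath"], triage(m, LOCAL_DOMAINS) or "ok")
```

Run it over a full queue dump before purging: the set of return-path domains and the earliest `receiveDate` among the flagged messages tell you when the injection started, which is the window to search in the SMTP logs for the account and client IP that submitted them.
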
bathory 02-28-2011 05:43 AM

It's definitely spam, so better stop your server from running and clean the queue of the spam messages.
I have never used that axigen mail server, but from the logs posted:
Quote:

--snip--
receiveDate Mon, 28 Feb 2011 07:09:33 GMT
retryCount 3
returnPath www@xj121.com
size 1741
status SEND FAILURE
looks like www@xj121.com was used to send out spam and gets back the DSNs. Is that xj121.com your domain served by the axigen mail server?

zubinn 02-28-2011 06:55 AM

looks like www@xj121.com was used to send out spam and gets back the DSNs. Is that xj121.com your domain served by the axigen mail server?
===========================================

No ... not my domains.

I have cleared the queues, so netstat now is not showing much activity.

But how can I check that they don't load rubbish into the queues again?

bathory 02-28-2011 07:27 AM

As told you, I'm not familiar with axigen so I can give only generic advice:
Check the logs to see from which user account all these mails of post #6 were sent, or the IP of the sender. Since your server is not an open relay, most probably it's a user account with a weak password that was compromised.
Also note that both your distro and the mail software you're using are quite old and maybe they need upgrading.

Regards

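Added example (not from the thread, and not Axigen's log format, which the thread never shows): the correlation bathory describes, done over constructed SMTP submission log lines. Each session has an authentication record (client IP and account) and an envelope record (MAIL FROM and recipient count); joining them by session id gives, per account, how many messages were injected, from how many distinct client addresses, and how often the envelope sender was a domain the server does not host. The log layout, regexes, `local_domains` and thresholds are all assumptions; the IPs come from the documentation ranges.

```python
"""Find which authenticated account, from which IPs, is injecting the spam.

Added example. The log format is invented for illustration (the thread
never shows Axigen's per-user lines), so adapt AUTH_RE / ENVELOPE_RE to
whatever your MTA writes. Domains and IPs are constructed.
"""
import re
from collections import defaultdict

# Constructed log lines: one auth record and one envelope record per session.
LOG_LINES = """\
2011-02-28 18:30:01 smtp-in session=a1 client=203.0.113.5 auth=sales@example.com
2011-02-28 18:30:02 smtp-in session=a1 mail-from=www@xj121.com rcpt-count=50
2011-02-28 18:30:05 smtp-in session=a2 client=198.51.100.9 auth=sales@example.com
2011-02-28 18:30:06 smtp-in session=a2 mail-from=www@xj121.com rcpt-count=50
2011-02-28 18:30:09 smtp-in session=a3 client=203.0.113.5 auth=sales@example.com
2011-02-28 18:30:10 smtp-in session=a3 mail-from=www@xj121.com rcpt-count=50
2011-02-28 18:31:00 smtp-in session=a4 client=192.168.0.12 auth=alice@example.com
2011-02-28 18:31:01 smtp-in session=a4 mail-from=alice@example.com rcpt-count=1
"""

AUTH_RE = re.compile(r"session=(\S+) client=(\S+) auth=(\S+)")
ENVELOPE_RE = re.compile(r"session=(\S+) mail-from=(\S+) rcpt-count=(\d+)")


def parse_submissions(text):
    """Join auth and envelope records by session id; one dict per message."""
    sessions = {}
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            sid, ip, account = m.groups()
            sessions[sid] = {"client": ip, "account": account.lower()}
            continue
        m = ENVELOPE_RE.search(line)
        if m and m.group(1) in sessions:
            sess = sessions[m.group(1)]
            sess["mail_from"] = m.group(2).lower()
            sess["rcpts"] = int(m.group(3))
    return [s for s in sessions.values() if "mail_from" in s]


def account_stats(text, local_domains):
    """Per account: message count, total recipients, distinct client IPs and
    how many envelope senders were outside the domains we host."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                 "client_ips": set(), "foreign_senders": 0})
    for sub in parse_submissions(text):
        st = stats[sub["account"]]
        st["messages"] += 1
        st["recipients"] += sub["rcpts"]
        st["client_ips"].add(sub["client"])
        if sub["mail_from"].rpartition("@")[2] not in local_domains:
            st["foreign_senders"] += 1
    return dict(stats)


def suspicious_accounts(stats, max_recipients=100):
    """Accounts to lock first: envelope sender not in our domains, or volume
    out of proportion for one mailbox (threshold assumed). Busiest first."""
    out = [a for a, st in stats.items()
           if st["foreign_senders"] or st["recipients"] > max_recipients]
    return sorted(out, key=lambda a: -stats[a]["recipients"])


if __name__ == "__main__":
    st = account_stats(LOG_LINES, {"example.com"})
    for account in suspicious_accounts(st):
        s = st[account]
        print(account, s["messages"], "msgs", s["recipients"], "rcpts from",
              sorted(s["client_ips"]))
```

An account that submits from several unrelated public IPs in the same minute, with an envelope sender it has no business using, is the compromised one; lock it and change its password before purging the queue, otherwise the queue refills while you watch.
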
zubinn 02-28-2011 07:48 AM

Hi bathory, if it is just a matter of locating the weak password, we can change all the email passwords.

This is an internal server with not many email addresses.

Easy to fix. My concern was that they have managed to install some script on the server itself, which is harder to fix since my Linux admin knowledge is limited.

I will monitor the logs and see if the email blast starts again tomorrow.

Thanks

bathory 02-28-2011 08:11 AM

You said that this server runs only mail and DNS; that's why I told you it could be a weak mail user password. Of course it could be that someone gained access to your box through ssh or other means (given it's running an aged and obsolete distro) and installed some sort of spam bot.
Why monitor the logs and wait for it to happen again, and not look at the existing logs to see who started spamming and from what IP? I guess your server is already blacklisted by Yahoo and other mail providers, and if it happens again it will be difficult to whitelist it.
And once again, you should consider upgrading the OS and mail software.

zubinn 02-28-2011 07:48 PM

Why monitor the logs and wait to happen again and not look at the existing logs to see who start spamming and from what IP?

=====================================================================

Possible to give me some pointers on what logs to look at, and how to see who is spamming and from what IP?

Thanks

bathory 03-01-2011 12:26 AM

Quote:

possible to give me some pointers on what logs to look at and how to see who is spamming and from what ip ?
I cannot, as I've never used this mail server.
You can ask axigen support for help, as it's a proprietary software and you should pay support for it.

Regards

unSpawn 03-01-2011 01:13 AM

For somebody to have accessed the machine and dropped some script 0) requires a web stack component or service that allows access, or an account, 1) possibly with a weak password in the case of the latter, and 2) enough rights for the service or account to drop files and execute them. If you want to explore that avenue you should review system and daemon logs, user shell history, and verify the integrity and purpose of any file system contents.

That said, Axigen Mail Server 1.1.1 was released in 2006 (!) and this and subsequent versions may be or have been vulnerable (see the CVE list: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Gecad+AXIGEN+Mail+Server). Version 7.6.1 seems current. If there's no support available for free then indeed asking the vendor for help seems the logical way.

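Added example (not from the thread): the "verify integrity of file system contents" step above in its simplest workable form. It hashes every regular file under a directory into a baseline, diffs a later run against it, and lists files carrying the setuid/setgid bit, which is where a dropped helper would most like to live. Directory paths are whatever you pass in; nothing here is specific to Axigen or FC4.

```python
"""Build and compare a file-integrity baseline.

Added example, not part of the thread. Walks a directory, records
sha256 + mode for each regular file, and reports what changed between
two runs. Symlinks, devices and sockets are skipped.
"""
import hashlib
import os
import stat


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, permission bits, mtime) for regular files."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_file(full),
                             stat.S_IMODE(st.st_mode),
                             int(st.st_mtime))
    return baseline


def diff_baseline(old, new):
    """Added / removed / changed paths. 'Changed' means content or mode
    differs; mtime alone is ignored because it is trivially forged."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new)
                     if old[p][0] != new[p][0] or old[p][1] != new[p][1])
    return {"added": added, "removed": removed, "changed": changed}


def setuid_files(baseline):
    """Paths whose mode carries setuid or setgid; new entries deserve a look."""
    return sorted(p for p, (_, mode, _) in baseline.items()
                  if mode & (stat.S_ISUID | stat.S_ISGID))


if __name__ == "__main__":
    import json
    import sys
    # usage: script.py DIR            -> print baseline as JSON
    #        script.py DIR OLD.json   -> diff DIR against a saved baseline
    root = sys.argv[1]
    current = build_baseline(root)
    if len(sys.argv) == 2:
        print(json.dumps(current, indent=1))
    else:
        with open(sys.argv[2]) as f:
            saved = {k: tuple(v) for k, v in json.load(f).items()}
        print(json.dumps(diff_baseline(saved, current), indent=1))
        print("setuid/setgid:", setuid_files(current))
```

Two caveats a practitioner would want. A baseline taken after the suspected compromise only catches what changes later, so for the files that matter compare against package manifests (on an RPM-based system such as FC4, `rpm -Va` does this against the installed package database) or a known-good copy, and keep the saved baseline off the host so an intruder cannot rewrite it. And if the kernel itself is suspect, hashes taken from a live boot are the only ones worth trusting.
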
zubinn 03-01-2011 08:43 AM

Well, rightly predicted, I believe it was an account with a weak password.

I believe the system root password is strong enough not to have been broken into, and we have changed it to be safe.

After deleting some unused email accounts, the spamming seems to have stopped.

But I need to keep a watch on the system for another few days to check if it comes back again.

Axigen does not seem to maintain user logs, so I did not manage to tell which user is generating the most traffic.

