LinuxQuestions.org
Old 10-20-2007, 07:43 AM   #1
soaked
My server is being used for spamming - Help!


Server running RHEL 3, PLESK 7.5, qmail

The server is hosting several domains and IP addresses all through a single ethernet interface.

Server is closed to relaying. People reporting my server as an abuser are giving me email headers like this:

Code:
Received: from <myserver>  (<myserver> [<mymainip>]) by rly-mc05.mail.aol.com (v119.12)  with ESMTP id MAILRELAYINMC52-124471819fd11d; Thu, 18 Oct 2007 22:44:14  -0400
Received: (qmail 4486 invoked from network); 18 Oct 2007 18:59:29  +0000
Received: from unknown (HELO User) (<abusingIP>) by  <anotherofmyips> with SMTP; 18 Oct 2007 18:59:29 +0000
My interpretation of this is that people are connecting anonymously through one of my IPs, their email is being transferred internally on my server, then sent from my main IP.

What can I do to stop this please?
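Reading the quoted chain mechanically, as an added example that is not part of the original post. Received: headers are prepended as the message travels, so the bottom of the chain is the earliest hop; the only lines worth trusting are those stamped ("by ...") by hosts you control, and the lowest of those is where the message entered your infrastructure. The header text, the IPs (RFC 5737 documentation ranges) and the MY_IPS set below are constructed stand-ins for the placeholders in the post.

```python
import re

# Constructed sample, shaped like the headers quoted in the post (top = latest
# hop, bottom = earliest).  IPs are documentation addresses, not real hosts.
SAMPLE_HEADERS = [
    "Received: from host.mydomain.com (host.mydomain.com [192.0.2.10]) "
    "by rly-mc05.mail.aol.com (v119.12) with ESMTP id MAILRELAYINMC52-1; "
    "Thu, 18 Oct 2007 22:44:14 -0400",
    "Received: (qmail 4486 invoked from network); 18 Oct 2007 18:59:29 +0000",
    "Received: from unknown (HELO User) (198.51.100.77) by 192.0.2.11 "
    "with SMTP; 18 Oct 2007 18:59:29 +0000",
]

# Addresses the operator controls (assumed values for this example).
MY_IPS = {"192.0.2.10", "192.0.2.11"}

IPV4 = r"\b\d{1,3}(?:\.\d{1,3}){3}\b"
HOP_RE = re.compile(r"\bfrom\s+(?P<src>.*?)\s+by\s+(?P<by>.*?)(?:;|$)", re.I | re.S)


def parse_hop(header):
    """Split one Received: line into the client that connected ('from ...') and
    the server that stamped it ('by ...').  Lines without a from/by pair, such
    as qmail's '(qmail N invoked from network)', carry no hop and return None."""
    m = HOP_RE.search(header)
    if not m:
        return None
    src_ips = re.findall(IPV4, m.group("src"))
    by_ips = re.findall(IPV4, m.group("by"))
    return {
        "from": m.group("src"),
        # the literal IP the stamping server saw, not whatever the client claimed
        "from_ip": src_ips[-1] if src_ips else None,
        "by": m.group("by").split()[0],
        "by_ip": by_ips[0] if by_ips else None,
    }


def find_injection_point(headers, my_ips):
    """Walk top-down.  Keep the last hop in the contiguous run of lines stamped
    by one of my_ips: that is where the message entered my infrastructure.
    Anything below that run was written before my server saw the message and
    may be forged, so the walk stops there."""
    entry = None
    for hop in map(parse_hop, headers):
        if hop is None:
            continue
        if hop["by_ip"] in my_ips:
            entry = hop
        elif entry is not None:
            break
    if entry is None:
        return None
    return entry["from_ip"], entry["by_ip"]


def looks_like_direct_bot(hop):
    """'unknown' reverse DNS plus a bare, non-FQDN HELO (here 'User') is the
    usual fingerprint of a spam tool speaking SMTP directly, not a relaying MTA."""
    helo = re.search(r"\(HELO\s+(\S+)\)", hop["from"], re.I)
    return hop["from"].startswith("unknown") and bool(helo) and "." not in helo.group(1)


if __name__ == "__main__":
    client, listener = find_injection_point(SAMPLE_HEADERS, MY_IPS)
    print(f"entry hop: client {client} -> my listener {listener}")
    print("direct bot?", looks_like_direct_bot(parse_hop(SAMPLE_HEADERS[2])))
```

On the quoted chain this pins the entry point to a client with no reverse DNS and a HELO of `User`, connecting to the secondary IP on port 25; qmail then accepted the RCPT and delivered from the main IP. The question to chase is therefore not which process is sending but why qmail-smtpd answered 250 to that recipient.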
 
Old 10-20-2007, 01:13 PM   #2
acid_kewpie
well clearly your server is *NOT* closed to relaying, otherwise this wouldn't be happening, would it? try scanning yourself at http://www.abuse.net/relay.html and see what they say you are vulnerable to. they'll also tell you how to fix it for your MTA. obviously we can't tell you exactly what to change on your MTA as you've not provided your config for us to check.
 
Old 10-20-2007, 01:42 PM   #3
soaked

Quote:
Originally Posted by acid_kewpie View Post
obviously we can't tell you exactly what to change on your MTA as you've not provided your config for us to check.
Thanks for your feedback. On my server PLESK controls qmail, and from PLESK I have specified that it should be closed to relaying. I've also checked the rcpthosts file [which I believe is managed through the PLESK interface], and it contains only the domains that are hosted on the server.

Please tell me what else you need to know about my config.

Last edited by soaked; 10-20-2007 at 01:45 PM.
 
Old 10-20-2007, 01:44 PM   #4
acid_kewpie
well i have no experience of plesk whatsoever, so i could only look over the actual real qmail config files.
 
Old 10-20-2007, 02:10 PM   #5
soaked
From what I have read, the config files seem to be the same as for standard qmail, but on a different path.

Given that I know there is a rcpthosts file, is there a setting somewhere that would override that? Where would that setting *normally* be stored please?
 
Old 10-20-2007, 04:46 PM   #6
soaked
Getting closer to the cause now

First off, let me say I'm a newbie when it comes to Linux. So I'm learning from my mistakes.

I disabled mail on every domain, and kept checking maillog file but qmail was still sending out loads of spam.

Then I stopped Apache, hoping that maybe there was a PHP script injection going on, and checked maillog again. Still there was spam going out.

Then I stopped qmail itself. The maillog entries stopped.

Then I ran ps aux and saw lots of qmail entries.

Knowing that my server is being used to send phishing emails from email address service@ppl.com I then ran ps aux | grep ppl.com

There were lots of entries, which have gradually died over time. They are of the form:

Code:
qmailr PID 0.0 0.1 3428 972 ? S <HH:MM> 0:00 qmail-remote <targetdomain> service@ppl.com <address>@<targetdomain>
Due to my lack of knowledge, that's about as far as my diagnosis can get. How can I find out how these qmail-remote processes belonging to user qmailr are being started?

Last edited by soaked; 10-20-2007 at 04:49 PM.
 
Old 10-21-2007, 02:27 AM   #7
soaked
Relay test results from abuse.net

Quote:
Connecting to mail.mydomain.com for anonymous test ...

<<< 220 host.mydomain.com ESMTP
>>> HELO www.abuse.net
<<< 250 host.mydomain.com
Relay test 1
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 2
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 3
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 4
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mydomain.com>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 5
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@[xxx.xxx.xxx.xxx]>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 6
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mydomain.com>
<<< 250 ok
>>> RCPT TO:<securitytest%abuse.net@mydomain.com>
<<< 550 sorry, no mailbox here by that name. (#5.7.17)
Relay test 7
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mydomain.com>
<<< 250 ok
>>> RCPT TO:<securitytest%abuse.net@[xxx.xxx.xxx.xxx]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 8
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mydomain.com>
<<< 250 ok
>>> RCPT TO:<"securitytest@abuse.net">
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 9
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mydomain.com>
<<< 250 ok
>>> RCPT TO:<"securitytest%abuse.net">
<<< 250 ok
Relay test result
Hmmn, at first glance, host appeared to accept a message for relay.

THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.

Some systems appear to accept relay mail, but then reject messages internally rather than delivering them, but you cannot tell at this point whether the message will be relayed or not.

You cannot tell if it is really an open relay without sending a test message; this anonymous user test DID NOT send a test message.
So "securitytest%abuse.net" seems to have got past the rcpthosts file? What should my next steps be please?

Last edited by soaked; 10-21-2007 at 02:30 AM.
 
Old 10-21-2007, 02:39 AM   #8
acid_kewpie
have you got the percenthack options disabled? I assume it would be appending your local domain to what is initially perceived to be a local user name, which could then be spun round and rewritten.
 
Old 10-21-2007, 05:28 AM   #9
soaked
Boy this is a steep learning curve!

There is no file called percenthack on my system.

Now I have learned how to telnet onto port 25 and type in SMTP commands.

The sender "Security%abuse.net" is accepted, then the DATA command then some text and a '.' [period]. I get the SMTP response

250 ok 119xxxxx qp 12112

I quickly dived into the tail of the maillog file and saw that a message from spamtest@mydomain.com qp 12112 had been tried but delivery was deferred because the remote_host_could_not_complete_sender_verify_callout

Using the message id in the log message I then checked the recipient address which was "Security%abuse.net@host.mydomain.com"

So clearly my server is handling mail for badly formed email addresses that it shouldn't.

HOWEVER, my problem is the other way around. The above deferred email has a sender in mydomain.com, but somehow an:

SMTP MAIL FROM:somebody@NOTmydomain.com command is getting injected into my mail queues, getting around my rcpthosts file, and is being sent from my server.

If I:

ps aux | grep qmail-remote I'm seeing lots of lines of mail being sent from email address "Service@ppl.com" such as:

Code:
qmailr PID 0.0 0.1 3428 972 ? S <HH:MM> 0:00 qmail-remote <targetdomain> service@ppl.com <address>@<targetdomain>
Right now, qmail is handling just emails from service@ppl.com, no other addresses, but I also see entries where the sender field is blank, it doesn't contain any email addresses at all.

Last edited by soaked; 10-21-2007 at 05:31 AM.
 
Old 10-21-2007, 06:46 AM   #10
acid_kewpie
ok, so it looks like this could be percenthack related, and oddly I only found out that it existed the other day... so someone sent you an email to "Security%abuse.net". This contained no FQDN, so qmail expanded it to "Security%abuse.net@your.domain.com"; qmail then applies the percenthack "feature" to convert that to "Security@abuse.net" and off it goes.
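The three questions above (post #5: is there a setting that overrides rcpthosts; posts #8 and #10: what happens to a bare `securitytest%abuse.net`) can be answered with a small model of the two qmail decisions involved. This is an added example and a simplified model for reasoning, not qmail's own source; the domain names repeat the thread's placeholders and the RCPTHOSTS and LOCALS sets are assumptions. Stock qmail-smtpd does not check mailboxes at RCPT time, so the 550 in test 6 came from the Plesk build's patches and is not modelled here.

```python
# Simplified model of qmail-smtpd's rcpthosts check (rcpthosts.c) and of the
# recipient rewrite qmail-send performs (rewrite() in qmail-send.c).  Added
# example, not qmail's code.  Domains below are placeholders from the thread.

RCPTHOSTS = {"mydomain.com", "host.mydomain.com", ".customers.example"}  # assumed
LOCALS = {"mydomain.com", "host.mydomain.com"}                          # assumed
ME = "host.mydomain.com"   # control/me, also the default for control/envnoathost

REJECT = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def rcpthosts_allows(addr, rcpthosts):
    """qmail's rcpthosts(): an address with no '@' is ALWAYS allowed, because
    there is no domain to check.  Otherwise the domain must be listed exactly,
    or be covered by a '.parent' entry that matches every subdomain."""
    if "@" not in addr:
        return True
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in rcpthosts:
        return True
    labels = domain.split(".")
    return any("." + ".".join(labels[i:]) in rcpthosts for i in range(1, len(labels)))


def smtpd_rcpt(addr, rcpthosts=RCPTHOSTS, relayclient=None):
    """RCPT TO as qmail-smtpd decides it.  If RELAYCLIENT is present in the
    environment (from a tcpserver rule such as ':allow,RELAYCLIENT=""'),
    rcpthosts is never consulted: that one variable is the setting that
    overrides the file, for every client the rule matches."""
    if relayclient is not None:
        return "250 ok"
    return "250 ok" if rcpthosts_allows(addr, rcpthosts) else REJECT


def qmail_send_route(addr, locals_=LOCALS, percenthack=frozenset(), envnoathost=ME):
    """What qmail-send does with a recipient it was handed: a bare local part
    gets '@' + envnoathost appended; then, while the domain is listed in
    control/percenthack, the rightmost '%' of the local part becomes the new
    '@'; finally the domain decides local versus remote delivery
    (virtualdomains is left out of this model)."""
    if "@" not in addr:
        addr = addr + "@" + envnoathost
    user, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    while domain in percenthack and "%" in user:
        user, domain = user.rsplit("%", 1)
        domain = domain.lower()
    addr = user + "@" + domain
    return ("local" if domain in locals_ else "remote", addr)


if __name__ == "__main__":
    for probe in ("securitytest@abuse.net",
                  "securitytest%abuse.net@mydomain.com",
                  "securitytest%abuse.net"):
        print(f"RCPT TO:<{probe}> -> {smtpd_rcpt(probe)}")
    print("percenthack empty :", qmail_send_route("securitytest%abuse.net"))
    print("percenthack set   :", qmail_send_route("securitytest%abuse.net",
                                                  percenthack={"host.mydomain.com"}))
    print("RELAYCLIENT set   :", smtpd_rcpt("securitytest@abuse.net", relayclient=""))
```

Two things fall out of the model. Test 9 passed rcpthosts only because the address had no `@`; without `host.mydomain.com` in control/percenthack the rewritten address stays `securitytest%abuse.net@host.mydomain.com`, and the #5.4.6 bounce quoted later in the thread shows that on this server that host is not in control/locals either, so the message went nowhere. The one setting that makes qmail-smtpd ignore rcpthosts for arbitrary recipients is RELAYCLIENT, so the qmail-smtpd startup script and the tcpserver rules file it loads (commonly tcp.smtp, compiled to tcp.smtp.cdb) are the first things to check for a rule that sets it for every client, or for the server's own addresses that a local script could connect to.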
 
Old 10-21-2007, 09:13 AM   #11
soaked
More diagnosis

Regarding the email to "security%abuse.net" that I built in a telnet session, described above, the qmail-send program has now sent a fail message to the server admin email address.

Quote:
Hi. This is the qmail-send program at host.mydomain.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<securitytest%abuse.net@host.mydomain.com>:
Sorry. Although I'm listed as a best-preference MX or A for that host, it isn't in my control/locals file, so I don't treat it as local. (#5.4.6)
So the email address with the % sign in, is having the domain added to the end, and then the message is being rejected.

This doesn't explain then how MAIL TO:<somebody@not_in_my_rcpthosts_file.com> is getting past my rcpthosts file. I'm beginning to think that there must be some rogue script on the server that is bypassing the rcpthosts file, or that a genuine email address has been hijacked on the client side and is being used to piggy back sending these phishing emails.

Any advice on how to look for rogue scripts please?

Last edited by soaked; 10-21-2007 at 09:17 AM.
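Posts #6 and #11 ask, in effect, the same thing: how to tell what is starting these messages. `ps` only shows qmail-remote, which is the outbound side and says nothing about how the message got into the queue. The entry point is recorded by qmail-send in its `info msg` line, whose `uid` field is the uid of the process that ran qmail-queue: qmaild's uid means the message came in over SMTP through qmail-smtpd (a relay hole or a stolen mailbox password), the web server's uid means a local script injected it. The log lines below are constructed in the syslog form Plesk writes to /var/log/maillog, the uid values and the uid-to-account mapping are invented, and this is an added example rather than anything posted in the thread.

```python
import re
from collections import Counter

# Constructed qmail-send log lines in syslog form.  Every number and address
# here is made up for the example.
SAMPLE_LOG = """\
Oct 21 05:30:12 host qmail: 1192944612.101 info msg 26355: bytes 1523 from <service@ppl.com> qp 12112 uid 2020
Oct 21 05:30:12 host qmail: 1192944612.205 info msg 26356: bytes 1498 from <service@ppl.com> qp 12114 uid 2020
Oct 21 05:30:13 host qmail: 1192944613.004 info msg 26357: bytes 1523 from <service@ppl.com> qp 12115 uid 48
Oct 21 05:30:14 host qmail: 1192944614.330 info msg 26358: bytes 4210 from <> qp 12120 uid 2020
Oct 21 05:30:15 host qmail: 1192944615.011 info msg 26359: bytes 812 from <alice@mydomain.com> qp 12131 uid 2020
Oct 21 05:30:15 host qmail: 1192944615.220 starting delivery 7: msg 26355 to remote victim@example.org
"""

# Assumed uid -> account mapping; on a real box take it from /etc/passwd.
UID_NAMES = {2020: "qmaild", 48: "apache"}
UID_MEANING = {
    "qmaild": "arrived over SMTP via qmail-smtpd (relay hole or a compromised mailbox)",
    "apache": "injected locally by the web server (look for a rogue PHP/CGI script)",
}

INFO_RE = re.compile(
    r"info msg (?P<msg>\d+): bytes (?P<bytes>\d+) from <(?P<sender>[^>]*)> "
    r"qp (?P<qp>\d+) uid (?P<uid>\d+)"
)


def parse_info_lines(text):
    """Extract queue id, envelope sender, qmail-queue pid and injecting uid from
    each 'info msg' line; other qmail-send lines (deliveries, bounces) are skipped."""
    records = []
    for m in INFO_RE.finditer(text):
        rec = m.groupdict()
        for key in ("msg", "bytes", "qp", "uid"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def tally_by_origin(records):
    """Count messages per (uid, sender).  An empty sender is a bounce created by
    qmail-send itself; during a spam run that is backscatter, not a new source."""
    counts = Counter()
    for rec in records:
        counts[(rec["uid"], rec["sender"] or "<> (bounce)")] += 1
    return counts


def report(records, uid_names=UID_NAMES):
    """Rows of (uid, account, sender, count, reading), busiest first."""
    rows = []
    for (uid, sender), n in tally_by_origin(records).most_common():
        name = uid_names.get(uid, f"uid {uid}")
        rows.append((uid, name, sender, n, UID_MEANING.get(name, "unknown origin")))
    return rows


if __name__ == "__main__":
    for uid, name, sender, n, reading in report(parse_info_lines(SAMPLE_LOG)):
        print(f"{n:4d}  uid={uid:<6} {name:<8} from <{sender}>  -> {reading}")
```

Reading the real log the same way settles the "rogue script versus SMTP" question before any file hunting starts: if every `service@ppl.com` message carries qmaild's uid, the script theory is wrong and the fix lies in qmail-smtpd's relay decision or in a mailbox whose password is being used for SMTP AUTH; if they carry the web server's uid, the next step is correlating the timestamps with the Apache access log to find the script.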
 
Old 10-21-2007, 10:13 AM   #12
ghostdancer
It is very unlikely for qmail to be set up as an open relay, since its default configuration is not supposed to be so. Can you check your mail log, not just one or two lines; it is best to show more, say the last 10 or 20 lines. It will be easier for us to understand the situation.

If you are using qmail-smtpd, you should check your qmail-smtpd startup script. If you are using qpsmtpd, then you need to be careful with your plug-in configuration. If you are using another SMTP program, you will need to provide that information as well.

From the simulation of the SMTP handshake via telnet, it is possible that the party spamming is one of your valid users, which is why those emails are able to get through.
 
Old 10-21-2007, 04:45 PM   #13
soaked
I now have the situation under control.

I have used qmail-remove to remove any spamming/phishing email, or 'bouncing' messages from my mailer daemon. Doing this, I reduced the size of the mail queue from 3500 to 14!
I've added 'bad' email sending addresses [ ppl.com boa.com ] to the badmailfrom file.
I've changed the DNS A record for every mail.<domainX>.com on the server to be a single IP.
For all other IPs that the server uses I've firewalled port 25 [SMTP]

The combination of all of these things has the situation under control. However, I still haven't found the root cause.
 
  

