Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-20-2007, 07:43 AM  #1  soaked (LQ Newbie; Registered: Jul 2005; Distribution: RHEL v3; Posts: 17)
My server is being used for spamming - Help!
Server running RHEL 3, PLESK 7.5, qmail
The server is hosting several domains and IP addresses all through a single ethernet interface.
Server is closed to relaying. People reporting my server as an abuser are giving me email headers like this:
Code:
Received: from <myserver> (<myserver> [<mymainip>]) by rly-mc05.mail.aol.com (v119.12) with ESMTP id MAILRELAYINMC52-124471819fd11d; Thu, 18 Oct 2007 22:44:14 -0400
Received: (qmail 4486 invoked from network); 18 Oct 2007 18:59:29 +0000
Received: from unknown (HELO User) (<abusingIP>) by <anotherofmyips> with SMTP; 18 Oct 2007 18:59:29 +0000
My interpretation of this is that people are connecting anonymously through one of my IPs, their email is being transferred internally on my server, then sent from my main IP.
What can I do to stop this please?
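The posted headers read bottom-up: MTAs prepend Received: lines, so the last one is the earliest hop. The script below is an added example, not part of the original post, that parses a chain of that shape and reports the first hop where an address you own accepted the message from an address you do not. The hostnames and IPs in the sample are constructed placeholders standing in for <myserver>, <mymainip>, <abusingIP> and <anotherofmyips>, and MY_IPS is an assumed list of the server's own addresses.

```python
"""Walk a Received: header chain and locate where a message entered our
infrastructure. Added example; the header sample is constructed from the
shape of the headers quoted in the post, with placeholder hosts and IPs."""
from __future__ import annotations
import re

# Constructed sample mirroring the three quoted Received: lines (newest first).
SAMPLE_HEADERS = """\
Received: from mail.example.org (mail.example.org [192.0.2.10]) by rly-mc05.mail.aol.com (v119.12) with ESMTP id MAILRELAYINMC52-124471819fd11d; Thu, 18 Oct 2007 22:44:14 -0400
Received: (qmail 4486 invoked from network); 18 Oct 2007 18:59:29 +0000
Received: from unknown (HELO User) (198.51.100.77) by 192.0.2.11 with SMTP; 18 Oct 2007 18:59:29 +0000
"""

# Assumed: the addresses (and, if you like, hostnames) this server answers on.
MY_IPS = {"192.0.2.10", "192.0.2.11"}

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
BY_RE = re.compile(r"\bby\s+(\S+)")
HELO_RE = re.compile(r"\bHELO\s+([^\s)]+)")


def parse_received(headers: str) -> list[dict]:
    """Return one dict per Received: line, ordered oldest hop first."""
    hops = []
    for line in headers.splitlines():
        if not line.startswith("Received:"):
            continue
        body = line[len("Received:"):].strip()
        by_m = BY_RE.search(body)
        # Everything before " by " describes the connecting client. qmail's own
        # "(qmail N invoked from network)" line names no client and no server.
        from_part = body[:by_m.start()] if by_m else ""
        helo_m = HELO_RE.search(from_part)
        hops.append({
            "by": by_m.group(1) if by_m else None,   # host that accepted the message
            "from_ips": IP_RE.findall(from_part),    # client address(es) on this hop
            "helo": helo_m.group(1) if helo_m else None,
            "raw": body,
        })
    hops.reverse()  # headers are prepended, so the last header is the earliest hop
    return hops


def find_entry_point(hops: list[dict], my_ips: set[str]) -> tuple[str, str] | None:
    """Earliest hop where one of our addresses accepted the message from an
    address that is not ours. Returns (client_ip, our_accepting_ip), or None
    when no hop shows the message entering through us."""
    for hop in hops:
        if hop["by"] not in my_ips:
            continue
        outside = [ip for ip in hop["from_ips"] if ip not in my_ips]
        if outside:
            return outside[0], hop["by"]
    return None


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    for i, hop in enumerate(chain):
        print(f"hop {i}: by={hop['by']} from={hop['from_ips']} helo={hop['helo']}")
    print("entry point (client, our listener):", find_entry_point(chain, MY_IPS))
```

On the sample this reports that the message came in from 198.51.100.77 on the listener 192.0.2.11 with HELO "User", which is the question to answer first: which of your IPs accepted the message, and from whom.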
10-20-2007, 01:13 PM  #2  acid_kewpie (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 43,417)
well clearly your server is *NOT* closed to relaying, otherwise this wouldn't be happening, would it? try scanning yourself at http://www.abuse.net/relay.html and see what they say you are vulnerable to. they'll also tell you how to fix it for your MTA. obviously we can't tell you exactly what to change on your MTA as you've not provided your config for us to check.
10-20-2007, 01:42 PM  #3  soaked (LQ Newbie, Original Poster; Registered: Jul 2005; Distribution: RHEL v3; Posts: 17)
Quote:
Originally Posted by acid_kewpie
obviously we can't tell you exactly what to change on your MTA as you've not provided your config for us to check.
Thanks for your feedback. On my server PLESK controls qmail, and from PLESK I have specified that it should be closed to relaying. I've also checked the rcpthosts file [which I believe is managed through the PLESK interface], and it contains only the domains that are hosted on the server.
Please tell me what else you need to know about my config.
Last edited by soaked; 10-20-2007 at 01:45 PM.
10-20-2007, 01:44 PM  #4  acid_kewpie (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 43,417)
well i have no experience of plesk whatsoever, so i could only look over the actual real qmail config files.
10-20-2007, 02:10 PM  #5  soaked (LQ Newbie, Original Poster; Registered: Jul 2005; Distribution: RHEL v3; Posts: 17)
From what I have read, the config files seem to be the same as for standard qmail, but on a different path.
Given that I know there is a rcpthosts file, is there a setting somewhere that would override that? Where would that setting *normally* be stored please?
10-20-2007, 04:46 PM  #6  soaked (LQ Newbie, Original Poster; Registered: Jul 2005; Distribution: RHEL v3; Posts: 17)
Getting closer to the cause now
First off, let me say I'm a newbie when it comes to Linux. So I'm learning from my mistakes.
I disabled mail on every domain, and kept checking maillog file but qmail was still sending out loads of spam.
Then I stopped Apache, hoping that maybe there was a PHP script injection going on, and checked maillog again. Still there was spam going out.
Then I stopped qmail itself. The maillog entries stopped.
Then I ran ps aux and saw lots of qmail entries.
Knowing that my server is being used to send phishing emails from email address service@ppl.com, I then ran ps aux | grep ppl.com
There were lots of entries, which have gradually died over time. They are of the form:
Code:
qmailr PID 0.0 0.1 3428 972 ? S <HH:MM> 0:00 qmail-remote <targetdomain> service@ppl.com <address>@<targetdomain>
Due to my lack of knowledge, that's about as far as my diagnosis can get. How can I find out how these qmail-remote processes belonging to user qmailr are being started?
Last edited by soaked; 10-20-2007 at 04:49 PM.
10-21-2007, 02:27 AM  #7  soaked (LQ Newbie, Original Poster; Registered: Jul 2005; Distribution: RHEL v3; Posts: 17)
Relay test results from abuse.net
Quote:
Connecting to mail.mydomain.com for anonymous test ...
<<< 220 host.mydomain.com ESMTP
>>> HELO www.abuse.net
<<< 250 host.mydomain.com
Relay test 1
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 2
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 3
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 4
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mydomain.com>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 5
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@[xxx.xxx.xxx.xxx]>
<<< 250 ok
>>> RCPT TO:<securitytest@abuse.net>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 6
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mydomain.com>
<<< 250 ok
>>> RCPT TO:<securitytest%abuse.net@mydomain.com>
<<< 550 sorry, no mailbox here by that name. (#5.7.17)
Relay test 7
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mydomain.com>
<<< 250 ok
>>> RCPT TO:<securitytest%abuse.net@[xxx.xxx.xxx.xxx]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 8
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mydomain.com>
<<< 250 ok
>>> RCPT TO:<"securitytest@abuse.net">
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Relay test 9
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<spamtest@mydomain.com>
<<< 250 ok
>>> RCPT TO:<"securitytest%abuse.net">
<<< 250 ok
Relay test result
Hmmn, at first glance, host appeared to accept a message for relay.
THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.
Some systems appear to accept relay mail, but then reject messages internally rather than delivering them, but you cannot tell at this point whether the message will be relayed or not.
You cannot tell if it is really an open relay without sending a test message; this anonymous user test DID NOT send a test message.
So "securitytest%abuse.net" seems to have got past the rcpthosts file? What should my next steps be please?
Last edited by soaked; 10-21-2007 at 02:30 AM.
10-21-2007, 02:39 AM  #8  acid_kewpie (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 43,417)
have you got the percenthack options disabled? I assume it would be appending your local domain to what is initially perceived to be a local user name, which could then be spun round and rewritten.
10-21-2007, 05:28 AM  #9  soaked (LQ Newbie, Original Poster; Registered: Jul 2005; Distribution: RHEL v3; Posts: 17)
Boy this is a steep learning curve!
There is no file called percenthack on my system.
Now I have learned how to telnet onto port 25 and type in SMTP commands.
The sender "Security%abuse.net" is accepted, then the DATA command then some text and a '.' [period]. I get the SMTP response
250 ok 119xxxxx qp 12112
I quickly dived into the tail of the maillog file and saw that a message from spamtest@mydomain.com qp 12112 had been tried but delivery was deferred because the remote_host_could_not_complete_sender_verify_callout
Using the message id in the log message I then checked the recipient address which was "Security%abuse.net@host.mydomain.com"
So clearly my server is handling mail for badly formed email addresses that it shouldn't.
HOWEVER, my problem is the other way around. The above deferred email has a sender in mydomain.com, but somehow an:
SMTP MAIL FROM:somebody@NOTmydomain.com command is getting injected into my mail queues, getting around my rcpthosts file, and is being sent from my server.
If I run:
ps aux | grep qmail-remote
I'm seeing lots of lines of mail being sent from email address "Service@ppl.com" such as:
Code:
qmailr PID 0.0 0.1 3428 972 ? S <HH:MM> 0:00 qmail-remote <targetdomain> service@ppl.com <address>@<targetdomain>
Right now, qmail is handling just emails from service@ppl.com, no other addresses, but I also see entries where the sender field is blank; it doesn't contain any email address at all.
Last edited by soaked; 10-21-2007 at 05:31 AM.
10-21-2007, 06:46 AM  #10  acid_kewpie (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 43,417)
ok, so it looks like this could be percenthack related, and oddly i only found out that it existed the other day... so someone sent you an email to "Security%abuse.net"; this contained no FQDN, so qmail expanded it to "Security%abuse.net@your.domain.com". qmail then applies the percenthack "feature" to convert that to "Security@abuse.net" and off it goes.
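As an added illustration (not qmail's source and not code from the thread), the model below reproduces the RCPT TO responses seen in the relay test in post #7 and the bounce quoted in post #11: a recipient with no "@" is completed with the host's own name (qmail's control/me, assumed here), rcpthosts is checked only against the domain as written, and the percent hack, when enabled for that domain, rewrites user%other@domain to user@other. The control-file contents and the DNS stand-in are constructed from what the thread reports (host.mydomain.com is accepted at RCPT but is not in control/locals); the function names are mine. The 550 "no mailbox" answer to test 6 comes from a recipient-existence check this model does not include.

```python
"""Model of qmail's recipient handling with and without the percent hack.
Added example, reconstructed from the SMTP responses quoted in this thread;
control-file contents below are constructed stand-ins."""
from __future__ import annotations

ME = "host.mydomain.com"                           # control/me (assumed)
RCPTHOSTS = {"mydomain.com", "host.mydomain.com"}  # control/rcpthosts (assumed)
LOCALS = {"mydomain.com"}                          # control/locals: ME is missing, as the bounce shows
MX_POINTS_AT_ME = {"host.mydomain.com"}            # stand-in for the MX/A lookup qmail-remote does

# The recipients the abuse.net test tried, as quoted in post #7.
RELAY_TEST_RCPTS = {
    "tests 1-5": "securitytest@abuse.net",
    "test 6": "securitytest%abuse.net@mydomain.com",
    "test 7": "securitytest%abuse.net@[xxx.xxx.xxx.xxx]",
    "test 8": '"securitytest@abuse.net"',
    "test 9": '"securitytest%abuse.net"',
}


def qualify(addr: str, me: str = ME) -> str:
    """A recipient without '@' is taken as a local user and gets '@<me>' appended.
    Surrounding quotes (tests 8 and 9) do not change the address."""
    addr = addr.strip('"')
    return addr if "@" in addr else f"{addr}@{me}"


def percent_rewrite(addr: str, percenthack: set[str]) -> str:
    """The percent hack: for a domain listed in control/percenthack,
    'user%other@domain' becomes 'user@other', repeated while it applies."""
    while True:
        local, _, domain = addr.rpartition("@")
        if domain not in percenthack or "%" not in local:
            return addr
        user, _, other = local.rpartition("%")
        addr = f"{user}@{other}"


def rcpt_response(addr: str, rcpthosts: set[str] = RCPTHOSTS) -> int:
    """RCPT TO decision: only the domain as written (after qualification) is
    compared with rcpthosts; nothing has been rewritten yet."""
    domain = qualify(addr).rpartition("@")[2]
    return 250 if domain in rcpthosts else 553


def final_outcome(addr: str, percenthack: set[str] = frozenset()) -> str:
    """Follow an accepted recipient through the queue to its fate."""
    if rcpt_response(addr) != 250:
        return "553 rejected at RCPT"
    final = percent_rewrite(qualify(addr), percenthack)
    domain = final.rpartition("@")[2]
    if domain in LOCALS:
        return f"local delivery: {final}"
    if domain in MX_POINTS_AT_ME:
        # qmail-remote finds itself as best MX but the domain is not local: #5.4.6
        return f"bounced #5.4.6: {final} (MX is me but domain not in locals)"
    return f"RELAYED to {final}"


if __name__ == "__main__":
    for enabled in (frozenset(), {ME}):
        print(f"\npercenthack={'on' if enabled else 'off'}")
        for label, rcpt in RELAY_TEST_RCPTS.items():
            print(f"  {label:9} {rcpt:45} RCPT={rcpt_response(rcpt)}  ->  {final_outcome(rcpt, enabled)}")
```

With the percent hack off (qmail's default: an empty or absent control/percenthack), test 9 is accepted at RCPT but ends as the #5.4.6 bounce the poster received; with host.mydomain.com listed in percenthack, the same recipient is rewritten to securitytest@abuse.net and relayed, which is the path acid_kewpie describes.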
10-21-2007, 09:13 AM  #11  soaked (LQ Newbie, Original Poster; Registered: Jul 2005; Distribution: RHEL v3; Posts: 17)
More diagnosis
Regarding the email to "security%abuse.net" that I built in a telnet session, described above, the qmail-send program has now sent a fail message to the server admin email address.
Quote:
Hi. This is the qmail-send program at host.mydomain.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<securitytest%abuse.net@host.mydomain.com>:
Sorry. Although I'm listed as a best-preference MX or A for that host, it isn't in my control/locals file, so I don't treat it as local. (#5.4.6)
So the email address with the % sign in is having the domain added to the end, and then the message is being rejected.
This doesn't explain then how MAIL TO:<somebody@not_in_my_rcpthosts_file.com> is getting past my rcpthosts file. I'm beginning to think that there must be some rogue script on the server that is bypassing the rcpthosts file, or that a genuine email address has been hijacked on the client side and is being used to piggyback sending these phishing emails.
Any advice on how to look for rogue scripts please?
Last edited by soaked; 10-21-2007 at 09:17 AM.
10-21-2007, 10:13 AM  #12  Member (Registered: Apr 2002; Distribution: Slackware; Posts: 266)
It is very unlikely for qmail to be set up as an open relay, since its default configuration is not supposed to be so. Can you check your mail log? Not just one or two lines; it is best to show more, say the last 10 or 20 lines. It will be easier for us to understand the situation.
If you are using qmail-smtpd, you should check your qmail-smtpd startup script. If you are using qpsmtpd, then you need to be careful with your plug-in configuration. If you are using another SMTP program, you will need to provide that information as well.
From the simulation of SMTP handshaking via telnet, it is possible that the party spamming email is one of your valid users, which is why those emails are able to get through.
10-21-2007, 04:45 PM  #13  soaked (LQ Newbie, Original Poster; Registered: Jul 2005; Distribution: RHEL v3; Posts: 17)
I now have the situation under control.
I have used qmail-remove to remove any spamming/phishing email, or 'bouncing' messages from my mailer daemon. Doing this, I reduced the size of the mail queue from 3500 to 14!
I've added 'bad' email sending addresses [ ppl.com boa.com ] to the badmailfrom file.
I've changed the DNS A record for every mail.<domainX>.com on the server to be a single IP.
For all other IPs that the server uses I've firewalled port 25 [SMTP].
The combination of all of these things has the situation under control. However, I still haven't found the root cause.
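Added example, not code from the thread: a parser for the ps aux | grep qmail-remote lines quoted in posts #6 and #9 that groups in-flight deliveries by envelope sender (an empty sender is a bounce), followed by a check of which of those senders control/badmailfrom would refuse at MAIL FROM time. The ps lines are constructed with placeholder PIDs, relay hosts and recipients; service@ppl.com and the domains ppl.com and boa.com are the ones named in the thread. qmail-smtpd matches a badmailfrom entry either against the whole sender address or, when the entry begins with "@", against the sender's domain, so the example exercises both forms. Two limits worth knowing: badmailfrom only affects new SMTP sessions, not messages already in the queue (which is what qmail-remove addressed), and it cannot touch bounces, whose envelope sender is empty.

```python
"""Triage of qmail-remote processes from ps output and a badmailfrom check.
Added example; the ps sample is constructed (placeholder PIDs, hosts, recipients)."""
from __future__ import annotations
import re
from collections import Counter

# Constructed sample. The third line has an empty sender, the form qmail uses
# for bounce messages; the last line is the grep process itself.
PS_SAMPLE = """\
qmailr   4512  0.0  0.1  3428  972 ?  S  09:14  0:00 qmail-remote example.net service@ppl.com alice@example.net
qmailr   4513  0.0  0.1  3428  972 ?  S  09:14  0:00 qmail-remote example.org service@ppl.com bob@example.org carol@example.org
qmailr   4514  0.0  0.1  3428  972 ?  S  09:15  0:00 qmail-remote example.net  dave@example.net
qmailr   4515  0.0  0.1  3428  972 ?  S  09:15  0:00 qmail-remote example.com alerts@boa.com erin@example.com
root     4600  0.0  0.0  1234  456 ?  S  09:15  0:00 grep qmail-remote
"""

# qmail-remote is invoked as: qmail-remote <host> <sender> <recipient>...
# An empty sender shows up in ps as two consecutive spaces, so the sender
# field is matched with \S* and single-space separators rather than split().
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+.*?qmail-remote\s+"
    r"(?P<host>\S+)\s(?P<sender>\S*)\s(?P<rcpts>.+)$"
)


def parse_qmail_remote(ps_text: str) -> list[dict]:
    """One dict per qmail-remote process; lines that are not deliveries are skipped."""
    procs = []
    for line in ps_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        procs.append({
            "pid": int(m["pid"]),
            "user": m["user"],
            "host": m["host"],              # remote MX the delivery is going to
            "sender": m["sender"],          # "" for a bounce (null envelope sender)
            "rcpts": m["rcpts"].split(),
        })
    return procs


def sender_summary(procs: list[dict]) -> Counter:
    """Deliveries in flight per envelope sender; '' is reported as <bounce>."""
    return Counter(p["sender"] or "<bounce>" for p in procs)


def badmailfrom_matches(sender: str, badmailfrom: set[str]) -> bool:
    """qmail-smtpd semantics: an entry matches the whole address exactly, or,
    if it starts with '@', the sender's domain. A bare 'ppl.com' entry
    therefore does not block service@ppl.com; '@ppl.com' does."""
    if sender in badmailfrom:
        return True
    at = sender.rfind("@")
    return at != -1 and sender[at:] in badmailfrom


def would_be_refused(procs: list[dict], badmailfrom: set[str]) -> list[str]:
    """Senders seen in ps that badmailfrom would reject at MAIL FROM for new
    sessions. Queued mail and bounces (no sender) are unaffected."""
    return sorted({p["sender"] for p in procs
                   if p["sender"] and badmailfrom_matches(p["sender"], badmailfrom)})


if __name__ == "__main__":
    procs = parse_qmail_remote(PS_SAMPLE)
    for sender, n in sender_summary(procs).most_common():
        print(f"{n:4}  {sender}")
    print("refused by {'ppl.com','boa.com'}:  ", would_be_refused(procs, {"ppl.com", "boa.com"}))
    print("refused by {'@ppl.com','@boa.com'}:", would_be_refused(procs, {"@ppl.com", "@boa.com"}))
```

Run against real ps output, the summary tells you quickly whether one sender dominates the queue (as service@ppl.com did here) and how much of it is backscatter; the second part shows why the domain form of a badmailfrom entry is the one that actually stops further injections from that sender.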