Linux - Security
This forum is for all security related questions.
Hi, I received today a spam message apparently sent from a nonexistent account on my virtual server.
The email was sent to some real and some random addresses, all of them belonging to my domain. I've checked a bit (logs, access ...) and there are no clear signs of intrusion (but I am no security expert).
I've edited the personal data. server.vhost.interdominios.com is my vserver and server.es the domain name. The apparent sender is pablo@server.es (nonexistent). The email was sent to my mail group, group@server.es, which points to info@server.es and is redirected to my Gmail account at XXXX@gmail.com. That is how I arranged it, so it is perfectly normal.
Partial message header:
Code:
Delivered-To: XXXX@gmail.com
Received: by 10.205.68.3 with SMTP id xw3csp55484bkb;
Sun, 14 Apr 2013 15:05:27 -0700 (PDT)
X-Received: by 10.194.103.72 with SMTP id fu8mr28247392wjb.42.1365977127748;
Sun, 14 Apr 2013 15:05:27 -0700 (PDT)
Return-Path: <gentleab91@google.com>
Received: from server.vhost.interdominios.com ([89.248.100.21])
by mx.google.com with ESMTPS id a4si2230151wic.64.2013.04.14.15.05.27
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Sun, 14 Apr 2013 15:05:27 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning gentleab91@google.com does not designate 89.248.100.21 as permitted sender) client-ip=89.248.100.21;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning gentleab91@google.com does not designate 89.248.100.21 as permitted sender) smtp.mail=gentleab91@google.com
Received: from server.vhost.interdominios.com (localhost.localdomain [127.0.0.1])
by server.vhost.interdominios.com (Postfix) with ESMTP id 0125023400B9
for <XXXX@gmail.com>; Sun, 14 Apr 2013 23:52:43 +0200 (CEST)
Received: by server.vhost.interdominios.com (Postfix, from userid 110)
id E94782340148; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
X-Original-To: info@server.es
Delivered-To: info@server.es
Received: from server.vhost.interdominios.com (localhost.localdomain [127.0.0.1])
by server.vhost.interdominios.com (Postfix) with ESMTP id D392A6080A6
for <info@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: by server.vhost.interdominios.com (Postfix, from userid 110)
id BE8C56080A5; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
X-Original-To: group@server.es
Delivered-To: group@server.es
Received: from server.vhost.interdominios.com (localhost.localdomain [127.0.0.1])
by server.vhost.interdominios.com (Postfix) with ESMTP id 3C5CB23400B9
for <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from pc-82-137-44-190.cm.vtr.net (pc-82-137-44-190.cm.vtr.net [190.44.137.82])
by server.vhost.interdominios.com (Postfix) with ESMTP
for <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from [221.197.51.196] (account expostulationx8@google.com HELO kwyqzwvysh.pnvqsitm.tv)
by pc-82-137-44-190.cm.vtr.net (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 853941885 for pablo@server.es; Sun, 14 Apr 2013 19:05:24 -0300
Date: Sun, 14 Apr 2013 19:05:24 -0300
From: <pablo@server.es>
Cc: <proair@server.es>,
<admin@server.es>,
<abernardos@server.es>,
<arancha@server.es>,
<jose@server.es>,
<jairo@server.es>,
X-Mailer: The Bat! (v2.00.0) Educational
X-Priority: 3 (Normal)
Message-ID: <7137911244.NEG05YX0597699@rdtpooyzf.fmpmjje.net>
To: <pablo@server.es>
...
As I understand, the message was faked to look like it had been sent from my server, but the original address is (somehow, probably faked too) expostulationx8@google.com and the "answer address" is gentleab91@google.com.
Is this so?
I know it is not very difficult to tailor an email, but is it SOOO easy that you can fake any domain name you want? Or has my server been seriously hacked into?
Received: from pc-82-137-44-190.cm.vtr.net (pc-82-137-44-190.cm.vtr.net [190.44.137.82])
by server.vhost.interdominios.com (Postfix) with ESMTP
for <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from [221.197.51.196] (account expostulationx8@google.com HELO kwyqzwvysh.pnvqsitm.tv)
by pc-82-137-44-190.cm.vtr.net (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 853941885 for pablo@server.es; Sun, 14 Apr 2013 19:05:24 -0300
Traffic that claims to come from you but actually arrives from elsewhere is a good candidate for deleting.
Also if they are guessing multiple names that don't exist at your server that suggests spam.
If you're really concerned about this, ask the moderators to move your thread to the security sub-forum, or just go there and read the various threads about "how to secure ..."
I know it is not very difficult to tailor an email, but is it SOOO easy that you can fake any domain name you want?
As you have experienced, yes.
Quote:
Originally Posted by Mikro
Or has my server been seriously hacked into?
If you think your vserver has been compromised you can investigate. Even if it isn't, it should be a good exercise should you ever need it for real.
Quote:
Originally Posted by Mikro
How can I stop this?
If you run one, decide if you need to run a (publicly accessible?) MTA, review the standard Postfix documentation, RBL configuration and add greylisting.
Look at the email headers. In particular notice this one:
Quote:
Received: from pc-82-137-44-190.cm.vtr.net (pc-82-137-44-190.cm.vtr.net [190.44.137.82])
by server.vhost.interdominios.com (Postfix) with ESMTP
for <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Your machine, server.vhost.interdominios.com, received the message from 190.44.137.82. This IP address is a known spam source. It is currently listed by Sorbs, CASA-CBL, and others. You can have Postfix automatically check these lists and reject the message if they have banned it, which this message should have been.
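The analysis the replies describe, as a worked example: read the Received: chain from the newest hop downward until the first hop that your own Postfix stamped from a public address (that is the client that really delivered the message), treat every hop below it as text the client wrote itself, and check that client IP against a DNS blocklist. This is added code, not from the post or from Postfix. The sample header is an abridged copy of the thread's Received: chain with continuation lines re-indented as RFC 5322 folding requires; the zone name dnsbl.example.invalid and the stub resolver are constructed stand-ins so the script runs offline (pass socket.gethostbyname as the resolver for a live lookup against a real list).

```python
"""Walk a message's Received: chain from the newest hop down, find the hop that
actually handed it to our own MTA, and build the DNSBL query for that client IP.
Added example for this thread (not code from the post or from Postfix). Sample
header: abridged copy of the post's Received chain, continuation lines re-indented
per RFC 5322; the DNSBL zone and stub resolver are constructed so it runs offline."""
import ipaddress
import re
SAMPLE_HEADER = """\
Received: by 10.205.68.3 with SMTP id xw3csp55484bkb; Sun, 14 Apr 2013 15:05:27 -0700 (PDT)
Received: from server.vhost.interdominios.com ([89.248.100.21])
        by mx.google.com with ESMTPS; Sun, 14 Apr 2013 15:05:27 -0700 (PDT)
Received: by server.vhost.interdominios.com (Postfix, from userid 110)
        id E94782340148; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from server.vhost.interdominios.com (localhost.localdomain [127.0.0.1])
        by server.vhost.interdominios.com (Postfix) with ESMTP id 3C5CB23400B9
        for <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from pc-82-137-44-190.cm.vtr.net (pc-82-137-44-190.cm.vtr.net [190.44.137.82])
        by server.vhost.interdominios.com (Postfix) with ESMTP
        for <group@server.es>; Sun, 14 Apr 2013 23:52:42 +0200 (CEST)
Received: from [221.197.51.196] (account expostulationx8@google.com HELO kwyqzwvysh.pnvqsitm.tv)
        by pc-82-137-44-190.cm.vtr.net (CommuniGate Pro SMTP 5.2.3)
        with ESMTPA id 853941885 for pablo@server.es; Sun, 14 Apr 2013 19:05:24 -0300
"""
OUR_HOSTS = {"server.vhost.interdominios.com"}  # names our MTA stamps into "by ..."
DNSBL_ZONE = "dnsbl.example.invalid"  # placeholder; use your list's zone (Sorbs, CASA-CBL, ...)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def unfold(raw):
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """One dict per Received: header, newest first."""
    hops = []
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "received":
            continue
        value = value.strip()
        from_m, by_m, ip_m = FROM_RE.match(value), BY_RE.search(value), IP_RE.search(value)
        hops.append({"from": from_m.group(1) if from_m else None,
                     "from_ip": ip_m.group(1) if ip_m else None,  # address the receiver saw
                     "by": by_m.group(1) if by_m else None, "raw": value})
    return hops

def first_external_hop(hops, our_hosts):
    """Newest first, the first hop stamped *by* one of our hosts from a public address is
    the client that really delivered the message; every hop below it may be forged."""
    for idx, hop in enumerate(hops):
        if hop["by"] not in our_hosts or not hop["from_ip"]:
            continue
        addr = ipaddress.ip_address(hop["from_ip"])
        if addr.is_loopback or addr.is_private:
            continue  # our own local re-injection (alias expansion, userid 110)
        return idx, hop
    return None, None

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reversed octets under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_listed(ip, zone, resolve):
    """True when the list answers (conventionally 127.0.0.x). `resolve` maps a name to
    an address and raises OSError on NXDOMAIN, like socket.gethostbyname does live."""
    try:
        return resolve(dnsbl_query_name(ip, zone)).startswith("127.")
    except OSError:
        return False

_DEMO_LISTED = {dnsbl_query_name("190.44.137.82", DNSBL_ZONE)}  # constructed: only the post's source
def stub_resolve(name):
    """Offline stand-in for socket.gethostbyname."""
    if name in _DEMO_LISTED:
        return "127.0.0.2"
    raise OSError("NXDOMAIN")

def analyse(raw, our_hosts=OUR_HOSTS, zone=DNSBL_ZONE, resolve=stub_resolve):
    """Origin IP as our MTA saw it, its list status, and the hops below that boundary."""
    hops = parse_received(raw)
    idx, hop = first_external_hop(hops, our_hosts)
    if hop is None:
        return {"origin_ip": None, "listed": False, "untrusted_hops": []}
    return {"origin_ip": hop["from_ip"], "listed": dnsbl_listed(hop["from_ip"], zone, resolve),
            "untrusted_hops": [h["raw"] for h in hops[idx + 1:]]}

if __name__ == "__main__":
    result = analyse(SAMPLE_HEADER)
    print("handed to our MTA by", result["origin_ip"], "- listed:", result["listed"])
    print("untrusted hops:", *result["untrusted_hops"], sep="\n  ")
```

On the thread's header this reports 190.44.137.82 as the client that connected to the Postfix on server.vhost.interdominios.com and flags it as listed; the only hop below that boundary (the one naming 221.197.51.196, the "account expostulationx8@google.com" comment and the HELO string) was written by that client, so nothing in it, nor in the From:, Cc: or Return-Path, says anything reliable about where the message originated. The same DNSBL check done at delivery time is what a `reject_rbl_client` entry in Postfix's smtpd_client_restrictions provides, which is the RBL configuration the earlier reply points to.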