Spam maybe with SASL Login?

Discussion in 'General' started by BoMan, Jun 10, 2014.

  1. BoMan

    BoMan New Member

    Hello there.

    Today we got a problem with our mailserver. Installed Debian 6, up to date, ispconfig with perfect server tutorial from howtoforge.

    It does not seem there is any php script sending mails, no php-x header in the mails.

    Here are some anonymised logs and the corresponding emails:
    Code:
    A101954025D4 1060 Tue Jun 10 13:57:16 pedin@**n-**elberg.de
    (host mx.vgs.untd.com[64.136.52.37] refused to talk to me: 550 Access denied...48711c65216509715df98d2c1d3c1da52c812ce135a998755858cd99cd0505cdad75317cad5c...)
    [email protected]
    
    Code:
    mail:~# postcat -q A101954025D4
    *** ENVELOPE RECORDS deferred/A/A101954025D4 ***
    message_size:            1060            1026               5               0            1060
    message_arrival_time: Tue Jun 10 13:57:16 2014
    create_time: Tue Jun 10 13:57:16 2014
    named_attribute: rewrite_context=local
    sender: pedin@**n-**elberg.de
    named_attribute: encoding=7bit
    named_attribute: log_client_name=localhost.localdomain
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=40951
    named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost.localdomain
    named_attribute: reverse_client_name=localhost.localdomain
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=40951
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    done_recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS deferred/A/A101954025D4 ***
    Received: from localhost (localhost.localdomain [127.0.0.1])
            by mail.**u-**aum.de (Postfix) with ESMTP id A101954025D4;
            Tue, 10 Jun 2014 13:57:16 +0200 (CEST)
    X-Virus-Scanned: Debian amavisd-new at mail.**u-**aum.de
    Received: from mail.**u-**aum.de ([127.0.0.1])
            by localhost (mail.**u-**aum.de [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id uPlqdCg+QoeV; Tue, 10 Jun 2014 13:57:07 +0200 (CEST)
    Received: from oibxjrbmtmpn (unknown [178.123.155.131])
            (Authenticated sender: **libor.**sic@**n-**elberg.de)
            by mail.**u-**aum.de (Postfix) with ESMTPA id 2AF17541D651;
            Tue, 10 Jun 2014 13:29:28 +0200 (CEST)
    Subject:
    From: "Pedin" <pedin@**n-**elberg.de>
    Content-Type: text/plain;
            charset=us-ascii
    X-Mailer: iPhone Mail (11B651)
    Message-Id: <TBTJCOVK-SEQ8-LSN3-8DOC-IAOLGHULY50V@**n-**elberg.de>
    Date: Tue, 10 Jun 2014 12:11:06 -0700
    To: "[email protected]" <[email protected]>
    Content-Transfer-Encoding: quoted-printable
    Mime-Version: 1.0 (1.0)
    
    towards
    http://kovru.ru/movie.htm
    outer
    
    
    Sent from my iPhone=
    
    
    *** HEADER EXTRACTED deferred/A/A101954025D4 ***
    named_attribute: encoding=7bit
    *** MESSAGE FILE END deferred/A/A101954025D4 ***
    
    Another one:
    Code:
    73FDA54025E1* 690 Tue Jun 10 15:21:59 runog@**n-**elberg.de
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    
    Code:
    mail:~# postcat -q 73FDA54025E1
    *** ENVELOPE RECORDS active/73FDA54025E1 ***
    message_size:             690            1078               5               0             690
    message_arrival_time: Tue Jun 10 15:21:59 2014
    create_time: Tue Jun 10 15:21:59 2014
    content_filter: amavis:[127.0.0.1]:10024
    named_attribute: rewrite_context=remote
    named_attribute: sasl_method=LOGIN
    named_attribute: sasl_username=**libor.**sic@**n-**elberg.de
    sender: runog@**n-**elberg.de
    named_attribute: log_client_name=unknown
    named_attribute: log_client_address=109.161.19.62
    named_attribute: log_client_port=57091
    named_attribute: log_message_origin=unknown[109.161.19.62]
    named_attribute: log_helo_name=okuqzwiqc
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=unknown
    named_attribute: reverse_client_name=pppoe-dyn-109-161-19-62.kosnet.ru
    named_attribute: client_address=109.161.19.62
    named_attribute: client_port=57091
    named_attribute: helo_name=okuqzwiqc
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS active/73FDA54025E1 ***
    Received: from okuqzwiqc (unknown [109.161.19.62])
            (Authenticated sender: **libor.**sic@**n-**elberg.de)
            by mail.**u-**aum.de (Postfix) with ESMTPA id 73FDA54025E1;
            Tue, 10 Jun 2014 15:21:59 +0200 (CEST)
    Subject:
    From: "Runog" <runog@**n-**elberg.de>
    Content-Type: text/plain;
            charset=us-ascii
    X-Mailer: iPhone Mail (11D167)
    Message-Id: <IUKS4PYK-J7JO-K55Z-KLNF-5ATIOQIO2XIZ@**n-**elberg.de>
    Date: Tue, 10 Jun 2014 14:03:37 -0700
    To: "**ltan-502-502-@**tmail.com" <[email protected]>
    Content-Transfer-Encoding: quoted-printable
    Mime-Version: 1.0 (1.0)
    
    wanderer
    fowls preserve http://investethiopia.se/movies.htm anthony
    hive
    
    
    Sent from my iPhone=
    
    
    *** HEADER EXTRACTED active/73FDA54025E1 ***
    *** MESSAGE FILE END active/73FDA54025E1 ***
    
    /etc/postfix/main.cf
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = mail.**u-**aum.de
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = mail.**u-**aum.de, localhost, localhost.localdomain
    relayhost = 
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains = 
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 209715200
    smtpd_client_message_rate_limit = 100
    owner_request_special = no
    inet_protocols = all
    smtp_tls_security_level = may
    
    The point is that pedin@**n-**elberg.de does not exist, but the authenticated user **libor.**sic@**n-**elberg.de does exist (I disabled SMTP, IMAP and POP3 via ISPConfig, without success).
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The spam is sent over the authenticated user that is listed in the line "Authenticated sender:". Change the password of that user in ISPConfig. If the user is currently sending masses of spam, then it might be necessary to restart postfix, saslauthd and dovecot to clear their caches.
     
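    The two posts above locate the abused login by hand: the first by reading `sasl_username=` and `Authenticated sender:` out of `postcat -q`, the reply by telling you to act on that login. The following POSIX shell script is an added example (not from the thread, nor part of ISPConfig or Postfix) that does the same two look-ups over files: it counts accepted messages and distinct client IPs per SASL login in Postfix `smtpd` log lines, and it extracts the queue IDs of every queued message submitted through a given login from concatenated `postcat -q` output. The log lines and the postcat dump are constructed samples in Postfix's own formats; the addresses, queue IDs and IPs are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from ISPConfig/Postfix themselves.
# Two helpers for confirming a compromised SASL login:
#   1) sasl_senders        - messages and distinct client IPs per sasl_username
#                            in Postfix smtpd log lines (one mailbox suddenly
#                            submitting from many unrelated IPs is the tell);
#   2) queued_ids_for_login - queue IDs from "postcat -q" output for one login,
#                            so the queued spam can be reviewed and removed.
# All sample data below is constructed; IPs are from documentation ranges.

SAMPLE_LOG="$(mktemp)"
SAMPLE_POSTCAT="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_POSTCAT"' EXIT

# Constructed smtpd log lines in Postfix's "client=..., sasl_method=..., sasl_username=..." format.
cat > "$SAMPLE_LOG" <<'EOF'
Jun 10 13:29:28 mail postfix/smtpd[4011]: 2AF17541D651: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=victim@example.net
Jun 10 13:31:07 mail postfix/smtpd[4011]: 3BC28541D652: client=unknown[198.51.100.24], sasl_method=LOGIN, sasl_username=victim@example.net
Jun 10 13:35:49 mail postfix/smtpd[4015]: 4CD39541D653: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=victim@example.net
Jun 10 13:36:12 mail postfix/smtpd[4015]: 5DE40541D654: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=victim@example.net
Jun 10 14:02:33 mail postfix/smtpd[4020]: 6EF51541D655: client=home.example.org[192.0.2.7], sasl_method=PLAIN, sasl_username=alice@example.net
Jun 10 14:05:01 mail postfix/smtpd[4021]: 7FA62541D656: client=mx.example.com[192.0.2.80]
EOF

# Constructed "postcat -q" output for three queued messages (envelope records only).
cat > "$SAMPLE_POSTCAT" <<'EOF'
*** ENVELOPE RECORDS active/3BC28541D652 ***
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=victim@example.net
sender: forged@example.net
*** MESSAGE FILE END active/3BC28541D652 ***
*** ENVELOPE RECORDS deferred/6/6EF51541D655 ***
named_attribute: sasl_method=PLAIN
named_attribute: sasl_username=alice@example.net
sender: alice@example.net
*** MESSAGE FILE END deferred/6/6EF51541D655 ***
*** ENVELOPE RECORDS active/5DE40541D654 ***
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=victim@example.net
sender: another-forged@example.net
*** MESSAGE FILE END active/5DE40541D654 ***
EOF

# sasl_senders LOGFILE MIN
# Prints "username messages distinct_client_ips" for every SASL login with at
# least MIN accepted messages, busiest first. Lines without sasl_username
# (unauthenticated clients) are ignored.
sasl_senders() {
    awk -v min="$2" '
        match($0, /sasl_username=[^, ]+/) {
            u = substr($0, RSTART + 14, RLENGTH - 14)   # strip "sasl_username="
            n[u]++
            if (match($0, /client=[^,]*\[[^]]*\]/)) {
                c = substr($0, RSTART, RLENGTH)
                sub(/.*\[/, "", c); sub(/\]$/, "", c)   # keep only the IP
                if (!((u, c) in seen)) { seen[u, c] = 1; ips[u]++ }
            }
        }
        END { for (u in n) if (n[u] >= min) printf "%s %d %d\n", u, n[u], ips[u] }
    ' "$1" | sort -k2,2nr
}

# queued_ids_for_login DUMP USERNAME
# DUMP is concatenated "postcat -q" output; prints the queue ID of each message
# that was submitted through USERNAME (taken from the ENVELOPE RECORDS header,
# which names the queue file as active/ID or deferred/X/ID).
queued_ids_for_login() {
    awk -v user="$2" '
        /^\*\*\* ENVELOPE RECORDS / { qid = $4; sub(/.*\//, "", qid) }
        $0 == ("named_attribute: sasl_username=" user) { print qid }
    ' "$1"
}

echo "Logins with 3+ accepted messages (user messages distinct_ips):"
sasl_senders "$SAMPLE_LOG" 3
echo "Queued messages submitted via victim@example.net:"
queued_ids_for_login "$SAMPLE_POSTCAT" victim@example.net
```

On a live box the first helper is fed `/var/log/mail.log` and the second the output of `postcat -q` run over the IDs from `postqueue -p`. A login that is well above its usual volume and spread over several unrelated client IPs is the one to lock and re-password, after which postfix, saslauthd and courier/dovecot get restarted as till describes; the queue IDs are worth eyeballing before they go to `postsuper -d`, since the same login may also have legitimate mail queued.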
  3. yoplait

    yoplait Member

    I had exactly the same problem last week, and the problem was an email account on my server that had surely been compromised for that.

    I think you've got it on the line:
    I blocked this account on my ispconfig, changed the password, and now it seems fine.
     
  4. BoMan

    BoMan New Member

    Thank you for your fast reply guys, it is awesome.

    Currently I stopped postfix and it will be deactivated until tomorrow.

    Already changed the password for the user, but I think the customer's PC is compromised. Will check that tomorrow.

    Didn't restart saslauthd and courier, maybe that was my fault.

    Will reply the status after I made the changes.

    UPDATE:

    After changing all passwords and restarting postfix, saslauthd and courier, no new spam appeared. A lot of Russian failed logins in the logfile ;)

    Thank you again and have a nice day.
     
    Last edited: Jun 11, 2014
  5. yoplait

    yoplait Member

    I had the same problem today on another account of my server (without any relation with the first one)...

    I can see 2 more threads about the same problem. Is it something that is happening nowadays especially ?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. There is a huge botnet active at the moment, and each of these spam messages contains an attachment with a trojan, so if a user opens it, this trojan will grab his email account details and start sending itself over the SMTP login of that user. So the problem is on the client side, and there is not that much that you can do on your server except changing the password of the account if you notice that spam and then informing the user to clean his PC.
     