SPAM sent, is it from Roundcube?

Discussion in 'ISPConfig 3 Priority Support' started by Taleman, Sep 14, 2020.

  1. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    My server is sending spam. This snippet postcat shows for a mail in mailq:
    Code:
    regular_text: Date: Mon, 14 Sep 2020 03:53:24 -0700
    regular_text: From: Lucian Dumitrescu <[email protected]>
    regular_text: To: undisclosed-recipients:;
    regular_text: Subject: Inquiry_Autoitalia 567892
    regular_text: Message-ID: <[email protected]>
    regular_text: X-Sender: [email protected]
    regular_text: User-Agent: Roundcube Webmail/1.2.3
    pointer_record:         1118311
    regular_text: X-Spam: Yes
    
    Is it Roundcube that sends the e-mail? It does not say which account is sender, if that is the case. Or is it the website that is cracked to send spam? I have not managed to force the user to update that Wordpress site, so am considering shutting it down until it is updated.
    Another thing: how come my e-mail server sends e-mail where the sender domain is not on my server? pflogsumm shows in "Senders by message count" 12 messages by [email protected] Can I make RSPAM or someting to block sending messages like those?
    ISPConfig 3.1.15p3 on Debian GNU/Linux 9.13 (stretch).
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Might be roundcube but might also be a faked user agent. If it's sent trough roundcube, then you should see matching POST requests in the global web server access.log for each mail for RoundCube. Beside that, there should be more mail headers, or is that's all?
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    There was 14000 lines in that poscat output, I posted the part I was most curious about. I can send complete output in private message if desired.
    I use Debian 9, where the latest version available is installed:
    Code:
    # LANG=C apt policy roundcube
    roundcube:
      Installed: 1.2.3+dfsg.1-4+deb9u7
      Candidate: 1.2.3+dfsg.1-4+deb9u7
      Version table:
     *** 1.2.3+dfsg.1-4+deb9u7 500
            500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
            100 /var/lib/dpkg/status
         1.2.3+dfsg.1-4+deb9u6 500
            500 http://debian.mirrors.ovh.net/debian stretch/main amd64 Packages
    
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Looking at database, the roundcube database in table identities has today added user with e-mail address [email protected]. That is the sender in the spam messages I have seen today. So some cracking has been happening.
    Is it a problem if I just remove that identity in PHPMYadmin?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Not sure if that table is connected with other tables. I would make a backup of the database and then remove it.
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I assume this website access log lines is when the cracker makes that extra identity to roundcube:
    Code:
    193.176.87.250 - - [14/Sep/2020:12:37:16 +0300] "POST /webmail/?_task=settings&_action=refresh HTTP/1.1" 200 1858 "http://www.customerdomain.fi/webmail/?_task=settings&_action=identities" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.
    4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:38:17 +0300] "POST /webmail/?_task=settings&_action=refresh HTTP/1.1" 200 1858 "http://www.customerdomain.fi/webmail/?_task=settings&_action=identities" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.
    4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:16 +0300] "POST /webmail/?_task=settings&_action=refresh HTTP/1.1" 200 1858 "http://www.customerdomain.fi/webmail/?_task=settings&_action=identities" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:46 +0300] "POST /webmail/ HTTP/1.1" 200 4863 "http://www.customerdomain.fi/webmail/?_task=settings&_action=edit-identity&_iid=87&_framed=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:56 +0300] "GET /webmail/?_task=mail&_mbox=INBOX HTTP/1.1" 200 10537 "http://www.customerdomain.fi/webmail/?_task=settings&_action=identities" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:57 +0300] "GET /webmail/?_task=mail&_action=getunread&_page=1&_remote=1&_unlock=0&_=1600076396085 HTTP/1.1" 200 793 "http://www.customerdomain.fi/webmail/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:57 +0300] "GET /webmail/?_task=mail&_action=list&_refresh=1&_mbox=INBOX&_remote=1&_unlock=loading1600076396255&_=1600076396084 HTTP/1.1" 200 3605 "http://www.customerdomain.fi/webmail/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:39:59 +0300] "GET /webmail/?_task=mail&_action=list&_refresh=1&_mbox=Trash&_page=1&_remote=1&_unlock=loading1600076398361&_=1600076396086 HTTP/1.1" 200 3301 "http://www.customerdomain.fi/webmail/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
    193.176.87.250 - - [14/Sep/2020:12:40:02 +0300] "GET /webmail/?_task=mail&_mbox=Trash&_action=compose HTTP/1.1" 302 612 "http://www.customerdomain.fi/webmail/?_task=mail&_mbox=Trash" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What I do not understand is how nothing in logs shows what e-mail account is used for sending. I think I can see what website is used, but that user has several mailboxes. And the identity the cracker created to Roundcube (I removed that identity with PHPMyadmin after taking a backup of the roundcube db, so far I have not seen any side effects).
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    You might find something in the mail.log file, when the spam sender authenticates at roundcube, then roundcube authenticates him via imap. Beside that, roundcube might provide logs as well and the identity that you find in roundcube might be linked to an account in roundcube via some kind of ID.
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Note the "Reject sender and login mismatch" setting in Server Config won't work for this until 3.2 (or recent 3.1dev), as it actually used reject_authenticated_sender_login_mismatch.

    If you set mail.add_x_header = On in your php.ini, mail sent with php's mail() function will include the script filename. I don't know if roundcube uses that at all, or only smtp (where it wouldn't help). But if eg. a bug in roundcube is being exploited to send mail, rather than an account being abused, it might prove useful.

    Ensure you have roundcube set to send via authenticated smtp, and the mail server should add a Received header showing what account authenticated to send the message. (Also mail log will show the sender as @till mentioned.)
     
  11. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I found the sending mailbox account reading /var/lib/roundcube/logs/sendmail. I should have read that log first, but did not find it until now.
     
    Last edited: Sep 15, 2020
    till likes this.
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I checked my /etc/roundcube/config.inc.php. It has
    Code:
    // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
    // deprecated SSL over SMTP (aka SMTPS))
    $config['smtp_port'] = 25;
    
    // SMTP username (if required) if you use %u as the username Roundcube
    // will use the current username for login
    $config['smtp_user'] = '';
    
    // SMTP password (if required) if you use %p as the password Roundcube
    // will use the current user's password for login
    $config['smtp_pass'] = '';
    
    I tried to find in Roundcube wiki what those settings mean, but did not find it. Does roundcube not authenticate at all when smtp_user is set to empty?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, as far as I know. But you can also use placeholders there for the currently logged in user %u and %p in the password field. We had a thread here in the priority forum in the past weeks where Thom posted his example config, if I remember correctly.
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

Share This Page