9 Replies Latest reply: Mar 4, 2013 2:06 PM by jpm^_^
Moises R - OMTBA Level 1 (0 points)

Hello everyone,


I've been having a lot of trouble with one particular email server. I've posted a couple of questions but nobody has answered me so I went and re-installed the whole server by changing its static IP and adding an Airport Extreme in between so that the server only does DNS, Open Directory, File Sharing and Email.

Everything had been going well until one user started receiving email notifications about mail returned messages.


I've tried several things:

- Removed the non SSL website so I only left the Webmail on 443

- Changed to more secure passwords

- Lock the account after 10 bad passwords (the user gets blocked every couple of hours)

- Deactivate the POP protocol as nobody is using it, we are only using

- Tried blocking some Russian IPs because I noticed that all the emails are Reply To the domain ngs.ru but from the logs it looks like it's going through locally.


My user has only Macs and iOS products so even though it's a mixed environment I don't think there could be malware doing this.


I don't know what else I can do. I really want to avoid the server getting blacklisted and I've been looking for help, so I would really appreciate it if someone could provide me some guidance.


Here's the postconf -n:


server:~ administrator$ sudo postconf -n

biff = no

command_directory = /usr/sbin

config_directory = /etc/postfix

content_filter = smtp-amavis:[]:10024

daemon_directory = /usr/libexec/postfix

debug_peer_level = 2

enable_server_options = yes

header_checks = pcre:/etc/postfix/custom_header_checks

html_directory = /usr/share/doc/postfix/html

inet_interfaces = all

mail_owner = _postfix

mailbox_size_limit = 0

mailbox_transport = dovecot

mailq_path = /usr/bin/mailq

manpage_directory = /usr/share/man

maps_rbl_domains =

message_size_limit = 0

mydestination = $myhostname, localhost.$mydomain, localhost, ecogenia.ca, server.ecogenia.ca, localhost.localdomain, $mydomain

mydomain = ecogenia.ca

mydomain_fallback = localhost

mynetworks =,,

newaliases_path = /usr/bin/newaliases

queue_directory = /private/var/spool/postfix

readme_directory = /usr/share/doc/postfix

recipient_delimiter = +

relayhost =

sample_directory = /usr/share/doc/postfix/examples

sendmail_path = /usr/sbin/sendmail

setgid_group = _postdrop

smtpd_client_restrictions = hash:/etc/postfix/smtpdreject cidr:/etc/postfix/smtpdreject.cidr permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit

smtpd_enforce_tls = no

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname

smtpd_pw_server_security_options = cram-md5,gssapi,login,plain

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks  reject_unauth_destination check_policy_service unix:private/policy permit

smtpd_sasl_auth_enable = yes

smtpd_tls_CAfile = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.chain.pem

smtpd_tls_cert_file = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.cert.pem

smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL

smtpd_tls_key_file = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.key.pem

smtpd_use_pw_server = yes

smtpd_use_tls = yes

tls_random_source = dev:/dev/urandom

unknown_local_recipient_reject_code = 550

virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains

virtual_alias_maps = hash:/etc/postfix/virtual_users


These are some of the logs I've been seeing:


Dec  4 04:06:51 server postfix/smtpd[19291]: NOQUEUE: reject: RCPT from unknown[]: 554 5.7.1 Service unavailable; Client host [] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=; from=<reports@rapidfax.com> to=<gcrasnier@ecogenia.ca> proto=ESMTP helo=<[]>

Dec  4 04:08:54 server postfix/smtp[19353]: 7897321698B: to=<guycrasnier@server.ecogenia.ca>, orig_to=<gcrasnier@ecogenia.ca>, relay=[]:10024, delay=21, delays=10/0/0/10, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17722-02, from MTA([]:10025): 250 2.0.0 Ok: queued as F0C1121699B)

Dec  4 05:08:14 server postfix/smtp[21213]: 43A6E216C47: to=<guycrasnier@server.ecogenia.ca>, orig_to=<gcrasnier@ecogenia.ca>, relay=[]:10024, delay=17, delays=11/0.02/0/5.8, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17722-03, from MTA([]:10025): 250 2.0.0 Ok: queued as A6914216C55)

Dec  4 05:16:28 server postfix/smtp[21479]: 6A7D8216CB8: to=<guycrasnier@server.ecogenia.ca>, orig_to=<gcrasnier@ecogenia.ca>, relay=[]:10024, delay=17, delays=11/0.02/0.01/5.6, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17723-04, from MTA([]:10025): 250 2.0.0 Ok: queued as B435E216CC4)


Here is an example of the emails returned that the user has never sent:


From: "Mail Delivery System" <MAILER-DAEMON@orange.fr>

Subject: Undelivered Mail Returned to Sender

Date: 3 December, 2012 1:08:42 PM EST

To: gcrasnier@ecogenia.ca

We are sorry to inform you that your message could not
be delivered to one or more of its recipients.
This is an automatic message generated by the server mwinf5d38.orange.fr.
Please do not reply to it.


This is the mail system at host mwinf5d38.orange.fr.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients.


                 The mail system


<titulk@mail.ru>: host mail.ru[] said: 550
spam message discarded. Please visit http://mail.ru/notspam/abuse?c=dK3Cqtwc2M_u_NHfPpZdr5kaLTUE1R6jDAAAAPoyAAATz4o6 or report details to abuse@corp.mail.ru. Error code: AAC2AD74CFD81CDCDFD1FCEEAF5D963E352D1A99A31ED504. ID: 0000000C000032FA3A8ACF13.


From: Вера Краснова <gcrasnier@ecogenia.ca>

Subject: A loan for everyone at the end of the year, hurry to submit your loan application in December.

Date: 3 December, 2012 12:59:23 PM EST

To: Дина <diandpaul@ntlworld.com>

Reply-To: Вера Краснова <spencer1986placek@ngs.ru>



Good day, in the fourth quarter of 2012 you showed interest in our loan programs. We inform you that your application has been approved by the security departments of several banks, and we ask you to fill out a loan application on the site http://renessanscapital.ru/


Regards, Вера Краснова
tel. +7 (913) 574-24-76
skype: credit.skype
ICQ: 6573118


Attention! To unsubscribe from this mailing list, you need to submit a loan application once on the page http://renessanscapital.ru/ after which no more messages will be sent to your e-mail.



I'll really appreciate anyone's help.

  • pterobyte Level 6 (10,910 points)



    Are you actually sure these mails are originating on your server? To me it looks more like backscatter (Some spammer through some other server(s) sends out spam with a faked from header impersonating your user. These messages bounce on the receiving end and are sent back to your server because of the faked header).


    Unless you have found any evidence in your logs that your server is sending this kind of spam OUTbound, then I'd say it is backscatter (the logs and headers you show are INbound).


    I did a quick and non-exhaustive check of your IP and server and I do not see it being blacklisted on any major RBL. Furthermore your configuration, while not perfect, and the fact that you have changed passwords should protect you from this type of problem.


    If you can't find evidence of outgoing spam in the logs, open terminal and try this:

    sudo grep -i "sasl_username=" /var/log/mail.log

    If you see the same username over and over in short succession (like every second or so - in other words not humanly possible to send mails that quickly), then you might have a compromised account, but I doubt it.


    If you come to the conclusion it is backscatter, then all you can do is sit it out. It's part of life in the internet. Just make very very sure that you do not bounce backscatter. As a rule of thumb, incoming rogue mail should be either rejected or accepted, but never bounced (to avoid backscatter).
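An added example, not part of the original thread or of pterobyte's reply: the `grep` check described above, automated as a burst detector that reports any SASL username submitting mail faster than a person could, along with the client IPs used. The log line layout (`client=...[ip], sasl_method=..., sasl_username=...`), the usernames, the documentation-range IPs, and the 10-second/5-message thresholds are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout of the smtpd line logged for each SASL-authenticated message.
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=\S*\[(?P<ip>[^\]]*)\].*\bsasl_username=(?P<user>[^\s,]+)")

# Constructed sample: alice sends 6 mails in 5 seconds from two IPs, bob sends 2.
LINE = ("Dec  4 {t} server postfix/smtpd[19291]: {q}: client=unknown[{ip}], "
        "sasl_method=LOGIN, sasl_username={u}")
SAMPLE = [LINE.format(t=f"04:06:{50 + i}", q=f"4C1A2{i}",
                      ip=f"203.0.113.{7 + i % 2}", u="alice") for i in range(6)]
SAMPLE += [LINE.format(t="09:15:02", q="9F3B7", ip="198.51.100.20", u="bob"),
           LINE.format(t="10:40:31", q="A01C3", ip="198.51.100.20", u="bob"),
           "Dec  4 04:06:51 server postfix/smtpd[19291]: NOQUEUE: reject: "
           "RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable"]

def parse(lines, year=2012):
    """Yield (timestamp, username, client_ip) per authenticated submission."""
    for line in lines:
        m = SASL_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"].lower(), m["ip"]

def burst_report(lines, window=timedelta(seconds=10), threshold=5):
    """Return {user: (peak, ips)} where peak submissions in any window >= threshold."""
    events = defaultdict(list)
    for ts, user, ip in parse(lines):
        events[user].append((ts, ip))
    report = {}
    for user, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted times
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[user] = (peak, sorted({ip for _, ip in evs}))
    return report

if __name__ == "__main__":
    print(burst_report(SAMPLE))
```

An empty report over the period when the bounces arrived is consistent with backscatter; a flagged user with unfamiliar client IPs points to a compromised account instead.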




  • Moises R - OMTBA Level 1 (0 points)

    Hi Alex,


    I'm sorry for the delay in answering but I really appreciate your quick response. It hasn't been an easy week.


    I don't know if these emails are originating on my server and I don't know how to find that out. I'd love to learn how to effectively read the logs, but spending hours going through them is unfortunately not an option for me right now. What would you recommend?


    I have identified one problematic account because only this user is having the problem, I tried changing his password but he was still getting undelivered messages.

    Since I set the policy to block the account if they try the wrong password 10 times, the account is getting disabled every 2 - 4 hours. I believe the undelivered messages are still coming but less frequently. The user is still receiving a bunch of emails; every time I unlock the account he gets 10-15 emails of undelivered messages.


    I did the command and I don't see any weird behaviour, so I guess my accounts are not compromised. OK, but why would the account get disabled so often? Does it mean that somebody is trying a brute-force attack?


    I tend to believe it's backscatter but I'm not comfortable sitting it out. Last month I had to re-install the whole server because it kept getting blacklisted; that's why I'm so desperate for help. I don't want to get to that point so I'm open to any suggestions.


    Thanks a lot Alex, looking forward to replies.

  • UptimeJeff Level 4 (3,420 points)

    Just wanted to add.....

    I did a quick portscan and you likely have many more services/ports exposed than you require.

    This may be where you are seeing brute-force attempts.

  • pterobyte Level 6 (10,910 points)

    Since you mention that the account gets locked over and over again, it seems unlikely it was actually compromised. Looks more like a dictionary attack (which, provided the password is strong, has little chance of succeeding) or a user repeatedly locking him-/herself out.


    Based on your description, I am still inclined to think it is backscatter, but I can't be sure without log information. Last month's incident might have been completely unrelated and since you wiped and re-installed it is impossible to tell.


    If you don't want or can't invest the time monitoring your logs, there is little you can do other than speculate or hire somebody to do it for you. No offense meant, it's just the way it is.

  • Moises R - OMTBA Level 1 (0 points)

    Thanks Jeff,


    How did you do the port scan? I am just going to Network Utility, is that the way you did it?

    I will block unnecessary ports.

  • Moises R - OMTBA Level 1 (0 points)



    Would it ever stop? Right now I have to keep unblocking the account every 2 - 4 hours which is kind of painful for me and my client.


    I would love to learn how to identify and read the important logs but I need someone to show me or provide me some guidance, someone with experience so that the time spent is efficient. If you can help me, let's find a way to do it and if not, could you recommend someone?

    I prefer to have the peace of mind and be able to tell my client that his email server is safe than having to pass through what I did last month...

  • pterobyte Level 6 (10,910 points)

    Are you a hundred percent sure the user isn't making any mistakes? Any chance the user has a second e-mail client with an incorrect password set up and is locking him-herself out?

    I ask because dictionary attacks usually don't last long. Maybe a day or two and then they move on.


    If you are certain this is not the case, then some in-depth analysis is probably necessary, but I would need to see the logs. If you need help, you can contact me via my site. Not much around these days, but will try to help.

  • Moises R - OMTBA Level 1 (0 points)

    Hi Alex,


    Yes, the user makes mistakes every so often but this is becoming ridiculous, the account gets locked very often and I believe that when I unlock the account, he gets email of wrong delivery back. I really don't understand what's going on and it's been 2 weeks now...


    Which logs should we be looking at?


    I've sent you a message through your support form.

  • jpm^_^ Level 1 (0 points)

    I've been getting a lot of bounce backs from the same SMTP server as you to our email domain as well.


    The offending server mwinf5d55.orange.fr is sending "backscatter" spam which should be simply dropped by them instead of bouncing back to the "FROM" address.


    Because of this problem of bounced emails, I've tweaked our SPF (Sender Policy Framework) DNS TXT entry for our email domain to help receiving mailservers know what our legitimate OUTBOUND smtp mail servers actually are. This should allow correctly configured email servers to drop any email from mwinf5d55.orange.fr because it is not a valid source of email for our domain.


    (See http://www.openspf.org/SPF_Record_Syntax for some syntax)



    Some details that I've dug up:


    The SMTP server at orange.fr is accepting mail based on forged FROM: addresses which bounce back to you by the receiving target TO: address mailservers. 


    Eg. From your email bounce back message:  host mail.ru[] said: 550 spam message discarded.



    I'm not sure if the spammer is using the mwinf5d55.orange.fr smtp server as an open relay or if it's using someone else's smtp username and password to send mail.


    If you look at the email headers of the original bounced (spam) email that caused the backscatter it shows for example (from one of our bounces that I've received):


    Received: from Unknown ([])

    by mwinf5d55 with ME

    id 7XfA1l00l1Dkwus03XfJsw; Mon, 04 Mar 2013 20:39:43 +0100


    X-ME-Entity: ofr


    When you look up the IP address source of that email it shows that it is coming from "JSC Kazakhtelecom, West Kazakhstan Affiliate".






    If you look up the original source email and find that it's from your original user's computer then you have a problem. If it's from a compromised machine overseas that's sending forged spam on your user's behalf, then there's not too much you can do about it short of publishing a correct SPF record.


    Hope that helps.
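An added example, not from jpm's post or from any project's code: a simplified model of how a receiving server that checks SPF evaluates the connecting IP against a domain's published TXT record. The record, the documentation-range addresses and the `check_spf` helper are constructed assumptions; mechanisms that need DNS lookups (`a`, `mx`, `include`) are skipped, so only literal `ip4`/`ip6` entries and `all` are modelled.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record: one authorised outbound server, everything else fails.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.25 -all"

def check_spf(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms left to right; first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        # A missing qualifier means "+" (pass).
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term[1:] if term[0] in RESULTS else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # a, mx, include, redirect=... need DNS and are skipped in this model
    return "neutral"                       # nothing matched, no "all" term

if __name__ == "__main__":
    for source in ("192.0.2.25", "203.0.113.77"):
        print(source, check_spf(EXAMPLE_RECORD, source))
```

A record ending in `~all` yields `softfail` for unlisted sources, which many receivers only score and do not reject, so the final qualifier decides how strongly forged mail is refused.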