
Spam Email Server Account Hijacked

9 Replies, latest reply: Mar 4, 2013 2:06 PM by jpm^_^
Moises R - OMTBA, Level 1 (0 points)
Dec 4, 2012 5:57 AM

Hello everyone,

 

I've been having a lot of trouble with one particular email server. I've posted a couple of questions but nobody has answered me, so I went and re-installed the whole server, changing its static IP and adding an Airport Extreme in between so that the server only does DNS, Open Directory, File Sharing and Email.

Everything has been going well until one user started receiving notifications about returned mail.

 

I've tried several things:

- Removed the non-SSL website so I only left the Webmail on 443

- Changed to more secure passwords

- Locked the account after 10 bad passwords (the user gets blocked every couple of hours)

- Deactivated the POP protocol, as nobody is using it; we are only using

- Tried blocking some Russian IPs because I noticed that all the emails have a Reply-To in the domain ngs.ru, but from the logs it looks like it's going through locally.

 

My user has only Macs and iOS products, so even though it's a mixed environment I don't think there could be malware doing this.

 

I don't know what else I can do. I really want to avoid the server getting blacklisted and I've been looking for help, so I would really appreciate it if someone could give me some guidance.

 

Here's the postconf -n:

 

server:~ administrator$ sudo postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, ecogenia.ca, server.ecogenia.ca, localhost.localdomain, $mydomain
mydomain = ecogenia.ca
mydomain_fallback = localhost
mynetworks = 127.0.0.0/8,192.168.1.0/24,207.115.108.190
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject cidr:/etc/postfix/smtpdreject.cidr permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks  reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.chain.pem
smtpd_tls_cert_file = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/server.ecogenia.ca.B9BEBCFA9A643188A6A20932B602BC15FBEB0C4F.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users

 

These are some of the logs I've been seeing:

 

Dec  4 04:06:51 server postfix/smtpd[19291]: NOQUEUE: reject: RCPT from unknown[95.65.176.14]: 554 5.7.1 Service unavailable; Client host [95.65.176.14] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=95.65.176.14; from=<reports@rapidfax.com> to=<gcrasnier@ecogenia.ca> proto=ESMTP helo=<[95.65.176.14]>

Dec  4 04:08:54 server postfix/smtp[19353]: 7897321698B: to=<guycrasnier@server.ecogenia.ca>, orig_to=<gcrasnier@ecogenia.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=21, delays=10/0/0/10, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17722-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as F0C1121699B)

Dec  4 05:08:14 server postfix/smtp[21213]: 43A6E216C47: to=<guycrasnier@server.ecogenia.ca>, orig_to=<gcrasnier@ecogenia.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=11/0.02/0/5.8, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17722-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A6914216C55)

Dec  4 05:16:28 server postfix/smtp[21479]: 6A7D8216CB8: to=<guycrasnier@server.ecogenia.ca>, orig_to=<gcrasnier@ecogenia.ca>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=11/0.02/0.01/5.6, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17723-04, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B435E216CC4)

 

Here is an example of a returned email that the user never sent:

 

From: "Mail Delivery System" <MAILER-DAEMON@orange.fr>

Subject: Undelivered Mail Returned to Sender

Date: 3 December, 2012 1:08:42 PM EST

To: gcrasnier@ecogenia.ca


We are sorry to inform you that your message could not
be delivered to one or more of its recipients.
This is an automatic message generated by the server mwinf5d38.orange.fr.
Please do not reply to it.

 

This is the mail system at host mwinf5d38.orange.fr.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients.

 

                 The mail system

 

<titulk@mail.ru>: host mail.ru[94.100.176.20] said: 550
spam message discarded. Please visit http://mail.ru/notspam/abuse?c=dK3Cqtwc2M_u_NHfPpZdr5kaLTUE1R6jDAAAAPoyAAATz4o6 or report details to abuse@corp.mail.ru. Error code: AAC2AD74CFD81CDCDFD1FCEEAF5D963E352D1A99A31ED504. ID: 0000000C000032FA3A8ACF13.

 


From: Вера Краснова <gcrasnier@ecogenia.ca>

Subject: Year-end credit for everyone, hurry and submit your loan application in December.

Date: 3 December, 2012 12:59:23 PM EST

To: Дина <diandpaul@ntlworld.com>

Reply-To: Вера Краснова <spencer1986placek@ngs.ru>

 

 

Good day. In the fourth quarter of 2012 you showed interest in our credit programs. We inform you that your application has been approved by the security services of several banks, and we ask you to fill in the loan application on the site http://renessanscapital.ru/

 

--
Regards, Вера Краснова
tel. +7 (913) 574-24-76
skype: credit.skype
ICQ: 6573118

 

Attention! To unsubscribe from the mailing list you need to submit a loan application once on the page http://renessanscapital.ru/, after which no more letters will be sent to your e-mail.

 

 

I'd really appreciate anyone's help.

  • pterobyte, Level 6 (10,910 points)
    Dec 4, 2012 9:29 AM (in response to Moises R - OMTBA)

    Hi

     

    Are you actually sure these mails are originating on your server? To me it looks more like backscatter (some spammer, through some other server(s), sends out spam with a faked From header impersonating your user. These messages bounce on the receiving end and are sent back to your server because of the faked header).

     

    Unless you have found any evidence in your logs that your server is sending this kind of spam OUTbound, then I'd say it is backscatter (the logs and headers you show are INbound).

     

    I did a quick and non-exhaustive check of your IP and server and I do not see it being blacklisted on any major RBL. Furthermore, your configuration, while not perfect, and the fact that you have changed passwords should protect you from this type of problem.

     

    If you can't find evidence of outgoing spam in the logs, open terminal and try this:

    sudo grep -i "sasl_username=" /var/log/mail.log

    If you see the same username over and over in short succession (like every second or so - in other words not humanly possible to send mails that quickly), then you might have a compromised account, but I doubt it.

     

    If you come to the conclusion it is backscatter, then all you can do is sit it out. It's part of life on the internet. Just make very, very sure that you do not bounce backscatter. As a rule of thumb, incoming rogue mail should be either rejected or accepted, but never bounced (to avoid backscatter).

     

    HTH,

    Alex
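The grep above shows the raw lines; the check that follows is an added example (not from this thread or from Alex) that turns the same idea into a detection rule: parse the sasl_username lines out of a mail.log excerpt and flag any account that authenticates faster than a human with a mail client could. The log excerpt, usernames, queue ids and client addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape Postfix writes to /var/log/mail.log; the
# queue ids, client addresses and usernames are made up for this example.
SAMPLE_LOG = """\
Dec  4 04:10:01 server postfix/smtpd[19400]: 1A2B3C4D5E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Dec  4 04:10:02 server postfix/smtpd[19400]: 2B3C4D5E6F: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Dec  4 04:10:02 server postfix/smtpd[19400]: 3C4D5E6F70: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Dec  4 04:10:03 server postfix/smtpd[19400]: 4D5E6F7081: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Dec  4 04:10:04 server postfix/smtpd[19400]: 5E6F708192: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Dec  4 09:15:40 server postfix/smtpd[19511]: 6F708192A3: client=mac.lan[192.168.1.20], sasl_method=PLAIN, sasl_username=bob
Dec  4 10:30:12 server postfix/smtpd[19600]: 708192A3B4: client=mac.lan[192.168.1.20], sasl_method=PLAIN, sasl_username=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \S+: "
    r"client=(?P<client>\S+), sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def parse_sasl_logins(log_text, year=2012):
    """Return (timestamp, username, client) for every authenticated submission.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the space-padded day number
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["client"]))
    return events


def burst_users(events, max_per_window=3, window_seconds=10):
    """Map username -> login count for users who authenticate more than
    max_per_window times inside any window_seconds span; a mail client driven
    by a person does not do that, so such accounts deserve a closer look."""
    by_user = defaultdict(list)
    for ts, user, _client in events:
        by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i  # extend the window forward from stamps[i] as far as it reaches
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 > max_per_window:
                flagged[user] = j - i + 1
                break
    return flagged
```

Run it over the real file with `burst_users(parse_sasl_logins(open("/var/log/mail.log").read()))`; an empty result means no account is submitting at machine speed, which is the normal outcome when the problem is inbound backscatter.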

  • UptimeJeff, Level 4 (3,390 points)
    Dec 5, 2012 6:24 PM (in response to Moises R - OMTBA)

    Just wanted to add...

    I did a quick portscan and you likely have many more services/ports exposed than you require.

    This may be where you are seeing the brute-force attempts.

  • pterobyte, Level 6 (10,910 points)
    Dec 6, 2012 2:02 AM (in response to Moises R - OMTBA)

    Since you mention that the account gets locked over and over again, it seems unlikely it was actually compromised. Looks more like a dictionary attack (which, provided the password is strong, has little chance of succeeding) or a user repeatedly locking him-/herself out.

     

    Based on your description, I am still inclined to think it is backscatter, but I can't be sure without log information. Last month's incident might have been completely unrelated and since you wiped and re-installed it is impossible to tell.

     

    If you don't want to or can't invest the time in monitoring your logs, there is little you can do other than speculate or hire somebody to do it for you. No offense meant, it's just the way it is.

  • pterobyte, Level 6 (10,910 points)
    Dec 7, 2012 9:07 AM (in response to Moises R - OMTBA)

    Are you a hundred percent sure the user isn't making any mistakes? Any chance the user has a second e-mail client with an incorrect password set up and is locking him-/herself out?

    I ask because dictionary attacks usually don't last long. Maybe a day or two and then they move on.

     

    If you are certain this is not the case, then some in-depth analysis is probably necessary, but I would need to see the logs. If you need help, you can contact me via my site. Not much around these days, but will try to help.

  • jpm^_^, Level 1 (0 points)
    Mar 4, 2013 2:06 PM (in response to Moises R - OMTBA)

    I've been getting a lot of bounce backs from the same SMTP server as you to our email domain as well.

     

    The offending server mwinf5d55.orange.fr is sending "backscatter" spam which should be simply dropped by them instead of bouncing back to the "FROM" address.

     

    Because of this problem of bounced emails, I've tweaked our SPF (Sender Policy Framework) DNS TXT entry for our email domain to help receiving mail servers know what our legitimate OUTBOUND SMTP mail servers actually are. This should allow correctly configured email servers to drop any email from mwinf5d55.orange.fr because it is not a valid source of email for our domain.

     

    (See http://www.openspf.org/SPF_Record_Syntax for some syntax)

     

     

    Some details that I've dug up:

     

    The SMTP server at orange.fr is accepting mail based on forged From: addresses, which is then bounced back to you by the receiving (target To: address) mail servers.

     

    E.g. from your email bounce-back message: host mail.ru[94.100.176.20] said: 550 spam message discarded.

     

     

    I'm not sure if the spammer is using the mwinf5d55.orange.fr SMTP server as an open relay or if it's using someone else's SMTP username and password to send mail.

     

    If you look at the email headers of the original bounced (spam) email that caused the backscatter it shows for example (from one of our bounces that I've received):

     

    Received: from Unknown ([92.46.248.56])
    by mwinf5d55 with ME
    id 7XfA1l00l1Dkwus03XfJsw; Mon, 04 Mar 2013 20:39:43 +0100
    X-ME-IP: 92.46.248.56
    X-ME-Entity: ofr

     

    When you look up the IP address source of that email it shows that it is coming from "JSC Kazakhtelecom, West Kazakhstan Affiliate".

     

     

    http://en.utrace.de/whois/92.46.248.56

     

     

    If you look up the original source email and find that it's from your original user's computer, then you have a problem. If it's from a compromised machine overseas that's sending forged spam on your user's behalf, then there's not too much you can do about it short of publishing a correct SPF record.

     

    Hope that helps.
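To make the SPF point concrete, here is an added example (not from this thread or from jpm^_^) that does what a receiving server does with a published record: pull the connecting client's IP out of a Received header like the one quoted above and evaluate it against the domain's SPF record. The SPF record is constructed for an imaginary domain using documentation address ranges, and the evaluator is deliberately simplified to the ip4, ip6 and all mechanisms, which need no DNS lookups.

```python
import ipaddress
import re

# Constructed SPF record for an imaginary domain: 203.0.113.0/24 and 2001:db8::/32
# are documentation address ranges, not anyone's real outbound mail servers.
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.25 ip4:203.0.113.0/28 ip6:2001:db8::/32 -all"

# Header fragment in the shape quoted in the post above (client IP taken from it).
SAMPLE_HEADERS = """\
Received: from Unknown ([92.46.248.56])
 by mwinf5d55 with ME
 id 7XfA1l00l1Dkwus03XfJsw; Mon, 04 Mar 2013 20:39:43 +0100
X-ME-IP: 92.46.248.56
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECEIVED_RE = re.compile(r"^Received: from \S+ \(\[?(?P<ip>[0-9A-Fa-f.:]+)\]?\)", re.M)


def received_client_ip(headers):
    """Pull the connecting client's IP out of the first Received header."""
    m = RECEIVED_RE.search(headers)
    return m["ip"] if m else None


def check_spf(record, sender_ip):
    """Evaluate an SPF record against the IP that handed the message in.
    Simplified on purpose: only ip4, ip6 and all are evaluated; mechanisms
    that need DNS (a, mx, include, exists, redirect) return 'unsupported'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a bare mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"
    return "neutral"  # ran off the end of the record without a match
```

With a `-all` record, the Kazakhstan client that handed the spam to orange.fr evaluates to "fail", which is exactly the signal jpm^_^ wants receiving servers to act on; a `~all` record would only yield "softfail", which most receivers treat as a hint rather than a reason to reject.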
