Exim spam through esmtp

aquila

Hello,

I have been having problems with a user account. There is a lot of spam being relayed through our server from an IP of our client. Here is the header of an email sent via our server:

Code:
1M5wIB-0005AE-Bt-H
mail 8 12
<[email protected]>
1242627943 0
-helo_name ourclientdomain.com
-host_address client's ip.40432
-interface_address server ip.25
-received_protocol esmtp
-body_linecount 48
-max_received_linelength 103
-deliver_firsttime
-host_lookup_failed
XX
7
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

188P Received: from [client's ip] (helo=ourclientdomain.com)
	by ourserver.com with esmtp (Exim 4.69)
	(envelope-from <[email protected]>)
	id 1M5wIB-0005AE-Bt; Mon, 18 May 2009 11:55:43 +0530
138P Received: from msg-g09pmirpcam ([122.89.60.35]) by ourclientdomain.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Mon, 18 May 2009 07:22:59 +0530
048F From: =?BIG5?B?wHW0ZqfWs/g=?= <[email protected]>
036T To: "shen71" <[email protected]>
053  Subject: =?BIG5?B?t1HF/avIpOGlRLDKp+SkV6r5ttyhSA==?=
038  Date: Tue, 19 Jan 2038 11:14:07 +0800
018  MIME-Version: 1.0
041  Content-Type: text/html;
	charset="Big5"
034  Content-Transfer-Encoding: base64
014  X-Priority: 3
026  X-MSMail-Priority: Normal
051  X-Mailer: Microsoft Outlook Express 6.00.2800.1106
057  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
029* Return-Path: [email protected]
056I Message-ID: <[email protected]>
084  X-OriginalArrivalTime: 18 May 2009 01:53:01.0203 (UTC) FILETIME=[60287630:01C9D75B]
078  X-Antivirus-Scanner: Scanned with Exiscan. You should still use an antivirus.

Does the "-received_protocol esmtp" line say that it was delivered via esmtp, without authentication? Because every other email that is sent shows esmtpa or esmtpsa.

Is this really a problem with our server or with our client? How can we resolve this problem?

Thank you in advance.
 
Do you mean the client's IP# on your server? Or their client's IP# at their location?

Jeff
 
If the spam is coming from their IP# and they can't block it, then block that IP#. If that means they leave you, well it appears they're a spammer. They may not be an intentional spammer, but fixing their problem should be their responsibility.

Jeff
 
Thanks Jeff. They are one of my friends and I need to find a way to sort this out for them. I would really like to know if the spam is being sent through an authenticated session or not. If not, could it be a serious problem on the server, which acts as an open relay or something? And if yes, how do we find out which user it was authenticated against?
 
If it's coming from their IP# then it's most likely authenticated; you can check your exim logs for the path the spam takes to the server.

We had a similar problem recently; the user changed to a DirectAdmin-generated random password instead of the name of his dog (or whatever) and the spam stopped.

Jeff
 
Thanks Jeff. They had an intranet MS Exchange server from which the spam originated. It was most likely due to malware. The MSE server was infected with a lot of malware and viruses. Now the spam has stopped.

If it's coming from their IP# then it's most likely authenticated; you can check your exim logs for the path the spam takes to the server.

What do you mean by the path here? Will exim log show which user was authenticated to send that spam email?
 
By looking at this log, can you help me identify the user who was authenticated?

Code:
2009-05-18 11:50:00 1M5wCd-0003Zv-J0 no immediate delivery: more than 10 messages received in one connection
2009-05-18 11:50:00 1M5wCd-0003f0-MU <= [email protected] H=(clientdomain.com) [xx.xx.xx.xx] P=esmtp S=2996 [email protected] T="±z¬O§_ªá¤F¤@°ï¿ú½T¤£¨£±o¦³«Å¶Ç®ÄªG¡H" from <[email protected]> for [email protected] [email protected] [email protected] [email protected]
2009-05-18 11:50:00 1M5wCd-0003f0-MU no immediate delivery: more than 10 messages received in one connection
2009-05-18 11:50:00 1M5wCd-0003a1-MU <= [email protected] H=(clientdomain.com) [xx.xx.xx.xx] P=esmtp S=4385 [email protected] T="¦U¦æ¦U·~³£¥i³z¹Lºô¸ô¦æ¾P¨Ó«Å¶Ç¡I§K¶O¿Ô¸ß¡I" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected]
2009-05-18 11:50:00 1M5wCd-0003a1-MU no immediate delivery: more than 10 messages received in one connection
2009-05-18 11:50:00 1M5wCd-0003hh-Rm <= [email protected] H=(clientdomain.com) [xx.xx.xx.xx] P=esmtp S=2638 [email protected] T="À°±zªº²£«~§@³Ì¤jªºÃn¥ú" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2009-05-18 11:50:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1M5wCd-0003hh-Rm
2009-05-18 11:50:00 1M5wCe-0003gq-4I <= [email protected] H=(clientdomain.com) [xx.xx.xx.xx] P=esmtp S=2365 [email protected] T="§i¶D±z*q³æ¡B¬y¶q«ç»ò¨Ó¡H" from <[email protected]> for [email protected] [email protected] [email protected]
2009-05-18 11:50:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1M5wCe-0003gq-4I
2009-05-18 11:50:00 1M5wCe-0003ff-7e <= [email protected] H=(clientdomain.com) [xx.xx.xx.xx] P=esmtp S=4888 [email protected] T="§Aªººô¯¸¦³¿ì¬¡°Ê«o¨S¤Hª¾¹D¶Ü?" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2009-05-18 11:50:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1M5wCe-0003ff-7e
2009-05-18 11:50:00 1M5wCe-0003gX-7m <= [email protected] H=(clientdomain.com) [xx.xx.xx.xx] P=esmtp S=4384 [email protected] T="½Ö»¡ºô¸ô¦æ¾P¨S®ÄªG¡I¬O±z¨S§ä¨ì±M·~ªº§Ú*Ì¡I" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2009-05-18 11:50:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1M5wCe-0003gX-7m
2009-05-18 11:50:01 1M5wCe-0003fh-AM <= [email protected] H=(clientdomain.com) [xx.xx.xx.xx] P=esmtp S=1933 [email protected] T="³z¹Lºô¸ô¦æ¾P±N±zªº²£«~¤j¶q¨Ã§Ö³tªºÃn¥ú¦b®ø¶OªÌ*±«e" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected]
2009-05-18 11:50:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1M5wCe-0003fh-AM
 
Code:
2009-05-18 11:50:01 1M5wCe-0003fh-AM <= [email protected] H=(clientdomain.com) [xx.xx.xx.xx] P=esmtp S=1933 [email protected] T="³z¹Lºô¸ô¦æ¾P±N±zªº²£«~¤j¶q¨Ã§Ö³tªºÃn¥ú¦b®ø¶OªÌ*±«e" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected]
2009-05-18 11:50:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1M5wCe-0003fh-AM
2009-05-18 11:55:09 cwd=/root 3 args: exim -Mrm 1M5wCe-0003fh-AM
2009-05-18 11:55:09 1M5wCe-0003fh-AM removed by root
2009-05-18 11:55:09 1M5wCe-0003fh-AM Completed

Obviously I deleted all the emails in the queue within a few minutes. But will that stop us from knowing who authenticated?
 
"P=esmtp" means that there was no authentication, which means that there probably is open relay from that IP. If it were authenticated the log line would have shown "P=esmtpa A=login:username".
 
It does not appear he logged in through SMTP. But I'm not an exim expert. Try grep'ing the IP address in maillog.
 
"P=esmtp" means that there was no authentication, which means that there probably is open relay from that IP. If it were authenticated the log line would have shown "P=esmtpa A=login:username".

Exactly, that is my concern. The spam was sent via esmtp (non-authenticated). So it looks like our server is an open relay? Any idea how I can figure it out and fix it?

Many thanks in advance
 
It does not appear he logged in through SMTP. But I'm not an exim expert. Try grep'ing the IP address in maillog.

Thanks. grep'ing the IP gives a lot of results. Valid users have authenticated, and all these spams have not been authenticated.
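The two posts above turn on one detail of the Exim mainlog format: a "<=" arrival line carries P=esmtp when the session was not authenticated, and P=esmtpa (or esmtpsa over TLS) together with A=authenticator:username when it was. The script below is an added example, not code from the original thread or from DirectAdmin: it parses constructed mainlog lines in that format (the IPs, usernames and message IDs are made up), counts authenticated and unauthenticated arrivals per source IP, and answers the question asked earlier in the thread, "which user authenticated for this message ID?", returning None for a P=esmtp message. It assumes the default Exim log layout shown in the posted excerpts (H=... [ip] P=... A=...); sites with log_selector tweaks may need the regex adjusted.

```python
import re
from collections import defaultdict

# Constructed sample Exim mainlog lines (not taken from the original post).
# "<=" marks message arrival. H= is the sending host, P= the protocol,
# A= (present only when authenticated) is authenticator:username.
SAMPLE_LOG = """\
2009-05-18 11:50:00 1M5wCd-0003f0-MU <= sender@example.net H=(clientdomain.com) [203.0.113.10] P=esmtp S=2996 id=abc@clientdomain.com T="subject one" from <sender@example.net> for rcpt1@example.org
2009-05-18 11:50:01 1M5wCe-0003fh-AM <= sender@example.net H=(clientdomain.com) [203.0.113.10] P=esmtp S=1933 id=def@clientdomain.com T="subject two" from <sender@example.net> for rcpt2@example.org
2009-05-18 11:52:10 1M5wEa-0001Ab-Cd <= alice@example.com H=(alice-pc) [203.0.113.10] P=esmtpa A=login:alice S=1500 id=ghi@example.com T="hi" from <alice@example.com> for bob@example.org
2009-05-18 11:53:30 1M5wFb-0001Ac-De <= bob@example.com H=(bob-laptop) [198.51.100.7] P=esmtpsa A=login:bob S=1800 id=jkl@example.com T="report" from <bob@example.com> for carol@example.org
2009-05-18 11:54:00 1M5wGc-0001Ad-Ef <= carol@other.example H=mail.other.example [198.51.100.9] P=esmtp S=2100 id=mno@other.example T="inbound" from <carol@other.example> for alice@example.com
2009-05-18 11:54:05 1M5wGc-0001Ad-Ef => alice <alice@example.com> R=localuser T=local_delivery
"""

# Matches only arrival ("<=") lines. The host field may be "H=(helo) [ip]"
# or "H=name (helo) [ip]", so the IP is taken from the first [...] after
# the sender. A= is optional: absent means no SMTP AUTH took place.
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) '
    r'.*?\[(?P<ip>[^\]]+)\] P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?'
)


def parse_arrival(line):
    """Return a dict for an Exim '<=' line, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    auth = m.group("auth")
    # A=login:alice -> authenticator "login", username "alice"
    user = auth.split(":", 1)[1] if auth and ":" in auth else None
    return {
        "time": m.group("ts"),
        "id": m.group("id"),
        "sender": m.group("sender"),
        "ip": m.group("ip"),
        "proto": m.group("proto"),
        "authenticated": auth is not None,
        "user": user,
    }


def parse_log(text):
    """All arrival records in a mainlog excerpt, in order."""
    return [r for r in (parse_arrival(l) for l in text.splitlines()) if r]


def relay_summary(text):
    """Per source IP: how many arrivals were authenticated, how many were
    plain esmtp, and which usernames authenticated from that IP.  An IP with
    many P=esmtp arrivals and no recipients of its own is the relay suspect."""
    summary = defaultdict(lambda: {"authenticated": 0, "unauthenticated": 0, "users": set()})
    for rec in parse_log(text):
        entry = summary[rec["ip"]]
        if rec["authenticated"]:
            entry["authenticated"] += 1
            entry["users"].add(rec["user"])
        else:
            entry["unauthenticated"] += 1
    return {ip: {**e, "users": sorted(e["users"])} for ip, e in summary.items()}


def user_for_message(text, msg_id):
    """Username that authenticated for msg_id, or None if the message
    arrived without SMTP AUTH (P=esmtp) or is not in the excerpt."""
    for rec in parse_log(text):
        if rec["id"] == msg_id:
            return rec["user"]
    return None


if __name__ == "__main__":
    for ip, e in sorted(relay_summary(SAMPLE_LOG).items()):
        print(f"{ip}: auth={e['authenticated']} unauth={e['unauthenticated']} users={e['users']}")
    print("1M5wCe-0003fh-AM authenticated as:", user_for_message(SAMPLE_LOG, "1M5wCe-0003fh-AM"))
```

Run it against a real excerpt with `grep 'ip.address' /var/log/exim/mainlog` piped into `parse_log`; an IP that shows up with authenticated users and, in the same window, a burst of P=esmtp arrivals addressed to outside domains is exactly the pattern the thread describes, and `user_for_message` will return None for those messages because no A= field was ever logged for them.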
 
I think that all this is caused by popb4smtp. There is a reason I said "open relay from that IP": exim on DA saves for some time (don't remember how many hours, maybe a day) the IP and username of every authentication made via IMAP and POP3 in /etc/virtual/pophosts_user, then anyone from those IP addresses can relay without restrictions.

To solve this problem you can either turn the da-popb4smtp service off (and wiping the content of /etc/virtual/pophosts) or ask the customer at that IP address to make the spam stop by finding the cause (it probably is a worm/virus).
 
I think that all this is caused by popb4smtp. There is a reason I said "open relay from that IP": exim on DA saves for some time (don't remember how many hours, maybe a day) the IP and username of every authentication made via IMAP and POP3 in /etc/virtual/pophosts_user, then anyone from those IP addresses can relay without restrictions.

To solve this problem you can either turn the da-popb4smtp service off (and wiping the content of /etc/virtual/pophosts) or ask the customer at that IP address to make the spam stop by finding the cause (it probably is a worm/virus).

Does that mean DA's popb4smtp is a vulnerability?
 
There is no right answer to that; yes and no.

Comfort/ease-of-use and security do not play along: either you deactivate popb4smtp and force every one of your customers to use SMTP authentication, or you use popb4smtp and let the customer decide.

But know this: there still are a few devices and applications that don't have SMTP authentication support, and a worm that has the same IP as one of your customers could easily steal the authentication data anyway from the original email application that resides on the given machine.

popb4smtp is a very useful workaround, and a small security threat.
 
Ok, sounds like I'm learning :)

I will keep popb4smtp as it is, as it sounds more secure than just SMTP with authentication. Well, yes, nothing can be 100% secure. Thanks a lot for your help tillo.
 
exim on DA saves for some time (don't remember how many hours, maybe a day) the IP and username of every authentication made via IMAP and POP3 in /etc/virtual/pophosts_user, then anyone from those IP addresses can relay without restrictions.

It's 30 minutes by default.
 