Exim localhost spam sent without authentication

felipena (New member, joined Dec 14, 2016, 3 messages)
Hello,

A few days ago I noticed something strange in the exim mainlog file, and soon the server's main IP was blacklisted on CBL and postmaster.live.com.

It looks like bounce messages created locally are being used for spam. My logs:

2016-12-13 06:37:44 H=localhost (someclientdomain.com) [127.0.0.1] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2016-12-13 06:37:44 H=localhost (someclientdomain.com) [127.0.0.1] incomplete transaction (connection lost) from <[email protected]>
2016-12-13 06:37:44 unexpected disconnection while reading SMTP command from localhost (someclientdomain.com) [127.0.0.1]
2016-12-13 06:37:45 H=server.serverrealhostname.com (someclientdomain.com) [XXX.XXX.XXX.XXX] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2016-12-13 06:37:45 H=server.serverrealhostname.com (someclientdomain.com) [XXX.XXX.XXX.XXX] incomplete transaction (connection lost) from <[email protected]>
2016-12-13 06:37:45 unexpected disconnection while reading SMTP command from server.realserverhostname.com (someclientdomain.com) [XXX.XXX.XXX.XXX]

Where XXX.XXX.XXX.XXX is the server main IP.

At first I didn't think mail was being sent because of the rejected RCPT, but when checking Hotmail SNDS, because the IP had been manually blocked by them, the "Sample MAIL FROM" was exactly [email protected].

Does anyone know how to avoid it? The same issue happened with several other domains hosted on the server, but with different mail addresses like [email protected], [email protected], etc.

Thank you.
 
Hi Felipena,

We experienced exactly the same issue and were able to solve this. This isn't related to bounce spam but is caused by a PHP script that is sending email in some way that isn't detected by the system. My guess is that the script is connecting to the SMTP port directly and trying to send email that isn't accepted because it is unauthenticated.

We contacted CBL and they told us:
The CBL attempts to detect compromised machines in a number of ways based upon the email that the CBL's mail servers receive.

During this it tries to distinguish whether the connections represent real mail servers by ensuring that each connection is claiming a plausible machine name for itself (via SMTP HELO), and not listing any IP that corresponds to a real mail server (or several mail servers if the IP address is a NAT firewall with multiple mail servers behind it).

<our IP address> was found to be using several different EHLO/HELO names during multiple connections on or about:

2016:12:12 ~14:30 UTC+/- 15 minutes (approximately 2 hours, 45 minutes ago).

The names seen included:

<some domainnames on our server>

Note that the above list may include one or more names that are not fully qualified DNS names (FQDNs). Host names (ie: Windows node names) without a dot are not FQDNs.

RFC2821 requires that the HELO be either an IP address literal - an IP address surrounded by square brackets (ie: "[1.2.3.4]"), or a FQDN.

In our investigation we changed the IP address for Exim to another IP to work around the blacklisting. The logfiles, however, still showed connections to the old IP address, which was now only hosting websites, so it had to be a script or program. Netstat didn't show any program connecting to port 25/587, and the exim logfiles didn't give a clue about a script. Maldet didn't find any hack scripts, rkhunter didn't find anything, etc. We only saw that the logging of these spam emails stopped when we killed php-fpm, after which the spamming returned after some hours.

We solved this by:
1. Activating the log_selector "all" in /etc/exim.conf to log all connections (IP and port).
2. Running "tail -f /var/log/exim/mainlog" to check the incoming port number of a connection that tries to send spam.
3. Meanwhile running "watch -n 0.2 'netstat -nap | grep 127.0.0.1:25'" to refresh netstat every 0.2 seconds. At the moment a spam mail is sent, quickly take a screenshot.
4. Matching the port number of the incoming connection to the port number of the connection in netstat (in your screenshot). This will show you which process ID is sending the email. In our case the process ID belonged to a php-fpm process that was running as user X.
5. Investigating all Apache requests for that user to see which POSTs were sent to the website. Some scripts will be the result. In our case the 2 scripts didn't have any hacking code in them but appeared to be normal Joomla files. However, the account did contain many other hacking scripts. We called the customer and together decided to remove the whole website.
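The port-matching procedure above, automated as an added example (this is not code from the thread, nor from Exim or cPanel). It assumes Exim logs the client port, which log_selector "all" (or "+incoming_port") turns on, so rejection lines read "[127.0.0.1]:PORT"; that `ss -tnp` is available and run as root (other users' PIDs are otherwise hidden); and a cPanel-style domlog path, which is a guess. Instead of a screenshot, a background sampler appends socket snapshots to a capture file every 0.2 seconds, because the spamming script disconnects as soon as the RCPT is rejected and a single `ss` run after the log line appears is usually too late. The sample log line and `ss` output at the bottom are constructed for a dry run.

```shell
#!/bin/sh
# Added example: correlate an Exim "authentication required" rejection
# from 127.0.0.1 with the local process that opened the connection.

# Print the client port from an Exim mainlog line of the form
# "... H=localhost (helo) [127.0.0.1]:43210 F=<...> rejected RCPT ...".
extract_client_port() {
    printf '%s\n' "$1" | sed -n 's/.*\[127\.0\.0\.1\]:\([0-9][0-9]*\) .*/\1/p'
}

# Given a port and captured `ss -tnp` output, print the PID owning the
# client side (local 127.0.0.1:PORT, peer 127.0.0.1:25 or :587). Exim's own
# side of the same connection has local port 25/587, so it is skipped.
# Prints nothing if the connection was never captured.
pid_for_port() {
    printf '%s\n' "$2" | awk -v p="127.0.0.1:$1" '
        $4 == p && ($5 == "127.0.0.1:25" || $5 == "127.0.0.1:587") &&
        match($0, /pid=[0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4)
            exit
        }'
}

# Sampler: append an `ss -tnp` snapshot to file $1 every 0.2 s (the
# poster's "watch" plus screenshot, but machine-readable). Run it in the
# background while the spam is active; kill it when done.
sample_sockets() {
    while :; do
        ss -tnp >>"$1" 2>/dev/null
        sleep 0.2
    done
}

# Unix user (hosting account) a PID runs as.
user_for_pid() {
    ps -o user= -p "$1"
}

# Recent POST requests from that account's Apache domlogs.
# The path is an assumption; adjust to your Apache log layout.
posts_for_user() {
    grep -h '"POST ' /var/log/apache2/domlogs/"$1"/* 2>/dev/null | tail -n 20
}

# For each rejected localhost connection in mainlog $1, look its client
# port up in socket capture $2 and report the PID, user and recent POSTs.
# Usage: sample_sockets /tmp/ss.cap & correlate /var/log/exim/mainlog /tmp/ss.cap
correlate() {
    grep '\[127\.0\.0\.1\]:[0-9]* .*rejected RCPT' "$1" |
    while IFS= read -r line; do
        port=$(extract_client_port "$line")
        pid=$(pid_for_port "$port" "$(cat "$2")")
        if [ -z "$pid" ]; then
            printf 'port %s: not captured (sampling too slow or connection too short)\n' "$port"
            continue
        fi
        user=$(user_for_pid "$pid")
        printf 'port %s -> pid %s (user %s)\n' "$port" "$pid" "$user"
        posts_for_user "$user"
    done
}

# Constructed sample data for a dry run (not real logs).
SAMPLE_LOG='2016-12-13 06:37:44 H=localhost (someclientdomain.com) [127.0.0.1]:43210 F=<bounce@someclientdomain.com> rejected RCPT <victim@example.com>: authentication required'
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 127.0.0.1:25 127.0.0.1:43210 users:(("exim",pid=4081,fd=3))
ESTAB 0 0 127.0.0.1:43210 127.0.0.1:25 users:(("php-fpm",pid=21324,fd=9))'
```

With the sample data, extract_client_port yields 43210 and pid_for_port maps it to the php-fpm PID 21324 rather than the exim PID, which is the distinction the netstat screenshot step relies on. If correlate reports "not captured", shorten the sampler interval; the window between the script's connect and its disconnect is only as long as Exim's RCPT rejection takes.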
 
Was the user the owner of the domain shown in the (hostname) right after the H=localhost in the logs?

In my logs I have a hosted domain between H=localhost and [127.0.0.1].

I believed the abuse was caused by that domain.

Thanks!
 
Took a while but worked as well:

12-0 21324 0/76/937 W 4.50 2459 0 0.0 1.03 22.33 XXX.XXX.XXX.XXX www.XXXXXXXX.com POST /media/session.php HTTP/1.1

Somehow the locally hosted domain in the logs was fake.

Thanks again!
 
I am having the exact same problem.

I don't understand how you resolved it. Can you tell me?

Thanks!
 