Server sending spam from another host - how to track down? #2

Pezmc

Hi all,

Previous thread is here

My server appears to be sending spam out. I've followed all the steps in the guide, including putting limits in place and adding DKIM, and I've even completely disabled Dovecot.

I just can't figure out where the spam is coming from, I've changed all passwords, checked the lfd logs for others logging in (nothing out of the ordinary) and been through the exim logs for users authenticating (none).

I'm seeing the limit emails coming out so I know which user is "compromised", but I can't understand how this mail is getting sent.

The limit emails report the following:

The admin account has just finished sending 500 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/admin.bytes file, it was found that the highest sender was uujcgpvy@[host].com, at 10 emails.

The top sending host was 187.23.170.133, at 501 emails (100%).

I believe the important part is "187.23.170.133, at 501 emails (100%)": how is another host (this IP has nothing to do with my web server) sending emails from my web server? This problem has exceeded my knowledge of how email works!

Have I overlooked something simple or is there anything else I can look at? Any help is appreciated.



Thank you,

P.s. The host in question is found at http://tent.pezcuckow.com/ (no website though)

---

Here's a header from one of the emails (how is user-pc authenticated?):

1U0Etk-0004AQ-RS-H
mail 8 12
<myfs0o@[host].com>
1359480184 0
-helo_name User-PC
-host_address 187.23.174.173.59410
-interface_address 78.129.132.155.25
-received_protocol esmtp
-body_linecount 17
-max_received_linelength 200
-host_lookup_failed
YY [email protected]
YY [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
10
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

173P Received: from [187.23.174.173] (helo=User-PC)
by tent with esmtp (Exim 4.72)
(envelope-from <myfs0o@[host].com>)
id 1U0Etk-0004AQ-RS; Tue, 29 Jan 2013 17:23:05 +0000
045F From: "Rafaela Gomes" <myfs0o@[host].com>
045 Subject: Queda de cabelo? Podemos te ajudar!
028T To: [email protected]
024 Content-Type: text/html
039R Reply-To: [email protected]
038 Date: Tue, 29 Jan 2013 15:23:07 -0200
 
Hello,

You might want to use exigrep to find and gather all related lines to the particular email.

as an example:

Code:
exigrep 1U0Etk-0004AQ-RS-H /var/log/exim/mainlog

That might give some clues.


how is user-pc authenticated?

Why do you think he is? ESMTP does not determine that.
 
Hi Alex,

Thanks for the reply, I'll post the exigrep results when I get home.

With reference to who this user is, this connection is completely unexpected and originating from Brazil; there should be no users sending email via SMTP (I haven't seen any evidence of authentication or which user they are logging in as, though the mail's being sent from 'admin').

Pez,
 
No results for exigrep, I'm not sure why nothing is found:

$ /usr/sbin/exigrep 1U0Etk-0004AQ-RS-H /var/log/exim/mainlog
$ /usr/sbin/exigrep 1U0Etk-0004AQ-RS-H /var/log/exim/*
$ /usr/sbin/exigrep 1U0FS4-0003An-LU-H /var/log/exim/*

----

I'm thrown now, another email was just sent out:

1U0IfU-0001u3-Gm-H
mail 8 12
<[email protected]>
1359494676 0
-helo_name Smkt
-host_address 189.35.74.233.49320
-interface_address 78.129.132.155.25


But nothing in the exim log?

$ /usr/sbin/exigrep 1U0IfU-0001u3-Gm-H /var/log/exim/mainlog
$ grep 1U0IfU-0001u3-Gm-H /var/log/exim/mainlog

However searching for the IP address shows results:

$ grep "189.35.74.233" /var/log/exim/mainlog*

Code:
/var/log/exim/mainlog:2013-01-29 17:54:45 1U0FON-00022Y-S9 <= [email protected] H=(Smkt) [189.35.74.233] P=esmtp S=1518 T="Ganhe Dinheiro Trabalhando em Casa ou nas Horas Vagas." from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
/var/log/exim/mainlog:2013-01-29 17:54:45 1U0FOO-00022r-SY <= [email protected] H=(Smkt) [189.35.74.233] P=esmtp S=1563 T="Queda de cabelo? Podemos te ajudar!" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
/var/log/exim/mainlog:2013-01-29 17:54:51 1U0FOU-00023U-9A <= [email protected] H=(Smkt) [189.35.74.233] P=esmtp S=1553 T="Queda de cabelo? Podemos te ajudar!" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

----

I've managed to find a full log for an email just sent out "1U0IfU-0001u3-Gm"

Header:

Code:
1U0IfU-0001u3-Gm-H
mail 8 12
<[email protected]>
1359494676 0
-helo_name Smkt
-host_address 189.35.74.233.49320
-interface_address 78.129.132.155.25
-received_protocol esmtp
-body_linecount 15
-max_received_linelength 200
-host_lookup_failed
YY [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
10
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

188P Received: from [189.35.74.233] (helo=Smkt)
	by tent.pegproductions.com with esmtp (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1U0IfU-0001u3-Gm; Tue, 29 Jan 2013 21:24:37 +0000
045F From: "Rafaela Gomes" <[email protected]>
062  Subject: BBB13 ao VIVO, CANAIS ADULTOS em HD, FILMES, FUTEBOL
030T To: [email protected]
024  Content-Type: text/html
038R Reply-To: [email protected]
038  Date: Tue, 29 Jan 2013 19:24:30 -0200

Log:

Code:
/var/log/exim/mainlog:2013-01-29 21:24:37 1U0IfU-0001u3-Gm <= [email protected] H=(Smkt) [189.35.74.233] P=esmtp S=1493 T="BBB13 ao VIVO, CANAIS ADULTOS em HD, FILMES, FUTEBOL" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
/var/log/exim/mainlog:2013-01-29 21:24:40 1U0IfU-0001u3-Gm => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1522 H=mx1.hotmail.com [65.55.37.88] C="250 <[email protected]> Queued mail for delivery"
/var/log/exim/mainlog:2013-01-29 21:24:40 1U0IfU-0001u3-Gm -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1522 H=mx1.hotmail.com [65.55.37.88] C="250 <[email protected]> Queued mail for delivery"
/var/log/exim/mainlog:2013-01-29 21:24:40 1U0IfU-0001u3-Gm ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host ALT2.ASPMX.L.GOOGLE.COM [173.194.69.26]: 550-5.7.1 [78.129.132.155       7] Our system has detected that this message is\n550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,\n550-5.7.1 this message has been blocked. Please visit\n550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for\n550 5.7.1 more information. iv5si10688051bkc.275 - gsmtp
/var/log/exim/mainlog:2013-01-29 21:24:41 1U0IfU-0001u3-Gm SMTP error from remote mail server after end of data: host mta7.am0.yahoodns.net [66.94.237.64]: 451 Message temporarily deferred - [70]
/var/log/exim/mainlog:2013-01-29 21:24:41 1U0IfU-0001u3-Gm ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.67.26]: 550-5.7.1 [78.129.132.155       7] Our system has detected that this message is\n550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,\n550-5.7.1 this message has been blocked. Please visit\n550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for\n550 5.7.1 more information. hj12si1261283wib.48 - gsmtp
/var/log/exim/mainlog:2013-01-29 21:24:43 1U0IfU-0001u3-Gm SMTP error from remote mail server after end of data: host mta6.am0.yahoodns.net [66.94.237.64]: 451 Message temporarily deferred - [70]
/var/log/exim/mainlog:2013-01-29 21:24:43 1U0IfU-0001u3-Gm ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mta7.am0.yahoodns.net [66.196.118.35]: 554 delivery error: dd Sorry your message to [email protected] cannot be delivered. This account has been disabled or discontinued [#102]. - mta1303.mail.bf1.yahoo.com
/var/log/exim/mainlog:2013-01-29 21:24:44 1U0IfU-0001u3-Gm SMTP error from remote mail server after end of data: host mta6.am0.yahoodns.net [66.196.118.35]: 451 Message temporarily deferred - [70]
/var/log/exim/mainlog:2013-01-29 21:24:45 1U0IfU-0001u3-Gm SMTP error from remote mail server after end of data: host mta6.am0.yahoodns.net [66.196.118.33]: 451 Message temporarily deferred - [70]
/var/log/exim/mainlog:2013-01-29 21:24:47 1U0IfU-0001u3-Gm => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1522 H=mta6.am0.yahoodns.net [74.6.136.244] C="250 ok dirdel"
/var/log/exim/mainlog:2013-01-29 21:24:50 1U0IfU-0001u3-Gm == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx3.bol.com.br [200.147.36.13]: 450 4.7.1 <pezcuckow.com[78.129.132.155]>: Client host rejected: Try again later
/var/log/exim/mainlog:2013-01-29 21:24:51 1U0IfU-0001u3-Gm => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1522 H=mx2.hotmail.com [65.55.92.136] C="250 <[email protected]> Queued mail for delivery"
/var/log/exim/mainlog:2013-01-29 21:25:29 1U0IfU-0001u3-Gm == [email protected] R=lookuphost T=remote_smtp defer (-46): SMTP error from remote mail server after end of data: host vip-us-br-mx.terra.com [208.84.244.133]: 450 4.7.1 You've exceeded your sending limit to this domain.
/var/log/exim/mainlog:2013-01-29 21:25:29 1U0IfU-0001u3-Gm == [email protected] R=lookuphost T=remote_smtp defer (-46): SMTP error from remote mail server after end of data: host vip-us-br-mx.terra.com [208.84.244.133]: 450 4.7.1 You've exceeded your sending limit to this domain.
/var/log/exim/mainlog:2013-01-29 21:25:29 1U0IgL-0001ur-Em <= <> R=1U0IfU-0001u3-Gm U=mail P=local S=3689 T="Mail delivery failed: returning message to sender" from <> for [email protected]

P.s. I'm now manually blocking the IPs in iptables but would like to solve the problem.
 
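The triage being done by hand in the post above (grep the mainlog by message id and by IP, then look at whether the "<=" line says P=esmtp with no A=) can be scripted. The following is an added example written for this page, not code from DirectAdmin or from anyone in the thread. It parses Exim's "<=" arrival lines, counts arrivals per remote IP, lists remote submissions that carry no A= authenticator, and strips the -H/-D spool-file suffix before searching by id, since the log carries the bare message id (1U0Etk-0004AQ-RS), not the spool file name (1U0Etk-0004AQ-RS-H). The sample log is constructed; the regexes assume the Exim 4.x log layout shown in the thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "<=" arrival and "=>" delivery lines posted in the
# thread. Addresses are placeholders; the remote IPs are the ones quoted in the thread.
SAMPLE_LOG = """\
2013-01-29 21:24:37 1U0IfU-0001u3-Gm <= sender@example.com H=(Smkt) [189.35.74.233] P=esmtp S=1493 T="BBB13 ao VIVO" from <sender@example.com> for a@example.net b@example.org
2013-01-29 21:24:40 1U0IfU-0001u3-Gm => a@example.net F=<sender@example.com> R=lookuphost T=remote_smtp S=1522 H=mx1.example.net [192.0.2.10] C="250 Queued"
2013-01-29 21:30:01 1U0Ikq-0001vA-1b <= alice@example.com H=(laptop) [203.0.113.5] P=esmtpa A=login:alice S=2048 T="report" from <alice@example.com> for bob@example.net
2013-01-29 21:31:15 1U0Im3-0001vQ-7c <= www-data U=www-data P=local S=900 T="contact form" from <www-data@tent.example.com> for ops@example.com
2013-01-31 19:25:52 1U0zlf-00059L-23 <= bot@example.com H=(User-PC) [189.35.78.196] P=esmtp S=1577 T="spam" from <bot@example.com> for x@example.net
"""

# "<timestamp> <msgid> <= <sender> <fields...>"; a leading "file:" prefix from grep still matches.
ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# "H=<hostname> (<helo>) [ip]" or, when reverse lookup failed, "H=(<helo>) [ip]"
HOST = re.compile(r"H=(?P<helo>.*?) ?\[(?P<ip>[0-9a-fA-F.:]+)\]")


def spool_id(name):
    """Map a spool file name (…-H header, …-D data) back to the message id Exim logs."""
    return name[:-2] if name.endswith(("-H", "-D")) else name


def parse_arrival(line):
    """Return the fields of one "<=" line, or None for any other line."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    # Everything before T="…" holds the H=/U=/P=/A=/S= fields; the subject may contain anything.
    head = m.group("rest").split(' T="', 1)[0]
    host = HOST.search(head)
    proto = re.search(r"(?:^| )P=(\S+)", head)
    auth = re.search(r"(?:^| )A=(\S+)", head)
    user = re.search(r"(?:^| )U=(\S+)", head)
    return {
        "id": m.group("id"), "time": m.group("ts"), "sender": m.group("sender"),
        "helo": host.group("helo") if host else None,
        "ip": host.group("ip") if host else None,
        "proto": proto.group(1) if proto else None,
        "auth": auth.group(1) if auth else None,       # e.g. "login:alice"; None = no SMTP AUTH
        "local_user": user.group(1) if user else None,  # set for local (P=local) submissions
    }


def summarize(log_text):
    """Count arrivals per remote IP and list remote submissions that carry no A= field."""
    by_ip = Counter()
    unauthenticated = []
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None or rec["ip"] is None:
            continue  # local submissions (U=…, P=local) are not relay candidates
        by_ip[rec["ip"]] += 1
        if rec["auth"] is None:
            unauthenticated.append(rec)
    return {"by_ip": by_ip, "unauthenticated_remote": unauthenticated}


def messages_for(log_text, msgid):
    """exigrep-style: every line mentioning one message; accepts a spool file name as the id."""
    mid = spool_id(msgid)
    return [ln for ln in log_text.splitlines() if mid in ln]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    for ip, n in report["by_ip"].most_common():
        print(f"{n:6d}  {ip}")
    for rec in report["unauthenticated_remote"]:
        print(f"UNAUTH {rec['id']} from {rec['ip']} helo={rec['helo']} P={rec['proto']} sender={rec['sender']}")
```

Run it as `python3 exim_arrivals.py /var/log/exim/mainlog` (or over the rotated files too). An entry in the UNAUTH list whose sender domain is hosted on the box and whose IP is not a local or trusted host is a relayed message, not a compromised mailbox: that is the difference between "P=esmtp" and "P=esmtpa A=login:user" the thread goes on to discuss.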
No results for exigrep, I'm not sure why nothing is found:

$ /usr/sbin/exigrep 1U0Etk-0004AQ-RS-H /var/log/exim/mainlog
$ /usr/sbin/exigrep 1U0Etk-0004AQ-RS-H /var/log/exim/*
$ /usr/sbin/exigrep 1U0FS4-0003An-LU-H /var/log/exim/*

The log file with the relevant data must have already been rotated.

However searching for the IP address shows results:

$ grep "189.35.74.233" /var/log/exim/mainlog*

You can use exigrep with any search word, as if you would use simply grep. Note I did not read your logs, maybe somebody will do that.

Please, put the logs lines (found with exigrep) between [_CODE_] and [_/CODE_] tags (use them without underscores). It would make it easy to read them.
 
Hi Alex,

I've done some digging through the log files and note that the message came with "P=esmtp"; if the user were authenticated I'd expect to see "P=esmtpa A=login:username". How is it possible for a user to send a message without authentication?

Does DirectAdmin by default not deny open relay? Or perhaps allow unauthenticated email?

The only other way I can think of a client being allowed to send unauthenticated email would be as a result of popb4smtp which I thought I'd previously disabled (how is this user getting in the pophosts list anyway if this is the case?)

Note I have DoveCot disabled and my pophosts file is empty:

Code:
admin@tent:~$ less /etc/virtual/pophosts                                        
/etc/virtual/pophosts (END)


I've got the latest exim and exim.conf as per this FAQ

P.s. what's the key difference between exigrep and grep? Does it just show multiple lines per ID instead of lines with that match?
 
how it it possible for a user to send a message without authentication?

Forwarders?

Does DirectAdmin by default not deny open relay?

It's denied.

Or perhaps allow unauthenticated email?

More logs should be analyzed.

The exigrep utility is a Perl script that searches one or more main log files for entries that match a given pattern. When it finds a match, it extracts all the log entries for the relevant message, not just those that match the pattern. Thus, exigrep can extract complete log entries for a given message, or all mail for a given user, or for a given host, for example.

http://www.cs.vassar.edu/cgi-bin/man/man2html?exigrep+8
 
A full exigrep on an email that was sent out

Code:
admin@tent:~$ /usr/sbin/exigrep 1U0zlf-00059L-23 /var/log/exim/*
2013-01-31 19:25:52 1U0zlf-00059L-23 <= [email protected] H=(User-PC) [189.35.78.196] P=esmtp S=1577 T="BBB13 ao VIVO, CANAIS ADULTOS em HD, FILMES, FUTEBOL" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2013-01-31 19:25:52 1U0zlf-00059L-23 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (admin) have reached your daily email limit of 100 emails
2013-01-31 19:25:52 1U0zlf-00059L-23 ** [email protected] F=<[email protected]>: Unrouteable address
2013-01-31 19:25:52 1U0zlf-00059L-23 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (admin) have reached your daily email limit of 100 emails
2013-01-31 19:25:52 1U0zlf-00059L-23 ** [email protected] F=<[email protected]>: Unrouteable address
2013-01-31 19:25:52 1U0zlf-00059L-23 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (admin) have reached your daily email limit of 100 emails
2013-01-31 19:25:52 1U0zlf-00059L-23 ** [email protected] F=<[email protected]>: Unrouteable address
2013-01-31 19:25:52 1U0zlf-00059L-23 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (admin) have reached your daily email limit of 100 emails
2013-01-31 19:25:52 1U0zlf-00059L-23 ** [email protected] F=<[email protected]>: Unrouteable address
2013-01-31 19:25:52 1U0zlf-00059L-23 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (admin) have reached your daily email limit of 100 emails
2013-01-31 19:25:52 1U0zlf-00059L-23 ** [email protected] F=<[email protected]>: Unrouteable address
2013-01-31 19:25:52 1U0zlf-00059L-23 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (admin) have reached your daily email limit of 100 emails
2013-01-31 19:25:52 1U0zlf-00059L-23 ** [email protected] F=<[email protected]>: Unrouteable address
2013-01-31 19:25:52 1U0zlf-00059L-23 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (admin) have reached your daily email limit of 100 emails
2013-01-31 19:25:52 1U0zlf-00059L-23 ** [email protected] F=<[email protected]>: Unrouteable address
2013-01-31 19:25:52 1U0zlf-00059L-23 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (admin) have reached your daily email limit of 100 emails
2013-01-31 19:25:52 1U0zlf-00059L-23 ** [email protected] F=<[email protected]>: Unrouteable address
2013-01-31 19:25:52 1U0zlf-00059L-23 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (admin) have reached your daily email limit of 100 emails
2013-01-31 19:25:52 1U0zlf-00059L-23 ** [email protected] F=<[email protected]>: Unrouteable address
2013-01-31 19:25:52 1U0zlf-00059L-23 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (admin) have reached your daily email limit of 100 emails
2013-01-31 19:25:52 1U0zlf-00059L-23 ** [email protected] F=<[email protected]>: Unrouteable address
2013-01-31 19:25:52 1U0zlf-00059L-23 Completed

I've tried testing the mail server with https://www.wormly.com/test_smtp_server
And it appears you can send email from the domain without auth.

e.g. 78.129.132.155, [email protected], [email protected]
Code:
Connecting...
SMTP -> FROM SERVER:
220 tent.pegproductions.com ESMTP Exim 4.72 Thu, 31 Jan 2013 20:18:55 +0000
SMTP -> FROM SERVER: 
250-tent.pegproductions.com Hello node-mec2.wormly.com [184.72.226.23]
250-SIZE 20971520
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
MAIL FROM: [email protected]
SMTP -> FROM SERVER:
250 OK
RCPT TO: [email protected]
SMTP -> FROM SERVER:
250 Accepted
Sending Mail Message Body...
SMTP -> FROM SERVER:
354 Enter message, ending with "." on a line by itself
SMTP -> FROM SERVER:
250 OK id=1U10b1-0002T6-TU
Message completed successfully.
 
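The wormly check above can be reproduced from any outside host with Python's smtplib. This is an added example, not wormly's tool and not anything posted in the thread. It does EHLO, MAIL FROM and RCPT TO with no AUTH, classifies the RCPT reply, and sends RSET instead of DATA so no test message actually leaves the server. Two caveats the test only makes sense with: run it from a network that is not in the server's relay_from_hosts (from the box itself 127.0.0.1 is normally allowed to relay, so a 250 there proves nothing), and use a recipient at a domain the server neither hosts nor relays for, otherwise "250 Accepted" is ordinary inbound delivery, not relaying. Hostname, sender and recipient are arguments you supply.

```python
import smtplib
import sys


def relay_verdict(code, message):
    """Classify the reply to an unauthenticated RCPT TO for a domain the server does not host."""
    text = message.decode(errors="replace") if isinstance(message, bytes) else str(message)
    if 200 <= code < 300:
        return f"OPEN RELAY: foreign recipient accepted without AUTH ({code} {text})"
    if code >= 500:
        return f"closed: relay refused ({code} {text})"
    return f"undetermined: temporary failure, retry later ({code} {text})"


def relay_probe(host, mail_from, rcpt_to, port=25, timeout=20):
    """EHLO, MAIL FROM, RCPT TO with no AUTH; RSET instead of DATA so nothing is delivered."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, banner = s.ehlo()
        if code != 250:
            return f"EHLO rejected ({code} {banner.decode(errors='replace')})"
        # What the server advertises (e.g. "PLAIN LOGIN"); offering AUTH is not the same as requiring it.
        auth = s.esmtp_features.get("auth", "").strip()
        code, msg = s.mail(mail_from)
        if code != 250:
            return f"MAIL FROM rejected ({code} {msg.decode(errors='replace')})"
        code, msg = s.rcpt(rcpt_to)
        s.rset()  # abandon the envelope: the verdict is known before DATA
        return f"AUTH offered: {auth or 'none'}; " + relay_verdict(code, msg)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: relay_probe.py <mailserver> <mail_from> <rcpt_to>")
    print(relay_probe(*sys.argv[1:4]))
```

Try it twice: once with a MAIL FROM at a domain hosted on the server (the case the spammer is exploiting) and once with a completely foreign sender. A properly configured Exim answers the foreign-recipient RCPT with a 5xx such as "relay not permitted" in both cases; the thread's server answered "250 Accepted".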
Check that you have no whitelisted that domain in :
/etc/virtual/whitelist_domains
/etc/virtual/whitelist_from


and these can be also checked for unusual records:
/etc/virtual/whitelist_hosts
/etc/virtual/whitelist_hosts_ip
/etc/virtual/whitelist_senders
 
The contents of helo show someone is connecting. If they're not logging in, then they're likely being whitelisted. Whitelisting any domain name which is hosted on the server opens your server as an open relay. So I'd check for this.

Jeff
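Jeff's point can be checked mechanically rather than by reading the files by eye. The audit below is an added example, not DirectAdmin code and not from anyone in the thread. It reads the five /etc/virtual whitelist files Alex listed, flags any sender-side entry (whitelist_domains, whitelist_from, whitelist_senders) whose domain is hosted on the server, any whitelist_hosts entry that sits under a hosted domain, and any whitelist_hosts_ip entry that is a range rather than a single host. It assumes one entry per line with # comments, and that DirectAdmin's list of hosted domains lives in /etc/virtual/domains (adjust `audit_directory` if yours differs); the SAMPLE data is constructed.

```python
import ipaddress
import os

# The whitelist files named in the thread, read from /etc/virtual by default.
WHITELIST_FILES = ("whitelist_domains", "whitelist_from", "whitelist_hosts",
                   "whitelist_hosts_ip", "whitelist_senders")
SENDER_FILES = ("whitelist_domains", "whitelist_from", "whitelist_senders")


def entries(text):
    """One entry per line; blank lines and '#' comments ignored (assumed file format)."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def audit(whitelists, local_domains):
    """whitelists: {filename: file text}; local_domains: domains hosted on this server.
    Returns (filename, entry, reason) for every entry that turns the box into a relay."""
    local = {d.strip().lower() for d in local_domains if d.strip()}
    findings = []
    for name, text in whitelists.items():
        for entry in entries(text):
            e = entry.lower()
            if name in SENDER_FILES:
                # sender-based entries may be user@domain or a bare domain; either is matched on
                # MAIL FROM, which any remote client can forge
                domain = e.rsplit("@", 1)[-1]
                if domain in local:
                    findings.append((name, entry,
                                     "sender domain is hosted here: a forged MAIL FROM is enough to relay"))
            elif name == "whitelist_hosts_ip":
                try:
                    net = ipaddress.ip_network(e, strict=False)
                except ValueError:
                    findings.append((name, entry, "not a valid IP address or CIDR range"))
                    continue
                if net.num_addresses > 1:
                    findings.append((name, entry,
                                     f"whole range ({net.num_addresses} addresses) may relay, not one host"))
            elif name == "whitelist_hosts":
                if e in local or any(e.endswith("." + d) for d in local):
                    findings.append((name, entry,
                                     "hostname under a hosted domain: confirm it is one fixed, trusted machine"))
    return findings


def audit_directory(base="/etc/virtual", domains_file=None):
    """Run the audit on the live files. The hosted-domain list path is an assumption."""
    domains_file = domains_file or os.path.join(base, "domains")
    whitelists = {}
    for name in WHITELIST_FILES:
        path = os.path.join(base, name)
        whitelists[name] = open(path).read() if os.path.exists(path) else ""
    local = entries(open(domains_file).read()) if os.path.exists(domains_file) else []
    return audit(whitelists, local)


# Constructed sample reproducing the misconfiguration described above: a hosted domain in
# whitelist_domains, plus a catch-all range in whitelist_hosts_ip.
SAMPLE = {
    "whitelist_domains": "partner.example.net\npezcuckow.com\n",
    "whitelist_from": "# nothing here\n",
    "whitelist_hosts": "relay.partner.example.net\n",
    "whitelist_hosts_ip": "127.0.0.1\n0.0.0.0/0\n",
    "whitelist_senders": "alerts@example.org\n",
}
SAMPLE_LOCAL = ["pezcuckow.com", "pegproductions.com"]

if __name__ == "__main__":
    for fname, entry, why in audit(SAMPLE, SAMPLE_LOCAL):
        print(f"{fname}: {entry!r}: {why}")
```

Every finding is an entry that lets an unauthenticated remote client through on something it controls (the envelope sender, or membership of a broad address range); the fix is to remove the entry and rely on SMTP AUTH, which the server already advertises.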
 