Spam being sent, cannot pin down source

rowan (Verified User, joined Sep 26, 2015, 12 messages)
I've been searching for a few days now for the source of the spammer behind the lines added below. I've searched the forums and tried several options: so far I disabled popb4smtp, dug through the phpmail logs and tried to pinpoint the source of the emails, and somehow they are not local but sent from hundreds of different IP addresses, with no authentication (how? there is no open relay).

Please help, I'm no Exim hero.

Code:
2015-09-26 12:38:26 1Zfms6-0005lm-0C <= [email protected] H=([27.74.208.95]) [27.74.208.95] P=esmtp S=1426 id=BB1F35D3D591F93397BD5B5D1971BB1F@GV7K97F T="Hallo, mijn lieve." from <[email protected]> for [email protected]
2015-09-26 12:38:26 1Zfms6-0005lm-0C => info <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=1545
2015-09-26 12:38:26 1Zfms6-0005lm-0C Completed
2015-09-26 12:38:35 1ZfmsF-0005ly-1E <= [email protected] H=(78.189.59.179.static.ttnet.com.tr) [78.189.59.179] P=esmtp S=1451 id=B2082758BA9D77C57F502FCDEA00B208@8OV192C3XI T="Hallo!" from <[email protected]> for [email protected]
2015-09-26 12:38:35 1ZfmsF-0005ly-1E => info <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=1572
2015-09-26 12:38:35 1ZfmsF-0005ly-1E Completed
2015-09-26 12:38:38 1ZfmsI-0005m3-CM <= [email protected] H=(78.189.59.179.static.ttnet.com.tr) [78.189.59.179] P=esmtp S=1456 id=9622C6FB54721F69DD3904AB8DE09622@72O959QSQYW T="Hoi!" from <[email protected]> for [email protected]
2015-09-26 12:38:38 1ZfmsI-0005m3-CM => info <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=1575
2015-09-26 12:38:38 1ZfmsI-0005m3-CM Completed
2015-09-26 12:49:49 1Zfn37-0005pr-0B <= [email protected] H=([118.70.49.109]) [118.70.49.109] P=esmtp S=1404 id=581CF5C812B1212F6B82BF65C656581C@UO3L3X66 T="Hoi!" from <[email protected]> for [email protected]
2015-09-26 12:49:49 1Zfn37-0005pr-0B => info <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=1523
2015-09-26 12:49:49 1Zfn37-0005pr-0B Completed
 
Hello,

You'd better use exigrep to group lines related to one email together, e.g.:

Code:
exigrep 1ZfmsF-0005ly-1E /var/log/exim/mainlog

This way it would be easier to read the logs.

From what I've seen it seems somebody is spamming your server through sockets. So they open a direct connection to your server the same as with telnet:

Code:
220 btstudios.nl ESMTP Exim 4.76 Sun, 27 Sep 2015 22:49:51 +0200
HELO p****.com
250 btstudios.nl Hello p****.com [109.**.**.**]
MAIL FROM: [email protected]
250 OK
RCPT TO: [email protected]
550 authentication required
RCPT TO: [email protected]
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
.
250 OK id=1ZgIv7-0005Ww-8P
QUIT
221 btstudios.nl closing connection

I've checked with telnet to port 25 of your server. directadmin.com and some other servers are weak in the same way. It seems the current config allows anybody to spam your mailboxes from a direct connection to the SMTP port.


PS: at least update exim.conf and exim.pl to have verify sender enabled.
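As an added example (not code from the thread or from DirectAdmin), the exigrep-style grouping and the diagnosis above done in Python over Exim mainlog lines: it flags arrivals that claim a local envelope sender but came in over plain SMTP with no A= (authentication) tag from a host outside the server's own network. The log lines, domains, IPs and the trusted network are constructed placeholders modelled on the lines rowan posted.

```python
import re
from collections import Counter, defaultdict
# Constructed sample modelled on the thread's mainlog lines: example.com is the
# server's own domain, 192.0.2.0/24 its own network, the other IPs are strangers.
SAMPLE_LOG = """\
2015-09-26 12:38:26 1Zfms6-0005lm-0C <= info@example.com H=([203.0.113.95]) [203.0.113.95] P=esmtp S=1426 T="Hallo, mijn lieve." for info@example.com
2015-09-26 12:38:26 1Zfms6-0005lm-0C => info <info@example.com> F=<info@example.com> R=virtual_user T=virtual_localdelivery S=1545
2015-09-26 12:38:35 1ZfmsF-0005ly-1E <= info@example.com H=(static.isp.example) [203.0.113.95] P=esmtp S=1451 T="Hallo!" for info@example.com
2015-09-26 12:40:01 1ZfmtX-0005mm-1A <= info@example.com H=(laptop) [198.51.100.20] P=esmtpsa A=login:info@example.com S=2210 T="Quarterly report" for client@example.org
2015-09-26 12:41:12 1ZfmuZ-0005nn-2B <= news@example.org H=(mx.example.org) [203.0.113.7] P=esmtps S=3120 T="Newsletter" for info@example.com
2015-09-26 12:42:40 1ZfmwB-0005oo-3C <= info@example.com H=(webmail) [192.0.2.10] P=esmtp S=900 T="Internal note" for sales@example.com
"""
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = ("192.0.2.",)   # plays the role of Exim's relay_from_hosts (constructed)
MSG_ID = re.compile(r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}")
ARRIVAL = re.compile(  # the "<=" line: id, envelope sender, H=helo [ip], P=, optional A=, T=subject
    r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) H=(?P<host>.*?) \[(?P<ip>[^\]]+)\] P=(?P<proto>\S+)"
    r"(?: A=(?P<auth>\S+))?.*? T=\"(?P<subject>[^\"]*)\".*? for (?P<rcpts>.+)$")

def group_by_message_id(log_text):
    # exigrep-style: every line carrying the same Exim message id ends up together
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) > 2 and MSG_ID.fullmatch(parts[2]):
            groups[parts[2]].append(line)
    return groups

def classify(arrival):
    domain = arrival["sender"].rpartition("@")[2].lower()
    if domain not in LOCAL_DOMAINS:
        return "external-sender"      # inbound mail: SPF/RBL territory, not spoofing of us
    if arrival["auth"]:
        return "authenticated"        # SMTP AUTH succeeded, Exim logged an A= tag
    if arrival["ip"].startswith(TRUSTED_NETS):
        return "trusted-host"         # our own webmail/application servers
    return "spoofed-local-sender"     # local From, no AUTH, unknown host: the thread's case

def find_spoofed(log_text):
    # [(message id, ip, subject)] for arrivals claiming a local sender without AUTH
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m and classify(m.groupdict()) == "spoofed-local-sender":
            hits.append((m["id"], m["ip"], m["subject"]))
    return hits

def top_sources(hits):
    # offending IPs by volume; the thread reports hundreds of distinct ones
    return Counter(ip for _, ip, _ in hits).most_common()
```

Legitimate mail from your own users normally carries an A= tag or comes from a host you list as trusted, so anything left in the spoofed bucket is what a direct port-25 connection claiming your domain looks like in the log.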
 
Thank you very much for your response, I didn't have a clue that that was possible. It was a basic setup from the ISP I'm renting it from. I will inform them of it.

However, it seems the spamming continues, and strangely it is not authorised...

PS: my apologies for the re-post, the captcha is tough for us foreigners. I thought something went wrong when it wasn't showing up.
 
zEitEr,

Thanks, your fix was the base of the issue. It seemed that the user was still there in (I thought it wasn't authenticated):
/etc/virtual/pophosts_user
/etc/virtual/pophosts

And I blocked one IP where I think the spam came from. It has been silent for 2.5 hrs now.
 
But I believe the most standard DA installation does not give you an open relay Exim? Or now that I think about it, maybe it depends on whether you let CB install Exim (I always select yes).

Hello Arieh,

Sure, it's not an open relay. I wrote John about it, he says there is nothing wrong here. A way for improvement, as far as I see it, is to force using only encrypted connections (TLS/SSL) for SMTP and disable plain unencrypted connections.


zEitEr,

Thanks, your fix was the base of the issue. It seemed that the user was still there in (I thought it wasn't authenticated):
And I blocked one IP where I think the spam came from. It has been silent for 2.5 hrs now.

Hello rowan,

I'm glad to have been of service to you.
 
Hello Arieh,

Sure, it's not an open relay. I wrote John about it, he says there is nothing wrong here. A way for improvement, as far as I see it, is to force using only encrypted connections (TLS/SSL) for SMTP and disable plain unencrypted connections.

I'm a bit confused though, it seems you are saying that you can send mail unauthenticated? Or are you saying that it's easier to send spam once you have credentials, as you can send an e-mail in plain text which doesn't require any encryption libraries?
 
Arieh,

OK, let me try to explain. Probably I'm not clear because of the fact that I'm too confused about it.

Haven't you ever seen SPAM to your box [email protected] sent from [email protected]? I've seen such SPAM in my inbox.

What I want to say is the following.

1. I connected to 5 DA servers with telnet without authentication.
2. And sent an email from anything@domain.com to [email protected].

Of course instead of domain.com I used a domain which was hosted on such a server.
And instead of [email protected] I used an existing email which was hosted on the domain.
And exim accepted those emails for delivery. This way anybody can connect to 25 port and send SPAM email where FROM: and TO: emails will be the same, hosted on your server if you use the same settings as I've got:

Exim: 4.86
exim.conf update: yes, release 4.3
BlockCracking: no
Easy Spam Fighter: no
SpamAssassin: 3.4.1

We could think that SPF check of Easy Spam Fighter would stop such an email. I did test it, and it did not stop it:

SPFCheck: Soft Fail, 30 Spam score
SpamTally: Final spam score: 30

tested with:

Exim: 4.86
exim.conf update: yes, release 4.3
BlockCracking: no
Easy Spam Fighter: yes
SpamAssassin: no

With both SpamAssassin and Easy Spam Fighter enabled I've ended up with:

550-Your message was classified as SPAM. Please add more content, cut down on
550-HTML links, use fewer naughty words etc. Also, ask your IT dept to make
550-sure your mailserver has REVERSEDNS, SPF and is not on any black lists.
550 Your score: 107

with settings:

Exim: 4.86
exim.conf update: yes, release 4.3
BlockCracking: no
Easy Spam Fighter: yes
SpamAssassin: 3.4.1

Thus servers without ESF and SpamAssassin would be at a higher risk of getting much SPAM.

Then I tried to do the same with a public mail service (one of those giants which offers free mail boxes), and I found out they do not allow unencrypted connections at all:

Code:
MAIL FROM: [email protected]
250 2.0.0 OK
RCPT TO: [email protected]
550 SMTP is available only with SSL or TLS connection enabled

That's why I wrote that a way for improvement, as far as I see it, is to force using only encrypted connections (TLS/SSL) for SMTP and disable plain unencrypted connections. You are still quite safe with default settings if you use SA+ESF+RBL.

You can try it yourself.
 
I tried it and it works indeed. I have been at it for a good period of time until I realized that this is just how e-mail works. If you send a legitimate e-mail, the SMTP server will do the same commands as you do through telnet. What I've found out is that if you have 'require verify = sender' enabled, you need to put a From: address that has a working SMTP server, otherwise you can enter any syntactically valid address in there. I'm guessing spammers simply use your own domain, as then you are sure you pass the verify sender part. When I entered a gmail.com From address, domain_filter blocked it.

I've tried the plain mail also on gmail.com, it accepts it (you need to put <> around the addresses), but finally the SMTP server rejects it because it's not RFC 2822 compliant. Also tried Hotmail, it got delivered into the spam folder. I've tried my server's own e-mail because I don't want to tamper with public SMTPs too much. But those two do allow plain text. I recently mentioned in another thread that requiring TLS for SMTPs is not recommended, as the RFC still states that you simply shouldn't require it. May I ask which SMTP server you tried that does require it?

Anyway I get your point that it's very easy to get a mail delivered through your default DA box, without any RFC checks or spam checks, holding it back, but at the end that's just your personal spam handling preferences I guess.
 
Yes, telnet commands are just the same as what an SMTP server usually does and this is really how e-mail works. I've tested @mail.ru.
 
I checked some things with mail.ru. If you connect to smtp.mail.ru, which is the SMTP server for customers/users, then TLS is required, which is also allowed by the RFC standard. However, if you connect to the public address mxs.mail.ru (it's the MX record of mail.ru), you can send a mail unencrypted.
 
I've tried the plain mail also on gmail.com, it accepts it (you need to put <> around the addresses), but finally the smtp rejects it because its not RFC 2822 compliant.
There is a way past this: just send your telnet mail like MTAs do, by satisfying the RFC's requirements and adding a From address before the subject line, so Google (and probably Hotmail too) will also accept your telnet mail. At least Gmail will, I just tested it.
It arrived in my Gmail spam folder though, probably because I used a fake HELO and a spoofed email address to test; the spoofed address has a working SPF record.

However, it makes life more difficult for spammers.
On the other hand... my spam folder also contains legitimate mail which I had already been receiving for many days (a daily report), which was suddenly gone. No idea why that has been going into my spam folder for some time.
 