[Issue] Server accept email without SMTP Auth

tim874536

Verified User
Joined
Nov 24, 2006
Messages
65
Hi all,

These past few months, a lot of clients have reported receiving many scam emails saying their email account has been hacked and asking for a Bitcoin payment.
Those email headers say the message was sent from the client's own email address (e.g. info@company.com) and sent to the client's email address as well.
It is strange that the email server does not block this kind of fake sender email.

We also tested all of our servers using the following commands; the email got through and was delivered to the user account.

Is there any setting that can fix this issue? (Anyone from anywhere can send spam email to any customer's mailbox.)

Code:
telnet mail.company.com 25

   Trying mail.company.com...
   Connected to mail.company.com.
   Escape character is '^]'.
   220 mail.company.com ESMTP Exim 4.92 Tue, 23 Apr 2019 23:54:02 +0800

ehlo mail.company.com

   250-mail.company.com Hello
   250-SIZE 52428800
   250-8BITMIME
   250-PIPELINING
   250-AUTH PLAIN LOGIN
   250-STARTTLS
   250 HELP

mail from: <test@company.com>
   250 OK

rcpt to: <test@company.com>
   250 Accepted

DATA
   354 Enter message, ending with "." on a line by itself

From: <test@company.com>
To: <test@company.com>
Date: 23 Apr 2019 23:35:50 +0800
Subject: Security Alert. Your accounts was compromised. You need change password!
MIME-Version: 1.0
Content-Type: text/plain;
        charset="cp-850"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912

Hello!

I hacked your device, because I sent you this message from your account.
If you have already changed your password, my malware will be intercepts it every time.

You may not know me, and you are most likely wondering why you are receiving this email, right?
In fact, I posted a malicious program on adults (pornography) of some websites, and you know that you visited these websites to enjoy
(you know what I mean).

.

   250 OK id=1hIxkU-003su7-M2

quit

These are our server versions.
Code:
Installed version of DirectAdmin: 1.55.0
Installed version of dovecot: 2.3.3
Installed version of dovecot.conf: 0.3
Installed version of Exim: 4.92
Installed version of exim.conf: 4.5.12
Installed version of BlockCracking: 1.10
Installed version of Easy Spam Fighter: 1.24
Installed version of SpamAssassin: 3.4.2
Installed version of ClamAV: 0.100.2
Installed version of PHP 5.3: 5.3.29
Installed version of RoundCube webmail: 1.0.3

Thank you very much.
 

tim874536

Deleted due to duplicated content.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Hello,

I have seen many such emails too. The email's sender and recipient addresses match, and Directadmin allows such incoming emails. This behavior of exim+exim.conf has been discussed here many times.

Potentially, strict rules for SPF (with hardfail -all) and ESF should help.

Example of another thread with the same reported issue: https://forum.directadmin.com/showthread.php?t=52044
 

tim874536
Hello,

Would you please share more about strict rules for SPF (with hardfail -all) and ESF?
We did install the latest exim_conf, SpamAssassin and ESF.

From my understanding, the SMTP server should prevent spam email which pretends to be someone (e.g. test@company.com) who is actually a valid virtual user of the local server.
If email is sent from test@company.com, the server should ask for SMTP Auth. I remember that this worked fine before, when I learnt telnet SMTP troubleshooting some years ago.
 

tim874536
In addition, these past few months the spam has started using hacked email servers and domain names. The email comes from a valid SPF server IP, so increasing the SPF_SOFTFAIL score of spamd on our server does not help.
And they use an image in the message body, which bypasses spamd text checking as well.

Image attached => 1.png
 

zEitEr
SPF: change ~all to -all for your domains: https://help.directadmin.com/item.php?id=592

The SMTP server does not know anything about whether someone is pretending to be a legitimate user or is a real legitimate user. Port 25 is open for any incoming emails, even without authorization. The only mechanism possible here is to check SPF.
 

tim874536
I used the same method to test my @gmail.com account.
Gmail accepted my telnet email. However, is it really normal that an SMTP server asks for SMTP auth only for external email addresses, while accepting mail from and to the local virtual user's email address?

This is strange.
 

zEitEr
SMTP is designed to accept incoming emails for local virtual users. And it does not really matter which email address they specify in "From"; that can even be Bill Gates' email address.

In the same way they can specify any email/domain from your server, your company's email as well.

That's why SPF was introduced.
 

tim874536
it does not really matter which email address they specify in "From"; that can even be Bill Gates' email address.
I understand the "From:" can be anything. However, I think the SMTP server should check and ask for SMTP auth after the "Mail from: <xxx@xxx.com>" command.

That's why SPF was introduced.
I understand that SPF may help.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,541
Location
Maastricht
A lot of MTAs do not use and/or check SPF, so it's only a partial solution. At least your own customers can benefit from it. Even the biggest ISP in the Netherlands does not use it. Or at least I can spoof mails from bill.gates@microsoft.com to others, looking as if they were original. Or Microsoft does not use SPF, also possible. ;)
They do, however, block SMTP mail not coming from their own domain.
Anyway, I came across enough sites and organisations which do not do an SPF check on incoming mail.

Note that there are customers getting and sending their mail via another system, for example Gmail. In some of those cases you need to include those in the corresponding SPF line.

But I agree with Tim that the MTA should do a check for authentication on SMTP, if possible. This would probably also be beneficial for ISPs not using SPF.
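To make the SPF advice in this thread concrete (zEitEr's "change ~all to -all", and Richard G's note that mail routed through an ISP or Gmail relay must be included in the record), here is an added example that is not from the thread, DirectAdmin or Exim: a small SPF evaluator run offline against constructed TXT records. It handles only the ip4/ip6/include/all mechanisms (a/mx/ptr return permerror), and the domains and IPs are made up.

```python
import ipaddress

# Constructed in-memory "DNS" zone (assumption for an offline run, not real records).
SPF_RECORDS = {
    # Relaxed policy: an unlisted sender only softfails, which many receivers score lightly.
    "soft.example":   "v=spf1 ip4:203.0.113.10 include:_spf.isp.example ~all",
    # Strict policy as recommended in the thread: an unlisted sender hardfails.
    "strict.example": "v=spf1 ip4:203.0.113.10 include:_spf.isp.example -all",
    # The ISP relay a customer may send through (Richard G's case); included above.
    "_spf.isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the SPF record of sender_domain for the connecting client_ip.

    Returns pass / fail / softfail / neutral / none / permerror. Teaching subset of
    RFC 7208: only ip4, ip6, include and all are implemented; a, mx, ptr, exists
    and redirect yield permerror instead of doing DNS lookups.
    """
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no policy published: receiver cannot judge
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to "pass" when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier] # catch-all decides the unlisted-sender case
        if name in ("ip4", "ip6"):
            # ip_network.__contains__ is False across IPv4/IPv6, so mixed terms are safe
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record passes for this IP
            if check_spf(arg, client_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"                     # record ran out of mechanisms without an "all"

if __name__ == "__main__":
    for domain in ("soft.example", "strict.example"):
        # 192.0.2.77 stands in for the unknown host behind the telnet test above
        print(domain, "spoofed:", check_spf(domain, "192.0.2.77"),
              "via ISP relay:", check_spf(domain, "198.51.100.5"))
```

Only the strict record turns the spoofed-telnet case into a hard fail, while the customer sending through the included ISP relay still passes under both records.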
 

zEitEr
My very first concern on the matter happened in 2015, if the Directadmin ticket system is to be believed. The forums might have older threads. Nothing has changed since then to address the issue. More to the point, I don't need it myself, I don't recall my clients ever asking for a solution for this "issue", and I don't have a solution ready in my notes. If anybody has one, please share it.

If you think Exim should fix it, then feel free and send a feature request to Exim's developers.

If you think Directadmin developers should fix it, then feel free and report it to John via tickets.
 

tim874536
I tested some systems, including Gmail personal (xx@gmail.com), Gmail business (yy@business.com) and Proxmox Mail Gateway (test@testDomain.com).
All of them accept email where the "mail from:", "RCPT to:", "From:" and "To:" are set to a valid email address.

It seems that this is allowed by the email standard. But for me and my clients, it is an abnormal situation that an email server accepts spam email pretending to be a local virtual user without asking for SMTP Auth.
 

zEitEr
You can always make Directadmin/CustomBuild skip updates for exim.conf and customize the Exim configuration to your needs.
 

Richard G
All of them accept email where the "mail from:", "RCPT to:", "From:" and "To:" are set to a valid email address.
If that is the case, then we don't need to worry about it, imho.

it is an abnormal situation that an email server accepts spam email pretending to be a local virtual user without asking for SMTP Auth.
This is also the default situation, as the email client could also send mail as himself to himself via another provider.
For example, you can set up your mail so that you connect to the hosting server where your domain resides, and then you need SMTP auth.
But you can also send mail (at least I can, and lots of people can) using your domain email via the SMTP server of your ISP, for which you then only have to authenticate with your ISP, and then the mail is sent to the server your domain resides on.
In that case exactly what you describe will happen. A mail from your customer to your customer comes in without SMTP authentication on your server. Which is logical, because that is incoming mail and not SMTP (outgoing mail).

So that's why SPF can fix these things for you, and this way you can prevent your server from accepting those kinds of mails.

I see now that I got confused before and mixed it up with SMTP traffic, so via the server.
But this is indeed something DA should not need to fix. Exim maybe could, but I guess it's almost undoable to build in these kinds of checks without breaking things or messing things up. It's not important enough for all that fuss.
Next to that, this kind of spam is generally very little used and easy to prevent by changing SPF preferences.
 