Richard G
Verified User
Yesterday we had an account which was sending spam, so we changed the password. The account belongs to a friend of mine; he was not spamming himself. The spam was sent from Ukraine and Vietnam.
After changing his password twice, we suspended the account.
Later in the evening spam was sent again, in spite of the fact that the account was suspended!
So I unsuspended the account, changed the password again and suspended the account again. This made things quiet (except for the returning mail), until today.
Today it started again.
Now I checked one of the spam headers and it's like this:
Code:
1ZV06g-0003Gy-R8-H
mail 8 12
<[email protected]>
1440693174 0
-helo_name [127.0.0.1]
-host_address 95.78.231.79.62386
-host_auth plain
-interface_address 144.76.xxx.xx
-received_protocol esmtpa
-body_linecount 39
-max_received_linelength 77
-auth_id robert
-deliver_firsttime
-host_lookup_failed
XX
8
[email protected]
[email protected]
[email protected]
We've got 2 account names. Account name testuser, which has the email address [email protected], from which the spam is sent.
This account is suspended.
And we have the account name robert, which is an admin account, is not suspended, but has nothing to do with the testuser.nl domain.
Now I'm wondering. As you can see, 127.0.0.1 is used. As auth_id, robert is used. However... what is that robert? Is that the robert of [email protected] (with account name testuser), or is this coming from the account with the account name robert?
If it's coming from the account with the name robert, how is it possible that he is sending mail via localhost from [email protected]?
I also checked /var/log/html/roundcube/logs/sendmail, but the last log entry in there is from 8/24, so a couple of days ago.
This is a log quote from CSF/LFD:
2015-08-27 18:34:13 1ZV07w-0003Gy-8u <= [email protected] H=([127.0.0.1]) [95.78.231.79] P=esmtpa A=plain:robert S=2371 [email protected] T="Promising love drugs repairing men’s wish to\n become tireless" from <[email protected]> for ... and then the addressees.
How is this possible and, even better... how can this be fixed?
Just to be sure, I now also changed the password of account name wilco, but I have doubts whether that will help.
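The fields in the quoted Exim log line carry the answer the post is asking for: `A=plain:robert` records the SMTP AUTH login the client used for the session (authenticator `plain`, authenticated id `robert`), which Exim tracks independently of the envelope sender and of which hosting account owns the sender's domain; `H=([127.0.0.1]) [95.78.231.79]` records the HELO string the client announced (here a bogus "localhost") followed by the real peer address. Suspending the account that owns the sender domain therefore does nothing against a stolen credential for a different login. The script below is an added example, not code from the post or from cPanel/Exim/CSF: it parses `<=` (message accepted) lines from an Exim mainlog, flags submissions where the authenticated login does not own the sender domain or where the HELO claims localhost from a remote IP, and names the credential that actually needs resetting. The sample log lines, the `ACCOUNT_DOMAINS` ownership map and the `SUSPENDED_ACCOUNTS` set are constructed assumptions, modelled on the single line quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines in Exim mainlog "<=" (message accepted) format,
# modelled on the one line quoted in the post. All addresses/domains invented.
SAMPLE_LOG = """\
2015-08-27 18:34:13 1ZV07w-0003Gy-8u <= news@testuser.nl H=([127.0.0.1]) [95.78.231.79] P=esmtpa A=plain:robert S=2371 T="Promising love drugs" from <news@testuser.nl> for a@example.com b@example.com
2015-08-27 18:40:02 1ZV0DY-0003H1-Qz <= robert@admin-domain.nl H=(mail.admin-domain.nl) [203.0.113.5] P=esmtpsa A=login:robert S=1200 T="Invoice" from <robert@admin-domain.nl> for c@example.com
2015-08-27 18:41:55 1ZV0FL-0003H4-2x <= bounce@testuser.nl H=localhost (localhost.localdomain) [127.0.0.1] P=esmtp S=800 T="Re: hi" from <bounce@testuser.nl> for d@example.com
"""

# Assumed (hypothetical) server state: which login may submit mail for which
# domains, and which accounts the admin has suspended. Not taken from the post.
ACCOUNT_DOMAINS = {"testuser": {"testuser.nl"}, "robert": {"admin-domain.nl"}}
SUSPENDED_ACCOUNTS = {"testuser"}

# Exim "<=" line: timestamp, message id, sender, optional H=<helo> [<ip>],
# P=<protocol>, optional A=<authenticator>:<auth_id>. Other fields are ignored.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+)"
    r"(?: H=(?P<helo>.*?) \[(?P<ip>[^\]]+)\])?"
    r" P=(?P<proto>\S+)"
    r"(?: A=(?P<authenticator>[^:\s]+):(?P<auth_id>\S+))?"
)


@dataclass
class Finding:
    msgid: str
    sender: str
    auth_id: Optional[str]
    reasons: List[str] = field(default_factory=list)
    credential_to_reset: Optional[str] = None


def _looks_like_localhost(helo: str) -> bool:
    h = helo.lower()
    return "127.0.0.1" in h or "localhost" in h or "::1" in h


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding if this accepted-message line looks like credential abuse."""
    m = ACCEPT_RE.match(line)
    if not m:
        return None
    helo, ip, auth_id = m["helo"], m["ip"], m["auth_id"]
    f = Finding(m["msgid"], m["sender"], auth_id)
    sender_domain = m["sender"].rpartition("@")[2].lower()

    # A client that announces itself as localhost but connects from a remote
    # address is lying in HELO; a genuine local submission has a loopback peer.
    if helo is not None and ip is not None and _looks_like_localhost(helo):
        if not ipaddress.ip_address(ip).is_loopback:
            f.reasons.append(f"HELO claims localhost but peer is {ip}")

    if auth_id is not None:
        # The authenticated login is the credential that was actually used;
        # compare it against who owns the envelope sender's domain.
        if sender_domain not in ACCOUNT_DOMAINS.get(auth_id, set()):
            f.reasons.append(
                f"authenticated as {auth_id!r} but envelope sender is in {sender_domain}"
            )
        owner = next(
            (acct for acct, doms in ACCOUNT_DOMAINS.items() if sender_domain in doms),
            None,
        )
        if owner in SUSPENDED_ACCOUNTS and owner != auth_id:
            f.reasons.append(
                f"sender domain belongs to suspended account {owner!r}; "
                f"suspension does not block login {auth_id!r}"
            )
        if f.reasons:
            f.credential_to_reset = auth_id

    return f if f.reasons else None


def suspicious_submissions(log_text: str) -> List[Finding]:
    """Scan a chunk of Exim mainlog text and collect suspicious submissions."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in suspicious_submissions(SAMPLE_LOG):
        print(finding.msgid, finding.sender, "->", "; ".join(finding.reasons))
        print("  reset credential:", finding.credential_to_reset)
```

Run against the constructed sample, only the first line is flagged, and the credential it points at is `robert`, the login in `A=plain:robert`, not the suspended `testuser` account that owns the sender domain. On a real cPanel box the equivalent is `grep 'A=plain:' /var/log/exim_mainlog` followed by resetting the password of every login that appears with a foreign sender domain or a remote peer behind a localhost HELO.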