
On the hunt - My ASL'd server used to send out spam

Posted: Fri Oct 15, 2010 1:09 pm
by premierhosting
Hello,

My ASL secured server is being used to send out spam. I've caught it a couple times and am learning how to hunt. I'd appreciate any suggestions on good practices to lock down a server so it can't effectively be used as a relay.

Good info here: http://gnufreakz.wordpress.com/2010/02/ ... -in-qmail/

Here's one I tracked:
Received: (qmail 26429 invoked from network); 9 Oct 2010 04:15:39 -0400
Received: from localhost (127.0.0.1)
by localhost with SMTP; 9 Oct 2010 04:15:39 -0400
Received: from 82.128.62.45 ([82.128.62.45]) by webmail.editeddomainname.com
(Horde Framework) with HTTP; Sat, 09 Oct 2010 04:15:37 -0400

Ah ha, someone was using a crappy password on webmail. I turned off webmail for that domain.

Next:
Received: (qmail 24463 invoked from network); 15 Oct 2010 02:07:56 -0400
Received: from unknown (HELO User) (82.128.84.58) by myservers.editedreverselookup.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 15

This one is a little harder for me to decipher. Any ideas? Who is "User" to HELO? Invoked from "network"? Ideas on how to find this one?

I'm not sure if it's the right thing to do, but I went into my ASL interface today and blacklisted 82.128.0.0/16. Will that prevent any connections from them? I also geoblocked Nigeria.

I've been googling, searching the ASL docs, etc. Does anyone have a good comprehensive "lock down your email but still allow your users access" tut?

Thanks!

Re: On the hunt - My ASL'd server used to send out spam

Posted: Fri Oct 15, 2010 6:27 pm
by mikeshinn
So bad passwords are one good thing to squash (ASL will report weak passwords, and if ASL reports them as weak they are WEAK, change them fast) - so just to understand, is the spam going through your MTA to the outside world? (You're the source of the spam, not the recipient)

If so, and if it's going through your MTA - do you have SpamAssassin scanning all outgoing mail?

Also, have you enabled dazuko in ASL? It can detect spamming tools and will prevent them from running.

Just a few thoughts off the top of my head.

Re: On the hunt - My ASL'd server used to send out spam

Posted: Sat Oct 16, 2010 4:37 am
by BruceLee
To investigate who or what might be sending, you could try to create a sendmail wrapper with this content:

Code:

#!/bin/sh
# Log who called sendmail (time, user, working directory) to /tmp/mail.send.
# $(id -un) is used rather than $USER, which is often unset for daemon-spawned processes.
TODAY=$(date -Iseconds)
echo "$TODAY sendmail-wrapper called $(id -un) from $PWD" >>/tmp/mail.send
# dirname drops the last path component so the header gives away no script details,
# then the original message is passed through to the real sendmail with all arguments.
(echo "X-Additional-Header: $(dirname "$PWD")"; cat) | /usr/lib/sendmail-real "$@"

This will write an extra header in the mail and a logfile in /tmp/mail.send. "dirname" is used to ensure no confidential information is put in.

After that hook the wrapper in the mail routine:

Code:

chmod +x sendmail-wrapper
mv /usr/lib/sendmail /usr/lib/sendmail-real
mv sendmail-wrapper /usr/lib/sendmail

Hope this helps

EDIT: just found a similar tut from parallels: http://kb.parallels.com/article_22_1711_en.html

Re: On the hunt - My ASL'd server used to send out spam

Posted: Sat Oct 16, 2010 9:03 am
by scott
If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.

Re: On the hunt - My ASL'd server used to send out spam

Posted: Sat Oct 16, 2010 12:26 pm
by premierhosting
Thanks guys. I've been using the ASL php mail logger for a while now, this isn't coming through PHP. I just added the sendmail wrapper. Looks like this system is symlinking /usr/sbin/sendmail over to /etc/alternatives/mta. /usr/lib/sendmail also symlinked to there so I did a little extra linking to make sure all sendmail calls are logged.

We'll see if this helps.

Re: On the hunt - My ASL'd server used to send out spam

Posted: Sat Oct 16, 2010 1:38 pm
by faris
Scott -- I think ASL should include a script to enable and disable a wrapper like this. Kind of like a security blanket - "I know it is there if I need it, and I know the script is being updated regularly, so it will always be ready when the time comes" sort of thing.

It would take 5 minutes and add another tick box to the feature list :-)

Faris.

Re: On the hunt - My ASL'd server used to send out spam

Posted: Tue Oct 26, 2010 1:16 pm
by dkopecek
I used the method above, found at http://kb.parallels.com/article_22_1711_en.html

It looks like /var/tmp/mail.send is logging messages sent through Horde but not through other PHP sources, specifically several Drupal installs. Any ideas why this might be?

Re: On the hunt - My ASL'd server used to send out spam

Posted: Tue Oct 26, 2010 1:20 pm
by BruceLee
see above post:
If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.

Re: On the hunt - My ASL'd server used to send out spam

Posted: Tue Oct 26, 2010 2:58 pm
by dkopecek
>> If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.

How can I do this? Is there a global solution in php.ini? I can't really hack into individual clients' code.

Also - wondering why the sendmail wrapper solution logs Horde but not other PHP. Running Plesk v8.4.0.

Thanks

Re: On the hunt - My ASL'd server used to send out spam

Posted: Tue Oct 26, 2010 3:54 pm
by scott
The same mail header / logging capability in php 5.3 was backported into 5.2.x
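Tying together the two Received: traces from the first post and the tracing headers this thread adds (X-Additional-Header from the sendmail wrapper, and the X-PHP-Originating-Script header that PHP's mail.add_x_header=On writes), here is an added example, not code from the thread or from ASL, that triages one queued message: it finds the earliest hop from a routable address, tells Horde webmail submission ("with HTTP") from SMTP submission with its HELO name, and pulls out the two tracing headers. The sample messages are constructed from the thread's traces; the vhost path and the full date on the SMTP trace are made up.

```python
import email
import ipaddress
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\(HELO ([^)]*)\)")

# Constructed samples modelled on the two traces in the thread: one injected
# through Horde webmail (plus the header the sendmail wrapper adds), one by SMTP.
WEBMAIL_MSG = """Received: (qmail 26429 invoked from network); 9 Oct 2010 04:15:39 -0400
Received: from localhost (127.0.0.1)
  by localhost with SMTP; 9 Oct 2010 04:15:39 -0400
Received: from 82.128.62.45 ([82.128.62.45]) by webmail.editeddomainname.com
  (Horde Framework) with HTTP; Sat, 09 Oct 2010 04:15:37 -0400
X-Additional-Header: /var/www/vhosts/editeddomainname.com
"""
SMTP_MSG = """Received: (qmail 24463 invoked from network); 15 Oct 2010 02:07:56 -0400
Received: from unknown (HELO User) (82.128.84.58) by myservers.editedreverselookup.com
  with (DHE-RSA-AES256-SHA encrypted) SMTP; 15 Oct 2010 02:07:55 -0400
"""


def external_ip(text):
    """First routable address in a Received: line; loopback/private hops are our own box."""
    for candidate in IP_RE.findall(text):
        try:
            if ipaddress.ip_address(candidate).is_global:
                return candidate
        except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
            pass
    return None


def triage(raw_message):
    """Report the earliest external hop, how it got in, and any tracing headers."""
    msg = email.message_from_string(raw_message)
    result = {"origin_ip": None, "route": "local", "helo": None,
              "wrapper_dir": msg.get("X-Additional-Header"),        # sendmail wrapper
              "php_script": msg.get("X-PHP-Originating-Script")}   # PHP mail.add_x_header
    # Received: headers are prepended, so the last one is the earliest hop.
    for received in reversed(msg.get_all("Received", [])):
        line = " ".join(received.split())
        ip = external_ip(line)
        if ip is None:
            continue
        helo = HELO_RE.search(line)
        result.update(origin_ip=ip, helo=helo.group(1) if helo else None,
                      route="webmail" if "with HTTP" in line else "smtp")
        break
    return result
```

Run triage() over each file in the queue (qmHandle can list them) and group by origin_ip and route: a "webmail" hit points at a compromised mailbox password, a "local" hit with a php_script or wrapper_dir points at a script on the box.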

Re: On the hunt - My ASL'd server used to send out spam

Posted: Tue Oct 26, 2010 4:24 pm
by mikeshinn
If you are using our PHP RPMs.

Re: On the hunt - My ASL'd server used to send out spam

Posted: Mon Nov 15, 2010 1:07 pm
by premierhosting
By wrapping sendmail I was able to track it to one particular domain on the system. At first they were using Horde, so I shut off webmail to that domain. Then they were using the same account, but by SMTP. For that I reset the password to something stronger and the problem stopped.

Prior to all of this I locked down all the email passwords that ASL said were weak. The password in question was pretty crappy, but it didn't trip that switch. Perhaps a more thorough weakness test would help.

How do you make SpamAssassin scan outgoing email?

mikeshinn, yes, we were the "source". I found it in our mail queue. qmHandle makes monitoring much easier.
I'm looking into dazuko, I'm not sure off the top of my head on that one. I'm reading about it and am not sure how this helps spam.

Re: On the hunt - My ASL'd server used to send out spam

Posted: Mon Nov 15, 2010 1:12 pm
by scott
Sure, what was the password that account was using?

Re: On the hunt - My ASL'd server used to send out spam

Posted: Mon Nov 15, 2010 5:02 pm
by premierhosting
I didn't save it. Shoot. From memory, it may have been the same as the username or same as domain name or something like that.

Re: On the hunt - My ASL'd server used to send out spam

Posted: Mon Nov 15, 2010 5:12 pm
by mikeshinn
>> mikeshinn, yes, we were the "source". I found it in our mail queue. qmHandle makes monitoring much easier.
Was the spam tool running on your box, or were they just relaying through you? If the former, any chance you have the spamming tools? We can check to see if there are sigs for them.