On the hunt - My ASL'd server used to send out spam

premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

On the hunt - My ASL'd server used to send out spam

Unread post by premierhosting »

Hello,

My ASL secured server is being used to send out spam. I've caught it a couple times and am learning how to hunt. I'd appreciate any suggestions on good practices to lock down a server so it can't effectively be used as a relay.

Good info here: http://gnufreakz.wordpress.com/2010/02/ ... -in-qmail/

Here's one I tracked:
Received: (qmail 26429 invoked from network); 9 Oct 2010 04:15:39 -0400
Received: from localhost (127.0.0.1)
by localhost with SMTP; 9 Oct 2010 04:15:39 -0400
Received: from 82.128.62.45 ([82.128.62.45]) by webmail.editeddomainname.com
(Horde Framework) with HTTP; Sat, 09 Oct 2010 04:15:37 -0400

Ah ha, someone was using a crappy password on webmail. I turned off webmail for that domain.

Next:
Received: (qmail 24463 invoked from network); 15 Oct 2010 02:07:56 -0400
Received: from unknown (HELO User) (82.128.84.58) by myservers.editedreverselookup.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 15

This one is a little harder for me to decipher. Any ideas? Who is "User" to HELO? Invoked from "network"? Ideas on how to find this one?

I'm not sure if it's the right thing to do, but I went into my ASL interface today and blacklisted 82.128.0.0/16. Will that prevent any connections from them? I also geoblocked Nigeria.

I've been googling, searching the ASL docs, etc. Does anyone have a good comprehensive "lock down your email but still allow your users access" tut?

Thanks!
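The two Received chains quoted above can be decoded mechanically, and doing so answers the questions in the post. The block below is an added example (my own Python, not code from this thread or from ASL); it runs on the headers exactly as quoted, including the second chain's cut-off timestamp. Read the chain bottom-up: the lowest Received line is the oldest hop, and the first hop whose peer is not 127.0.0.1 is where the message entered the server. In the first chain that hop is Horde, "with HTTP" from 82.128.62.45, and the loopback hop above it is Horde handing the message to qmail over SMTP on localhost, which is why qmail still stamps it "invoked from network" (qmail-smtpd took it over a TCP connection). In the second chain the message arrived directly from 82.128.84.58: "unknown" means the reverse lookup failed, and "HELO User" is the name the client announced in its HELO, a bare word rather than a hostname, which is typical of a desktop spam tool. A qmail stamp of "invoked by uid N" instead would mean local injection through sendmail/qmail-inject. Neither header shows whether the SMTP session authenticated; that is in the SMTP/AUTH log.

```python
import re

# Constructed sample input: the two Received chains quoted in the post above. The
# hostnames were already edited there; the second chain's date is cut off as on the page.
WEBMAIL_CASE = (
    "Received: (qmail 26429 invoked from network); 9 Oct 2010 04:15:39 -0400\n"
    "Received: from localhost (127.0.0.1)\n"
    "  by localhost with SMTP; 9 Oct 2010 04:15:39 -0400\n"
    "Received: from 82.128.62.45 ([82.128.62.45]) by webmail.editeddomainname.com\n"
    "  (Horde Framework) with HTTP; Sat, 09 Oct 2010 04:15:37 -0400\n"
)
SMTP_CASE = (
    "Received: (qmail 24463 invoked from network); 15 Oct 2010 02:07:56 -0400\n"
    "Received: from unknown (HELO User) (82.128.84.58) by myservers.editedreverselookup.com"
    " with (DHE-RSA-AES256-SHA encrypted) SMTP; 15\n"
)

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# qmail's own stamp: "invoked from network" = qmail-smtpd over TCP, "invoked by uid N" = local inject
QMAIL_RE = re.compile(r"^\(qmail\s+\d+\s+invoked\s+(from network|by uid \d+)\)", re.I)
# "from <name> [(HELO <helo>)] [(<ip>)]": qmail-smtpd records the HELO string separately,
# and the peer address may or may not be wrapped in square brackets.
FROM_RE = re.compile(
    r"^from\s+(?P<name>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"\s*(?:\(\[?(?P<ip>" + IPV4 + r")\]?\))?",
    re.I,
)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
# "with (DHE-RSA-AES256-SHA encrypted) SMTP" -> SMTP; "with HTTP" -> HTTP
WITH_RE = re.compile(r"\bwith\s+(?:\([^)]*\)\s+)?([A-Za-z]+)", re.I)


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return one dict per Received header, top of the message first (latest hop first)."""
    hops = []
    for line in unfold(raw):
        name, _, body = line.partition(":")
        if name.strip().lower() != "received":
            continue
        body = body.strip()
        hop = {"raw": body, "qmail": None, "from": None, "helo": None, "ip": None, "by": None, "with": None}
        q = QMAIL_RE.match(body)
        if q:                                   # qmail's bookkeeping line carries no peer info
            hop["qmail"] = q.group(1).lower()
            hops.append(hop)
            continue
        f = FROM_RE.match(body)
        if f:
            hop["from"], hop["helo"], hop["ip"] = f.group("name"), f.group("helo"), f.group("ip")
        b = BY_RE.search(body)
        w = WITH_RE.search(body)
        hop["by"] = b.group(1) if b else None
        hop["with"] = w.group(1).upper() if w else None
        hops.append(hop)
    return hops


def is_loopback(ip):
    return bool(ip) and ip.startswith("127.")


def origin(raw):
    """Find the earliest hop with a non-loopback peer: that is where the message entered."""
    hops = parse_received(raw)
    result = {"path": "unknown", "ip": None, "helo": None, "flags": []}
    if hops and hops[0]["qmail"] == "from network":
        result["flags"].append("accepted_by_qmail_smtpd")   # came in over TCP, possibly from 127.0.0.1
    elif hops and hops[0]["qmail"]:
        result["flags"].append("local_injection")           # qmail-inject / sendmail wrapper path
    for hop in reversed(hops):                 # the bottom Received line is the oldest hop
        if hop["ip"] and not is_loopback(hop["ip"]):
            result["ip"], result["helo"] = hop["ip"], hop["helo"]
            result["path"] = "webmail" if hop["with"] == "HTTP" else "smtp"
            if (hop["from"] or "").lower() == "unknown":
                result["flags"].append("no_reverse_dns")     # receiving MTA could not resolve the peer
            if hop["helo"] and "." not in hop["helo"]:
                result["flags"].append("helo_not_fqdn")      # "User" is not a hostname: bot/desktop tool
            break
    return result


if __name__ == "__main__":
    for label, case in (("webmail", WEBMAIL_CASE), ("smtp", SMTP_CASE)):
        print(label, origin(case))
```

Run it as-is to print both verdicts, or paste the full header block of a message pulled from the queue into origin() to classify a new one. Whatever it reports as the entry IP is the address to block or to look up in the auth log; everything above that hop is the server talking to itself.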
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: On the hunt - My ASL'd server used to send out spam

Unread post by mikeshinn »

So bad passwords are one good thing to squash (ASL will report weak passwords, and if ASL reports them as weak they are WEAK; change them fast). So just to understand: is the spam going through your MTA to the outside world? (You're the source of the spam, not the recipient.)

If so, and if it's going through your MTA, do you have SpamAssassin scanning all outgoing mail?

Also, have you enabled dazuko in ASL? It can detect spamming tools and will prevent them from running.

Just a few thoughts off the top of my head.
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: On the hunt - My ASL'd server used to send out spam

Unread post by BruceLee »

To investigate who or what might be sending, you could try to create a sendmail wrapper with this content:

Code:

#!/bin/sh
# Log who called sendmail, from where and when, add a header naming the
# calling directory, then hand the message to the real binary.
TODAY=`date -Iseconds`
# $USER is often unset when called from Apache or cron, so fall back to id -un
echo "$TODAY sendmail-wrapper called ${USER:-$(id -un)} from $PWD" >>/tmp/mail.send
(echo "X-Additional-Header: $(dirname "$PWD")"; cat) | /usr/lib/sendmail-real "$@"
This will write an extra header in the mail and a logfile in /tmp/mail.send. "dirname" is used to ensure no confidential information is put in.

After that hook the wrapper in the mail routine:

Code:

chmod +x sendmail-wrapper
mv /usr/lib/sendmail /usr/lib/sendmail-real
mv sendmail-wrapper /usr/lib/sendmail
Hope this helps

EDIT: just found a similar tut from parallels: http://kb.parallels.com/article_22_1711_en.html
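Once the wrapper is in place, /tmp/mail.send fills up fast on a busy host, and the spammer shows up as a burst of calls from a single directory. The following is an added example (my own Python, not part of the post above or of the Parallels article) that parses lines in the wrapper's log format and reports any (user, directory) pair whose peak number of sendmail calls inside a one-minute window reaches a threshold; the log lines and paths in it are constructed. Note what the wrapper can and cannot see: it only catches mail injected through the local sendmail binary (PHP mail(), cron jobs, shells). Mail submitted over SMTP with a stolen password never touches it and has to be traced in the SMTP authentication log instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /tmp/mail.send as the wrapper above writes it (hypothetical vhost
# paths). The user field is blank when $USER is unset in the calling environment, which is
# usual under Apache; the bursty directory is an upload folder, a common home for a
# dropped mailer script.
SAMPLE_LOG = """\
2010-10-15T02:05:00-04:00 sendmail-wrapper called apache from /var/www/vhosts/example.com/httpdocs
2010-10-15T02:06:10-04:00 sendmail-wrapper called  from /var/www/vhosts/example.com/httpdocs/images
2010-10-15T02:06:12-04:00 sendmail-wrapper called  from /var/www/vhosts/example.com/httpdocs/images
2010-10-15T02:06:15-04:00 sendmail-wrapper called  from /var/www/vhosts/example.com/httpdocs/images
2010-10-15T02:06:19-04:00 sendmail-wrapper called  from /var/www/vhosts/example.com/httpdocs/images
2010-10-15T02:06:24-04:00 sendmail-wrapper called  from /var/www/vhosts/example.com/httpdocs/images
2010-10-15T02:06:30-04:00 sendmail-wrapper called  from /var/www/vhosts/example.com/httpdocs/images
2010-10-15T02:20:00-04:00 sendmail-wrapper called apache from /var/www/vhosts/example.com/httpdocs
2010-10-15T02:30:00-04:00 sendmail-wrapper called root from /root
"""

# "<date -Iseconds> sendmail-wrapper called <user> from <cwd>"; user may be empty
LINE_RE = re.compile(r"^(\S+) sendmail-wrapper called (\S*) from (.*)$")


def parse_log(text):
    """Parse wrapper log lines into (timestamp, user, cwd); lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # date -Iseconds prints e.g. 2010-10-15T02:06:10-04:00, which fromisoformat accepts
        entries.append((datetime.fromisoformat(m.group(1)), m.group(2) or "(unset)", m.group(3)))
    return entries


def burst_senders(entries, window=timedelta(seconds=60), threshold=5):
    """Return (user, cwd, peak_calls_in_window, total_calls) for every origin whose peak
    number of sendmail calls within `window` reaches `threshold`, highest peak first."""
    by_origin = defaultdict(list)
    for ts, user, cwd in entries:
        by_origin[(user, cwd)].append(ts)
    hits = []
    for (user, cwd), stamps in by_origin.items():
        stamps.sort()
        peak, j = 0, 0
        for i in range(len(stamps)):          # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            hits.append((user, cwd, peak, len(stamps)))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for user, cwd, peak, total in burst_senders(parse_log(SAMPLE_LOG)):
        print(f"{peak:3d} calls/min (total {total}) user={user} dir={cwd}")
```

Point parse_log() at the real file and the top hit is the directory to go and read; a mailer dropped into a world-writable upload folder stands out immediately, whereas the host's legitimate contact forms stay well under the threshold.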
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: On the hunt - My ASL'd server used to send out spam

Unread post by scott »

If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: On the hunt - My ASL'd server used to send out spam

Unread post by premierhosting »

Thanks guys. I've been using the ASL PHP mail logger for a while now; this isn't coming through PHP. I just added the sendmail wrapper. Looks like this system is symlinking /usr/sbin/sendmail over to /etc/alternatives/mta. /usr/lib/sendmail is also symlinked to there, so I did a little extra linking to make sure all sendmail calls are logged.

We'll see if this helps.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: On the hunt - My ASL'd server used to send out spam

Unread post by faris »

Scott -- I think ASL should include a script to enable and disable a wrapper like this. Kind of like a security blanket - "I know it is there if I need it, and I know the script is being updated regularly, so it will always be ready when the time comes" sort of thing.

It would take 5 minutes and add another tick box to the feature list :-)

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
dkopecek
Forum User
Posts: 8
Joined: Tue Oct 26, 2010 12:29 pm

Re: On the hunt - My ASL'd server used to send out spam

Unread post by dkopecek »

I used the method above, found at http://kb.parallels.com/article_22_1711_en.html

It looks like /var/tmp/mail.send is logging messages sent through Horde but not through other PHP sources, specifically several Drupal installs. Any ideas why this might be?
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: On the hunt - My ASL'd server used to send out spam

Unread post by BruceLee »

see above post:
>> If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.
dkopecek
Forum User
Posts: 8
Joined: Tue Oct 26, 2010 12:29 pm

Re: On the hunt - My ASL'd server used to send out spam

Unread post by dkopecek »

>> If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.

How can I do this? Is there a global solution in php.ini? I can't really hack into individual clients' code.

Also - Wondering why the sendmail wrapper solution logs horde but not other php. Running Plesk v8.4.0

Thanks
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: On the hunt - My ASL'd server used to send out spam

Unread post by scott »

The same mail header / logging capability in php 5.3 was backported into 5.2.x
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: On the hunt - My ASL'd server used to send out spam

Unread post by mikeshinn »

If you are using our PHP rpms.
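For anyone landing on dkopecek's question: the mail() logging that scott and mikeshinn refer to is PHP's mail.add_x_header and mail.log, both introduced in PHP 5.3.0 and, per this thread, backported into Atomicorp's 5.2.x RPMs. The fragment below is an added php.ini example, not text from the thread; the log path in it is an assumption, and whether your 5.2 build honours these directives depends on that backport.

```ini
; Added example, not from the thread. Goes in the global php.ini; both directives exist in PHP >= 5.3.0.

; Stamp every message sent through mail() with
;   X-PHP-Originating-Script: <uid>:<script filename>
; so the message itself names the script (and, via the uid, the vhost) that sent it.
mail.add_x_header = On

; Also log every mail() call (calling script and line, To: address and headers) to a file.
; The path is an assumption: pick one the web-server user can write and that logrotate covers.
mail.log = /var/log/php-mail.log
```

Two caveats a hosting box in particular needs. First, both directives are PHP_INI_PERDIR, so a tenant whose vhost allows .htaccess overrides can switch them back off; under mod_php, pin them in the server configuration with php_admin_flag / php_admin_value instead of relying on php.ini alone. Second, the X-PHP-Originating-Script header travels with the message, so recipients see the script name and uid; that is usually acceptable for a shared host hunting a spammer, but decide it knowingly.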
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: On the hunt - My ASL'd server used to send out spam

Unread post by premierhosting »

By wrapping sendmail I was able to track it to one particular domain on the system. At first they were using Horde, so I shut off webmail to that domain. Then they were using the same account, but by SMTP. For that I reset the password to something stronger and the problem stopped.

Prior to all of this I locked down all the email passwords that ASL said were weak. The password in question was pretty crappy, but it didn't trip that switch. Perhaps a more thorough weakness test would help.

How do you make Spam Assassin scan outgoing email?

mikeshinn, yes, we were the "source". I found it in our mail queue. qmHandle makes monitoring much easier.
I'm looking into dazuko, I'm not sure off the top of my head on that one. I'm reading about it and am not sure how this helps spam.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: On the hunt - My ASL'd server used to send out spam

Unread post by scott »

Sure, what was the password that account was using?
premierhosting
Forum Regular
Posts: 257
Joined: Wed Aug 04, 2010 2:52 pm

Re: On the hunt - My ASL'd server used to send out spam

Unread post by premierhosting »

I didn't save it. Shoot. From memory, it may have been the same as the username or same as domain name or something like that.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: On the hunt - My ASL'd server used to send out spam

Unread post by mikeshinn »

>> mikeshinn, yes, we were the "source". I found it in our mail queue. qmHandle makes monitoring much easier.
Was the spam tool running on your box, or were they just relaying through you? If the former, any chance you have the spamming tools? We can check to see if there are sigs for them.