On the hunt - My ASL'd server used to send out spam
-
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
On the hunt - My ASL'd server used to send out spam
Hello,
My ASL secured server is being used to send out spam. I've caught it a couple times and am learning how to hunt. I'd appreciate any suggestions on good practices to lock down a server so it can't effectively be used as a relay.
Good info here: http://gnufreakz.wordpress.com/2010/02/ ... -in-qmail/
Here's one I tracked:
Received: (qmail 26429 invoked from network); 9 Oct 2010 04:15:39 -0400
Received: from localhost (127.0.0.1)
by localhost with SMTP; 9 Oct 2010 04:15:39 -0400
Received: from 82.128.62.45 ([82.128.62.45]) by webmail.editeddomainname.com
(Horde Framework) with HTTP; Sat, 09 Oct 2010 04:15:37 -0400
Ah ha, someone was using a crappy password on webmail. I turned off webmail for that domain.
Next:
Received: (qmail 24463 invoked from network); 15 Oct 2010 02:07:56 -0400
Received: from unknown (HELO User) (82.128.84.58) by myservers.editedreverselookup.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 15
This one is a little harder for me to decipher. Any ideas? Who is "User" to HELO? Invoked from "network"? Ideas on how to find this one?
I'm not sure if it's the right thing to do, but I went into my ASL interface today and blacklisted 82.128.0.0/16. Will that prevent any connections from them? I also geoblocked Nigeria.
I've been googling, searching the ASL docs, etc. Does anyone have a good comprehensive "lock down your email but still allow your users access" tut?
Thanks!
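Added example, not part of the post above: the two headers quoted there can be decoded mechanically. In qmail, "invoked from network" is the tag qmail-smtpd puts on a message that arrived over SMTP (a message injected locally through qmail-inject or the sendmail shim says "invoked by uid N" instead), and "(HELO User)" is just the hostname the connecting client claimed in its HELO command, with the connecting address in the parentheses after it. The script below, which is mine and not from the original poster, reads a message on stdin, joins the folded Received: headers, prints one line per hop and returns the lowest non-loopback address, i.e. the client that injected the message. It assumes IPv4 and qmail-style headers and needs only POSIX sh and awk; the sample messages are copies of the two headers from the post with a constructed Subject: line, and the second header's date is left truncated as it appears above.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the Received: chain of a
# message read from stdin, top (most recent hop) to bottom (injection point),
# and pull out the external address that handed the message to this server.
#
# Assumptions: qmail-style headers as quoted in the thread; IPv4 only; POSIX sh
# and awk only, so it runs as-is on the mail server being investigated.

# Join folded Received: headers into one line each and print them in order.
received_chain() {
    awk '
        function flush() {
            if (hdr != "") { gsub(/[ \t]+/, " ", hdr); print hdr }
            hdr = ""
        }
        /^$/         { flush(); exit }            # blank line ends the header block
        /^Received:/ { flush(); hdr = $0; next }  # start of a new Received: header
        /^[ \t]/     { if (hdr != "") hdr = hdr " " $0; next }  # folded continuation
                     { flush() }                  # some other header
        END          { flush() }'
}

# One line per hop: the first IPv4 address on the line, the HELO string the
# client gave (or "-"), and how the hop was received.
hop_summary() {
    received_chain | awk '
    {
        ip = "-"; helo = "-"; via = "-"
        line = $0
        sub(/with \([^)]*\) /, "with ", line)   # drop e.g. "(DHE-RSA-AES256-SHA encrypted)"
        if (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) ip = substr(line, RSTART, RLENGTH)
        if (match(line, /\(HELO [^)]*\)/)) helo = substr(line, RSTART + 6, RLENGTH - 7)
        if (match(line, /with [A-Za-z]+/)) via = substr(line, RSTART + 5, RLENGTH - 5)
        if (line ~ /invoked from network/) via = "qmail-smtpd"   # qmail: arrived over SMTP
        else if (line ~ /invoked by uid/) via = "local"          # qmail: injected locally
        printf "ip=%s helo=%s via=%s\n", ip, helo, via
    }'
}

# The address that injected the message: the lowest hop with a non-loopback IP.
# Prints nothing if every hop is local.
injecting_ip() {
    hop_summary | awk '
        /^ip=(-|127\.0\.0\.1) / { next }
        { ip = $1; sub(/^ip=/, "", ip); last = ip }
        END { if (last != "") print last }'
}

# Constructed samples: the two headers quoted in the thread, with the folded
# continuation lines indented as they are in a raw message.
SAMPLE_WEBMAIL='Received: (qmail 26429 invoked from network); 9 Oct 2010 04:15:39 -0400
Received: from localhost (127.0.0.1)
  by localhost with SMTP; 9 Oct 2010 04:15:39 -0400
Received: from 82.128.62.45 ([82.128.62.45]) by webmail.editeddomainname.com
  (Horde Framework) with HTTP; Sat, 09 Oct 2010 04:15:37 -0400
Subject: constructed sample

body'

# The second header's date is truncated in the thread; it is left that way here.
SAMPLE_SMTP='Received: (qmail 24463 invoked from network); 15 Oct 2010 02:07:56 -0400
Received: from unknown (HELO User) (82.128.84.58) by myservers.editedreverselookup.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 15
Subject: constructed sample

body'

# Usage on a real message pulled from the queue:  hop_summary < message
# Demo on the constructed SMTP sample:
printf '%s\n' "$SAMPLE_SMTP" | hop_summary
```

Running the demo prints "ip=- helo=- via=qmail-smtpd" for the qmail hop and "ip=82.128.84.58 helo=User via=SMTP" for the injecting hop, which is the line to act on: the HELO string is whatever the client chose to say, so it identifies the client's software habits, not a host, while the address is what the firewall rule or the password reset has to be matched against.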
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: On the hunt - My ASL'd server used to send out spam
So bad passwords is one good thing to squash (ASL will report weak passwords, and if ASL reports them as weak they are WEAK, change them fast) - so just to understand, is the spam going through your MTA to the outside world? (You're the source of the spam, not the recipient)
If so, and if it's going through your MTA - do you have spamassassin scanning all outgoing mail?
Also, have you enabled dazuko in ASL? It can detect spamming tools and will prevent them from running.
Just a few thoughts off the top of my head.
Michael Shinn
Atomicorp - Security For Everyone
Re: On the hunt - My ASL'd server used to send out spam
for investigating who or what might be sending, you could try to create a sendmail-wrapper with this content:

#!/bin/sh
# log every call: timestamp, calling user and working directory
TODAY=`date -Iseconds`
echo $TODAY sendmail-wrapper called $USER from $PWD >>/tmp/mail.send
# add a header naming the caller's parent directory, then hand the message to the real sendmail
(echo X-Additional-Header: $(dirname $PWD);cat) | /usr/lib/sendmail-real "$@"

This will write an extra header in the mail and a logfile in /tmp/mail.send. "dirname" is set to ensure no confidential information is put in.
After that, hook the wrapper into the mail routine:

chmod +x sendmail-wrapper
mv /usr/lib/sendmail /usr/lib/sendmail-real
mv sendmail-wrapper /usr/lib/sendmail

Hope this helps
EDIT: just found a similar tut from parallels: http://kb.parallels.com/article_22_1711_en.html
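Added example, not the wrapper posted above and not Atomicorp's code: the same idea carried a step further. It records the uid, working directory and parent process of whatever called sendmail, stamps the message with a header carrying that information (so a message sitting in the queue can be traced even if the log has been rotated), and only acts as the MTA when it is actually installed under the sendmail name, so the functions can be exercised on a test box first. The paths in $SENDMAIL_REAL and $SENDMAIL_LOG and the header name are my assumptions; /proc/<pid>/cmdline is Linux-specific.

```shell
#!/bin/sh
# Added example, not the wrapper posted in the thread: a replacement for the
# sendmail binary that logs who called it (uid, working directory, parent
# process) and stamps the message with a header carrying the same information
# before handing it to the real MTA, so a spam run can be traced from either
# the log or the queued message itself.
#
# Assumptions (not from the thread): the real binary was moved to
# $SENDMAIL_REAL (default /usr/lib/sendmail-real) and the log goes to
# $SENDMAIL_LOG; /proc/<pid>/cmdline is Linux-only, elsewhere the parent shows
# as "-". The parent is whatever exec'd the wrapper, which for PHP's mail() is
# the web server's PHP process or the /bin/sh it spawned.

SENDMAIL_REAL="${SENDMAIL_REAL:-/usr/lib/sendmail-real}"
SENDMAIL_LOG="${SENDMAIL_LOG:-/var/log/sendmail-wrapper.log}"

# Describe the calling process on one line.
caller_info() {
    parent="-"
    if [ -r "/proc/$PPID/cmdline" ]; then
        parent=$(tr '\0' ' ' < "/proc/$PPID/cmdline")
    fi
    printf 'uid=%s cwd=%s ppid=%s parent=%s' "$(id -u)" "$PWD" "$PPID" "$parent"
}

# Prepend a tracing header to the message on stdin and pass it, with the
# original sendmail arguments, to the real MTA. $1 is the caller description.
stamp_and_send() {
    info=$1; shift
    { printf 'X-Wrapper-Caller: %s\n' "$info"; cat; } | "$SENDMAIL_REAL" "$@"
}

# Log the call, then relay the message. The exit status is the real MTA's.
main() {
    info=$(caller_info)
    printf '%s %s args=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$info" "$*" >> "$SENDMAIL_LOG"
    stamp_and_send "$info" "$@"
}

# Only act as the MTA when installed under the sendmail name, e.g.
#   mv /usr/lib/sendmail /usr/lib/sendmail-real && cp wrapper.sh /usr/lib/sendmail
# Run under any other name the file just defines the functions above.
case "$0" in
    */sendmail|sendmail) main "$@" ;;
esac
```

Because PHP runs sendmail from the directory of the script that called mail(), cwd= in the log normally points straight at the offending site; ppid= and parent= are what distinguish a web script from a cron job or a shell session using the same account. If the system links /usr/sbin/sendmail and /usr/lib/sendmail to an alternatives entry, as the poster found below, the wrapper has to be placed where those links resolve, otherwise only one of the two paths is covered.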
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: On the hunt - My ASL'd server used to send out spam
If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.
-
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: On the hunt - My ASL'd server used to send out spam
Thanks guys. I've been using the ASL php mail logger for a while now, this isn't coming through PHP. I just added the sendmail wrapper. Looks like this system is symlinking /usr/sbin/sendmail over to /etc/alternatives/mta. /usr/lib/sendmail also symlinked to there so I did a little extra linking to make sure all sendmail calls are logged.
We'll see if this helps.
Re: On the hunt - My ASL'd server used to send out spam
Scott -- I think ASL should include a script to enable and disable a wrapper like this. Kind of like a security blanket - "I know it is there if I need it, and I know the script is being updated regularly, so it will always be ready when the time comes" sort of thing.
It would take 5 minutes and add another tick box to the feature list
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Re: On the hunt - My ASL'd server used to send out spam
I used the method above, found at http://kb.parallels.com/article_22_1711_en.html
It looks like /var/tmp/mail.send is logging messages sent through horde but not through other php sources, specifically several Drupal installs. Any ideas why this might be?
Re: On the hunt - My ASL'd server used to send out spam
see above post:
If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.
Re: On the hunt - My ASL'd server used to send out spam
>> If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.
How can I do this? Is there a global solution in php.ini? I can't really hack into individual clients' code.
Also - Wondering why the sendmail wrapper solution logs horde but not other php. Running Plesk v8.4.0
Thanks
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: On the hunt - My ASL'd server used to send out spam
The same mail header / logging capability in php 5.3 was backported into 5.2.x
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: On the hunt - My ASL'd server used to send out spam
If you are using our PHP rpms.
Michael Shinn
Atomicorp - Security For Everyone
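Added example, not from the thread and not Atomicorp's code: the global php.ini switch asked about above is a pair of directives that PHP 5.3 introduced and that the staff say their 5.2 rpms carry as well:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

With mail.log set, PHP appends one line per mail() call naming the calling script and line number; with mail.add_x_header, every message sent through mail() gets an X-PHP-Originating-Script header of the form uid:script-basename, which survives into the queue. Neither touches client code, and a message that reaches the MTA without that header did not come through mail() at all, which is the case to suspect when the sendmail wrapper logs one site and not another. The two helpers below are mine; the log line layout they parse, "mail() on [/path/script.php:LINE]: To: ... -- Headers: ...", with or without a date prefix, is my assumption about the format, and the sample log and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Atomicorp: two helpers for the
# PHP-side trail once mail() logging is switched on in php.ini:
#
#   mail.add_x_header = On
#   mail.log = /var/log/phpmail.log
#
# Assumed log line layout (a date prefix may or may not be present; the parser
# does not depend on it):
#   [date] mail() on [/path/script.php:LINE]: To: ... -- Headers: ...
# Assumed header added to each message: X-PHP-Originating-Script: <uid>:<basename>

# Count mail() calls per script in a mail.log file, busiest first.
top_mail_scripts() {
    awk '
        /mail\(\) on \[/ {
            match($0, /on \[[^:]*:/)               # "on [/path/script.php:"
            path = substr($0, RSTART + 4, RLENGTH - 5)
            count[path]++
        }
        END { for (p in count) print count[p], p }' "$1" | sort -rn
}

# Print the X-PHP-Originating-Script value of a message read from stdin, or
# nothing if the header is absent (the message did not come through mail()).
originating_script() {
    awk '
        /^$/ { exit }                                   # end of headers
        /^X-PHP-Originating-Script:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Constructed sample log in the assumed layout; the paths are invented.
SAMPLE_MAIL_LOG='[09-Oct-2010 04:15:37] mail() on [/var/www/vhosts/example.com/httpdocs/modules/contact/contact.pages.inc:123]: To: victim@example.org -- Headers: From: webform@example.com
[09-Oct-2010 04:15:38] mail() on [/var/www/vhosts/example.com/httpdocs/modules/contact/contact.pages.inc:123]: To: other@example.org -- Headers: From: webform@example.com
[09-Oct-2010 04:16:02] mail() on [/var/www/vhosts/other.example/httpdocs/wp-login.php:40]: To: admin@other.example -- Headers: From: wordpress@other.example'

# Usage:  top_mail_scripts /var/log/phpmail.log
#         originating_script < message-from-queue
```

On a busy shared host the first line of top_mail_scripts output is usually the whole investigation: a contact or registration form being driven by a bot, or a dropped PHP mailer sitting in an upload directory. Put the log somewhere the web server user can write but site owners cannot read, since it contains recipient addresses.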
-
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: On the hunt - My ASL'd server used to send out spam
By wrapping sendmail I was able to track it to one particular domain on the system. At first they were using Horde, so I shut off webmail to that domain. Then they were using the same account, but by SMTP. For that I reset the password to something stronger and the problem stopped.
Prior to all of this I locked down all the email passwords that ASL said were weak. The password in question was pretty crappy, but it didn't trip that switch. Perhaps a more thorough weakness test would help.
How do you make Spam Assassin scan outgoing email?
mikeshinn, yes, we were the "source". I found it in our mail queue. qmHandle makes monitoring much easier.
I'm looking into dazuko, I'm not sure off the top of my head on that one. I'm reading about it and am not sure how this helps spam.
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: On the hunt - My ASL'd server used to send out spam
Sure, what was the password that account was using?
-
- Forum Regular
- Posts: 257
- Joined: Wed Aug 04, 2010 2:52 pm
Re: On the hunt - My ASL'd server used to send out spam
I didn't save it. Shoot. From memory, it may have been the same as the username or same as domain name or something like that.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: On the hunt - My ASL'd server used to send out spam
>> mikeshinn, yes, we were the "source". I found it in our mail queue. qmHandle makes monitoring much easier.
Was the spam tool running on your box, or were they just relaying through you? If the former, any chance you have the spamming tools? We can check to see if there are sigs for them.
Michael Shinn
Atomicorp - Security For Everyone