SPAM Attack.

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
sebas
Forum User
Posts: 85
Joined: Thu Feb 12, 2009 8:53 pm
Location: Mexico

SPAM Attack.

Post by sebas »

Hello,

I'm getting a spam attack consisting of lots of mail of the form

gibberishaddress@domain.com

You can see this more clearly in this PDF.

All of them originate from the same IP 88.152.53.155.

I think the spammer has a stolen password for an account on domain.com and is using the account to send them.

How can I know which account is logging in from that IP address?

Or how can I find which account is compromised?

Thanks for your help.
CentOS release 6.5 (Final)
Plesk psa-11.5.30-cos6.build115130819.13
ASL 3.2.18-37
Linux 2.6.32-358.11.1.el6.x86_64
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: SPAM Attack.

Post by faris »

Hi Sebas,

I'm unwilling to open a PDF on a strange domain - so I can't see what's happening in detail.

Normally it is quite easy to see which user is authenticating from the maillog, though there are exceptions - and I assume one of those exceptions is what's happening here.

One way you can dig a little deeper is to use tcpdump.

For example:

tcpdump -Z root -v -s 0 -C 1 -W 10 -w cap-port-25 port 25

Will capture important stuff going on on port 25, and dump it to cap-port-25.X where X will go up by one every 1 MB's worth of data captured, for a maximum of 10 files, then start at the beginning.

But in your case maybe

tcpdump -Z root -v -s 0 -C 1 -W 10 -w cap-net-ip host 88.152.53.155

which will capture all traffic from the bad IP, would be better (WARNING - I have not checked syntax - I think I'm right though).


The resulting files can then be looked at with Wireshark (Windows or Linux) or with the free Microsoft Network Monitor (Windows only; rename the files to .cap first).

Another warning: I do not know if you'll see what you need to see from doing this. It may be best to wait until someone else comes along with another suggestion in case there's a better or easier way.

Faris.

p.s. I think spamdyke makes seeing which user is authenticating a bit easier. I don't recall for sure though. Might be worth installing it anyway.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
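To turn a capture like the one above into the answer sebas is after, here is an added example (not posted in the thread, and not part of tcpdump, Wireshark or any other tool mentioned here) that decodes the AUTH PLAIN and AUTH LOGIN tokens out of a reassembled plain-text SMTP session, i.e. the text Wireshark's "Follow TCP Stream" or tcpdump -A shows for port 25. The session, the addresses and the credentials in it are constructed for the example. Caveat: this only works for sessions that authenticate without STARTTLS; once TLS has been negotiated the AUTH exchange is encrypted and the maillog is the only place left to look.

```python
import base64
import binascii


def _b64(text):
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample of a reassembled SMTP conversation (made-up accounts and
# passwords). Three sessions: AUTH PLAIN with an initial response, AUTH LOGIN
# driven by the server's 334 prompts, and a failed AUTH PLAIN with a token
# that is not valid base64.
SAMPLE_STREAM = "\n".join([
    "220 mail.example.com ESMTP",
    "EHLO relay-client",
    "250-mail.example.com",
    "250 AUTH LOGIN PLAIN",
    "AUTH PLAIN " + _b64("\x00secretary@example.com\x00Passw0rd!"),
    "235 2.7.0 Authentication successful",
    "MAIL FROM:<xk3j9q@example.com>",
    "250 2.1.0 Ok",
    "QUIT",
    "221 2.0.0 Bye",
    "220 mail.example.com ESMTP",
    "EHLO relay-client",
    "250 AUTH LOGIN PLAIN",
    "AUTH LOGIN",
    "334 " + _b64("Username:"),
    _b64("sales@example.com"),
    "334 " + _b64("Password:"),
    _b64("hunter2"),
    "235 2.7.0 Authentication successful",
    "QUIT",
    "221 2.0.0 Bye",
    "220 mail.example.com ESMTP",
    "AUTH PLAIN not-base64!",
    "535 5.7.8 Error: authentication failed",
])


def _decode(blob):
    """Decode one base64 SASL token; return None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def _skip_prompts(lines, i):
    """Advance past server '334 ...' challenge lines."""
    while i < len(lines) and lines[i].startswith("334"):
        i += 1
    return i


def _auth_result(lines, i):
    """True if the next SMTP status line at or after index i is 235 (auth OK)."""
    while i < len(lines):
        if len(lines[i]) >= 3 and lines[i][:3].isdigit():
            return lines[i].startswith("235")
        i += 1
    return False


def extract_smtp_auth_users(stream):
    """Return [(mechanism, username_or_None, succeeded), ...] for every AUTH
    attempt in a reassembled SMTP stream. Passwords are never returned."""
    lines = [ln.rstrip("\r") for ln in stream.splitlines()]
    found = []
    i = 0
    while i < len(lines):
        words = lines[i].split()
        if len(words) >= 2 and words[0].upper() == "AUTH":
            mech = words[1].upper()
            user = None
            if mech in ("PLAIN", "LOGIN"):
                # The initial response is either on the AUTH line itself
                # (RFC 4954) or, after a 334 prompt, on the next client line.
                if len(words) >= 3:
                    blob = words[2]
                else:
                    i = _skip_prompts(lines, i + 1)
                    blob = lines[i] if i < len(lines) else ""
                decoded = _decode(blob)
                if mech == "PLAIN":
                    # RFC 4616 layout: [authzid] NUL authcid NUL password
                    if decoded is not None and decoded.count("\x00") >= 2:
                        user = decoded.split("\x00")[-2]
                else:
                    user = decoded
                    # The password token follows a second 334 prompt; step
                    # over it without recording it.
                    i = _skip_prompts(lines, i + 1)
            found.append((mech, user, _auth_result(lines, i + 1)))
        i += 1
    return found


if __name__ == "__main__":
    for mech, user, ok in extract_smtp_auth_users(SAMPLE_STREAM):
        print(f"{mech:6} {user or '<undecodable>':30} {'OK' if ok else 'FAILED'}")
```

Run it against the text exported from Wireshark's "Follow TCP Stream" (one file per session, or all sessions concatenated) and the successful AUTH lines tell you which account the spammer holds. A session where AUTH is attempted but never returns 235 is a password-guessing attempt rather than a compromised account, which is why the result carries the success flag.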
sebas

Re: SPAM Attack.

Post by sebas »

Hi Faris,

Thanks for your suggestion, that sounds like a great idea on how to pick up the information they are using.

This is what the queue looks like:
[image]

Looks like you got the syntax right; tcpdump runs and starts waiting for packets.

Have a great day.
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: SPAM Attack.

Post by Highland »

Something I would do is turn off rejection notices. Hard-reject any email that is not on the server. If the email was from a legit user, their server will notify them of the rejection.
"Its not a mac. I run linux... I'm actually cool." - scott
faris

Re: SPAM Attack.

Post by faris »

You might do better to just look at /usr/local/psa/var/log/maillog (that's what I assumed would be in the PDF).

You should be able to narrow things down from that if you have not already looked.

Faris.
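An added example, not posted in the thread, of narrowing things down from maillog the way faris suggests: it pulls (account, source IP) pairs out of constructed sample log lines and reports which accounts authenticated from the suspect IP and which source IPs each account has used, so an account that suddenly logs in from several unrelated networks stands out. The two line shapes it matches (a Plesk qmail "smtp_auth: SMTP user ... logged in from" line and a Postfix smtpd "sasl_username=" line) are assumptions about the log format; check what your own /usr/local/psa/var/log/maillog actually prints and adjust the patterns.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog lines (not a real log; accounts and IPs made up).
# Two shapes are assumed: a Plesk qmail "smtp_auth" line and a Postfix smtpd
# "sasl_username" line. Adjust AUTH_PATTERNS to what your maillog shows.
SAMPLE_MAILLOG = """\
Mar  3 10:01:12 mail smtp_auth: SMTP user secretary@example.com : /var/qmail/mailnames/example.com/secretary logged in from 88.152.53.155
Mar  3 10:01:13 mail qmail: 1393840873.412 new msg 4711
Mar  3 10:01:15 mail smtp_auth: SMTP user sales@example.com : /var/qmail/mailnames/example.com/sales logged in from 203.0.113.7
Mar  3 10:02:40 mail smtp_auth: SMTP user secretary@example.com : /var/qmail/mailnames/example.com/secretary logged in from 88.152.53.155
Mar  3 10:03:01 mail postfix/smtpd[2231]: 3F2A1C0C2: client=unknown[88.152.53.155], sasl_method=PLAIN, sasl_username=secretary@example.com
Mar  3 10:04:55 mail postfix/smtpd[2231]: 3F2A1C0D9: client=host.example.net[198.51.100.20], sasl_method=LOGIN, sasl_username=sales@example.com
Mar  3 10:05:30 mail smtp_auth: SMTP user secretary@example.com : /var/qmail/mailnames/example.com/secretary logged in from 198.51.100.77
"""

AUTH_PATTERNS = [
    # assumed Plesk/qmail shape
    re.compile(r"smtp_auth: SMTP user (?P<user>\S+) : \S+ logged in from (?P<ip>[0-9a-fA-F.:]+)"),
    # assumed Postfix shape: client=name[ip] ... sasl_username=user
    re.compile(r"client=\S*\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>[^\s,]+)"),
]


def parse_auth_events(log_text):
    """Return a list of (username, source_ip) for every recognised AUTH line."""
    events = []
    for line in log_text.splitlines():
        for pat in AUTH_PATTERNS:
            m = pat.search(line)
            if m:
                events.append((m.group("user"), m.group("ip")))
                break
    return events


def users_from_ip(log_text, ip):
    """Which accounts authenticated from the suspect IP, and how often."""
    return Counter(user for user, src in parse_auth_events(log_text) if src == ip)


def source_ips_per_user(log_text):
    """Map each account to the set of source IPs it logged in from."""
    ips = defaultdict(set)
    for user, src in parse_auth_events(log_text):
        ips[user].add(src)
    return dict(ips)


if __name__ == "__main__":
    suspect = "88.152.53.155"
    print(f"accounts seen from {suspect}:")
    for user, n in users_from_ip(SAMPLE_MAILLOG, suspect).most_common():
        print(f"  {user}: {n} logins")
    print("source IPs per account:")
    for user, ips in sorted(source_ips_per_user(SAMPLE_MAILLOG).items()):
        print(f"  {user}: {', '.join(sorted(ips))}")
```

Point it at the real maillog (read the file into log_text, or feed it the output of zcat for the rotated copies) and the first report answers the question in the thread directly; the second is worth a look too, because a compromised account often keeps logging in from its legitimate network as well as the spammer's.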