Koozali.org: home of the SME Server

Is someone using me for spam?

raymondh

Is someone using me for spam?
« on: January 14, 2003, 05:21:21 PM »
This morning I have an admin mailbox full of the below messages. Am I being used for spam?  If so, how can I stop it?



Hi. This is the qmail-send program at BGWireless.com.
I tried to deliver a bounce message to this address, but the bounce bounced!

:
65.54.166.99 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.54.166.99.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 16332 invoked for bounce); 14 Jan 2003 08:05:55 -0000
Date: 14 Jan 2003 08:05:55 -0000
From: MAILER-DAEMON@BGWireless.com
To: david44@hotmail.com
Subject: failure notice

Hi. This is the qmail-send program at BGWireless.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
64.156.215.5 failed after I sent the message.
Remote host said: 554 delivery error: dd Sorry, your message to oliverknip@yahoo.com cannot be delivered.  This account is over quota. - mta100.mail.scd.yahoo.com

:
213.165.64.100 does not like recipient.
Remote host said: 550 {mx012-rz3} The recipient does not accept mails from 'hotmail.com' over foreign mailservers
Giving up on 213.165.64.100.

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 16326 invoked from network); 14 Jan 2003 08:05:53 -0000
X-Scanned-By: AMaViS powered
Received: from unknown (HELO hotmail.com) (10.5.20.199)
  by services.BGWireless.com (192.168.1.75) with ESMTP; 14 Jan 2003 08:05:48 -0000
Message-ID: <000075dd0e9c$0000302b$000026d5@hotmail.com>
To:
Cc: ,
,
,

From: "James Peacock MD"
Subject: Repair of cells and metabolic functions
Date: Tue, 14 Jan 2003 09:04:17 -1700
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Reply-To: david44@hotmail.com



raymondh

Re: Is someone using me for spam?
« Reply #1 on: January 14, 2003, 05:33:34 PM »
Here is a log:

Completed messages: 8290
Recipients for completed messages: 10978
Total delivery attempts for completed messages: 11045
Average delivery attempts per completed message: 1.33233
Bytes in completed messages: 26492653
Bytes weighted by success: 36981762
Average message qtime (s): 10.0135

Total delivery attempts: 11267
  success: 9960
  failure: 1106
  deferral: 201
Total ddelay (s): 57325.438577
Average ddelay per success (s): 5.755566
Total xdelay (s): 26909.541822
Average xdelay per delivery attempt (s): 2.388350
Time span (days): 9.6754
Average concurrency: 0.0321902


This is a stock install.

raymondh

Re: Is someone using me for spam?
« Reply #2 on: January 14, 2003, 08:47:19 PM »
Can someone please help me? I took my server offline because I don't want my IP to get blacklisted.

Dan Brown

Re: Is someone using me for spam?
« Reply #3 on: January 14, 2003, 08:52:34 PM »
There's nothing wrong, at least not on the basis of what you've shown here.  Somebody is sending spam, and using an address at your server as the return address.  Nothing you can do about that, and it doesn't indicate any vulnerability with your server.  Of course, if you've done anything unusual with the mail system, it's possible you're an open relay, but not if you've kept it stock.

Greg Zartman

Re: Is someone using me for spam?
« Reply #4 on: January 14, 2003, 08:55:54 PM »
Raymondh,

I had a very similar experience a couple of months ago.  Come to find out, someone was exploiting a form mailer script that I had in my cgi-bin.

If you are using such a script, you can verify the exploit by viewing: /var/log/httpd/error_log and /var/log/httpd/access_log.  You should see MULTIPLE requests for your form mailer script.

A short term fix is to remove it from your server.  Long term, get a new script that is more secure.  

Regards,

Greg Zartman
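One way to do the access_log check described in this reply, as an added example that is not code from the thread or from SME Server. It assumes Apache common log format and a script path containing "formmail"; the log lines are constructed (TEST-NET addresses), not taken from the poster's server.

```python
import re
from collections import Counter

# Constructed sample access_log lines (TEST-NET addresses); not from the original post.
SAMPLE_ACCESS_LOG = """\
203.0.113.45 - - [14/Jan/2003:08:05:40 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312
203.0.113.45 - - [14/Jan/2003:08:05:41 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312
203.0.113.45 - - [14/Jan/2003:08:05:42 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312
203.0.113.45 - - [14/Jan/2003:08:05:43 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312
192.168.1.20 - - [14/Jan/2003:08:10:02 +0000] "GET /index.html HTTP/1.1" 200 1532
192.168.1.20 - - [14/Jan/2003:08:11:15 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 312
198.51.100.7 - - [14/Jan/2003:08:12:00 +0000] "GET /cgi-bin/formmail.pl?recipient=x HTTP/1.0" 404 210
"""

# Apache common log format: client ip, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def formmail_hits(log_text, script_name="formmail", threshold=3):
    """Count requests per client IP whose path names the form-mailer script.

    Returns {ip: count} restricted to clients at or above `threshold`, which is
    the "MULTIPLE requests" pattern the reply says to look for.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if script_name in path.lower():
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(formmail_hits(SAMPLE_ACCESS_LOG).items()):
        print(f"{ip}: {n} requests to the form mailer")
```

Run it against the real file with `formmail_hits(open("/var/log/httpd/access_log").read())`; a single client far above everyone else is the signature of an abused script.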

raymondh

Re: Is someone using me for spam?
« Reply #5 on: January 14, 2003, 08:57:59 PM »
My log says that 10,000 messages were sent yesterday and so far I have 600 of these failure notifications.  Does this mean I'm going to get 10,000 failures a day?

Is there another log or config file that I can post to have someone look at to help me?

The server isn't actually bone stock, I did install ClamAV following the howto.  Sorry about that slip-up, I'm just stressing a bit.

raymondh

Re: Is someone using me for spam?
« Reply #6 on: January 15, 2003, 04:56:39 AM »
A relay test site says that I'm not a relay but here is one of the attempts:

>>> RSET
<<< 250 OK
>>> MAIL FROM:
<<< 250 Sender accepted.
>>> RCPT TO:
<<< 250 Recipient accepted.
>>> DATA
<<< 354 End your message with a period.
>>> (message body)
<<< 250 Accepted message qp 20063 bytes 1044

Why does SME accept this mail?

Greg Zartman

Re: Is someone using me for spam?
« Reply #7 on: January 15, 2003, 08:17:16 PM »
I've been told by Mitel folks, and others, that it is VERY unlikely that SME is an open mail relay in a stock configuration.

Have you checked for other avenues for exploit as I previously pointed out?

Greg Zartman

Ray

Re: Is someone using me for spam?
« Reply #8 on: January 16, 2003, 10:49:58 PM »
I have checked and there are no mail forms being used.

The above example attempt did not make it through, my question was why does the server even accept a message from a user that does not exist on the system (spamtest)?

And, why does it accept a message to a user that doesn't exist on the system (ray.hen%cfs.com@bgwireless.com)?

Charlie Brady

Re: Is someone using me for spam?
« Reply #9 on: January 16, 2003, 11:12:17 PM »
raymondh wrote:
>
> This morning I have an admin mailbox full of the below
> messages,  Am I being used for spam?

Yes.

>  If so, how can I stop it?

See below.
 
> Hi. This is the qmail-send program at BGWireless.com.
> I tried to deliver a bounce message to this address, but the
> bounce bounced!

Your server tried to send the message to various recipients, some refused, and your server tried to send the bounce to the purported sender at hotmail.com, without success.

Now here's the interesting part:

> Return-Path:
> Received: (qmail 16326 invoked from network); 14 Jan 2003
> 08:05:53 -0000
> X-Scanned-By: AMaViS powered

Hmmm, AMaViS. But you said your server was a stock install.

> Received: from unknown (HELO hotmail.com) (10.5.20.199)
>   by services.BGWireless.com (192.168.1.75) with ESMTP; 14
> Jan 2003 08:05:48 -0000

So the spammer, at 10.5.20.199, is connecting to 192.168.1.75, the internal interface address of your server. Your server normally won't even be able to communicate with such an address, let alone accept mail for relay from it. Again, I suspect that your configuration is not standard. Guessing from your domain name, perhaps you have some wireless equipment attached.

Mail relaying is a security issue, and all security issues should be reported only to smesecurity@mitel.com. At this stage however I'd suggest you contact that address only if you re-install your server (preferably version 5.6) as a stock install and the problem persists.

Regards

Charlie

Greg Zartman

Re: Is someone using me for spam?
« Reply #10 on: January 16, 2003, 11:28:19 PM »
> So the spammer, at 10.5.20.199, is connecting to
> 192.168.1.75, the internal interface address of your server.

As a temporary, but immediate, fix why not block that IP address?? From command prompt:

ipchains -A input -j DENY -p all -l -s 10.5.20.199/24 -d 0.0.0.0/0

Regards,
Greg Zartman

Ari

Re: Is someone using me for spam?
« Reply #11 on: January 17, 2003, 12:38:44 AM »
Greg Zartman wrote:
>

> As a temporary, but immediate, fix why not block that IP
> address?? From command prompt:
>
> ipchains -A input -j DENY -p all -l -s 10.5.20.199/24 -d
> 0.0.0.0/0

Because it's just like trying to put a bandaid on a severed finger to stop the bleeding (sorry for the analogy but it's the first one that came to mind.)

The problem being that mail spammers usually target a vulnerable server and attack/abuse it from other sources. If you block 10.5.20.199/24, you essentially block all IPs in the 10.5.20.X range, but what if the spammer uses 10.6.x.x or 192.168.x.x instead? Just a thought... it's obvious that they're coming through the inside...

Essentially, the server has likely been compromised - likely through the AMaViS mail virus-scanning... Check to make sure that the AV is properly installed and configured... a good security solution can be a BIG security problem if it's misconfigured.

Another thought... though perhaps scattered - is there any reason that 10.5.20.0/24 would be listed in the local networks panel? I'm going to assume not, but hey... sometimes the answer is so simple that we overlook it....

Ari

Raymondh

Re: Is someone using me for spam?
« Reply #12 on: January 17, 2003, 10:37:04 PM »
Hmmm.

This is saying that I'm the spammer then.  The .199 IP is my internal router.  So a machine connected to that router is sending spam.  I'm scanning for a virus now but all Windows boxen have antivirus and ZoneAlarm on them.  I'll report back.

raymondh

Re: Is someone using me for spam?
« Reply #13 on: January 18, 2003, 03:16:32 AM »
I think I figured it out.  I had a user that had a Netgear router assigned the 10.5.20.199 address.  A public IP was assigned to this IP address through 1:1 NAT.  This user had entered a rule in the router to forward all port 25 requests to the SME server's 192.168.1.75 address.  I have 10.5.20.199 added to the server as an internal network so it was allowing this address to relay.

Wish there was a way to authenticate even internal users before smtp...
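The header reading Charlie gives above and the final diagnosis (a trusted local-networks entry letting 10.5.20.199 relay) can be checked mechanically. This is an added example, not code from the thread or from SME Server: it parses the Received line quoted in the bounce and tests the connecting address against a local-networks list that is constructed here, since the real panel contents are not on the page beyond the 10.5.20.199 entry.

```python
import ipaddress
import re

# The Received header quoted in the bounce at the top of the thread.
RECEIVED = (
    "Received: from unknown (HELO hotmail.com) (10.5.20.199)\n"
    "  by services.BGWireless.com (192.168.1.75) with ESMTP; 14 Jan 2003 08:05:48 -0000"
)

# Constructed stand-in for the server's "local networks" list: the thread only says
# that 10.5.20.199 had been added, so the LAN entry here is an assumption.
LOCAL_NETWORKS = ["192.168.1.0/24", "10.5.20.199/32"]

# qmail-style Received line: from <rdns> (HELO <name>) (<client ip>) by <host> (<server ip>)
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<client>[\d.]+)\)"
    r"\s+by\s+(?P<by>\S+)\s+\((?P<server>[\d.]+)\)"
)

def analyse_received(header, local_networks):
    """Unfold the header, extract the connecting client, and report which trusted
    network (if any) would have let that client relay."""
    unfolded = " ".join(header.replace("Received:", "", 1).split())
    m = RECEIVED_RE.search(unfolded)
    if m is None:
        raise ValueError("Received header is not in the expected qmail layout")
    client = ipaddress.ip_address(m.group("client"))
    nets = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    return {
        "client_ip": str(client),
        "helo": m.group("helo").strip(),
        "rdns": m.group("rdns"),
        "server_ip": m.group("server"),
        # Heuristic: a private source with no reverse DNS announcing a public mail
        # domain is the spoofed HELO pattern seen in this thread.
        "helo_spoof_likely": client.is_private and m.group("rdns") == "unknown",
        # Non-empty means relay was permitted by configuration, not by an open relay.
        "relay_allowed_by": [str(n) for n in nets if client in n],
    }

if __name__ == "__main__":
    for key, value in analyse_received(RECEIVED, LOCAL_NETWORKS).items():
        print(f"{key}: {value}")
```

If `relay_allowed_by` is non-empty for a source you do not control end to end (such as a NAT'd router another party configures), the fix is to remove that entry from the local networks list rather than to firewall the address.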