Koozali.org: home of the SME Server

Spammer is hacking my boxes - spam is flowing...

Offline JonB

Spammer is hacking my boxes - spam is flowing...
« Reply #15 on: September 23, 2005, 02:06:39 PM »
Texasboy,

It could be either. If you do not have SMTP Auth enabled and there is nothing in the CVM logs then they are not getting in that way.

Are you using FormMail on a web site on your server? If so, and it is not the updated version, then this can be hacked by spammers. Check your http access logs.

However I would more suspect a spam sending Trojan on one of your client machines. If it is sending that much spam you should be able to see it on the network hub/switch. Look for unusual amounts of traffic activity coming from one machine.

Disconnect all machines from the network and see if the mail sending stops. You will have to give it some time for the queue to clear.

It doesn't matter that the clients are not using the SME server as their mail server, the Trojans generally install their own SMTP server.

However SME 6.0.1 has SMTP Proxy enabled by default so any SMTP traffic no matter where it comes from on the local network will go via the SME SMTP server even if you have the mail client SMTP server setting as your ISP.

In the meantime I seriously suggest that you disconnect your server from the internet. You will very quickly find yourself on one or more of the SPAM Block lists.

Jon
...

Offline CharlieBrady

Spammer is hacking my boxes - spam is flowing...
« Reply #16 on: September 23, 2005, 03:45:06 PM »
Quote from: "Brad500"
It was not internal - all workstations were checked.


Checking workstations will not tell you that it was not internal. It might only tell you something about your checking procedure.

Examining your smtpfront-qmail logs *will* tell you whether it was internal. Instead of guessing, identify where the mail is coming from.

Offline CharlieBrady

Re: What was the finial verdict on the problem?
« Reply #17 on: September 23, 2005, 03:48:16 PM »
Quote from: "Texasboy"
I found this thread after experiencing the same problems. I have a spammer on my office network and I can't find him.


Do you have any wireless access in your office? If you have an open access point, it wouldn't be surprising if you couldn't find the offender.

Texasboy

Spammer is hacking my boxes - spam is flowing...
« Reply #18 on: September 24, 2005, 05:41:40 PM »
Hello everyone, Thanks for all the suggestions. I have posted my smtpfront-qmail logs below because I am not the best at deciphering what all this means. I have also remoted into the SME server and downed the eth0 interface or the LAN. I will keep it down this weekend and see if I receive any more bounced e-mails. I also do not have any wireless access on the network. It is cable modem to SME 6.0.1 - Gateway, then to switch and the rest of the network. I will also post a few other log files and if anybody sees something please let me know, like I said I am not always the best at deciphering what all the log files mean.

Thanks again to the SME community for the help and the learning experience.
Texasboy --- logs are below ---


smtpfront-qmail log

2005-09-24 10:12:32.309807500 tcpserver: status: 0/40
2005-09-24 10:15:49.283061500 tcpserver: status: 1/40
2005-09-24 10:15:49.284192500 tcpserver: pid 4407 from 192.147.171.15
2005-09-24 10:15:50.159366500 tcpserver: ok 4407 0:70.185.74.182:25 belgarath.linfield.edu:192.147.171.15::54509
2005-09-24 10:15:50.456841500 smtpfront-qmail[4407]: MAIL FROM:<>
2005-09-24 10:15:50.457466500 smtpfront-qmail[4407]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:15:51.092245500 smtpfront-qmail[4407]: Accepted message qp 4408 bytes 17002
2005-09-24 10:15:51.093005500 smtpfront-qmail[4407]: bytes in: 17481 bytes out: 213
2005-09-24 10:15:51.094461500 tcpserver: end 4407 status 0
2005-09-24 10:15:51.094474500 tcpserver: status: 0/40
2005-09-24 10:21:39.263172500 tcpserver: status: 1/40
2005-09-24 10:21:39.264310500 tcpserver: pid 4481 from 66.76.2.51
2005-09-24 10:21:39.539527500 tcpserver: ok 4481 0:70.185.74.182:25 fe6.cox-internet.com:66.76.2.51::62120
2005-09-24 10:21:39.697124500 smtpfront-qmail[4481]: MAIL FROM:<>
2005-09-24 10:21:39.710057500 smtpfront-qmail[4481]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:21:39.930045500 smtpfront-qmail[4481]: Accepted message qp 4482 bytes 15901
2005-09-24 10:21:39.944626500 smtpfront-qmail[4481]: bytes in: 16365 bytes out: 213
2005-09-24 10:21:39.945920500 tcpserver: end 4481 status 0
2005-09-24 10:21:39.946127500 tcpserver: status: 0/40
2005-09-24 10:23:14.233676500 tcpserver: status: 1/40
2005-09-24 10:23:14.234807500 tcpserver: pid 4538 from 209.184.44.144
2005-09-24 10:23:14.239312500 tcpserver: ok 4538 0:70.185.74.182:25 mail-ecsn09.twotrees.com:209.184.44.144::58880
2005-09-24 10:23:14.335708500 smtpfront-qmail[4538]: MAIL FROM:<>
2005-09-24 10:23:14.372129500 smtpfront-qmail[4538]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:23:14.444639500 smtpfront-qmail[4538]: MAIL FROM:<>
2005-09-24 10:23:14.479254500 smtpfront-qmail[4538]: RCPT TO:<postmaster@mondini.dyndns.org>
2005-09-24 10:23:14.512130500 smtpfront-qmail[4538]: bytes in: 147 bytes out: 195
2005-09-24 10:23:14.513744500 tcpserver: end 4538 status 0
2005-09-24 10:23:14.513760500 tcpserver: status: 0/40

Sender uids --- log

 mess      bytes     sbytes     rbytes  recips  tries        xdelay  uid
14310  219774543     124802  219774543   14310  24831   9972.497404  101
14419  219704829  219704829  219704829   14419  14419  10003.909998  400
  508    7526299    7526299    7526299     508    508    317.852642  401
13911  210268591  210268591  210268591   13911  13911  10742.130520  406

CVM ---- log

Viewed at Sat 24 Sep 2005 10:39:42 AM CDT.

2005-09-20 08:03:17.046747500 Starting.

Offline CharlieBrady

Spammer is hacking my boxes - spam is flowing...
« Reply #19 on: September 25, 2005, 03:14:56 AM »
Quote from: "Texasboy"

I have posted my smtpfront-qmail logs below because I am not the best at deciphering what all this means.
...
smtpfront-qmail log

2005-09-24 10:12:32.309807500 tcpserver: status: 0/40
2005-09-24 10:15:49.283061500 tcpserver: status: 1/40
2005-09-24 10:15:49.284192500 tcpserver: pid 4407 from 192.147.171.15
2005-09-24 10:15:50.159366500 tcpserver: ok 4407 0:70.185.74.182:25 belgarath.linfield.edu:192.147.171.15::54509
2005-09-24 10:15:50.456841500 smtpfront-qmail[4407]: MAIL FROM:<>
2005-09-24 10:15:50.457466500 smtpfront-qmail[4407]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:15:51.092245500 smtpfront-qmail[4407]: Accepted message qp 4408 bytes 17002
2005-09-24 10:15:51.093005500 smtpfront-qmail[4407]: bytes in: 17481 bytes out: 213
2005-09-24 10:15:51.094461500 tcpserver: end 4407 status 0
2005-09-24 10:15:51.094474500 tcpserver: status: 0/40


I assume that your domain name is mondini.dyndns.org. These messages are all bounce messages coming from various sites, returning messages to root and postmaster addresses. Someone sent mail with a from address of root@mondini.dyndns.org to various sites which didn't accept it, and returned a bounce message. That could have been your box, or it could have been someone (a virus, a spammer) who forged the address. If you look at the bounce messages, you will probably find remnants of the returned message, and determine which of those is true.

These log files don't indicate that there is anything wrong with your box.
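The reading Charlie does by eye above can be automated. The following Python script is an added example for this thread, not code from the thread or from SME Server: it groups the smtpfront-qmail lines by tcpserver pid so that each inbound SMTP session is shown with its remote IP and hostname, its envelope sender(s) and recipient(s), and whether a message was accepted. A null envelope sender (MAIL FROM:<>) marks a bounce or delivery status notification, and a private remote IP marks a session from the LAN, which is exactly the internal-versus-external question the thread is trying to settle. The sample log is constructed from the lines posted above plus one made-up LAN session from 192.168.1.23, so the output also shows what a workstation relaying outbound mail through the server would look like.

```python
import ipaddress
import re

# Constructed sample: two sessions copied from the posted smtpfront-qmail log
# plus one invented LAN session (pid 4600, 192.168.1.23) for contrast.
SAMPLE_LOG = """\
2005-09-24 10:15:49.284192500 tcpserver: pid 4407 from 192.147.171.15
2005-09-24 10:15:50.159366500 tcpserver: ok 4407 0:70.185.74.182:25 belgarath.linfield.edu:192.147.171.15::54509
2005-09-24 10:15:50.456841500 smtpfront-qmail[4407]: MAIL FROM:<>
2005-09-24 10:15:50.457466500 smtpfront-qmail[4407]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:15:51.092245500 smtpfront-qmail[4407]: Accepted message qp 4408 bytes 17002
2005-09-24 10:15:51.094461500 tcpserver: end 4407 status 0
2005-09-24 10:23:14.234807500 tcpserver: pid 4538 from 209.184.44.144
2005-09-24 10:23:14.239312500 tcpserver: ok 4538 0:70.185.74.182:25 mail-ecsn09.twotrees.com:209.184.44.144::58880
2005-09-24 10:23:14.335708500 smtpfront-qmail[4538]: MAIL FROM:<>
2005-09-24 10:23:14.372129500 smtpfront-qmail[4538]: RCPT TO:<root@mondini.dyndns.org>
2005-09-24 10:23:14.444639500 smtpfront-qmail[4538]: MAIL FROM:<>
2005-09-24 10:23:14.479254500 smtpfront-qmail[4538]: RCPT TO:<postmaster@mondini.dyndns.org>
2005-09-24 10:23:14.513744500 tcpserver: end 4538 status 0
2005-09-24 11:02:00.000000000 tcpserver: pid 4600 from 192.168.1.23
2005-09-24 11:02:00.100000000 tcpserver: ok 4600 0:192.168.1.1:25 :192.168.1.23::1045
2005-09-24 11:02:00.200000000 smtpfront-qmail[4600]: MAIL FROM:<root@mondini.dyndns.org>
2005-09-24 11:02:00.300000000 smtpfront-qmail[4600]: RCPT TO:<someone@example.com>
2005-09-24 11:02:00.400000000 smtpfront-qmail[4600]: Accepted message qp 4601 bytes 1200
2005-09-24 11:02:00.500000000 tcpserver: end 4600 status 0
"""

# "tcpserver: ok PID local:ip:port remotehost:remoteip:remoteinfo:remoteport"
OPEN_RE = re.compile(r"tcpserver: ok (?P<pid>\d+) \S+ (?P<remote>\S+)$")
ENV_RE = re.compile(r"smtpfront-qmail\[(?P<pid>\d+)\]: (?P<verb>MAIL FROM|RCPT TO):<(?P<addr>[^>]*)>")
ACCEPT_RE = re.compile(r"smtpfront-qmail\[(?P<pid>\d+)\]: Accepted message")


def parse_sessions(log_text):
    """Group log lines by tcpserver pid into one record per SMTP session."""
    sessions, order = {}, []
    for line in log_text.splitlines():
        m = OPEN_RE.search(line)
        if m:
            # remotehost is empty when tcpserver has no PTR record for the client
            host, ip, _info, _port = m.group("remote").split(":")
            sessions[m["pid"]] = {"pid": m["pid"], "ip": ip,
                                  "host": host or "(no reverse DNS)",
                                  "senders": [], "recipients": [], "accepted": 0}
            order.append(m["pid"])
            continue
        m = ENV_RE.search(line)
        if m and m["pid"] in sessions:
            key = "senders" if m["verb"] == "MAIL FROM" else "recipients"
            sessions[m["pid"]][key].append(m["addr"])
            continue
        m = ACCEPT_RE.search(line)
        if m and m["pid"] in sessions:
            sessions[m["pid"]]["accepted"] += 1
    return [sessions[pid] for pid in order]


def classify(session):
    """Flag null-sender sessions (bounces/DSNs) and sessions from private LAN addresses."""
    session["bounce"] = bool(session["senders"]) and all(s == "" for s in session["senders"])
    session["internal"] = ipaddress.ip_address(session["ip"]).is_private
    return session


def report(log_text):
    """One line per session: where it came from and what it tried to deliver."""
    lines = []
    for s in (classify(x) for x in parse_sessions(log_text)):
        kind = "bounce/DSN" if s["bounce"] else "regular"
        origin = "LAN" if s["internal"] else "Internet"
        lines.append(f"pid {s['pid']} {s['ip']} ({s['host']}) {origin} {kind} "
                     f"senders={s['senders']} rcpts={s['recipients']} accepted={s['accepted']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the real log (`/var/log/smtpfront-qmail/current`, or whatever the current log path on the box is) and count sessions by the LAN/Internet column: a stream of null-sender sessions from Internet hosts to root@ and postmaster@ is backscatter from forged mail, while a workstation pumping spam through the gateway shows up as LAN sessions with a non-empty sender and many distinct recipients.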

Texasboy

Spammer is hacking my boxes - spam is flowing...
« Reply #20 on: September 25, 2005, 05:54:40 AM »
Hey CharlieBrady, thanks for the idea. I totally overlooked the internet header of the e-mail. Sometimes when you are looking for the forest you bump into some trees :-D

I have also noticed that after disabling the LAN interface all has been quiet today. I also set up my "yum" and updated the server. I have attached a mail header from some of the bounced mail for documentation of what is going on and I also noticed that the mail seems to have a common theme of "update your ebay account ---- click here"

mail header

Received: from fe7.cox-internet.com ([66.76.2.52])
 by spike2.scsu.edu (SMSSMTP 4.1.7.33) with SMTP id M2005092321180322727
 for <cmjohnson@scsu.edu>; Fri, 23 Sep 2005 21:18:03 -0400
Received: from mondini.dyndns.org ([70.185.74.182]) by fe7.cox-internet.com
          (InterMail vK.4.04.00.03 201-232-140-20030416 license c6744489d3c0f75228b0e65fdc3f0157)
          with SMTP id <20050924011714.QRFZ1483.fe7@mondini.dyndns.org>
          for <cmjohnson@scsu.edu>; Fri, 23 Sep 2005 20:17:14 -0500
Received: (qmail 9140 invoked by uid 0); 19 Sep 2005 12:04:14 -0000
Date: 19 Sep 2005 12:04:14 -0000
Message-ID: <20050919120414.9139.qmail@mondini.dyndns.org>
To: cmjohnson@scsu.edu
Subject: Unauthorized transactions on your account
From: security@ebay.com <security@ebay.com>
Content-Type: text/html


thanks
texasboy
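The header block Texasboy posted is the part of a bounce that answers Charlie's question, because each MTA prepends its own Received: line, so reading the lines bottom-up gives the message's path from origin to final delivery. qmail stamps mail it accepts over SMTP as "invoked from network" and mail handed to qmail-queue on the machine itself as "invoked by uid N". The following Python script is an added example, not code from the thread or from SME Server; it parses that chain with the standard library, reports each hop in delivery order, and computes the gap between the earliest stamp and the final delivery. The input is the header posted above, used here unchanged as sample data.

```python
import email
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Sample input: the bounce header posted in this thread, verbatim
SAMPLE_HEADERS = """\
Received: from fe7.cox-internet.com ([66.76.2.52])
 by spike2.scsu.edu (SMSSMTP 4.1.7.33) with SMTP id M2005092321180322727
 for <cmjohnson@scsu.edu>; Fri, 23 Sep 2005 21:18:03 -0400
Received: from mondini.dyndns.org ([70.185.74.182]) by fe7.cox-internet.com
          (InterMail vK.4.04.00.03 201-232-140-20030416 license c6744489d3c0f75228b0e65fdc3f0157)
          with SMTP id <20050924011714.QRFZ1483.fe7@mondini.dyndns.org>
          for <cmjohnson@scsu.edu>; Fri, 23 Sep 2005 20:17:14 -0500
Received: (qmail 9140 invoked by uid 0); 19 Sep 2005 12:04:14 -0000
Date: 19 Sep 2005 12:04:14 -0000
Message-ID: <20050919120414.9139.qmail@mondini.dyndns.org>
To: cmjohnson@scsu.edu
Subject: Unauthorized transactions on your account
From: security@ebay.com <security@ebay.com>
Content-Type: text/html
"""

# "from <helo> ([<ip>]) by <host> ...": a hop between two MTAs over SMTP
RELAY_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d+\.\d+\.\d+\.\d+)\]?\)\s+by\s+(?P<by>\S+)")
# qmail's own stamp: local injection via qmail-queue, or receipt by qmail-smtpd
QMAIL_RE = re.compile(r"\(qmail \d+ invoked (?:by uid (?P<uid>\d+)|from network)\)")


def parse_hop(value):
    """Classify one unfolded Received: value and extract its timestamp."""
    text = " ".join(value.split())                 # join continuation lines
    stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
    if stamp.tzinfo is None:                       # "-0000" parses as naive; treat as UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    hop = {"when": stamp, "text": text}
    m = RELAY_RE.search(text)
    if m:
        hop.update(kind="relay", helo=m["helo"], ip=m["ip"], by=m["by"])
        return hop
    m = QMAIL_RE.search(text)
    if m:
        hop.update(kind="local" if m["uid"] is not None else "network", uid=m["uid"])
        return hop
    hop["kind"] = "unknown"
    return hop


def received_chain(raw_headers):
    """Hops in delivery order (earliest first): the last Received: header is the first hop."""
    msg = email.message_from_string(raw_headers)
    return [parse_hop(v) for v in reversed(msg.get_all("Received", []))]


def describe(raw_headers):
    """Human-readable path plus the time between first stamp and final delivery."""
    hops = received_chain(raw_headers)
    out = []
    for i, h in enumerate(hops):
        if h["kind"] == "relay":
            out.append(f"hop {i}: {h['helo']} [{h['ip']}] -> {h['by']} at {h['when'].isoformat()}")
        elif h["kind"] == "local":
            out.append(f"hop {i}: handed to qmail-queue locally by uid {h['uid']} at {h['when'].isoformat()}")
        elif h["kind"] == "network":
            out.append(f"hop {i}: accepted by qmail-smtpd from the network at {h['when'].isoformat()}")
        else:
            out.append(f"hop {i}: unrecognised: {h['text']}")
    out.append(f"elapsed from first stamp to final delivery: {hops[-1]['when'] - hops[0]['when']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(SAMPLE_HEADERS))
```

Two checks are worth making on every such chain: compare the client IP in each "from ... ([ip])" hop with your own public address from the tcpserver lines (here 70.185.74.182), and compare the earliest stamp's uid with the sender-uid table from the mail log and /etc/passwd. Note that only the hops written by hosts you trust are reliable; anything below the first hop your own server or its upstream wrote can be forged by the sender.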


Texasboy

Spammer is hacking my boxes - spam is flowing...
« Reply #22 on: September 25, 2005, 06:27:16 PM »
Well the bad news is it isn't coming from a workstation because I got another round of bounced mail today. With the LAN interface down it makes it impossible for a workstation to be sending mail. I do not think it is a hijacked e-mail address because when I check my mail logs I see sender UID 401 and 101 message counts have grown to 10551 mail messages. Is there any way to tie the UID 401 under the mail log "senders UID" to something useful? If I can tie the 401 UID to something I will be real close to stopping the spammer. I have done a "ps -aux" hoping that the PID was the same as a UID but nothing. I am guessing that Monday morning I will reload the SME server or pull it out of production.

Texasboy

Offline Curly

Spammer is hacking my boxes - spam is flowing...
« Reply #23 on: September 25, 2005, 09:36:15 PM »
The uid's can be found in /etc/passwd:
401 - qmaild
101 - admin
.......................................

Offline arne

Spammer is hacking my boxes - spam is flowing...
« Reply #24 on: September 26, 2005, 12:30:01 AM »
I had a little bit similar problem some time ago. It was not a SME server and it was not Qmail but Redhat with Postfix.

Well something happened with the mail server, it produced mail log files that filled up gigabytes on the server. I believed it was hacked. I also found different variants of IIS specific buffer overflow attacks and I thought this might be a part of the problem.

I then tried to look into the traffic using the iptraf traffic monitor and ethereal. (As I did not understand completely the mail and web log.)

What appeared to be the case was that there were no real faults on the mail server at all. The mail server received a stream of thousands of mails to false user accounts, and every time one was denied this produced a log entry.

I think this stream of false mail was running a week or so before I noticed it because of logfiles that filled gigs of data. I then applied some firewall rules that locked it out.

Don't know if this can have anything to do with the case mentioned above. Just some ideas ..
......

Offline arne

Spammer is hacking my boxes - spam is flowing...
« Reply #25 on: September 26, 2005, 12:35:07 AM »
By the way, this was a server on a server farm so I guess the spam came from some Windows neighbours or from internet.
......

Offline raem

Spammer is hacking my boxes - spam is flowing...
« Reply #26 on: September 26, 2005, 02:16:17 AM »
Texasboy

Charlie gave you the answer, it's mail being sent by other systems that are using your return address and sending messages to real and not real email addresses.
You WILL GET all the undelivered message bounces. Use the tip I posted to auto delete all of these. The problem is most likely external and there is nothing much you can do about it !
...