Koozali.org: home of the SME Server

Machine sending worm mail from my server, NOT an open relay

mapangojoe

Machine sending worm mail from my server, NOT an open relay
« on: December 08, 2005, 07:31:44 PM »
Hello All.  This morning I started to get a bunch of MAILER-DAEMON returned-email errors.  They all were from a non-real user on my network to Chinese sites.  Specifically, they were from one of my domains@mydomain.com (spcomputers@spcomputers.com).  Again, this user does not exist.  Below is an example header.

****************************************************
Hi. This is the qmail-send program at mapango.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<joonlove0125@hanmail.net>:
211.43.197.153 does not like recipient.
Remote host said: 550 5.1.1 <joonlove0125@hanmail.net>... Inactive mbox
Giving up on 211.43.197.153.

--- Below this line is a copy of the message.

Return-Path: <spcomputers@spcomputers.com>
Received: (qmail 4915 invoked from network); 8 Dec 2005 12:53:53 -0000
Received: from unknown (HELO fqx.ser.qdekm.com) (61.96.188.159)
  by server.mapango.net (66.225.16.170) with SMTP; 08 Dec 2005 12:53:53 -0000
Message-ID: <SMPYBAAHXJGPRLRXURYHID@IJSSK>
From: "±è±ÔÀ¸"<spcomputers@spcomputers.com>
To: joonlove0125@hanmail.net
Subject: =?ks_c_5601?q?<=B1=A4=B0=ED>=C3=EB=C1=F7=20100%=20=20"=BB=E7=C8=B8=20=BA=B9=C1=F6=BB=E7"=C0=DA=B7=E1=B4=C2=20=B9=AB=B7=E1"=20@oyt553@?=
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-Priority: 5
X-MSMail-Priority: Low
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-type: text/html
****************************************************

I am running SME 6.x, fully patched, and rkhunter.  All but one of the PCs in my office run Linux or OS X.  This seems to come from a worm called w32.jubon@mm.  It also seems to originate from a user running Outlook Express, which none of us run.  It could come from someone whom I host, but I'm having trouble finding a way to trace the mail back to the actual sender via the log files.  What is more funky is that we are ALL receiving the MAILER-DAEMON error.

Any ideas, all you gurus out there?  Or is there a qmail log file that will tell the IP of the machine sending the email?

Chris Curtis

CharlieBrady
Re: Machine sending worm mail from my server, NOT an open relay
« Reply #1 on: December 08, 2005, 10:23:50 PM »
Quote from: "mapangojoe"
Hello All.  This morning I started to get a bunch of MAILER-DAEMON, returned Email errors.


That's called backscatter. Google will find you an explanation.

Quote

Any ideas all you guru's out there, or is there a qmail log file that will tell the IP of the machine sending the Email?


You don't need to look in any log file - it's right in the text of the bounce message you've quoted - 66.225.16.170 - which accepted the mail from 61.96.188.159 and tried to relay it.

...
Return-Path: <spcomputers@spcomputers.com>
Received: (qmail 4915 invoked from network); 8 Dec 2005 12:53:53 -0000
Received: from unknown (HELO fqx.ser.qdekm.com) (61.96.188.159)
by server.mapango.net (66.225.16.170) with SMTP; 08 Dec 2005 12:53:53 -0000
Message-ID: <SMPYBAAHXJGPRLRXURYHID@IJSSK>
From: "±è±ÔÀ¸"<spcomputers@spcomputers.com>
...
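The reading of the bounce above can be automated. The following is an added example (not code from the thread or from SME Server): it splits a qmail-send bounce into the failed-recipient list and the copy of the original message, then walks the Received: chain from the top down to find the first hop where our own MTA is the "by" host. The "from" side of that hop is the machine that handed the message to us; if the recipient qmail gave up on is not in a domain we host, our server accepted mail from outside and tried to deliver it outside. The host/domain sets and both sample bounces are constructed for the example (the first is the one quoted in the first post with the mis-encoded display name dropped).

```python
"""Trace a qmail bounce back to the hop where our own MTA accepted the message.

Added example, not code from the thread or SME Server. Answers: which IP handed
the message to our server, and was the failed recipient local or foreign?
"""
import re
from email import message_from_string

OUR_MTA = {"server.mapango.net", "66.225.16.170"}   # our 'by' names (assumption)
OUR_DOMAINS = {"mapango.net", "spcomputers.com"}    # domains we host (assumption)

SEPARATOR = "--- Below this line is a copy of the message."
# qmail-send lists each failed recipient as "<user@host>:" on a line of its own.
FAILED_RCPT_RE = re.compile(r"^<([^>]+)>:\s*$", re.M)
# One hop as written by qmail-smtpd/qpsmtpd:
#   from <rdns> (HELO <name>) (<ip>) by <host> (<ip>) with SMTP; <date>
HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"\s+by\s+(?P<by>[\w.-]+)",
    re.I,
)

# Constructed sample: the bounce from the first post, body trimmed.
SAMPLE_BOUNCE = """\
Hi. This is the qmail-send program at mapango.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<joonlove0125@hanmail.net>:
211.43.197.153 does not like recipient.
Remote host said: 550 5.1.1 <joonlove0125@hanmail.net>... Inactive mbox
Giving up on 211.43.197.153.

--- Below this line is a copy of the message.

Return-Path: <spcomputers@spcomputers.com>
Received: (qmail 4915 invoked from network); 8 Dec 2005 12:53:53 -0000
Received: from unknown (HELO fqx.ser.qdekm.com) (61.96.188.159)
  by server.mapango.net (66.225.16.170) with SMTP; 08 Dec 2005 12:53:53 -0000
Message-ID: <SMPYBAAHXJGPRLRXURYHID@IJSSK>
From: <spcomputers@spcomputers.com>
To: joonlove0125@hanmail.net
Subject: constructed sample

<html>body omitted</html>
"""

# Constructed contrast case: someone else's MTA bouncing a message that never
# touched our server, with our address forged as sender (pure backscatter).
SAMPLE_FOREIGN_BOUNCE = """\
Hi. This is the qmail-send program at mx.example.org.
<nobody@example.org>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <chris@spcomputers.com>
Received: from unknown (HELO zombie) (192.0.2.55)
  by mx.example.org (198.51.100.25) with SMTP; 30 Sep 2006 09:00:00 -0000
From: <chris@spcomputers.com>
To: nobody@example.org

spam
"""


def parse_bounce(text):
    """Split a qmail-send bounce into (failed recipients, copy of the original)."""
    preamble, _, original = text.partition(SEPARATOR)
    return FAILED_RCPT_RE.findall(preamble), message_from_string(original.lstrip("\n"))


def accepting_hop(msg):
    """Topmost Received: hop whose 'by' is one of OUR_MTA, or None.

    Received: headers are prepended, so the first match walking down is where
    we took the message in; its 'from' side is the machine that handed it over.
    """
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))   # unfold continuation lines
        if m and m.group("by").lower() in OUR_MTA:
            return {"ip": m.group("ip"), "helo": m.group("helo") or m.group("rdns"),
                    "by": m.group("by")}
    return None


def analyze(text):
    failed, msg = parse_bounce(text)
    hop = accepting_hop(msg)
    foreign = [r for r in failed if r.rsplit("@", 1)[-1].lower() not in OUR_DOMAINS]
    if hop is None:
        verdict = "backscatter: another MTA bounced mail we never handled"
    elif foreign:
        verdict = "our MTA accepted mail from %s and tried to deliver it off-site" % hop["ip"]
    else:
        verdict = "our MTA accepted mail from %s for a local recipient" % hop["ip"]
    return {"failed": failed, "foreign": foreign, "hop": hop, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_BOUNCE, SAMPLE_FOREIGN_BOUNCE):
        print(analyze(sample)["verdict"])
```

Only the copy of the original message is analysed, not the outer bounce; the Received: lines our server adds when it accepts the bounce itself sit on the outer message and say nothing about who injected the spam.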

mapangojoe

Re: Machine sending worm mail from my server, NOT an open relay
« Reply #2 on: December 08, 2005, 11:29:29 PM »
You write that:

>66.225.16.170 - which accepted the mail from >61.96.188.159 and tried to relay it.

I am 66.225.16.170, and I have tested it, and it is not an open relay.  So, are you saying that 61.96.188.159 asked me to relay mail?  Normally, when that happens, I get an error saying something about "not in my rcpt list" or something like that.

Is this something coming from my network (I can't see it if it is) or is this spam pretending to be me, and I'm getting the bounced messages?

I did read about backscatter, but I'm still not clear if this is something that came from my network, or like a joe job using my domain?

Please elaborate!

Chris Curtis


mapangojoe

I don't like what I'm reading, referring to Qmail backscatter
« Reply #3 on: December 09, 2005, 12:22:51 AM »
I took the advice of the kind responder and have been spending all day reading about Qmail and backscatter.

From what I read this DOES NOT look good for SME and Qmail.  Post after post on the net reads "qmail is old, outdated and lame" in reference to backscatter.  I did not see any solution to my SME/Qmail backscatter problem.  Most posts suggested replacing qmail with exim/postfix or some other "modern" MTA.

I'm hoping someone here can post an actual solution for someone running SME.  If not, this will be an ongoing and worsening problem for SME users, because this is a problem for anyone running Qmail.

thethinman

Machine sending worm mail from my server, NOT an open relay
« Reply #4 on: December 09, 2005, 02:21:30 AM »
I could be wrong but doesn't the "double bounce how to" take care of this problem?

CharlieBrady
Re: I don't like what I'm reading, referring to Qmail backscatter
« Reply #5 on: December 09, 2005, 03:09:06 AM »
Quote from: "mapangojoe"

From what I read this DOES NOT look good for SME and Qmail.  Post after post on the net reads "qmail is old, outdated and lame" in reference to backscatter.  I did not see any solution to my SME/Qmail backscatter problem.  Most posts suggested replacing qmail with exim/postfix or some other "modern" MTA.


The issues with qmail and backscatter all relate to the lack of filtering capabilities in qmail-smtpd. But SME server hasn't used qmail-smtpd since early 2002!

There is little you can do to prevent backscatter from other sites being sent to your users. That's what you are complaining about here.

You can do something to prevent your site from sending backscatter to other sites. To do that you need to accept only mail which you are going to deliver to legitimate users' mailboxes. For versions 6.x, you'll need a variety of contribs to do that. For 7.0 (currently in beta) all required measures (recipient checking, virus and spam detection) are built in.

CharlieBrady
Machine sending worm mail from my server, NOT an open relay
« Reply #6 on: December 09, 2005, 03:11:17 AM »
Quote from: "thethinman"
I could be wrong but doesn't the "double bounce how to" take care of this problem?


That will only take care of undeliverable bounces ending up in the admin mailbox. This is a deliverable bounce, but it's to an innocent party, not to the real sender of the original message.

alejandro

Re: I don't like what I'm reading, referring to Qmail backscatter
« Reply #7 on: December 09, 2005, 03:19:49 AM »
Quote from: "mapangojoe"
.......
From what I read this DOES NOT look good for SME and Qmail.  Post after post on the net reads "qmail is old, outdated and lame" in reference to backscatter.  I did not see any solution to my SME/Qmail backscatter problem.  Most posts suggested replacing qmail with exim/postfix or some other "modern" MTA.

I'm hoping someone here can post an actual solution for someone running SME.  If not, this will be an ongoing and worsening problem for SME users, because this is a problem for anyone running Qmail.


Allow me to disagree with this.
You could try to fix backscatter issue...
(from http://blog.centresource.com/2005/05/03/backscatter/ )

"by simply configuring your mailserver to reject mail for unknown users right off the bat at the SMTP “RCPT TO” command, rather than accepting, queueing and generating NDRs. Any modern mailserver (as well as qmail and sendmail) will let you configure it in this way, and there’s an excellent list of resources for doing this on many mailservers that you can find here: http://spamlinks.net/prevent-secure-backscatter.htm#reject"

Where you'll find this:

goodrcptto - www.chater.demon.co.uk/qmail/
LDAP with qmail - www.lifewithqmail.org/ldap/
bad-rcpt-noisy-patch - www.iecc.com/bad-rcpt-noisy-patch.txt
qmail-realrcptto - code.dogmap.org./qmail/
Spamming for Qmail - postmaster.gtcs.com/QMailSpammers.php
Recipient checking - http.netdevice.com:9080/qmail/rcptck/

Of course any modifications should be done through the custom templates procedure.
Hope this can help.
Regards
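The difference between "accept, queue and generate an NDR" and "reject at RCPT TO" that alejandro's quote describes, as an added example (not code from the thread, SME Server or qmail): a toy SMTP receiver runs the same forged session under both policies. The domain, mailbox list and session are constructed for the example. The receiver also refuses recipients outside its own domains with the rcpthosts-style 553 that qmail-smtpd gives, so the relay attempt in the session is refused under both policies; only the unknown-user handling differs.

```python
"""Why rejecting at RCPT TO stops backscatter: one forged session, two receiver policies.

Added example, not code from the thread, SME Server or qmail. Only the receiver
that accepts every local-domain recipient and bounces unknown ones later ends up
queuing a bounce to the forged Return-Path, i.e. backscatter to a third party.
"""

LOCAL_DOMAINS = {"spcomputers.com"}        # assumption: domain we accept mail for
LOCAL_USERS = {"chris@spcomputers.com"}    # assumption: the only real mailbox


class ToySMTP:
    """Just enough of the SMTP envelope phase to show the policy difference."""

    def __init__(self, reject_unknown):
        self.reject_unknown = reject_unknown
        self.sender = None
        self.rcpts = []
        self.transcript = []   # both sides of the dialogue, prefixed C:/S:
        self.queue = []        # (recipient, body) our MTA now has to deliver
        self.bounces = []      # (return_path, recipient) bounces we would emit

    def _reply(self, line):
        self.transcript.append("S: " + line)
        return line

    def command(self, line):
        self.transcript.append("C: " + line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return self._reply("250 server.spcomputers.com")
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip("<> ")
            return self._reply("250 ok")
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ").lower()
            if rcpt.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
                # Not our domain and no SMTP AUTH on this session: refuse to relay.
                return self._reply("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)")
            if self.reject_unknown and rcpt not in LOCAL_USERS:
                # The fix: refuse now, while the real sending host is still on the wire.
                return self._reply("550 sorry, no mailbox here by that name (#5.1.1)")
            self.rcpts.append(rcpt)
            return self._reply("250 ok")
        if verb == "DATA":
            return self._reply("354 go ahead" if self.rcpts else "503 no valid recipients")
        if verb == "QUIT":
            return self._reply("221 bye")
        return self._reply("502 unimplemented")

    def data(self, body):
        """Message body after a 354: from here on, delivery failures become bounces."""
        if not self.rcpts:
            return self._reply("503 no valid recipients")
        self.transcript.append("C: <%d bytes of message> ." % len(body))
        for rcpt in self.rcpts:
            if rcpt in LOCAL_USERS:
                self.queue.append((rcpt, body))
            else:
                # Accepted at RCPT TO, undeliverable now: the bounce goes to the
                # envelope sender, which the spammer forged.
                self.bounces.append((self.sender, rcpt))
        self.rcpts = []
        return self._reply("250 ok queued")


def run_forged_session(reject_unknown):
    """Replay a spam run with a forged sender against a receiver with the given policy."""
    srv = ToySMTP(reject_unknown)
    for cmd in ("HELO fqx.ser.qdekm.com",
                "MAIL FROM:<innocent@mapango.net>",      # forged return path
                "RCPT TO:<chris@spcomputers.com>",        # real mailbox
                "RCPT TO:<nosuchuser@spcomputers.com>",   # dictionary attack
                "RCPT TO:<joonlove0125@hanmail.net>",     # relay attempt
                "DATA"):
        srv.command(cmd)
    srv.data("<html>spam</html>")
    srv.command("QUIT")
    return srv


if __name__ == "__main__":
    for policy in (False, True):
        srv = run_forged_session(policy)
        print("reject_unknown=%s -> bounces: %s" % (policy, srv.bounces))
        print("\n".join(srv.transcript), end="\n\n")
```

Both receivers deliver the one legitimate message and refuse the relay; the only observable difference is the bounce the lax receiver owes to innocent@mapango.net, which is exactly the message the people on this thread are receiving.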

raem
Re: I don't like what I'm reading, referring to Qmail backscatter
« Reply #8 on: December 09, 2005, 12:51:50 PM »
> They all were from a non real user on my network to chineese sites...

> configuring your mailserver to reject mail for unknown users right off the bat at the SMTP “RCPT TO” command

The free dungog mailblocking contrib (by default) will reject all mail sent to invalid users (no need to configure anything just install it).
...

thethinman

Machine sending worm mail from my server, NOT an open relay
« Reply #9 on: December 09, 2005, 05:58:41 PM »
Quote from: "CharlieBrady"
Quote from: "thethinman"
I could be wrong but doesn't the "double bounce how to" take care of this problem?


That will only take care of undeliverable bounces ending up in the admin mailbox. This is a deliverable bounce, but it's to an innocent party, not to the real sender of the original message.


Sorry, my bad.

mapangojoe

Machine sending worm mail from my server, NOT an open relay
« Reply #10 on: December 10, 2005, 01:26:10 AM »
Hello All.  And thanks to all who replied and offered assistance.  I have the dungog mail-block RPM installed, but that did not help.  It could be that I have not configured it correctly.

My solution (if you can call it that) was to create an iptables rule to block the IP to the server my server was trying to reply to.  This has worked for now, even though it is a completely  inelegant solution.

Thanks again for your replies!

Have a great weekend.

Chris Curtis

CharlieBrady
Re: Machine sending worm mail from my server, NOT an open relay
« Reply #11 on: December 10, 2005, 05:23:08 PM »
Quote from: "mapangojoe"

My solution (if you can call it that) was to create an iptables rule to block the IP to the server my server was trying to reply to.  This has worked for now, even though it is a completely  inelegant solution.


It's not really a solution. You'll still receive those bounce messages - but in a week's time, not immediately.

You'd be much better off to change your doublebounce configuration. And better again to get inbound mail filtering correctly configured. (In fact, it is possible that it is already correctly configured, and you are just seeing doublebounces from messages which have been stuck in your queue for a while).

nate
Is this still true?
« Reply #12 on: February 15, 2006, 01:45:28 AM »
Quote
The free dungog mailblocking contrib (by default) will reject all mail sent to invalid users (no need to configure anything just install it).

 
Is there a way around this?

Jan 3, 2005 - Commented out dungog-mailblocking - it must be disabled to allow the fetchmail pop3 contrib to work...
....Making the Jump to 7.x   8-)

GPete
Machine sending worm mail from my server, NOT an open relay
« Reply #13 on: September 30, 2006, 12:36:19 PM »
I'm getting bounce traffic from all over the world and the mail log indicates a spike in messages. I assume that confirms that my server has been used as a relay for spamming.

These are the settings from my server.  Are there any changes I can make to prevent relays?

E-mail settings
POP3 server access    Allow private
IMAP server access    Allow private
Webmail access    Allow HTTPS (secure)

Virus scanning    Enabled
Spam filtering    Enabled
Executable content blocking    Enabled

E-mail retrieval mode    Standard (SMTP)
SMTP authentication    Allow SSMTP (secure)


Forwarding address for administrative notices “me”@yahoo.com
E-mail to unknown users    Send to “me”
Address of internal mail server    
Address of Internet provider's mail server

raem
Machine sending worm mail from my server, NOT an open relay
« Reply #14 on: September 30, 2006, 01:35:06 PM »
GPete

> I'm getting bounce traffic from all over the world ...
> I assume that confirms that my server has been used as a relay..

Probably a wrong assumption.
Someone (or a virus) is sending spam or virus infected messages to invalid addresses on other peoples servers, and using your return email address.
The other servers send the undeliverable message to you or valid users on your server, or even invalid users on your server.

These "undeliverable message" messages are what you are now receiving lots of.


> E-mail to unknown users    Send to “me”

I'd change that to Return to sender and then you won't be bothered by that rubbish.
You then will probably receive a fair bit of doublebounce messages, see below.
I assume you are using sme6 without mailblocking installed, as sme7 will reject messages to invalid addresses.
On sme6 you can install the dungog mailblocking contrib which will reject all messages sent to invalid addresses, by default, and also install the dungog doublebounce contrib.

Better still upgrade to sme7 if you are not using that.
...

GPete
Maybe you missed........
« Reply #15 on: October 01, 2006, 11:48:38 AM »
Maybe you missed the part about a spike in email messages. (More than a thousand messages that didn't come from inside my system. )

Turning off the backsplatter is like burying my head in the sand. I wouldn't know that my system was being used for a spam relay.

I'm really looking for a way to prevent the relay, not a way to hide from it.

I'm running SME 7, and  I'm hoping that my settings are incorrect and someone can tell me what to change.

E-mail settings
POP3 server access  Allow private
IMAP server access  Allow private
Webmail access  Allow HTTPS (secure)

 
Virus scanning  Enabled
Spam filtering  Enabled
Executable content blocking  Enabled
 
 
E-mail retrieval mode  Standard (SMTP)
SMTP authentication  Allow SSMTP (secure)

 
Forwarding address for administrative notices  “me”@yahoo.com
E-mail to unknown users  Send to “me”
Address of internal mail server    
Address of Internet provider's mail server

christian
Machine sending worm mail from my server, NOT an open relay
« Reply #16 on: October 01, 2006, 05:06:10 PM »
I've noticed a spike in the last two days as well. But in my case, it definitely looks like back spatter.

The last time this happened, I enabled an SPF record in my DNS record (my ISP allows me to add this). I also dealt with the double bounce.

Back spatter went to almost 0 for about a year until about two days ago. I'm assuming a spike an activity somewhere plus the fact they got hold of my legitimate addresses.

BTW on SPF, I know there is some controversy about it being heavy weight but it is a start.
SME since 2003
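The SPF check christian mentions is done by the receiving site, at MAIL FROM, before it has accepted anything it might later have to bounce. The following is an added example (not code from the thread or SME Server) of that evaluation, with DNS replaced by a constructed table of TXT records so it runs offline; the records, IPs and domains are assumptions. It models ip4/ip6/all and include; a/mx/ptr/exists and redirect= need live DNS and yield permerror here. Note the limit of the approach: it only reduces backscatter from sites that actually check SPF, and a publishing domain whose mail is forwarded through hosts not listed in its record will see its own legitimate mail fail.

```python
"""SPF evaluation on the receiving side, against constructed DNS data.

Added example, not code from the thread or SME Server. A receiver that checks
SPF at MAIL FROM can refuse a message whose envelope sender is forged to one of
our domains, so there is never anything for it to bounce back to us.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption, not a real zone).
TXT_RECORDS = {
    "mapango.net": "v=spf1 ip4:66.225.16.170 include:_spf.isp.example -all",
    "_spf.isp.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > 10:                      # RFC 7208 caps lookups at 10; deeper is permerror
        return "permerror"
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # mechanisms are tried left to right, first match wins
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("redirect="):
            return "permerror"          # would need another lookup; not modelled
        if "=" in term:
            continue                    # other modifiers (exp=) do not affect the result
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            matched = check_host(ip, value, depth + 1) == "pass"
        else:
            return "permerror"          # a, mx, ptr, exists need live DNS
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched and no 'all' present


def mail_from_reply(client_ip, mail_from):
    """What an SPF-checking receiver answers to MAIL FROM, given the connecting IP."""
    domain = mail_from.strip("<> ").rsplit("@", 1)[-1]
    result = check_host(client_ip, domain)
    if result == "fail":
        return result, "550 5.7.1 SPF fail: %s is not permitted to send mail for %s" % (client_ip, domain)
    if result == "softfail":
        return result, "250 ok (softfail: accepted, but weighted in spam scoring)"
    return result, "250 ok"


if __name__ == "__main__":
    # The injecting host from the bounce in the first post, forging a mapango.net sender.
    print(mail_from_reply("61.96.188.159", "<innocent@mapango.net>"))
    print(mail_from_reply("66.225.16.170", "<chris@mapango.net>"))
```

With the record above, a receiver that enforces SPF answers the forging host with a 550 at MAIL FROM and the session never reaches DATA, so no NDR is ever generated for the forged address; a receiver that does not check SPF behaves as before, which is why the double-bounce handling christian also mentions still matters.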

raem
Re: Maybe you missed........
« Reply #17 on: October 01, 2006, 05:23:28 PM »
GPete

> Maybe you missed the part about a spike in email messages.

No I didn't.

> I'm getting bounce traffic from all over the world and the mail log indicates a spike in messages.

You identified the mail as bounces, and clearly that is external traffic coming into your server, so of course you would see more activity in the mail log.

> I assume that confirms that my server has been used as a relay for spamming.

You provided no details about the messages. If you provided the message headers it would tell us something. If you quoted the exact message you received then that would also tell us something.
As you provided none of that detail then I made the most likely conclusion, and that was that your assumption was incorrect.

You have provided no evidence to support your assumption that your server is a relay. All the settings look satisfactory and would not normally allow "spam relaying" as you call it.

Read my previous post for the mechanics of how it works.

Turning on the option to "return undeliverable messages to sender" is not burying your head in the sand, it's simply an administrative decision.
Ultimately it's whether you consider there is any value in reading emails sent to unknown users etc. Personally I think there is no value in doing that.

Deleting doublebounce messages is a very effective way of dealing with that type of traffic, which is more often related to other servers using your return email address and sending spam and virus infected messages to (often) invalid users on other servers, thus generating bounces.

What you are most probably seeing is simply a busy spam server somewhere, which has harvested your domain addresses.

Absorb what I'm saying and you will see it makes sense.

There was a recent posting which detailed how to configure doublebounce deletion on sme7.
...