Koozali.org: home of the SME Server

Unauthorized Mail Relay - Spam

« on: December 10, 2010, 04:26:55 PM »
Hi All
I use SME 7.5 as the mail server for our organization. A strange thing happened on 22.12.2010. My qmail server suddenly started relaying SMTP messages from third parties (obviously spammers) to the mail accounts of all the popular email service providers. There was a massive flood of junk mail relayed through our mail server on 22.11.2010, 23.11.2010, 29.11.2010 and on a daily basis from 01.12.2010.

The obvious thing to ask is what kind of administration I am doing if I have not detected the pattern for well over three weeks. The trouble is probably just confidence. The system and the configuration settings have been working well for us for over a year. I am just guessing that someone found a loophole in the authentication system or the Horde framework.

The strangest thing is that all the bounced emails have MAILER-DAEMON@mail.domain.com as the sender. How can that be? If anyone has faced this problem before, please let me know the causes of this kind of security breach.

Any help in this matter is highly appreciated. Thanks.



The very first spam email to bounce looks as shown below. For obvious reasons, I have redacted our domain name.

Return-Path: <#@[]>
Delivered-To: postmaster@iris.mail.domain.com
Received: (qmail 14862 invoked by alias); 22 Nov 2010 14:00:26 -0000
Delivered-To: alias-localdelivery-postmaster@mail.domain.com
Received: (qmail 14858 invoked for bounce); 22 Nov 2010 14:00:26 -0000
Date: 22 Nov 2010 14:00:26 -0000
From: MAILER-DAEMON@mail.domain.com
To: postmaster@mail.domain.com
Subject: failure notice

Hi. This is the qmail-send program at mail.domain.com.
I tried to deliver a bounce message to this address, but the bounce bounced!

:
69.89.17.13 does not like recipient.
Remote host said: 550 No Such User Here
Giving up on 69.89.17.13.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 11737 invoked for bounce); 22 Nov 2010 13:52:42 -0000
Date: 22 Nov 2010 13:52:42 -0000
From: MAILER-DAEMON@mail.domain.com
To: info@henninghansen.com
Subject: failure notice

Hi. This is the qmail-send program at mail.domain.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
65.54.188.126 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.54.188.126.

:
65.54.188.110 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.54.188.110.

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 5973 invoked by uid 453); 22 Nov 2010 13:36:11 -0000
X-Virus-Checked: Checked by ClamAV on mail.domain.com
Received: from localhost (HELO localhost) (127.0.0.1)
    by mail.domain.com (qpsmtpd/0.83) with ESMTP; Mon, 22 Nov 2010 19:06:11 +0530
Received: from 12.184.220.87.dynamic.jazztel.es
 (12.184.220.87.dynamic.jazztel.es [87.220.184.12]) by mail.domain.com
 (Horde Framework) with HTTP; Mon, 22 Nov 2010 19:06:11 +0530
Message-ID: <20101122190611.7468170x16583a2o@mail.domain.com>
Date: Mon, 22 Nov 2010 19:06:11 +0530
From: HENNING HANSEN
Reply-to: sgthenninghansenmil@yahoo.com.hk
To: undisclosed-recipients:;
Subject: Hello friend
MIME-Version: 1.0
Content-Type: text/plain;
 charset=ISO-8859-1;
 DelSp="Yes";
 format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.6)

Hello friend,
My name is Sgt Henning Hansen,I am in the Engineering military unit 
herein Ba'qubah  in Iraq,we have some amount of funds that we want to 
move out of the country.But we are moving it through Diplomatic means, 
to send it to your house  directly or a bank of your choice using 
Diplomatic Courier Service, Once the funds  get to you, you take your 
30% out and keep our own70%.The most important thing is that can we   
trust you? Waiting for your urgent response via my 
privateemail;sgthenninghansenmil@yahoo.com.hk
Regards,
Sgt Henning Hansen


Prasad Talasila
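The bounce quoted above answers its own question once the Received: chain is read bottom-up: the innermost hop was accepted "by mail.domain.com (Horde Framework) with HTTP" from a dynamic jazztel.es address, so the message was submitted through the webmail compose page, not relayed over SMTP, and the bounces carry MAILER-DAEMON because qmail-send generated them for mail it had itself accepted. The following script is an added example (not code from the thread or from SME Server) that walks a Received: chain and labels the submission channel. The sample message is constructed to mirror the header shapes in the post, with placeholder hostnames and documentation-range addresses.

```python
"""Walk the Received: chain of a bounced message back to its injection point.
Added example: the sample is constructed to mirror the header shapes quoted
in the post, with placeholder hostnames and documentation-range addresses."""
import re
from email import message_from_string

# Constructed sample (not the original bounce): outermost hop first, as in a real message.
SAMPLE_MESSAGE = """\
Return-Path: <>
Received: (qmail 5973 invoked by uid 453); 22 Nov 2010 13:36:11 -0000
X-Virus-Checked: Checked by ClamAV on mail.example.org
Received: from localhost (HELO localhost) (127.0.0.1)
    by mail.example.org (qpsmtpd/0.83) with ESMTP; Mon, 22 Nov 2010 19:06:11 +0530
Received: from host.dynamic.isp.example
 (host.dynamic.isp.example [198.51.100.12]) by mail.example.org
 (Horde Framework) with HTTP; Mon, 22 Nov 2010 19:06:11 +0530
Message-ID: <20101122190611.placeholder@mail.example.org>
From: Someone <someone@example.org>
To: undisclosed-recipients:;
Subject: Hello friend

(body omitted)
"""

# Accepts both "[198.51.100.12]" (qpsmtpd/Horde style) and "(127.0.0.1)" (qmail style).
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def parse_received(raw):
    """Return one dict per Received: header, in header order (newest hop first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        v = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m_from = re.match(r"from (\S+)", v)
        if not m_from:
            # Local injection such as "(qmail NNN invoked by uid NNN)": no remote peer.
            hops.append({"from": None, "ip": None, "by": None, "agent": None,
                         "with": None, "raw": v})
            continue
        m_by = re.search(r"\bby (\S+)(?: \(([^)]*)\))?", v)
        m_with = re.search(r"\bwith ([A-Za-z0-9-]+)", v)
        m_ip = IP_RE.search(v)
        hops.append({
            "from": m_from.group(1),
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "agent": m_by.group(2) if m_by and m_by.group(2) else None,
            "with": m_with.group(1) if m_with else None,
            "raw": v,
        })
    return hops


def submission_hop(raw):
    """The earliest hop that names a remote peer: where the message entered our server."""
    for hop in reversed(parse_received(raw)):
        if hop["from"]:
            return hop
    return None


def classify(hop):
    """Label the submission channel from the 'with' keyword and the receiving agent."""
    proto = (hop["with"] or "").upper()
    if proto == "HTTP":
        return "webmail submission"             # e.g. the Horde/IMP compose page
    if proto in ("ESMTPA", "ESMTPSA"):
        return "authenticated SMTP submission"  # RFC 3848 keywords
    return "SMTP relay"


if __name__ == "__main__":
    hop = submission_hop(SAMPLE_MESSAGE)
    print(classify(hop), "from", hop["ip"], "via", hop["agent"])
```

Run against a real bounce, the interesting output is the peer address and agent of the earliest hop: a webmail submission from an address outside the organization points at an account being driven through the web interface, which is the case cactus and CharlieBrady describe in the replies.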

cactus (http://www.snetram.nl)
Re: Unauthorized Mail Relay - Spam
« Reply #1 on: December 10, 2010, 04:30:37 PM »
I think one of the systems on your domain is infected by a bot and is sending SPAM (through your mail server) or someone is sending mail spoofing your domain. Messages that turn out undeliverable are returned to your server.

Do you have custom modifications in your SME Server? Normally SME Server is configured to not relay for domains unknown to the server; only domains configured on your SME Server are allowed to use your mail server as a mail server.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Re: Unauthorized Mail Relay - Spam
« Reply #2 on: December 10, 2010, 04:37:27 PM »
Thanks for the quick reply.

You may be right about the compromised host / account. I am scanning through the latest set of bounce messages and they all seem to originate from one mailbox / user. I will investigate further in this direction.

There is only one extra domain in the "Domains" category of the server manager. I pretty much trust and maintain that server too.

There are no custom modifications to the mail server. The Horde themes have been modified for graphics at a very minimal level. The welcome page of the Horde Webmail has been modified to contain links to other parts of the organization's webpage.

Other than the links there are no custom modifications to the SME server's standard configuration.

- Prasad Talasila.

cactus
Re: Unauthorized Mail Relay - Spam
« Reply #3 on: December 10, 2010, 07:24:10 PM »
Quote
You may be right about the compromised host / account. I am scanning through the latest set of bounce messages and they all seem to originate from one mailbox / user. I will investigate further in this direction.
Please let us know if this is the case.

Quote
There are no custom modifications to the mail server. The Horde themes have been modified for graphics at a very minimal level. The welcome page of the Horde Webmail has been modified to contain links to other parts of the organization's webpage.

Other than the links there are no custom modifications to the SME server's standard configuration.
Those customizations should normally not be harmful.

CharlieBrady
Re: Unauthorized Mail Relay - Spam
« Reply #4 on: December 10, 2010, 11:43:37 PM »
Quote
There was a massive flood of junk mail relay through our mail server on 22.11.2010, 23.11.2010, 29.11.2010 and on daily basis from 01.12.2010.

The first thing you must do is to immediately shut down qmail, so that the sending of spam ceases. You should not re-enable qmail until after you have identified the source of the problem and cleared the mail queue.

Quote
I am just guessing that some one just found a loophole in the authentication system or the Horde frame work.

Better not to guess, but to examine the evidence and make an informed decision.

I would suggest you look through httpd access logs and see who and from where /webmail was accessed around that time.

Send mail to security at lists.contribs.org if you have doubts as to how to proceed, or you think there might be a security flaw.

CharlieBrady
Re: Unauthorized Mail Relay - Spam
« Reply #5 on: December 12, 2010, 05:24:45 PM »
Quote
I am just guessing that some one just found a loophole in the authentication system or the Horde frame work

Did you solve this problem? Was it anything other than a compromised account password?

Re: Unauthorized Mail Relay - Spam
« Reply #6 on: December 13, 2010, 05:44:34 AM »
Thank you Mr. Charlie Brady for the useful suggestions. I have shut down qmail and deleted the queue contents. There were about 26,000 messages waiting in the queue to be delivered.

A lot of messages originated through the Horde framework. Almost 9700 messages were sent between 22.11.2010 and 29.10.2010. This many messages is highly unusual for our organization. This can only be done through some sort of script that exploits a Horde framework loophole. The access log clearly shows almost 9700 accesses to the compose page of the Horde framework. No further automated sending took place after 29.12.2010. Hence qmail stored all the past messages, still trying to deliver them. I have deleted all the queue contents as I said before.

One thing that needs to be concluded is whether the intruder broke an account or just exploited a loophole in the Horde framework. Any suggestions for coming to a proper conclusion regarding this matter are highly appreciated.

I have the list of IP addresses from the access logs. I will extract them from the access logs and publish them here soon so that these offending IP ranges can be blocked through the firewall.

I will look more into this problem. So far no qmail vulnerabilities came out of my examination.

Thanks again for the informed replies. I will post the IP addresses soon.

-Prasad Talasila.
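CharlieBrady's advice in Reply #4 (look through the httpd access logs for who accessed /webmail, and from where) and the finding in Reply #6 (almost 9700 hits on the Horde compose page) are the same check done by hand. The script below is an added example, not code from the thread or from SME Server, that does that check over an Apache combined-format access log: it keeps only POSTs to the compose page, summarizes them per client address, and flags addresses whose sends per minute exceed what a person at a compose form produces. It assumes the compose page is at /webmail/imp/compose.php (the Horde 3 / IMP 4 layout); the log lines are constructed with documentation-range addresses, not the poster's real log.

```python
"""Count Horde compose-page sends per client address in an Apache access log,
to spot the scripted bursts described in the thread. Added example, not SME
Server code. Assumptions: combined log format, and the IMP compose page at
/webmail/imp/compose.php (the Horde 3 / IMP 4 layout)."""
import re
from collections import Counter
from datetime import datetime

COMPOSE_PATH = "/webmail/imp/compose.php"  # assumed location of the compose page

# Constructed sample lines (documentation-range addresses), not a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Nov/2010:19:02:40 +0530] "GET /webmail/imp/compose.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Nov/2010:19:04:02 +0530] "POST /webmail/imp/compose.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Nov/2010:19:04:05 +0530] "GET /webmail/imp/mailbox.php HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
198.51.100.12 - - [22/Nov/2010:19:05:50 +0530] "POST /webmail/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.12 - - [22/Nov/2010:19:06:11 +0530] "POST /webmail/imp/compose.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.12 - - [22/Nov/2010:19:06:18 +0530] "POST /webmail/imp/compose.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.12 - - [22/Nov/2010:19:06:25 +0530] "POST /webmail/imp/compose.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.12 - - [22/Nov/2010:19:06:33 +0530] "POST /webmail/imp/compose.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.12 - - [22/Nov/2010:19:06:47 +0530] "POST /webmail/imp/compose.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.12 - - [22/Nov/2010:19:06:59 +0530] "POST /webmail/imp/compose.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.12 - - [22/Nov/2010:19:07:05 +0530] "POST /webmail/imp/compose.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.12 - - [22/Nov/2010:19:07:14 +0530] "POST /webmail/imp/compose.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append({
            "ip": m.group("ip"),
            "ts": ts,
            "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],  # drop any query string
            "status": int(m.group("status")),
        })
    return entries


def compose_posts(entries):
    """Only POSTs to the compose page count: a GET renders the form, a POST sends."""
    return [e for e in entries if e["method"] == "POST" and e["path"] == COMPOSE_PATH]


def summarize(entries):
    """Per client address: total sends, first/last seen, and the busiest single minute."""
    per_ip = {}
    for e in entries:
        s = per_ip.setdefault(e["ip"], {"count": 0, "first": e["ts"],
                                        "last": e["ts"], "minutes": Counter()})
        s["count"] += 1
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
        s["minutes"][e["ts"].replace(second=0)] += 1
    for s in per_ip.values():
        s["max_per_minute"] = max(s["minutes"].values())
        del s["minutes"]
    return per_ip


def flag_bursty(summary, per_minute_threshold=3):
    """Addresses that sent at a rate no one typing into a compose form sustains."""
    flagged = [ip for ip, s in summary.items()
               if s["max_per_minute"] >= per_minute_threshold]
    return sorted(flagged, key=lambda ip: summary[ip]["count"], reverse=True)


if __name__ == "__main__":
    summary = summarize(compose_posts(parse_log(SAMPLE_LOG)))
    for ip in flag_bursty(summary):
        s = summary[ip]
        print(f"{ip}: {s['count']} sends, peak {s['max_per_minute']}/min, "
              f"{s['first']:%Y-%m-%d %H:%M:%S} to {s['last']:%Y-%m-%d %H:%M:%S}")
```

The per-minute peak is the useful signal here: a compromised account used from one address will show a handful of sends per minute for hours, while a legitimate user produces a few per day. The first/last timestamps give the window to compare against the dates of the bounces, and the flagged addresses are the list the poster intends to block at the firewall.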