Koozali.org: home of the SME Server

Sending SPAM

EdelingF
Sending SPAM
« on: April 20, 2012, 12:54:27 PM »
Just got a phone call from my provider that I am sending SPAM. They've got complaints that I was sending e-mails with "I WILL HELP YOU".
At this moment, I already have 26.000 returned messages in my inbox

I am still looking for what to do, but this is what I get from one of server-manager's email logs:
Senders

One line per sender. Information on each line:
* mess is the number of messages sent by this sender.
* bytes is the number of bytes sent by this sender.
* sbytes is the number of bytes successfully received from this sender.
* rbytes is the number of bytes from this sender, weighted by recipient.
* recips is the number of recipients (success plus failure).
* tries is the number of delivery attempts (success, failure, deferral).
* xdelay is the total xdelay incurred by this sender.

mess  bytes  sbytes  rbytes  recips  tries  xdelay  sender

Is there someone with experience who can talk me through it?
I'm using a virtual SME8b7 with only a few WordPress installations in opt and nothing else.
« Last Edit: April 20, 2012, 12:56:25 PM by EdelingF »

EdelingF
Re: Sending SPAM
« Reply #1 on: April 20, 2012, 01:12:11 PM »
Closed down the IMAP, POP and SMTP-ports for now.

mmccarn
Re: Sending SPAM
« Reply #2 on: April 20, 2012, 01:37:50 PM »
Usually this is caused by a LAN workstation that has been infected, or else by a web form or PHP script with a known security problem.  It could also be caused by a remote attacker who has a valid username/password combination that works for smtp relay.

Infected LAN workstations or remote spam sources would appear in /var/log/qpsmtpd/current or /var/log/sqpsmtpd/current.

I'm not sure where you'd find evidence of a compromised script on the server - possibly in the qpsmtpd logs, possibly in the qmail logs.

Also, when I've seen this in the past there is usually some cleanup required in the qmail queues, for which qmHandle may be helpful (in about ~2002 a rooted lan system left around 60,000 messages in the qmail queue on my SME server...)

CharlieBrady
Re: Sending SPAM
« Reply #3 on: April 20, 2012, 05:11:48 PM »
Quote
At this moment, I already have 26.000 returned messages in my inbox

Examining those returned messages should provide clues as to where the messages are originating. Look at the full message headers of the enclosed (quoted) SPAM messages. Either post an extract here, or email one of those returned messages to me.

CharlieBrady
Re: Sending SPAM
« Reply #4 on: April 20, 2012, 05:12:56 PM »
Quote
I'm not sure where you'd find evidence of a compromised script on the server - possibly in the qpsmtpd logs, possibly in the qmail logs.

Yes, there, but also in httpd access_log.

EdelingF
Re: Sending SPAM
« Reply #5 on: April 20, 2012, 09:41:27 PM »
Sorry Charly, I already removed all of them...
Checked all the WordPress websites, changed passwords, updated the server, scanned all the logs for suspicious things. Nothing to be found.

By the way, my server is set to server-only. So no LAN-workstations behind this server. This server is for domain hosting, websites and email only.

I'm going to try to put the mailserver online again to see what happens...

mmccarn
Re: Sending SPAM
« Reply #6 on: April 21, 2012, 12:33:11 AM »
In "server only" mode, "LAN Workstation" could be anything else on the same subnet as the SME.

jameswilson
Re: Sending SPAM
« Reply #7 on: April 21, 2012, 11:11:37 AM »
can/should you use sme in server only mode and connect it to the internet? I thought it was designed for use on private networks with no public access?

EdelingF
Re: Sending SPAM
« Reply #8 on: April 21, 2012, 12:01:30 PM »
That's the way I've used it for at least 6 years now. If it's safer to use it another way, I'll be very interested.

I thought I found it, but it seems I'm still sending emails

EdelingF
Re: Sending SPAM
« Reply #9 on: April 21, 2012, 12:47:44 PM »
This is one of the emails in the queue:
14223872 (5, 5/14223872)
  Return-path: anonymous@myserver.nl
  From: UNITED NATIONS 'enfca@unitednation.org'
  To: globalepro3@yahoo.ca
  Subject: Making the world a better place)
  Date: 20 Apr 2012 19:59:47 -0000
  Size: 1967 bytes


--------------
MESSAGE NUMBER 14223872
 --------------
Received: (qmail 16870 invoked by uid 102); 20 Apr 2012 19:59:47 -0000
Date: 20 Apr 2012 19:59:47 -0000
To: globalepro3@yahoo.ca
Subject: Making the world a better place)
From: UNITED NATIONS
Message-Id: <130746302.93@unitednation.org>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit


Attention: Beneficiary,

How are you today? Hope all is well with you and family? You may not understand why this mail came to you.

We have been having meetings for the past 2 months with the ten secretaries to the UNITED NATIONS.

This email is sent to all the people that have been scammed in every part of  the world, the UNITED NATIONS agreed upon to compensate them with the sum of US$ 4,200,000. This includes every foreign contractors that may have not received their contract sum, and people that have had an unfinished transaction or international businesses that failed due to Government problems and impersonators etc.

We found your name in our list and that is why we are contacting you, this has been agreed upon and has been signed.

You are advised to contact Mrs.Violet  Okeke of Nigeria Security Department, as she is our representative in Nigeria  contact her immediately for your Cheque/ATM CARD of USD$4,200,000

These funds are in International Bank Draft/ATM CARD for security purpose ok? So she will send it to you and you can clear it in any bank of your choice.


Therefore, you should send her your full Name and telephone number/your correct mailing address where you want her to send the Draft/ATM to you.

Contact Mrs.Violet  Okeke immediately for your Bank Draft/ATM CARD
Email: xx.colee2011@hotmail.com
Telephone: +234-705-504-4987

Thanks and God bless you and your family. Hoping to hear from you as soon as you cash your Bank Draft.

Making the world a better place.

Regards,
Ban ki- Moon
UN Secretary (UNITED NATIONS)


CharlieBrady
Re: Sending SPAM
« Reply #10 on: April 21, 2012, 05:12:52 PM »
uid 102 is likely 'www' - you can confirm via 'grep 102 /etc/passwd'. You are almost certainly running a vulnerable web application. I would recommend you disable PHP (which will also disable webmail). You may need to hire a consultant to help you find and fix the problem. In the meantime, replace any websites with static HTML content.

cactus
Re: Sending SPAM
« Reply #11 on: April 21, 2012, 05:29:48 PM »
Quote
You are almost certainly running a vulnerable web application. I would recommend you disable PHP (which will also disable webmail). You may need to hire a consultant to help you find and fix the problem.
You might be able to find which page might be the root cause. If the numbers you are saying are that high you might be able to find the pages that are being accessed from the /var/log/httpd/access_log* files.
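One way to follow Charlie's and cactus's advice in code, as an added example that is not from the thread: it reads the uid and timestamp out of the queued message's qmail "Received:" line, resolves that uid exactly against /etc/passwd, and lists the POST requests to PHP scripts in the Apache access_log that fall close to the injection time. The access_log lines, client IPs and script path are constructed samples; the Received: and passwd lines are the ones shown in the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed inputs: the qmail "Received:" line of the queued spam (format as in
# the thread), the two /etc/passwd lines the thread shows for uid 102, and a few
# Apache common-log-format lines around the injection time (sample, not real logs).
QUEUED_RECEIVED = "Received: (qmail 16870 invoked by uid 102); 20 Apr 2012 19:59:47 -0000"
PASSWD = """apache:x:102:102:Apache:/var/www:/sbin/nologin
www:x:102:102:e-smith web server:/home/e-smith:/bin/false
"""
ACCESS_LOG = """\
203.0.113.5 - - [20/Apr/2012:21:59:40 +0200] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [20/Apr/2012:21:59:45 +0200] "POST /wp-content/uploads/x.php HTTP/1.1" 200 312
198.51.100.9 - - [20/Apr/2012:21:59:46 +0200] "POST /wp-content/uploads/x.php HTTP/1.1" 200 305
192.0.2.17 - - [20/Apr/2012:21:10:01 +0200] "GET /about.html HTTP/1.1" 200 2210
203.0.113.5 - - [20/Apr/2012:22:03:12 +0200] "POST /wp-content/uploads/x.php HTTP/1.1" 200 298
"""

RECEIVED_RE = re.compile(r"invoked by uid (\d+)\); (.+)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_injection(received_line):
    """Return (uid, timezone-aware datetime) from a qmail 'invoked by uid' header."""
    m = RECEIVED_RE.search(received_line)
    uid = int(m.group(1))
    when = datetime.strptime(m.group(2).strip(), "%d %b %Y %H:%M:%S %z")
    return uid, when

def users_for_uid(passwd_text, uid):
    """Exact match on the uid field (a plain 'grep 102' also hits unrelated fields)."""
    return [line.split(":")[0] for line in passwd_text.splitlines()
            if line.split(":")[2] == str(uid)]

def suspicious_hits(access_log, injected_at, window_seconds=60):
    """Count POSTs to .php URLs within +/- window_seconds of the injection, keyed by
    (path, client IP). Apache logs local time with its offset, qmail logs -0000."""
    hits = Counter()
    window = timedelta(seconds=window_seconds)
    for line in access_log.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, _status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and path.lower().endswith(".php") and abs(when - injected_at) <= window:
            hits[(path, ip)] += 1
    return hits
```

On a real server, read the Received: line from the queued message and feed the contents of /var/log/httpd/access_log* to suspicious_hits; the paths that keep appearing are the ones to take offline first.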

EdelingF
Re: Sending SPAM
« Reply #12 on: April 21, 2012, 06:11:28 PM »
Charly, that results in:
apache:x:102:102:Apache:/var/www:/sbin/nologin
www:x:102:102:e-smith web server:/home/e-smith:/bin/false

Hiring a consultant is not an option. This is a home server for email and a familysite with a few non-commercial sites from friends who don't pay for it. So it must be a DIY-project.

Cactus, I'll look into that log. I already looked earlier and there is one site that appears more than the others.
The strange thing is, when I open the email-ports now, I don't get any emails outside my own test-emails.

janet
Re: Sending SPAM
« Reply #13 on: April 21, 2012, 11:30:38 PM »
jameswilson

Quote
can/should you use sme in server only mode and connect it to the internet? I thought it was designed for use on private networks with no public access?

In server only mode, you need to have a separate router/modem/firewall in front of the sme server, typically this is your ADSL or Cable router/modem, which also does the gateway & firewall functions.
In this case you forward ports from the router to the sme server for each of the services you need to run on sme. This is done in the router itself, e.g. port 80 for web sites, port 25 for mail & so on.
It is safe to do as long as you set it up correctly.
« Last Edit: April 22, 2012, 11:53:58 PM by mary »

mmccarn
Re: Sending SPAM
« Reply #14 on: April 22, 2012, 03:42:56 PM »
Quote
Hiring a consultant is not an option. This is a home server for email and a familysite with a few non-commercial sites from friends who don't pay for it. So it must be a DIY-project.

If you're willing to post or email me your host address I can run a scan for you using nessus, which might identify the security hole.

Or, if you have a laptop, you could install nessus and scan your network from off-site.

Nessus Download:
http://www.tenable.com/products/nessus/select-your-operating-system

Nessus Activation Code (the "HomeFeed" subscription is slightly out of date but free for home use only):
http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code