Koozali.org: home of the SME Server

How to limit outgoing email to valid local domain addresses

mike_mattos
Is there a way to limit outgoing email to only valid email addresses on the SME server hosted domains?
...

CharlieBrady
Re: How to limit outgoing email to valid local domain addresses
« Reply #1 on: June 08, 2012, 05:13:45 PM »
You would need a custom qpsmtpd configuration to do that, and perhaps a custom qpsmtpd plugin.

You are probably better to identify the source of your spam (possibly a compromised account or virus/trojan infection) and fix that problem.
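Added example, not code from the thread, from SME Server or from qpsmtpd: the decision such a custom plugin would take in qpsmtpd's `hook_mail`, written in Python so the cases can be checked. A real plugin is Perl and reads `relay_client`, the peer IP and the SMTP AUTH user from the connection object; here the `Connection` class, the domain and address lists and the two-tuple return are assumptions of the sketch, while `DECLINED` and `DENY` are qpsmtpd's own return codes. Two cases decide whether the policy is usable at all: sessions that are not relay clients carry foreign senders by definition and must be left alone, and the null sender carries bounces. Note the caveat that matches Charlie's advice: a script on the box still connects from 127.0.0.1 as a relay client, so it can keep sending as any existing local address or with a null sender; the policy narrows what an injection can forge, it does not remove the injection.

```python
from dataclasses import dataclass

# qpsmtpd hook return codes used here (names as in qpsmtpd's Constants)
DECLINED, DENY = "DECLINED", "DENY"


@dataclass
class Connection:
    """Assumed stand-in for the qpsmtpd connection object."""
    remote_ip: str
    relay_client: bool   # set by qpsmtpd for hosts allowed to relay (LAN, localhost, SMTP AUTH)
    auth_user: str = ""  # SMTP AUTH login, empty when the client did not authenticate


class LocalSenderPolicy:
    """What a custom plugin would decide in hook_mail: only mail this host is
    asked to relay, and only from addresses that really exist on a hosted
    domain, goes through.  Lists are assumed inputs (SME would read them from
    its domain and account databases)."""

    def __init__(self, local_domains, local_addresses):
        self.domains = {d.lower() for d in local_domains}
        self.addresses = {a.lower() for a in local_addresses}

    def hook_mail(self, conn, sender):
        # Inbound mail from the world carries foreign senders; denying it
        # would stop all incoming mail, so only relay clients are policed.
        if not conn.relay_client:
            return DECLINED, ""
        # The null sender "<>" is how bounces and DSNs travel; keep it.
        if sender == "":
            return DECLINED, ""
        sender = sender.lower()
        local, at, domain = sender.rpartition("@")
        if not at or domain not in self.domains:
            return DENY, f"sender domain not hosted here: {sender}"
        if sender not in self.addresses:
            return DENY, f"no such local address: {sender}"
        # Bind an authenticated session to its own mailbox so one stolen
        # password cannot be used to send as a colleague.
        if conn.auth_user and local != conn.auth_user.lower():
            return DENY, f"{conn.auth_user} may not send as {sender}"
        return DECLINED, ""


if __name__ == "__main__":
    policy = LocalSenderPolicy(["example.com"], ["alice@example.com", "bob@example.com"])
    cases = [
        (Connection("192.168.1.20", True, "alice"), "alice@example.com"),   # ok
        (Connection("192.168.1.20", True, "alice"), "bob@example.com"),     # denied: not her mailbox
        (Connection("127.0.0.1", True), "mr.chen@example.com"),             # denied: no such user
        (Connection("127.0.0.1", True), "anyone@example.net"),              # denied: foreign domain
        (Connection("127.0.0.1", True), "bob@example.com"),                 # passes: local script as a real user
        (Connection("127.0.0.1", True), ""),                                # passes: null sender
        (Connection("198.51.100.9", False), "anyone@example.net"),          # passes: inbound, not policed
    ]
    for conn, sender in cases:
        print(f"{conn.remote_ip:14} relay={conn.relay_client!s:5} <{sender}> -> {policy.hook_mail(conn, sender)}")
```

The last two localhost cases are the ones to keep in mind when weighing this against fixing the source: the thread's spam came in from 127.0.0.1, and nothing in a sender check stops a local script that uses an address that exists.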

mike_mattos
Re: How to limit outgoing email to valid local domain addresses
« Reply #2 on: June 08, 2012, 05:32:41 PM »
If I could figure out which machine was the source, I would do that. But my suspicion is that the source is NOT a local workstation. I say that because the mail log shows far more total messages than are allocated to the local users, thus the spammer is not using a valid account on the domain as the 'sender'. qpsmtpd seems to be the sender (qmail 9075 invoked by uid 453).

The server antivirus says all is well.
...

CharlieBrady
Re: How to limit outgoing email to valid local domain addresses
« Reply #3 on: June 08, 2012, 05:37:51 PM »
Quote
qpsmtpd seems to be the sender ( qmail 9075 invoked by uid 453 ).

In that case both the message full headers and the qpsmtpd log will identify the IP address which is the source of the message.

mike_mattos
Re: How to limit outgoing email to valid local domain addresses
« Reply #4 on: June 08, 2012, 05:56:47 PM »
If only that were true!

The IP is 127.0.0.1 and I can't get a copy of the outgoing message; only from the bounce do I see the following. Also note the Outlook Express reference!



Received: from [207.xxx.x.x] (helo=saxxxx.xxxx.com)
    by mail-06.primus.ca with esmtpa (Exim 4.72)
    (envelope-from )
    id 1ScnuQ-0003IS-2W
    for elvinaf@hotmail.com; Thu, 07 Jun 2012 21:22:38 -0400
 Received: (qmail 9075 invoked by uid 453); 8 Jun 2012 00:21:19 -0000
 X-Virus-Checked: Checked by ClamAV on saxxxxx.com
 Received: from localhost (HELO User) (127.0.0.1)
     by saxxxxxx.com (qpsmtpd/0.83) with SMTP; Thu, 07 Jun 2012 20:21:19 -0400
 Reply-To:
 From: "Mr. David Chen"
 Subject: INHERITANCE
 Date: Thu, 7 Jun 2012 17:26:48 -0700
 MIME-Version: 1.0
 Content-Type: text/plain;
    charset="Windows-1251"
 Content-Transfer-Encoding: 7bit
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
 
 Good day,
 
 I am Mr.David Chen, Trained and working as an Account Officer In Development Bank of Singapore (DBS).
 I write to contact you about a foreigner bearing the same name as yours, who died here in Singapore, over a decades ago leaving behind an estate/capital US$12.8M here in Development Bank of Singapore.However, the Investor died intestate, no next-of-kin, nobody came forward all these years to lay claim of the inheritance. I have decided to work with you to secure the funds, and propose 20% offer for you.
 If you are interested, you are advised to email me through my private email dchen1_dbs@imail.com the following information stated below:-  i. RE-CONFIRM YOUR FULL NAMES:
 ii. CONTACT ADDRESS:
 iii. AGE:
 iv. TELEPHONE AND FAX NUMBER:
 v. OCCUPATION:
 Upon hearing from you, I will unfold more details and how to commence in the transaction.
 Best regards,
 Mr. David Chen
 NB:ENSURE TO RESPOND TO MY PRIVATE EMAIL dchen1_dbs@imail.com WITH REQUIRED DETAILS IF WILLING.
...

CharlieBrady
Re: How to limit outgoing email to valid local domain addresses
« Reply #5 on: June 08, 2012, 06:39:10 PM »
Quote
if only that were true!

The ip is 127.0.0.1

Check your apache access logs. Then remove or fix whatever php script is (most likely) allowing email to be injected.

Quote
... and I can't get a copy of the outgoing message

Stop qmail and look at any of the many messages in your qmail outgoing queue.

Quote
also note the Outlook Express referevce!

That's of no evidentiary value, any more than 'From: ...'.

mike_mattos
Re: How to limit outgoing email to valid local domain addresses
« Reply #6 on: June 08, 2012, 09:17:25 PM »
By apache access log, do you mean /var/log/httpd/access_log? The current log looks good; I'll look at the previous one shortly, after it transfers.

There is NOTHING in the outgoing queue, but at 1AM the system was very busy.

My ISP reported the problem, we use their mail server.

...

CharlieBrady
Re: How to limit outgoing email to valid local domain addresses
« Reply #7 on: June 09, 2012, 12:01:10 AM »
Quote
By apache access log, do you mean /var/log/httpd/access_log?

Yes, that is the apache access log.

If your apache log does show activity, you need to look for another process which would allow connections to port 25 from localhost, e.g. ssh with port forwarding, squid, some other proxy.

mike_mattos
Re: How to limit outgoing email to valid local domain addresses
« Reply #8 on: June 09, 2012, 01:32:34 AM »
From the qpsmtpd log, a bad guy is identified, but I still don't see any indication of the outgoing spam, though the time is consistent with the bounce messages as above.

http://www.projecthoneypot.org/ip_118.35.239.79

2012-06-08 00:38:28.084099500 29621 Accepted connection 0/40 from 118.35.239.79 / Unknown
2012-06-08 00:38:28.084207500 29621 Connection from Unknown [118.35.239.79]
2012-06-08 00:38:28.084573500 29621 running plugin (set_hooks): peers
2012-06-08 00:38:28.085569500 29621 peers hooking valid_auth
2012-06-08 00:38:28.085627500 29621 peers hooking set_hooks
2012-06-08 00:38:28.085922500 29621 logging::logterse hooking queue
2012-06-08 00:38:28.086006500 29621 logging::logterse hooking deny
2012-06-08 00:38:28.086251500 29621 tls plugin (init): ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2012-06-08 00:38:28.086927500 29621 tls hooking connect
2012-06-08 00:38:28.086976500 29621 tls hooking ehlo
2012-06-08 00:38:28.087020500 29621 tls hooking helo
2012-06-08 00:38:28.087097500 29621 tls hooking rcpt
2012-06-08 00:38:28.087149500 29621 tls hooking mail
2012-06-08 00:38:28.087194500 29621 tls hooking data
2012-06-08 00:38:28.087273500 29621 tls hooking post-connection
2012-06-08 00:38:28.087314500 29621 tls hooking unrecognized_command
2012-06-08 00:38:28.087969500 29621 check_earlytalker hooking connect
2012-06-08 00:38:28.088012500 29621 check_earlytalker hooking data
2012-06-08 00:38:28.088157500 29621 count_unrecognized_commands hooking connect
2012-06-08 00:38:28.088325500 29621 count_unrecognized_commands hooking unrecognized_command
2012-06-08 00:38:28.088504500 29621 check_relay hooking connect
2012-06-08 00:38:28.088778500 29621 check_norelay hooking connect
2012-06-08 00:38:28.089102500 29621 require_resolvable_fromhost hooking mail
2012-06-08 00:38:28.089443500 29621 check_basicheaders hooking data_post
2012-06-08 00:38:28.089712500 29621 rhsbl hooking rcpt
2012-06-08 00:38:28.089767500 29621 rhsbl hooking mail
2012-06-08 00:38:28.089861500 29621 rhsbl hooking disconnect
2012-06-08 00:38:28.090036500 29621 dnsbl hooking connect
2012-06-08 00:38:28.090141500 29621 dnsbl hooking rcpt
2012-06-08 00:38:28.090240500 29621 dnsbl hooking disconnect
2012-06-08 00:38:28.090470500 29621 check_badmailfrom hooking rcpt
2012-06-08 00:38:28.090517500 29621 check_badmailfrom hooking mail
2012-06-08 00:38:28.090774500 29621 check_badrcptto_patterns hooking rcpt
2012-06-08 00:38:28.091044500 29621 check_badrcptto hooking rcpt
2012-06-08 00:38:28.091265500 29621 check_spamhelo hooking ehlo
2012-06-08 00:38:28.091319500 29621 check_spamhelo hooking helo
2012-06-08 00:38:28.091698500 29621 check_goodrcptto hooking rcpt
2012-06-08 00:38:28.091898500 29621 rcpt_ok hooking rcpt
2012-06-08 00:38:28.092259500 29621 virus::pattern_filter hooking data_post
2012-06-08 00:38:28.092565500 29621 tnef2mime hooking data_post
2012-06-08 00:38:28.092787500 29621 spamassassin hooking data_post
2012-06-08 00:38:28.092898500 29621 spamassassin hooking data_post
2012-06-08 00:38:28.093137500 29621 virus::clamav hooking data_post
2012-06-08 00:38:28.093524500 29621 queue::qmail_2dqueue hooking queue
2012-06-08 00:38:28.093843500 29621 Plugin peers, hook set_hooks returned DECLINED,
2012-06-08 00:38:28.093942500 29621 running plugin (connect): tls
2012-06-08 00:38:28.094003500 29621 Plugin tls, hook connect returned DECLINED,
2012-06-08 00:38:28.094029500 29621 running plugin (connect): check_earlytalker
2012-06-08 00:38:28.094162500 29621 check_earlytalker plugin (connect): remote host started talking before we said hello [118.35.239.79]
2012-06-08 00:38:28.094232500 29621 Plugin check_earlytalker, hook connect returned DENYSOFT, Connecting host started transmitting before SMTP greeting
2012-06-08 00:38:28.094383500 29621 logging::logterse plugin (deny): ` 118.35.239.79   Unknown            check_earlytalker   902   Connecting host started transmitting before SMTP greeting   msg denied before queued
2012-06-08 00:38:28.094496500 29621 Lost connection to client, cannot send response.
2012-06-08 00:38:28.094517500 29621 click, disconnecting
2012-06-08 00:38:28.094600500 29621 running plugin (disconnect): rhsbl
2012-06-08 00:38:28.094662500 29621 Plugin rhsbl, hook disconnect returned DECLINED,
2012-06-08 00:38:28.094687500 29621 running plugin (disconnect): dnsbl
2012-06-08 00:38:28.094755500 29621 Plugin dnsbl, hook disconnect returned DECLINED,
2012-06-08 00:38:28.094900500 29621 running plugin (post-connection): tls
2012-06-08 00:38:28.094975500 29621 Plugin tls, hook post-connection returned DECLINED,
2012-06-08 00:38:28.663575500 23868 cleaning up after 29621
...

mmccarn
Re: How to limit outgoing email to valid local domain addresses
« Reply #9 on: June 09, 2012, 02:06:22 PM »
The log extract you've included shows an email that was denied by your mail server.

Having said that, the source IP in your log extract (118.35.239.79) is listed in many RBL lists, including both of those that I have active on my SME (RBLList=zen.spamhaus.org:combined.njabl.org): http://rbls.org/118.35.239.79 - so the connection should have been denied immediately and not by the "check_earlytalker" plugin.

I strongly recommend that you read through the Sonoracomm spam filter configuration how-to and review your email configuration: http://wiki.contribs.org/Email#The_Sonora_Communications_.22Spam_Filter_Configuration_for_SME_7.22_howto

You might learn more by downloading "qploggrep" and searching your log files for "127.0.0.1":
http://wiki.contribs.org/Email_Statistics#qploggrep

Also, if you see nothing in /var/log/httpd/access_log, take a look in /var/log/messages.

Finally, if you are running PHP5 via php5-cgi and have not patched the injection attack publicized last month, you need to take care of that: http://forums.contribs.org/index.php/topic,48612.msg241682.html#msg241682
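Added example, not from the thread and not the qploggrep script: the search described in this and the earlier replies, run over constructed log lines. It keeps every session qpsmtpd accepted from 127.0.0.1 that ended with a message queued, counts queued mail per peer and UTC hour (a burst of the size reported here stands out at once), lists the Apache requests that hit in the seconds before each local injection, and flags requests whose query string would reach php-cgi as command-line options, the shape CVE-2012-1823 accepts. The qpsmtpd lines follow the layout of the paste above and the Apache lines the combined log format; the IPs, pids, paths, times and the "Queued!" wording are invented. One detail the thread's own headers show: qpsmtpd stamps UTC (the qmail Received line carries -0000) while access_log carries the local offset, so both sides are normalised before they are compared.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

# Constructed sample logs (not from the thread): qpsmtpd lines in the layout
# of the paste above, Apache lines in combined format.  IPs, pids, paths and
# times are invented.  qpsmtpd stamps UTC, access_log carries its own offset,
# so both are normalised to UTC before being compared.
QPSMTPD_LOG = """\
2012-06-08 05:02:11.084099500 29601 Accepted connection 0/40 from 118.35.239.79 / Unknown
2012-06-08 05:02:11.094232500 29601 Plugin check_earlytalker, hook connect returned DENYSOFT, Connecting host started transmitting before SMTP greeting
2012-06-08 05:03:40.100000500 29610 Accepted connection 0/40 from 127.0.0.1 / localhost
2012-06-08 05:03:40.200000500 29610 Plugin queue::qmail_2dqueue, hook queue returned OK, Queued! 1339131820 qp 29611
2012-06-08 05:03:41.100000500 29612 Accepted connection 1/40 from 127.0.0.1 / localhost
2012-06-08 05:03:41.200000500 29612 Plugin queue::qmail_2dqueue, hook queue returned OK, Queued! 1339131821 qp 29613
2012-06-08 05:03:42.100000500 29614 Accepted connection 1/40 from 127.0.0.1 / localhost
2012-06-08 05:03:42.200000500 29614 Plugin queue::qmail_2dqueue, hook queue returned OK, Queued! 1339131822 qp 29615
2012-06-08 09:15:02.100000500 29700 Accepted connection 0/40 from 192.0.2.7 / mail.example.org
2012-06-08 09:15:03.200000500 29700 Plugin queue::qmail_2dqueue, hook queue returned OK, Queued! 1339147503 qp 29701
"""
ACCESS_LOG = """\
198.51.100.4 - - [08/Jun/2012:00:58:02 -0400] "GET /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 1324 "-" "-"
203.0.113.9 - - [08/Jun/2012:01:03:39 -0400] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [08/Jun/2012:01:03:40 -0400] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [08/Jun/2012:01:03:41 -0400] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.5 - - [08/Jun/2012:03:30:00 -0400] "GET /index.php?q=node/1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

TS = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ (?P<pid>\d+) "
QP_ACCEPT = re.compile(TS + r"Accepted connection \d+/\d+ from (?P<ip>[\d.]+) / (?P<host>\S+)")
QP_QUEUED = re.compile(TS + r"Plugin queue::\S+, hook queue returned OK")
APACHE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def parse_qpsmtpd(text):
    """One record per accepted SMTP session: UTC time, pid, peer IP, and whether
    the session ended with a message queued.  pids are reused over a long log,
    so a queue line is credited to the most recent Accept with that pid."""
    sessions, open_by_pid = [], {}
    for line in text.splitlines():
        m = QP_ACCEPT.match(line)
        if m:
            rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
                   "pid": m["pid"], "ip": m["ip"], "host": m["host"], "queued": False}
            sessions.append(rec)
            open_by_pid[m["pid"]] = rec
            continue
        m = QP_QUEUED.match(line)
        if m and m["pid"] in open_by_pid:
            open_by_pid[m["pid"]]["queued"] = True
    return sessions


def local_injections(sessions):
    """Queued sessions from 127.0.0.1: no outside host spoke SMTP, so a process
    on the box (web script, proxy, forwarded port) handed the mail over."""
    return [s for s in sessions if s["ip"] == "127.0.0.1" and s["queued"]]


def per_hour(sessions):
    """Queued messages per (peer IP, UTC hour); a burst stands out even when
    every single session looks ordinary."""
    return Counter((s["ip"], s["ts"].strftime("%Y-%m-%d %H:00Z")) for s in sessions if s["queued"])


def parse_access_log(text):
    out = []
    for line in text.splitlines():
        m = APACHE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
            out.append({"ts": ts, "ip": m["ip"], "method": m["method"],
                        "target": m["target"], "status": int(m["status"])})
    return out


def web_requests_before(injections, web, slack=timedelta(seconds=5)):
    """For each locally injected message, the web requests that landed in the
    `slack` seconds up to it: the scripts to audit first.  Keyed by qpsmtpd pid."""
    return {i["pid"]: [w for w in web if i["ts"] - slack <= w["ts"] <= i["ts"]] for i in injections}


def phpcgi_probes(web):
    """Requests whose query string would reach php-cgi as command-line options
    (CVE-2012-1823 shape): no literal '=' in the raw query, and a '+'-separated
    argument that starts with '-' once percent-decoded."""
    flagged = []
    for w in web:
        raw = urlsplit(w["target"]).query
        if raw and "=" not in raw and any(a.startswith("-") for a in unquote(raw).split("+")):
            flagged.append(w)
    return flagged


if __name__ == "__main__":
    sessions, web = parse_qpsmtpd(QPSMTPD_LOG), parse_access_log(ACCESS_LOG)
    hits = web_requests_before(local_injections(sessions), web)
    for inj in local_injections(sessions):
        print(inj["ts"].isoformat(), "queued from 127.0.0.1, web hits just before:",
              [(w["ip"], w["method"], w["target"]) for w in hits[inj["pid"]]])
    print("queued per peer/hour:", dict(per_hour(sessions)))
    print("php-cgi probes:", [(w["ip"], w["target"]) for w in phpcgi_probes(web)])
```

On a real box point the two constants at /var/log/qpsmtpd/current and /var/log/httpd/access_log (the qpsmtpd log on SME is tai64n-stamped, so run it through tai64nlocal first or adapt the timestamp regex). If the injections line up with nothing in access_log, that is the case Charlie describes: look for another local process that can reach port 25, such as a forwarded ssh port or a proxy.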



mike_mattos
Re: How to limit outgoing email to valid local domain addresses
« Reply #10 on: June 09, 2012, 08:51:14 PM »
Thanks, mmccarn.

The 'attack' was at 1AM Friday morning, 10,000 outbound emails in about an hour, but the ISP mail server trapped them and they sent me a warning message. Last night there was no unusual activity.

I didn't see anything in the Sonora link about outbound spam

qploggrep dnsbl was interesting, but there were no trends 

The Spam my system was sending did not have a FROM email address, only a name in quotes, From: "Mr. David Chen"

I did install php5 on one ibay/domain/site for this server. Charlie Brady says in that thread that SME does not operate in cgi mode, and I don't maintain the site; it was written in Drupal with a few add-on php scripts to access MySQL, so I'm not sure if the problem exists or how to fix it if it does.

 
...

Stefano
Re: How to limit outgoing email to valid local domain addresses
« Reply #11 on: June 09, 2012, 10:17:45 PM »
Quote
I did install php5 on one ibay/domain/site for this server,  Charlie Brady says in that thread that SME does not operate in cgi mode, and I don't maintain the site, it was written in Drupal with a few add on php scripts to access MySQL,  so I'm not sure if the problem exists or how to fix it if it does.

Did you upgrade php4 to php5, or did you install php5-cgi?

If you are using the latter, there is a big vulnerability...

Also, be sure your Drupal installation is up to date.

mike_mattos
Re: How to limit outgoing email to valid local domain addresses
« Reply #12 on: June 10, 2012, 03:07:37 AM »
http://wiki.contribs.org/PHP5#For_Ibays  was what I used, not sure if it auto-updates though!

If the problem repeats I'll roll back to php4.  I'll ask the web designer to confirm the Drupal status
...

CharlieBrady
Re: How to limit outgoing email to valid local domain addresses
« Reply #13 on: June 10, 2012, 05:33:08 AM »
Quote
If the problem repeats I'll roll back to php4.

Don't wait for it to repeat. You have an insecure php5-cgi rpm installed.

mmccarn
Re: How to limit outgoing email to valid local domain addresses
« Reply #14 on: June 10, 2012, 02:38:06 PM »
Here's a link to the top of the php5-cgi discussion I linked above:
http://forums.contribs.org/index.php/topic,48612.0.html

Read through the whole thread -- you should be able to ameliorate the security problem by setting "AllowOverride" for the ibay, and adding some lines to /home/e-smith/files/ibays/<ibayname>/html/.htaccess.

I have a Wordpress install hosted on a (non-SME) service provider using php5-cgi - the bug we're discussing here allowed a remote attacker to overwrite all instances of "index.php" in my wordpress directory tree with a new file that began with an encrypted php command to load a malicious website.

You should apply the .htaccess workaround as soon as possible, then compare all of your site's PHP files to backup versions from before you started observing odd behavior.

Here's a link to the redhat bug report about this vulnerability:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1823