Koozali.org: home of the SME Server

security weakness in qmail or server?

kirstyk

security weakness in qmail or server?
« on: August 14, 2002, 05:44:51 PM »
Here's my problem: someone is managing to send mail through our box by spoofing the email address 'anonymous@electricpost.co.uk'. How is this possible? POP and IMAP are set to private.

Here is a portion of the log files:

@400000003d5a194e04d7c4dc info msg 311202: bytes 2252 from qp 4833 uid 100
@400000003d5a194e05152b9c starting delivery 654: msg 311202 to remote jovemcarioca@aol.com
@400000003d5a194e05156634 status: local 0/10 remote 1/20
@400000003d5a194e0515818c starting delivery 655: msg 311202 to remote bilo75@aol.com
@400000003d5a194e0515a89c status: local 0/10 remote 2/20
@400000003d5a194e0515c3f4 starting delivery 656: msg 311202 to remote holstudent@aol.com
@400000003d5a194e0515e71c status: local 0/10 remote 3/20
@400000003d5a194e0532ba04 starting delivery 657: msg 311202 to remote snjcalm1@aol.com
@400000003d5a194e0532f49c status: local 0/10 remote 4/20
@400000003d5a194e05cbaa5c starting delivery 658: msg 311202 to remote dargoodman@aol.com
@400000003d5a194e05cbf0ac status: local 0/10 remote 5/20
@400000003d5a19512b68c90c delivery 658: success: 64.12.137.89_accepted_message./Remote_host_said:_250_OK/
@400000003d5a19512b6926cc status: local 0/10 remote 4/20
@400000003d5a19513029c3ec delivery 655: success: 205.188.156.154_accepted_message./Remote_host_said:_250_OK/
@400000003d5a19513029fe84 status: local 0/10 remote 3/20
@400000003d5a195130c28d34 delivery 656: success: 152.163.224.122_accepted_message./Remote_host_said:_250_OK/
@400000003d5a195130c2c3e4 status: local 0/10 remote 2/20
@400000003d5a1952007aa864 delivery 654: success: 152.163.224.26_accepted_message./Remote_host_said:_250_OK/
@400000003d5a1952007ae2fc status: local 0/10 remote 1/20
@400000003d5a19591b585bcc delivery 657: success: 64.12.137.184_accepted_message./Remote_host_said:_250_OK/
@400000003d5a19591b58b5a4 status: local 0/10 remote 0/20
@400000003d5a19591b58d0fc end msg 311202

Fortunately they only seem to be sending to AOL users, so I can block the bounced messages back from AOL;
unfortunately, enclosed in the message is a virus.
There is no user anonymous, so how can I stop this?

kk

Des Dougan

Re: security weakness in qmail or server?
« Reply #1 on: August 14, 2002, 10:26:25 PM »
Are you sure the messages are actually coming from your site? You didn't say which virus was involved, but the Klez G and H viruses take addresses from an infected system and send out emails from that system as if they were being sent from the addresses in the book it uses. I had another returned email in my inbox last night of exactly this kind.

You should also ensure you have anti-virus software running on your server and PCs - then you will have some assurance that you're not sending out viruses (and if you get a message with a virus returned which purportedly originated from your site, you'll be sure it didn't come from you).

All this assumes you haven't been "invaded" - you could still have been spoofed externally, and there's not a lot you can do about that - complaining to the ISP from where the spoofing originated doesn't have much effect.

Des Dougan

kirstyk

Re: security weakness in qmail or server?
« Reply #2 on: August 15, 2002, 03:31:16 AM »
As far as I can tell (and I'm new to this), according to the logs we've sent out 8000-odd emails in the past 3 days (there are only 4 of us using this gateway). So I reckon it's not a spoof.
We've got Tripwire installed, so we don't think we have been compromised, and I also checked file integrity with rpm.
No client on the network has viruses, as we did a full scan on all machines (Norton).
A virus did show up in the backup smtserver.tar in a txt file (linuxtux), but I think that is Norton being over-zealous.
One other option is that formmail is being used, so today I replaced it with the formmail.php honey trap from abuse.net.
Now we will just do a clean install and start again, point our domain to a hosted site and leave smt on dial-on-demand :(

Charlie Brady

formmail security (was Re: security weakness in qmail or ser
« Reply #3 on: August 15, 2002, 08:28:31 AM »
kirstyk wrote:

> On other option is that formmail is being used so today i
> replaced it with the formmail.php honey trap from abuse.net
> now we will just do a clean install and start again , point
> our domain to a hosted site and leave smt on dial on demand :(

formmail is very often exploitable as an open relay, as is almost certainly the case here. Your logs show:

 from qp 4833 uid 100

which means that qmail-inject was run by uid 100, i.e. www, and none of the following environment variables was set: QMAILUSER, MAILUSER, USER, LOGNAME, QMAILSUSER, QMAILSHOST. This is very likely to be the case when your formmail script ran.

The formmail script is well known as being actively exploited by spammers. See:

http://www.google.com/search?q=formmail+security

for details.

Charlie
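The two things Charlie reads off the log (which uid handed the message to qmail-inject, and how many remote deliveries one message fans out to) can be checked mechanically across a whole multilog file. The script below is an added example for this thread, not SME Server or qmail code: it decodes multilog's TAI64N labels, groups qmail-send lines by queue message id, and flags messages queued under the web server's uid that go to several remote recipients. The sample log is constructed: the first message reuses the lines posted above (note the thread's `info msg` line shows no `<sender>` between `from` and `qp`, so the parser accepts both that form and the usual `from <sender> qp` form), the second is an invented control message from an ordinary user. The uid set, threshold and every address in the control message are assumptions.

```python
"""Triage a qmail-send (multilog) log for web-injected bulk mail.

Added example for this thread, not SME Server or qmail code. Assumptions:
the log uses multilog's '@' TAI64N labels as in the thread, the web server
runs as uid 100 (which the thread identifies as 'www'), and the sample log
below is constructed: the first message reuses the lines from the thread,
the second is an invented control message from a normal user (uid 500).
"""
import re
from datetime import datetime, timezone

TAI_OFFSET = 2 ** 62      # TAI64 labels encode seconds + 2**62
LEAP_SECONDS = 32         # TAI - UTC between 1999-01-01 and 2005-12-31


def tai64n_to_utc(label):
    """Decode a multilog '@' TAI64N label (16 hex s + 8 hex ns) to aware UTC."""
    secs = int(label[1:17], 16) - TAI_OFFSET - LEAP_SECONDS
    nanos = int(label[17:25], 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)


INFO_RE = re.compile(r"info msg (\d+): bytes (\d+) from (?:<([^>]*)> )?qp (\d+) uid (\d+)")
START_RE = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) (\S+)")
END_RE = re.compile(r"end msg (\d+)")


def _blank():
    return {"when": None, "bytes": 0, "sender": None, "qp": None, "uid": None,
            "remote": [], "local": [], "done": False}


def parse_qmail_log(lines):
    """Group a qmail-send log into one record per queue message id."""
    msgs = {}
    for line in lines:
        line = line.strip()
        if not (line.startswith("@") and len(line) > 26):
            continue                         # not a multilog-stamped qmail line
        label, rest = line[:25], line[26:]
        if m := INFO_RE.search(rest):        # 'info msg': the message entered the queue
            msgid, nbytes, sender, qp, uid = m.groups()
            rec = msgs.setdefault(msgid, _blank())
            rec.update(when=tai64n_to_utc(label), bytes=int(nbytes),
                       sender=sender, qp=int(qp), uid=int(uid))
        elif m := START_RE.search(rest):     # one 'starting delivery' line per recipient
            msgid, kind, rcpt = m.groups()
            msgs.setdefault(msgid, _blank())[kind].append(rcpt)
        elif m := END_RE.search(rest):
            msgs.setdefault(m.group(1), _blank())["done"] = True
    return msgs


WEB_UIDS = {100}   # uid of the web server account on the thread's box (assumed from the thread)


def flag_web_injected(msgs, min_remote=3):
    """Message ids queued under a web-server uid that fan out to several
    remote recipients: the signature of a form script used as an open relay."""
    return sorted(mid for mid, r in msgs.items()
                  if r["uid"] in WEB_UIDS and len(r["remote"]) >= min_remote)


# Constructed sample: message 311202 is copied from the thread, 311203 is invented.
SAMPLE_LOG = """\
@400000003d5a194e04d7c4dc info msg 311202: bytes 2252 from qp 4833 uid 100
@400000003d5a194e05152b9c starting delivery 654: msg 311202 to remote jovemcarioca@aol.com
@400000003d5a194e0515818c starting delivery 655: msg 311202 to remote bilo75@aol.com
@400000003d5a194e0515c3f4 starting delivery 656: msg 311202 to remote holstudent@aol.com
@400000003d5a194e0532ba04 starting delivery 657: msg 311202 to remote snjcalm1@aol.com
@400000003d5a194e05cbaa5c starting delivery 658: msg 311202 to remote dargoodman@aol.com
@400000003d5a19512b68c90c delivery 658: success: 64.12.137.89_accepted_message./Remote_host_said:_250_OK/
@400000003d5a19591b58d0fc end msg 311202
@400000003d5a1a0000000000 info msg 311203: bytes 640 from <kk@electricpost.co.uk> qp 4901 uid 500
@400000003d5a1a0001000000 starting delivery 659: msg 311203 to remote friend@example.com
@400000003d5a1a0500000000 delivery 659: success: 192.0.2.10_accepted_message./Remote_host_said:_250_OK/
@400000003d5a1a0500100000 end msg 311203
"""

if __name__ == "__main__":
    parsed = parse_qmail_log(SAMPLE_LOG.splitlines())
    for mid in flag_web_injected(parsed):
        r = parsed[mid]
        print(f"msg {mid} at {r['when']:%Y-%m-%d %H:%M:%S} UTC: uid {r['uid']}, "
              f"sender {r['sender'] or '(not logged)'}, {len(r['remote'])} remote recipients")
```

Run it against `/var/log/qmail/current` (or pipe the file in after replacing `SAMPLE_LOG`) and the flagged ids are the ones to pull out of the queue and match against the web server's access log for the same minute; the TAI64N decode gives you the UTC time to search for. The 32-second leap offset is only right for logs written between 1999 and 2005, which covers this thread.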

kirstyk

Re: formmail security (was Re: security weakness in qmail or
« Reply #4 on: August 15, 2002, 09:33:27 PM »
Thanks for that. I thought we could get past the spammers' email sniffers by using formmail as the contact point; now I just messed up the Apache server trying to install the abuse script :( (have to read more about the templates).

kk
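What makes a contact-form script an open relay, and what the fix looks like, as an added example for this thread (it is not the original formmail script nor the abuse.net honey trap). The first handler lets the posted form name the recipient, which is the pattern Charlie refers to; the second resolves the destination from a server-side table, pins the From address to the site, and refuses header-bound fields that contain line breaks. Field names, the destination table and the site address are assumptions, and both functions only build the message that would be handed to qmail-inject; nothing is sent.

```python
"""A form-to-mail handler two ways: the open-relay pattern and a fixed one.

Added example for this thread; it is not the original formmail script nor
the abuse.net honey trap. The field names (recipient, to, email, subject,
message), the destination table and the site address are assumptions.
Both functions only build the message that would be handed to qmail-inject.
"""
from email.message import EmailMessage

SITE_FROM = "www@electricpost.co.uk"          # assumed sending address

# Destination keys the form may name, resolved server-side (assumed table).
ALLOWED_DESTINATIONS = {
    "sales": "sales@electricpost.co.uk",
    "support": "support@electricpost.co.uk",
}


class RelayRefused(Exception):
    """Raised when a submission would turn the handler into a relay."""


def vulnerable_formmail(form):
    """The open-relay pattern: the poster's own form field decides where the
    mail goes, so anyone who can POST here can send to anyone."""
    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = form["recipient"]                 # attacker-chosen, unchecked
    msg["Subject"] = form.get("subject", "Form submission")
    msg.set_content(form.get("message", ""))
    return msg


def hardened_formmail(form):
    """Destination is looked up from a fixed table; the poster only names a key.
    Header-bound fields are refused if they carry CR/LF (header injection)."""
    dest = ALLOWED_DESTINATIONS.get(form.get("to", ""))
    if dest is None:
        raise RelayRefused("destination not in the server-side table")
    for field in ("subject", "email"):
        value = form.get(field, "")
        if "\r" in value or "\n" in value:
            raise RelayRefused(f"line break in {field}")
    msg = EmailMessage()
    msg["From"] = SITE_FROM                       # never the poster's address
    msg["To"] = dest
    if form.get("email"):
        msg["Reply-To"] = form["email"]           # the poster's address goes here only
    msg["Subject"] = form.get("subject", "Form submission")
    msg.set_content(form.get("message", ""))
    return msg


if __name__ == "__main__":
    spam = {"recipient": "jovemcarioca@aol.com", "subject": "hi", "message": "..."}
    print("vulnerable handler would send to:", vulnerable_formmail(spam)["To"])
    try:
        hardened_formmail({"to": "jovemcarioca@aol.com", "message": "..."})
    except RelayRefused as e:
        print("hardened handler refused:", e)
```

With the hardened version, a spammer who scripts POSTs against the form can at most fill the site's own mailboxes, never reach third parties, and the message still arrives from the site's uid with the site's From address, so the qmail log will show the real source if it is abused.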