Koozali.org: home of the SME Server

User sending spam?

mauro
User sending spam?
« on: March 06, 2015, 09:23:27 AM »
Good morning
This morning a user complained of having received error messages from the server: messages apparently sent by him and not delivered because of a wrong recipient address. Indeed, during last night I can see about a hundred messages in the /var/log/qmail/current log that have <utente@server.dominio.com> as sender (note that the mail client is configured to use <utente@dominio.com>; in any case, the client PC was switched off during the night) and various dubious or unknown external addresses as recipients. The UID of the messages is 453, i.e. qpsmtpd.
The user had changed his password just yesterday. The server (SME 8.1 in gateway mode) is set to SMTP authentication 'SSMTP access (secure)'.
To complicate matters, the user is working from home via OpenVPN and I am supposed to be on holiday, so I'm accessing the server remotely.
Suggestions welcome
All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer.
-- IBM maintenance manual (1975)

Stefano
Re: User sending spam?
« Reply #1 on: March 06, 2015, 10:09:37 AM »
do you have an extract of the log you can show us?

mauro
Re: User sending spam?
« Reply #2 on: March 06, 2015, 10:47:46 AM »
/var/log/qmail/current:
2015-03-06 00:19:25.241340500 new msg 28344921
2015-03-06 00:19:25.241342500 info msg 28344921: bytes 2350 from <egrambow@wintermute.XXX.com> qp 9218 uid 453
2015-03-06 00:19:25.464009500 starting delivery 118968: msg 28344921 to local alias-localdelivery-maillog@XXX.com
2015-03-06 00:19:25.464012500 status: local 1/20 remote 0/20
2015-03-06 00:19:25.464013500 starting delivery 118969: msg 28344921 to remote friedrich-blase@YYY.de
2015-03-06 00:19:25.464015500 status: local 1/20 remote 1/20
2015-03-06 00:19:25.648957500 new msg 28345016
2015-03-06 00:19:25.648959500 info msg 28345016: bytes 2475 from <egrambow@wintermute.XXX.com> qp 9226 uid 400
2015-03-06 00:19:25.766755500 starting delivery 118970: msg 28345016 to local maillog@wintermute.XXX.com
2015-03-06 00:19:25.766757500 status: local 2/20 remote 1/20
2015-03-06 00:19:25.766759500 delivery 118968: success: forward:_qp_9226/did_0+0+1/
2015-03-06 00:19:25.766761500 status: local 1/20 remote 1/20
2015-03-06 00:19:25.778446500 delivery 118970: success: procmail:_Couldn't_create_"/var/mail/maillog"/did_0+0+2/
2015-03-06 00:19:25.778449500 status: local 0/20 remote 1/20
2015-03-06 00:19:25.778450500 end msg 28345016
2015-03-06 00:19:25.779421500 delivery 118969: failure: 194.25.134.9_failed_after_I_sent_the_message./Remote_host_said:_550-5.7.0_Message_considered_as_spam_or_virus,_rejected/550-5.7.0_Your_IP:_80.152.140.223/550-5.7.0_Mailhost:_mailin53.aul.t-online.de/550-5.7.0_Timestamp:_2015-03-05T23:19:25Z/550-5.7.0_Expurgate-ID:_149288::1425597565-00001484-840A5F02/0-16018943334/0-10/550-5.7.0_Authenticator:_1F643F346C84648EFBC471676D248C7586342FBF75BFF24F5F03EAF21A31AD793F5B18D4/550-5.7.0_/550-5.7.0_Your_message_has_been_rejected_due_to_spam_or_virus_classification./550-5.7.0_If_you_feel_this_is_inapplicable,_please_report_the_above_error_codes/550-5.7.0_back_to_FPR@RX.T-ONLINE.DE_to_help_us_fix_possible_misclassification./550-5.7.0_We_apologize_for_any_inconvenience_and_thank_you_for_your_assistance!/550-5.7.0_/550-5.7.0_Die_Annahme_Ihrer_Nachricht_wurde_abgelehnt,_da_sie_als_Spam_oder/550-5.7.0_Virus_eingestuft_wurde._Sollten_Sie_dies_als_unzutreffend_ansehen,/550-5.7.0_senden_Sie_bitte_obige_Fehlercodes_an_FPR@RX.T-ONLINE.DE,_damit_wir/550-5.7.0_die_Klassifizierung_untersuchen_k__nnen._Wir_entschuldigen_uns_f__r/550_5.7.0_etwaige_Unannehmlichkeiten_und_bedanken_uns_f__r_Ihre_Unterst__tzung!/
2015-03-06 00:19:25.779565500 status: local 0/20 remote 0/20
2015-03-06 00:19:25.941008500 bounce msg 28344921 qp 9241
2015-03-06 00:19:25.941070500 end msg 28344921
2015-03-06 00:19:25.941243500 new msg 28345064

/var/log/qpsmtpd/current, on the other hand, contains lines like:

2015-03-06 09:14:51.344486500 2987 Accepted connection 0/40 from 195.135.130.51 / mail2.osite.de
2015-03-06 09:14:51.344488500 2987 Connection from mail2.osite.de [195.135.130.51]
2015-03-06 09:14:51.345921500 2987 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-03-06 09:14:51.348964500 2987 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-03-06 09:14:51.365589500 2987 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2015-03-06 09:14:52.372999500 2987 check_earlytalker plugin (connect): remote host said nothing spontaneous, proceeding
2015-03-06 09:14:52.380260500 2987 220 wintermute.XXX.com ESMTP
2015-03-06 09:14:52.469703500 2987 dispatching EHLO mail2.osite.de
2015-03-06 09:14:52.471887500 2987 250-XXX.com Hi mail2.osite.de [195.135.130.51]
2015-03-06 09:14:52.471913500 2987 250-PIPELINING
2015-03-06 09:14:52.471942500 2987 250-8BITMIME
2015-03-06 09:14:52.471973500 2987 250-SIZE 15000000
2015-03-06 09:14:52.472007500 2987 250 STARTTLS
2015-03-06 09:14:52.492380500 2987 dispatching MAIL FROM:<> SIZE=4564 BODY=8BITMIME
2015-03-06 09:14:52.492612500 2987 full from_parameter: FROM:<> SIZE=4564 BODY=8BITMIME
2015-03-06 09:14:52.495453500 2987 getting mail from <>
2015-03-06 09:14:52.495517500 2987 250 <>, sender OK - how exciting to get mail from you!
2015-03-06 09:14:52.495664500 2987 dispatching RCPT TO:<egrambow@wintermute.XXX.com>
2015-03-06 09:14:52.646529500 2987 check_goodrcptto plugin (rcpt): stripping '-' extensions
2015-03-06 09:14:52.647707500 2987 check_goodrcptto plugin (rcpt): recipient egrambow@wintermute.XXX.com denied
2015-03-06 09:14:52.648014500 2987 logging::logterse plugin (deny): ` 195.135.130.51 mail2.osite.de mail2.osite.de <> check_goodrcptto 901 relaying denied egrambow@wintermute.XXX.com msg denied before queued
2015-03-06 09:14:52.648138500 2987 550 relaying denied egrambow@wintermute.XXX.com
2015-03-06 09:14:52.648286500 2987 dispatching DATA
2015-03-06 09:14:52.648649500 2987 503 RCPT first
2015-03-06 09:14:52.738018500 2987 dispatching RSET
2015-03-06 09:14:52.738207500 2987 250 OK
2015-03-06 09:14:52.738296500 2987 dispatching QUIT
2015-03-06 09:14:52.738431500 2987 221 XXX.com closing connection. Have a wonderful day.
2015-03-06 09:14:52.738468500 2987 click, disconnecting
(which look normal to me, but oddly enough they concern one user only, and always the same one)

The suspicious emails seem to have stopped around 7 this morning; in the meantime I asked the user to change his password again, to one that is hard to guess.

Would other logs be useful?
Thanks for your attention
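One way to spot this pattern in the qmail-send log before the user notices the bounces, as an added example that is not code from the thread or from SME Server: it assumes the tai64nlocal line format quoted above, that uid 453 marks qpsmtpd submissions (as mauro noted), and an assumed threshold of 20 remote deliveries per hour; the log lines it runs on are constructed.

```python
import re
from collections import defaultdict

# Added example, not code from the thread or from SME Server: scan qmail-send lines in the
# tai64nlocal format quoted above, tie remote deliveries and failures back to each sender, and
# flag senders injected through qpsmtpd (uid 453, as noted in the thread) that burst per hour.
QPSMTPD_UID = "453"        # from the thread: SMTP AUTH submissions carry qpsmtpd's uid
MAX_REMOTE_PER_HOUR = 20   # assumed threshold; tune to the site's normal outbound volume

INFO_RE = re.compile(r"^(\S+ \S+) info msg (\d+): bytes \d+ from <([^>]*)> qp \d+ uid (\d+)$")
DELIV_RE = re.compile(r"^(\S+ \S+) starting delivery (\d+): msg (\d+) to remote \S+$")
FAIL_RE = re.compile(r"^(\S+ \S+) delivery (\d+): failure: ")

def analyze(lines):
    """Per sender: injecting uid, remote deliveries bucketed by hour, and failed deliveries."""
    msg_sender, deliv_msg = {}, {}       # msg id -> sender address, delivery id -> msg id
    stats = defaultdict(lambda: {"uid": None, "hours": defaultdict(int), "failures": 0})
    for line in lines:
        if m := INFO_RE.match(line):
            _ts, msg, sender, uid = m.groups()
            msg_sender[msg] = sender
            stats[sender]["uid"] = uid
        elif m := DELIV_RE.match(line):
            ts, deliv, msg = m.groups()
            deliv_msg[deliv] = msg
            stats[msg_sender.get(msg, "<unknown>")]["hours"][ts[:13]] += 1   # bucket "YYYY-MM-DD HH"
        elif m := FAIL_RE.match(line):
            stats[msg_sender.get(deliv_msg.get(m.group(2)), "<unknown>")]["failures"] += 1
    return stats

def suspicious_senders(lines, max_remote_per_hour=MAX_REMOTE_PER_HOUR):
    """(sender, peak hour, remote deliveries in that hour, failures) for bursting AUTH senders."""
    flagged = []
    for sender, s in analyze(lines).items():
        hour, peak = max(s["hours"].items(), key=lambda kv: kv[1], default=(None, 0))
        if s["uid"] == QPSMTPD_UID and peak > max_remote_per_hour:
            flagged.append((sender, hour, peak, s["failures"]))
    return flagged

def sample_log():
    """Constructed log: 25 remote sends in one hour from one AUTH account (one bounced), one normal user."""
    lines = []
    for i in range(25):
        lines.append(f"2015-03-06 00:{i:02d}:00.000000000 info msg {100 + i}: bytes 2350 from <egrambow@wintermute.example.com> qp 9218 uid 453")
        lines.append(f"2015-03-06 00:{i:02d}:00.100000000 starting delivery {500 + i}: msg {100 + i} to remote victim{i}@example.net")
    lines.append("2015-03-06 00:30:00.000000000 delivery 500: failure: 203.0.113.9_failed_after_I_sent_the_message./Remote_host_said:_550")
    lines.append("2015-03-06 00:31:00.000000000 info msg 900: bytes 900 from <alice@example.com> qp 1 uid 453")
    lines.append("2015-03-06 00:31:00.100000000 starting delivery 901: msg 900 to remote bob@example.org")
    return lines
```

On a real box you would feed it `tai64nlocal < /var/log/qmail/current` and call `suspicious_senders()` on the lines; on the constructed sample it flags only egrambow's account with 25 remote deliveries in the 00:00 hour and one bounce.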

mauro
Re: User sending spam?
« Reply #3 on: March 06, 2015, 11:05:22 AM »
This is one of the error messages that reached the user

-----Original Message-----
From: MAILER-DAEMON@XXX.com [mailto:MAILER-DAEMON@XXX.com]
Sent: Friday, March 06, 2015 7:42 AM
To: egrambow@wintermute.XXX.com
Subject: failure notice

Hi. This is the qmail-send program at XXX.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<pohl.g.u.k@online.de>:
217.72.192.66 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable Giving
up on 217.72.192.66.

--- Below this line is a copy of the message.

Return-Path: <egrambow@wintermute.XXX.com>
Received: (qmail 24368 invoked by uid 453); 6 Mar 2015 06:41:43 -0000
Received: from 46.220.39.130.wireless.dyn.drei.com (HELO localhost)
(46.220.39.130)
(smtp-auth username egrambow, mechanism login)
by XXX.com (qpsmtpd/0.84) with (AES256-SHA encrypted) ESMTPSA;
Fri, 06 Mar 2015 07:41:43 +0100
Subject: Paket, Ihre Sendung 614944661176417661
From: "DHL Fachteam"<egrambow>
To: pohl.g.u.k@online.de
X-Mailer: Print Manager v1.10.157.18025
Content-type: multipart/mixed; boundary="jmKJ3bWksqczVskz"
MIME-Version: 1.0
X-TNEF2MIME-Plugin: UUENCODE -> MIME
X-Virus-Checked: Checked by ClamAV on XXX.com


--jmKJ3bWksqczVskz
Content-Type: text/html; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: base64
--jmKJ3bWksqczVskz--
Decoding the message, it is an HTML page with the classic fake courier non-delivery notice.
It looks to me like it was sent by someone who has access to a legitimate username and password...
« Last Edit: March 06, 2015, 11:07:31 AM by mauro »

Stefano
Re: User sending spam?
« Reply #4 on: March 06, 2015, 11:15:47 AM »
agreed..

change the credentials and check the suspect PC (make sure it doesn't have some nasty stuff on board, like a keylogger...)

mauro
Re: User sending spam?
« Reply #5 on: March 06, 2015, 11:21:28 AM »
It started a few hours after the user took the PC home. I fear he has some keylogger/sniffer in his home LAN. If so, having changed the password won't help much...
Thanks for the help

Stefano
Re: User sending spam?
« Reply #6 on: March 06, 2015, 11:22:51 AM »
that's exactly why I said to check the PC.. I don't think he has something "in the house", but that he did something "at home"