Hello everyone,

I’m having a weird issue with my server running exim4u 2.1.1 on Debian Squeeze and I just can’t get my head around this. I know this might be more of an Exim question but since I use Exim4u I’ll try my luck here first.

The problem: for a few days now I have one single user sending out spam mails. Not many - only about 5x a day. All sent to the domain’s aliases and one other local domain. But: they seem to 'multiply' because simultaneously the same rubbish is sent from multiple external IPs to what seems to be his whole address book, using his account’s email address as sender.

First I thought: sure thing - a compromised account. So I changed his password. But the following day it happened again. So I changed his pw again and told him not to update the pw on his computer but only use his mobile for a day. About 36h later it happened again. I have checked the logs and he indeed didn’t connect using his MacBook for the whole day, just as I told him. So this should rule out a compromised machine, right?

There are no relay servers in my exim4u installation and connections are only accepted on SSL/TLS (993/587). The exim4u web interface is not public. I keep the box up to date and have all Debian LTS packages installed and have a rather tight iptables-based firewall running. Plus I think I can exclude dictionary attacks because I have fail2ban blacklisting IPs after a couple of failed attempts.

Long story short: I’m running out of excuses.

My last glimpse of hope: I noticed in the exim mainlog that the rogue connections used „P=esmtps“:

2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user(a)example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy(a)example.com T="Fw: important"

Rather than „P=esmtpsa“, which is used when a regular, _a_uthenticated user sends out mail.
http://www.gossamer-threads.com/lists/exim/users/98628#98628

So my question is: does the 'missing a' indicate that the mail was sent without authentication? Could this be an Exim/Exim4U ACL issue/misconfiguration?

It would be great to get some feedback or hints regarding this because neither the spamming pattern (local / remote) nor the password-change-ignoring connections make any sense to me.

Thanks in advance,
Mika
Hi Mika,

2015-08-20 13:35, emkay wrote:
> I’m having a weird issue with my server running exim4u 2.1.1 on Debian Squeeze and I just can’t get my head around this. I know this might be more of an Exim question but since I use Exim4u I’ll try my luck here first.
> the problem: For a few days now I have one single user sending out spam mails. Not many - only about 5x a day. All sent to the domain’s aliases and one other local domain. But: they seem to 'multiply' because simultaneously the same rubbish is sent from multiple external IPs to what seems to be his whole address book, using his account’s email address as sender.
I don't really understand this last sentence. Care to clarify?
> My last glimpse of hope: I noticed in the exim mainlog that the rogue connections used „P=esmtps“:
> 2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user(a)example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy(a)example.com T="Fw: important"
> Rather than „P=esmtpsa“, which is used when a regular, _a_uthenticated user sends out mail. http://www.gossamer-threads.com/lists/exim/users/98628#98628
> So my question is: does the 'missing a' indicate that the mail was sent without authentication? Could this be an Exim/Exim4U ACL issue/misconfiguration?
> It would be great to get some feedback or hints regarding this because neither the spamming pattern (local / remote) nor the password-change-ignoring connections make any sense to me.
You're probably right about authentication not happening, but this is normal in your case – mail servers in general only require authentication when sending messages OUT, not IN (and you wrote above that the spam is coming IN). This is how e-mail works.

The fact that these messages are sent from your user's e-mail address might mean that:
a) the sender expects that the recipients will be more likely to read it (due to the message appearing as being from the same domain/from a user in the address book)
b) (and you should really test this theory) your mail server might be skipping spam checks on messages which it considers as sent from local users.

I had a similar issue a couple of years ago: someone's account was compromised, and our server became a spamming machine. I can't remember whether or not it happened more than once, but when I decided to debug this problem, the issue turned out to be that I had disabled spam checking on messages originating from 127.0.0.1, and the spammer used our webmail service running on the same server to send the spam. Once I figured that out, I configured Exim to also test messages originating from the www-data user, and the problems stopped.

Hope this helps,
Rimas
Hi Rimas,

on 20.08.15 21:29 Rimas Kudelis wrote:
> Hi Mika,
> 2015-08-20 13:35, emkay wrote:
>> I’m having a weird issue with my server running exim4u 2.1.1 on Debian Squeeze and I just can’t get my head around this. I know this might be more of an Exim question but since I use Exim4u I’ll try my luck here first.
>> the problem: For a few days now I have one single user sending out spam mails. Not many - only about 5x a day. All sent to the domain’s aliases and one other local domain. But: they seem to 'multiply' because simultaneously the same rubbish is sent from multiple external IPs to what seems to be his whole address book, using his account’s email address as sender.
> I don't really understand this last sentence. Care to clarify?
At the same time when these (few) mails are being sent from my machine to local users there are remote 'JoeJobs' that are sending out mail from other IPs using the local user's mail address. Sounds silly, I know.

In the meantime I've discovered this might be a larger operation involving a possible security breach at Telekom, a large local (German) provider. https://www.google.de/search?q=WORLDST-UQ3K9Q0 Seems to be a local issue (atm) so most info is in German. There seem to be a lot of similar cases. Same procedure, same HELO and subjects used and same clueless admins trying to figure out how the mail was sent.
>> My last glimpse of hope: I noticed in the exim mainlog that the rogue connections used „P=esmtps“:
>> 2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user(a)example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy(a)example.com T="Fw: important"
>> Rather than „P=esmtpsa“, which is used when a regular, _a_uthenticated user sends out mail. http://www.gossamer-threads.com/lists/exim/users/98628#98628
>> So my question is: does the 'missing a' indicate that the mail was sent without authentication? Could this be an Exim/Exim4U ACL issue/misconfiguration?
>> It would be great to get some feedback or hints regarding this because neither the spamming pattern (local / remote) nor the password-change-ignoring connections make any sense to me.
> You're probably right about authentication not happening, but this is normal in your case – mail servers in general only require authentication when sending messages OUT, not IN (and you wrote above that the spam is coming IN). This is how e-mail works.
I think you got me wrong: user(a)example.com is the local user. And "he" is sending out mails that he shouldn't. And if "P=esmtps" means he's doing it without authentication then that's not how e-mail should work. ;)

So am I right to assume they manage to do it without authentication?
> The fact that these messages are sent from your user's e-mail address might mean that: a) the sender expects that the recipients will be more likely to read it (due to the message appearing as being from the same domain/from a user in the address book) b) (and you should really test this theory) your mail server might be skipping spam checks on messages which it considers as sent from local users.
> I had a similar issue a couple of years ago: someone's account was compromised, and our server became a spamming machine. I can't remember whether or not it happened more than once, but when I decided to debug this problem, the issue turned out to be that I had disabled spam checking on messages originating from 127.0.0.1, and the spammer used our webmail service running on the same server to send the spam. Once I figured that out, I configured Exim to also test messages originating from the www-data user, and the problems stopped.
> Hope this helps,
> Rimas
_______________________________________________ users mailing list users(a)exim4u.org https://exim4u.org/mailman/listinfo/users
Hi,

2015-08-20 23:22, emkay wrote:
> on 20.08.15 21:29 Rimas Kudelis wrote:
>> 2015-08-20 13:35, emkay wrote:
>>> I’m having a weird issue with my server running exim4u 2.1.1 on Debian Squeeze and I just can’t get my head around this. I know this might be more of an Exim question but since I use Exim4u I’ll try my luck here first.
>>> the problem: For a few days now I have one single user sending out spam mails. Not many - only about 5x a day. All sent to the domain’s aliases and one other local domain. But: they seem to 'multiply' because simultaneously the same rubbish is sent from multiple external IPs to what seems to be his whole address book, using his account’s email address as sender.
>> I don't really understand this last sentence. Care to clarify?
> At the same time when these (few) mails are being sent from my machine to local users there are remote 'JoeJobs' that are sending out mail from other IPs using the local user's mail address. Sounds silly, I know.
As you probably know, faking the "From:" header is very easy. If somebody is faking this header and uses third-party servers to send spam, there is only so much you can do. You may want to explore DMARC and similar initiatives, but that's about it.
> In the meantime I've discovered this might be a larger operation involving a possible security breach at Telekom, a large local (German) provider. https://www.google.de/search?q=WORLDST-UQ3K9Q0 Seems to be a local issue (atm) so most info is in German. There seem to be a lot of similar cases. Same procedure, same HELO and subjects used and same clueless admins trying to figure out how the mail was sent.
Again, in your place, I would first of all limit my concern to my own server and users. You should make sure that _your_ server hasn't been compromised first of all.
>>> My last glimpse of hope: I noticed in the exim mainlog that the rogue connections used „P=esmtps“:
>>> 2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user(a)example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy(a)example.com T="Fw: important"
>>> Rather than „P=esmtpsa“, which is used when a regular, _a_uthenticated user sends out mail. http://www.gossamer-threads.com/lists/exim/users/98628#98628
>>> So my question is: does the 'missing a' indicate that the mail was sent without authentication? Could this be an Exim/Exim4U ACL issue/misconfiguration?
>>> It would be great to get some feedback or hints regarding this because neither the spamming pattern (local / remote) nor the password-change-ignoring connections make any sense to me.
>> You're probably right about authentication not happening, but this is normal in your case – mail servers in general only require authentication when sending messages OUT, not IN (and you wrote above that the spam is coming IN). This is how e-mail works.
> I think you got me wrong: user(a)example.com is the local user. And "he" is sending out mails that he shouldn't. And if "P=esmtps" means he's doing it without authentication then that's not how e-mail should work. ;)
> So am I right to assume they manage to do it without authentication?
Yes, I suppose so (you have already looked it up, there's no need for me to do the same). However, your first message says "All sent to the domain’s aliases and one other local domain", so I assume you are talking about spam delivered to your server's local mailboxes, hence the direction is IN. And if that is correct, then not requiring authentication is the expected behavior, because that's how SMTP servers talk to each other.

Rimas
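The distinction Rimas draws is visible in the Exim mainlog itself: a "<=" line whose P= field is esmtpa/esmtpsa (and which carries an A= field) came from an authenticated client, while esmtp/esmtps is a plain server-to-server delivery, so a local envelope sender on such a line means inbound mail claiming a local address, not a local user sending out. The script below is an added example, not code from the thread or the exim4u project: it parses "<=" lines from a constructed sample log (documentation IPs, invented message ids) and labels each one accordingly; the helper names and the verdict strings are my own, and it undoes the "(a)" obfuscation the list archive applies to "@" so the line quoted in the thread parses too.

```python
"""Classify Exim mainlog '<=' (message received) lines by whether the
sending client authenticated, to separate genuine submissions from
inbound mail that merely carries a local sender address.

Added example for the exim4u thread, not the project's own code. The
log lines below are constructed; helper and verdict names are mine.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample mainlog (not from the thread). Line 1 mimics the
# pattern from the thread: a local sender address arriving over plain
# esmtps from an external host. Line 2 is a genuine authenticated
# submission (note P=esmtpsa and the A= field). Line 4 is a delivery
# record ('=>') and is ignored by the parser.
SAMPLE_LOG = """\
2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user@example.com H=mx.third-party.example [203.0.113.5] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=abc@example.com T="Fw: important"
2015-08-18 08:12:01 1ZSK1x-0001Ab-Qz <= user@example.com H=(laptop) [198.51.100.7] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 A=dovecot_plain:user@example.com S=2210 id=def@example.com T="Re: meeting"
2015-08-18 09:30:45 1ZSLFz-0003Cd-Ef <= newsletter@other.example H=mail.other.example [203.0.113.9] P=esmtp S=5120 id=ghi@other.example T="Weekly"
2015-08-18 09:31:10 1ZSLGa-0003Ce-Fg => bob@example.com R=local_user T=local_delivery
"""

# Exim's protocol field for SMTP sessions that authenticated ends in 'a'.
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa"}

RECEIVED_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
HOST_RE = re.compile(r"\bH=(?P<host>.*?) \[(?P<ip>[^\]]+)\]")   # H=name (helo) [ip]
PROTO_RE = re.compile(r"\bP=(?P<proto>\S+)")
AUTH_RE = re.compile(r"\bA=(?P<auth>\S+)")                        # A=authenticator:id
SUBJECT_RE = re.compile(r'\bT="(?P<subject>(?:[^"\\]|\\.)*)"')


@dataclass
class Received:
    timestamp: str
    msgid: str
    sender: str        # envelope sender (MAIL FROM), not the From: header
    host: str
    ip: str
    protocol: str
    auth: Optional[str]
    subject: str


def parse_mainlog(text: str) -> List[Received]:
    """Return one Received record per '<=' line; other log lines are skipped."""
    out: List[Received] = []
    for line in text.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        host = HOST_RE.search(rest)
        proto = PROTO_RE.search(rest)
        auth = AUTH_RE.search(rest)
        subj = SUBJECT_RE.search(rest)
        out.append(Received(
            timestamp=m.group("ts"),
            msgid=m.group("msgid"),
            # list archives print '@' as '(a)'; undo that so pasted lines parse
            sender=m.group("sender").replace("(a)", "@"),
            host=host.group("host") if host else "",
            ip=host.group("ip") if host else "",
            protocol=proto.group("proto") if proto else "",
            auth=auth.group("auth") if auth else None,
            subject=subj.group("subject") if subj else "",
        ))
    return out


def classify(entry: Received, local_domains: Set[str]) -> str:
    """Label a received message by how it entered the server."""
    authenticated = entry.protocol in AUTH_PROTOCOLS or entry.auth is not None
    if authenticated:
        return "authenticated-submission"
    sender_domain = entry.sender.rpartition("@")[2].lower()
    if sender_domain in local_domains:
        # Inbound delivery whose envelope sender claims a local domain but
        # whose client never authenticated: normal SMTP, and exactly the
        # case SPF/DKIM/DMARC policy is meant to evaluate.
        return "inbound-local-sender-unauthenticated"
    return "inbound"


def classify_log(text: str, local_domains: Set[str]) -> List[Tuple[str, str]]:
    """(message id, verdict) for every '<=' line in the log text."""
    return [(e.msgid, classify(e, local_domains)) for e in parse_mainlog(text)]


if __name__ == "__main__":
    for msgid, verdict in classify_log(SAMPLE_LOG, {"example.com"}):
        print(msgid, verdict)
```

Run it against a real mainlog with your own domain set (`classify_log(open("/var/log/exim4/mainlog").read(), {"example.com"})`); a steady stream of "inbound-local-sender-unauthenticated" verdicts from external hosts is the joe-job pattern discussed above and says nothing about a compromised account, whereas "authenticated-submission" lines from unexpected IPs for one user would.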
Hi Rimas,

I just realised that what I thought were mails being sent out without authentication were in fact received mails that were simply delivered to the local accounts. The faked mails from remote machines continue but they don't bother me too much because I have SPF and DKIM set. I'm just glad the machine is not compromised.

Although I wish I had noticed this embarrassing detail before I sent my initial mail :) Guess it was paranoia creeping up my spine. Ignore me and pardon the noise.

Mika

On 20.08.15 at 22:55, Rimas Kudelis wrote:
> Hi,
> 2015-08-20 23:22, emkay wrote:
>> on 20.08.15 21:29 Rimas Kudelis wrote:
>>> 2015-08-20 13:35, emkay wrote:
>>>> I’m having a weird issue with my server running exim4u 2.1.1 on Debian Squeeze and I just can’t get my head around this. I know this might be more of an Exim question but since I use Exim4u I’ll try my luck here first.
>>>> the problem: For a few days now I have one single user sending out spam mails. Not many - only about 5x a day. All sent to the domain’s aliases and one other local domain. But: they seem to 'multiply' because simultaneously the same rubbish is sent from multiple external IPs to what seems to be his whole address book, using his account’s email address as sender.
>>> I don't really understand this last sentence. Care to clarify?
>> At the same time when these (few) mails are being sent from my machine to local users there are remote 'JoeJobs' that are sending out mail from other IPs using the local user's mail address. Sounds silly, I know.
> As you probably know, faking the "From:" header is very easy. If somebody is faking this header and uses third-party servers to send spam, there is only so much you can do. You may want to explore DMARC and similar initiatives, but that's about it.
>> In the meantime I've discovered this might be a larger operation involving a possible security breach at Telekom, a large local (German) provider. https://www.google.de/search?q=WORLDST-UQ3K9Q0 Seems to be a local issue (atm) so most info is in German. There seem to be a lot of similar cases. Same procedure, same HELO and subjects used and same clueless admins trying to figure out how the mail was sent.
> Again, in your place, I would first of all limit my concern to my own server and users. You should make sure that _your_ server hasn't been compromised first of all.
>>>> My last glimpse of hope: I noticed in the exim mainlog that the rogue connections used „P=esmtps“:
>>>> 2015-08-18 01:20:36 1ZSDMy-0002RD-MY <= user(a)example.com H=s115.panelboxmanager.com [184.107.100.85] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 S=7303 id=b0795df60e0f65f5.3b60fdmy(a)example.com T="Fw: important"
>>>> Rather than „P=esmtpsa“, which is used when a regular, _a_uthenticated user sends out mail. http://www.gossamer-threads.com/lists/exim/users/98628#98628
>>>> So my question is: does the 'missing a' indicate that the mail was sent without authentication? Could this be an Exim/Exim4U ACL issue/misconfiguration?
>>>> It would be great to get some feedback or hints regarding this because neither the spamming pattern (local / remote) nor the password-change-ignoring connections make any sense to me.
>>> You're probably right about authentication not happening, but this is normal in your case – mail servers in general only require authentication when sending messages OUT, not IN (and you wrote above that the spam is coming IN). This is how e-mail works.
>> I think you got me wrong: user(a)example.com is the local user. And "he" is sending out mails that he shouldn't. And if "P=esmtps" means he's doing it without authentication then that's not how e-mail should work. ;)
>> So am I right to assume they manage to do it without authentication?
> Yes, I suppose so (you have already looked it up, there's no need for me to do the same). However, your first message says "All sent to the domain’s aliases and one other local domain", so I assume you are talking about spam delivered to your server's local mailboxes, hence the direction is IN. And if that is correct, then not requiring authentication is the expected behavior, because that's how SMTP servers talk to each other.
> Rimas