My server has been spoofed - help configuring mailenable
Asked by Ederwainer
Hello,
This morning we ran into a pretty serious problem.
Based on what I saw in the logs, it seems like our server was spoofed, as over 1.000 messages were sent from my server apparently using my own mailbox.
So the relay limit I have on my dedicated server, which runs Plesk 8.3 for Windows, at GoDaddy was maxed out early in the morning and up to now I haven't been able to close the door to this kind of action.
From what I have read, it seems like some settings on MailEnable are allowing for spoofing and that's what caused all the trouble. However, I'm not familiar with MailEnable at all and I haven't found a way to access its interface in order to reconfigure it.
After my relay was maxxed out, none of the hundreds of websites I have hosted there were able to send email through their contact forms.
This is a small part of today's log which I think can show someone who understands it what happened and how I can fix it:
************************** ********** ********** ********** ********** ********** ********** ********** ********** *******
04/23/09 07:36:55 SMTP-IN EC9372A288194763BDA79164F7 79B317.MAI 492 127.0.0.1 220 KLAN02.home ESMTP MailEnable Service, Version: 1.983-- ready at 04/23/09 07:36:55 0 0
04/23/09 07:36:55 SMTP-IN EC9372A288194763BDA79164F7 79B317.MAI 492 127.0.0.1 HELO HELO klan02 250 Requested mail action okay, completed 43 13
04/23/09 07:36:55 SMTP-IN EC9372A288194763BDA79164F7 79B317.MAI 492 127.0.0.1 MAIL MAIL FROM:<eder@coll.com.br> 250 Requested mail action okay, completed 43 30
04/23/09 07:36:55 SMTP-IN EC9372A288194763BDA79164F7 79B317.MAI 492 127.0.0.1 RCPT RCPT TO:<spoouf@hotmail.com> 250 Requested mail action okay, completed 43 30
04/23/09 07:36:55 SMTP-IN EC9372A288194763BDA79164F7 79B317.MAI 492 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
04/23/09 07:36:55 SMTP-IN CA68A4F94F2847BFA800B4DED7 ABC000.MAI 500 127.0.0.1 220 KLAN02.home ESMTP MailEnable Service, Version: 1.983-- ready at 04/23/09 07:36:55 0 0
04/23/09 07:36:55 SMTP-IN CA68A4F94F2847BFA800B4DED7 ABC000.MAI 500 127.0.0.1 HELO HELO klan02 250 Requested mail action okay, completed 43 13
04/23/09 07:36:55 SMTP-IN CA68A4F94F2847BFA800B4DED7 ABC000.MAI 500 127.0.0.1 MAIL MAIL FROM:<eder@coll.com.br> 250 Requested mail action okay, completed 43 30
04/23/09 07:36:55 SMTP-IN CA68A4F94F2847BFA800B4DED7 ABC000.MAI 500 127.0.0.1 RCPT RCPT TO:<spoouf@hotmail.com> 250 Requested mail action okay, completed 43 30
04/23/09 07:36:55 SMTP-IN CA68A4F94F2847BFA800B4DED7 ABC000.MAI 500 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
04/23/09 07:36:56 SMTP-IN 6C4B803660104FC0A2D3622B5B A9E3F3.MAI 492 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
************************** ********** ********** ********** ********** ********** ********** ********** ********** *******
eder@coll.com.br is my personal mailbox. Seems like it was spoofed to get through the server authentication.
Any help on securing our server from this kind of action will be greatly appreciated.
Thanks
Eder
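The log excerpt above shows the tell-tale pattern of a web form being driven as a mail relay: every session comes from 127.0.0.1 (the web server on the same box), every MAIL FROM is the same mailbox, and sessions reach DATA at a rate of several per second. The following Python script, added here as an example and not part of the question or of MailEnable, parses SMTP-IN lines in the layout quoted above and flags any (client IP, MAIL FROM) pair that submits more than a threshold of messages inside a one-minute window. The session ids, timestamps and recipient addresses in the sample log are constructed; the field layout is assumed from the quoted lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One MailEnable SMTP-IN activity line, in the layout shown in the question (assumed):
# date time SMTP-IN session-id message-file pid client-ip command command-text response bytes bytes
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) SMTP-IN "
    r"(?P<session>\S+) (?P<msgfile>\S+) (?P<pid>\d+) (?P<ip>\S+) (?P<cmd>\S+) (?P<rest>.*)$"
)
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_line(line):
    """Split one log line into fields; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%y %H:%M:%S")
    addr = ADDR_RE.search(rec["rest"]) if rec["cmd"] in ("MAIL", "RCPT") else None
    rec["addr"] = addr.group(1).lower() if addr else None
    return rec


def build_sessions(lines):
    """Group lines by SMTP session id: client IP, sender, recipients, and whether DATA was reached."""
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(
            rec["session"], {"ip": rec["ip"], "from": None, "to": [], "data": False, "ts": rec["ts"]}
        )
        if rec["cmd"] == "MAIL":
            s["from"] = rec["addr"]
        elif rec["cmd"] == "RCPT":
            s["to"].append(rec["addr"])
        elif rec["cmd"] == "DATA":
            s["data"] = True
    return sessions


def find_bursts(lines, window=timedelta(minutes=1), threshold=5):
    """Return {(client_ip, sender): peak_count} for every (client IP, MAIL FROM) pair that
    submitted more than `threshold` messages (sessions reaching DATA) inside any `window`."""
    by_key = defaultdict(list)
    for s in build_sessions(lines).values():
        if s["data"] and s["from"]:
            by_key[(s["ip"], s["from"])].append(s["ts"])
    alerts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[key] = peak
    return alerts


def _constructed_session(sid, stamp, ip, sender, rcpt):
    # Constructed sample lines modelled on the question's log format; not real traffic.
    pre = f"{stamp} SMTP-IN {sid} {sid}.MAI 492 {ip} "
    return [
        pre + f"220 KLAN02.home ESMTP MailEnable Service, Version: 1.983-- ready at {stamp} 0 0",
        pre + "HELO HELO klan02 250 Requested mail action okay, completed 43 13",
        pre + f"MAIL MAIL FROM:<{sender}> 250 Requested mail action okay, completed 43 30",
        pre + f"RCPT RCPT TO:<{rcpt}> 250 Requested mail action okay, completed 43 30",
        pre + "DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6",
    ]


# Eight messages in eight seconds from the local web server, all claiming the asker's mailbox,
# plus one ordinary submission from another host and one session that quit before DATA.
SAMPLE_LOG = []
for i in range(8):
    SAMPLE_LOG += _constructed_session(f"BURST{i:02d}", f"04/23/09 07:37:{i:02d}", "127.0.0.1",
                                       "eder@coll.com.br", "recipient@example.invalid")
SAMPLE_LOG += _constructed_session("LEGIT00", "04/23/09 07:40:00", "10.0.0.5",
                                   "webform@example.invalid", "owner@example.invalid")
SAMPLE_LOG.append("04/23/09 07:41:00 SMTP-IN QUIT00 QUIT00.MAI 492 127.0.0.1 "
                  "QUIT QUIT 221 Service closing transmission channel 42 6")

if __name__ == "__main__":
    for (ip, sender), count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {count} messages from {ip} as <{sender}> within one minute")
```

Run against the real activity log, an alert keyed on 127.0.0.1 points at something on the web server itself (a script or form) rather than at an outside host guessing the mailbox password, which is the distinction that matters for where to look next.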
SOLUTION
ASKER
I have recently enabled "perl" on the domain coll.com.br, which is the same as the mailbox authenticating for sending. Could it be the source of the problem?
I enabled Perl to be able to run an application by Google, sitemap generator.
Thanks
Eder Wainer
ASKER
After some searches on my dedicated server I came across a folder created by the default Plesk skeleton that had a file called test_mail.asp, which had the local IP address (127.0.0.1) and my email address configured at the top. The fields of the form match the fields of the messages that were being sent.
I deleted this "test" folder, generated automatically by Plesk on all domains, and it's been 20 minutes since the last message was queued to be sent; no more messages were created.
So it seemed like malicious code was using this form for spam.
I think it's a shame: coming from a company that should care for the safety of its customers, placing a form like that by default on new accounts opens the door to trouble.
I'm gonna be monitoring the service tomorrow and if anything still goes wrong, I'll post here.
Thanks
Eder Wainer
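The root cause found above is a stock test form whose mail settings could be driven from the outside. The following Python handler is an added example, not the Plesk test_mail.asp page (whose code is not on this page) and not the asker's own; it shows the three controls that keep a contact form from becoming a relay: recipient and sender are fixed on the server (a "to" field in the POST is ignored), header fields are rejected if they contain CR or LF (the classic header-injection route to adding Bcc recipients), and accepted submissions are rate limited per client address. Addresses and the submissions in the demo are constructed.

```python
import re
import time
from collections import defaultdict, deque
from email.message import EmailMessage

# Server-side configuration (constructed addresses): the form never decides who receives the
# mail or which mailbox it is sent as, so a caller cannot turn it into a relay.
FORM_RECIPIENT = "webmaster@example.invalid"
FORM_SENDER = "webform@example.invalid"

HEADER_BREAK = re.compile(r"[\r\n]")                  # CR/LF in a header value = header injection
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple syntax check


class RateLimiter:
    """Sliding-window count of accepted submissions per client address."""

    def __init__(self, max_per_window=5, window_seconds=600):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._seen = defaultdict(deque)

    def allow(self, client_ip, now):
        q = self._seen[client_ip]
        while q and now - q[0] > self.window_seconds:  # drop entries outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True


def build_message(fields, client_ip, limiter, now=None):
    """Validate a contact-form POST and return (EmailMessage, None) on success or
    (None, reason) on rejection. Only reply address, subject and body are taken from the form."""
    now = time.time() if now is None else now
    reply_to = fields.get("email", "").strip()
    subject = fields.get("subject", "").strip()
    body = fields.get("message", "")

    if HEADER_BREAK.search(reply_to) or HEADER_BREAK.search(subject):
        return None, "newline in header field"
    if not EMAIL_RE.match(reply_to):
        return None, "invalid reply address"
    if not body.strip():
        return None, "empty message"
    # Rate limit only well-formed submissions so rejected junk does not consume the budget.
    if not limiter.allow(client_ip, now):
        return None, "rate limit exceeded"

    msg = EmailMessage()
    msg["To"] = FORM_RECIPIENT        # fixed: any "to" field in the POST is ignored
    msg["From"] = FORM_SENDER         # fixed: the visitor's address goes in Reply-To only
    msg["Reply-To"] = reply_to
    msg["Subject"] = "[contact form] " + subject[:120]
    msg.set_content(body)
    return msg, None


if __name__ == "__main__":
    limiter = RateLimiter()
    # Constructed submissions: one honest, one that tries to pick recipients through the form,
    # then a flood from a single address.
    honest = {"email": "visitor@example.invalid", "subject": "Quote", "message": "Hello"}
    abusive = {"email": "visitor@example.invalid", "to": "someone@example.invalid",
               "subject": "Hi\r\nBcc: list@example.invalid", "message": "Hello"}
    print(build_message(honest, "198.51.100.7", limiter, now=0.0)[0]["To"])
    print(build_message(abusive, "198.51.100.7", limiter, now=1.0)[1])
    for n in range(6):
        print(build_message(honest, "198.51.100.7", limiter, now=2.0 + n)[1])
```

The message returned would be handed to the local MailEnable instance over SMTP as usual; the difference from the deleted test page is that nothing in the request can change who it goes to or who it claims to be from, and a script hammering the form gets cut off after a handful of messages instead of exhausting the server's relay quota.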
I would check the Plesk documentation - usually frameworks come with such test pages by default (php comes with some too) and the documentation recommends that they be removed before the machine is placed in "production".
ASKER CERTIFIED SOLUTION
ASKER
It is using my mailbox for authentication, "eder@coll.com.br". As a temporary measure I was thinking of deleting my mailbox. Would it solve the problem till I can stop this action?
I don't know if it helps, but I do not run any mailboxes at this server, only contact forms that send email messages.
If anybody is willing to help me through this, I can attach log files.
Thanks
Eder Wainer