Solved

CentOS email logs and remote emails being sent

Posted on 2014-09-23
Last Modified: 2016-07-19
Hi.

I noticed that my dedi box had a full mail queue with spam emails all being sent from the same domain hosted internally on the server.

After changing all the email passwords for the domain I can now see failed login attempts from Russia, France and an IP found to be in Germany (the server is based in the United Kingdom), so I expect a proxy is involved.

This is from /usr/local/psa/var/log/maillog
This is a Ukrainian IP address:
Sep 23 03:55:42 server88-208-248-91 /var/qmail/bin/relaylock[2019]: /var/qmail/bin/relaylock: mail from 94.158.158.194:63128 (592329.soborka.net)
Sep 23 03:55:43 server88-208-248-91 /var/qmail/bin/relaylock[2020]: /var/qmail/bin/relaylock: mail from 94.158.158.194:63188 (host-94-158-158-194.soborka.net)
Sep 23 03:55:43 server88-208-248-91 smtp_auth: SMTP connect from 592329.soborka.net [94.158.158.194]
Sep 23 03:55:43 server88-208-248-91 smtp_auth: FAILED: casper - password incorrect from 592329.soborka.net [94.158.158.194]
Sep 23 03:55:43 server88-208-248-91 smtp_auth: SMTP connect from host-94-158-158-194.soborka.net [94.158.158.194]



and some others:

Sep 19 03:30:29 server88-208-248-91 smtp_auth: SMTP connect from 122-103-149-92.chiba.fdn.vectant.ne.jp [122.103.149.92]
Sep 19 03:30:29 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 122-103-149-92.chiba.fdn.vectant.ne.jp [122.103.149.92]
Sep 19 03:30:32 server88-208-248-91 smtp_auth: SMTP connect from 194.28.152.193.base-net.ru [194.28.152.193]
Sep 19 03:30:32 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 194.28.152.193.base-net.ru [194.28.152.193]
Sep 19 03:30:39 server88-208-248-91 smtp_auth: SMTP connect from unknown [92.47.35.36]
Sep 19 03:30:39 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from (null) [92.47.35.36]
Sep 19 03:30:42 server88-208-248-91 smtp_auth: SMTP connect from 109-162-28-179-stbn.broadband.kyivstar.net [109.162.28.179]
Sep 19 03:30:42 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from 109-162-28-179-stbn.broadband.kyivstar.net [109.162.28.179]





I can also see that a lot of emails are being sent to domains with spoofed from addresses.
e.g.

This email was received to an internal email on the server:

subject: Your account might be compromised
From:	Barclays Bank PLC
Date:	04/29/2014 (05:29:39 AM UTC)
To:	Undisclosed Recipients
 	
1 Attachment
application/x-zip-compressed	Barclays Bank - Form.zip (4 KB)	
Dear Customer,

We recently have determined that different computers have logged in your Barclays
account, and multiple password failures were present before the logons.

For your security we have temporary suspended your account.
Please download the document attached to this email and fill carefully.

If you do not restore your account by April 30, we will be forced to suspend
your account indefinitely, as it may have been used for fraudulent purposes.

Do not ignore this message is for your security.

We apologize for any inconvenience.

Thank you,
Barclays Bank PLC.


Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.
application/x-zip-compressed Barclays Bank - Form.zip (4 KB) 





and I then found its headers by checking: /var/qmail/mailnames/domain.com/email_account/Maildir/

Received: (qmail 21075 invoked from network); 23 Apr 2014 11:02:04 +0100
Received: from static.119.17.76.144.clients.your-server.de (HELO c1.cyber-empire.com) (144.76.17.119)
  by server88-208-248-91.live-servers.net with (DHE-RSA-AES256-GCM-SHA384 encrypted) SMTP; 23 Apr 2014 11:02:04 +0100
Received: from mail1.islamichelp.org.uk ([213.120.215.123] helo=User)
	by c1.cyber-empire.com with esmtpa (Exim 4.82)
	(envelope-from <support@buhpressa.ru>)
	id 1Wctzn-00022y-Rm; Wed, 23 Apr 2014 12:01:40 +0200
Reply-To: <Barclays@email.barclays.co.uk>
From: "Barclays Bank PLC"<Barclays@email.barclays.co.uk>
Subject: Your account might be compromised
Date: Wed, 23 Apr 2014 11:01:33 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_012B_01C2A9A6.140BBE10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <E1Wctzn-00022y-Rm@c1.cyber-empire.com>
Sender: support@buhpressa.ru

This is a multi-part message in MIME format.

------=_NextPart_000_012B_01C2A9A6.140BBE10
Content-Type: text/plain;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit

Dear Customer,

We recently have determined that different computers have logged in your Barclays
account, and multiple password failures were present before the logons.

For your security we have temporary suspended your account.
Please download the document attached to this email and fill carefully.

If you do not restore your account by April 24, we will be forced to suspend
your account indefinitely, as it may have been used for fraudulent purposes.

Do not ignore this message is for your security.

We apologize for any inconvenience.

Thank you,
Barclays Bank PLC.


Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

------=_NextPart_000_012B_01C2A9A6.140BBE10
Content-Type: application/x-zip-compressed;
	name="Barclays Bank - Form.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="Barclays Bank - Form.zip"

[encoded file removed]

------=_NextPart_000_012B_01C2A9A6.140BBE10--




So I can see from the header that the envelope-from is <support@buhpressa.ru>, but it looks like it's from Barclays@email.barclays.co.uk.

It's obvious that the email is trying to get the user to open the attachment, which is a .zip :D

So how can I secure the server to stop these emails?
Thanks.
Question by: helpchrisplz
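An added example, not from the question or any of the answers below, showing the check I would run over maillog lines like the ones quoted above: pull out the `smtp_auth: FAILED:` events, count them per target account and per source IP, and flag accounts being tried from several unrelated addresses, which is what the Sep 19 lines show for drivers@ and elaine@. The sample log is the question's own lines; the regular expression and the threshold are assumptions tied to the Plesk qmail `smtp_auth` format exactly as it appears here.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample: the smtp_auth lines quoted in the question above.
# The "SMTP connect" line is included to show it is ignored by the filter.
SAMPLE_MAILLOG = """\
Sep 23 03:55:43 server88-208-248-91 smtp_auth: SMTP connect from 592329.soborka.net [94.158.158.194]
Sep 23 03:55:43 server88-208-248-91 smtp_auth: FAILED: casper - password incorrect from 592329.soborka.net [94.158.158.194]
Sep 19 03:30:29 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 122-103-149-92.chiba.fdn.vectant.ne.jp [122.103.149.92]
Sep 19 03:30:32 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 194.28.152.193.base-net.ru [194.28.152.193]
Sep 19 03:30:39 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from (null) [92.47.35.36]
Sep 19 03:30:42 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from 109-162-28-179-stbn.broadband.kyivstar.net [109.162.28.179]
"""

# Matches only the FAILED lines written by Plesk's qmail smtp_auth wrapper
# in the format shown in the question; the reverse-DNS field may be "(null)".
# Assumed format: other qmail builds may log differently.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ smtp_auth: FAILED: "
    r"(?P<user>\S+) - (?P<reason>.+?) from (?P<rdns>\S+) \[(?P<ip>[^\]]+)\]$"
)


def parse_failures(lines):
    """Return one dict per failed SMTP AUTH attempt found in `lines`."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Counts per target account and per source IP, plus the sorted list of
    source IPs that tried each account."""
    per_user = Counter(e["user"] for e in events)
    per_ip = Counter(e["ip"] for e in events)
    ips_per_user = defaultdict(set)
    for e in events:
        ips_per_user[e["user"]].add(e["ip"])
    return per_user, per_ip, {u: sorted(ips) for u, ips in ips_per_user.items()}


def distributed_targets(events, min_ips=2):
    """Accounts tried from at least `min_ips` distinct sources. One IP
    hammering one account is plain brute force and per-IP blocking handles
    it; several unrelated IPs working the same account list, as in the
    question, means a proxy pool or botnet, so the fix has to be on the
    account side (strong passwords, limits on AUTH failures per account)."""
    _, _, ips_per_user = summarize(events)
    return sorted(u for u, ips in ips_per_user.items() if len(ips) >= min_ips)


if __name__ == "__main__":
    # Pass a maillog path to analyse a real file; with no argument the
    # constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            events = parse_failures(fh)
    else:
        events = parse_failures(SAMPLE_MAILLOG.splitlines())
    per_user, per_ip, ips_per_user = summarize(events)
    print("failed AUTH attempts per account:", dict(per_user))
    print("failed AUTH attempts per source IP:", dict(per_ip))
    print("accounts attacked from several IPs:", distributed_targets(events))
```

Run it as `python3 smtp_auth_failures.py /usr/local/psa/var/log/maillog` on the box; the per-account counts tell you which mailboxes need their passwords rotated first, and a non-empty "attacked from several IPs" list is the signal that blocking the handful of addresses in the log will not be enough on its own.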
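A second added example, also not from the thread: the envelope-from versus From: comparison the question makes by eye, done with Python's standard email library on the quoted headers, together with the attachment check. The message text is the question's own headers; the removed base64 body is replaced by a constructed empty zip archive so the message parses, and nothing about the real attachment is assumed.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr

# Placeholder attachment: a 22-byte empty zip archive, base64-encoded, standing
# in for the "[encoded file removed]" body in the question (constructed).
EMPTY_ZIP_B64 = base64.b64encode(b"PK\x05\x06" + b"\x00" * 18).decode()

# Constructed sample: the headers quoted in the question, body shortened.
RAW_MESSAGE = f"""\
Received: (qmail 21075 invoked from network); 23 Apr 2014 11:02:04 +0100
Received: from static.119.17.76.144.clients.your-server.de (HELO c1.cyber-empire.com) (144.76.17.119)
  by server88-208-248-91.live-servers.net with (DHE-RSA-AES256-GCM-SHA384 encrypted) SMTP; 23 Apr 2014 11:02:04 +0100
Received: from mail1.islamichelp.org.uk ([213.120.215.123] helo=User)
\tby c1.cyber-empire.com with esmtpa (Exim 4.82)
\t(envelope-from <support@buhpressa.ru>)
\tid 1Wctzn-00022y-Rm; Wed, 23 Apr 2014 12:01:40 +0200
Reply-To: <Barclays@email.barclays.co.uk>
From: "Barclays Bank PLC"<Barclays@email.barclays.co.uk>
Subject: Your account might be compromised
Date: Wed, 23 Apr 2014 11:01:33 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
\tboundary="----=_NextPart_000_012B_01C2A9A6.140BBE10"
Message-Id: <E1Wctzn-00022y-Rm@c1.cyber-empire.com>
Sender: support@buhpressa.ru

------=_NextPart_000_012B_01C2A9A6.140BBE10
Content-Type: text/plain;
\tcharset="Windows-1251"
Content-Transfer-Encoding: 7bit

Dear Customer, please download the document attached to this email.

------=_NextPart_000_012B_01C2A9A6.140BBE10
Content-Type: application/x-zip-compressed;
\tname="Barclays Bank - Form.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
\tfilename="Barclays Bank - Form.zip"

{EMPTY_ZIP_B64}

------=_NextPart_000_012B_01C2A9A6.140BBE10--
"""


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.default)


def envelope_sender(msg):
    """Envelope sender (MAIL FROM) as recorded by a hop in the Received:
    trail, falling back to the Sender: header. Unlike From:, this is what
    the sending server actually presented and where a bounce would go."""
    for received in msg.get_all("Received", []):
        m = re.search(r"envelope-from <([^>]+)>", str(received))
        if m:
            return m.group(1).lower()
    sender = msg.get("Sender")
    return parseaddr(str(sender))[1].lower() if sender else None


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if addr and "@" in addr else ""


def spoof_indicators(msg):
    """Compare the displayed From: with the envelope sender; a different
    domain is the sign of the spoofing the question spotted by hand."""
    env = envelope_sender(msg)
    frm = parseaddr(str(msg["From"]))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    return {
        "envelope_from": env,
        "header_from": frm,
        "reply_to": reply_to,
        "from_domain_mismatch": domain_of(env) != domain_of(frm),
    }


def risky_attachments(msg):
    """List attachments, flagging archives by declared type or extension and
    checking the decoded bytes for the zip magic ("PK")."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        found.append({
            "filename": name,
            "content_type": ctype,
            "is_zip": ctype in ("application/zip", "application/x-zip-compressed")
                      or name.lower().endswith(".zip"),
            "zip_magic": payload[:2] == b"PK",
        })
    return found


if __name__ == "__main__":
    msg = parse_message(RAW_MESSAGE)
    print(spoof_indicators(msg))
    print(risky_attachments(msg))
```

The same functions work on a file pulled straight out of Maildir (`parse_message(open(path).read())`). Note also the `esmtpa` in the third Received: line: in Exim that means c1.cyber-empire.com accepted the message from a client that had authenticated to it, so that relay passed it on because someone had valid credentials there, which is the same outcome the failed logins in the maillog are trying to reach on this server.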
 
Accepted Solution by: gheist (ID: 40339974)
Ask the person who compiled and installed qmail...

Move quickly to (CentOS default) Postfix. It has so many safeguards in its default configuration that it is quite hard to set up an open relay unintentionally, or even intentionally.
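Added for reference, not part of gheist's answer: a Postfix main.cf fragment with the relay and SMTP AUTH settings that bear on the two problems in the question, the open-relay style settings shown commented out beside the safe ones. The parameter names are real Postfix ones; the sender_login map path is an assumed example. Note that the maillog lines in the question are failed logins against real mailboxes, so restricting relaying alone is not enough; the login-mismatch and rate settings are the ones aimed at a compromised account. On a Plesk box, check whether Plesk regenerates the Postfix configuration before editing main.cf by hand.

```ini
# Postfix main.cf fragment, an added example, not from the thread.

# Weak (assumed misconfiguration, shown for contrast): trusting every
# client and permitting all relaying makes the box an open relay.
#   mynetworks = 0.0.0.0/0
#   smtpd_relay_restrictions = permit

# Only the host itself relays without authenticating.
mynetworks = 127.0.0.0/8, [::1]/128

# Relay for local clients and authenticated users only; everyone else may
# only send mail for domains this server is responsible for.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# SMTP AUTH only over TLS, and no anonymous mechanisms, so passwords are
# not guessable over a cleartext session.
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous

# A stolen mailbox password may not be used to send as somebody else: the
# envelope sender must belong to the login that authenticated. The map
# file path is assumed; each line is "address  login".
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

# Per-client rate limits (anvil) blunt password guessing and bulk sending
# from a single source; they do not stop a distributed attack by themselves.
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 100
```

The sender-login check covers the envelope sender only; the forged `From:` header in the Barclays message is outside Postfix's relay restrictions and needs header-level filtering, which is a separate topic.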
 
Author Comment by: helpchrisplz (ID: 40340357)
It's rented from a hosting company with preinstalled Plesk. I have asked the hosting company's tech support but they just say to look for PHP scripts that might be insecure.

I haven't got much server maintenance knowledge, so I should change to CentOS Postfix. How can I action that? Thx.
 
Expert Comment by: gheist (ID: 40340839)
Easy peasy - stop qmail and take 5 minutes to THINK.
Now install and start Postfix.
It will by default let mail out. So stay reading /var/log/messages until all your web forms are secure.
You have 4-5 days before mails bounce... So have a good read of the postfix.org site and enable mail reception if you want it.
 
Expert Comment by: gheist (ID: 41713509)
https:#a40234964
(my first line is basic procedure of mail abuse handling)