Solved

CentOS email logs and remote emails being sent

Posted on 2014-09-23
Last Modified: 2016-07-19
Hi.

I noticed that my dedi box had a full mail queue with spam emails all being sent from the same domain hosted internally on the server.

After changing all the email passwords for the domain I can now see failed login attempts from Russia, France and an IP found to be in Germany (the server is based in the United Kingdom), so I expect a proxy is involved.

This is from /usr/local/psa/var/log/maillog.
This is a Ukrainian IP address:
Sep 23 03:55:42 server88-208-248-91 /var/qmail/bin/relaylock[2019]: /var/qmail/bin/relaylock: mail from 94.158.158.194:63128 (592329.soborka.net)
Sep 23 03:55:43 server88-208-248-91 /var/qmail/bin/relaylock[2020]: /var/qmail/bin/relaylock: mail from 94.158.158.194:63188 (host-94-158-158-194.soborka.net)
Sep 23 03:55:43 server88-208-248-91 smtp_auth: SMTP connect from 592329.soborka.net [94.158.158.194]
Sep 23 03:55:43 server88-208-248-91 smtp_auth: FAILED: casper - password incorrect from 592329.soborka.net [94.158.158.194]
Sep 23 03:55:43 server88-208-248-91 smtp_auth: SMTP connect from host-94-158-158-194.soborka.net [94.158.158.194]

and some others:

Sep 19 03:30:29 server88-208-248-91 smtp_auth: SMTP connect from 122-103-149-92.chiba.fdn.vectant.ne.jp [122.103.149.92]
Sep 19 03:30:29 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 122-103-149-92.chiba.fdn.vectant.ne.jp [122.103.149.92]
Sep 19 03:30:32 server88-208-248-91 smtp_auth: SMTP connect from 194.28.152.193.base-net.ru [194.28.152.193]
Sep 19 03:30:32 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 194.28.152.193.base-net.ru [194.28.152.193]
Sep 19 03:30:39 server88-208-248-91 smtp_auth: SMTP connect from unknown [92.47.35.36]
Sep 19 03:30:39 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from (null) [92.47.35.36]
Sep 19 03:30:42 server88-208-248-91 smtp_auth: SMTP connect from 109-162-28-179-stbn.broadband.kyivstar.net [109.162.28.179]
Sep 19 03:30:42 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from 109-162-28-179-stbn.broadband.kyivstar.net [109.162.28.179]

I can also see that a lot of emails are being sent to domains with spoofed from addresses.
e.g.

This email was received by an internal email account on the server:

subject: Your account might be compromised
From:	Barclays Bank PLC
Date:	04/29/2014 (05:29:39 AM UTC)
To:	Undisclosed Recipients
 	
1 Attachment
application/x-zip-compressed	Barclays Bank - Form.zip (4 KB)	
Dear Customer,

We recently have determined that different computers have logged in your Barclays
account, and multiple password failures were present before the logons.

For your security we have temporary suspended your account.
Please download the document attached to this email and fill carefully.

If you do not restore your account by April 30, we will be forced to suspend
your account indefinitely, as it may have been used for fraudulent purposes.

Do not ignore this message is for your security.

We apologize for any inconvenience.

Thank you,
Barclays Bank PLC.


Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

and I then found its headers by checking: /var/qmail/mailnames/domain.com/email_account/Maildir/

Received: (qmail 21075 invoked from network); 23 Apr 2014 11:02:04 +0100
Received: from static.119.17.76.144.clients.your-server.de (HELO c1.cyber-empire.com) (144.76.17.119)
  by server88-208-248-91.live-servers.net with (DHE-RSA-AES256-GCM-SHA384 encrypted) SMTP; 23 Apr 2014 11:02:04 +0100
Received: from mail1.islamichelp.org.uk ([213.120.215.123] helo=User)
	by c1.cyber-empire.com with esmtpa (Exim 4.82)
	(envelope-from <support@buhpressa.ru>)
	id 1Wctzn-00022y-Rm; Wed, 23 Apr 2014 12:01:40 +0200
Reply-To: <Barclays@email.barclays.co.uk>
From: "Barclays Bank PLC"<Barclays@email.barclays.co.uk>
Subject: Your account might be compromised
Date: Wed, 23 Apr 2014 11:01:33 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_012B_01C2A9A6.140BBE10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <E1Wctzn-00022y-Rm@c1.cyber-empire.com>
Sender: support@buhpressa.ru

This is a multi-part message in MIME format.

------=_NextPart_000_012B_01C2A9A6.140BBE10
Content-Type: text/plain;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit

Dear Customer,

We recently have determined that different computers have logged in your Barclays
account, and multiple password failures were present before the logons.

For your security we have temporary suspended your account.
Please download the document attached to this email and fill carefully.

If you do not restore your account by April 24, we will be forced to suspend
your account indefinitely, as it may have been used for fraudulent purposes.

Do not ignore this message is for your security.

We apologize for any inconvenience.

Thank you,
Barclays Bank PLC.


Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

------=_NextPart_000_012B_01C2A9A6.140BBE10
Content-Type: application/x-zip-compressed;
	name="Barclays Bank - Form.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="Barclays Bank - Form.zip"

[encoded file removed]

------=_NextPart_000_012B_01C2A9A6.140BBE10--

So I can see from the header that the envelope-from is <support@buhpressa.ru>, but it looks like it's from Barclays@email.barclays.co.uk.

It's obvious that the email is trying to get the user to open the attachment, which is a .zip   :D

So how can I secure the server to stop these emails?
Thanks.
Question by:helpchrisplz
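As an added example (not code from the original post or from Plesk/qmail), a small Python script that applies the smtp_auth FAILED line format from the log excerpts above to find accounts being guessed from several source IPs, which separates a distributed password-guessing run from a single user's mistyped password. The sample lines are constructed from the hostnames and IPs quoted in the question.

```python
import re
from collections import defaultdict

# Constructed sample: smtp_auth lines in the same format as the qmail/Plesk
# maillog quoted in the question (hostnames and IPs taken from that post).
SAMPLE_LOG = """\
Sep 19 03:30:29 server88-208-248-91 smtp_auth: SMTP connect from 122-103-149-92.chiba.fdn.vectant.ne.jp [122.103.149.92]
Sep 19 03:30:29 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 122-103-149-92.chiba.fdn.vectant.ne.jp [122.103.149.92]
Sep 19 03:30:32 server88-208-248-91 smtp_auth: FAILED: drivers@thedomain1.co.uk - password incorrect from 194.28.152.193.base-net.ru [194.28.152.193]
Sep 19 03:30:39 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from (null) [92.47.35.36]
Sep 19 03:30:42 server88-208-248-91 smtp_auth: FAILED: elaine@thedomain1.co.uk - password incorrect from 109-162-28-179-stbn.broadband.kyivstar.net [109.162.28.179]
Sep 23 03:55:43 server88-208-248-91 smtp_auth: FAILED: casper - password incorrect from 592329.soborka.net [94.158.158.194]
"""

# One regex for the FAILED lines: syslog timestamp, account tried, client IP in [].
# "SMTP connect from" lines and anything else do not match and are skipped.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smtp_auth: FAILED: "
    r"(?P<user>\S+) - password incorrect from \S+ \[(?P<ip>[\d.]+)\]$"
)


def parse_failures(log_text):
    """Return (user, ip, timestamp) for every smtp_auth FAILED line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out.append((m["user"], m["ip"], m["ts"]))
    return out


def ips_per_account(failures):
    """Map each account that was tried to the sorted list of source IPs that tried it."""
    seen = defaultdict(set)
    for user, ip, _ in failures:
        seen[user].add(ip)
    return {user: sorted(ips) for user, ips in seen.items()}


def flag_distributed(summary, min_sources=2):
    """Accounts hit from min_sources or more distinct IPs: a guessing run, not one typo."""
    return sorted(u for u, ips in summary.items() if len(ips) >= min_sources)


if __name__ == "__main__":
    summary = ips_per_account(parse_failures(SAMPLE_LOG))
    for user in flag_distributed(summary):
        print(f"{user}: {len(summary[user])} source IPs -> {summary[user]}")
```

Feeding it the contents of /usr/local/psa/var/log/maillog (the path the question names) instead of SAMPLE_LOG gives the same per-account view for the real server, which is what you need to confirm the password changes stopped the logins and to decide which accounts or sources to block.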

Accepted Solution

by: gheist (earned 500 total points)
ID: 40339974
Ask the person who compiled and installed qmail...

Move quickly to (CentOS default) Postfix. It has so many wits in its default configuration that it is quite hard to set up an open relay unintentionally, or even intentionally.

Author Comment

by:helpchrisplz
ID: 40340357
It's rented from a hosting company with preinstalled Plesk. I have asked the hosting company's tech support but they just say to look for PHP scripts that might be insecure.

I haven't got much server maintenance knowledge. So I should change to CentOS Postfix. How can I action that? Thx.

Expert Comment

by:gheist
ID: 40340839
Easy peasy - stop QMAIL and take 5 minutes to THINK.
Now install and start POSTFIX.
It will by default let mail out. So stay reading /var/log/messages until all your web forms are secure.
You have 4-5 days before mails bounce.... So have a good read of the postfix.org site and enable mail reception if you want it.

Expert Comment

by:gheist
ID: 41713509
https:#a40234964
(my first line is the basic procedure of mail abuse handling)