Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




[ 18 posts ] Go to page 1, 2  Next
Post subject: On the hunt - My ASL'd server used to send out spam
Posted: Fri Oct 15, 2010 1:09 pm
Forum Regular
Joined: Wed Aug 04, 2010 2:52 pm
Posts: 257
Hello,

My ASL secured server is being used to send out spam. I've caught it a couple times and am learning how to hunt. I'd appreciate any suggestions on good practices to lock down a server so it can't effectively be used as a relay.

Good info here: http://gnufreakz.wordpress.com/2010/02/ ... -in-qmail/

Here's one I tracked:
Received: (qmail 26429 invoked from network); 9 Oct 2010 04:15:39 -0400
Received: from localhost (127.0.0.1)
by localhost with SMTP; 9 Oct 2010 04:15:39 -0400
Received: from 82.128.62.45 ([82.128.62.45]) by webmail.editeddomainname.com
(Horde Framework) with HTTP; Sat, 09 Oct 2010 04:15:37 -0400

Ah ha, someone was using a crappy password on webmail. I turned off webmail for that domain.

Next:
Received: (qmail 24463 invoked from network); 15 Oct 2010 02:07:56 -0400
Received: from unknown (HELO User) (82.128.84.58) by myservers.editedreverselookup.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 15

This one is a little harder for me to decipher. Any ideas? Who is "User" to HELO? Invoked from "network"? Ideas on how to find this one?

I'm not sure if it's the right thing to do, but I went into my ASL interface today and blacklisted 82.128.0.0/16. Will that prevent any connections from them? I also geoblocked Nigeria.

I've been googling, searching the ASL docs, etc. Does anyone have a good comprehensive "lock down your email but still allow your users access" tut?

Thanks!
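The header triage done by hand above can be scripted. This is an added example, not code from the original post or from ASL: it unfolds the Received: chain, walks it from the bottom (earliest hop) upward, and reports the first hop that carries a public peer address together with the way it entered (HTTP, i.e. a webmail session, or SMTP submission). The two samples are constructed from the traces quoted above; the host names are the thread's own redacted placeholders, and the second trace's cut-off timestamp is completed with a made-up value.

```python
import re
from ipaddress import ip_address

# Constructed sample headers modelled on the two traces quoted in the thread.
WEBMAIL_CASE = """\
Received: (qmail 26429 invoked from network); 9 Oct 2010 04:15:39 -0400
Received: from localhost (127.0.0.1)
  by localhost with SMTP; 9 Oct 2010 04:15:39 -0400
Received: from 82.128.62.45 ([82.128.62.45]) by webmail.editeddomainname.com
  (Horde Framework) with HTTP; Sat, 09 Oct 2010 04:15:37 -0400
Subject: (constructed sample)
"""

SMTP_CASE = """\
Received: (qmail 24463 invoked from network); 15 Oct 2010 02:07:56 -0400
Received: from unknown (HELO User) (82.128.84.58)
  by myservers.editedreverselookup.com with (DHE-RSA-AES256-SHA encrypted) SMTP;
  15 Oct 2010 02:07:55 -0400
Subject: (constructed sample)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Join folded (continuation) header lines; return [(name, value), ...]."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the header block
        if line[0] in " \t" and fields:
            fields[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            fields.append([name.strip().lower(), value.strip()])
    return [tuple(f) for f in fields]


def parse_hop(value):
    """Extract the from/HELO/IP/by/with clauses of one Received: value."""
    hop = {"from": None, "helo": None, "ip": None, "by": None, "with": None}
    m = re.search(r"\bfrom\s+(\S+)", value)
    if m:
        hop["from"] = m.group(1).rstrip(");")
    m = re.search(r"\(HELO\s+([^)]+)\)", value, re.IGNORECASE)
    if m:
        hop["helo"] = m.group(1)
    m = re.search(r"\bby\s+(\S+)", value)
    if m:
        hop["by"] = m.group(1)
    # "with (DHE-RSA-AES256-SHA encrypted) SMTP" and "with HTTP" both end in a
    # bare protocol word; skip the optional parenthesised cipher note.
    m = re.search(r"\bwith\s+(?:\([^)]*\)\s*)?([A-Za-z]+)", value)
    if m:
        hop["with"] = m.group(1).upper()
    # The first public IPv4 address in the clause is the remote peer;
    # loopback and private addresses are internal hops.
    for ip in IPV4.findall(value):
        try:
            if ip_address(ip).is_global:
                hop["ip"] = ip
                break
        except ValueError:
            continue
    return hop


def origin(raw):
    """Find the hop where the message entered the system and classify it.

    Each hop prepends its own Received: line, so the last one is the earliest.
    """
    hops = [parse_hop(v) for name, v in unfold(raw) if name == "received"]
    for hop in reversed(hops):
        if hop["ip"]:
            break
    else:
        return {"path": "local", "ip": None, "helo": None, "by": None}
    if hop["with"] == "HTTP":
        path = "webmail"          # a web session, e.g. Horde: a stolen login
    elif hop["with"] and "SMTP" in hop["with"]:
        path = "smtp"             # direct SMTP submission to the MTA
    else:
        path = "unknown"
    return {"path": path, "ip": hop["ip"], "helo": hop["helo"], "by": hop["by"]}


if __name__ == "__main__":
    for label, sample in (("webmail", WEBMAIL_CASE), ("smtp", SMTP_CASE)):
        print(label, origin(sample))
```

A `path` of `local` (no public address in any hop, e.g. `invoked by uid 48`) means the message was injected by a process on the box itself, which is the case the sendmail wrapper further down this thread is meant to catch.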


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Fri Oct 15, 2010 6:27 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
So bad passwords are one good thing to squash (ASL will report weak passwords, and if ASL reports them as weak they are WEAK, change them fast) - so just to understand: is the spam going through your MTA to the outside world? (You're the source of the spam, not the recipient.)

If so, and if it's going through your MTA - do you have spamassassin scanning all outgoing mail?

Also, have you enabled dazuko in ASL? It can detect spamming tools and will prevent them from running.

Just a few thoughts off the top of my head.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Sat Oct 16, 2010 4:37 am
Forum Regular
Joined: Sat Mar 28, 2009 6:58 pm
Posts: 839
Location: Germany
To investigate who or what might be sending, you could try to create a sendmail wrapper with this content:

Code:
#!/bin/sh
# Log every sendmail call (timestamp, calling user, working directory) to
# /tmp/mail.send, tag the message with an extra header, then hand it to the
# real binary. $USER is often unset under a web server, so fall back to id -un.
TODAY=$(date -Iseconds)
echo "$TODAY sendmail-wrapper called ${USER:-$(id -un)} from $PWD" >>/tmp/mail.send
(echo "X-Additional-Header: $(dirname "$PWD")"; cat) | /usr/lib/sendmail-real "$@"


This will write an extra header into the mail and a log line to /tmp/mail.send. "dirname" is used to ensure no confidential information is put in.

After that, hook the wrapper into the mail routine:
Code:
chmod +x sendmail-wrapper
mv /usr/lib/sendmail /usr/lib/sendmail-real
mv sendmail-wrapper /usr/lib/sendmail


Hope this helps

EDIT: just found a similar tut from parallels: http://kb.parallels.com/article_22_1711_en.html


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Sat Oct 16, 2010 9:03 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7780
Location: earth
If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Sat Oct 16, 2010 12:26 pm
Forum Regular
Joined: Wed Aug 04, 2010 2:52 pm
Posts: 257
Thanks guys. I've been using the ASL php mail logger for a while now, this isn't coming through PHP. I just added the sendmail wrapper. Looks like this system is symlinking /usr/sbin/sendmail over to /etc/alternatives/mta. /usr/lib/sendmail also symlinked to there so I did a little extra linking to make sure all sendmail calls are logged.

We'll see if this helps.


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Sat Oct 16, 2010 1:38 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 2007
Scott -- I think ASL should include a script to enable and disable a wrapper like this. Kind of like a security blanket - "I know it is there if I need it, and I know the script is being updated regularly, so it will always be ready when the time comes" sort of thing.

It would take 5 minutes and add another tick box to the feature list :-)

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Tue Oct 26, 2010 1:16 pm
New Forum User
Joined: Tue Oct 26, 2010 12:29 pm
Posts: 3
I used the method above, found at http://kb.parallels.com/article_22_1711_en.html

It looks like /var/tmp/mail.send is logging messages sent through Horde but not through other PHP sources, specifically several Drupal installs. Any ideas why this might be?


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Tue Oct 26, 2010 1:20 pm
Forum Regular
Joined: Sat Mar 28, 2009 6:58 pm
Posts: 839
Location: Germany
see above post:
Quote:
If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Tue Oct 26, 2010 2:58 pm
New Forum User
Joined: Tue Oct 26, 2010 12:29 pm
Posts: 3
>> If it's PHP, you can configure it to log all uses of the mail() function, or send a header telling you which script is the originator.

How can I do this? Is there a global solution in php.ini? I can't really hack into individual clients' code.

Also - wondering why the sendmail wrapper solution logs Horde but not other PHP. Running Plesk v8.4.0.

Thanks


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Tue Oct 26, 2010 3:54 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7780
Location: earth
The same mail header / logging capability in php 5.3 was backported into 5.2.x


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Tue Oct 26, 2010 4:24 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
If you are using our PHP rpms.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
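Once the sendmail wrapper from earlier in the thread and PHP's own mail logging are both in place (the php.ini directives mail.log and mail.add_x_header, which exist from PHP 5.3 and, per the staff replies, were backported into Atomicorp's 5.2 packages), the remaining question is which directory or script is doing the sending. The following Python example is added here and is not part of the thread, of ASL or of Plesk: it parses constructed lines in both formats, ranks origins by volume, and flags any origin that sent three or more messages within a minute. Paths, user names and addresses are made up; the wrapper line format follows the echo in the script quoted above, and the PHP format follows what mail.log writes. The last wrapper line deliberately has no user name, which is what the script logs when $USER is unset under the web server.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (all paths and addresses are invented).
WRAPPER_LOG = """\
2010-10-26T14:19:30-04:00 sendmail-wrapper called apache from /var/www/vhosts/example.com/httpdocs/sites/all
2010-10-26T14:19:31-04:00 sendmail-wrapper called apache from /var/www/vhosts/example.com/httpdocs/sites/all
2010-10-26T14:19:31-04:00 sendmail-wrapper called apache from /var/www/vhosts/example.com/httpdocs/sites/all
2010-10-26T14:19:32-04:00 sendmail-wrapper called apache from /var/www/vhosts/example.com/httpdocs/sites/all
2010-10-26T15:02:10-04:00 sendmail-wrapper called from /var/www/horde
"""

PHP_MAIL_LOG = """\
[26-Oct-2010 14:19:30] mail() on [/var/www/vhosts/example.com/httpdocs/sites/all/modules/contact/contact.php:71]: To: a@example.net -- Headers: From: noreply@example.com
[26-Oct-2010 14:19:31] mail() on [/var/www/vhosts/example.com/httpdocs/sites/all/modules/contact/contact.php:71]: To: b@example.net -- Headers: From: noreply@example.com
[26-Oct-2010 15:02:10] mail() on [/var/www/horde/lib/Mail.php:23]: To: c@example.net -- Headers: From: user@example.com
"""

# "called <user> from <dir>"; the user is optional because $USER may be unset.
WRAPPER_RE = re.compile(r"^(\S+) sendmail-wrapper called (?:(\S+) )?from (\S+)$")
# PHP mail.log: [date] mail() on [script:line]: To: addr -- Headers: ...
PHP_RE = re.compile(r"^\[([^\]]+)\] mail\(\) on \[([^\]]+):(\d+)\]: To: (\S+)")


def parse_events(wrapper_text, php_text):
    """Normalise both logs into sorted (timestamp, source, user, origin) tuples."""
    events = []
    for line in wrapper_text.splitlines():
        m = WRAPPER_RE.match(line)
        if m:
            # date -Iseconds writes an ISO-8601 stamp with a UTC offset; drop
            # the offset so both logs compare as the box's local time.
            ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=None)
            events.append((ts, "wrapper", m.group(2) or "?", m.group(3)))
    for line in php_text.splitlines():
        m = PHP_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            events.append((ts, "php", None, m.group(2)))
    events.sort(key=lambda e: e[0])
    return events


def rank_origins(events):
    """Most prolific (source, origin) pairs first."""
    return Counter((src, origin) for _, src, _, origin in events).most_common()


def bursts(events, window=60, threshold=3):
    """(source, origin) pairs that sent >= threshold messages within `window` seconds."""
    stamps = {}
    for ts, src, _, origin in events:
        stamps.setdefault((src, origin), []).append(ts)
    flagged = []
    for key, times in stamps.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):           # sliding window over timestamps
            while (times[hi] - times[lo]).total_seconds() > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_events(WRAPPER_LOG, PHP_MAIL_LOG)
    for (src, origin), n in rank_origins(evts):
        print(f"{n:4d}  {src:8s} {origin}")
    print("bursting:", bursts(evts))
```

Messages that show up in the wrapper log but not in mail.log were not sent through PHP's mail() at all, which is the distinction the Drupal question above turns on: a site that talks SMTP to localhost directly never calls the sendmail binary or mail().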


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Mon Nov 15, 2010 1:07 pm
Forum Regular
Joined: Wed Aug 04, 2010 2:52 pm
Posts: 257
By wrapping sendmail I was able to track it to one particular domain on the system. At first they were using Horde, so I shut off webmail to that domain. Then they were using the same account, but by SMTP. For that I reset the password to something stronger and the problem stopped.

Prior to all of this I locked down all the email passwords that ASL said were weak. The password in question was pretty crappy, but it didn't trip that switch. Perhaps a more thorough weakness test would help.

How do you make SpamAssassin scan outgoing email?

mikeshinn, yes, we were the "source". I found it in our mail queue. qmHandle makes monitoring much easier.
I'm looking into dazuko, I'm not sure off the top of my head on that one. I'm reading about it and am not sure how this helps spam.


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Mon Nov 15, 2010 1:12 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7780
Location: earth
Sure, what was the password that account was using?


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Mon Nov 15, 2010 5:02 pm
Forum Regular
Joined: Wed Aug 04, 2010 2:52 pm
Posts: 257
I didn't save it. Shoot. From memory, it may have been the same as the username or same as domain name or something like that.
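The password that slipped past the weak-password report was, by the poster's recollection, the username or the domain name. As an added example (not ASL's checker, which the thread does not show), here is a Python check for exactly that family: passwords equal to the local part, the domain, the domain's first label, the full address, or any of those reversed, compared after trailing digits and punctuation are stripped, plus a minimum length. Account names are constructed.

```python
import re


def derived_candidates(username, domain):
    """Strings a guesser tries first, built from the account itself."""
    local = username.split("@")[0].lower()
    dom = domain.lower()
    first_label = dom.split(".")[0]
    bases = {local, dom, first_label, f"{local}@{dom}", local + dom, local + first_label}
    bases |= {b[::-1] for b in list(bases)}      # reversed forms, e.g. moc.elpmaxe
    return bases


def is_trivially_weak(username, domain, password, min_len=8):
    """True if the password is short, is all digits/symbols, or is an
    account-derived string with digits or punctuation tacked on the end
    (e.g. 'bob123', 'Example.com!', 'example2010')."""
    if len(password) < min_len:
        return True
    pw = password.lower()
    core = re.sub(r"[\d\W_]+$", "", pw)          # strip trailing digits/symbols
    if not core:
        return True                              # nothing but digits/symbols
    candidates = derived_candidates(username, domain)
    return pw in candidates or core in candidates


if __name__ == "__main__":
    # Constructed accounts and passwords for illustration.
    for user, dom, pw in [("bob", "example.com", "bob"),
                          ("bob", "example.com", "Example.com!"),
                          ("bob@example.com", "example.com", "example2010"),
                          ("bob", "example.com", "Tq8#vLm2pZ")]:
        print(f"{user:16s} {pw:14s} weak={is_trivially_weak(user, dom, pw)}")
```

A check like this complements, rather than replaces, a dictionary-based audit: it costs nothing per account and catches the class of password the thread describes, which a generic wordlist may not contain because it is specific to the domain.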


Post subject: Re: On the hunt - My ASL'd server used to send out spam
Posted: Mon Nov 15, 2010 5:12 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
Quote:
mikeshinn, yes, we were the "source". I found it in our mail queue. qmHandle makes monitoring much easier.


Was the spam tool running on your box, or were they just relaying through you? If the former, any chance you have the spamming tools? We can check to see if there are sigs for them.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

