Concern of open relay

  • Ben Johnson (Message 1 of 6, Jul 7, 2014)
      Hello!

      I've noticed increased Postfix activity as of late and am concerned that
      something is configured inadequately (i.e., open-relay). For "postconf
      -n" output, please skip to the end of this message.

      So, I installed pflogsumm and my concerns seem valid. I'll address each
      point of concern.

      Firstly, the Grand Totals are much larger than expected (especially
      deferrals), given the tenancy on this server:


      Grand Totals
      ------------
      messages

      13993 received
      17602 delivered
      0 forwarded
      19486 deferred (294359 deferrals)
      5439 bounced
      348 rejected (1%)
      0 reject warnings
      0 held
      0 discarded (0%)

      28386k bytes received
      55491k bytes delivered
      690 senders
      43 sending hosts/domains
      11302 recipients
      641 recipient hosts/domains


      Also, nearly this entire next section is full of domains which we do not
      host (obviously). What's interesting, too, is that we do host *Web*
      services for "example.com" (sanitized for privacy reasons), but not
      email (no MX records in DNS for this domain point to the server in
      question -- they point to a different email provider).


      Host/Domain Summary: Message Delivery
      --------------------------------------
      sent cnt  bytes   defers   avg dly  max dly  host/domain
      --------  ------  -------  -------  -------  -----------
          5438  17837k       0     6.5 s   37.0 s  example.com
          4183   3409k    9540     1.8 h   59.6 h  yahoo.com
          4094   3207k  259218     9.9 h   51.5 h  aol.com
           783  436136       1    30.5 m    2.9 h  hotmail.com
           755   1021k     531     3.1 h   30.9 h  gmail.com
           136  106885    6803     9.8 h   51.4 h  aim.com
           129  104380     207     1.1 h   10.6 h  ymail.com
            84   69503     136     1.2 h    9.5 h  yahoo.fr
            77   64989     157     1.7 h    7.2 h  yahoo.co.uk


      Continuing on, I find that recipients at this domain have received 13814
      messages in this time period. But how is this possible if we don't even
      host email for the client whose domain I am calling "example.com"? The
      domain is not configured in Postfix, there are no mailboxes for users at
      this domain, etc.


      Host/Domain Summary: Messages Received
      ---------------------------------------
      msg cnt   bytes   host/domain
      --------  ------  -----------
         13814  13177k  example.com


      And not only are messages being delivered to these non-existent
      mailboxes (at least according to Postfix and/or pflogsumm), but users at
      this domain (again, for which we do not host email -- Web only) are also
      sending mail. Note that none of these local-parts are valid; they seem
      auto-generated:


      Senders by message count
      ------------------------
      146 mavis_leblanc@...
      144 patrice_scott@...
      140 kathrine_gentry@...
      124 alana_spencer@...
      110 ann_lloyd@...
      110 augusta_galloway@...
      108 nadia_crawford@...
      106 gladys_bean@...
      102 jane_mcgee@...
      96 bobbi_charles@...
      94 christina_schneider@...
      82 glenda_barlow@...
      [list continues for a couple thousand fake addresses]


      And interspersed with legitimate entries (see first item, for example),
      I find more of this garbage for the sanitized domain that I'm calling
      "example.com". This goes on for over 10,000 entries:


      Recipients by message count
      ---------------------------
      59 sally@...
      41 margery_spence@...
      40 augusta_galloway@...
      34 mavis_leblanc@...
      34 yvette_herrera@...
      31 gladys_bean@...
      28 sallie_burks@...
      26 briana_keith@...
      25 vera_atkinson@...
      24 eloise_willis@...
      24 joy_beck@...
      [10,000+ more entries here]


      And then some 1,800 messages with no size data:


      Messages with no size data
      --------------------------
      00508E89F0 lili_alfo10@...
      00555E8C05 brejc@...
      00576E81B4 st8jak@...
      00A09E924C aguiamer6@...
      00BEEE820C srush2k@...
      00DBDE8CEB rinmar2594@...
      00E0AE920D tj_v_loki@...
      00E55E8BB3 breining@...
      01263E6B2D trilasso@...
      01584E8F94 srush1957@...
      015C2E8984 laithzayer@...
      02136E855B omaromi@...
      0253CE81C6 st8ofdenial@...
      [1,800+ more entries here]


      And last but not least (note the tremendous [for this system] number of
      deferrals): clearly, other mail systems are black-listing this system.
      I've replaced this system's IP address with XXX.XXX.XXX.XXX:


      message deferral detail
      -----------------------
      error (total: 271035)
      175000 4.7.1 : (DYN:T1
      85460 5.7.1 : (RLY:B1
      1446 25: Connection timed out
      827 lost connection with mta5.am0.yahoodns.net[98.138.112.32] whil...
      727 lost connection with mta5.am0.yahoodns.net[98.136.217.202] whi...
      567 lost connection with mta7.am0.yahoodns.net[98.138.112.34] whil...
      509 lost connection with mta7.am0.yahoodns.net[66.196.118.37] whil...
      424 lost connection with mta6.am0.yahoodns.net[66.196.118.240] whi...
      417 lost connection with mta7.am0.yahoodns.net[98.138.112.37] whil...
      416 lost connection with mta7.am0.yahoodns.net[66.196.118.240] whi...
      407 lost connection with mta5.am0.yahoodns.net[98.138.112.34] whil...
      398 lost connection with mta7.am0.yahoodns.net[98.136.217.202] whi...
      389 lost connection with mta5.am0.yahoodns.net[66.196.118.240] whi...
      365 lost connection with mta5.am0.yahoodns.net[66.196.118.34] whil...
      347 lost connection with mta7.am0.yahoodns.net[98.136.217.203] whi...
      342 lost connection with mta6.am0.yahoodns.net[66.196.118.33] whil...
      331 lost connection with mta6.am0.yahoodns.net[98.138.112.33] whil...
      315 lost connection with mta6.am0.yahoodns.net[63.250.192.46] whil...
      268 lost connection with mta7.am0.yahoodns.net[66.196.118.34] whil...
      262 lost connection with mta6.am0.yahoodns.net[98.138.112.34] whil...
      261 lost connection with mta7.am0.yahoodns.net[98.136.216.26] whil...
      249 lost connection with mta6.am0.yahoodns.net[98.138.112.38] whil...
      247 lost connection with mta5.am0.yahoodns.net[98.138.112.33] whil...
      175 Host not found, try again
      160 lost connection with mta6.am0.yahoodns.net[98.138.112.32] whil...
      143 lost connection with mta5.am0.yahoodns.net[98.138.112.38] whil...
      136 lost connection with mta6.am0.yahoodns.net[98.138.112.35] whil...
      132 lost connection with mta5.am0.yahoodns.net[98.138.112.35] whil...
      92 lost connection with mx-eu.mail.am0.yahoodns.net[188.125.69.79...
      59 lost connection with mta6.am0.yahoodns.net[66.196.118.35] whil...
      26 yahoo.co[98.139.102.145]:25: Connection timed out
      23 lost connection with mta5.am0.yahoodns.net[66.196.118.37] whil...
      22 //www.verizon.net/whitelist and request removal of the block. ...
      19 lost connection with mta7.am0.yahoodns.net[63.250.192.46] whil...
      17 yahoo.co[68.180.206.184]:25: Connection timed out
      14 lost connection with mta5.am0.yahoodns.net[98.136.216.25] whil...
      12 Service temporarily unavailable, try again later
      10 lost connection with mta5.am0.yahoodns.net[66.196.118.33] whil...
      6 lost connection with mta6.am0.yahoodns.net[98.136.216.26] whil...
      4 lost connection with mta7.am0.yahoodns.net[63.250.192.45] whil...
      4 Too many concurrent SMTP connections; please try again later.
      3 lost connection with mta7.am0.yahoodns.net[98.138.112.35] whil...
      2 gimail.com[208.73.211.249]:25: Connection timed out
      2 lost connection with mta6.am0.yahoodns.net[66.196.118.37] whil...
      smtp (total: 23324)
      2748 4.2.1 : (DYN:T1
      2222 4.7.1 : (DYN:T1
      1849 Host not found, try again
      1266 25: Connection timed out
      1257 //postmaster.yahoo.com/421-ts01.html (in reply to MAIL FROM co...
      1164 5.7.1 : (RLY:B1
      579 //www.verizon.net/whitelist and request removal of the block. ...
      493 //www.google.com/mail/help/bulk_mail.html to review our Bulk 4...
      282 //postmaster.facebook.com/response_codes?ip=XXX.XXX.XXX.XXX#una...
      181 gimal.com[208.87.34.163]:25: No route to host
      181 lost connection with mx-c1.talktalk.net[62.24.202.3] while rec...
      128 tahoo.com[116.212.117.220]:25: No route to host
      123 hotmaill.com[65.55.5.14]:25: Connection timed out
      123 25: Connection refused
      112 gotmail.com[176.74.176.178]:25: Connection refused
      106 yahoo.co[68.180.206.184]:25: Connection timed out
      96 yahoo.co[98.139.102.145]:25: Connection timed out
      96 mail2.sify.com[124.7.36.211]:25: Connection timed out
      94 hotmail.co[207.46.31.61]:25: Connection timed out
      87 jmail.com[209.222.14.3]:25: Connection timed out
      80 e-mail.com[204.146.168.195]:25: Connection timed out
      78 gmain.com[91.237.88.233]:25: Connection timed out
      70 Temporary local problem - please try later (in reply to RC...
      69 hotmail.co[65.55.39.12]:25: Connection timed out
      69 mail.gmail.org[38.110.30.21]:25: Connection timed out
      63 2880:2110:df07:face:b00c:0:1]:25: Connection timed out
      60 comast.net[202.31.187.154]:25: Connection refused
      60 poop.com[69.43.160.219]:25: Connection refused
      57 example.com[93.184.216.119]:25: Connection timed out
      56 XXX.XXX.XXX.XXX are being rejected due to low SenderBase Reputa...
      48 5.7.1 Server busy. Please try again later
      47 2800:220:6d:26bf:1447:1097:aa7]:25: Connection timed out
      45 homail.com[64.4.6.100]:25: Connection timed out
      45 hotmal.com[64.4.6.100]:25: Connection timed out
      43 gmile.com[175.118.124.200]:25: Connection refused
      42 cmail.com[176.74.176.178]:25: Connection refused
      41 rocker.com[176.74.176.178]:25: Connection refused
      [several thousand more of these]


      More disconcerting bounce information (again, I've replaced this
      server's IP address with XXX.XXX.XXX.XXX):


      message bounce detail (by relay)
      --------------------------------
      0.0.0.0[0.0.0.0]:25 (total: 1)
      1 mail for sad.com loops back to myself
      126mx01.mxmail.netease.com[220.181.14.131]:25 (total: 1)
      1 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
      126mx01.mxmail.netease.com[220.181.14.132]:25 (total: 2)
      1 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
      1 User not found: wweq8123@... (in reply to RCPT TO command)
      126mx02.mxmail.netease.com[220.181.14.134]:25 (total: 2)
      1 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
      1 User not found: zheee@... (in reply to RCPT TO command)
      163mx01.mxmail.netease.com[220.181.14.135]:25 (total: 2)
      2 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
      163mx01.mxmail.netease.com[220.181.14.136]:25 (total: 1)
      1 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
      163mx01.mxmail.netease.com[220.181.14.138]:25 (total: 3)
      3 //mail.163.com/help/help_spam_16.htm?ip=XXX.XXX.XXX.XXX&hostid=m...
      [again, goes on for thousands more entries]


      Here's the output of "postconf -n" (IP address replaced with
      XXX.XXX.XXX.XXX for privacy reasons):

      # postconf -n
      alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
      alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
      append_dot_mydomain = no
      biff = no
      body_checks = regexp:/etc/postfix/body_checks
      broken_sasl_auth_clients = yes
      config_directory = /etc/postfix
      content_filter = amavis:[127.0.0.1]:10024
      dovecot_destination_recipient_limit = 1
      header_checks = regexp:/etc/postfix/header_checks
      html_directory = /usr/share/doc/postfix/html
      inet_interfaces = all
      inet_protocols = all
      mailbox_size_limit = 0
      maildrop_destination_concurrency_limit = 1
      maildrop_destination_recipient_limit = 1
      message_size_limit = 0
      mime_header_checks = regexp:/etc/postfix/mime_header_checks
      mydestination = localhost, localhost.localdomain
      myhostname = our.domain.com
      mynetworks = 127.0.0.0/8 [::1]/128 XXX.XXX.XXX.XXX/32
      myorigin = /etc/mailname
      nested_header_checks = regexp:/etc/postfix/nested_header_checks
      owner_request_special = no
      policy-spf_time_limit = 3600s
      proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
          $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
          $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
          $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
          $virtual_mailbox_limit_maps
      readme_directory = /usr/share/doc/postfix
      receive_override_options = no_address_mappings
      recipient_delimiter = +
      relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
      relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
      relayhost =
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
      smtpd_client_message_rate_limit = 100
      smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
          check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
          reject_unknown_client_hostname
      smtpd_data_restrictions = reject_unauth_pipelining
      smtpd_delay_reject = yes
      smtpd_helo_required = yes
      smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
          reject_unauth_destination,
          check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
          reject_sender_login_mismatch, reject_invalid_helo_hostname,
          reject_non_fqdn_helo_hostname, reject_non_fqdn_sender,
          reject_non_fqdn_recipient, reject_unknown_sender_domain,
          reject_unknown_recipient_domain,
          check_policy_service unix:private/policy-spf
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_authenticated_header = yes
      smtpd_sasl_path = private/auth
      smtpd_sasl_type = dovecot
      smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
      smtpd_tls_cert_file = /root/ssl/our.domain.com.crt
      smtpd_tls_key_file = /root/ssl/our.domain.com.key
      smtpd_tls_security_level = may
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_use_tls = yes
      strict_rfc821_envelopes = yes
      transport_maps = hash:/var/lib/mailman/data/transport-mailman,
          proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
      virtual_alias_domains =
      virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
          proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf,
          hash:/var/lib/mailman/data/virtual-mailman
      virtual_gid_maps = static:5000
      virtual_mailbox_base = /var/vmail
      virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
      virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
      virtual_transport = dovecot
      virtual_uid_maps = static:5000


      Thanks for any advice here!

      -Ben
    • Leonardo Rodrigues (Message 2 of 6, Jul 7, 2014)
        On 07/07/14 13:24, Ben Johnson wrote:
        > Hello!
        >
        > I've noticed increased Postfix activity as of late and am concerned that
        > something is configured inadequately (i.e., open-relay). For "postconf
        > -n" output, please skip to the end of this message.
        >

        It's much more likely that you had some account hijacked and bots are
        using it to send the messages. Check the queue IDs of some messages,
        looking for the sasl_username used for sending them. If you find lots of
        suspect messages sent by the same user, then you have found your problem!

        --


        Sincerely,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        My SPAM trap, do NOT email it:
        gertrudes@...
      • Noel Jones (Message 3 of 6, Jul 7, 2014)
          On 7/7/2014 11:56 AM, Leonardo Rodrigues wrote:
          > On 07/07/14 13:24, Ben Johnson wrote:
          >> Hello!
          >>
          >> I've noticed increased Postfix activity as of late and am
          >> concerned that
          >> something is configured inadequately (i.e., open-relay). For
          >> "postconf
          >> -n" output, please skip to the end of this message.
          >>
          >
          > It's much easier that you had some account hijacked and bots are
          > using it to send the messages. Check the queueids of some messages
          > looking for the sasl_username used for sending it. If you find lots
          > of suspect messages sent by the same user, then you find your problem !
          >


          And it's not unusual to find spammers abusing some web form to send
          spam. Check your web server logs for evidence.



          -- Noel Jones
        • Ben Johnson (Message 4 of 6, Jul 7, 2014)
            On 7/7/2014 1:45 PM, Noel Jones wrote:
            > On 7/7/2014 11:56 AM, Leonardo Rodrigues wrote:
            >> On 07/07/14 13:24, Ben Johnson wrote:
            >>> Hello!
            >>>
            >>> I've noticed increased Postfix activity as of late and am
            >>> concerned that
            >>> something is configured inadequately (i.e., open-relay). For
            >>> "postconf
            >>> -n" output, please skip to the end of this message.
            >>>
            >>
            >> It's much easier that you had some account hijacked and bots are
            >> using it to send the messages. Check the queueids of some messages
            >> looking for the sasl_username used for sending it. If you find lots
            >> of suspect messages sent by the same user, then you find your problem !
            >>
            >
            >
            > And it's not unusual to find spammers abusing some web form to send
            > spam. Check your web server logs for evidence.
            >
            >
            >
            > -- Noel Jones
            >
            >

            Thanks, Leonardo and Noel! I really appreciate the prompt replies.

            Leonardo, I see no indication that whoever is sending this mail has
            authenticated. And given that local connections are permitted to send
            mail without authenticating on this server, I will pursue Noel's
            suggested course of action next.

            I'll let you know if I can't find the source...

            Thanks again,

            -Ben
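One way to run the two checks suggested in this thread, Leonardo's (group queue IDs by sasl_username) and Noel's (look at the web server log), against a Postfix log where local, unauthenticated submissions show up as pickup lines rather than smtpd lines. This is an added example, not code from the thread or from Postfix; the log lines are constructed, the syslog year 2014 is taken from the thread's date, uid 33 as the web server's uid (www-data on Debian/Ubuntu) is an assumption, and the script path and client address in the web log are made up.

```python
# Added example (not from the thread): attribute Postfix queue ids to a SASL
# user or a local uid, then look for web POSTs just before each local pickup.
# Log lines are constructed; uid 33 (www-data on Debian/Ubuntu) is an assumption.
import re
from collections import Counter
from datetime import datetime

MAIL_LOG = """\
Jul  7 13:01:02 mx postfix/smtpd[1201]: C0FFEE0001: client=host.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.org
Jul  7 13:02:10 mx postfix/pickup[1300]: C0FFEE0002: uid=33 from=<mavis_leblanc@example.com>
Jul  7 13:02:10 mx postfix/qmgr[900]: C0FFEE0002: from=<mavis_leblanc@example.com>, size=2101, nrcpt=20 (queue active)
Jul  7 13:02:14 mx postfix/pickup[1300]: C0FFEE0003: uid=33 from=<patrice_scott@example.com>
Jul  7 13:02:19 mx postfix/pickup[1300]: C0FFEE0004: uid=33 from=<kathrine_gentry@example.com>
"""
# Constructed Apache combined-format lines; the script path and client are made up.
WEB_LOG = """\
203.0.113.77 - - [07/Jul/2014:13:02:09 -0400] "POST /uploads/form.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.77 - - [07/Jul/2014:13:02:13 -0400] "POST /uploads/form.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jul/2014:13:02:15 -0400] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.77 - - [07/Jul/2014:13:02:18 -0400] "POST /uploads/form.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

SYSLOG = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
SASL_USER = re.compile(r"sasl_username=(\S+)")
PICKUP_UID = re.compile(r"uid=(\d+) from=<")
APACHE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')
LOG_YEAR = 2014  # syslog lines carry no year; taken from the thread's date


def attribute_submissions(mail_log):
    """Map queue id -> 'sasl:<user>', 'smtpd:unauthenticated' or 'local:uid=<n>';
    also return (time, queue id) for every local pickup (qmgr lines are skipped)."""
    origins, pickups = {}, []
    for line in mail_log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        mon, day, hms, daemon, qid, rest = m.groups()
        if daemon == "smtpd":  # network submission: SASL user is logged on the client= line
            u = SASL_USER.search(rest)
            origins[qid] = f"sasl:{u.group(1)}" if u else "smtpd:unauthenticated"
        elif daemon == "pickup":  # local sendmail(1) submission, which never uses SASL
            origins[qid] = f"local:uid={PICKUP_UID.search(rest).group(1)}"
            when = datetime.strptime(f"{mon} {day} {hms} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
            pickups.append((when, qid))
    return origins, pickups


def count_origins(mail_log):
    """Messages per origin; one user or uid dominating the count is the tell."""
    return Counter(attribute_submissions(mail_log)[0].values())


def web_posts_before_pickups(mail_log, web_log, window_s=3):
    """Count (path, client) of POST requests that landed within window_s seconds
    before a local pickup. Assumes both logs share one local time zone, so the
    Apache UTC offset is ignored."""
    posts = []
    for line in web_log.splitlines():
        m = APACHE.match(line)
        if m and m.group(3) == "POST":
            posts.append((datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1), m.group(4)))
    hits = Counter()
    for when, _qid in attribute_submissions(mail_log)[1]:
        for t, client, path in posts:
            if 0 <= (when - t).total_seconds() <= window_s:
                hits[(path, client)] += 1
    return hits
```

On a real system, feed /var/log/mail.log and the web server's access log to the two functions and read `count_origins(...).most_common()` first; a single local uid with thousands of pickups, paired with one POST target recurring in `web_posts_before_pickups`, points at the script to inspect.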
          • Ben Johnson (Message 5 of 6, Jul 7, 2014)
              On 7/7/2014 2:47 PM, Ben Johnson wrote:
              > Thanks, Leonardo and Noel! I really appreciate the prompt replies.
              >
              > Leonardo, I see no indication that whomever is sending this mail has
              > authenticated. And given that local connections are permitted to send
              > mail without authenticating on this server, I will pursue Noel's
              > suggested course of action next.
              >
              > I'll let you know if I can't find the source...
              >
              > Thanks again,
              >
              > -Ben

              You were right!

              It was a compromised Joomla site. I was able to spot it almost
              immediately due to excessive CPU usage.

              What's disconcerting is that the Joomla site is completely up-to-date,
              including all extensions, so the vulnerability is either zero-day or
              with another stack component. But that's neither here nor there.

              Thanks again, both of you!

              -Ben
            • lists@rhsoft.net (Message 6 of 6, Jul 7, 2014)
                On 07.07.2014 22:44, Ben Johnson wrote:
                > On 7/7/2014 2:47 PM, Ben Johnson wrote:
                >> Thanks, Leonardo and Noel! I really appreciate the prompt replies.
                >>
                >> Leonardo, I see no indication that whomever is sending this mail has
                >> authenticated. And given that local connections are permitted to send
                >> mail without authenticating on this server, I will pursue Noel's
                >> suggested course of action next.
                >>
                >> I'll let you know if I can't find the source...
                >>
                >> Thanks again,
                >>
                >> -Ben
                >
                > You were right!
                >
                > It was a compromised Joomla site. I was able to spot it almost
                > immediately due to excessive CPU usage.
                >
                > What's disconcerting is that the Joomla site is completely up-to-date,
                > including all extensions, so the vulnerability is either zero-day or
                > with another stack component. But that's here nor there

                more likely it is using one of the tons of crap plugins written by a monkey.
                i faced Joomla plugins with code nobody right in his brain ever writes, like
                "file_put_contents($random_request_var, $random_request_var);" in some gallery
                plugin years ago

                most plugins are written by clueless people for their own needs who
                think they do somebody a favor by making them public and no longer care
                for updates, as they never cared for security due to missing knowledge

                rule 1: don't install Joomla if you care for security at all
                rule 2: if you think you need it anyway, don't install random plugins

                the most important rule: *never ever* allow end users to install any plugin