Unauthorised email sending

DColes123
Normal user
Posts: 35
Joined: 2014-07-01 16:48

Unauthorised email sending

Post by DColes123 » 2014-07-21 11:35

Hi Guys,

Me again!

I opened up my mail program this morning to hundreds of non-delivery emails from hMailServer for emails that I have not sent. Now I was sure that I set up my IP ranges correctly, but maybe not.

I looked in the logs and I can see this:

"APPLICATION" 14044 "2014-07-21 00:00:24.868" "SMTPDeliverer - Message 9236215: Delivering message from myemail@mydomain.co.uk to patrat@onthenet.com.au. File: C:\Program Files (x86)\hMailServer\Data\{54450D2F-66DC-4BD9-98FD-742AD212A874}.eml"

However, myemail@mydomain.co.uk refers to my own email address and I never sent this.

My settings for the IP ranges are as follows:

local server (local IP range)
Allow Deliveries From
Local to local e-mail addresses (ticked)
Local to external e-mail addresses (ticked)
External to local e-mail addresses (ticked)
External to external e-mail-addresses (ticked)
Require SMTP authentication
Local to local e-mail addresses (un-ticked)
Local to external e-mail addresses (ticked)
External to local e-mail addresses (ticked)
External to external e-mail-addresses (ticked)

internet (0.0.0.0 to 255.255.255.255)
Allow Deliveries From
Local to local e-mail addresses (ticked)
Local to external e-mail addresses (ticked)
External to local e-mail addresses (ticked)
External to external e-mail-addresses (un-ticked)
Require SMTP authentication
Local to local e-mail addresses (un-ticked)
Local to external e-mail addresses (ticked)
External to local e-mail addresses (un-ticked)
External to external e-mail-addresses (ticked (disabled))

To my knowledge the above will only let people send email from the server if they provide SMTP authentication, but that doesn't appear to be the case?

Any help would be greatly appreciated.

Thanks

mattg
Moderator
Posts: 19810
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Unauthorised email sending

Post by mattg » 2014-07-21 12:19

Perhaps your password has been hacked.

Did that user authenticate?

Also, what is the priority for each IP range?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

martin
Developer
Posts: 6777
Joined: 2003-11-21 01:09
Location: Sweden

Re: Unauthorised email sending

Post by martin » 2014-07-21 12:21

Are you sure that someone has not actually figured out your password, then?

Do you have SMTP logging enabled? Is it possible to find the relevant section?

DColes123
Normal user
Posts: 35
Joined: 2014-07-01 16:48

Re: Unauthorised email sending

Post by DColes123 » 2014-07-21 15:23

I did think that somebody might have found my password, although I'm not sure how they would have done this. I have changed the password this morning to make sure.

The priority for the server is 15 and the internet is 10.

I'm not sure how to tell if that user authenticated?

I have logging enabled for SMTP yes.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Unauthorised email sending

Post by percepts » 2014-07-21 15:34

Put a section of your log with auth lines into the following. It will decode the user. (The password is not in your logs, coded or otherwise.)

http://log.damnation.org.uk/ (Dooms log analyser: Site admin here.)

DColes123
Normal user
Posts: 35
Joined: 2014-07-01 16:48

Re: Unauthorised email sending

Post by DColes123 » 2014-07-21 16:21

OK, here is an example of one of the sessions where it looks like I've (myemail@mydomain.co.uk) sent an email to some random yahoo.com address:

"SMTPC" 14136 25098 "2014-07-20 00:00:23.413" "98.138.112.34" "RECEIVED: 220 mta1290.mail.ne1.yahoo.com ESMTP ready"
"SMTPC" 14136 25098 "2014-07-20 00:00:23.413" "98.138.112.34" "SENT: HELO mail.myserver.co.uk"
"SMTPC" 15860 25098 "2014-07-20 00:00:23.569" "98.138.112.34" "RECEIVED: 250 mta1290.mail.ne1.yahoo.com"
"SMTPC" 15860 25098 "2014-07-20 00:00:23.584" "98.138.112.34" "SENT: MAIL FROM:<myemail@mydomain.co.uk>"
"SMTPC" 8932 25098 "2014-07-20 00:00:23.741" "98.138.112.34" "RECEIVED: 250 sender <myemail@mydomain.co.uk> ok"
"SMTPC" 8932 25098 "2014-07-20 00:00:23.756" "98.138.112.34" "SENT: RCPT TO:<zendemahesh@ymail.com>"
"SMTPC" 14236 25098 "2014-07-20 00:00:23.928" "98.138.112.34" "RECEIVED: 250 recipient <zendemahesh@ymail.com> ok"
"SMTPC" 14236 25098 "2014-07-20 00:00:23.928" "98.138.112.34" "SENT: DATA"
"SMTPC" 16140 25098 "2014-07-20 00:00:24.084" "98.138.112.34" "RECEIVED: 354 go ahead"
"SMTPC" 16140 25098 "2014-07-20 00:00:24.131" "98.138.112.34" "SENT: [nl]."
"SMTPC" 9160 25098 "2014-07-20 00:00:25.600" "98.138.112.34" "RECEIVED: 250 ok dirdel"
"SMTPC" 9160 25098 "2014-07-20 00:00:25.616" "98.138.112.34" "SENT: QUIT"
"SMTPC" 1688 25098 "2014-07-20 00:00:25.772" "98.138.112.34" "RECEIVED: 221 mta1290.mail.ne1.yahoo.com"

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Unauthorised email sending

Post by percepts » 2014-07-21 16:45

There are no AUTH lines in there. AUTH should be SMTPD lines if someone is sending from you.

Check that you have set authentication required in all your IP-Ranges for everything except external to local.

Auth looks like...
"SMTPD" 8432 2025 "2014-07-21 12:36:43.222" "129.58.207.78" "RECEIVED: AUTH LOGIN"
"SMTPD" 8432 2025 "2014-07-21 12:36:43.238" "129.58.207.78" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3620 2025 "2014-07-21 12:36:43.238" "129.58.207.78" "RECEIVED: ai874nf6nr8smabefg783ndge789=="
"SMTPD" 3620 2025 "2014-07-21 12:36:43.238" "129.58.207.78" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 8432 2025 "2014-07-21 12:36:43.238" "129.58.207.78" "RECEIVED: ***"
"SMTPD" 8432 2025 "2014-07-21 12:36:43.238" "129.58.207.78" "SENT: 235 authenticated."
Put a section like that into the log analyser.

DColes123
Normal user
Posts: 35
Joined: 2014-07-01 16:48

Re: Unauthorised email sending

Post by DColes123 » 2014-08-04 07:36

Just an update on this, sorry I haven't done it for a while, but it kind of went away; over the past couple of days, however, it has become a real problem.

I look at the delivery queue in hMailServer and there are thousands of emails being sent. The address they are being delivered from is a valid domain in hMailServer but not always a valid address, for example invalid_email@valid_domain.com.

I have authentication required for all of my IP ranges except External to Local.

Our IP address is being flagged now as we have had a number of complaints against us as a spammer, but I don't know how they are managing to send from us!

After looking at the logs and using the tool you gave me, I found the following:

"SMTPD" 6656 24578 "2014-08-04 04:52:36.834" "41.71.204.176" "RECEIVED: AUTH LOGIN"
"SMTPD" 6656 24578 "2014-08-04 04:52:36.834" "41.71.204.176" "SENT: 334 VXN****U6"
"SMTPD" 7848 24578 "2014-08-04 04:52:37.006" "41.71.204.176" "RECEIVED: amRyYXl****lvbmhvYmJpZXMuY29t" [ valid_email@valid_domain.com ]
"SMTPD" 7848 24578 "2014-08-04 04:52:37.022" "41.71.204.176" "SENT: 334 UGF***Q6"
"SMTPD" 7728 24578 "2014-08-04 04:52:37.178" "41.71.204.176" "RECEIVED: ***"
"SMTPD" 7728 24578 "2014-08-04 04:52:37.178" "41.71.204.176" "SENT: 235 authenticated."
"SMTPD" 10524 24578 "2014-08-04 04:52:37.334" "41.71.204.176" "RECEIVED: RSET"
"SMTPD" 10524 24578 "2014-08-04 04:52:37.334" "41.71.204.176" "SENT: 250 OK"
"SMTPD" 7848 24578 "2014-08-04 04:52:37.522" "41.71.204.176" "RECEIVED: MAIL FROM:<invalid_email@invaliddomain.com>"
"SMTPD" 7848 24578 "2014-08-04 04:52:37.522" "41.71.204.176" "SENT: 250 OK"
"SMTPD" 8216 24578 "2014-08-04 04:52:37.709" "41.71.204.176" "RECEIVED: RCPT TO:<mrscarmanlapointnationoffice@gmail.com>"
"SMTPD" 8216 24578 "2014-08-04 04:52:37.725" "41.71.204.176" "SENT: 250 OK"
"SMTPD" 8348 24578 "2014-08-04 04:52:37.881" "41.71.204.176" "RECEIVED: RCPT TO:<ozoemena.brown@yahoo.com>"
"SMTPD" 8348 24578 "2014-08-04 04:52:37.897" "41.71.204.176" "SENT: 250 OK"
"SMTPD" 18040 24578 "2014-08-04 04:52:38.053" "41.71.204.176" "RECEIVED: RCPT TO:<revrobert.mba@aol.com>"
"SMTPD" 18040 24578 "2014-08-04 04:52:38.068" "41.71.204.176" "SENT: 250 OK"
"SMTPD" 13876 24578 "2014-08-04 04:52:38.272" "41.71.204.176" "RECEIVED: RCPT TO:<williamrooduch@live.com>"
"SMTPD" 13876 24578 "2014-08-04 04:52:38.287" "41.71.204.176" "SENT: 250 OK"
"SMTPD" 7120 24578 "2014-08-04 04:52:38.459" "41.71.204.176" "RECEIVED: DATA"
"SMTPD" 7120 24578 "2014-08-04 04:52:38.459" "41.71.204.176" "SENT: 354 OK, send."

So as you can see it looks like they have successfully logged in using a valid email address and password, then they are sending from that domain with an email address that is not set up.

I have reset the password on this account and will notify the user of what has happened, but my question now is how this has happened in the first place and how I can prevent it?

Cheers

LesD
Senior user
Posts: 343
Joined: 2009-01-15 20:22
Location: London, UK.

Re: Unauthorised email sending

Post by LesD » 2014-08-04 10:34

Set a strong password and make sure others don't find it out! :)

There could be 101 ways how the password got compromised.

Happened to one of my clients and there it was probably due to a lost tablet.

DColes123
Normal user
Posts: 35
Joined: 2014-07-01 16:48

Re: Unauthorised email sending

Post by DColes123 » 2014-08-04 10:38

Thanks LesD, I knew this would be the response; I was just asking in case there may be something I had missed.

Cheers

LesD
Senior user
Posts: 343
Joined: 2009-01-15 20:22
Location: London, UK.

Re: Unauthorised email sending

Post by LesD » 2014-08-04 10:47

There have been several threads here about this problem and I think there have been suggestions on how to possibly mitigate such occurrences if they do happen.

Some ideas suggested by a colleague of mine (maybe also mentioned here) are to have a script run to look at the count of files in the root of the Data directory and report if they start creeping up. Another idea was to check the size of the hMS log file.

mattg
Moderator
Posts: 19810
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Unauthorised email sending

Post by mattg » 2014-08-04 10:50

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

DColes123
Normal user
Posts: 35
Joined: 2014-07-01 16:48

Re: Unauthorised email sending

Post by DColes123 » 2014-08-04 11:31

Hi mattg,

Thanks for your suggestion; however, I can't use those scripts, as there are a lot of web forms set up to send through the server that get sent to the individual website administrators from the email address entered on the form. Using these scripts will break those forms, as it is trying to deliver from an email not listed in hMailServer.

Would there be a way to use these scripts to only affect external sources and not items sent from the local network?

Cheers

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Unauthorised email sending

Post by percepts » 2014-08-04 16:19

Have you scanned your server and email client PCs to make sure they have not been infected with a mail-sending virus?

An infected PC can bypass all security.

Running the SMTPD lines with auth info through Doom's log scanner will tell you which account is sending out mail. Virus scan their PC (and all others).

http://log.damnation.org.uk/

AND

Do your web forms send to a user-entered address on the form? Do the forms require a login before sending mail?
Is access to the forms limited to in-house IPs?

DColes123
Normal user
Posts: 35
Joined: 2014-07-01 16:48

Re: Unauthorised email sending

Post by DColes123 » 2014-08-04 16:38

Yes, I have scanned the servers and nothing was picked up. It does look like every time a spam message was sent they did authenticate, suggesting it was the password that was compromised.

I did run it through Doom's log analyser and found out which account it was. I have informed the account user that I have reset his password and to use a more secure password next time.

The web forms are generated by a CMS. These forms will send to whatever email address the form has been set to and will also send an email to the email address entered on the form. To fill out a form you don't need to log in; they are just like contact forms on websites, but the emails are validated before sending and they can't use the forms to send unsolicited email to third parties.

Cheers

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Unauthorised email sending

Post by percepts » 2014-08-04 17:04

What do you mean by unsolicited? If anyone can use the form and enter any email address then robots can use it to send spam. This is a common occurrence when form security is poor. Add a captcha to the form.

DColes123
Normal user
Posts: 35
Joined: 2014-07-01 16:48

Re: Unauthorised email sending

Post by DColes123 » 2014-08-04 17:30

What I mean is that the security on the form is adequate enough that people can't abuse it by sending mass emails; the issue I have here is not from any web forms.

I am not in control of all the web forms, so I can't just add captcha to them all. Some of the forms use captcha and some don't, but there are other security measures in place.

Cheers

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Unauthorised email sending

Post by percepts » 2014-08-04 17:55

Let us know if changing the password stopped the spam being sent.

^DooM^
Site Admin
Posts: 13862
Joined: 2005-07-29 16:18
Location: UK

Re: Unauthorised email sending

Post by ^DooM^ » 2014-08-05 01:18

What you are seeing is part of the SMTP protocol.

Once logged in, hMail considers you trusted. A good script for you would be this one that limits the amount of email an account can send in a given time span (by Andy and Percepts). But perhaps the best way to mitigate these occurrences is by keeping a close eye on your logs.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
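As an added example (not code from this thread, from hMailServer, or from Doom's log analyser), the following Python script does what percepts and ^DooM^ describe: it parses SMTPD lines in the format quoted above, decodes the base64 username from the AUTH LOGIN exchange, and flags authenticated sessions that send as an address other than the login account or to more recipients than a threshold. The log lines, addresses, client IP and threshold are constructed for the example.

```python
import base64
import re

# Constructed sample in the hMailServer SMTPD log format from the thread. After the
# "334 VXNlcm5hbWU6" ("Username:") challenge the client sends its base64 username;
# the password reply is written to the log as "***", so only the account is recoverable.
SAMPLE_LOG = """\
"SMTPD" 6656 24578 "2014-08-04 04:52:36.834" "203.0.113.5" "RECEIVED: AUTH LOGIN"
"SMTPD" 6656 24578 "2014-08-04 04:52:36.834" "203.0.113.5" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 7848 24578 "2014-08-04 04:52:37.006" "203.0.113.5" "RECEIVED: YWxpY2VAZXhhbXBsZS5jb20="
"SMTPD" 7848 24578 "2014-08-04 04:52:37.022" "203.0.113.5" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 7728 24578 "2014-08-04 04:52:37.178" "203.0.113.5" "RECEIVED: ***"
"SMTPD" 7728 24578 "2014-08-04 04:52:37.178" "203.0.113.5" "SENT: 235 authenticated."
"SMTPD" 7848 24578 "2014-08-04 04:52:37.522" "203.0.113.5" "RECEIVED: MAIL FROM:<bogus@example.com>"
"SMTPD" 8216 24578 "2014-08-04 04:52:37.709" "203.0.113.5" "RECEIVED: RCPT TO:<one@example.net>"
"SMTPD" 8348 24578 "2014-08-04 04:52:37.881" "203.0.113.5" "RECEIVED: RCPT TO:<two@example.net>"
"SMTPD" 1804 24578 "2014-08-04 04:52:38.053" "203.0.113.5" "RECEIVED: RCPT TO:<three@example.net>"
"""
LINE_RE = re.compile(r'^"SMTPD" \d+ (\d+) "[^"]+" "([^"]+)" "(RECEIVED|SENT): (.*)"$')

def parse_sessions(log_text):
    """Group lines by session id: client IP, decoded login, 235 seen, sender, recipients."""
    sessions, awaiting_user = {}, set()
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        sid, ip, direction, msg = m.groups()
        s = sessions.setdefault(sid, {"ip": ip, "user": None, "authenticated": False,
                                      "mail_from": None, "rcpt": []})
        if direction == "SENT" and msg.startswith("334 VXNlcm5hbWU6"):
            awaiting_user.add(sid)  # the next RECEIVED line is the base64 username
        elif direction == "SENT" and msg.startswith("235"):
            s["authenticated"] = True
        elif direction == "RECEIVED" and sid in awaiting_user:
            awaiting_user.discard(sid)
            try:
                s["user"] = base64.b64decode(msg, validate=True).decode("utf-8", "replace").lower()
            except ValueError:
                s["user"] = None  # not valid base64; leave the account unknown
        elif direction == "RECEIVED" and msg.upper().startswith("MAIL FROM:"):
            s["mail_from"] = msg.split(":", 1)[1].strip().strip("<>").lower()
        elif direction == "RECEIVED" and msg.upper().startswith("RCPT TO:"):
            s["rcpt"].append(msg.split(":", 1)[1].strip().strip("<>").lower())
    return sessions

def suspicious_sessions(sessions, max_rcpt=2):
    """Logged-in sessions that send as an address other than the login account or
    address more than max_rcpt recipients (the threshold is illustrative)."""
    return {sid: s for sid, s in sessions.items() if s["authenticated"] and
            (s["mail_from"] not in (None, s["user"]) or len(s["rcpt"]) > max_rcpt)}
```

Running `suspicious_sessions(parse_sessions(SAMPLE_LOG))` flags session 24578 because the decoded login (alice@example.com) differs from the envelope sender; a session that never reaches "235 authenticated." is never flagged, so failed password guesses do not show up as sending.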

norponto
Normal user
Posts: 47
Joined: 2014-07-11 19:54
Location: Porto, Portugal

Re: Unauthorised email sending

Post by norponto » 2014-08-05 11:39

A few days ago I had a similar problem.
Modifying the internet IP range to:

internet (0.0.0.0 to 255.255.255.255)
Allow Deliveries From
Local to local e-mail addresses (ticked)
Local to external e-mail addresses (ticked)
External to local e-mail addresses (ticked)
External to external e-mail-addresses (un-ticked)
Require SMTP authentication
Local to local e-mail addresses (ticked)
Local to external e-mail addresses (ticked)
External to local e-mail addresses (un-ticked)
External to external e-mail-addresses (ticked (disabled))

I solved part of the problem.