My hMailserver being used for spam delivery

heinduplessis
Normal user
Posts: 60
Joined: 2005-10-16 06:34

My hMailserver being used for spam delivery

Post by heinduplessis » 2014-05-09 08:54

Once every couple of months our server is being used to deliver tens of thousands of spam emails to Yahoo, Hotmail etc.

I've added protection using hMailServer's settings, but the settings seem to be ignored.

1) I require a login in order to send via SMTP, yet they seem to use my SMTP server without having to log in:


"SMTPC"	3752	126032	"2014-05-08 11:25:29.687"	"65.55.92.184"	"RECEIVED: 220 SNT0-MC4-F34.Snt0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx. Thu, 8 May 2014 02:26:28 -0700 "
"SMTPC"	3752	126032	"2014-05-08 11:25:29.687"	"65.55.92.184"	"SENT: HELO mail.cde.co.za"
"SMTPC"	5136	126032	"2014-05-08 11:25:29.968"	"65.55.92.184"	"RECEIVED: 250 SNT0-MC4-F34.Snt0.hotmail.com (3.19.0.77) Hello [41.203.29.196]"
"SMTPC"	5136	126032	"2014-05-08 11:25:29.968"	"65.55.92.184"	"SENT: MAIL FROM:<rory@kellydrillingservices.com>"
"SMTPC"	5136	126032	"2014-05-08 11:25:30.234"	"65.55.92.184"	"RECEIVED: 250 rory@kellydrillingservices.com....Sender OK"
"SMTPC"	5136	126032	"2014-05-08 11:25:30.234"	"65.55.92.184"	"SENT: RCPT TO:<francesca01@msn.com>"
"SMTPC"	5136	126032	"2014-05-08 11:25:30.546"	"65.55.92.184"	"RECEIVED: 250 francesca01@msn.com "
"SMTPC"	5136	126032	"2014-05-08 11:25:30.546"	"65.55.92.184"	"SENT: DATA"
"SMTPC"	7652	126032	"2014-05-08 11:25:30.828"	"65.55.92.184"	"RECEIVED: 354 Start mail input; end with <CRLF>.<CRLF>"

2) Also, I've added rules to delete all email with the "From" field containing "rory@kellydrillingservices.com" OR the "To" field containing "rory@kellydrillingservices.com", but they're not being executed; the mail keeps flooding through.

3) I don't allow blank senders, yet I have thousands in the delivery queue.

If someone can assist me with where to look or what to do, I'd appreciate it.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: My hMailserver being used for spam delivery

Post by Bill48105 » 2014-05-09 09:18

Start here:
http://www.hmailserver.com/documentatio ... d_for_spam

The log snippet you show is for SMTPC, which is hMail trying to send, and that is worthless for figuring out how the mail got in. For that, look earlier in the logs for SMTPD. The above link will walk you through tracing & hopefully help you figure it out. But there are only a few possibilities. The most common is a guessed password for a user's box; then the spammer just uses that box. There are scripts posted that help stop that by restricting FROM. It's possible to be an open relay if IP ranges are not set right. It's normally safe to hit the Defaults button to reset them if you don't have a special need. Otherwise your server, web form or user is infected. Again, follow the above link & find the SMTPD lines for one of the messages to narrow it down.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

heinduplessis
Normal user
Posts: 60
Joined: 2005-10-16 06:34

Re: My hMailserver being used for spam delivery

Post by heinduplessis » 2014-05-09 09:35

Thank you, sorry I did not see the guide. I'll post results here.

heinduplessis
Normal user
Posts: 60
Joined: 2005-10-16 06:34

Re: My hMailserver being used for spam delivery

Post by heinduplessis » 2014-05-09 09:57

Unfortunately the guide does not show how to find the relative SMTPD messages, so that I can see which username and password has been used to send the above email.

Is there a way to do this?

mattg
Moderator
Posts: 20837
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: My hMailserver being used for spam delivery

Post by mattg » 2014-05-09 10:59

This is the best way >> put your logs into this
http://log.damnation.org.uk/
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: My hMailserver being used for spam delivery

Post by Bill48105 » 2014-05-09 17:04

heinduplessis wrote: Unfortunately the guide does not show how to find the relative SMTPD messages, so that I can see which username and password has been used to send the above email.

Is there a way to do this?

Say what? You search for VXNlcm5hbWU6 in your logs. As mattg pointed out, you then paste the lines that follow into doom's log analyzer, although you can base64 decode the strings with your own tool.
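The search Bill describes, as an added example (not code from the thread or from hMailServer): a Python script that groups constructed SMTPD log lines by the session id column (the third field, which stays constant across one session in the SMTPC snippet above), decodes the username the client sends after the server's "334 VXNlcm5hbWU6" prompt, and lists each session's MAIL FROM and RCPT TO so an authenticated account can be tied to the envelope sender it used. It assumes the tab-separated layout shown above (type, thread id, session id, timestamp, IP, text); account names and IPs in the sample are invented, and the password line is left undecoded.

```python
import base64
import csv
from collections import defaultdict

# Constructed hMailServer-style SMTPD log (tab separated: type, thread id,
# session id, timestamp, remote IP, text). Accounts and IPs are invented.
SAMPLE_LOG = """\
"SMTPD"\t3752\t126001\t"2014-05-08 11:20:01.010"\t"198.51.100.7"\t"SENT: 334 VXNlcm5hbWU6"
"SMTPD"\t3752\t126001\t"2014-05-08 11:20:01.020"\t"198.51.100.7"\t"RECEIVED: cGlldEBleGFtcGxlLmNvLnph"
"SMTPD"\t3752\t126001\t"2014-05-08 11:20:01.030"\t"198.51.100.7"\t"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"\t3752\t126001\t"2014-05-08 11:20:01.040"\t"198.51.100.7"\t"RECEIVED: ***"
"SMTPD"\t3752\t126001\t"2014-05-08 11:20:01.050"\t"198.51.100.7"\t"RECEIVED: MAIL FROM:<rory@example.com>"
"SMTPD"\t3752\t126001\t"2014-05-08 11:20:01.060"\t"198.51.100.7"\t"RECEIVED: RCPT TO:<one@msn.example>"
"SMTPD"\t5136\t126002\t"2014-05-08 11:21:00.000"\t"203.0.113.9"\t"RECEIVED: MAIL FROM:<>"
"SMTPD"\t5136\t126002\t"2014-05-08 11:21:00.010"\t"203.0.113.9"\t"RECEIVED: RCPT TO:<piet@example.co.za>"
"""

def parse_sessions(log_text):
    """Group SMTPD lines by the session id column, keeping (remote ip, text)."""
    sessions = defaultdict(list)
    for row in csv.reader(log_text.splitlines(), delimiter="\t"):
        if len(row) == 6 and row[0] == "SMTPD":
            sessions[row[2]].append((row[4], row[5]))
    return sessions

def summarize(log_text):
    """Per session: decoded AUTH LOGIN user, envelope sender and recipients."""
    report = {}
    for sid, lines in parse_sessions(log_text).items():
        entry = {"ip": lines[0][0], "auth_user": None, "mail_from": None, "rcpt_to": []}
        expect_user = False
        for _, text in lines:
            if text == "SENT: 334 VXNlcm5hbWU6":  # server prompt, base64 of "Username:"
                expect_user = True                # the next client line is the base64 username
            elif expect_user and text.startswith("RECEIVED: "):
                entry["auth_user"] = base64.b64decode(text[10:]).decode("utf-8", "replace")
                expect_user = False               # the password line that follows is never decoded
            elif text.startswith("RECEIVED: MAIL FROM:"):
                entry["mail_from"] = text.split(":", 2)[2].strip("<>")
            elif text.startswith("RECEIVED: RCPT TO:"):
                entry["rcpt_to"].append(text.split(":", 2)[2].strip("<>"))
        report[sid] = entry
    return report

def sending_as_someone_else(report):
    """Sessions whose authenticated account differs from the MAIL FROM address."""
    return sorted(sid for sid, e in report.items()
                  if e["auth_user"] and e["mail_from"]
                  and e["auth_user"].lower() != e["mail_from"].lower())
```

Run it over a real SMTPD log and the flagged sessions show which login was used for each burst of outgoing mail, which is the link the thread is looking for.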

heinduplessis
Normal user
Posts: 60
Joined: 2005-10-16 06:34

Re: My hMailserver being used for spam delivery

Post by heinduplessis » 2014-05-12 08:22

Thanks Bill48105, VXNlcm5hbWU6 decoded is "Username:" - I'm not sure how to find the login of the users sending as rory@?

I've used the great log analyser tool of doom, but I still can't find a link between the spam message sent and the original login. SMTPD only shows "RECEIVED: RCPT TO:" entries.

I'm attaching the html result of the analyser tool's output. Perhaps I'm not looking back far enough, but the day's log is half a gig and I can't run it all through the analyser. How can I find the original SMTP login session for certain SMTP send actions?

Thanks for your time, it's really appreciated.
Attachment: hmail.zip (231.83 KiB)

mattg
Moderator
Posts: 20837
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: My hMailserver being used for spam delivery

Post by mattg » 2014-05-12 11:25

The compromised account is piet@wolwXXXXX.co.za

Then the FROM that is used is another account

heinduplessis
Normal user
Posts: 60
Joined: 2005-10-16 06:34

Re: My hMailserver being used for spam delivery

Post by heinduplessis » 2014-05-19 21:12

Thank you Matt. I've had the customer change his password and shut down nonlocal outgoing mail for the time being. This keeps on happening, so we simply can't offer the service.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: My hMailserver being used for spam delivery

Post by Bill48105 » 2014-05-20 00:23

heinduplessis wrote: Thank you Matt. I've had the customer change his password and shut down nonlocal outgoing mail for the time being. This keeps on happening, so we simply can't offer the service.

If an acct is being abused, either the users have weak passwords, you have poor autoban settings (to prevent dictionary attacks where they guess passwords), user passwords are being sniffed (use SSL), or user computers are infected & passwords are being stolen. The way you know is if it is the same users over & over, or if there is some other factor in common.

Btw, running a mail server requires a certain level of ability but also a certain amount of time for monitoring & maintenance. You might not be able to stop all attacks, but you can do many things to try, or at least to alert you. There are scripts that will limit the # of emails per day, for example. There are scripts to alert you if there are a lot of autobans (an indicator of attacks). There are scripts to block connections based on GeoIP (country of IP address). You can limit based on the port. Many, many things you can do, but all the scripts or settings will not make it maintenance free. You need to actively run the mail server and have reasonable policies, including minimum password strength, and likely require users to send on SSL for starters.
