Sendmail log file
JohnQM
12-20-2005, 07:07 AM
Someone was able to send spam through my server. Now my IP is blacklisted for 10 hours. However, I have detected some suspicious things in the log files:
1) maillog:
(was the spammer able to use <mail> as user?!?)
---
Dec 19 21:10:16 5t1 sendmail[23940]: AUTH=server, relay=adsl86-34-8-16.romtelecom.net [86.34.8.16] (may be forged), authid=mail, mech=LOGIN, bits=0
Dec 19 21:10:19 5t1 sendmail[23940]: jBJKAFvs023940: from=<service@paypal.com>, size=5018, class=0, nrcpts=1, msgid=<200512192010.jBJKAFvs023940@5t1.com>, proto=ESMTP, daemon=MSA, relay=adsl86-34-8-16.romtelecom.net [86.34.8.16] (may be forged)
2) Apache log files:
130.161.3.148 - - [20/Dec/2005:00:10:14 +0100] "CONNECT 205.231.29.241:25 HTTP/1.0" 405 235 "-" "-"
206.78.61.94 - - [20/Dec/2005:00:12:26 +0100] "GET http://www.microsoft.com:80 HTTP/1.0" 200 2392 "-" "-"
206.78.61.94 - - [20/Dec/2005:00:12:26 +0100] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 2392 "-" "-"
[Tue Dec 20 00:57:28 2005] [error] [client 70.116.93.235] request failed: error reading the headers
[Tue Dec 20 00:57:28 2005] [error] [client 70.116.93.235] request failed: error reading the headers
[Tue Dec 20 00:57:28 2005] [error] [client 70.116.93.235] request failed: error reading the headers
[Tue Dec 20 00:57:28 2005] [error] [client 70.116.93.235] request failed: error reading the headers
So, what do you think of the above log files?
Thank you
J.
ozgreg
12-20-2005, 03:03 PM
Have you got some kind of mail script on your website? (Scripts like formmail.pl have very well-known problems / security holes, etc.) Because to me it looks like the spammer is utilising this script as a way of sending spam.
mindfrost82
12-20-2005, 07:07 PM
For the last 2 days, I've been getting the exact same thing in my maillog.
It's only been the last two days.
I'll go into my mqueue and I'll have 40-200 emails sitting there, all saying they're from service@paypal.com,
and this part is EXACTLY the same in my logs: "adsl86-34-8-16.romtelecom.net [86.34.8.16]"
mindfrost82
12-20-2005, 09:34 PM
*bump*
Any ideas on this? I find it weird that I'm not the only one with this issue.
I was thinking it was something with my VPS or someone that uses my mail server, but since JohnQM is getting the exact same thing, I'm not so sure it's my VPS anymore.
ozgreg
12-20-2005, 09:40 PM
Well, neither of you has answered my question: have you got some kind of mail scripts on your site? That is the first place spammers will strike.
mindfrost82
12-20-2005, 09:42 PM
Not that I know of. I have vBulletin, so I believe there's a feedback page which is a form...but that's all I would have.
There's only one thing that I've changed on my server which was last week. I copied over a backup for my company's old website which was available if you knew the URL. I have disabled access to that directory since I don't really know what files are in there.
ozgreg
12-20-2005, 09:51 PM
I suggest you check your Apache logs for something like "206.78.61.94 - - [20/Dec/2005:00:12:26 +0100] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 2392".
This will at least tell you if a spammer has found a way to use a form to send mail out.
mindfrost82
12-20-2005, 09:55 PM
I had the apache logs disabled, but I will turn them back on and see if anything shows up.
...if it does, will it show me what they're using to send the mail out?
ozgreg
12-20-2005, 10:03 PM
Yes, it will show the URL being used. As a tip, I would NEVER recommend you disable the Apache log; unless your site is getting hundreds of thousands of hits per day, then maybe. My personal experience is that without that log it would be impossible to validate what is happening to your site when something is wrong, and the logging really does not generate that much overhead.
mindfrost82
12-21-2005, 08:33 AM
I suggest you check your Apache logs for something like "206.78.61.94 - - [20/Dec/2005:00:12:26 +0100] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 2392".
This will at least tell you if a spammer has found a way to use a form to send mail out.
I checked my logs and I don't have anything like that.
I have 600 messages in my mqueue now :(
For now, use mod_security!! Block every request that contains :25 in it! At least you have to stop it... and then you will be able to breathe and look for the cause...
The probable cause IMO is that you have a proxy. Notice that blocking CONNECT used by a proxy doesn't block POST requests... and I think it's your problem right now.
mindfrost82
12-21-2005, 10:51 AM
The probable cause IMO is that you have a proxy. Notice that blocking CONNECT used by a proxy doesn't block POST requests... and I think it's your problem right now.
Ok, this part is over my head, lol. I'm not sure what you mean.
Well, from what I see, you have an open proxy enabled in your Apache... is it possible?
If you do not use it, you should disable it!
mindfrost82
12-21-2005, 11:14 AM
Well, from what I see, you have an open proxy enabled in your Apache... is it possible?
If you do not use it, you should disable it!
I don't use any proxy, so that should not be there. How would I disable it? Which part of httpd.conf?
OK, to be sure... please look at this script:
http://www.unicom.com/sw/pxytest/
Just download it, chmod +x it and run it with your IP.
It will tell you if you have a proxy.
mindfrost82
12-21-2005, 11:34 AM
Test complete - no proxies found
That was the result of that proxy test
mindfrost82
12-21-2005, 11:39 AM
...also, the messages seem to have stopped. I'm not sure if I changed something that blocks it, or if something else happened, but right now there are no messages in the mqueue.
Well, it's not because it stopped that you are not vulnerable anymore... The bot is on a coffee break :)
Also, we're still not sure if the spam comes from a script, a proxy or from the SMTP... I would need direct access to your logs to be able to understand the cause.
I suggest you ask for help at support@powervps.com ... They sure can do something for you. If you prefer not to disturb them, then I would recommend you hire a sysadmin. I never used any of them, I don't know the prices, but I know one that I could recommend because I used them for a MailScanner installation: http://www.configserver.com/
But first, I would ask for help at support@powervps.com; I'm sure they can do something for you. :cool:
mindfrost82
12-21-2005, 03:58 PM
I have emailed support but haven't received a response yet.
In the mean time, I did notice this in my maillog:
Dec 21 14:47:59 host sendmail[9216]: AUTH=server, relay=adsl86-34-8-16.romtelecom.net [86.34.8.16] (may be forged), authid=sales, mech=LOGIN, bits=0
I did have an account called sales. To me, that looks like it was authenticating on the server as 'sales' and since that user existed it went ahead and tried sending the email. I have deleted that account and the emails seem to have stopped, but it could just be temporary again.
Is there an easy walkthrough on how to make sendmail authenticate SMTP? Either require a username/password or POP-before-SMTP?
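A small triage script for the two kinds of evidence quoted in this thread (the maillog AUTH=server lines from the opening post and the authid=sales line above, and the Apache access-log entries with CONNECT / absolute-URI requests), added here as an example and not code from any poster. It groups SMTP AUTH logins by client IP and flags system accounts, several different authids from one client, or an unverified relay name; separately it flags requests that use Apache as a forward proxy and notes whether the target is port 25. The sample log lines are constructed from the entries in the thread plus a benign control line, and the list of system accounts is an assumption.

```python
import re
# Constructed sample log lines, modelled on the entries quoted in the thread; the
# last line of each log is an added benign control that must not be flagged.
MAILLOG = """\
Dec 19 21:10:16 5t1 sendmail[23940]: AUTH=server, relay=adsl86-34-8-16.romtelecom.net [86.34.8.16] (may be forged), authid=mail, mech=LOGIN, bits=0
Dec 19 21:10:19 5t1 sendmail[23940]: jBJKAFvs023940: from=<service@paypal.com>, size=5018, class=0, nrcpts=1, msgid=<200512192010.jBJKAFvs023940@5t1.com>, proto=ESMTP, daemon=MSA, relay=adsl86-34-8-16.romtelecom.net [86.34.8.16] (may be forged)
Dec 21 14:47:59 host sendmail[9216]: AUTH=server, relay=adsl86-34-8-16.romtelecom.net [86.34.8.16] (may be forged), authid=sales, mech=LOGIN, bits=0
Dec 21 15:00:00 host sendmail[9300]: AUTH=server, relay=pc1.example.org [192.0.2.10], authid=alice, mech=LOGIN, bits=0
"""
ACCESS_LOG = """\
130.161.3.148 - - [20/Dec/2005:00:10:14 +0100] "CONNECT 205.231.29.241:25 HTTP/1.0" 405 235 "-" "-"
206.78.61.94 - - [20/Dec/2005:00:12:26 +0100] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 2392 "-" "-"
198.51.100.7 - - [20/Dec/2005:00:13:00 +0100] "GET /index.html HTTP/1.0" 200 512 "-" "-"
"""

AUTH_RE = re.compile(r"AUTH=server, relay=(\S+) \[([^\]]+)\]( \(may be forged\))?, authid=([^,]+)")
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})', re.M)
SYSTEM_ACCOUNTS = {"mail", "root", "daemon", "nobody", "apache", "www"}  # assumed: never valid for AUTH

def smtp_auth_findings(log):
    # Group successful AUTH logins by client IP, then report the IPs that look abused.
    by_ip = {}
    for m in AUTH_RE.finditer(log):
        relay, ip, forged, authid = m.groups()
        entry = by_ip.setdefault(ip, {"relay": relay, "forged": False, "authids": set()})
        entry["forged"] |= bool(forged)
        entry["authids"].add(authid)
    findings = []
    for ip, info in by_ip.items():
        reasons = []
        if info["authids"] & SYSTEM_ACCOUNTS:
            reasons.append("system account used for AUTH")
        if len(info["authids"]) > 1:
            reasons.append("several different authids from one client")
        if info["forged"]:
            reasons.append("relay reverse DNS unverified (may be forged)")
        if reasons:
            findings.append((ip, sorted(info["authids"]), reasons))
    return findings

def proxy_abuse_findings(log):
    # Flag requests that use the web server as a forward proxy (CONNECT or an absolute URI), noting port 25 targets.
    findings = []
    for m in REQ_RE.finditer(log):
        ip, method, target, status = m.groups()
        if method == "CONNECT" or "://" in target:
            to_smtp = re.search(r":25(/|$)", target) is not None
            findings.append((ip, method, target, int(status), to_smtp))
    return findings
```

Run it against a real maillog and access_log instead of the constructed strings; a 405 on CONNECT (as in the first Apache line) means mod_proxy refused the tunnel, while a 200 on an absolute-URI POST is worth checking by hand.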
ozgreg
12-21-2005, 05:22 PM
Yes, I posted it as part of the MailFoundry spam-blocking thread, but you can modify it to do the same...
http://forums.deftechgroup.com/showpost.php?p=7103&postcount=124
Look for the code starting with
# to restrict port 587 to authenticated users only and change this logic to port 25..
condition = ${if eq {$interface_port}{25} {yes}{no}}
Add the code to the same place in your exim.conf and restart exim, then try to send mail without authenticating yourself and you should be rejected (it works on mine, although I use a different port as the ISPs in Aussie are blocking outgoing port 25).
mindfrost82
12-21-2005, 08:25 PM
I'm not using exim. I have a webmin VPS.
I think deleting my 'sales' user fixed the issue. I haven't had anything in the queue for about 6 hours.
ozgreg
12-21-2005, 08:38 PM
I'd be surprised if you are not running exim. Webmin is a Unix system admin front end and exim is the SMTP transport client; they are not the same thing.
If you do a top or a ps -aux you can look to see if you are running exim.
mindfrost82
12-21-2005, 08:44 PM
I have Sendmail for SMTP
ozgreg
12-21-2005, 09:39 PM
I have Sendmail for SMTP
Damn, sorry, I do not know how to secure that :-( Maybe a Google search on authentication for sendmail might yield you some gems.
mindfrost82
12-22-2005, 01:13 PM
Well I think the problem is fixed. I haven't had any messages in about 24 hours.
Somehow I think a script got in my 'sales' user home. After I deleted that account (and the files with it) the problem has gone away.
Well, you will have to look into that... if you think someone got into your sales account, there's something that wasn't set correctly... Password? Web script? Or even the place where you use your login... like school, work, friends, etc. IMO, I do not trust any computer at all except my laptop... I always bring a Knoppix live CD with me (and my settings are all on my MP3 player as a USB key; they can be loaded when the live CD is booted).
Anyway, you should investigate... One friend I know had a strange story. A sh*tload of spam was sent by using his mail account with SMTP auth!! He wasn't able to know how the hell the spammer was able to get his login... He noticed 2 or 3 hours later that his phpBB forum, installed on his hosting website for tech support, was hacked by one of those bots/worms... He was using SMTP auth to send notifications and stuff about registration... Someone behind the bot was able to get access to the DB and found the mail login...
To make a long story short... you really should investigate and not be relaxed just because the attack stopped... :)
There's a reason behind it...
mindfrost82
12-22-2005, 02:58 PM
I know, I'm not saying that my investigation is over. I will still be looking around to figure out what happened.