MAJOR SECURITY CONCERN: trash50534137@somedomain.com catch-all

[Bogdan]

Does anyone know why all domains created in Plesk that don't have a catch-all address specified are being created with default catch-all called trash50534137@domain.com with password trash50534137?

This behavior is also present in Plesk 7.6.1,not only in 8.1. In Plesk 7.6.1 it used to fill out with all sorts of mails (usually spam sent to inexistent) and cause the client's disk usage to go sky high.

But the security problem is mainly caused by that common password for all the mailboxes which anyone can use to log on the mailbox, see it's contents and even use to authenticate and send SPAM through the server.

If anyone wants to recreate this it's easy:
1. set up a domain in Plesk (mytest.com for example)
2. open webmail (http://IP:8425, where IP is the IP you used to set up hosting for it)
3. Login using the trash50534137 account (trash50534137@mytest.com)
4. Send an email.

You can also log on to trash50534137@mydomain.com with a mail client by specifying server's IP as the mail server in your mail client config.

So, my question now, also asked in http://forum.swsoft.com/showthread.php?threadid=37058 several months ago, is what is this catch-all address used for? I'm sure it's not created by MailEnable (http://www.mailenable.com/forum/vie...previous&sid=cd119fef0cab0ae45856f8eb024a0b8d) but it also doesn't show up in my client's Control Panel either, so I wonder what's its purpose and if it's so important that it really needs to make my servers vulnerable!

As a temporary and partial solution, I disabled catch-all emails on the entire server from MailEanble and I used MailEnable's Catchall Reporter and Remover (http://mailenable.com/addons_Diagnostic.asp) to remove all trash50534137 catch-alls, but that is far from being an answer to the problem.

 

[PaulC]

From what I have seen the use of the mailbox is for the "Discard" option for the mails. I have not looked at closely but the fact it has such a simple password is shocking.

I'm sure a much elegant way would be to drop the message when its being checked by the message filter.

 

[Bogdan]

sergius, any coment from a SWsoft representative on this, or are you guys just gonna ignore it and hope nobody notices?

 

[Bogdan]

I sent a support ticket to SWsoft about this issue, hopefully they'll be able to shed some light.

 

[sergius]

Bogdan, thank you for report. This bug will be fixed ASAP.

 

[Bogdan]

It has been over 28 hours and I haven't received absolutely no response from SWsoft support about this matter. In the mean time, I confirmed this on a fresh install of Windows Server 2003 Enterprise and Plesk 8.1.

 

[Bogdan]

Almost 2 days and the only answer I got was to confirm that the problem is real and that this was forwarded to their incompetent developers.

 

[Bogdan]

Originally posted by sergius
Bogdan, thank you for report. This bug will be fixed ASAP.

Can you give an ETA? I sent a ticket to you guys 3 days ago and still no patch? Is this that hard to fix?

 

[sergius]

Originally posted by Bogdan
Can you give an ETA? I sent a ticket to you guys 3 days ago and still no patch? Is this that hard to fix?

Please check your ticket just now and give here feedback.

 

[Bogdan]

This is what I received from the support engineer handling my ticket:

Hello Bogdan,

Our developers have created patches for Plesk 7.6.1 and Plesk 8.1. It will make "Prevent user from authenticating" MailEnable option enabled for the problem mail user.
For a permanent solution you should replace mailenableproviderw.dll module at %plesk_bin% and execute fixtrash.vbs script.

Please, let us know if you have questions.


Thanks,
--
Alexander Illarionov
Technical Support Engineer
SWsoft, Inc

OK, so as I understand, after applying the patch and running the .vbs script the trash50534137@somedomain.com catch-all will still be there but people won't be able to authenticate using it. As far as I see, this is only half of the problem solved, because all mail sent to inexistent mail accounts for somedomain.com will still be moved to trash50534137@somedomain.com and stored there for no reason at all. In time, trash50534137@somedomain.com will fill up with a lot of emails (mostly spam) that will add up to my clients' disk usage, they will start complaining and I will have to clean the accounts manually (this scenario happened on Plesk 7.6.1 and this let me to notice the problem).

I haven't tested this behavior on Plesk 8.1, but I assume it's the same. Please correct me if I'm wrong.

 

[sergius]

Bogdan, You are right partially.
If you choose value "Discard" of option "Mail to nonexistent user" then MailEnable needs to do something with emails of these (nonexistence) users. ME provides domain option "Catchall email addresses/mailbox" for this purpose. Plesk specifies local mailbox "trash50534137" as value of this option. In one's part Plesk mail filter removes emails sent to this mailbox. In other words Plesk needs to simulate option "redirect to null" which is not supported by ME obviously.

 

[Bogdan]

Hello,

This patch is working perfectly, and sergius, you are right about mails not being stored in the trash mailboxes.

 

[Traged1]

OK, we are seeing this on our servers as well, the password problem is gone, but customer disk space is being taken up by this trash mailbox, and so far it is not ever being cleared out.

My question is then, how do we set the trash mail folder to automatically empty?