SPAM attack

[sebas]

We are getting tons of spam mail.

I know our server is configured so that relaying is closed and authorization is required to send mail. But they are using a sneaky trick to place the mail in the queue because as long as I can tell they are not using an account to authorize but they are using a domain that is hosted on our server.

Here is a bit from /var/log/messages:
Aug 17 12:03:12 canada7 xinetd[1429]: START: smtp pid=11924 from=::ffff:187.162.75.104
Aug 17 12:03:19 canada7 xinetd[1429]: START: smtp pid=13837 from=::ffff:171.99.143.254
Aug 17 12:03:22 canada7 xinetd[1429]: START: smtp pid=14423 from=::ffff:190.18.37.99
Aug 17 12:03:23 canada7 xinetd[1429]: EXIT: smtp status=0 pid=11924 duration=11(sec)
Aug 17 12:03:24 canada7 xinetd[1429]: START: submission pid=15369 from=::ffff:173.193.188.226
Aug 17 12:03:24 canada7 xinetd[1429]: EXIT: submission status=0 pid=15369 duration=0(sec)
Aug 17 12:03:25 canada7 xinetd[1429]: START: smtp pid=15513 from=::ffff:212.200.204.103

And here a bit from /usr/local/psa/var/log/maillog:
Aug 17 12:04:30 canada7 qmail-queue-handlers[21097]: Handlers Filter before-queue for qmail started ...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21029]: starter: submitter[21080] exited normally
Aug 17 12:04:30 canada7 qmail-queue-handlers[21038]: starter: submitter[21096] exited normally
Aug 17 12:04:30 canada7 qmail-queue-handlers[21041]: starter: submitter[21078] exited normally
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: from=meg@xxxxx.com.mx
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: to=adaamalafiisah@yahoo.com
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: to=paulkey2013@yahoo.com
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: to=ambanicrony@yahoo.com
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: SKIP during call 'check-quota' handler
Aug 17 12:04:30 canada7 spf filter[21103]: Starting spf filter...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: SKIP during call 'spf' handler
Aug 17 12:04:30 canada7 spf filter[21104]: Starting spf filter...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: SKIP during call 'spf' handler
Aug 17 12:04:30 canada7 spf filter[21105]: Starting spf filter...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: SKIP during call 'spf' handler
Aug 17 12:04:30 canada7 qmail-queue-handlers[21043]: starter: submitter[21106] exited normally
Aug 17 12:04:30 canada7 qmail-queue-handlers[21108]: Handlers Filter before-queue for qmail started ...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21109]: Handlers Filter before-queue for qmail started ...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: from=huj@xxxxx.com.mx
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: to=way2zoned44@hotmail.com
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: to=asdfga@adsf.com
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: to=jimmiew50@gmail.com
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: to=slejun@yahoo.com
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: to=mnoentil@yahoo.com
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: SKIP during call 'check-quota' handler
Aug 17 12:04:30 canada7 spf filter[21118]: Starting spf filter...
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: handlers_stderr: SKIP
Aug 17 12:04:30 canada7 qmail-queue-handlers[21063]: SKIP during call 'spf' handler

They are sending the mail from a lot of different machines.

I don't know how to stop it and I was wondering if you do.

Here are three samples.

Thanks for your help.

+++++++++++++++++++++++++++++++++++++++++++
Received: (qmail 14598 invoked from network); 17 Aug 2013 11:25:12 -0500
Received: from undef-pesochin-kh.maxnet.ua (HELO pjqwsp) (178.165.84.164)
by canada7.xxxxxxxxxx.com with ESMTPA; 17 Aug 2013 11:25:12 -0500
From: "Xwe Apife" <rugic@xxxxx.com.mx>
To: <tn_sika@yahoo.com>, <mjgman23@googlemail.com>, <smores1998@yahoo.com>, <spacecowboy210@yahoo.com>
Subject:
Date: Sat, 17 Aug 2013 17:16:18 -0700
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-7

zy w
xaruwoq qonoxes kigytoz vup dyd http://www.sogz.ru/movies.htm
poqoz vydu wipoxa

+++++++++++++++++++++++++++++++++++++++++++

Received: (qmail 14983 invoked from network); 17 Aug 2013 11:25:18 -0500
Received: from mm-55-57-120-178.dynamic.pppoe.mgts.by (HELO kabemrylxeb) (178.120.57.55)
by canada7.xxxxxxxxxx.com with ESMTPA; 17 Aug 2013 11:25:17 -0500
Date: Sat, 17 Aug 2013 17:16:23 -0700
From: "Fvuso Jw" <fe@xxxxx.com.mx>
To: <max.rawley@yahoo.com>, <duraens@gmail.com>, <pyronancyrey@aol.com>, <aria_aryan70@yahoo.com>, <crk2430@hotmail.com>, <mg109@gateway.net>, <madison22star@hotmail.com>, <mduong999@aol.com>, <kripal.masughat@gmail.com>, <redneckmatty@comcast.net>
Subject:
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-7"

p me http://www.francoiscavallier.com/video.htm?narybatot r
xes g

+++++++++++++++++++++++++++++++++++++++++++

Received: (qmail 16013 invoked from network); 17 Aug 2013 11:25:32 -0500
Received: from unknown (HELO eunnbyspirt) (109.229.174.161)
by canada7.xxxxxxxxxx.com with ESMTPA; 17 Aug 2013 11:25:31 -0500
Subject:
Date: Sat, 17 Aug 2013 17:16:37 -0700
To: <0billyboy7x@yahoo.com>, <grneyes420@hotmail.com>, <1957210eb@gmail.com>, <burgosjose@ymail.com>, <danieldboca@yahoo.com>, <cprasqui@yahoo.de>, <jamesmubs@yahoo.co.uk>, <driland@hotmail.com>, <harman.brar@live.ca>
From: "ko" <joko@xxxxx.com.mx>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

fyl seqel
fadyni kuwydu wyfev http://www.echipamentelaborator.ro/movie.htm saqa v gaci b
nyhekun papaq

+++++++++++++++++++++++++++++++++++++++++++

 

[sebas]

I have qmail stopped since this problem started because we are getting something between 550 an 2000 spam mails a minute.

I disabled email service for the domain being used by the spammers, but the mail still gets in the queue.

This is what I did to disable it:
qmHandle -B'[video|movie]' && service qmail start && /usr/local/psa/bin/mail --off xxx.com.mx && service qmail stop && qmHandle -B'[video|movie]'

I'm using
qmHandle -B'[video|movie]'

to clean the queue.

 

[Faris Raouf]

Please see my reply to your post on the atomic forum.

Basically, once a spammer authenticates, they very often send as many messages as they can during that session. They do not repeatedly authenticate for each message they send.

Changing the password doesn't help immediately, because the change has no effect on an established connection.

Similarly, restarting qmail has no effect on an established connection. You have to manually kill all the established qmail processes, which you can see using netstat -avnp (or just restart the server)

I would normally also say that psmon (which you will have installed if you have asl) will automatically restart qmail if you stop it, but the last time it looked it didn't do so.

 

[Faris Raouf]

Also, I would add that the spammer's qmail smtp session can last a long time. I forget what the session timeout is in qmail, but it is way too long - hours, I think.

 

[sebas]

Hi Faris,

You were right. I went through the hole cycle and it worked.

Disable, kill all qmails, reset passwords, re enable.

Cheers,

 

[iantresman]

I think my server has the same problem. Did you ever find out how access was gained? My host speculated that they brute-forced a password for an SMTP email account. I'm having problems identifying the email account that may be compromised, as the "account" name is not showing an existing smtp account username, but the server alias. Any suggestions?

It would be useful if Plesk could be more helpful in fixing issues like this. I'd like to see options to:

a. Throttle the number of emails that can be sent from an account, my mail queue was showing 640295 messages.
b. Disable accounts that attempt to send more than set number of emails per minute/hour
c. Identify how many emails come from each account (see you can identify spam/vulnerabilities more easily)
d. Cut qmail sessions
e. List email accounts with "weak" passwords.

 

[sebas]

We did not find how they got access to the account. But since the account was from a domain that has had problems with viruses in the past we assumed that that was the way they used to get the SMTP email account and password.

We had the same problem identifying the account what we did was a password reset on all the accounts on that domain.

I totally agree with you, it would be great to see those options you mention.

 

[iantresman]

1. My host is now suggesting that my cause of this is malware. They are doing a scan. Is there another way to find if there is an offending script, without having to go through every website individually?

2. My mailog also shows connections from Russia and China which would seem to suggest random attempts at guessing vulnerable accounts. I'm sure others would also be aware of their IP addreses. Is there a way to auto-blacklist and firewall such problematic IP ranges?

3. Is it not possible to reduce brute-force attacks by requiring attempts at least 5 seconds apart? I can't see why you would let someone try several password attempts per second.

 

[sebas]

You can use https://www.atomicorp.com/ Atomic Secured Linux works with Plesk and it gives you various protections of the kind you are looking for.

 

[iantresman]

Looks interesting, thanks for that. I had a quick look to see whether Parallel recommends it, and perhaps offers it at a discount, but unfortunately not.

 

[TSCADFX]

If there's a script that's causing this then identifying that script and stopping it would be top priority. There could have been a customer that had a very insecure password as well that allowed a bot to eventually gain access. I would suggest using something such as Fail2Ban in order to prevent these types of attacks in the future.

Even if access was gained through a malicious script it's always good to have other preventative measures in place. On our servers we auto-ban approximately 10 IP's a day, most of them coming from China and targeting postfix. Consider checking out the below links for more information on integrating Fail2Ban with Plesk.

Installing Fail2Ban on Centos with Plesk

Permanently Ban Repeat Offenders With Fail2Ban

We hope that helps!

 

[IgorG]

BTW, Fail2Ban is most voted feature - http://plesk.uservoice.com/forums/1...ions/3701028-add-fail2ban-as-module-for-plesk

 

[TSCADFX]

I've voted on that months ago. Even if it does become integrated into Plesk there's no telling if it will have full integration with the Panel login vs the services on the server. The filters and jails change according to the flavor of OS and on installed options, logging locations etc.

Either way, we've come up with solutions for protecting all aspects of Plesk with Fail2Ban, even invalid webmail and control panel logins.

 

[iantresman]

We just installed Fail2Ban, and it's stopping up to half a dozen attempts per day. I'm surprising it is not installed as standard.