2

I received an abuse message from the operators of dnsbl.de. To me it sounds like it has nothing to do with me, but since it is so serious I don't want to rely on guesswork and would rather check whether it really is.

What I got

Here is an excerpt of the mail which was supposed to have run through my server (IP addresses replaced by placeholders):

Return-Path: <root@vicibox7.suse>
Received: from vicibox7.suse (static.12-34-56-78.example.tld [12.34.56.78] (may be forged))
    by topixx1.b2.powerweb.de (8.14.5/8.14.1) with ESMTP id 016KERQF029825
    for <XXX@XXX.XXX>;  Thu, 6 Feb 2020 21:14:28 +0100
Received: by vicibox7.suse (Postfix, from userid 0)
    id EBD62142B3FE; Wed,  4 Dec 2019 15:22:17 -0500 (EST)
Subject: Der Einweisungsprozess ist obligatorisch #DE1D22H11788Z9740018344514
X-PHP-Originating-Script: 0:eb.php

The server in question does not run a mail server at all. So an open gateway is out of the question. Actually there is nothing on the server which should send anything via port 25 at all. I am the only person who has access to the machine (via SSH). The only service provided to the public is a web service I wrote myself. So if this mail has actually passed through my server, then this would indicate that someone has gained unauthorized access, and this would of course mean that I need to take drastic action, such as re-installing the whole machine from scratch, because who knows what else the attacker did?

However, did this email really pass through my server? Here are a couple of things I found suspicious:

  • Received: from vicibox7.suse, but my server is not called vicibox7.suse. Not even similar. However, the IP address after that is actually mine. Googling for the name leads me to VICIbox, which seems to refer to "VICIDIAL Call Center Suite", which is software unknown to me, also indicating a server which is not mine?
  • In the Received header it lists "(may be forged)", so, as far as I understand, this means that the receiving mail server could not verify whether the mail actually came from the server listed and the whole "Received" entry might be forged.
  • It says X-PHP-Originating-Script: 0:eb.php, so it does seem to indicate that the mail was generated somewhere by some PHP script. My server does not even have PHP installed in the first place.

Of course I checked the log files (/var/log/*) of my server and I could not find anything out of the ordinary. I also checked the traffic statistics provided by the data center operator. Usually my server produces about 1-2 GB of outgoing traffic per day, so not very much in any case. I'd expect that someone who hijacks my server would send lots of emails and thus cause substantially more traffic. However, no spikes are to be seen. The traffic is just normal.

I checked ps aux for processes that should not be there and checked netstat -a. Nothing I would not expect to be there.

Then I used the following to block possible attempts to send mail on port 25 and log them using iptables:

iptables -N LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
iptables -A OUTPUT -p tcp --destination-port 25 -j LOGGING

I tested whether it works using netcat google.com 25 and that immediately creates a log entry in /var/log/syslog. So theoretically it works. I watched syslog for several hours, but no further log output from my iptables script.

What now?

It seems like I am unaffected. However, the website of dnsbl.de states "Please be ensured that our system only blocks mailserver our customers we received spam from.". I hope their software is better than their grammar ;-). In the German version of the text they even use the word "proven". Do they actually mean "Please be ensured that our system only blocks mailservers that some random email claims to have passed, no matter where it actually comes from"? A service that can be fooled this easily would be rather useless, would it not be? So maybe I am wrong somewhere.

So I also checked http://www.anti-abuse.org and 2 of the 53 DNSBL services that this site lists also blacklist my IP address (ix.dnsbl.manitu.net and truncate.gbudb.net). Not sure if this is a good sign or a bad sign.

What do you make of it? Could this abuse be real?

yankee
  • 177
  • 2
  • 6
  • Hi, which BLs do the two bans come from? Some, like SORBS, just blacklist things like DHCP scopes, which can be inaccurate. For your problem I would do a simple network monitoring to be sure your server is not used as a mail relay. – yagmoth555 Feb 07 '20 at 14:54
  • @yagmoth555: ix.dnsbl.manitu.net and truncate.gbudb.net. – yankee Feb 07 '20 at 15:26

1 Answer

0

I think your server is compromised or your webservice allows mail to be sent by unauthorized individuals. I would audit your code and rebuild the server.

The fact that the first Received: header has your IP concerns me. The second is probably fake.

topixx1.b2.powerweb.de is in fact a mail relay.

As for why your IP appears on some DNSBLs: perhaps your server has sent other spam or whoever had your IP before you used it to send spam.

Mark Wagner
  • 17,764
  • 2
  • 30
  • 47
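A small parser for the header analysis that both the question and the answer turn on, added here as an example and not part of either post: it walks the Received: chain from the top and treats only the stamps added by a relay we trust as verifiable, so the connecting IP recorded by the recipient's MX stands while the Postfix line beneath it is just sender-controlled text. The trusted-relay set (the reporter's MX topixx1.b2.powerweb.de) is an assumption, and the sample headers are a constructed copy of those quoted in the question.

```python
import re

# Constructed copy of the Received: headers quoted in the abuse report (placeholders as in the post).
REPORTED_HEADERS = """\
Received: from vicibox7.suse (static.12-34-56-78.example.tld [12.34.56.78] (may be forged))
    by topixx1.b2.powerweb.de (8.14.5/8.14.1) with ESMTP id 016KERQF029825
    for <XXX@XXX.XXX>;  Thu, 6 Feb 2020 21:14:28 +0100
Received: by vicibox7.suse (Postfix, from userid 0)
    id EBD62142B3FE; Wed,  4 Dec 2019 15:22:17 -0500 (EST)
X-PHP-Originating-Script: 0:eb.php
"""
# Relays whose stamps we accept as honest (assumption: the reporter's own MX).
TRUSTED_RELAYS = {"topixx1.b2.powerweb.de"}
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\s*(?P<forged>\(may be forged\))?\))?\s*)?"
    r"by\s+(?P<by>\S+)", re.I)

def received_values(raw):
    """Unfold the headers and return the Received: values, newest (topmost) first."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # folded continuation line
        else:
            lines.append(line)
    return [re.sub(r"\s+", " ", l.split(":", 1)[1]).strip()
            for l in lines if l.lower().startswith("received:")]

def analyse_hops(raw, trusted_relays=TRUSTED_RELAYS):
    """Walk the chain top-down. A hop is verifiable only while every hop above it was
    stamped by a relay we trust; everything below that point is sender-controlled text."""
    hops, chain_intact = [], True
    for value in received_values(raw):
        m = RECEIVED_RE.match(value)
        h = m.groupdict() if m else {"helo": None, "rdns": None, "ip": None, "forged": None, "by": None}
        chain_intact = chain_intact and (h["by"] or "").lower() in trusted_relays
        h["verifiable"] = chain_intact
        # HELO name disagreeing with reverse DNS is what Sendmail marks "(may be forged)".
        h["helo_mismatch"] = bool(h["helo"] and h["rdns"]) and h["helo"].lower() != h["rdns"].lower()
        hops.append(h)
    return hops

def verified_sender_ips(raw, trusted_relays=TRUSTED_RELAYS):
    """Connecting IPs recorded by trusted relays: the only addresses in the chain worth acting on."""
    return [h["ip"] for h in analyse_hops(raw, trusted_relays) if h["verifiable"] and h["ip"]]

if __name__ == "__main__":
    print("verified connecting IPs:", verified_sender_ips(REPORTED_HEADERS))
```

For the quoted report this yields exactly one verifiable connecting IP, 12.34.56.78, with the HELO name vicibox7.suse disagreeing with its reverse DNS, which is why the relay appended "(may be forged)".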