I need help diagnosing this: http://www.projecthoneypot.org/ip_66.18.204.186 It says my server has been sending spam for 4 months!

I try to be a responsible mail server admin, I hate spam, I do everything I am capable of to prevent it from happening. I need to figure out what is going on and where it is coming from so I can stop this.

I have watched the logs and tcpdumped traffic and I cannot find anything out of the ordinary. Everything going out is legitimate emails from users. There is no sign of spam, and no sign of increased traffic.

Network is locked down by a firewall/gateway server running shorewall. The 66.18.204.186 IP address is one of several static IP addresses I have, but it is the ONLY IP address I use for mail and it is dedicated to only that purpose. It is 1:1 NAT translated to an internal server at 192.168.50.9 (bismark - my mail server). The firewall is configured to allow traffic in/out on port 25 ONLY from this server, and ONLY mapped to that outbound IP. This works, I've tested it, there's no way in or out on port 25 from any other computer on the network.

This leaves me with the conclusion that any spam originating from that IP address must indeed be coming from my mail server, but I have no idea how. My only guess is a compromised user account password (it does allow external SMTP auth, defended against brute force by fail2ban).

I can't see any spam going out at the moment. How do I monitor for it? How will I know if it starts again? More importantly, how do I make sure it will never start again? Help! I don't want to be one of the bad guys!

cecilkorik
  • Have you searched for this message in the logs: `From: "Poste Italiane" Subject: Comunicazione importante` – MichelZ Apr 24 '14 at 05:58
  • I have checked the logs, I suppose they don't go back far enough. I don't think it's a duplicate. Those features I have already configured, and I have confirmed they are working. This is something beyond those basic protections. – cecilkorik Apr 24 '14 at 08:00
  • @cecilkorik How long do you keep your logs for? Now might be a good time to increase how long you keep them for so that you still have the evidence you need when you discover a problem. – Ladadadada Apr 24 '14 at 14:46
  • Good tip, I agree. I thought I had longer logging configured already, but apparently on Ubuntu this is done by /etc/cron.daily/sysklogd NOT by logrotated. I am not sure why they use the two different methods for rotating log files. – cecilkorik Apr 24 '14 at 14:59

1 Answer

What is your mail server running as an MTA? Which OS?

There is everything you need on the honeypot page in order to find out what's going on. You have an example email snippet:

Example Messages Sent From 66.18.204.186

From: "Poste.it"<info@poste.it>
Subject: Comunicazione importante 
From: "Poste Italiane"<Informa@poste.it>
Subject: Comunicazione importante

Just check your mail server logs for that. My 2 cents: you have a "legitimate user" infected by some virus.

MadHatter
alxgomz
  • I'm running postfix on Ubuntu Server 10.04 LTS. I'll be upgrading to 14.04 LTS as soon as I'm comfortable that it's stabilized. I've searched the logs for all those strings (including the archived compressed logs) and found nothing. Unfortunately the mail logs only go back to April 08, and I have no idea what dates I would be looking for if I were to pull backups. – cecilkorik Apr 24 '14 at 07:41
  • And I do agree that it's quite probably a legitimate user infected by a virus, the trick is going to be tracking down which one. Many family and friends have email accounts, as well as a few very small businesses who I help out with IT things. – cecilkorik Apr 24 '14 at 07:45
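As an added example for this thread (not code from the question or the answer), the two things asked for, finding which SMTP-AUTH account is behind a sending burst and finding the logged Subject, done over Postfix's mail.log and its rotated .gz archives. It assumes Postfix's default smtpd logging of sasl_username; Subject headers only appear in the log when header_checks contains a rule such as `/^Subject:/ WARN`, which is one reason a plain grep for the subject can come back empty. The log lines, host and account names are constructed.

```python
import gzip
import re
from collections import Counter

# Postfix smtpd line for an authenticated submission: "Mon DD ... postfix/smtpd[pid]: QUEUEID: client=..., sasl_username=USER"
SASL_RE = re.compile(r"^(\w{3} +\d+) .* postfix/smtpd\[\d+\]: ([0-9A-F]+): client=.*sasl_username=(\S+)")
# cleanup line written by a header_checks rule '/^Subject:/ WARN' (Postfix does not log subjects otherwise)
SUBJECT_RE = re.compile(r"postfix/cleanup\[\d+\]: ([0-9A-F]+): warning: header Subject: (.*?) from ")

def read_logs(paths):
    """Yield lines from mail.log and its rotated copies, transparently decompressing .gz archives."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh

def sasl_volume(lines):
    """Count accepted submissions per (day, authenticated user)."""
    counts = Counter()
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            counts[(m.group(1), m.group(3))] += 1
    return counts

def flag_bursts(counts, threshold):
    """Accounts that sent more than `threshold` messages in one day: first suspects for a stolen SMTP-AUTH password."""
    return sorted((day, user, n) for (day, user), n in counts.items() if n > threshold)

def subjects_matching(lines, needle):
    """Map queue ID -> subject for every logged Subject header containing `needle`."""
    hits = {}
    for line in lines:
        m = SUBJECT_RE.search(line)
        if m and needle in m.group(2):
            hits[m.group(1)] = m.group(2)
    return hits

# Constructed sample log (not from the question): alice sends one normal mail, bob's account sends a burst with the phishing subject.
SAMPLE = [
    "Apr 23 09:00:01 bismark postfix/smtpd[2001]: A1B2C3D4E5: client=dsl.example[203.0.113.10], sasl_method=LOGIN, sasl_username=alice",
    "Apr 23 09:00:02 bismark postfix/cleanup[2002]: A1B2C3D4E5: warning: header Subject: Lunch on Friday? from dsl.example[203.0.113.10]; from=<alice@example.org> to=<bob@example.org> proto=ESMTP helo=<pc>",
    "Apr 23 11:00:01 bismark postfix/cleanup[2101]: B000000000: warning: header Subject: Comunicazione importante from unknown[198.51.100.7]; from=<Informa@poste.it> to=<victim@example.net> proto=ESMTP helo=<x>",
] + [
    f"Apr 23 11:{i:02d}:00 bismark postfix/smtpd[2100]: B{i:09X}: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob"
    for i in range(25)
]
```

On the server itself, feed `read_logs(sorted(glob.glob("/var/log/mail.log*")))` to `sasl_volume` and `subjects_matching` instead of `SAMPLE`; the per-day counts also give you the baseline to compare against once logs are retained longer.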