
I am getting "Undelivered Mail Returned to Sender" messages. The relevant mail messages are being forwarded using a valid user (mike@proactech.com) on my server (server1.nbicharts.com). I control that email address, so it is not me that's doing the forwarding. I have tested that my server is not an open relay so I need help on how to track the vulnerability that is allowing this to happen. I presume that although I am seeing only the undelivered messages, there must be more that are being delivered.

Any help will be greatly appreciated.

Here is a typical message:

        This is the mail system at host server1.nbicharts.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

                   The mail system

<hrrecruitmentcell@tvssons.com>: host b.as.safentrix.com[23.239.12.179] said:
    550 5.1.1 <hrrecruitmentcell@tvssons.com>: Recipient address rejected: User
    unknown (in reply to RCPT TO command)



Reporting-MTA: dns; server1.nbicharts.com
X-Postfix-Queue-ID: D7340580C88
X-Postfix-Sender: rfc822; mike@proactech.com
Arrival-Date: Sat, 25 Jul 2015 06:35:04 -0400 (EDT)

Final-Recipient: rfc822; hrrecruitmentcell@tvssons.com
Original-Recipient: rfc822;hrrecruitmentcell@tvssons.com
Action: failed
Status: 5.1.1
Remote-MTA: dns; b.as.safentrix.com
Diagnostic-Code: smtp; 550 5.1.1 <hrrecruitmentcell@tvssons.com>: Recipient
    address rejected: User unknown


ForwardedMessage.eml
Subject: Reply: kavithamai
From: kavithamai <mike@proactech.com>
Date: 07/25/2015 01:35 AM
To: "hrrecruitmentcell" <hrrecruitmentcell@tvssons.com>

Begin forwarded message

>  
>>
>>> http://freefinancialstresstest.com/lazbqala.php?kavithamai
>
> From: Kavithamai -kavithamai@yahoo.co.in-
> Date: Fri, 25 Jul 2015 11:35:04 +0000
> To: Hrrecruitmentcell
> Subject: Re: Fwd
>
> 7/25/2015 11:35:04 AM

Sent from my iPad

Here is the mail.log entry:

Jul 25 06:35:06 server1 postfix/smtp[18650]: D7340580C88: to=<hrrecruitmentcell@tvssons.com>, relay=b.as.safentrix.com[23.239.12.179]:25, delay=1.8, delays=1.1/0/0.45/0.2, dsn=5.1.1, status=bounced (host b.as.safentrix.com[23.239.12.179] said: 550 5.1.1 <hrrecruitmentcell@tvssons.com>: Recipient address rejected: User unknown (in reply to RCPT TO command))
    At the moment we have no idea whether this went out through your server or not. Does your MTA have logs corresponding to the original delivery attempt? If not, you've been [joe-jobbed](https://en.wikipedia.org/wiki/Joe_job); there's [good advice on SF](http://serverfault.com/questions/369460/what-are-spf-records-and-how-do-i-configure-them) already about dealing with that. – MadHatter Jul 26 '15 at 08:56
  • I agree with MadHatter. Consult your Postfix log file for traces of that mail. If you find none, the mail hasn't been forwarded by your server, just forged with your sender address. If you do find entries related to that mail they will tell you where it came from, how it was delivered to your server and how it circumvented your relay policy. – Tilman Schmidt Jul 26 '15 at 13:26
  • I found this record in the mail log, so I think its clear that the mail is being forwarded through my server: Jul 25 06:35:06 server1 postfix/smtp[18650]: D7340580C88: to=, relay=b.as.safentrix.com[23.239.12.179]:25, delay=1.8, delays=1.1/0/0.45/0.2, dsn=5.1.1, status=bounced (host b.as.safentrix.com[23.239.12.179] said: 550 5.1.1 : Recipient address rejected: User unknown (in reply to RCPT TO command)) – user1142052 Jul 26 '15 at 16:23
  • That's a start, and I agree it does look like it was sent from your server. Now we need the rest of the logs about that particular email; as Tilman says, those should give you a better clue about how it got into your queue in the first place. – MadHatter Jul 26 '15 at 19:29
  • Thanks so much for your help. How do I get the "rest of the logs" ? I got that from webmin's mail log search. – user1142052 Jul 26 '15 at 21:12
  • Something like `grep 18650 /var/log/postfix` is likely to be your friend here, but I'm a `sendmail` chap so can't be sure what postfix logs, nor where. I'm afraid you will need to learn to use proper sysadmin tools, from the shell, or there's some danger your question will get closed (questions involving web-based control panels are generally off-topic). – MadHatter Jul 27 '15 at 05:57
  • Thanks for the tip. I can use the command line but I'm also lazy! I did find this though for that email: Jul 25 06:35:04 server1 postfix/smtpd[18459]: D7340580C88: client=178-143-123-1.dynamic.orange.sk[178.143.123.1], sasl_method=PLAIN, sasl_username=mike@proactech.com – user1142052 Jul 27 '15 at 06:50
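The comments above amount to one procedure: take the queue id from the bounce, collect every log line carrying that id, and read the `postfix/smtpd` line for the submitting client and `sasl_username`. The script below is an added example, not code from the question or its commenters, that performs that correlation over constructed log lines modelled on the entries quoted in the thread, then counts submissions per SASL login and client IP so that a burst such as the "about a hundred messages" from one address reported later in the thread stands out. The queue id D7340580C88, the client 178.143.123.1 and the tvssons.com recipient are from the page; every other queue id, host, address and message id is constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the lines quoted in the question and the
# comments. Only the D7340580C88 lines and the Orange Slovakia client come from
# the thread; the other queue ids, hosts and addresses are made up.
SAMPLE_LOG = """\
Jul 25 06:34:59 server1 postfix/smtpd[18459]: connect from 178-143-123-1.dynamic.orange.sk[178.143.123.1]
Jul 25 06:35:04 server1 postfix/smtpd[18459]: D7340580C88: client=178-143-123-1.dynamic.orange.sk[178.143.123.1], sasl_method=PLAIN, sasl_username=mike@proactech.com
Jul 25 06:35:04 server1 postfix/cleanup[18470]: D7340580C88: message-id=<constructed-1@proactech.com>
Jul 25 06:35:04 server1 postfix/qmgr[1234]: D7340580C88: from=<mike@proactech.com>, size=1024, nrcpt=1 (queue active)
Jul 25 06:35:06 server1 postfix/smtp[18650]: D7340580C88: to=<hrrecruitmentcell@tvssons.com>, relay=b.as.safentrix.com[23.239.12.179]:25, delay=1.8, delays=1.1/0/0.45/0.2, dsn=5.1.1, status=bounced (host b.as.safentrix.com[23.239.12.179] said: 550 5.1.1 <hrrecruitmentcell@tvssons.com>: Recipient address rejected: User unknown (in reply to RCPT TO command))
Jul 25 06:35:07 server1 postfix/smtpd[18459]: E1111111111: client=178-143-123-1.dynamic.orange.sk[178.143.123.1], sasl_method=PLAIN, sasl_username=mike@proactech.com
Jul 25 06:35:08 server1 postfix/smtp[18651]: E1111111111: to=<someone@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=1.0/0/0.1/0.1, dsn=2.0.0, status=sent (250 OK)
Jul 25 09:12:00 server1 postfix/smtpd[18900]: F2222222222: client=office.example.net[198.51.100.5], sasl_method=PLAIN, sasl_username=mike@proactech.com
Jul 25 09:12:01 server1 postfix/smtp[18901]: F2222222222: to=<colleague@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, delays=0.7/0/0.1/0.1, dsn=2.0.0, status=sent (250 OK)
"""

# "postfix/<process>[pid]: <QUEUEID>: rest" -- the queue id ties the smtpd,
# cleanup, qmgr and smtp lines of one message together.
QUEUE_RE = re.compile(r'postfix/(?P<proc>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]{8,}): (?P<rest>.*)')
# smtpd line: client=host[ip], optionally followed by SASL details.
CLIENT_RE = re.compile(r'client=(?P<host>\S+?)\[(?P<ip>[0-9.]+)\](?:,.*sasl_username=(?P<user>\S+))?')
STATUS_RE = re.compile(r'status=(?P<status>\w+)')


def parse_log(text):
    """Group Postfix log lines by queue id and extract the facts an incident
    responder wants: submitting client, SASL login and final delivery status."""
    records = defaultdict(lambda: {"client_host": None, "client_ip": None,
                                   "sasl_username": None, "status": None,
                                   "lines": []})
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue  # e.g. the bare "connect from" line carries no queue id yet
        rec = records[m.group("qid")]
        rec["lines"].append(line)
        rest = m.group("rest")
        if m.group("proc") == "smtpd":
            c = CLIENT_RE.search(rest)
            if c:
                rec["client_host"] = c.group("host")
                rec["client_ip"] = c.group("ip")
                rec["sasl_username"] = c.group("user")  # None for unauthenticated inbound mail
        s = STATUS_RE.search(rest)
        if s:
            rec["status"] = s.group("status")
    return dict(records)


def trace(records, qid):
    """All log lines for one queue id, i.e. what 'grep <queue id> mail.log' gives."""
    return records.get(qid, {}).get("lines", [])


def count_by_login(records):
    """Submissions per (sasl_username, client_ip): the pivot that exposes an
    account being driven from an unexpected network."""
    counts = Counter()
    for rec in records.values():
        if rec["sasl_username"]:
            counts[(rec["sasl_username"], rec["client_ip"])] += 1
    return counts


def suspicious_logins(records, threshold):
    """(user, ip, count) triples at or above the threshold, sorted for stable output."""
    return sorted((user, ip, n) for (user, ip), n in count_by_login(records).items()
                  if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for line in trace(recs, "D7340580C88"):
        print(line)
    print()
    for user, ip, n in suspicious_logins(recs, 2):
        print(f"{user} submitted {n} messages from {ip}")
```

On a live system feed the script the real log (commonly `/var/log/mail.log` or `/var/log/maillog`, depending on the distribution) in place of `SAMPLE_LOG`; the threshold for `suspicious_logins` is a judgement call per site, but a SASL login that normally submits a handful of messages a day and suddenly submits dozens from one dynamic address is the pattern the thread ends up describing.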

2 Answers


You've done some digging, and found that the original outbound email was sent through your server. That means that, unusually in such cases, you weren't joe-jobbed.

Digging through the logs has shown that the user in question authenticated to send email from Orange Slovakia, which will most likely be a mobile connection. You should ask this user why he's authenticating to send mail from Slovakia.

If he intended to send this mail, you should evaluate his actions in light of your Acceptable Use Policy. If he didn't intend to send it, then his account, and probably his mobile computing equipment, has been compromised, he should engage in appropriate cleanup, and you should lock his account until you're satisfied that he has done so satisfactorily, again depending on your AUP to justify your actions.

MadHatter
  • Thank you for continuing to try to help me. In fact, the only valid users on the server are users I control. The only logins are to applications, not to the server itself, so somehow this user has gained access to the server. – user1142052 Jul 27 '15 at 09:19
  • I can't say how postfix came to allow that authentication, but if I read those logs right (and I may not be, for as I said I'm no postfix guy), it did indeed permit him to do so. Note that you don't necessarily need a valid shell login to authenticate to a service like an MTA, or IMAP - merely credentials that satisfy the application itself. – MadHatter Jul 27 '15 at 09:22
  • I found this maillog entry: Jul 25 06:34:59 server1 postfix/smtpd[18459]: connect from 178-143-123-1.dynamic.orange.sk[178.143.123.1] followed by about a hundred messages sent as mike@proactech.com. So I need to blacklist ip 178.143.123.1. I did change the password on the mike@proactech.com account and I haven't seen any logins since then. – user1142052 Jul 27 '15 at 09:30
  • Then I think the evidence that this account was compromised, and used to send spam, is even stronger, no? – MadHatter Jul 27 '15 at 10:01
  • Yes, I agree, and I found logins from many ip's too numerous to mention. Thank you MadHatter for your help. – user1142052 Jul 27 '15 at 21:18

More likely than a server vulnerability exploitation, this looks like spoofing source address. One of the methods to deal with this (but not entirely mitigate), is to use SPF records.

There are currently no SPF records for proactech.com domain. This means that the target mail servers can not verify whether an incoming message comes from your mail server (legitimate) or some other (not legitimate).

If you install SPF records, the target systems (that are sending you bounce messages) that check validity of SPF records (and there are many of them today) will reject any incoming messages from servers that are not allowed by these SPF records and they will not try to deliver such messages. This means no bounces to you.

You can also consider installing DKIM, which is another feature that can help you mitigate a part of the problem. I do think SPF is checked more widely than DKIM, so the first thing to do is SPF, but if it is possible, also install DKIM, just to make sure you have done the best you could.

Wapac
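To make concrete what a receiving server does with an SPF record, here is an added example (not from the answer above or from any SPF library) of a deliberately reduced SPF evaluator: it understands the `a`, `a:host`, `ip4` and `all` mechanisms with their `+`, `-`, `~` and `?` qualifiers, and nothing else. The answer states that proactech.com has no SPF record, so the record, the DNS answers and all IP addresses below are constructed placeholders. Note the limit the thread itself uncovers: mail submitted through the server with a stolen password leaves from the server's own address and therefore passes SPF, which is why SPF stops forged-envelope spam but not a compromised account.

```python
import ipaddress

# Constructed placeholder record: authorise the mail server's A record and one
# extra network, and hard-fail everything else. proactech.com had no real SPF
# record at the time of the thread; these values are made up for the example.
EXAMPLE_RECORD = "v=spf1 a:server1.nbicharts.com ip4:203.0.113.0/24 -all"

# Constructed DNS answers so the example runs offline; a real checker queries DNS.
FAKE_DNS = {
    ("proactech.com", "TXT"): [EXAMPLE_RECORD],
    ("server1.nbicharts.com", "A"): ["198.51.100.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in resolver over the constructed table above."""
    return FAKE_DNS.get((name, rrtype), [])


def check_spf(sender_domain, client_ip, resolve=lookup):
    """Reduced SPF check: which result does the connecting IP earn for the
    envelope-sender domain? Returns pass, fail, softfail, neutral or none."""
    records = [r for r in resolve(sender_domain, "TXT") if r.startswith("v=spf1")]
    if len(records) != 1:
        return "none"  # no record (or an ambiguous duplicate): receiver cannot verify
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qual = "+"  # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "a":
            host = arg or sender_domain
            if any(str(ip) == addr for addr in resolve(host, "A")):
                return QUALIFIERS[qual]
        # include, mx, exists, redirect= etc. are deliberately not implemented here
    return "neutral"  # no mechanism matched and no "all" terminated the record


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.77", "178.143.123.1"):
        print(f"{ip}: {check_spf('proactech.com', ip)}")
```

The first address is the server's own, so it passes; the second is inside the `ip4` network; the third (the dynamic client from the thread) hits `-all` and fails, which is what makes a receiver reject a forged envelope before it ever bounces back to you. A domain with no `v=spf1` TXT record yields `none`, the state the answer describes for proactech.com.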