
This question is different from How do I deal with a compromised server?

Obviously the server has been compromised. But this question raises specific, not generic, issues, whereas those in the post it is accused of duplicating are generic and very obvious.

The particular difference is that a set of data is provided that concerns a specific question: mail being sent when the sendmail system is used, data on how the use of the server for that mail was detected, and suspicions about how it is being done.

If you want to mark this as a duplicate, then 99% of StackOverflow and its variants are duplicates.

The case:

Yesterday one of my machines was involved in a campaign sending spam with the subject "Incomming voicemail", supposedly sent by WhatsApp.

I know this because my provider detected spam being sent from my server. Oops. My server uses Exim, with ASSP as the anti-spam system.

Well, my provider sent me some examples of the spam.
Destination IP: 74.125.129.27 - Message-ID: 7eE1c2268c4.8E2eBB6d3b915f3dc69aacA1E36@fes.de - Spam score: 600
Destination IP: 74.125.129.27 - Message-ID: 5C6e3Cf89a.9E98A6E9af61F2C6aC3a214@frfsa.org - Spam score: 600
Destination IP: 74.125.129.27 - Message-ID: 9e2E3aA2EDd54C5AD52ae1.C23DC3e9faD3@clayton.com - Spam score: 600
Destination IP: 74.125.129.27 - Message-ID: Fd7521FAf5BC98C87.3BacFaAe@wapi.com - Spam score: 300
Destination IP: 74.125.129.27 - Message-ID: a87fa6d2Cb4Ab42A9f3e54859a84A8f152b6cc@masapon.net - Spam score: 600

On my server there is no evidence of these sendings. I am talking about the Exim logs and the ASSP logs, and about looking only at the destination domain.

To analyze the problem, I created a script that dumps the port 25 traffic with tcpdump, in order to verify and analyze whether it was true that my provider was detecting those sendings.

When I analyzed the traffic at the next suspension, I again found nothing in the logs, but to my surprise, when analyzing with Wireshark the pcap file for the time window in which the spam was sent, I found that all the evidence was there.

I do not understand how it is possible to send mail without it passing through ASSP and the Exim logs, unless a program is being used that does telnet?

An error or a missing setting in the ASSP or Exim configuration?

In Wireshark:

220 SNT004-MC4F14.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx. Fri, 17 Feb 2017 16:51:25 -0800 
HELO srv108.tamainut.net
250 SNT004-MC4F14.hotmail.com (3.22.0.27) Hello [176.31.31.233]
MAIL FROM: <davidiqwq@clayton.com>
250 davidiqwq@clayton.com....Sender OK
RCPT TO: <rdlord@msn.com>
550 Requested action not taken: mailbox unavailable
abkrim
  • Your system has likely been breached and injected with a process that sends these spam messages. You need to restore from a known good backup. – Tero Kilkanen Feb 18 '17 at 11:53
  • After 25 years of experience, that explanation, and the one about restoring the system, seem a little apprentice-like to me. If for a user account intrusion the system had to be restored, the world would be permanently restoring. You have not even stopped to read, you have not even put in a bit of intention except to mark the question as a duplicate. It is the best way to learn and give quality to this site. Thank you, – abkrim Feb 18 '17 at 16:16
  • The symptoms clearly look like that there is some rogue process in the system sending the spam. Once there is such a rogue process in the system, you cannot trust anything that is inside the system. You could boot to a rescue system, check all OS files one-by-one to see which have been replaced with backdoors. However, this would take much longer than simply restoring from backups, and you could still miss a critical file. That is the unfortunate reality of rootkit malware in the systems. Therefore the best action is to restore from backups. – Tero Kilkanen Feb 18 '17 at 20:12
  • Track it back, who is sending that mail. – peterh Feb 19 '17 at 11:34
  • @peterh tracking it is the question. It's sending using sockets (telnet is off on the machine). If sending with sockets, it does not log on the mail server. – abkrim Feb 19 '17 at 19:18
  • @abkrim All mails are sent using sockets, it is a meaningless statement. You have to find out, which process started these mails, or from which hosts were they sent through your machine. – peterh Feb 19 '17 at 19:33
  • If it uses sockets, if the TCP conversation shows a sender that is not a user of my machine, if the mail server and the antispam server show nothing in the logs, I need, IMHO, to search for an app that uses sockets (php, perl...) to emulate a telnet conversation with the remote SMTP. That's for sure. All email uses sockets, but legitimate mail uses another OSI level, through the SMTP server (exim, sendmail). – abkrim Feb 19 '17 at 20:53
  • If the sender machine belongs to elsewhere, you can put it in some blacklist. If it belongs to you, you can continue the track on it. – peterh Feb 22 '17 at 16:08
  • A firewall to stop and track attempted connections through port 25 except for root. With this, detect who is sending spam using programming and not the server. Timestamps, check logs, analyze and clean the intrusion. That's it. – abkrim Feb 25 '17 at 13:07
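The two checks discussed in this thread, comparing what the port-25 capture shows against what the MTA logged (the question) and attributing outbound port-25 connections to a local uid with a firewall LOG rule (the last comment), as an added example that is not code from the original post. It assumes Exim's default mainlog line format, the iptables LOG target with --log-uid, and a distro-specific MTA account name (Debian-exim); the transcript, Exim log and kernel log lines below are constructed for the example.

```python
"""Wire-vs-MTA correlation and uid attribution for direct SMTP (added example).
Assumed firewall rule feeding attribute_direct_smtp() (Debian-exim is an assumption):
  iptables -A OUTPUT -p tcp --dport 25 --syn -m owner ! --uid-owner Debian-exim \
           -j LOG --log-prefix "SMTP-DIRECT: " --log-uid
"""
import re
from dataclasses import dataclass, field


@dataclass
class SmtpTransaction:
    helo: str = ""
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (recipient, server reply code)


ADDR_RE = re.compile(r"<([^>]*)>")


def _addr(line):
    """Address from 'MAIL FROM: <a@b>' / 'RCPT TO: <c@d>' (angle brackets optional)."""
    m = ADDR_RE.search(line)
    return (m.group(1) if m else line.split(":", 1)[1].strip()).lower()


def parse_smtp_transcript(text):
    """One SmtpTransaction per MAIL FROM from a client/server dialogue as shown by
    Wireshark's Follow TCP Stream; several sessions may be concatenated."""
    txns, cur, helo, pending = [], None, "", None
    for raw in text.splitlines():
        line = raw.strip()
        up = line.upper()
        if up.startswith(("HELO ", "EHLO ")):
            helo = line.split(None, 1)[1]
        elif up.startswith("MAIL FROM:"):
            cur = SmtpTransaction(helo=helo, mail_from=_addr(line))
            txns.append(cur)
            pending = None
        elif up.startswith("RCPT TO:") and cur is not None:
            pending = _addr(line)
            cur.rcpt_to.append(pending)
        elif re.match(r"^\d{3}[ -]", line) and pending is not None:
            if line[0] in "45":  # server refused this recipient (e.g. 550)
                cur.rejected.append((pending, line[:3]))
            pending = None
    return txns


EXIM_IN_RE = re.compile(r"^\S+ \S+ \S+ <= (\S+) ")
EXIM_OUT_RE = re.compile(r"^\S+ \S+ \S+ (?:=>|->|==|\*\*) (\S+) ")


def parse_exim_mainlog(text):
    """Senders Exim accepted ('<=') and recipients it delivered, deferred or
    failed ('=>', '->', '==', '**'); a bounce sender is logged as '<= <>'."""
    senders, recipients = set(), set()
    for line in text.splitlines():
        m = EXIM_IN_RE.match(line)
        if m:
            senders.add(m.group(1).strip("<>").lower())
            continue
        m = EXIM_OUT_RE.match(line)
        if m:
            recipients.add(m.group(1).lower())
    return senders, recipients


def find_mta_bypass(transcript, mainlog):
    """Transactions seen on the wire that Exim neither accepted nor attempted:
    something on (or routed through) the host spoke SMTP directly."""
    senders, recipients = parse_exim_mainlog(mainlog)
    return [t for t in parse_smtp_transcript(transcript)
            if t.mail_from not in senders
            and not any(r in recipients for r in t.rcpt_to)]


def attribute_direct_smtp(kernlog, allowed_uids=frozenset()):
    """Group firewall-logged outbound SMTP SYNs by the local uid that sent them.
    Returns {uid: [destination IPs]} for uids outside allowed_uids; lines without
    a UID field (forwarded, not locally generated) are skipped."""
    by_uid = {}
    for line in kernlog.splitlines():
        f = dict(re.findall(r"\b([A-Z]+)=(\S+)", line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25" or " SYN " not in line:
            continue
        if "UID" in f and int(f["UID"]) not in allowed_uids:
            by_uid.setdefault(int(f["UID"]), []).append(f["DST"])
    return by_uid


# Constructed transcript: the hotmail dialogue from the question, then a session
# that really went through Exim. Constructed mainlog covers only the second one.
WIRE = """220 SNT004-MC4F14.hotmail.com Sending unsolicited commercial or bulk e-mail is prohibited.
HELO srv108.tamainut.net
250 SNT004-MC4F14.hotmail.com (3.22.0.27) Hello [176.31.31.233]
MAIL FROM: <davidiqwq@clayton.com>
250 davidiqwq@clayton.com....Sender OK
RCPT TO: <rdlord@msn.com>
550 Requested action not taken: mailbox unavailable
220 mx.example.org ESMTP
EHLO srv108.tamainut.net
250 mx.example.org
MAIL FROM: <root@srv108.tamainut.net>
250 OK
RCPT TO: <admin@example.org>
250 OK
"""
MAINLOG = """2017-02-17 16:52:10 1cf8kX-0001Vz-2d <= root@srv108.tamainut.net U=root P=local S=612
2017-02-17 16:52:11 1cf8kX-0001Vz-2d => admin@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
"""
# Constructed kernel log lines as written by the LOG rule above (uid 33 = www-data on Debian).
KERNLOG = """Feb 25 13:07:01 srv108 kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=176.31.31.233 DST=74.125.129.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
Feb 25 13:07:05 srv108 kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=176.31.31.233 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=101 GID=103
Feb 25 13:07:06 srv108 kernel: SMTP-DIRECT: IN= OUT=eth0 SRC=176.31.31.233 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4324 DF PROTO=TCP SPT=51237 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
"""

if __name__ == "__main__":
    for t in find_mta_bypass(WIRE, MAINLOG):
        print("not in Exim log:", t.helo, t.mail_from, t.rcpt_to, t.rejected)
    print("direct port-25 connections by uid:", attribute_direct_smtp(KERNLOG, {101}))
```

On a live host, feed find_mta_bypass() the text of Wireshark's "Follow TCP Stream" for each port-25 session in the pcap and the matching window of /var/log/exim4/mainlog; a transaction it returns is exactly the case in the question: envelope on the wire, nothing in the MTA. The uid that attribute_direct_smtp() reports (resolve it with getent passwd) points at the account whose process should then be located with a tool such as ss -tnp or lsof while the connection is open.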

0 Answers