
The IP of my email server has been listed on Spamhaus CBL, which states that the server "attempted to send email without using the HELO/EHLO command", "[which] is generally indicative of a broken email spam infection".

As suggested by the CBL, I first used their HELO check and it replied "The HELO for IP address X.X.X.X was 'example.com' (valid syntax)", which seems to indicate the issue is not a misconfiguration of my email server.

Unfortunately, most of the tools listed on CBL are Windows-only and my server is running Debian.

I ran maldet on the most sensitive directories but it found no hits (it is still running, though). I ran unhide but it found nothing. I ran lynis (ex-rkhunter) and though it gave wise security advice on the server configuration, I don't see anything relevant in its report. I ran ispp_scan and though it claimed to have found a suspect.globals.eval malware-infected file, the IP got listed again after deletion of this file.

I ran netstat -napec and grepped it for ':25' to identify SMTP connections; it showed sporadic TIME_WAIT entries but gave no clue as to how to identify their owning process, or even whether they were legitimate or not. I tried ss -nap as well as iptraf with a filter on outgoing SMTP connections but they weren't more verbose.

How can I identify their parent process?

Finally I ran an lsof -i tcp:25 -P -R loop but it only showed seemingly legitimate exim4 connections.

Could it still be a server misconfiguration? Here is my update-exim4.conf.conf:

dc_eximconfig_configtype='internet'
dc_other_hostnames='[a few domain names]'
dc_local_interfaces='127.0.0.1 ; X.X.X.X ; ::1'
dc_readhost='foobar.example.com'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='foobar.example.com::587'
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'

Since the first event CBL reports occurred on Monday 11th, 01:15:00 UTC, I also searched on the whole system for files newer than 5 days ago, but couldn't find anything suspicious. I don't see any recently uploaded suspicious file under the web servers either.

I tried unlisting my IP hoping for a false positive, but it was relisted a few hours later, and since the CBL only lists incoming connections to their servers, I do not doubt I have to fix something. But what? Am I at least looking in the right direction?

NB: The most sensitive data the server hosts are (literally) a few professional emails, and it is not shared.

Update:

Using tshark I was able to find suspicious MX queries. Checking these queries against exim4 logs, I found that they do correspond to frozen rejection emails of spam addressed to obsolete email addresses.

I doubt it, but could it be that the CBL listed our IP because of such a rejection email ?

  • I guess it might be useful to link to this Q/A for generic guidelines: https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – Skippy le Grand Gourou Jun 12 '18 at 17:16
  • Likely the server has been compromised. It may have happened hours, days or even weeks before the spam started going out. Check your web sites carefully. – Michael Hampton Aug 10 '18 at 15:01
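As an added example (not from the question or its commenters), a POSIX sh script that does what the netstat/ss attempts above could not: it polls ss(8) for connections to remote port 25 and records the owning process and its parent chain from /proc. The ss sample, addresses and pids are constructed, and it assumes iproute2's ss with the -p and -H options.

```shell
#!/bin/sh
# Poll ss(8) for TCP connections whose remote port is 25 and record the
# owning process plus its parent chain from /proc.  TIME_WAIT sockets have
# no owner any more, so a one-shot netstat shows nothing useful; polling
# every second catches the short-lived ESTAB phase.

# Constructed sample of `ss -tnpH` output (pids and addresses made up),
# used only to exercise the parser; the poll loop reads live ss output.
SAMPLE_SS='ESTAB 0 0 192.0.2.10:45678 198.51.100.5:25 users:(("exim4",pid=4242,fd=7))
TIME-WAIT 0 0 192.0.2.10:45680 198.51.100.9:25
ESTAB 0 0 192.0.2.10:33212 203.0.113.7:587 users:(("perl",pid=5151,fd=3))'

# smtp_pids SS_OUTPUT: print "peer pid" for each line whose peer port is 25
# and that still carries process information (field 5 is Peer Address:Port).
smtp_pids() {
    printf '%s\n' "$1" | awk '
        $5 ~ /:25$/ && match($0, /pid=[0-9]+/) {
            print $5, substr($0, RSTART + 4, RLENGTH - 4)
        }'
}

# ancestry PID: walk PPid links in /proc up to init, printing "pid cmdline"
# per level, so a mailer spawned by a web script shows its whole chain.
ancestry() {
    pid=$1
    while [ "$pid" -gt 1 ] && [ -r "/proc/$pid/status" ]; do
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" | cut -c1-80)
        ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")
        printf '%s %s\n' "$pid" "${cmd:-[kernel thread]}"
        pid=$ppid
    done
}

# poll SECONDS: sample ss once a second and log timestamp, peer, owner chain.
poll() {
    end=$(( $(date +%s) + $1 ))
    while [ "$(date +%s)" -lt "$end" ]; do
        smtp_pids "$(ss -tnpH 2>/dev/null)" | while read -r peer pid; do
            printf '%s %s pid=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$peer" "$pid"
            ancestry "$pid" | sed 's/^/    /'
        done
        sleep 1
    done
}

# Run as root so ss can resolve every socket's owner:  sh smtp_watch.sh run 600
if [ "${1:-}" = run ]; then
    poll "${2:-600}"
fi
```

Leave it running across the period when the CBL traps register hits; a chain such as exim4 under a PHP or perl process under the web server is what separates a web-application compromise from legitimate bounce traffic.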

0 Answers