Debian exim4 smtp relay spam


Debian exim4 smtp relay spam

Andreas Westvik
So I'm having an SMTP problem. Someone is trying to use my server as a relay for spam mail.
Now, my host is blocking port 25 for outgoing mail, so it's really not working. But I want to
stop SMTP in exim4.  But I'm not sure how to do this with exim4u.

Here is a forum thread I made in the debian forums.
http://forums.debian.net/viewtopic.php?f=5&t=65526&p=376626#p376626

Anyone know how to do this?

-Andreas
_______________________________________________
users mailing list
[hidden email]
https://exim4u.org/mailman/listinfo/users

Re: Debian exim4 smtp relay spam

gldickens3
Administrator
Hi Andreas,

You need to check your exim logs to see how these emails are arriving on
your server.

Exim4U's stock configuration is NOT an open relay and so, unless you
have modified Exim4U's configuration, then the spam emails are most
probably arriving as having been generated by authenticated user logins.
Unfortunately, this hack is quite common since spammers routinely
conduct dictionary attacks on SMTP and IMAP ports to obtain valid user
authentication credentials.  On most servers, the SMTP and IMAP
authentication credentials typically use the same username/password for
a given user.  When successful, these dictionary attacks will yield user
credentials that can subsequently be used for spamming from your server
whereby the spammer masquerades as a valid authenticating user.

Look at your logs.  For authenticated mail, the originating log entry
should look like this:

2011-05-11 22:10:44 1QKLMS-0000lx-Gp <= [hidden email]
H=(k12-46eb5b203aa) [50.8.80.139] P=esmtpa
A=fixed_login:[hidden email] S=1340
id=CHILKAT-MID-b8da5a7e-6034-b3f6-7b3a-df92b3486c1b@k12-46eb5b203aa
T="Spammer's Subject Title"

Note the "A=fixed_login:" in the above log entry denoting a valid
authenticated user.  In the above example, [hidden email] will be
a valid user on your mail server.  Once you establish whose login
credentials have been compromised then you should change those users'
passwords and your problem will be solved.

The best way to defend against dictionary attacks is to use fail2ban or
similar software for ratelimiting SMTP and IMAP authentication
failures.  I have used fail2ban for quite a while and it is a very
reliable product that does the job well. So, when dictionary attacks do
occur, you can limit the number of attempted logins to a reasonably
small number that typically will not yield any results for the spammer.

If, on the other hand, your logs indicate that the mail is being relayed
then someone has most probably modified the stock Exim4U configuration
file and you need to reverse those modifications. Also, review the
contents of the exim4u_relay_from_hosts file to make sure that you are
not allowing the relays via that file.

FYI,

Gordon





On 06/16/2011 08:53 AM, Andreas Westvik wrote:



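As an added example (not code from the thread or from Exim4U), a small Python script that does the log check Gordon describes: it reads Exim main.log arrival lines, groups them by the A= login id, and flags accounts that submit from many different client addresses. The sample lines and the thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Stock Exim main.log "<=" (message arrival) line. For an authenticated
# submission the A= field reads "<authenticator>:<login id>"; on Exim4U the
# authenticator is named fixed_login, as in Gordon's example above.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$"
)
AUTH_RE = re.compile(r"\bA=(?P<authenticator>[^:\s]+):(?P<user>\S+)")
HOST_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")  # client address after H=(...)

# Constructed sample lines (not from the original post); addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '2011-06-16 08:01:02 1QKLMS-0000lx-Gp <= alice@example.org H=(k12-46eb5b203aa) [198.51.100.10] P=esmtpa A=fixed_login:alice@example.org S=1340 T="Buy now"',
    '2011-06-16 08:01:09 1QKLMT-0000m0-Aa <= alice@example.org H=(win7-pc) [203.0.113.7] P=esmtpa A=fixed_login:alice@example.org S=1402 T="Buy now"',
    '2011-06-16 08:01:15 1QKLMU-0000m2-Bb <= alice@example.org H=(laptop) [192.0.2.44] P=esmtpa A=fixed_login:alice@example.org S=1355 T="Buy now"',
    '2011-06-16 08:05:00 1QKLMV-0000m5-Cc <= bob@example.org H=(home) [192.0.2.9] P=esmtpa A=fixed_login:bob@example.org S=812 T="Lunch?"',
    '2011-06-16 08:06:00 1QKLMW-0000m7-Dd <= <> R=1QKLMV-0000m5-Cc U=Debian-exim P=local S=1900',
    '2011-06-16 08:06:01 1QKLMW-0000m7-Dd => bob@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.1]',
]


def authenticated_submissions(lines):
    """Map each authenticated login id to a Counter of the client IPs it
    submitted from. Unauthenticated arrivals (local bounces, plain port-25
    inbound mail) and non-arrival lines (=>, **, Completed) are skipped."""
    per_user = defaultdict(Counter)
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        auth = AUTH_RE.search(m.group("rest"))
        if not auth:
            continue
        host = HOST_RE.search(m.group("rest"))
        per_user[auth.group("user")][host.group("ip") if host else "unknown"] += 1
    return per_user


def likely_compromised(per_user, min_messages=50, min_distinct_ips=3):
    """Logins that sent many messages from many different client addresses,
    which is how a stolen credential usually looks. Thresholds are
    illustrative defaults, not Exim4U settings; tune them to the site."""
    return sorted(user for user, ips in per_user.items()
                  if sum(ips.values()) >= min_messages and len(ips) >= min_distinct_ips)
```

Feed the script the real log (for example the lines of /var/log/exim4/mainlog) instead of SAMPLE_LOG and lower the thresholds to whatever is normal for the site.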

Re: Debian exim4 smtp relay spam

Andreas Westvik
Thank you very much for your reply!

I did cat mainlog.1 | grep A=fixed and got many hits with my own username. (The same username that got the error mails.)
So I just changed my password on that account.
And I have fail2ban, but I only have a section for dovecot. I can't seem to find one for exim4?

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
# optionally mail notification # mail[name=dovecot-pop3imap, dest=root@domain] # see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/syslog
maxretry = 1
findtime = 1200
bantime = 1200

And I have just tweaked some ratelimiting options in exim4.conf.
Are there any other ratelimiting programs that can be used in Debian?
The exim4u_relay_from_hosts file only mentions 127.0.0.1.

-Andreas

On 16 June 2011 at 18:25, Gordon Dickens wrote:




Re: Debian exim4 smtp relay spam

gldickens3
Administrator
Hi Andreas,

Here is an exim config from one of my /etc/fail2ban/jail.conf server
files on CentOS 5.6:

# GLD - This jail blocks exim authenticated SMTP dictionary attacks - bad username/password
[exim-authentication]
enabled = true
filter = exim-authentication
action = iptables-multiport[name=exim-authentication, port="25,587,2525", protocol=tcp]
logpath = /var/log/exim/main.log
maxretry = 20
findtime = 300
bantime = 900

You had maxretry = 1 in your dovecot config which I think is too low
since you will have legitimate users having to retry from time to time.
Here is a dovecot config from one of my /etc/fail2ban/jail.conf server
files with more realistic values:

# GLD - This jail blocks dovecot IMAP/POP dictionary attacks
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/maillog
maxretry = 20
findtime = 300
bantime = 900

Of course, you should make these values whatever you think is best for
your needs. However, I would not make them so restrictive that they
would adversely impact your legitimate email users.  The only other
thing regarding ratelimiting that I would recommend is to use iptables
to ratelimit ports 20, 21 and 22 (ssh and ftp) to defend against
dictionary attacks there. I ratelimit ssh and ftp to 4 attempts for
every 2 minutes. Something like this (from iptables-save) prior to the
ACCEPT statements for ssh and ftp:

-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --name DEFAULT --rsource -j DROP
-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --name DEFAULT --rsource -j DROP
-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 --name DEFAULT --rsource -j DROP
-A GLD-FIrewall-INPUT -p tcp -m tcp --dport 20 -m state --state NEW -m recent --set --name DEFAULT --rsource

Good luck,

Gordon



On 06/16/2011 01:07 PM, Andreas Westvik wrote:



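As an added example (not the thread's or fail2ban's own code), a Python replay of the maxretry/findtime/bantime semantics of the [exim-authentication] jail above, run against constructed Exim authentication-failure lines. The line format is stock Exim's "authenticator failed" message; the client addresses, the user names and the fixed_login authenticator name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stock Exim main.log line for a rejected SMTP AUTH: authenticator name,
# optional host name, HELO name in parentheses, client IP, then "535 ...".
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r"(?:\S+ )?\(\S*\) \[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: 535 "
)


def ban_decisions(lines, maxretry=20, findtime=300, bantime=900):
    """Ban an IP once it accumulates `maxretry` failures inside a sliding
    `findtime`-second window; ignore it (iptables would drop the packets)
    until `bantime` seconds have passed. Returns a list of (ban_time, ip)."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    banned_until = {}             # ip -> when the current ban expires
    bans = []
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        if ip in banned_until and ts < banned_until[ip]:
            continue              # still banned: the attempt never reached Exim
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


def constructed_sample():
    """Constructed log (not real data): 25 failures in two minutes from one
    address (a dictionary attack) plus three spread-out typos from a user."""
    base = datetime(2011, 6, 16, 12, 0, 0)

    def fail(t, ip, user):
        return (f"{t:%Y-%m-%d %H:%M:%S} fixed_login authenticator failed for "
                f"(x) [{ip}]: 535 Incorrect authentication data (set_id={user})")

    attack = [fail(base + timedelta(seconds=5 * i), "203.0.113.7", f"user{i}") for i in range(25)]
    typos = [fail(base + timedelta(minutes=10 * i), "192.0.2.9", "bob") for i in range(3)]
    return sorted(attack + typos)   # timestamp-first lines sort chronologically
```

With the thread's values the attacker is banned on the 20th attempt (95 seconds in) while the legitimate user's three typos never come close, which is the point Gordon makes about maxretry = 1 being too low.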