Koozali.org: home of the SME Server

Machine sending worm mail from my server, NOT an open relay

mapangojoe

Machine sending worm mail from my server, NOT an open relay
« on: December 08, 2005, 07:31:44 PM »
Hello All.  This morning I started to get a bunch of MAILER-DAEMON returned e-mail errors.  They were all from a non-real user on my network to Chinese sites.  Specifically, they were from one of my domains, user@mydomain.com (spcomputers@spcomputers.com).  Again, this user does not exist.  Below is an example header.

****************************************************
Hi. This is the qmail-send program at mapango.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<joonlove0125@hanmail.net>:
211.43.197.153 does not like recipient.
Remote host said: 550 5.1.1 <joonlove0125@hanmail.net>... Inactive mbox
Giving up on 211.43.197.153.

--- Below this line is a copy of the message.

Return-Path: <spcomputers@spcomputers.com>
Received: (qmail 4915 invoked from network); 8 Dec 2005 12:53:53 -0000
Received: from unknown (HELO fqx.ser.qdekm.com) (61.96.188.159)
  by server.mapango.net (66.225.16.170) with SMTP; 08 Dec 2005 12:53:53 -0000
Message-ID: <SMPYBAAHXJGPRLRXURYHID@IJSSK>
From: "±è±ÔÀ¸"<spcomputers@spcomputers.com>
To: joonlove0125@hanmail.net
Subject: =?ks_c_5601?q?<=B1=A4=B0=ED>=C3=EB=C1=F7=20100%=20=20"=BB=E7=C8=B8=20=BA=B9=C1=F6=BB=E7"=C0=DA=B7=E1=B4=C2=20=B9=AB=B7=E1"=20@oyt553@?=
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-Priority: 5
X-MSMail-Priority: Low
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-type: text/html
****************************************************

I am running SME 6X, fully patched, and rkhunter.  All but one of the PCs in my office run Linux or OS X.  This seems to come from a worm called w32.jubon@mm.  It also seems to originate from a user running Outlook Express, which none of us run.  It could come from someone whom I host, but I'm having trouble finding a way to trace the mail back to the actual sender via the log files.  What is more funky is that we are ALL receiving the MAILER-DAEMON error.

Any ideas, all you gurus out there, or is there a qmail log file that will tell the IP of the machine sending the e-mail?

Chris Curtis

CharlieBrady
Re: Machine sending worm mail from my server, NOT an open re
« Reply #1 on: December 08, 2005, 10:23:50 PM »
Quote from: "mapangojoe"
Hello All.  This morning I started to get a bunch of MAILER-DAEMON, returned Email errors.


That's called backscatter. Google will find you an explanation.

Quote

Any ideas all you guru's out there, or is there a qmail log file that will tell the IP of the machine sending the Email?


You don't need to look in any log file - it's right in the text of the bounce message you've quoted - 66.225.16.170 - which accepted the mail from 61.96.188.159 and tried to relay it.

...
Return-Path: <spcomputers@spcomputers.com>
Received: (qmail 4915 invoked from network); 8 Dec 2005 12:53:53 -0000
Received: from unknown (HELO fqx.ser.qdekm.com) (61.96.188.159)
by server.mapango.net (66.225.16.170) with SMTP; 08 Dec 2005 12:53:53 -0000
Message-ID: <SMPYBAAHXJGPRLRXURYHID@IJSSK>
From: "±è±ÔÀ¸"<spcomputers@spcomputers.com>
...
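
Reading the Received chain the way CharlieBrady does above can be automated. The following is an added example, not code from the thread, SME Server or qmail: it takes the header block of the bounced message (constructed here from the headers quoted in the thread), walks the Received lines oldest-first, finds the hop written by our own MTA, and reports which peer IP and HELO name handed the message to us. OUR_MTA_HOSTS and the 192.168.0.0/24 LAN range are assumptions for the example; the regex only understands the qmail/ucspi-tcp "from X (HELO Y) (ip) by Z" layout and skips other formats.

```python
"""Find where a bounced message entered our MTA, from the headers in the bounce."""
import ipaddress
import re
from email import message_from_string

# Constructed sample: the header block of the bounced message quoted in the
# thread, with the non-ASCII display name dropped (it plays no part here).
BOUNCE_COPY = """\
Return-Path: <spcomputers@spcomputers.com>
Received: (qmail 4915 invoked from network); 8 Dec 2005 12:53:53 -0000
Received: from unknown (HELO fqx.ser.qdekm.com) (61.96.188.159)
  by server.mapango.net (66.225.16.170) with SMTP; 08 Dec 2005 12:53:53 -0000
Message-ID: <SMPYBAAHXJGPRLRXURYHID@IJSSK>
From: <spcomputers@spcomputers.com>
To: joonlove0125@hanmail.net
"""

# Assumptions for the example: which hosts are our MTA, and which address
# ranges count as "inside our network" (the LAN range is hypothetical).
OUR_MTA_HOSTS = {"server.mapango.net", "66.225.16.170"}
OUR_NETWORKS = [ipaddress.ip_network("192.168.0.0/24"),
                ipaddress.ip_network("66.225.16.170/32")]

# qmail/ucspi-tcp style: "from <name> (HELO <helo>) (<ip>) by <host> ..."
# The HELO group is optional so plain "from name (ip) by host" also parses.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]*)\))?"
    r"\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(raw_headers):
    """Received hops as dicts, oldest first; lines in other formats are skipped."""
    msg = message_from_string(raw_headers)
    hops = []
    # Each MTA prepends its Received line, so reversing gives injection order.
    for value in reversed(msg.get_all("Received") or []):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))
        if m:
            hops.append(m.groupdict())
    return hops


def entry_hop(raw_headers):
    """The oldest hop written by one of our hosts, i.e. where we accepted the mail."""
    for hop in parse_received(raw_headers):
        if hop["by"] in OUR_MTA_HOSTS:
            return hop
    return None


def classify(raw_headers):
    """Say whether the bounced message went through us, and from whom we took it."""
    hop = entry_hop(raw_headers)
    if hop is None:
        # No Received line of ours: only the Return-Path was forged, the
        # message itself never touched this server (pure backscatter).
        return {"verdict": "never passed through our MTA: forged Return-Path only"}
    ip = ipaddress.ip_address(hop["ip"])
    inside = any(ip in net for net in OUR_NETWORKS)
    return {
        "verdict": "accepted by our MTA from an internal host" if inside
                   else "accepted by our MTA from an external host",
        "peer_ip": str(ip),
        "helo": hop["helo"],
        "accepted_by": hop["by"],
    }


if __name__ == "__main__":
    for key, value in classify(BOUNCE_COPY).items():
        print(f"{key}: {value}")
```

For the thread's bounce this reports the peer as 61.96.188.159 with HELO fqx.ser.qdekm.com, accepted by server.mapango.net and outside the assumed networks; a bounce whose copied headers carry no Received line from our own host would be classified as having never passed through us at all.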

mapangojoe

Re: Machine sending worm mail from my server, NOT an open re
« Reply #2 on: December 08, 2005, 11:29:29 PM »
You write that:

>66.225.16.170 - which accepted the mail from >61.96.188.159 and tried to relay it.

I am 66.225.16.170, and I have tested it, and it is not an open relay.  So, are you saying that 61.96.188.159 asked me to relay mail?  Normally, when that happens, I get an error saying something about "no in my rcp list" or something like that.  

Is this something coming from my network (I can't see it if it is) or is this spam pretending to be me, and I'm getting the bounced messages?

I did read about backscatter, but I'm still not clear if this is something that came from my network, or like a joe job using my domain?

Please elaborate!

Chris Curtis



...
Return-Path: <spcomputers@spcomputers.com>
Received: (qmail 4915 invoked from network); 8 Dec 2005 12:53:53 -0000
Received: from unknown (HELO fqx.ser.qdekm.com) (61.96.188.159)
by server.mapango.net (66.225.16.170) with SMTP; 08 Dec 2005 12:53:53 -0000
Message-ID: <SMPYBAAHXJGPRLRXURYHID@IJSSK>
From: "±è±ÔÀ¸"<spcomputers@spcomputers.com>
...

mapangojoe

I don't like what I'm reading, referring to Qmail backscatter
« Reply #3 on: December 09, 2005, 12:22:51 AM »
I took the advice of the kind responder and have been spending all day reading about Qmail and backscatter.  

From what I read this DOES NOT look good for SME and Qmail.  Post after post on the net reads "qmail is old, outdated and lame" in reference to backscatter.  I did not see any solution to my SME/Qmail backscatter problem.  Most posts suggested replacing qmail with exim/postfix or some other "modern" MTA.  

I'm hoping someone here can post an actual solution for someone running SME.  If not, this will be an ongoing and worsening problem for SME users, because this is a problem for anyone running Qmail.

thethinman

Machine sending worm mail from my server, NOT an open relay
« Reply #4 on: December 09, 2005, 02:21:30 AM »
I could be wrong but doesn't the "double bounce how to" take care of this problem?

CharlieBrady
Re: I don't like what I'm reading, referring to Qmail backsca
« Reply #5 on: December 09, 2005, 03:09:06 AM »
Quote from: "mapangojoe"

From what I read this DOES NOT look good for SME and Qmail.  Post after post on the net reads "qmail is old, outdated and lame" in reference to backscatter.  I did not see any solution to my SME/Qmail backscatter problem.  Most posts suggested replacing qmail with exim/postfix or some other "modern" MTA.  


The issues with qmail and backscatter all relate to the lack of filtering capabilities in qmail-smtpd. But SME server hasn't used qmail-smtpd since early 2002!

There is little you can do to prevent backscatter from other sites being sent to your users. That's what you are complaining about here.

You can do something to prevent your site from sending backscatter to other sites. To do that you need to accept only mail which you are going to deliver to legitimate users' mailboxes. For versions 6.x, you'll need a variety of contribs to do that. For 7.0 (currently in beta) all required measures (recipient checking, virus and spam detection) are built in.

CharlieBrady
Machine sending worm mail from my server, NOT an open relay
« Reply #6 on: December 09, 2005, 03:11:17 AM »
Quote from: "thethinman"
I could be wrong but doesn't the "double bounce how to" take care of this problem?


That will only take care of undeliverable bounces ending up in the admin mailbox. This is a deliverable bounce, but it's to an innocent party, not to the real sender of the original message.

alejandro

Re: I don't like what I'm reading, referring to Qmail backsca
« Reply #7 on: December 09, 2005, 03:19:49 AM »
Quote from: "mapangojoe"
.......
From what I read this DOES NOT look good for SME and Qmail.  Post after post on the net reads "qmail is old, outdated and lame" in reference to backscatter.  I did not see any solution to my SME/Qmail backscatter problem.  Most posts suggested replacing qmail with exim/postfix or some other "modern" MTA.  

I'm hoping someone here can post an actual solution for someone running SME.  If not, this will be an ongoing and worsening problem for SME users, because this is a problem for anyone running Qmail.


Allow me to disagree with this.
You could try to fix backscatter issue...
(from http://blog.centresource.com/2005/05/03/backscatter/ )

 "by simply configuring your mailserver to reject mail for unknown users right off the bat at the SMTP “RCPT TO” command, rather than accepting, queueing and generating NDRs. Any modern mailserver (as well as qmail and sendmail) will let you configure it in this way, and there’s an excellent list of resources for doing this on many mailservers that you can find here: http://spamlinks.net/prevent-secure-backscatter.htm#reject."
Where you'll find this:

goodrcptto - www.chater.demon.co.uk/qmail/
LDAP with qmail - www.lifewithqmail.org/ldap/
bad-rcpt-noisy-patch - www.iecc.com/bad-rcpt-noisy-patch.txt
qmail-realrcptto - code.dogmap.org./qmail/
Spamming for Qmail - postmaster.gtcs.com/QMailSpammers.php
Recipient checking - http.netdevice.com:9080/qmail/rcptck/
of course any modifications should be done through the custom templates procedure
Hope this can help.
regards

raem
Re: I don't like what I'm reading, referring to Qmail backsca
« Reply #8 on: December 09, 2005, 12:51:50 PM »
> They all were from a non real user on my network to chineese sites...

> configuring your mailserver to reject mail for
> unknown users right off the bat at the SMTP “RCPT TO” command

The free dungog mailblocking contrib (by default) will reject all mail sent to invalid users (no need to configure anything just install it).
...
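
The point alejandro and raem make above, rejecting at RCPT TO instead of accepting and bouncing, is easiest to see as an MTA policy decision with its consequences spelled out. The following is an added example, not SME Server, qmail or dungog-mailblocking code: it models one RCPT TO decision for a non-open relay under three policies for local addresses that do not exist (reject at RCPT time; accept and return to sender; accept and deliver to admin) and reports who would later receive a bounce from us. LOCAL_DOMAINS, LOCAL_USERS, ADMIN and the sample envelope are constructed for the example.

```python
"""Model an MTA's RCPT TO decision and what each policy does to backscatter."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed for the example: domains we are final destination for,
# the mailboxes that really exist in them, and the admin mailbox.
LOCAL_DOMAINS = {"spcomputers.com", "mapango.net"}
LOCAL_USERS = {"chris@spcomputers.com", "admin@mapango.net"}
ADMIN = "admin@mapango.net"


@dataclass
class Session:
    peer_ip: str
    mail_from: str              # envelope sender; becomes the Return-Path
    authenticated: bool = False


@dataclass
class Outcome:
    rcpt: str
    reply: str                  # SMTP reply sent at RCPT TO time
    deliver_to: Optional[str]   # mailbox the message is queued for, if any
    dsn_to: Optional[str]       # address we would later bounce to, if any


def rcpt_to(session: Session, rcpt: str, unknown_users: str = "reject") -> Outcome:
    """Decide one RCPT TO.

    unknown_users is the policy for local addresses that do not exist:
      'reject'           -> 550 during the session; nothing queued, no DSN from us
      'return_to_sender' -> accept, fail later, bounce to the envelope sender
      'deliver_to_admin' -> accept and deliver to the admin mailbox
    """
    domain = rcpt.rpartition("@")[2].lower()
    if domain not in LOCAL_DOMAINS:
        # Relay request: only authenticated clients may reach other domains.
        if session.authenticated:
            return Outcome(rcpt, "250 2.1.5 ok", rcpt, None)
        return Outcome(rcpt, "553 5.7.1 relaying denied", None, None)
    if rcpt.lower() in LOCAL_USERS:
        return Outcome(rcpt, "250 2.1.5 ok", rcpt, None)
    if unknown_users == "reject":
        # The peer gets the 5xx while still connected. If it forged MAIL FROM,
        # any bounce it chooses to generate is its problem; we queued nothing.
        return Outcome(rcpt, "550 5.1.1 no such user", None, None)
    if unknown_users == "deliver_to_admin":
        return Outcome(rcpt, "250 2.1.5 ok", ADMIN, None)
    if unknown_users == "return_to_sender":
        # Accepted now, fails later; the DSN goes to whoever MAIL FROM named,
        # which for worm/spam mail is usually an innocent third party.
        # A null sender (MAIL FROM:<>) never gets a DSN.
        return Outcome(rcpt, "250 2.1.5 ok", None, session.mail_from or None)
    raise ValueError(f"unknown policy {unknown_users!r}")


def transaction(session: Session, rcpts: List[str],
                unknown_users: str = "reject") -> List[Outcome]:
    """Run every RCPT TO of one envelope through the policy."""
    return [rcpt_to(session, r, unknown_users) for r in rcpts]


def backscatter_targets(outcomes: List[Outcome]) -> List[str]:
    """Addresses that would receive a DSN from us for this envelope."""
    return sorted({o.dsn_to for o in outcomes if o.dsn_to})


if __name__ == "__main__":
    # Envelope modelled on the thread: forged sender in a domain we host,
    # arriving from an external, unauthenticated peer.
    worm = Session(peer_ip="61.96.188.159", mail_from="spcomputers@spcomputers.com")
    rcpts = ["nobody@spcomputers.com", "joonlove0125@hanmail.net"]
    for policy in ("return_to_sender", "deliver_to_admin", "reject"):
        outs = transaction(worm, rcpts, policy)
        print(policy, [o.reply for o in outs], "DSN to:", backscatter_targets(outs))
```

Under "return_to_sender" the non-existent local recipient is accepted with 250 and the forged sender spcomputers@spcomputers.com later receives the bounce, which is exactly the backscatter the thread is about; under "reject" the same RCPT TO gets 550 and no bounce is ever generated by us. In every mode the hanmail.net recipient is refused with 553 because the peer is not authenticated, which is the "not an open relay" property and is independent of the unknown-user policy.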

thethinman

Machine sending worm mail from my server, NOT an open relay
« Reply #9 on: December 09, 2005, 05:58:41 PM »
Quote from: "CharlieBrady"
Quote from: "thethinman"
I could be wrong but doesn't the "double bounce how to" take care of this problem?


That will only take care of undeliverable bounces ending up in the admin mailbox. This is a deliverable bounce, but it's to an innocent party, not to the real sender of the original message.


Sorry, my bad.

mapangojoe

Machine sending worm mail from my server, NOT an open relay
« Reply #10 on: December 10, 2005, 01:26:10 AM »
Hello All.  And thanks to all who replied and offered assistance.  I have the dungog mail-block RPM installed, but that did not help.  It could be that I have not configured it correctly.

My solution (if you can call it that) was to create an iptables rule to block the IP of the server my server was trying to reply to.  This has worked for now, even though it is a completely inelegant solution.

Thanks again for your replies!

Have a great weekend.

Chris Curtis

CharlieBrady
Re: Machine sending worm mail from my server, NOT an open re
« Reply #11 on: December 10, 2005, 05:23:08 PM »
Quote from: "mapangojoe"

My solution (if you can call it that) was to create an iptables rule to block the IP of the server my server was trying to reply to.  This has worked for now, even though it is a completely inelegant solution.


It's not really a solution. You'll still receive those bounce messages - but in a week's time, not immediately.

You'd be much better off to change your doublebounce configuration. And better again to get inbound mail filtering correctly configured. (In fact, it is possible that it is already correctly configured, and you are just seeing doublebounces from messages which have been stuck in your queue for a while).

nate
Is this still true?
« Reply #12 on: February 15, 2006, 01:45:28 AM »
Quote
The free dungog mailblocking contrib (by default) will reject all mail sent to invalid users (no need to configure anything just install it).

 
Is there a way around this?

Jan 3, 2005 - Commented out dungog-mailblocking - it must be disabled to allow the fetchmail pop3 contrib to work...
....Making the Jump to 7.x   8-)

GPete
Machine sending worm mail from my server, NOT an open relay
« Reply #13 on: September 30, 2006, 12:36:19 PM »
I'm getting bounce traffic from all over the world and the mail log indicates a spike in messages. I assume that confirms that my server has been used as a relay for spamming.

These are the settings from my server.  Are there any changes I can make to prevent relays?

E-mail settings
POP3 server access    Allow private
IMAP server access    Allow private
Webmail access    Allow HTTPS (secure)

Virus scanning    Enabled
Spam filtering    Enabled
Executable content blocking    Enabled

E-mail retrieval mode    Standard (SMTP)
SMTP authentication    Allow SSMTP (secure)


Forwarding address for administrative notices “me”@yahoo.com
E-mail to unknown users    Send to “me”
Address of internal mail server    
Address of Internet provider's mail server

raem
Machine sending worm mail from my server, NOT an open relay
« Reply #14 on: September 30, 2006, 01:35:06 PM »
GPete

> I'm getting bounce traffic from all over the world ...
> I assume that confirms that my server has been used as a relay..

Probably a wrong assumption.
Someone (or a virus) is sending spam or virus infected messages to invalid addresses on other peoples servers, and using your return email address.
The other servers send the undeliverable message to you or valid users on your server, or even invalid users on your server.

These "undeliverable message" messages are what you are now receiving lots of.


> E-mail to unknown users    Send to “me”

I'd change that to Return to sender and then you won't be bothered by that rubbish.
You then will probably receive a fair bit of doublebounce messages, see below.
I assume you are using sme6 without mailblocking installed, as sme7 will reject messages to invalid addresses.
On sme6 you can install the dungog mailblocking contrib which will reject all messages sent to invalid addresses, by default, and also install the dungog doublebounce contrib.

Better still upgrade to sme7 if you are not using that.
...