Koozali.org formerly Contribs.org

9.2 gateway mode: block possible smtp spam-bot virus

9.2 gateway mode: block possible smtp spam-bot virus
« on: June 27, 2019, 07:09:31 PM »
Hello!

A friend has got a sme 9.2 operating in gateway mode. His network is comprised of some 10 devices (PCs, NVRs etc) on the same switch with the WAN side of the SME server. On the LAN side there are also a number of computers.

His domain got blacklisting and asked me for help. It seems that there is SMTP spam being sent from somewhere. On SME web admin, SMTP proxy is set to "Blocked". Does this mean that all traffic originating from the LAN and heading to port 25 on some internet server is blocked?

In any case, I've modified the router setup to allow outgoing TCP to port 25 only for the SME address and immediately afterwards I'm blockin any traffic to TCP/25, logging any filter hits of the latter rule.

If SME is indeed blocking all outgoing SMTP access from its own LAN, is there something else I could check?

EDIT: Which is the correct log to check for SMTP traffic originating from the SME box itself?
« Last Edit: June 27, 2019, 07:48:15 PM by Michail Pappas »

Re: 9.2 gateway mode: block possible smtp spam-bot virus
« Reply #1 on: June 27, 2019, 09:34:19 PM »
Looking around in /var/log/qmail (IIRC), I was found out that there was a Joomla site on SME itself, having a contact form, which was definitely used to spam both the site owner as well as other mail domains.

I've removed that functionality, however after emailing a helpful lad on the CBL block list, he informed me that the problem was that many HELO/EHLO SMTP commands were send with different domains each time (whereas only the single/legit domain should be sent). If this is the case, I'm afraid that disabling the Joomla form is not the end of the story here...

Offline mmccarn

  • *
  • 2,447
Re: 9.2 gateway mode: block possible smtp spam-bot virus
« Reply #2 on: June 28, 2019, 05:33:18 AM »
Here is a wiki page with notes on digging things out of the qpsmtpd (inbound) & qmail (outbound) logs:
https://wiki.contribs.org/Mail_log_file_analysis

Here are some other possibly unhelpful ideas...

RelayRequiresAuth
With the SMTP proxy set to BLOCK, systems on the LAN should not be able to talk to off-site servers on port 25 or 465, but the SME will relay mail for an infected system on the LAN if qpsmtpd does not have 'RelayRequiresAuth' enabled.

Check using:
Code: [Select]
config getprop qpsmtpd RelayRequiresAuth
Enable it (if it is not enabled) using:
Code: [Select]
config set qpsmtpd RelayRequiresAuth enabled
signal-event email-update

Local Networks
There used to be advice floating around on the forums to configure "0.0.0.0/0" as a "local network" in server-manager to allow remote administration - if this is done, then the whole world is on the "LAN" as far as the SME is concerned.

Check the 'local network' setup in server-manager or at the command line to make sure it looks reasonable.
Code: [Select]
db networks show
Compromised System on WAN segment
If any of the systems on the WAN network are accessible from the Internet they could also be leveraged to relay email through the accessible system to the WAN port of the SME and from there out to the world.




Re: 9.2 gateway mode: block possible smtp spam-bot virus
« Reply #3 on: June 28, 2019, 06:43:18 AM »
Here is a wiki page with notes on digging things out of the qpsmtpd (inbound) & qmail (outbound) logs:
https://wiki.contribs.org/Mail_log_file_analysis
I'll check into that, thanks!

Quote
Here are some other possibly unhelpful ideas...

RelayRequiresAuth
With the SMTP proxy set to BLOCK, systems on the LAN should not be able to talk to off-site servers on port 25 or 465, but the SME will relay mail for an infected system on the LAN if qpsmtpd does not have 'RelayRequiresAuth' enabled.

Check using:
Code: [Select]
config getprop qpsmtpd RelayRequiresAuth
Enable it (if it is not enabled) using:
Code: [Select]
config set qpsmtpd RelayRequiresAuth enabled
signal-event email-update

Local Networks
There used to be advice floating around on the forums to configure "0.0.0.0/0" as a "local network" in server-manager to allow remote administration - if this is done, then the whole world is on the "LAN" as far as the SME is concerned.

Check the 'local network' setup in server-manager or at the command line to make sure it looks reasonable.
Code: [Select]
db networks show
Thanks for these too. I've checked the settings and they look ok.

Quote
Compromised System on WAN segment
If any of the systems on the WAN network are accessible from the Internet they could also be leveraged to relay email through the accessible system to the WAN port of the SME and from there out to the world.
I do hope this is the case here, I guess my router firewall filter hits will show if this is the case. BTW, are you aware whether spam bots exist that utilize Tor, or some form of non-SMTP proxy to deliver to SMTP? Because if that is the case, I don't believe I'll see anything.

Really wish my friend had a switch with a mirroring port...
« Last Edit: June 28, 2019, 06:45:50 AM by Michail Pappas »

Offline ReetP

  • *
  • 2,146
Re: 9.2 gateway mode: block possible smtp spam-bot virus
« Reply #4 on: June 28, 2019, 09:44:52 AM »
Depending on what they have managed to install they can run their own mail server.

Saw them add their own mailing list server once. It did all the sending itself.....

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: 9.2 gateway mode: block possible smtp spam-bot virus
« Reply #5 on: June 28, 2019, 10:25:39 AM »
After 12 hours I've not noticed anything strange on the router/firewall, which is definitely good news. I'll monitor things for the next 10 days, hoping for the best. Thx guys!

Offline Jean-Philippe Pialasse

  • *
  • 1,362
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: 9.2 gateway mode: block possible smtp spam-bot virus
« Reply #6 on: July 12, 2019, 06:51:20 PM »
Pay attention to the fact that services installed on the SME itself might contact directly qmail isntead of qpsmtpd


This is thr default for php running on apache.
I have written a little contrib available in sme contribs that includes a wrapper to use qpsmtpd for all php versions.

This helps in filtering and also to add dkim signatures.