Koozali.org formerly Contribs.org

My mail Server is Sending a lot of spam mail

Offline Mar

My mail Server is Sending a lot of spam mail
« on: August 17, 2019, 05:02:10 PM »
Dear Experts,
I got a notification from my mail server that it is sending a lot mails when I log in to SME 9 admin from the reports I got the result below:
messages in queue: 19773
messages in queue but not yet preprocessed: 0
First: How can I solve this issue I mean stop sending these mails
Second: the is the reason behind that.
Regards
Mhd

Offline ReetP

  • *
  • 3,124
Re: My mail Server is Sending a lot of spam mail
« Reply #1 on: August 17, 2019, 06:06:07 PM »
Without knowing much about your server I'd say you had been hacked.

I suggest taking it off line immediately to assess the damage.

You need to tell us more about your server.

Do you run software like Joomla or Wordpress?

Do you use passwords for ssh access or just keys?

You can install qmHandle to remove existing mails, but if you are online they will just keep sending so you have to close the door to them.

I think if you go to server-manager and look at the bottom left you can do 'create bug report'

Please paste it here or pastebin or a githib gist.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

  • *
  • 1,994
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: My mail Server is Sending a lot of spam mail
« Reply #2 on: September 06, 2019, 10:56:06 PM »
Or alternatively    a local computer has been infected and send spam.

One way to say is to use smeserver-qmhandle to read a few of the mail and see from the header if it is from the lan or a hacked webapp.

Offline Mar

Re: My mail Server is Sending a lot of spam mail
« Reply #3 on: September 16, 2019, 01:46:01 PM »
Mostly this is the case

Offline Jean-Philippe Pialasse

  • *
  • 1,994
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: My mail Server is Sending a lot of spam mail
« Reply #4 on: September 17, 2019, 12:30:22 AM »
Also qmhandle with the command line allow you to flush mails using a regex.


So you can flush the hudred similar spams while saving important mail. 

Indee you still have to find the source an fix it.

Offline Mar

Re: My mail Server is Sending a lot of spam mail
« Reply #5 on: September 17, 2019, 12:50:31 PM »
Actually, I  found the problem reason after one hour of its starting. it was from one of the accounts.
It causes some harmful affects which took more time to fix them.
Thank you guys.
« Last Edit: September 17, 2019, 01:41:06 PM by M_aboush »

Re: My mail Server is Sending a lot of spam mail
« Reply #6 on: October 15, 2019, 11:21:49 PM »
Hi Guys,
   The bad guys must be working hard. The same thing happened to me. two mail accounts were hacked. I see in the logs they are still trying. It seems to be distributed to avoid being blocked by fail2ban.

grep  ' authentication failure for: '  /var/log/sqpsmtpd/current -A 1 |tai64nlocal
will give you
2019-10-15 14:04:53.452552500 5980 (auth-plain) auth::auth_cvm_unix_local: fail: authentication failure for: user
2019-10-15 14:04:53.452909500 5980 (deny) logging::logterse: ` 70.52.119.168
And the effenders IP address, wich is always changing. My guess is there are inected (bot)machines on the other networks.
I changed E-mail settings - IMAP server access - to local, But I still see ' authentication failure for: '  /var/log/sqpsmtpd/current from outside IP Addresses.
Am I missing something ? Is sqpsmtpd the comunication on port 465 ?



 

Offline Jean-Philippe Pialasse

  • *
  • 1,994
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: My mail Server is Sending a lot of spam mail
« Reply #7 on: October 16, 2019, 05:32:40 PM »
Catton,

Imap is a thing, qpsmtpd another


You can play with fail2ban setting to increase delay of search. Mostly these distributed attack will play on few ips and try again with the same after a while. Increasing the delay will allow to catch them all.

Check all your passwords for weak ones or compromised against online db.

Xt_geoip can help a little with some attacks. I have found usefull to limit access to imap, sqpsmtpd,  ssh to only regions i have actual users.

Of course smtp port 25 is another story as you do not want to prevent half of the world to send you email, or maybe you do....

Offline ReetP

  • *
  • 3,124
Re: My mail Server is Sending a lot of spam mail
« Reply #8 on: October 16, 2019, 06:18:13 PM »
I found blocking countries I never deal with helped most.

If you run geoip across your mail you can see the worst offenders and blick them.

Eg

RU RO CN

I'd love to block US too....
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: My mail Server is Sending a lot of spam mail
« Reply #9 on: October 16, 2019, 08:51:27 PM »
Jean-Philippe,
 Thank you - I will set Findtime and Bantime higher in fail2ban and see if it catches more IPs.
   Does setting E-mail settings - IMAP server access - to local - block port 465 to the external world/interface ?
I also use Xt_geoip and 40DenyRiffRaff to block much of the world.
Here is what yesterdays attack looked like:


grep  ' authentication failure for: '  /var/log/sqpsmtpd/current -A 1 |tai64nlocal |grep ' ` '| awk '{ print $7 }'|sort|sort -u| grep  ' authentication failure for: '  /var/log/sqpsmtpd/current -A 1 |tai64nlocal |grep ' ` '| awk '{ print $7 }'|sort|sort -u| xargs -n 1 geoiplookup { } | grep ' Country Edition' | sort | uniq -c | sort

    176 GeoIP Country Edition: US, United States
      2 GeoIP Country Edition: IP Address not found
     30 GeoIP Country Edition: CA, Canada
So  IPs from US and Canada and no one else.

Offline Jean-Philippe Pialasse

  • *
  • 1,994
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: My mail Server is Sending a lot of spam mail
« Reply #10 on: October 17, 2019, 05:18:39 AM »
Jean-Philippe,
 Thank you - I will set Findtime and Bantime higher in fail2ban and see if it catches more IPs.
   Does setting E-mail settings - IMAP server access - to local - block port 465 to the external world/interface ?


the change on IMAP will do nothing on your /var/log/sqpsmtpd/current logged attack on port 465, it will only only on  the IMAP service logged there /var/log/dovecot/current

do you have any user using email outside of your lan ?

if you want to remove those attacks totally, you have to disable authentication on port 465 and on port 25 for public.

the panel only allow you to:
- disable auth completely for smtp (25) and smtps (465) both on public and private side (internet and lan)
- allow auth on both on public and private sides
- allow auth only on port 465 on public and private side

Code: [Select]
config setprop sqpsmtpd access private
config setprop qpsmtpd Authentication disabled
signal-event email-update
while I do not recommend, will prevent auth from outside by closing port 465 and removing auth from port 25 while leaving auth on port 465 from lan and incoming email from internet on port 25.

then if you want to limit other password bruteforce, disable pop and imaps from public (internet) and do not allow webmail from public (internet)
of course you will isolate your users who want to access emails when away from the lan...

so the best answer would be strong passwords, and better fail2ban rules

grep  ' authentication failure for: '  /var/log/sqpsmtpd/current -A 1 |tai64nlocal |grep ' ` '| awk '{ print $7 }'|sort|sort -u| grep  ' authentication failure for: '  /var/log/sqpsmtpd/current -A 1 |tai64nlocal |grep ' ` '| awk '{ print $7 }'|sort|sort -u| xargs -n 1 geoiplookup { } | grep ' Country Edition' | sort | uniq -c | sort

    176 GeoIP Country Edition: US, United States
      2 GeoIP Country Edition: IP Address not found
     30 GeoIP Country Edition: CA, Canada
So  IPs from US and Canada and no one else.
you should move to  geoip2 db, geoip were only 80% accurate in april 2018 and were not updated since.
it is probable that your results are not accurate


here is a little script to allow touse the new mmdblookup like we were used to with geoiplookup

you need to install  libmaxminddb-devel from epel

Code: [Select]
cat bin/geoiplook
#!/bin/bash
for var in "$@"
do
/usr/bin/mmdblookup --file /usr/share/GeoIP/GeoLite2-Country.mmdb --ip $1 country iso_code |cut -d\" -f2|  tr -d '\n'
echo ""
done