Koozali.org: home of the SME Server

Unknown mail connection

Offline kryptos

Unknown mail connection
« on: September 05, 2021, 07:09:01 PM »
Hello,
Good Day!

I'm a little bit confused: when checking the sqpsmtpd logs I see a couple of emails coming from unknown addresses, sent to unknown email addresses. I know this is not from our users, based on the logs. How was it able to use our server to send emails? Please see the attached screenshots; the unknown emails I labeled with a number. We have bcc enabled, which is the redacted item on the screenshots.

I have server-only settings. I just don't know where to trace further. I'd be glad for your help on this.


Best Regards,
Rocel

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Unknown mail connection
« Reply #1 on: September 06, 2021, 02:53:52 AM »
Pretty frequent: spammers try all the ways they can to get in. Fake from, trying the most frequent names as dest email.

Your server is doing what it is supposed to do: refuse them, except that with the bcc you get a copy …

Offline kryptos

Re: Unknown mail connection
« Reply #2 on: September 06, 2021, 03:52:05 AM »
Quote
Pretty frequent: spammers try all the ways they can to get in. Fake from, trying the most frequent names as dest email.

Your server is doing what it is supposed to do: refuse them, except that with the bcc you get a copy …

Thanks, I thought it was successfully sent to those emails since I don't see any reject in the logs. Is the sqpsmtpd transaction also used for accepting incoming email, and not a connection for authenticated users only? I was only expecting incoming mail to be in qpsmtpd, not sqpsmtpd; correct me if I'm wrong about the assumptions, I am not very expert or knowledgeable about this.

Thanks again!

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Unknown mail connection
« Reply #3 on: September 06, 2021, 06:16:48 AM »
Sorry, looked too fast.

This is sqpsmtpd and yes, they were accepted. The key line is the logterse plugin line, which presents a résumé of the transaction with either queued or denied.

Here the difficulty is that you show at least 3 ongoing transactions without giving access to the first line of the three transactions, so it is hard to say who authenticated and from where, but this should be available in the log.

Offline kryptos

Re: Unknown mail connection
« Reply #4 on: September 06, 2021, 12:30:31 PM »
Quote
Sorry, looked too fast.

This is sqpsmtpd and yes, they were accepted. The key line is the logterse plugin line, which presents a résumé of the transaction with either queued or denied.

Here the difficulty is that you show at least 3 ongoing transactions without giving access to the first line of the three transactions, so it is hard to say who authenticated and from where, but this should be available in the log.

Here is one transaction. I tried to double-check, but it seems I can't find any clues about which auth it uses. This transaction is unusual; it seems very long and keeps on repeating, so I just cut it.

================================
2021-09-03 11:33:15.774023500 26404 dispatching RSET
2021-09-03 11:33:15.774504500 26404 250 OK
2021-09-03 11:33:16.021346500 26404 dispatching MAIL FROM:<COVID-19@doh.gov.ph>
2021-09-03 11:33:16.023201500 26404 (mail) badmailfrom: skip, relay client
2021-09-03 11:33:16.023290500 26404 250 <COVID-19@doh.gov.ph>, sender OK - how exciting to get mail from you!
2021-09-03 11:33:16.270225500 26404 dispatching RCPT TO:<raocampo@iee.com.ph>
2021-09-03 11:33:16.271438500 26404 (rcpt) badrcptto: skip, relay client
2021-09-03 11:33:16.271717500 26404 (rcpt) rcpt_ok: skip, relay client
2021-09-03 11:33:16.271974500 26404 250 <raocampo@iee.com.ph>, recipient ok
2021-09-03 11:33:16.532089500 26404 dispatching DATA
2021-09-03 11:33:16.532265500 26404 354 go ahead
2021-09-03 11:33:16.779655500 26404 spooling message to disk
2021-09-03 11:33:23.371131500 26404 (data_post_headers) dkim: skip, DKIM not configured for doh.gov.ph
2021-09-03 11:33:23.373008500 26404 (data_post) bogus_bounce: pass, not a null sender
2021-09-03 11:33:23.373311500 26404 (data_post) bcc: message copied to maillog@hmydomainxx.ph
2021-09-03 11:33:23.373576500 26404 (data_post) headers: skip, relay client
2021-09-03 11:33:23.424174500 26404 FATAL PLUGIN ERROR [tnef2mime]:  Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 184.
2021-09-03 11:33:23.469639500 26404 (data_post) virus::clamdscan: pass, clean
2021-09-03 11:33:23.470627500 26404 (queue) logging::logterse: ` 79.134.225.92   Unknown   [79.134.225.92]   <COVID-19@doh.gov.ph>   <raocampo@iee.com.ph>,<maillog@hmydomainxx.ph>   queued      <20210903113315.21BD56CFE312EAA5@doh.gov.ph>   
2021-09-03 11:33:23.474793500 27245 (queue) queue::qmail_2dqueue: (for 26404) Queuing to /var/qmail/bin/qmail-queue
2021-09-03 11:33:23.547619500 26404 250 Queued! 1630640003 qp 27245 <20210903113315.21BD56CFE312EAA5@doh.gov.ph>
2021-09-03 11:33:23.880136500 26404 dispatching RSET
2021-09-03 11:33:23.880290500 26404 250 OK
2021-09-03 11:33:24.126096500 26404 dispatching MAIL FROM:<COVID-19@doh.gov.ph>
2021-09-03 11:33:24.126728500 26404 (mail) badmailfrom: skip, relay client
2021-09-03 11:33:24.126824500 26404 250 <COVID-19@doh.gov.ph>, sender OK - how exciting to get mail from you!
2021-09-03 11:33:24.374310500 26404 dispatching RCPT TO:<ampizarroph@yahoo.com>
2021-09-03 11:33:24.375415500 26404 (rcpt) badrcptto: skip, relay client
2021-09-03 11:33:24.375706500 26404 (rcpt) rcpt_ok: skip, relay client
2021-09-03 11:33:24.375957500 26404 250 <ampizarroph@yahoo.com>, recipient ok
2021-09-03 11:33:24.623347500 26404 dispatching DATA
2021-09-03 11:33:24.623856500 26404 354 go ahead
2021-09-03 11:33:24.870943500 26404 spooling message to disk
2021-09-03 11:33:31.743482500 26404 (data_post_headers) dkim: skip, DKIM not configured for doh.gov.ph
2021-09-03 11:33:31.745351500 26404 (data_post) bogus_bounce: pass, not a null sender
2021-09-03 11:33:31.745704500 26404 (data_post) bcc: message copied to maillog@hmydomainxx.ph
2021-09-03 11:33:31.746013500 26404 (data_post) headers: skip, relay client
2021-09-03 11:33:31.794989500 26404 FATAL PLUGIN ERROR [tnef2mime]:  Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 184.
2021-09-03 11:33:31.841968500 26404 (data_post) virus::clamdscan: pass, clean
2021-09-03 11:33:31.842806500 26404 (queue) logging::logterse: ` 79.134.225.92   Unknown   [79.134.225.92]   <COVID-19@doh.gov.ph>   <ampizarroph@yahoo.com>,<maillog@hmydomainxx.ph>   queued      <20210903113323.8C7092B8DD0D0EDE@doh.gov.ph>   
2021-09-03 11:33:31.846495500 27297 (queue) queue::qmail_2dqueue: (for 26404) Queuing to /var/qmail/bin/qmail-queue
2021-09-03 11:33:31.921711500 26404 250 Queued! 1630640011 qp 27297 <20210903113323.8C7092B8DD0D0EDE@doh.gov.ph>
2021-09-03 11:33:32.213427500 26404 dispatching RSET
2021-09-03 11:33:32.213860500 26404 250 OK
2021-09-03 11:33:32.460234500 26404 dispatching MAIL FROM:<COVID-19@doh.gov.ph>
2021-09-03 11:33:32.462340500 26404 (mail) badmailfrom: skip, relay client
2021-09-03 11:33:32.462343500 26404 250 <COVID-19@doh.gov.ph>, sender OK - how exciting to get mail from you!
2021-09-03 11:33:32.730413500 26404 dispatching RCPT TO:<madier@viva.com.ph>
2021-09-03 11:33:32.731521500 26404 (rcpt) badrcptto: skip, relay client
2021-09-03 11:33:32.731775500 26404 (rcpt) rcpt_ok: skip, relay client
2021-09-03 11:33:32.732025500 26404 250 <madier@viva.com.ph>, recipient ok
2021-09-03 11:33:32.978931500 26404 dispatching DATA
2021-09-03 11:33:32.979578500 26404 354 go ahead
2021-09-03 11:33:33.227889500 26404 spooling message to disk
2021-09-03 11:33:40.194938500 26404 (data_post_headers) dkim: skip, DKIM not configured for doh.gov.ph
2021-09-03 11:33:40.196917500 26404 (data_post) bogus_bounce: pass, not a null sender
2021-09-03 11:33:40.197293500 26404 (data_post) bcc: message copied to maillog@hmydomainxx.ph
2021-09-03 11:33:40.197523500 26404 (data_post) headers: skip, relay client
2021-09-03 11:33:40.242894500 26404 FATAL PLUGIN ERROR [tnef2mime]:  Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 184.
2021-09-03 11:33:40.286724500 26404 (data_post) virus::clamdscan: pass, clean
2021-09-03 11:33:40.287624500 26404 (queue) logging::logterse: ` 79.134.225.92   Unknown   [79.134.225.92]   <COVID-19@doh.gov.ph>   <madier@viva.com.ph>,<maillog@hmydomainxx.ph>   queued      <20210903113331.0CCF63A71C42A47E@doh.gov.ph>   
2021-09-03 11:33:40.291629500 27340 (queue) queue::qmail_2dqueue: (for 26404) Queuing to /var/qmail/bin/qmail-queue
2021-09-03 11:33:40.380267500 26404 250 Queued! 1630640020 qp 27340 <20210903113331.0CCF63A71C42A47E@doh.gov.ph>
2021-09-03 11:33:40.626628500 26404 dispatching QUIT
2021-09-03 11:33:40.626875500 26404 221 hmydomainxx.ph closing connection. Have a wonderful day.
2021-09-03 11:33:40.627022500 26404 click, disconnecting
2021-09-03 11:33:41.060368500 30284 cleaning up after 26404

==========================================

Is there any other log I could compare against, aside from this?

Thanks,
Rocel
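A small triage parser for sqpsmtpd transactions like the one above, built on the logterse "key line" Jean-Philippe points to: it groups lines by child pid, pulls each message's summary, and flags connections that were treated as a relay client yet queued mail from a foreign sender domain, or queued several messages in one connection. This is an added example, not code from the thread or from SME Server; the sample log, the placeholder addresses and IPs, and the assumption that logterse fields are separated by runs of two or more spaces are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the sqpsmtpd line format from the thread; IPs are from
# documentation ranges and the domains are placeholders, not real data.
SAMPLE_LOG = """\
2021-09-03 11:33:16.021346500 26404 dispatching MAIL FROM:<alerts@example.org>
2021-09-03 11:33:16.023201500 26404 (mail) badmailfrom: skip, relay client
2021-09-03 11:33:23.470627500 26404 (queue) logging::logterse: ` 203.0.113.5   Unknown   [203.0.113.5]   <alerts@example.org>   <one@example.net>,<maillog@mydomain.example>   queued      <id1@example.org>
2021-09-03 11:33:24.126096500 26404 dispatching MAIL FROM:<alerts@example.org>
2021-09-03 11:33:31.842806500 26404 (queue) logging::logterse: ` 203.0.113.5   Unknown   [203.0.113.5]   <alerts@example.org>   <two@example.com>,<maillog@mydomain.example>   queued      <id2@example.org>
2021-09-03 11:40:01.000000000 26500 (queue) logging::logterse: ` 198.51.100.7   Unknown   [198.51.100.7]   <bob@mydomain.example>   <friend@example.com>   queued      <id3@mydomain.example>
2021-09-03 11:41:01.000000000 26600 (queue) logging::logterse: ` 192.0.2.9   Unknown   [192.0.2.9]   <spam@example.org>   <bob@mydomain.example>   denied   901 spam source
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\d+) (.*)$")  # "<ts> <pid> <msg>"
LOGTERSE_MARK = "logging::logterse: `"

def parse_transactions(log_text):
    """Group lines by child pid; keep each logterse summary and whether checks were skipped as 'relay client'."""
    tx = defaultdict(lambda: {"relay_client": False, "messages": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m.groups()
        if "relay client" in msg:
            tx[pid]["relay_client"] = True
        if LOGTERSE_MARK in msg:
            # Assumption: fields separated by 2+ spaces (the real plugin uses tabs, lost in the paste).
            f = re.split(r"\s{2,}", msg.split(LOGTERSE_MARK, 1)[1].strip())
            if len(f) >= 6:
                tx[pid]["messages"].append({"time": ts, "ip": f[0], "sender": f[3].strip("<>"),
                    "recipients": [r.strip("<>") for r in f[4].split(",")], "result": f[5]})
    return dict(tx)

def flag_suspicious(transactions, local_domains, max_per_conn=1):
    """Return (pid, ip, reasons) for connections worth tracing back to their AUTH line."""
    flags = []
    for pid, t in transactions.items():
        queued = [m for m in t["messages"] if m["result"] == "queued"]
        reasons = []
        if t["relay_client"] and any(m["sender"].rsplit("@", 1)[-1].lower() not in local_domains for m in queued):
            reasons.append("relay client sending from a foreign domain")
        if len(queued) > max_per_conn:
            reasons.append("%d messages queued in one connection" % len(queued))
        if reasons:
            flags.append((pid, queued[0]["ip"] if queued else None, reasons))
    return sorted(flags)
```

Run `flag_suspicious(parse_transactions(open("/var/log/sqpsmtpd/current").read()), {"yourdomain"})` against a real log to get the pids whose first lines (the AUTH line Jean-Philippe mentions) are worth reading.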


Offline kryptos

Re: Unknown mail connection
« Reply #5 on: September 06, 2021, 01:11:07 PM »
I already found the affected user account it was using, after a very long log trace. Anyway, thank you for taking the time on this.

Offline ReetP

Re: Unknown mail connection
« Reply #6 on: September 06, 2021, 01:57:14 PM »
Also see this:

Quote
FATAL PLUGIN ERROR [tnef2mime]:  Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 184.

https://bugs.koozali.org/show_bug.cgi?id=11648
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Unknown mail connection
« Reply #7 on: September 06, 2021, 01:58:37 PM »
Yes, one transaction could include multiple mails to send, so it can be very long.

Hope you will also be able to retrace whether this was a malicious user or an infected user's PC.


For ReetP: yes, a known bug, visible but not related to the issue.

Offline kryptos

Re: Unknown mail connection
« Reply #8 on: September 06, 2021, 03:46:15 PM »
Quote
Yes, one transaction could include multiple mails to send, so it can be very long.

Hope you will also be able to retrace whether this was a malicious user or an infected user's PC.


For ReetP: yes, a known bug, visible but not related to the issue.

Yes indeed, thanks!

Offline kryptos

Re: Unknown mail connection
« Reply #9 on: September 06, 2021, 03:47:10 PM »
Quote
Also see this:

https://bugs.koozali.org/show_bug.cgi?id=11648

Yes, I am aware of it; it is also still an open bug waiting for updates. Thanks!