[afnog] HOW can I stop outgoing spam

Frank Habicht geier at geier.ne.tz
Thu Oct 6 05:18:49 UTC 2011


Hello Saleh,

I hope you don't mind me sharing the discussion with the mailing list
again. Maybe it helps others some time as well.

I include below the logs you had attached.

It shows "Received: from internal" and
"29150220.65439.1317824167058.JavaMail.root at localhost.localdomain".
So it appears it was created on your server. It could be from
- a webmail interface where someone was connected (and authenticated)
- a MailTo form and CGI script or bad PHP script on your web server
- or it could be from a user or process that got access to your system
  illegally.
- maybe something else....

From the log included it doesn't really show.
But the log is about your server's failure to deliver to hotmail.com
There should be log entries earlier that show how the message got into
your mail server's queue in the first place.

If you fixed one problem and another one started showing up, you should
investigate if someone outside got (illegal) access to your server and
now also "owns" it.
- disable unneeded services
- check for root kits, suspicious connections/traffic;
  any processes running you don't know.
- don't trust the tools on the machine, reinstall/compile
  lsof, ls, ps, top, netstat ....  (assuming Ubuntu)
- don't allow ssh by password (if you have to then first change all
  passwords and then work on changing that policy)
- update OS and all services
- you can do mirroring of the switch port the server is connected to
  in order to "sniff" all traffic in&out on an independent machine.
  (tcpdump / wireshark)


I don't want to scare you.
But this internet is not always a friendly place.

Greetings,
Frank

PS: normally SMTP Authentication is a good thing, as long as only
authorized people have valid credentials (username/passwords), and these
are not easy to guess for outsiders.
It can enable your boss to send emails from outside your network, without
webmail, from "outlook" &co - without changing settings each time.



--------------------- what was attached---------------

[2011-10-05 17:40:11.275][DeliveryDaemon-12]DEBUG: getProvider()
returning
javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun
Microsystems, Inc]
[2011-10-05 17:40:11.275][DeliveryDaemon-12]
[2011-10-05 17:40:11.275][DeliveryDaemon-12]DEBUG SMTP: useEhlo false,
useAuth false
[2011-10-05 17:40:11.275][DeliveryDaemon-12]
[2011-10-05 17:40:11.275][DeliveryDaemon-12]DEBUG SMTP: trying to
connect to host "65.55.37.72", port 25, isSSL false
[2011-10-05 17:40:11.275][DeliveryDaemon-12]
[2011-10-05 17:40:11.856][DeliveryDaemon-12]220
COL0-MC1-F48.Col0.hotmail.com Sending unsolicited commercial or bulk
e-mail to Microsoft's computer network is prohibited. Other restrictions
are found at http://privacy.msn.com/Anti-spam/. Violations will result
in use of equipment located in California and other states. Wed, 5 Oct
2011 07:39:45 -0700
[2011-10-05 17:40:11.857][DeliveryDaemon-12]DEBUG SMTP: connected to
host "65.55.37.72", port: 25
[2011-10-05 17:40:11.857][DeliveryDaemon-12]
[2011-10-05 17:40:11.857][DeliveryDaemon-12]HELO Desknow-server
[2011-10-05 17:40:12.137][DeliveryDaemon-12]250
COL0-MC1-F48.Col0.hotmail.com (3.13.0.93) Hello [41.67.xx.xx]
[2011-10-05 17:40:12.138][DeliveryDaemon-12]DEBUG SMTP: use8bit false
[2011-10-05 17:40:12.138][DeliveryDaemon-12]
[2011-10-05 17:40:12.138][DeliveryDaemon-12]MAIL
FROM:<laurenmartin at globomail.com>
[2011-10-05 17:40:12.392][DeliveryDaemon-12]250
laurenmartin at globomail.com....Sender OK
[2011-10-05 17:40:12.392][DeliveryDaemon-12]RCPT TO:<sweettyyy at hotmail.com>
[2011-10-05 17:40:12.667][DeliveryDaemon-12]250 sweettyyy at hotmail.com
[2011-10-05 17:40:12.668][DeliveryDaemon-12]DEBUG SMTP: Verified Addresses
[2011-10-05 17:40:12.668][DeliveryDaemon-12]
[2011-10-05 17:40:12.668][DeliveryDaemon-12]DEBUG SMTP:
sweettyyy at hotmail.com
[2011-10-05 17:40:12.668][DeliveryDaemon-12]
[2011-10-05 17:40:12.668][DeliveryDaemon-12]DATA
[2011-10-05 17:40:12.921][DeliveryDaemon-12]354 Start mail input; end
with <CRLF>.<CRLF>
[2011-10-05 17:40:12.922][DeliveryDaemon-12]Received: from internal
          by Desknow-server (DeskNow) with SMTP ID 132b5622f72_UWMT_1098f;
          Wed, 5 Oct 2011 17:16:07 +0300 (EAT)
Date: Wed, 5 Oct 2011 17:16:07 +0300 (EAT)
From: "Dr. Lauren Martin" <laurenmartin at globomail.com>
Reply-To: laurenmartin at globomail.com
Message-ID:
<29150220.65439.1317824167058.JavaMail.root at localhost.localdomain>
Subject: World Congress on Human Trafficking, Prostitution and Sex Work
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_Part_65438_21473616.1317824167057"
X-DN-SentFlag: OK
X-Priority: 3
Disposition-Notification-To: "Dr. Lauren Martin"
<laurenmartin at globomail.com>
X-Mailer: DeskNow 3.2.16
X-DN-AuthenticatedSender: 9WW7EEY3WNJ3MTK4C3EF7KPRYPPPRARK-zkv0Bda+WWdSh4uYP
  Ho03jV7wRxkmgwvkVUO+dSxkdNv76+IjRQTl4hRViACw46t59t
  0dzIrE1M=---

------=_Part_65438_21473616.1317824167057
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Dear Friends and Colleagues

It is our great pleasure to invite you to participate at the 2011 World
Congress on Human Trafficking, Prostitution and Sex Work. The Conference
will be held at the California University of Pennsylvania Steele Hall,
250 University Ave., California, PA 15419 from November 21st - 25th 2011
and from 28th to 1st December 2011 at the BCEAO Salle de Conf &
Multimedia in Senegal.

.
[2011-10-05 17:40:13.441][DeliveryDaemon-12]250
<29150220.65439.1317824167058.JavaMail.root at localhost.localdomain>
Queued mail for delivery
[2011-10-05 17:40:13.441][DeliveryDaemon-12]QUIT
[2011-10-05 17:40:13.692][DeliveryDaemon-12]221
COL0-MC1-F48.Col0.hotmail.com Service closing transmission channel

On 10/5/2011 8:47 PM, saleh ali wrote:
> Dear Mr Frank
> 
> greetings
> 
> finally I found where the problem is in my mail server, the
> misconfiguration was that SMTP Authentication was enabled and I stopped it
> and the problem was solved.
> 
> BUT yesterday the problem is back even though SMTP Authentication was disabled,
> look at the attached file, I do not know how and I do not know how I can fix
> this problem and I AM SO TIRED of these problems
> 
> please I neeeeeeed your help
> 
> 
>> Date: Wed, 28 Sep 2011 08:17:44 +0300
>> From: geier at geier.ne.tz
>> To: afnog at afnog.org
>> Subject: Re: [afnog] HOW can I stop outgoing spam
>>
>> Hi,
>>
>> On 9/27/2011 3:28 PM, Stephane Bortzmeyer wrote:
>> > On Tue, Sep 27, 2011 at 03:16:39PM +0300,
>> >> Received: from 82.128.14.236 ([82.128.14.236])
>> >
>> > That's the important info which was *not* in your logs (fix your logs
>> > urgently: you cannot manage a system which does not log the IP
>> > addresses of the clients). Is 82.128.14.236 one of your legitimate
>> > users? Afrinic's database tells us it is Multilinks
>> > Telecommunications, in Nigeria, at the other end of Africa. Do you
>> > know them?
>>
>> I know them for spamming.
>> Including authenticating as real users (with weak passwords) before
>> sending spam on remote (from them) servers.
>>
>>
>> > Anyway, you now know the origin of the spam: talk to them, fire them,
>> > block them in the firewall, lecture them, etc, depending on your
>> > relationship with them.
>>
>> if the spammers authenticated as real users on your server
>> (who has user ID 539 ???),
>> then change passwords and try to enforce password strength.
>>
>> Greetings,
>> Frank
>>
>> _______________________________________________
>> afnog mailing list
>> http://afnog.org/mailman/listinfo/afnog
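The reasoning Frank applies to the attached log (a "Received: from internal" line with no client IP, a Message-ID minted on localhost.localdomain, a From domain that is not the server's own) can be turned into a small triage script. The following is an added example written for this archive page; it is neither part of the original mail nor DeskNow's own code. It parses the header block that the DeliveryDaemon log prints before DATA and reports the clues an admin should chase. Assumptions: the embedded sample is an abridged, constructed copy of the attached log with addresses written using "@" (the archive renders them as " at "), "mail.example" is a placeholder for the domains the server legitimately sends as, and the X-DN-AuthenticatedSender header is only checked for presence, since what its token encodes is not documented on this page.

```python
"""Triage helper: where did a queued message actually come from?

Added example for this thread; not part of the original mail and not
DeskNow's own code. It parses the header block that the delivery log prints
before the DATA command and applies the reasoning from the post: a Received
line with no client IP plus a Message-ID minted on localhost means the
message was generated on the server itself, not submitted by a remote client.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input, abridged from the log attached to the thread.
# Addresses are written with '@' (the list archive renders them as ' at ').
SAMPLE_LOG = """\
[2011-10-05 17:40:12.922][DeliveryDaemon-12]Received: from internal
          by Desknow-server (DeskNow) with SMTP ID 132b5622f72_UWMT_1098f;
          Wed, 5 Oct 2011 17:16:07 +0300 (EAT)
Date: Wed, 5 Oct 2011 17:16:07 +0300 (EAT)
From: "Dr. Lauren Martin" <laurenmartin@globomail.com>
Reply-To: laurenmartin@globomail.com
Message-ID: <29150220.65439.1317824167058.JavaMail.root@localhost.localdomain>
Subject: World Congress on Human Trafficking, Prostitution and Sex Work
X-Mailer: DeskNow 3.2.16
X-DN-AuthenticatedSender: 9WW7EEY3WNJ3MTK4C3EF7KPRYPPPRARK-zkv0Bda+WWdSh4uYP
  Ho03jV7wRxkmgwvkVUO+dSxkdNv76+IjRQTl4hRViACw46t59t
  0dzIrE1M=---

Dear Friends and Colleagues
"""

LOG_PREFIX = re.compile(r"^\[[^\]]*\]\[[^\]]*\]")       # "[time][thread]" stamp
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ADDR = re.compile(r"<([^>]+)>|([^\s<>\"]+@[^\s<>\"]+)")


def parse_headers(log_text: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> list of unfolded values.

    Strips the log stamp the daemon prepends to the first line, folds
    continuation lines (leading whitespace) back onto their header and stops
    at the first blank line, where the message body begins.
    """
    headers: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in log_text.splitlines():
        line = LOG_PREFIX.sub("", raw, count=1)
        if not line.strip():
            break
        if line[0] in " \t" and current:
            headers[current][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # stray log output, not a header line
        current = name.strip().lower()
        headers.setdefault(current, []).append(value.strip())
    return headers


def extract_addresses(value: str) -> List[str]:
    """Pull bare addresses out of a From/Reply-To value."""
    return [angle or bare for angle, bare in ADDR.findall(value)]


def classify_origin(received: str) -> Tuple[str, Optional[str]]:
    """Classify the top-most Received header.

    ("external", ip)   - a client IP was recorded: the message came in over SMTP
    ("internal", None) - stamped "from internal" or loopback: generated on the host
    ("unknown", None)  - no usable origin: the MTA is not logging client IPs
    """
    m = re.match(r"\s*from\s+(\S+)", received, re.IGNORECASE)
    if not m:
        return ("unknown", None)
    ip = IPV4.search(received)
    if ip and not ip.group(1).startswith("127."):
        return ("external", ip.group(1))
    if ip or m.group(1).lower() in {"internal", "localhost"}:
        return ("internal", None)
    return ("unknown", None)


def triage(headers: Dict[str, List[str]], local_domains: Set[str]) -> List[str]:
    """Return the clues an admin should chase, in the order the post raises them."""
    findings: List[str] = []
    received = headers.get("received")
    if not received:
        findings.append("no Received header: cannot tell how the message entered the queue")
    else:
        origin, ip = classify_origin(received[0])
        if origin == "external":
            findings.append(f"submitted by remote client {ip}: check whether it is a legitimate user and whether it authenticated")
        elif origin == "internal":
            findings.append("no client IP in Received: generated on the server itself (webmail session, web form or script, or a local process)")
        else:
            findings.append("Received gives no origin: fix logging so client IPs are recorded")
    for mid in headers.get("message-id", []):
        host = mid.rsplit("@", 1)[-1].strip("<> ")
        if host in ("localhost", "localhost.localdomain"):
            findings.append(f"Message-ID host {host}: minted by a process on this machine, not by a remote mail client")
    for hdr in ("from", "reply-to"):
        for addr in (a for v in headers.get(hdr, []) for a in extract_addresses(v)):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in local_domains:
                findings.append(f"{hdr} is {addr}: foreign domain {domain}, not one of ours")
    if headers.get("x-dn-authenticatedsender"):
        # Assumption: only the header's presence is flagged; what the token
        # encodes is DeskNow's business and is not described in the thread.
        findings.append("X-DN-AuthenticatedSender present: an authenticated session was used; identify the account and reset its password")
    return findings


if __name__ == "__main__":
    # "mail.example" is a placeholder for the domains this server sends as.
    for finding in triage(parse_headers(SAMPLE_LOG), {"mail.example"}):
        print("-", finding)
```

Run against the sample it prints five findings, the first being that the message carries no client IP and was generated on the server. Feed it the header block of a message that came in over SMTP (the earlier thread's "Received: from 82.128.14.236 ([82.128.14.236])") and classify_origin returns the client IP instead, which is the piece of information the original poster's logs were missing.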