SMTP Auth Spam Mail Attack

Home » CentOS » SMTP Auth Spam Mail Attack
CentOS 3 Comments

Hi All

I have a server which seems to be getting spam relayed through it.

The story is this…..

User reported loads of undeliverables being received so I had a trawl through the logs.

So the attacker connects to our server using SMTP auth……..

Oct 5 15:17:53 www sendmail[6972]: AUTH=server, relay=pppoe9.net109-120-27.se1.omkc.ru [109.120.27.9] (may be forged), authid=jon, mech=LOGIN, bits=0

This then seemingly passes the AUTH for the user jon and allows the system to send e-mails such as the following.

Oct 5 15:17:58 www sendmail[6982]: r95EHqoc006972:
to=, ctladdr= (516/100), delay:00:05, xdelay:00:02, mailer=esmtp, pri00552, relay=mailin-03.mx.aol.com. [205.188.156.193], dsn=2.0.0, stat=Sent (2.0.0
Ok: queued as B648F3800008D)

Now there seem to be 2 user names that appear in the logs with the authid one is jon as above and the other is jon@xxxxx.co.uk (obviously I have replaced the real domain with xxxxx)

Now the interesting thing is that there are only a handful of sites on the server and they are set up so the site has a main username and any other addresses that need to accept mail are set as aliases.

So in effect there is only one user per domain with one email account.

So despite the main account not being “jon” or “jon@xxxxx.co.uk” and there are no users on the domain with those usernames, SMTP auth accepets the user and authenticates correctly to allow the relay through.

I have checked the server with an external SMTP checker, and it is not an open relay. I have changed the password on the domain in question and they are still getting in. I have tried changing the password and sending mail with the old password, this gets .. relying denied, so SMTP auth is working ok. I have been through the server and looked at each domain for these users, I did find one called jon on an old domain which I have now deleted, just in case this was accepting the SMTP auth.

Has anyone any idea how they can be authenticating against SMTP auth with a username that does not exist on the server ?

Any pointers towards next steps appreciated, as I am running out of ideas to try and lock this server down.

Cheers

Paul.

3 thoughts on - SMTP Auth Spam Mail Attack

  • Am 05.10.2013 18:19, schrieb Paul Shuttleworth:

    Hi Paul,

    you will have to show your Sendmail SMTP AUTH configuration together with all bits set for Cyrus SASL.

    Baseline is, there is or has been a user “jon” usable for SMTP AUTH as you have shown by the log entry:

    Oct 5 15:17:53 www sendmail[6972]: AUTH=server, relay=pppoe9.net109-120-27.se1.omkc.ru [109.120.27.9] (may be forged), authid=jon, mech=LOGIN, bits=0

    Alexander

  • Hi Alexander

    well the user jon has been deleted along with the entire domain the user was in, and they are still relaying, also how is the user jon@xxxxx.co.uk getting Authorised when that user does not exist. These are a couple of the latest successful relays from the logs.

    Oct 5 17:45:51 www sendmail[32567]: AUTH=server, relay1-202-20-171-kh.maxnet.ua [31.202.20.171] (may be forged), authid=jon, mech=LOGIN, bits=0
    Oct 5 19:47:23 www sendmail[20547]: AUTH=server, relay=[178.126.88.216], authid=jon@xxxxxxx.co.uk, mech=LOGIN, bits=0

    it shows an example of both of the users that are being accepted. I just am not sure how, when I am fairly sure they don’t actually exist.

    Paul.

  • domains don’t have passwords, user accounts do. if you had a jon user associated with domain1.com and another jon user associated with domain2.com how did you keep them straight? my usual solution is jon1, jon2 or jon_dom1 jon_dom2

    also, what PAM are you using for user accounts? simple passwd/shadow static files? LDAP/activedirectory/something centralized ?

LEAVE A COMMENT