[BlueOnyx:04707] Re: send mail Relay exploit
Michael Stauber
mstauber at blueonyx.it
Mon Jun 7 18:25:00 -05 2010
Hi Hugo,
> since friday our server has been exploited as a relay for several domains
> who are spammers
Do you have SMTP-Auth enabled? If not, enable it. But from what I see in
your logs it should be on already. With SMTP-Auth enabled only users
authenticated with their username and password can send emails through your
server.
> Here is some logs
From those log lines only one entry indicates the actual relaying of emails
through your server:
Jun 7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694:
from=<tbent at wanadoo.co.uk>, size=1509, class=0, nrcpts=50,
msgid=<201006072122.o57LMj4U023694 at ns1.abaco.net.mx>, proto=ESMTP, daemon=MTA,
relay=adsl1888.4u.com.gh [41.210.18.88]
Someone from the IP [41.210.18.88] sent a 1509-byte mail to 50
recipients in one go. The line "proto=ESMTP" indicates that he used SMTP-Auth
to authenticate against Sendmail and that was apparently done with a valid
username and password.
Then the next snippet shows how four of the 50 generated emails were sent out:
Jun 7 16:23:16 ns1 sendmail[23755]: o57LMj4U023694:
to=<fultonmr at aol.com>,<fultimeslackervb at aol.com>,<fulmoon19 at aol.com>,<fulltipz at aol.com>,
delay=00:00:27, xdelay=00:00:02, mailer=esmtp, pri=1591509,
relay=mailin-02.mx.aol.com. [205.188.155.110], dsn=2.0.0, stat=Sent (2.0.0 Ok:
queued as 3EC3F38000CAD)
This went to some AOL users in one go.
So it appears someone has guessed, sniffed or brute forced the login details
of one of your email users.
How to find out which account that's from?
Check /var/log/maillog and find the entries immediately above this one:
Jun 7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694:
from=<tbent at wanadoo.co.uk> [...]
There should be a line like this:
Jun 7 16:23:14 ns1 sendmail[XXX]: AUTH=server, relay=adsl1888.4u.com.gh
[41.210.18.88], authid=USERNAME, mech=PLAIN, bits=0
That shows "authid=" and the username they used to send the email.
Or you can use cat and grep to search for it like this:
grep 'AUTH=server' /var/log/maillog | grep -F '41.210.18.88'
That searches for "AUTH=server" (which identifies the SMTP-Auth logins) and
for the IP address of the sender of the email. That will return all matching
log entries and the "authid=" part will reveal the compromised username.
--
With best regards
Michael Stauber
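The correlation described in the reply (tie each "AUTH=server ... authid=" line to the "from=<...> ... nrcpts=" line logged by the same sendmail child, then see which account is pushing bulk mail) can be scripted instead of done by eye. The following is an added example, not part of the original post; the log excerpt is constructed with placeholder addresses and IPs in the same sendmail format, and the per-message recipient threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt (not from the original post). Sendmail logs
# the AUTH=server line and the queued from= line under the same child PID.
SAMPLE_LOG = """\
Jun  7 16:23:14 ns1 sendmail[23694]: AUTH=server, relay=host.example.net [192.0.2.10], authid=victim, mech=PLAIN, bits=0
Jun  7 16:23:14 ns1 sendmail[23694]: o57LMj4U023694: from=<spoofed@example.org>, size=1509, class=0, nrcpts=50, msgid=<1@ns1.example>, proto=ESMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
Jun  7 16:23:16 ns1 sendmail[23755]: o57LMj4U023694: to=<a@example.net>,<b@example.net>, delay=00:00:27, xdelay=00:00:02, mailer=esmtp, pri=1591509, relay=mx.example.net. [203.0.113.5], dsn=2.0.0, stat=Sent
Jun  7 16:25:01 ns1 sendmail[23801]: AUTH=server, relay=host.example.net [192.0.2.10], authid=victim, mech=PLAIN, bits=0
Jun  7 16:25:01 ns1 sendmail[23801]: o57LP1xx023801: from=<spoofed@example.org>, size=1602, class=0, nrcpts=45, msgid=<2@ns1.example>, proto=ESMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
Jun  7 16:30:44 ns1 sendmail[23990]: AUTH=server, relay=laptop.example.com [198.51.100.7], authid=alice, mech=LOGIN, bits=0
Jun  7 16:30:44 ns1 sendmail[23990]: o57LUixx023990: from=<alice@example.com>, size=812, class=0, nrcpts=1, msgid=<3@ns1.example>, proto=ESMTP, daemon=MTA, relay=laptop.example.com [198.51.100.7]
"""

AUTH_RE = re.compile(r"sendmail\[(\d+)\]: AUTH=server, relay=\S+ \[([\d.]+)\], authid=(\S+?),")
FROM_RE = re.compile(r"sendmail\[(\d+)\]: (\w+): from=<[^>]*>, .*?nrcpts=(\d+),.*?relay=\S+ \[([\d.]+)\]")

def summarize_auth_senders(log_text):
    """Return {authid: {"messages", "recipients", "ips"}} for authenticated submissions.

    An AUTH line is remembered by PID; the next from= line with the same PID and
    the same client IP is attributed to that authid. Delivery (to=) lines are ignored.
    """
    auth_by_pid = {}
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            auth_by_pid[m.group(1)] = (m.group(3), m.group(2))  # pid -> (authid, ip)
            continue
        m = FROM_RE.search(line)
        if m:
            pid, _qid, nrcpts, ip = m.groups()
            if pid in auth_by_pid and auth_by_pid[pid][1] == ip:
                user = auth_by_pid[pid][0]
                stats[user]["messages"] += 1
                stats[user]["recipients"] += int(nrcpts)
                stats[user]["ips"].add(ip)
    return dict(stats)

def suspicious_accounts(stats, max_rcpts_per_msg=20):
    """Accounts whose average recipients per message exceed the (assumed) threshold."""
    return sorted(u for u, s in stats.items()
                  if s["recipients"] / s["messages"] > max_rcpts_per_msg)

if __name__ == "__main__":
    summary = summarize_auth_senders(SAMPLE_LOG)
    for user in suspicious_accounts(summary):
        s = summary[user]
        print(f"{user}: {s['messages']} msgs, {s['recipients']} rcpts, from {sorted(s['ips'])}")
```

Run it against the real file with `summarize_auth_senders(open("/var/log/maillog").read())`; an account that appears with many recipients per message from an unfamiliar IP is the one whose password to reset.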