
Enable SMTP Auth logging

mikey2312
So, I've inherited a few hundred Plesk/Parallels Linux servers and a few of the users have issues with exploited servers sending spam. It appears that the senders are auth'd but I can't tell what user is being used. How do I turn on smtp_auth logging? I see the log entries for "relaylock" but nothing else that hints at who is being used. Any ideas how I can enable this?
 
Thanks for the link. It's not always a script, but it sometimes is so I appreciate the link. However, what about SMTP auth? I don't get any logs about what user is being used.

Oct 31 01:54:30 relaylock: /var/qmail/bin/relaylock: mail from 24.235.103.34:33509 (wsp05956164wss.cr.net.cable.rogers.com)

I can use iptables to block out this IP, but it doesn't fix the problem. How do I find out what username/password they're using?


Michael
 
Those relaylock messages are pretty meaningless. That line says that that IP address created a connection to your server, but it doesn't indicate that any mail was actually accepted or sent.
 
Right, I know... relaylock is useless.... so how do I do this? How do I find out what username/password has been compromised so I can contact the customer.

If you can imagine, when you're in a large hosting situation with tens of thousands of customers and Plesk installs, this is bound to happen. I can tell you from experience that it IS happening and we need a way to locate these problems. I can't possibly be the only one who has this issue.
 
I was going to say just install spamdyke (www.spamdyke.org) because that gives you very comprehensive logging (not the password). However, something at the back of my mind is saying you should not need to do this - you should be able to see usernames when they authenticate anyway?

But apparently not, so take a look at spamdyke.

Note that spamdyke does not work with pop-locking (pop before relay). Mind you, you'd need to turn that off to get a better grip on what's happening anyway.

Faris.
 
?!?

I can't believe that there's no answer to this. Did they seriously not think about this? We have a situation where we're hosting tens of thousands of domains and run this Plesk software on thousands of servers. Invariably, we have spam problems on a very small percentage of users but it kills me that I can't figure out how this is done. I partly blame Qmail because the writer didn't seem to care about such things, but I REALLY blame Parallels/Plesk for selling a software package that makes this impossible.
 
Did you ever find a solution to this? I am a long-time user of qmail and know that on a standard install there is MUCH more logging available. I have a situation where I need to know what 500-series errors are occurring in the SMTP connections.
 
Hello
I have the same problem with qmail
In my qmail logs from /usr/local/psa/var/log/maillog I see only the encrypted user:

May 30 07:37:21 host smtp_auth: SMTP connect from (null)@216-207-229-186.dia.static.qwest.net [216.207.229.186]
May 30 07:37:21 host smtp_auth: smtp_auth: SMTP user Mn#010PáÆ : logged in from (null)@216-207-229-186.dia.static.qwest.net [216.207.229.186]


So, the user appears in encrypted form: SMTP user Mn#010PáÆ
How can I see the real SMTP user?
I ask because some users send spam and I cannot identify who the bad user is.


Thank you


 
Not sure about the unencrypting the usernames. But here is a suggestion to see who is using SMTP. Everything is logged in the maillog so run:
grep smtp_auth /usr/local/psa/var/log/maillog
That command will pull back all of the lines in the current maillog matching smtp_auth

If you want results emailed to you daily about who is using smtp, setup a cronjob under root in PLESK and run about 3am:
grep smtp_auth /usr/local/psa/var/log/maillog | /usr/lib/sendmail [email protected]
Note: Depending on your server you may have to change the sendmail path, check correct sendmail path with:
which sendmail

To monitor information on who is SMTP'ing in real time run:
tail -f /usr/local/psa/var/log/maillog | grep smtp_auth
Note: This will only show data when someone uses smtp through your server, so just wait if your not getting data straight away.

Hope this helps; all of the above works fine for me on PSA 8.6 Linux.

Wayne.
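The grep above lists every successful login, but with tens of thousands of mailboxes the thing you actually want is the account whose credentials are being used from many different places. The following is an added example, not code from the thread or from Plesk: it parses smtp_auth login lines in the format quoted earlier in this thread and reports, per user, the number of logins and the distinct source IPs. The sample log lines, hostnames and addresses are constructed for the example, and the "more than 3 distinct IPs" threshold is an assumption you would tune for your own customer base.

```python
import re
from collections import defaultdict

# Constructed sample in the Plesk qmail smtp_auth format quoted in this
# thread. Users, hostnames and IPs are made up for the example.
SAMPLE_MAILLOG = """\
May 30 07:37:21 host smtp_auth: SMTP connect from (null)@cust1.example.net [198.51.100.10]
May 30 07:37:21 host smtp_auth: smtp_auth: SMTP user alice@example.com : logged in from (null)@cust1.example.net [198.51.100.10]
May 30 07:38:02 host smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from (null)@203-0-113-5.example.org [203.0.113.5]
May 30 07:38:40 host smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from (null)@198-51-100-77.example.org [198.51.100.77]
May 30 07:39:11 host smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from (null)@192-0-2-200.example.org [192.0.2.200]
May 30 07:39:12 host smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from (null)@192-0-2-201.example.org [192.0.2.201]
May 30 07:40:00 host relaylock: /var/qmail/bin/relaylock: mail from 192.0.2.200:33509 (192-0-2-200.example.org)
"""

# Matches only the "logged in" line; connect and relaylock lines are ignored.
LOGIN_RE = re.compile(
    r"smtp_auth: SMTP user (?P<user>.+?) : logged in from "
    r"(?P<from>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\]$"
)


def parse_logins(log_text):
    """Yield (user, ip) for every successful smtp_auth login line."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(log_text):
    """Return {user: {"logins": count, "ips": sorted distinct source IPs}}."""
    stats = defaultdict(lambda: {"logins": 0, "ips": set()})
    for user, ip in parse_logins(log_text):
        stats[user]["logins"] += 1
        stats[user]["ips"].add(ip)
    return {u: {"logins": s["logins"], "ips": sorted(s["ips"])}
            for u, s in stats.items()}


def suspicious_users(log_text, max_distinct_ips=3):
    """Users that authenticated from more than max_distinct_ips addresses.

    A mailbox used by one person normally logs in from a handful of IPs;
    a stolen password gets used from many. The threshold is an assumption.
    """
    return sorted(u for u, s in summarize(log_text).items()
                  if len(s["ips"]) > max_distinct_ips)


if __name__ == "__main__":
    for user, s in summarize(SAMPLE_MAILLOG).items():
        print(f"{user}: {s['logins']} logins from {len(s['ips'])} IPs")
    print("suspicious:", suspicious_users(SAMPLE_MAILLOG))
```

To run it against a real server, read /usr/local/psa/var/log/maillog with errors="replace" (the garbled usernames quoted earlier in this thread contain bytes that are not valid text) and pass the contents to summarize(). Cross-check the flagged user's IPs against the relaylock lines from the same minute to confirm the account is the one feeding the queue.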
 
That's great for knowing who is using SMTP properly; my question pertains to the duration of the connection PRIOR to any auth. I want to know who is connecting to port 25 and what they are doing. For instance, I suspect I have someone(s) connecting and not using auth, trying to find local users. A message that I get on a standalone qmail install would contain something like: date, IP, rcpt, error.

If I were to see lots of these I would know that somebody is trying to go to [email protected], then [email protected], then [email protected]; you see the point? Tracking who logs in and presents valid credentials is definitely useful for some issues, just not mine.
 
Yes, it is really annoying that the plesk qmail logging is so poor. Unfortunately, short of compiling qmail from scratch, with the plesk modifications patched in, there's nothing much you can do (that I know of)

Faris.
 
I am having similar problems to Michael. I was attacked last week and had 42,000 emails in a mail queue; I managed to clear the queue after installing Qmail-Remove. A lot of these emails were being sent to @yahoo.com.tw email addresses, so I used this command to remove them: qmail-remove -r -p yahoo.com.tw

This attack then happened the following day and during this attack I suspended all my domains one by one until I found which email accounts were being used for the attack.

Just as I thought this was the end... yesterday I was attacked one more time, and today I spent the whole day going through the logs trying to find which email account was being used. Unfortunately all I see is a lot of "relaylock: /var/qmail/bin/relaylock: mail from" records from various IP addresses in Japan, China, Russia etc., but nowhere in the logs can I find who was authenticated in the first place.

Does anyone know what I should do, is there something I can install which will give me greater detail in the logs, I know that this will happen again in the near future and I need to be able to find this compromised email account as soon as possible.
 
There's a couple of things you can do.

The simplest is to use tcpdump. e.g.

tcpdump -Z root -vvv -C 10 -W 10 -w captest-port-25 port 25

This will capture all traffic on port 25 and dump it to a file called captest-port25.001

It will continue to do so until the file has reached 10 MB in size and will then switch to .002
It will create no more than 10 of these files before starting at the beginning.

However, with the attack in progress, you can just do the capture for a little while, then CTRL-C.

The resulting file can be viewed in Windows using Microsoft Network Monitor (free download from Microsoft) as long as you rename the file .cap when you copy it to your PC. You can also just look at the file directly in your system using a text editor.

You should be able to see the smtp transaction taking place, including the username used to authenticate.

However, if you have pop-before-relay enabled then they may be authenticating by receiving before sending, which will be a pain for you to trace. Looking very carefully at the sequence of events in your maillog may help here.

In fact, looking at your maillog at the point just before the attack happens is well worthwhile. At the very least you'll be able to identify the IP address the attack is coming from, and be able to block it, even if you can't immediately figure out the username being used.

You may also want to try to install spamdyke, which offers superior logging along with anti-spam features, but I suspect this is not the time to do that....

There may be other alternatives to all this -- my suggestions may not be the best option to use.
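What you are looking for in that capture is the AUTH exchange. With AUTH PLAIN the client sends one base64 token that decodes to authorization-id, NUL, username, NUL, password; with AUTH LOGIN the server prompts with "334 VXNlcm5hbWU6" (base64 "Username:") and "334 UGFzc3dvcmQ6" ("Password:") and the client answers each with a base64 line. The following is an added example, not code from the thread: it walks the text of a captured SMTP session (what you see with tcpdump -A, or an exported TCP stream from the .cap file) and pulls out the username for each AUTH, without returning the password. The session transcript is constructed for the example; the credentials in it are made up.

```python
import base64
import binascii

# Constructed transcript of two SMTP sessions as they would appear in a text
# dump of the port 25 capture. Hostnames and credentials are made up.
SAMPLE_SESSION = """\
220 host.example.com ESMTP
EHLO client.example.org
250-host.example.com
250 AUTH LOGIN PLAIN
AUTH PLAIN AGFsaWNlQGV4YW1wbGUuY29tAHNlY3JldDEyMw==
235 2.7.0 Authentication successful
MAIL FROM:<alice@example.com>
250 ok
QUIT
220 host.example.com ESMTP
AUTH LOGIN
334 VXNlcm5hbWU6
Ym9iQGV4YW1wbGUuY29t
334 UGFzc3dvcmQ6
aHVudGVyMg==
235 2.7.0 Authentication successful
"""


def b64_to_bytes(token):
    """Decode a base64 token, returning None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_auth_users(session_text):
    """Return [(mechanism, username), ...] for every AUTH in the transcript.

    Passwords are decoded along the way but deliberately not returned: the
    goal is to identify the compromised mailbox, not to collect its secret.
    """
    found = []
    lines = [l.rstrip("\r\n") for l in session_text.splitlines()]
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        if len(parts) >= 2 and parts[0].upper() == "AUTH":
            mech = parts[1].upper()
            if mech == "PLAIN":
                # Initial response may sit on the AUTH line or follow a 334.
                if len(parts) >= 3:
                    token = parts[2]
                elif i + 2 < len(lines) and lines[i + 1].startswith("334"):
                    token = lines[i + 2].strip()
                else:
                    token = ""
                raw = b64_to_bytes(token)
                if raw is not None and raw.count(b"\0") == 2:
                    _authzid, authcid, _password = raw.split(b"\0")
                    found.append(("PLAIN", authcid.decode("utf-8", "replace")))
            elif mech == "LOGIN":
                if len(parts) >= 3:
                    # "AUTH LOGIN <base64 username>" initial-response variant.
                    raw = b64_to_bytes(parts[2])
                else:
                    # Server sends "334 VXNlcm5hbWU6", client answers with
                    # the base64 username on the next line.
                    raw = None
                    if i + 2 < len(lines) and lines[i + 1].startswith("334"):
                        raw = b64_to_bytes(lines[i + 2].strip())
                if raw is not None:
                    found.append(("LOGIN", raw.decode("utf-8", "replace")))
        i += 1
    return found


if __name__ == "__main__":
    for mech, user in extract_auth_users(SAMPLE_SESSION):
        print(f"{mech}: {user}")
```

Two caveats a practitioner will hit: if the client issued STARTTLS before AUTH, the exchange is encrypted on the wire and nothing useful is in the capture, and a capture only shows sessions that happened while tcpdump was running, so start it as soon as the queue begins to fill.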
 
Hi Faris,

Thanks for your reply, I will give it a go. I'm also looking into spamdyke as you suggested.

regards,
Ged.
 