
MAJOR SECURITY CONCERN: trash50534137@somedomain.com catch-all

Discussion in 'Plesk for Windows - 8.x and Older' started by Bogdan, Jan 17, 2007.

  1. Bogdan (Guest)

    Does anyone know why all domains created in Plesk that don't have a catch-all address specified are being created with a default catch-all called trash50534137@domain.com with the password trash50534137?

    This behavior is also present in Plesk 7.6.1, not only in 8.1. In Plesk 7.6.1 it used to fill up with all sorts of mails (usually spam sent to nonexistent addresses) and cause the client's disk usage to go sky high.

    But the security problem is mainly caused by that common password for all the mailboxes, which anyone can use to log on to the mailbox, see its contents and even use to authenticate and send SPAM through the server.

    If anyone wants to recreate this, it's easy:
    1. set up a domain in Plesk (mytest.com for example)
    2. open webmail (http://IP:8425, where IP is the IP you used to set up hosting for it)
    3. Log in using the trash50534137 account (trash50534137@mytest.com)
    4. Send an email.

    You can also log on to trash50534137@mydomain.com with a mail client by specifying the server's IP as the mail server in your mail client config.

    So, my question now, also asked in http://forum.swsoft.com/showthread.php?threadid=37058 several months ago, is: what is this catch-all address used for? I'm sure it's not created by MailEnable (http://www.mailenable.com/forum/vie...previous&sid=cd119fef0cab0ae45856f8eb024a0b8d), but it also doesn't show up in my client's Control Panel either, so I wonder what its purpose is and whether it's so important that it really needs to make my servers vulnerable!

    As a temporary and partial solution, I disabled catch-all emails on the entire server from MailEnable and I used MailEnable's Catchall Reporter and Remover (http://mailenable.com/addons_Diagnostic.asp) to remove all trash50534137 catch-alls, but that is far from being an answer to the problem.
     
  2. PaulC (Regular Pleskian; joined Aug 5, 2001; 192 messages)

    From what I have seen, the use of the mailbox is for the "Discard" option for the mails. I have not looked at it closely, but the fact that it has such a simple password is shocking.

    I'm sure a much more elegant way would be to drop the message when it's being checked by the message filter.
     
  3. Bogdan (Guest)

    sergius, any comment from a SWsoft representative on this, or are you guys just gonna ignore it and hope nobody notices?
     
  4. Bogdan (Guest)

    I sent a support ticket to SWsoft about this issue, hopefully they'll be able to shed some light.
     
  5. sergius (Golden Pleskian; joined Nov 6, 2005; 1,898 messages)

    Bogdan, thank you for the report. This bug will be fixed ASAP.
     
  6. Bogdan (Guest)

    It has been over 28 hours and I haven't received any response from SWsoft support about this matter. In the meantime, I confirmed this on a fresh install of Windows Server 2003 Enterprise and Plesk 8.1.
     
  7. Bogdan (Guest)

    Almost 2 days, and the only answer I got was a confirmation that the problem is real and that it was forwarded to their incompetent developers.
     
  8. Bogdan (Guest)

    Can you give an ETA? I sent a ticket to you guys 3 days ago and still no patch? Is this that hard to fix?
     
  9. sergius (Golden Pleskian; joined Nov 6, 2005; 1,898 messages)

    Please check your ticket just now and give feedback here.
     
  10. Bogdan (Guest)

    This is what I received from the support engineer handling my ticket:
    OK, so as I understand, after applying the patch and running the .vbs script the trash50534137@somedomain.com catch-all will still be there, but people won't be able to authenticate using it. As far as I see, this is only half of the problem solved, because all mail sent to nonexistent mail accounts for somedomain.com will still be moved to trash50534137@somedomain.com and stored there for no reason at all. In time, trash50534137@somedomain.com will fill up with a lot of emails (mostly spam) that will add up to my clients' disk usage, they will start complaining and I will have to clean the accounts manually (this scenario happened on Plesk 7.6.1 and this led me to notice the problem).

    I haven't tested this behavior on Plesk 8.1, but I assume it's the same. Please correct me if I'm wrong.
     
  11. sergius (Golden Pleskian; joined Nov 6, 2005; 1,898 messages)

    Bogdan, you are partially right.
    If you choose the value "Discard" for the option "Mail to nonexistent user", then MailEnable needs to do something with emails to these (nonexistent) users. ME provides the domain option "Catchall email addresses/mailbox" for this purpose. Plesk specifies the local mailbox "trash50534137" as the value of this option. For its part, the Plesk mail filter removes emails sent to this mailbox. In other words, Plesk needs to simulate the option "redirect to null", which is obviously not supported by ME.
     
  12. Bogdan (Guest)

    Hello,

    This patch is working perfectly, and sergius, you are right about mails not being stored in the trash mailboxes.
     
  13. Traged1 (Guest)

    OK, we are seeing this on our servers as well, the password problem is gone, but customer disk space is being taken up by this trash mailbox, and so far it is not ever being cleared out.

    My question is then, how do we set the trash mail folder to automatically empty?
     
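One way to answer the disk-usage question in the last post, as an added example that is not from this thread or from Plesk/MailEnable: a scheduled script that locates every trash50534137 catch-all mailbox under the mail store, reports what it holds, and deletes messages older than a cutoff. The on-disk layout `<mail_root>/<domain>/MAILROOT/<mailbox>/...` and the `purge_trash.py` name are assumptions; adjust the two path components to the real store.

```python
import sys
import time
from pathlib import Path

# Default catch-all mailbox name reported in this thread.
TRASH_MAILBOX = "trash50534137"


def find_trash_mailboxes(mail_root):
    """Yield (domain, mailbox_dir) for every trash catch-all mailbox under mail_root.

    ASSUMPTION: one directory per domain, each holding MAILROOT/<mailbox>/...
    Change the two path components below if the real store differs.
    """
    root = Path(mail_root)
    for domain_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        box = domain_dir / "MAILROOT" / TRASH_MAILBOX
        if box.is_dir():
            yield domain_dir.name, box


def purge_trash(mail_root, max_age_days=7, dry_run=True, now=None):
    """Report the size of every trash mailbox and remove messages older than
    max_age_days. Returns {domain: (files, bytes, files_removed)}. With
    dry_run=True nothing is deleted; files_removed shows what a real run would do.
    Only the trash mailbox is touched, so ordinary customer mailboxes are safe."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    report = {}
    for domain, box in find_trash_mailboxes(mail_root):
        files = [f for f in box.rglob("*") if f.is_file()]
        total = sum(f.stat().st_size for f in files)
        stale = [f for f in files if f.stat().st_mtime < cutoff]
        if not dry_run:
            for f in stale:
                f.unlink()
        report[domain] = (len(files), total, len(stale))
    return report


if __name__ == "__main__":
    # Usage: python purge_trash.py <mail_root> [--delete]   (dry run by default)
    really = "--delete" in sys.argv[2:]
    for dom, (n, size, gone) in purge_trash(sys.argv[1], dry_run=not really).items():
        verb = "removed" if really else "would remove"
        print(f"{dom}: {n} files, {size} bytes, {verb} {gone} older than 7 days")
```

Run it from Task Scheduler without `--delete` first to confirm the report matches what you expect, then add the flag.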