
SPAM from diff IP

Artur

Guest
Somehow these people are sending spam from several IPs on this machine and I'm receiving complaints from SpamCop.

Here is a snippet of the header:

Received: (qmail 37742 invoked by uid 29966); Thu, 22 Sep 2005 20:49:34 +0200 (CEST)
Message-Id: <[email protected]>


Look at the UID 29966, this does not exist on the system and I don't understand why it's showing up. There is nothing in /tmp and it's set noexec. We're running mod_security and the system seems to work well otherwise.

Any ideas even where to start looking?
 
You did not put your own WAN IP addresses into the white list did you? If you did, then remove them.
The only thing you want in there would be 127.0.0.1/32

I know you read the thread in Plesk 6.0 forum, did you do or check ALL the suggestions?

I wouldn't worry too much about the unknown UID, I get those on my servers and have not been in the same situation you are in.

You have the server mail set for SMTP Auth required and NO CHECKMARK for POP3, right?

Have you checked to make sure ALL mail user passwords are not simple passwords?

You may want to post several full headers for people to be able to possibly analyze and offer further suggestions, the little snippet is not much to go on...

Of course, change your domain name (domain.com) and IP address (xx.yy.zz.nn) if you feel the need.
 
jamesyeeoc,

Everything from other threads has been checked and implemented. I know it cannot be a simple mail user because the origination IP is different on each email. So they are somehow controlling qmail or more likely uploading their own SMTP server.

The reason I posted that header, is because if you ever saw the [email protected] in the header, you would remember this issue. In the future I will post the full headers.
 
Ok here is a header with changed IP address and edited server names on our side. Any input would be very appreciated.


Return-Path: <[email protected]>
Delivered-To: spamcop-net-x
Received: (qmail 22114 invoked from network); 22 Sep 2005 11:21:50 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
by blade1.cesmail.net with SMTP; 22 Sep 2005 11:21:50 -0000
Received: from mailgate.cesmail.net ([216.154.195.36])
by c60.cesmail.net with ESMTP; 22 Sep 2005 07:21:49 -0400
X-IronPort-AV: i="3.97,138,1125892800";
d="scan'208"; a="282081394:sNHT34149236"
Received: from popmail.dircon.co.uk [194.112.32.33]
by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
for x (single-drop); Thu, 22 Sep 2005 07:21:49 -0400 (EDT)
Received: from pfmx2.pop.uk.netscalibur.com (pfmx2.pop.uk.netscalibur.com [194.112.32.152])
by cyrus02.store.pop.uk.netscalibur.com (Cyrus v2.1.12) with LMTP; Thu, 22 Sep 2005 12:20:29 +0100
X-Sieve: CMU Sieve 2.2
Received: from rmx6.dircon.net (rmx6.dircon.net [80.168.70.183])
by pfmx2.pop.uk.netscalibur.com (Postfix) with ESMTP id D3AE4296130
for <x>; Thu, 22 Sep 2005 12:20:28 +0100 (BST)
Received: from qmx1.uk.netscalibur.com ([194.112.32.44])
by rmx6.dircon.net with smtp (Exim 4.34)
id 1EIP7s-000ANQ-2s
for x; Thu, 22 Sep 2005 12:20:28 +0100
Received: (qmail 8686 invoked from network); 22 Sep 2005 11:06:56 -0000
Received: from unknown (HELO something.eboundhost.com) (xxx.xxx.xxx.xxx)
by qmx1.uk.netscalibur.com with SMTP id 1127387209X8432X0; 22 Sep 2005 11:06:49 -0000
Received: (qmail 29753 invoked by uid 55219); Sat, 24 Sep 2005 01:09:51 +0200 (CEST)
Message-Id: <[email protected]>
From: "Sonja Addison" <[email protected]>
To: "pwhite" <x>
Date: Sat, 24 Sep 2005 01:09:51 +0200 (CEST)
Mime-Version: 1.0
Content-Type: text/plain
X-Envelope-To: x
X-Clara-Scan: content scanned according to recipient preferences
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade1
X-Spam-Level: **
X-Spam-Status: hits=2.7 tests=DATE_IN_FUTURE_24_48,HTTP_EXCESSIVE_ESCAPES
version=3.0.2
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 194.112.32.33 194.112.32.152 80.168.70.183 194.112.32.44 12.161.146.118
X-NAS-Language: English
X-NAS-Bayes: #0: 1; #1: 2.17064E-025
Subject: [Norton AntiSpam] [#f7942] Mum was subjugated with me
X-NAS-Classification: 1
X-NAS-MessageID: 3458
X-NAS-Validation: {B30D210E-50C5-4C03-92B8-C85A76181D14}
 
same problem...


Received: (qmail 12651 invoked by uid 2520); 22 Sep 2005 18:52:22 +0200
Received: from xxxxxxxxxxxxxxxx by xxxxxxxxxxxxx (envelope-from <[email protected]>, uid 2020) with qmail-scanner-1.25st
(clamdscan: 0.86.2/1097. spamassassin: 3.0.3. perlscan: 1.25st.
Clear:RC:1(61.59.10.96):.
Processed in 0.605636 secs); 22 Sep 2005 16:52:22 -0000
Received: from sw59-10-96.adsl.seed.net.tw (HELO xxxxxxxxxxxx) (61.59.10.96)
by xxxxxxxxxxxx with SMTP; 22 Sep 2005 18:52:21 +0200
Received: from 108.208.61.160 by ; Thu, 22 Sep 2005 19:44:52 +0300
Message-ID: <[email protected]>
From: "¤é»y±Ã¾Ç¡¹" <[email protected]>
Reply-To: "¤é»y±Ã¾Ç¡¹" <[email protected]>
To: [email protected]
Subject: *¤é»y»´ÃP¾Ç,»´ÃP¾Ç¤é»yeamovjsucukusbj
Date: Thu, 22 Sep 2005 14:45:52 -0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--6473803242464256157"
X-Priority: 3
X-MSMail-Priority: Normal
 
Fabio, you're having a completely different issue, your user id 2520 (qmail of some sort) is spamming. My issue is that the server is broadcasting from various IP addresses and the user id is not found on the machine.
 
Thanks for your reply.
Could you kindly help me with my problem?
Thanks
Fabio
 
Fabio,

No offense, but I started this topic to get help with my question. Try searching this board for SPAM and qmail and other such words, I'm sure you will find quite a few solutions. I'll send you a few ideas through a private message so this thread stays on topic.
 
Ok, from further research, this "2005__________________mail@" seems to be a spammer/scammer at work. Mostly appears to be from outside the US (Asia, Africa, etc). As to why your own IPs are showing up, you don't have your own IPs listed in your firewall as ACCEPT do you? I normally put my own IPs into the INPUT - DROP since they should not be connecting from outside to our own servers (including 127.0.0.1).

The mysterious UID is really not that important IMO, I see non-existent UIDs in headers often, even when it's not spam.

Darn it, I keep having to re-edit this post, I keep looking at Fabio's posted headers <Grrrrrrrrr>

Fake HELO's and spoofing your IPs are possible, I get faked HELO's (the server's own self HELO) all the time, since I block the server's own IPs at the firewall I have not had IP spoofing problems.

As to the "Received:" lines and their dates, since SA kicked in the "DATE_IN_FUTURE_24_48" ruleset, I am not sure which of the posted "Received:" lines are in what valid date order.

Things to think about doing:

1. Block your server's own IP addresses at the firewall (on INPUT)

2. It may be possible to write a custom SA rule to give a high score to emails containing "2005__________________mail@" in the header

3. Implement MAPS on your server with at least a couple of servers, or if your clients have no need of communicating with certain countries, you could block Asia and Africa and Nigeria (as a minimum) either at the firewall level, or using blackholes.us (china.blackholes.us, nigeria.blackholes.us, etc) in the MAPS server list.

This is one reason to be careful about using MAPS at all. As I was writing this, I came across the fact that blackholes.us seems to be down and unresolvable by DNS. Any server which has any blackholes.us sites listed in MAPS will experience SMTP delivery delays since rblsmtpd will have to wait to timeout for each server which does not respond. blackholes.us has had various downtime in the past, so it is probably temporary, but in the meantime, your SMTP will suffer delays.

My general policy is not to use MAPS unless absolutely necessary, and if clients start complaining about delays the first thing I check is if the MAPS servers are up and responding.
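
Added example, not part of any post in this thread: a way to settle the date order of the "Received:" lines that the post above is unsure about. It converts each hop's timestamp to UTC and reports lines stamped later than the hop above them, which handled the message afterwards. The sample message is constructed (documentation hosts and IPs, with qmail lines shaped like the ones posted), and the function names and the 300-second slack are assumptions.

```python
import calendar
import email
import re
from email.utils import parsedate_tz

# Constructed sample modelled on the header posted in the thread. Host names
# and IPs are documentation values; only the qmail lines mirror the post.
SAMPLE = (
    "Received: (qmail 22114 invoked from network); 22 Sep 2005 11:21:50 -0000\n"
    "Received: from relay.example.net (relay.example.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP; Thu, 22 Sep 2005 12:20:28 +0100 (BST)\n"
    "Received: from unknown (HELO host.example.com) (198.51.100.7)\n"
    "\tby relay.example.net with SMTP; 22 Sep 2005 11:06:49 -0000\n"
    "Received: (qmail 29753 invoked by uid 55219); "
    "Sat, 24 Sep 2005 01:09:51 +0200 (CEST)\n"
    "Subject: constructed sample\n\nbody\n"
)


def hop_time(received):
    """Return the hop's timestamp as UTC epoch seconds, or None if unparsable."""
    stamp = re.sub(r"\([^)]*\)", "", received.rsplit(";", 1)[-1])  # drop "(CEST)"
    parsed = parsedate_tz(" ".join(stamp.split()))
    if parsed is None:
        return None
    # A "-0000" zone parses as None; treat it as UTC instead of local time.
    return calendar.timegm(parsed[:6]) - (parsed[9] or 0)


def future_dated_hops(raw, slack=300):
    """List (position, qmail_uid, seconds_ahead) for Received: lines stamped
    later than the hop above them, which handled the message afterwards."""
    hops = email.message_from_string(raw).get_all("Received", [])
    findings, above = [], None
    for pos, line in enumerate(hops):          # position 0 is the newest hop
        when = hop_time(line)
        if when is None:
            continue
        if above is not None and when - above > slack:
            uid = re.search(r"invoked by uid (\d+)", line)
            findings.append((pos, uid.group(1) if uid else None, when - above))
        above = when
    return findings


if __name__ == "__main__":
    for pos, uid, ahead in future_dated_hops(SAMPLE):
        print(f"hop {pos}: uid={uid} is {ahead / 3600:.1f} h ahead of the hop above")
```

A line flagged here carries a timestamp that the receiving relay's own clock contradicts, so it is the one to compare against the local qmail logs before trusting anything else it claims.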
 
Great idea about outgoing IP block; however, it's just a patch.

Do you have syntax for this kind of block somewhere close by? I'd love to put it up in the short term while I look for a way to solve this.

Not sure where else to go with this.
 
If you are NOT using the Plesk Firewall and are on a RH type system:

Log into the server using SSH.

Issue the following command to add a rule to the INSERT chain:

iptables -A INPUT -s xx.yy.zz.nn/32 -i eth+ -j REJECT
(repeat for each IP you wish to block)
Then restart the iptables firewall:

service iptables restart

IMPORTANT NOTES:
1. Your network config on the server uses 'eth0', 'eth1', etc as the NIC interface names, if your server is setup differently then you will have to change the 'eth+' in the example to match your server's naming convention.

2. If you have multiple NIC's in the server, instead of putting multiple lines for each of eth0, eth1, eth2, etc, you can use eth+ to indicate 'all' eth interfaces.

3. The IP Address: xx.yy.zz.nn/32
You would replace this with your server IP and use the /32 for a single IP, or if you know what your CIDR is, like if you have a complete block (xx.yy.zz.1 to xx.yy.zz.255) you could use /8. Or you can specify each single IP using separate lines using the /32 (Too many possibilities and I don't want to teach a class on subnetting here on the forum)

4. Doing the command line method as outlined will not make the changes permanent, only until the next reboot. If you wish to make them permanent, then you will need to do something like:

iptables-save > /etc/sysconfig/iptables

Which on RH will write the current iptables configuration to its startup file. Make a backup of the original /etc/sysconfig/iptables file!!
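
Added example, not part of the post above: generating the INPUT rules from a list of the server's own addresses, with the mask from note 3 checked before anything is applied. A full range of 256 addresses is a /24, while a /8 matches 16,777,216 addresses, so the `widest` guard refuses anything broader than the limit given. The function name, the `widest` parameter and the sample addresses are assumptions; the rule text follows the command in the post.

```python
import ipaddress


def block_rules(own_addresses, iface="eth+", widest=24):
    """Return one 'iptables -A INPUT ... -j REJECT' line per collapsed block.

    own_addresses: the server's own IPv4 addresses or CIDR blocks.
    widest: smallest prefix length allowed, so a mistyped mask cannot
            reject a far larger range than intended.
    """
    nets = []
    for item in own_addresses:
        # strict=True rejects a network with host bits set, e.g. 192.0.2.5/24
        net = ipaddress.ip_network(item, strict=True)
        if net.version != 4:
            raise ValueError(f"{item}: this sketch only handles IPv4")
        nets.append(net)
    rules = []
    for net in ipaddress.collapse_addresses(nets):   # merges adjacent blocks
        if net.prefixlen < widest:
            raise ValueError(
                f"{net} matches {net.num_addresses} addresses, wider than /{widest}")
        rules.append(f"iptables -A INPUT -s {net} -i {iface} -j REJECT")
    return rules


if __name__ == "__main__":
    # Constructed input: documentation addresses standing in for xx.yy.zz.nn
    for rule in block_rules(["192.0.2.16", "192.0.2.17", "198.51.100.0/24"]):
        print(rule)
```

On RH-style systems `service iptables restart` by default reloads the rules stored in /etc/sysconfig/iptables, so a rule added with `iptables -A` and not yet saved is dropped by the restart. Running `iptables -L INPUT -n` afterwards shows whether the REJECT rules are still loaded.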
 