
Spam sent by our server using SMTP AUTH

uweiss

New Pleskian
Hello

Since today we have had a big problem. Multiple spammers (most from China) are able to send spam through our server using SMTP authentication. As soon as I disable SMTP authentication they cannot send spam anymore.

Two possibilities:
1. qmail has a bug with SMTP auth
2. Someone caught a username and password from a user

I dumped some network traffic and tried it manually with telnet:
Code:
$ telnet 12.34.56.78 25
Trying 12.34.56.78...
Connected to 12.34.56.78.
Escape character is '^]'.
220 myserver.domain.com ESMTP
EHLO gub
250-myserver.domain.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
aW5mbw==
334 UGFzc3dvcmQ6
YWRtaW4=
235 go ahead
mail from: [email protected]
250 ok
rcpt to: [email protected]
250 ok
data
354 go ahead
asdf
asdf
asdf
.
250 ok 1201260277 qp 16005
QUIT

What do you think about that?
Is there a way to find out which user account they may be using?

Thank you very much for your help.
Urs
 
Hello

Does no one have any ideas?
Today the same problem started again. The only solution was to disable SMTP authentication. Can I somehow enable some more debugging on qmail to see which users are trying to connect over SMTP AUTH?

Or is there at least a possibility to block a recipient domain?

Thanks
Urs
 
I now found out that the communication is base64-encoded. So it is very simple to decode it and find out the user:

Code:
aW5mbw==  ==>  info
YWRtaW4=  ==>  admin (great password....)

To find out which user and domain it is from, I used this MySQL query within the psa database:

Code:
SELECT mail.mail_name, domains.name, accounts.password
FROM mail, domains, accounts
WHERE accounts.password = 'admin'
  AND mail.dom_id = domains.id
  AND accounts.id = mail.account_id;

Maybe it helps someone else.

Urs
 
Urs,

I think you will save a lot of people a lot of trouble in the future (as long as they know how to search the forum :) ).

Thank you very much for posting this very useful info.

Faris.
 
A follow-up on this: if you go to Server -> Mail and select "Check the passwords for mailboxes in the dictionary", this will do a reasonable job of enforcing good password selection on mailboxes for your users. It will absolutely catch Joe accounts like this (info/admin, test/test, guest/guest, etc.).
 
The password check option was enabled the whole time, but it doesn't seem to really work. I didn't have time to look at why it does not work. Maybe tomorrow.
I disabled and re-enabled the option, but I can still set the password "admin".

We will see....
 
OK, it seems that the binary which checks the passwords does not work well:

Code:
# /usr/local/psa/admin/sbin/checkpw admin
/usr/local/psa/etc/dict: magic mismatch
checkpw: System Error: unable to open dictionary files at path: /usr/local/psa/etc/dict.*
checkpw: System Error: unable to open dictionary files at path: /usr/local/psa/etc/dict.*

I found something about that after googling a bit. The problem may occur on 64-bit machines only. I generated a dictionary to be sure that the dictionary files are correct. Same error with it. So, I think it's a problem with the binary itself (/usr/local/psa/admin/sbin/checkpw).

Maybe this is fixed after updating to Plesk 8.3 (if I really do the update...)
 
Can you describe the steps you took to figure out which user was sending the spam? I am currently experiencing the same issue. Thank you for your time.
 
1. Dump some traffic with tcpdump or snort (whatever you like), for example like this:

# tcpdump -w /home/whatever/dump_1 not port ssh and port smtp
(This dumps in raw format so you can load the file into Wireshark after downloading it)

or maybe something like this if you want it readable directly in a file:

# tcpdump -el -vvv -XX -nn not port ssh and port smtp > dump_1

2. Then have a look into the file (in Wireshark if you dumped the raw data, or on the command line) and search for the "AUTH LOGIN" parts. Near there you should find the base64-encoded username and password (see the example connection in my first post).
You may have to look around a bit to find the correct user, the one who sends a lot of mails.


3. Decode the encoded user/pass with an online base64 decoder (you can find some of them on Google by searching for "online base64 decoder")

Hope that helps solve your problem
Urs
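As an added example (not part of the thread and not Plesk or qmail code), here is a small Python script that does steps 2 and 3 above offline: it walks a plaintext SMTP transcript, finds the AUTH LOGIN exchange from the first post, base64-decodes the username and password, and records whether the server accepted the login, so you know which mailbox to lock and reset. It goes beyond the thread by also handling AUTH PLAIN, where both values arrive in one token; the sample transcript is constructed from the session posted above plus a made-up, rejected AUTH PLAIN attempt.

```python
import base64
import re

# Constructed sample transcript (not a real capture): the AUTH LOGIN exchange
# from the first post above, followed by a made-up AUTH PLAIN attempt that fails.
SAMPLE_CAPTURE = """\
220 myserver.domain.com ESMTP
AUTH LOGIN
334 VXNlcm5hbWU6
aW5mbw==
334 UGFzc3dvcmQ6
YWRtaW4=
235 go ahead
AUTH PLAIN AHRlc3QAdGVzdA==
535 authorization failed
"""

SERVER_REPLY = re.compile(r"^\d{3}[ -]")  # SMTP replies start with a 3-digit code


def extract_auth_attempts(capture):
    """Return (mechanism, username, password, accepted) for each AUTH LOGIN or
    AUTH PLAIN exchange; every line that is not a server reply is client input."""
    lines = [ln.strip() for ln in capture.splitlines() if ln.strip()]
    attempts = []
    for i, line in enumerate(lines):
        parts = line.split()
        mech = parts[1].upper() if len(parts) > 1 and parts[0].upper() == "AUTH" else None
        if mech not in ("LOGIN", "PLAIN"):
            continue  # not an AUTH command, or CRAM-MD5 etc. (password not sent in clear)
        need = 2 if mech == "LOGIN" else 1  # LOGIN sends user and password as two tokens
        tokens, j = parts[2:3], i + 1       # an initial response may sit on the AUTH line
        while len(tokens) < need and j < len(lines):
            if not SERVER_REPLY.match(lines[j]):
                tokens.append(lines[j])
            j += 1
        try:
            values = [base64.b64decode(t, validate=True).decode("utf-8", "replace") for t in tokens]
            if mech == "PLAIN":  # one token: base64("authzid\0authcid\0password")
                _, user, password = values[0].split("\0", 2)
            else:
                user, password = values
        except (IndexError, ValueError):
            continue  # truncated or malformed exchange
        reply = next((l for l in lines[j:] if SERVER_REPLY.match(l)), "")  # 235 = accepted
        attempts.append((mech, user, password, reply.startswith("235")))
    return attempts


def accepted_usernames(capture):
    """Mailbox names whose login succeeded: the accounts to lock and reset."""
    return {user for _, user, _, ok in extract_auth_attempts(capture) if ok}
```

The decoded name is only the local part (here "info"), so the MySQL query from the earlier post is still needed to map it to a domain when several domains share that mailbox name.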
 