Spammer authenticates somehow with email alias!

[RealAbraCadaver]

Well I made a mistake with the first post because it didn't show up for almost 1/2 hour, and now both are deleted or locked, so apologies for the third one:

A spammer is able to authenticate and send spam using an alias [email protected] which is an alias of a real mailname.

OS: CentOS 6.5 (Final)
Panel version: 11.5.30 Update #32

Installed mail server Postfix

Relaying
authorization is required:
SMTP

I cleared the queue, but the spam messages were all from [email protected] and had multiple lines like:

X-No-Relay: not in my network

I see lots of these with differing clients:

Feb 11 16:09:11 u17411632 postfix/smtpd[16157]: 54842322D7: client=unknown[195.7.47.219], sasl_method=LOGIN, [email protected]
Feb 11 16:09:11 u17411632 postfix/smtp[12874]: B830F322CE: to=<[email protected]>, relay=mx2.comcast.net[2001:558:fe2d:70::22]:25, delay=4.1, delays=3.2/0/0.55/0.32, dsn=2.0.0, status=sent (250 2.0.0 R99B1n0070HDTPJ0F99BDH mail accepted for delivery)

Using grep on the log created from here: http://kb.parallels.com/en/114845 I don't see anything from /var/www/vhosts.

What is going on here?!?!

 

[RealAbraCadaver]

So this has never happened before an no one has any ideas/more info required?

 

[Christian_S]

See this about authenticate using alias:
http://forum.parallels.com/showthre...-SMTP-authenticated-sessions-for-mail-aliases

And this about X-No-Relay: not in my network:
http://kb.parallels.com/en/115472

 

[RealAbraCadaver]

OK, thanks. I read both of those articles but I assumed that the spammer would need my password for the real email and use it with the alias. I guess I thought this unlikely, but it seems to be the only way, they must have brute forced my password? I read another post where the user DID change his password and the spammer was still able to send using the alias.

Thanks!

 

[Christian_S]

Yes, password is still needed.

But currently password for alias is not updated (always). See
http://forum.parallels.com/showthread.php?297677-Mail-password-update-aliases-not-updated

You can use e.g. https://www.atomicorp.com/products/asl.html to stop brute force attacks

 

[RealAbraCadaver]

Yes, password is still needed.

But currently password for alias is not updated (always). See
http://forum.parallels.com/showthread.php?297677-Mail-password-update-aliases-not-updated

Great info thanks! So I need to delete all aliases and recreate them? Are you aware of a fix?

Thanks!

 

[Christian_S]

We had to delete and recreate aliases yesterday. But today it seems to work ok.

You can use /usr/local/psa/admin/bin/mail_auth_view
to check password for email address and aliases.