
spammers bypassing qmail logging

Discussion in 'Plesk for Linux - 8.x and Older' started by mediashaker, Aug 10, 2008.

  1. mediashaker

    mediashaker Guest

    0
     
    Spammers are brute forcing Plesk email passwords, then authenticating using base64 encoding on the username. The built-in qmail logging can't handle this and will just show (null) instead of the username used. This makes it almost impossible to find out which account has been compromised (without using Wireshark).

    Example of spammer using base64 encoding on plesk box:
    maillog.processed.3:Aug 7 13:34:26 plesk-web0 smtp_auth: SMTP connect from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
    maillog.processed.3:Aug 7 13:34:26 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
    maillog.processed.3:Aug 7 13:35:31 plesk-web0 smtp_auth: SMTP connect from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
    maillog.processed.3:Aug 7 13:35:31 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]

    Can you please patch qmail so we can at least see the base64 encoding instead of (null) ?
     
  2. dash

    dash Regular Pleskian Staff Member

    28
    40%
    Joined:
    Sep 26, 2007
    Messages:
    204
    Likes Received:
    47
    What exactly OS and Plesk version do you use?
    (what is the output of #cat /usr/local/psa/version command)
     
  3. mediashaker

    mediashaker Guest

    0
     
    Output you requested

    [root@plesk-web0 ~]# cat /usr/local/psa/version
    8.6.0 CentOS 4.2 86080722.02
     
  4. BMcKinney

    BMcKinney Guest

    0
     
    Perhaps this is also why I'm getting nulls from two users sending/receiving mail from their Treo smartphones:
    (usernames/IPs changed)

    Aug 27 06:24:25 localhost smtp_auth: SMTP connect from (null)@(null) [70.196.123.123]
    Aug 27 06:24:25 localhost smtp_auth: smtp_auth: SMTP user user_1 : logged in from (null)@(null) [70.196.123.123]
    Aug 27 08:57:26 localhost smtp_auth: SMTP connect from (null)@(null) [70.112.123.123]
    Aug 27 08:57:26 localhost smtp_auth: smtp_auth: SMTP user user_2 : logged in from (null)@(null) [70.112.123.123]

    cat /usr/local/psa/version
    8.6.0 CentOS 5 86080722.00
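    As an added example (not code from this thread, from Plesk, or from qmail), the following Python script parses smtp_auth lines like the ones quoted in posts 1 and 4. It extracts user, ident, host and IP from the "logged in" lines, marks logins where the logger dropped the username entirely (the (null) problem from the first post) and where the client's reverse lookup failed (the (null)@(null) form in post 4), and counts logins per source IP so repeated use of one address stands out. The sample log is constructed from the lines quoted in the thread plus one ordinary login for contrast; the threshold parameter max_logins_per_ip is an assumed name, not a qmail or Plesk setting.

```python
import re
from collections import Counter

# Constructed sample, modelled on the smtp_auth lines quoted in posts 1 and 4
# (hosts and IPs as they appear there) plus one normal login for contrast.
SAMPLE_LOG = """\
maillog.processed.3:Aug 7 13:34:26 plesk-web0 smtp_auth: SMTP connect from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
maillog.processed.3:Aug 7 13:34:26 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
maillog.processed.3:Aug 7 13:35:31 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
Aug 27 06:24:25 localhost smtp_auth: smtp_auth: SMTP user user_1 : logged in from (null)@(null) [70.196.123.123]
Aug 27 08:57:26 localhost smtp_auth: smtp_auth: SMTP user user_2 : logged in from (null)@(null) [70.112.123.123]
Aug 27 09:10:02 localhost smtp_auth: smtp_auth: SMTP user alice@example.test : logged in from alice@mail.example.test [203.0.113.7]
"""

# Only the "logged in" lines carry the username; "SMTP connect from" lines are skipped.
# The user field may be empty (the thread's (null) case), hence [^\s:]* and the optional space.
LOGIN_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<server>\S+) "
    r"smtp_auth: smtp_auth: SMTP user (?P<user>[^\s:]*) ?: logged in from "
    r"(?P<ident>\S+)@(?P<host>\S+) \[(?P<ip>[\d.]+)\]"
)


def parse_logins(text):
    """Return one dict per successful smtp_auth login found in the log text."""
    records = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)  # search, so a "maillog.processed.N:" prefix is harmless
        if not m:
            continue
        rec = m.groupdict()
        rec["user"] = rec["user"] or None          # empty field -> logger lost the username
        rec["user_missing"] = rec["user"] is None
        rec["host_null"] = rec["host"] == "(null)"  # reverse lookup of the client failed
        records.append(rec)
    return records


def summarize(records, max_logins_per_ip=2):
    """Flag the patterns discussed in the thread; returns (ts, user, ip, reasons) tuples."""
    per_ip = Counter(r["ip"] for r in records)
    findings = []
    for r in records:
        reasons = []
        if r["user_missing"]:
            reasons.append("username missing from log; account cannot be identified from this line")
        if r["host_null"]:
            reasons.append("client reverse DNS failed (post 7 traced this to resolv.conf)")
        if per_ip[r["ip"]] > max_logins_per_ip:
            reasons.append(f"{per_ip[r['ip']]} logins from the same IP")
        if reasons:
            findings.append((r["ts"], r["user"], r["ip"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, ip, reasons in summarize(parse_logins(SAMPLE_LOG)):
        print(f"{ts}  user={user or '(none)':<20} ip={ip:<15} {'; '.join(reasons)}")
```

    On a real box, feed it the maillog files the thread quotes (for example `python3 smtp_auth_check.py < /usr/local/psa/var/log/maillog` with a small stdin wrapper) and correlate the flagged IPs against the time window in which the spam run began; lines with a missing username still tell you when and from where the login happened, which narrows the password reset to the accounts active at that moment.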
     
  5. hardweb

    hardweb Guest

    0
     
    The above is a bug; on what architecture is the OS based?
     
  6. mediashaker

    mediashaker Guest

    0
     
    Architecture

    I'm on a regular Intel Core 2 Duo (i686 SMP)
     
  7. BMcKinney

    BMcKinney Guest

    0
     
    CPU GenuineIntel, Intel(R) Xeon(R) CPU E5320 @ 1.86GHz
    Version psa v8.6.0_build86080822.20 os_CentOS 5
    OS Linux 2.6.9-023stab044.11-enterprise

    I haven't seen any more (null)@(null)'s since I fixed a problem with my resolv.conf. Now I get (null)@domain.tld
     
  8. mediashaker

    mediashaker Guest

    0
     
    more serious than I thought!

    It looks like this bug is more serious than I originally posted. It looks like base64 encoding ANY user name will allow the user to authenticate .. all they need is a valid password from the server ..

    Someone has reported it on securityfocus!
    http://www.securityfocus.com/archive/1/495881/30/0/threaded

    I think this might have been patched in plesk 8.6.1 ...
     
  9. chileno

    chileno Guest

    0
     
    Big Spam Problem!!!

    I CAN'T FIX THIS!!!

    Feb 6 10:37:55 NMU-SRV-WH7 smtp_auth: SMTP connect from (null)@18983005069.user.veloxzone.com.br [189.83.5.69]
    Feb 6 10:37:55 NMU-SRV-WH7 smtp_auth: smtp_auth: SMTP user user@domain.xxx : logged in from (null)@18983005069.user.veloxzone.com.br [189.83.5.69]

    [root@WH7 log]# cat /usr/local/psa/version
    8.6.0 CentOS 4.2 86080930.08

    PLEASE HELP!
     
  10. C4talyst

    C4talyst Guest

    0
     
    Any updates?

    Anyone have an update on this issue? I think I'm experiencing this problem with one of my boxes.
     
  11. BMcKinney

    BMcKinney Guest

    0
     
    I finally "solved" the problem by upgrading to Plesk 9 and switching my MTA to Postfix, which has turned out to be much better at preventing spam. With Postfix, I have so much more control than I did with qmail. qmail died long ago when its author lost interest.

    The users I had that were once showing up with (null)@ addresses now show up with the correct username.

    Helpful Postfix config pages:
    http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
    http://www.akadia.com/services/postfix_uce.html
    http://www.postfix.org/SASL_README.html

    One note about using Postfix with Plesk... you really need to write a customized /etc/postfix/main.cf to make Postfix do what you want, but after that, using Plesk to modify mail server settings can cause some of your customizations to be discarded. I keep a backup of my working main.cf just in case I forget this.
     
    Last edited by a moderator: Jun 10, 2009