
spammers bypassing qmail logging

mediashaker

Guest
Spammers are brute forcing Plesk email passwords, then authenticating using base64 encoding on the username. The built-in qmail logging can't handle this and will just show (null) instead of the username used. This makes it almost impossible to find out which account has been compromised (without using Wireshark).

Example of spammer using base64 encoding on plesk box:
maillog.processed.3:Aug 7 13:34:26 plesk-web0 smtp_auth: SMTP connect from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
maillog.processed.3:Aug 7 13:34:26 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
maillog.processed.3:Aug 7 13:35:31 plesk-web0 smtp_auth: SMTP connect from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
maillog.processed.3:Aug 7 13:35:31 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]

Can you please patch qmail so we can at least see the base64 encoding instead of (null) ?
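An added example, not from the original thread and not Plesk's or qmail's own code: a small Python script that parses maillog smtp_auth "logged in" records in the format quoted above, separates logins whose username never made it into the log (the (null) symptom) from normal ones, and tallies them per source IP so that a burst of such logins from one address stands out. The sample log lines, hostnames and IPs are constructed, and the regex and function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the maillog format quoted in the thread.
# Hostnames and IPs are documentation/test values, not real ones.
SAMPLE_LOG = """\
Aug 7 13:34:26 plesk-web0 smtp_auth: SMTP connect from (null)@host-a.invalid [192.0.2.10]
Aug 7 13:34:26 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@host-a.invalid [192.0.2.10]
Aug 7 13:35:31 plesk-web0 smtp_auth: SMTP connect from (null)@host-a.invalid [192.0.2.10]
Aug 7 13:35:31 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@host-a.invalid [192.0.2.10]
Aug 7 13:40:02 plesk-web0 smtp_auth: smtp_auth: SMTP user alice@example.com : logged in from (null)@host-b.invalid [198.51.100.7]
Aug 7 13:41:15 plesk-web0 smtp_auth: smtp_auth: SMTP user bob@example.com : logged in from mail.example.org [203.0.113.5]
"""

# Matches only the "logged in" records; the "SMTP connect from" lines are ignored.
# The user field may be empty (the "(null)" symptom), so it is [^\s:]* rather than \S+.
# The "(null)@host" part after "from" is the remote ident/host, which the thread
# notes can be (null) for harmless reasons (e.g. resolver trouble), so it is not
# used as an indicator here.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ smtp_auth: smtp_auth: "
    r"SMTP user\s*(?P<user>[^\s:]*)\s*: logged in from (?P<rhost>\S+) \[(?P<ip>[^\]]+)\]$"
)


def parse_logins(log_text):
    """Return one dict per successful SMTP AUTH login found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            d = m.groupdict()
            d["user"] = d["user"] or None  # empty field -> None (what qmail printed as "(null)")
            events.append(d)
    return events


def null_user_logins_by_ip(log_text):
    """Count logins whose username did not reach the log, per source IP.

    One odd client can produce a couple of these; a run of them from a single
    address is the pattern described in the thread and is worth an alert.
    """
    return Counter(e["ip"] for e in parse_logins(log_text) if e["user"] is None)


def logins_by_user(log_text):
    """Count logins per recorded username, so a mailbox with unusual volume stands out."""
    return Counter(e["user"] for e in parse_logins(log_text) if e["user"])


if __name__ == "__main__":
    # Usage: run against the constructed sample; swap in open("/usr/local/psa/var/log/maillog").read()
    # or similar for a real file (path is an assumption, check your Plesk install).
    for ip, n in null_user_logins_by_ip(SAMPLE_LOG).most_common():
        print(f"{n:4d} logins with unlogged username from {ip}")
    for user, n in logins_by_user(SAMPLE_LOG).most_common():
        print(f"{n:4d} logins for {user}")
```

Because the username is missing from exactly the lines that matter, the per-IP count is the only handle the log itself gives; correlating the timestamps of those logins with the queue (which sender addresses were injected in the same seconds) is the next step, and that is what the thread's author ended up needing a packet capture for.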
 

Exactly which OS and Plesk version do you use?
(What is the output of the # cat /usr/local/psa/version command?)
 
Output you requested

[root@plesk-web0 ~]# cat /usr/local/psa/version
8.6.0 CentOS 4.2 86080722.02
 
Perhaps this is also why, from two users sending/receiving mail from their Treo smartphones, I'm also getting nulls
(usernames/IPs changed):

Aug 27 06:24:25 localhost smtp_auth: SMTP connect from (null)@(null) [70.196.123.123]
Aug 27 06:24:25 localhost smtp_auth: smtp_auth: SMTP user user_1 : logged in from (null)@(null) [70.196.123.123]
Aug 27 08:57:26 localhost smtp_auth: SMTP connect from (null)@(null) [70.112.123.123]
Aug 27 08:57:26 localhost smtp_auth: smtp_auth: SMTP user user_2 : logged in from (null)@(null) [70.112.123.123]

cat /usr/local/psa/version
8.6.0 CentOS 5 86080722.00
 
Architecture

I'm on a regular intel core 2 dual (i686 SMP)
 
CPU GenuineIntel, Intel(R) Xeon(R)CPU E5320 @ 1.86GHz
Version psa v8.6.0_build86080822.20 os_CentOS 5
OS Linux 2.6.9-023stab044.11-enterprise

I haven't seen any more (null)@(null)'s since I fixed a problem with my resolv.conf. Now I get (null)@domain.tld
 
more serious than I thought!

It looks like this bug is more serious than I originally posted. It looks like base64 encoding ANY user name will allow the user to authenticate... all they need is a valid password from the server...

Someone has reported it on securityfocus!
http://www.securityfocus.com/archive/1/495881/30/0/threaded

I think this might have been patched in plesk 8.6.1 ...
 
Big Spam Problem!!!

I CAN'T FIX THIS!!!

Feb 6 10:37:55 NMU-SRV-WH7 smtp_auth: SMTP connect from (null)@18983005069.user.veloxzone.com.br [189.83.5.69]
Feb 6 10:37:55 NMU-SRV-WH7 smtp_auth: smtp_auth: SMTP user [email protected] : logged in from (null)@18983005069.user.veloxzone.com.br [189.83.5.69]

[root@WH7 log]# cat /usr/local/psa/version
8.6.0 CentOS 4.2 86080930.08

PLEASE HELP!
 
Any updates?

Anyone have an update on this issue? I think I'm experiencing this problem with one of my boxes.
 
I finally "solved" the problem by upgrading to Plesk 9 and switching my MTA to Postfix, which has turned out to be much better at preventing spam. With Postfix, I have so much more control than I did with Qmail. Qmail died long ago when its author lost interest.

The users I had that were once showing up with (null)@ addresses now show up with the correct username.

Helpful Postfix config pages:
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
http://www.akadia.com/services/postfix_uce.html
http://www.postfix.org/SASL_README.html

One note about using Postfix with Plesk... you really need to write a customized /etc/postfix/main.cf to make Postfix do what you want, but after that, using Plesk to modify mail server settings can cause some of your customizations to be discarded. I keep a backup of my working main.cf just in case I forget this.
 