spammers bypassing qmail logging

mediashaker

Guest
Spammers are brute forcing Plesk email passwords, then authenticating using base64 encoding on the username. The built-in qmail logging can't handle this and will just show (null) instead of the username used. This makes it almost impossible to find out which account has been compromised (without using Wireshark).

Example of spammer using base64 encoding on plesk box:
maillog.processed.3:Aug 7 13:34:26 plesk-web0 smtp_auth: SMTP connect from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
maillog.processed.3:Aug 7 13:34:26 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
maillog.processed.3:Aug 7 13:35:31 plesk-web0 smtp_auth: SMTP connect from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]
maillog.processed.3:Aug 7 13:35:31 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@hrif-east-flr1.med.ualberta.ca [142.244.23.58]

Can you please patch qmail so we can at least see the base64 encoding instead of (null) ?
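Added example (not from the original post and not Plesk code): a small parser for the smtp_auth lines quoted above, so the "logged in" entries can be triaged without reading the log by eye. It separates the two fields that look alike in these lines: the SMTP AUTH username after "SMTP user" (empty in the spammer lines) and the ident@host pair after "from", where qmail writes (null) when it has nothing to print. It then lists successful logins with no username recorded and counts logins per (username, client IP). The sample lines are constructed after the ones in this thread; the hostnames and addresses are documentation examples, not real traffic.

```python
"""Triage Plesk qmail smtp_auth log lines: find successful AUTH with no username
recorded and count logins per source.  Added example, not Plesk's own code."""
import re
from collections import Counter

# Constructed sample modelled on the log lines quoted in the thread.
# Hosts and IPs are documentation examples, not real traffic.
SAMPLE_LOG = """\
Aug  7 13:34:26 plesk-web0 smtp_auth: SMTP connect from (null)@host-1.example.net [192.0.2.58]
Aug  7 13:34:26 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@host-1.example.net [192.0.2.58]
Aug  7 13:35:31 plesk-web0 smtp_auth: SMTP connect from (null)@host-1.example.net [192.0.2.58]
Aug  7 13:35:31 plesk-web0 smtp_auth: smtp_auth: SMTP user : logged in from (null)@host-1.example.net [192.0.2.58]
Aug 27 06:24:25 plesk-web0 smtp_auth: SMTP connect from (null)@(null) [198.51.100.7]
Aug 27 06:24:25 plesk-web0 smtp_auth: smtp_auth: SMTP user user_1 : logged in from (null)@(null) [198.51.100.7]
Feb  6 10:37:55 plesk-web0 smtp_auth: smtp_auth: SMTP user bob@example.org : logged in from (null)@host-2.example.com [203.0.113.69]
Feb  6 10:37:56 plesk-web0 smtp_auth: smtp_auth: SMTP user bob@example.org : logged in from (null)@host-2.example.com [203.0.113.69]
"""

# One "logged in" line.  The username after "SMTP user" may be empty
# ("SMTP user : logged in"), which is the case the thread is about.  The
# ident@host pair after "from" is a separate field; "(null)" there only means
# qmail had no ident or no reverse DNS for the client.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ smtp_auth: smtp_auth: "
    r"SMTP user (?P<user>\S*?) ?: logged in from "
    r"(?P<ident>\S+?)@(?P<host>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\]$"
)


def parse_login(line):
    """Return a dict for a successful-login line, or None for anything else
    (connect lines, other daemons, garbage)."""
    m = LOGIN_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["user_logged"] = rec["user"] != ""        # did smtp_auth record a username?
    rec["host_resolved"] = rec["host"] != "(null)"  # did the client reverse-resolve?
    return rec


def parse_log(text):
    return [r for r in (parse_login(line) for line in text.splitlines()) if r]


def logins_without_username(records):
    """Successful AUTH where no username was written to the log: the logins the
    original poster could only attribute by sniffing the session."""
    return [r for r in records if not r["user_logged"]]


def logins_per_source(records):
    """Count logins per (username or marker, client IP)."""
    return Counter((r["user"] or "<no username logged>", r["ip"]) for r in records)


def noisy_sources(records, threshold=2):
    """Client IPs with at least `threshold` successful logins, sorted."""
    by_ip = Counter(r["ip"] for r in records)
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in logins_without_username(recs):
        print(f"{r['ts']}  AUTH succeeded, no username logged, from {r['ip']} ({r['host']})")
    for (user, ip), n in logins_per_source(recs).most_common():
        print(f"{n:3d}  {user:24s} {ip}")
    print("sources at/above threshold:", noisy_sources(recs))
```

On a live box the same functions can be fed `/usr/local/psa/var/log/maillog` (or the rotated maillog.processed.N files quoted above) instead of SAMPLE_LOG; the per-source counter is what tells one brute-forced account from a couple of phones that merely failed reverse DNS.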
 
What exactly OS and Plesk version do you use?
(what is the output of the # cat /usr/local/psa/version command?)
 
Output you requested

[root@plesk-web0 ~]# cat /usr/local/psa/version
8.6.0 CentOS 4.2 86080722.02
 
Perhaps this is also why I'm getting nulls from two users sending/receiving mail from their Treo smartphones:
(usernames/IPs changed)

Aug 27 06:24:25 localhost smtp_auth: SMTP connect from (null)@(null) [70.196.123.123]
Aug 27 06:24:25 localhost smtp_auth: smtp_auth: SMTP user user_1 : logged in from (null)@(null) [70.196.123.123]
Aug 27 08:57:26 localhost smtp_auth: SMTP connect from (null)@(null) [70.112.123.123]
Aug 27 08:57:26 localhost smtp_auth: smtp_auth: SMTP user user_2 : logged in from (null)@(null) [70.112.123.123]

cat /usr/local/psa/version
8.6.0 CentOS 5 86080722.00
 
Architecture

I'm on a regular intel core 2 dual (i686 SMP)
 
CPU GenuineIntel, Intel(R) Xeon(R)CPU E5320 @ 1.86GHz
Version psa v8.6.0_build86080822.20 os_CentOS 5
OS Linux 2.6.9-023stab044.11-enterprise

I haven't seen any more (null)@(null)'s since I fixed a problem with my resolv.conf. Now I get (null)@domain.tld
 
more serious than I thought!

It looks like this bug is more serious than I originally posted. It looks like base64 encoding ANY username will allow the user to authenticate. All they need is a valid password from the server.

Someone has reported it on securityfocus!
http://www.securityfocus.com/archive/1/495881/30/0/threaded

I think this might have been patched in plesk 8.6.1 ...
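Added example, not code from this thread or from Plesk: the "base64 encoding" the posts refer to is just how SMTP AUTH carries credentials. AUTH PLAIN (RFC 4616) sends one base64 blob of authzid NUL authcid NUL password; AUTH LOGIN sends the username and the password as two separate base64 lines. Since the server log in this thread records no username for these sessions, the only place the account name exists is on the wire, which is why the original poster mentions Wireshark. The functions below build and decode both forms and walk a captured client-side exchange to recover which accounts authenticated. The captured lines are constructed for the example (example.org accounts, made-up passwords).

```python
"""Encode/decode SMTP AUTH PLAIN and AUTH LOGIN credentials and recover the
account names from captured client lines.  Added example, not Plesk code."""
import base64


def encode_plain(authcid, password, authzid=""):
    """Client response for AUTH PLAIN (RFC 4616): authzid NUL authcid NUL password, base64."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def decode_plain(blob):
    """Split an AUTH PLAIN blob back into its three fields; reject malformed input."""
    raw = base64.b64decode(blob, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN payload must have exactly three NUL-separated fields")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": password}


def decode_login(user_blob, pass_blob):
    """AUTH LOGIN: the username and the password each arrive as one base64 line."""
    return {
        "authcid": base64.b64decode(user_blob, validate=True).decode("utf-8"),
        "password": base64.b64decode(pass_blob, validate=True).decode("utf-8"),
    }


def credentials_from_capture(client_lines):
    """Walk the client side of an SMTP session (server replies already stripped)
    and return (mechanism, authcid) for every AUTH attempt seen.  Handles both
    the one-line form ("AUTH PLAIN <blob>") and the two-step form where the
    blob follows on the next line after the server's 334 challenge."""
    found = []
    it = iter(client_lines)
    for line in it:
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        if mech == "PLAIN":
            blob = parts[2] if len(parts) == 3 else next(it)
            found.append(("PLAIN", decode_plain(blob)["authcid"]))
        elif mech == "LOGIN":
            user_blob = parts[2] if len(parts) == 3 else next(it)
            pass_blob = next(it)
            found.append(("LOGIN", decode_login(user_blob, pass_blob)["authcid"]))
    return found


# Constructed client->server lines, as a sniffer would show them after the
# server's 334 prompts are removed.  Accounts and passwords are invented.
CAPTURED = [
    "EHLO mail.example.org",
    "AUTH PLAIN " + encode_plain("bob@example.org", "hunter2"),
    "MAIL FROM:<bob@example.org>",
    "AUTH LOGIN",
    base64.b64encode(b"alice@example.org").decode("ascii"),
    base64.b64encode(b"s3cret").decode("ascii"),
]

if __name__ == "__main__":
    for mech, who in credentials_from_capture(CAPTURED):
        print(f"{mech:5s} {who}")
```

With a capture from the box itself (for example `tcpdump -A port 25` on the server, which is all that is needed because these sessions were not on TLS), feed the client lines to credentials_from_capture to get the account to lock and re-password, then compare against the (null) login timestamps in the maillog.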
 
Big Spam Problem!!!

I CAN'T FIX THIS!!!

Feb 6 10:37:55 NMU-SRV-WH7 smtp_auth: SMTP connect from (null)@18983005069.user.veloxzone.com.br [189.83.5.69]
Feb 6 10:37:55 NMU-SRV-WH7 smtp_auth: smtp_auth: SMTP user [email protected] : logged in from (null)@18983005069.user.veloxzone.com.br [189.83.5.69]

[root@WH7 log]# cat /usr/local/psa/version
8.6.0 CentOS 4.2 86080930.08

PLEASE HELP!
 
Any updates?

Anyone have an update on this issue? I think I'm experiencing this problem with one of my boxes.
 
I finally "solved" the problem by upgrading to Plesk 9 and switching my MTA to Postfix, which has turned out to be much better at preventing spam. With Postfix, I have so much more control than I did with Qmail. Qmail died long ago when its author lost interest.

The users I had that were once showing up with (null)@ addresses now show up with the correct username.

Helpful Postfix config pages:
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
http://www.akadia.com/services/postfix_uce.html
http://www.postfix.org/SASL_README.html

One note about using Postfix with Plesk... you really need to write a customized /etc/postfix/main.cf to make Postfix do what you want, but after that, using Plesk to modify mail server settings can cause some of your customizations to be discarded. I keep a backup of my working main.cf just in case I forget this.
 