Posted to server-user@james.apache.org by Kenneth Wombo <ke...@hotmail.com> on 2009/07/24 22:57:24 UTC

RE: Tracking down source of spam

(subject of the thread was originally "Accepting mail to addresses with routing instructions, from unauthenticated sources, when SMTP is set to be authenticated" but that turned out not to be an issue, so I changed to a better description.)

Stefano wrote:
> IMO there's nothing to be tracked/fixed. A mail to
> recipientname%recipientdomain@[my.server's.ip.address] is like a mail to
> recipientname@[my.server's.ip.address]. If the mailbox exists it will be
> delivered. If the mailbox does not exist it will bounce.
> 

Sorry, I meant what do you think I should do next to try to track down the source of the spam I can see in the server logs?  I realize that it's most likely my fault, that I misconfigured something or have otherwise caused the security breach myself, I'm just not quite sure where to go next; I've pored through the logs and I didn't see anything that indicated to me how the spam is getting through since I've got authentication configured.

If authentication is configured, is it safe to assume that the spammer somehow has gotten a username and password?  There are only a handful of accounts and through the telnet remote admin interface I don't see any that I did not create myself.  Is there an authentication log or some way to turn something like that on?  Or is there some combination of settings that I might have set which could cause there to be an exception to authentication being required?

I can post my configuration xml if that's appropriate.  Thanks for helping me and again I think that JAMES is a fabulous and well-engineered piece of software.

Ken


Re: Tracking down source of spam

Posted by Stefano Bagnara <ap...@bago.org>.
Kenneth Wombo wrote:
> (subject of the thread was originally "Accepting mail to addresses with routing instructions, from unauthenticated sources, when SMTP is set to be authenticated" but that turned out not to be an issue, so I changed to a better description.)
> 
> Stefano wrote:
>> IMO there's nothing to be tracked/fixed. A mail to
>> recipientname%recipientdomain@[my.server's.ip.address] is like a mail to
>> recipientname@[my.server's.ip.address]. If the mailbox exists it will be
>> delivered. If the mailbox does not exist it will bounce.
>>
> 
> Sorry, I meant what do you think I should do next to try to track down the source of the spam I can see in the server logs?  I realize that it's most likely my fault, that I misconfigured something or have otherwise caused the security breach myself, I'm just not quite sure where to go next; I've pored through the logs and I didn't see anything that indicated to me how the spam is getting through since I've got authentication configured.
> 
> If authentication is configured, is it safe to assume that the spammer somehow has gotten a username and password?  There are only a handful of accounts and through the telnet remote admin interface I don't see any that I did not create myself.  Is there an authentication log or some way to turn something like that on?  Or is there some combination of settings that I might have set which could cause there to be an exception to authentication being required?
> 
> I can post my configuration xml if that's appropriate.  Thanks for helping me and again I think that JAMES is a fabulous and well-engineered piece of software.

Are you telling me that you are sure that JAMES is trying to relay email to
recipientname@recipientdomain?

I guess JAMES is simply receiving that email and treating it as an email
for recipient@yourdomain. If recipient exists it gets delivered, if it
doesn't exist it bounces to the return-path.
So, in outgoing, you should only see bounces.

I don't see what username/password you mean and what you are trying to find.

Stefano

---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org


Re: Tracking down source of spam

Posted by David Legg <da...@searchevent.co.uk>.
Stefano wrote:

> Why are we excluding that they are bounces?
>
> If you send a message from someone@example.com to
> nonexistant@yourjamesdomain.com then james will receive the message, fail to
> find a local user named "nonexistant" and create a bounce to
> someone@example.com.
>   

Good point.

Ken... as I said earlier I don't think you need worry too much about 
your apparent spam records in the log files.  As Stefano points out, 
your server is probably trying to contact all these email addresses to 
tell them that nobody by that name exists on your server... in other 
words a bounce message.  Unfortunately, this is almost as bad as a rogue 
server because it causes what is known as 'backscatter'.  Ideally, it 
should use a little intelligence to decide if the incoming message that 
caused the bounce was itself spam.  If it is then there is no need to 
send a bounce message.

You shouldn't turn bounce messaging off completely because that would 
prevent legitimate bounces from informing the sender that their email 
didn't get through.

I approach this by running all unauthenticated email through the spam 
filter and only bouncing those messages which make it through the spam 
filter but don't have a valid destination address.

Regards,
David Legg


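Added example (not code from Apache James or from anyone in this thread): the acceptance and bounce policy David describes, written out as plain Python so the decisions can be checked, with two standard safeguards folded in. Unknown local recipients and unauthorised relay attempts are refused at RCPT TO, so the connecting MTA reports the failure and this server never has to generate a bounce at all; a message whose return-path is null (<>) is never bounced; and a message the filter scored as spam is discarded rather than bounced. It also reproduces the 127.0.0.0/8 authorizedAddresses exemption discussed in this thread, which is why a process on the server itself is allowed to relay without SMTP AUTH. The domain, user list, threshold and sample messages are assumptions.

```python
"""Backscatter-safe acceptance and bounce decisions, modelled as plain functions.

Added example, not code from Apache James or from anyone in the thread.
Domains, users, the threshold and the sample data are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"yourjamesdomain.com"}              # assumed
LOCAL_USERS = {"ken@yourjamesdomain.com"}            # assumed
AUTHORIZED_NETWORKS = [ip_network("127.0.0.0/8")]   # as in the config quoted in the thread
SPAM_THRESHOLD = 0.9                                  # assumed


@dataclass
class Session:
    peer_ip: str
    authenticated: bool = False     # True only after a successful SMTP AUTH


@dataclass
class Envelope:
    return_path: str                # "" is the null sender <>
    recipient: str
    spam_probability: float = 0.0   # filled in after DATA by the spam filter


def may_relay(session):
    """Relaying is allowed only for SMTP AUTH sessions or the authorized networks."""
    return session.authenticated or any(
        ip_address(session.peer_ip) in net for net in AUTHORIZED_NETWORKS)


def is_local_domain(address):
    return address.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def rcpt_decision(session, recipient):
    """Reply to RCPT TO. Anything rejected here costs us no bounce later:
    the sending MTA, not this server, tells its user the mail failed."""
    if not is_local_domain(recipient):
        return (250, "OK") if may_relay(session) else (550, "relay not permitted")
    if recipient.lower() not in LOCAL_USERS:
        return (550, "no such user here")
    return (250, "OK")


def post_data_action(envelope):
    """What to do with a message we already accepted and scored.
    Returns 'deliver', 'relay', 'discard' or 'bounce'."""
    if envelope.spam_probability >= SPAM_THRESHOLD:
        return "discard"                     # bouncing spam is backscatter
    if not is_local_domain(envelope.recipient):
        return "relay"
    if envelope.recipient.lower() in LOCAL_USERS:
        return "deliver"
    # unknown local user that got past RCPT (for example a check that ran too late)
    return "bounce" if envelope.return_path else "discard"


def should_bounce_failed_delivery(envelope):
    """Permanent remote-delivery failure: notify the sender only if there is a
    real return-path and the message was not scored as spam."""
    return bool(envelope.return_path) and envelope.spam_probability < SPAM_THRESHOLD


def handle(session, envelope):
    """Run one message through both stages and describe the outcome."""
    code, text = rcpt_decision(session, envelope.recipient)
    if code != 250:
        return f"rejected at RCPT: {code} {text}"
    action = post_data_action(envelope)
    if action == "bounce":
        return f"bounced to {envelope.return_path}"
    return action


if __name__ == "__main__":
    # constructed sample traffic; 203.0.113.7 is a documentation address
    print(handle(Session("203.0.113.7"),
                 Envelope("someone@example.com", "nonexistant@yourjamesdomain.com")))
    print(handle(Session("127.0.0.1"),
                 Envelope("webapp@yourjamesdomain.com", "victim@example.org")))
```

The second sample call is the case David raises: a process on the box talking to 127.0.0.1 is relayed without any credentials, so a compromised local web application looks exactly like a legitimate authenticated user in the outgoing queue.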


Re: Tracking down source of spam

Posted by Stefano Bagnara <ap...@bago.org>.
>> 28/02/08 00:05:18 INFO  James.Mailet: RemoteDelivery: Storing message Mail1204048516460-8525-!297813-to-example.com into outgoing after 9 retries
>
> This just means James has tried 9 times to deliver this email to the
> recipient's mail server and is storing it for another go later.  Eventually
> James will give up and possibly send you a bounce message.
>
>> Again for domains I've never sent mail to.  I don't run any mailing lists
>> or do any spamming myself.
>>
>> This isn't just spooling mail, this is actually trying to deliver it,
>> right?
>
> Unfortunately, yes.  It looks like James is trying to send spam.

Why are we excluding that they are bounces?

If you send a message from someone@example.com to
nonexistant@yourjamesdomain.com then james will receive the message, fail to
find a local user named "nonexistant" and create a bounce to
someone@example.com.

Stefano

RE: Tracking down source of spam

Posted by Kenneth Wombo <ke...@hotmail.com>.
David Legg wrote:

> Unfortunately, yes. It looks like James is trying to send spam.
>
> If the laptop or PC you use to compose emails has been compromised with
> a virus it could be responsible for sending the spam via your James
> server. After all your PC knows how to authenticate itself.
>
> Next on the list of suspects could be a process running on your server
> and sending spam locally via James. This is possible if you have set up
> James to not require authentication from messages originating from the
> localhost IP address (127.0.0.1). Perhaps you have a web app on your
> server which allows messages to be sent and this has been compromised?
>
> Check your config file and see if the <authorizedAddresses> tag is set
> to 127.0.0.0/8 under the smtpserver > handler section.  Like so...
>
>    <smtpserver enabled="true">
>       <port>25</port>
>       <handler>
>          ...
>          <authRequired>true</authRequired>
>          <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
>       </handler>
>    </smtpserver>
>
> This setting requires authorization except for anything originating from
> 127.0.0.1
>

In my config file the XML element values were already set to what you specified above.  I checked to make sure that there wasn't a duplicate set of elements anywhere else in the file.

I've done several staggered tcpdump network packet captures for ports 25, 110, 465, and 995.  In what I've seen so far all the port 25 traffic has been "legit" inbound spam and email coming to addresses in my domain, plus the outgoing delivery of the transmitted spam.

I see a bunch of inbound traffic on port 995 from my home computer's IP which is encrypted, of course, so I can't see what's inside the packets, but I just realized that I left Thunderbird open during all of the captures so it's probably just Thunderbird checking for new mail.

During the periods when I was capturing there wasn't any port 25 or port 465 traffic from my home or office computer's IP addresses.  (And actually, there wasn't any port 465 traffic at all.)

I'll keep doing more packet captures, but is there any way to ask JAMES to log every SMTP authentication so that I can tentatively rule out whether or not the spam is getting in that way?

I'm using the default file-based repositories; is it feasible that if an attacker had complete access to the OS on my server, they might be inserting messages into the spool by directly creating files?  I could try setting up something to log the creation of files if that seems feasible to you.

Ken






Re: Tracking down source of spam

Posted by David Legg <da...@searchevent.co.uk>.
Hi Ken,

> In the logs named dnsserver-yyyy-mm-dd-hh-mm.log there are failed lookups of domain names listed: lots and lots and lots of them, for email addresses I've never sent mail to - heck, for ccTLD's I've never sent mail to.
>   

Don't worry about them.  There is a setting in James which looks up the 
domain mentioned in the from address.  Therefore just because a domain 
is mentioned in this log file it doesn't mean James was attempting to 
send an email to it.

> In the logs named mailet-yyyy-mm-dd-hh-mm.log there are entries like the following: 
>
> 28/02/08 00:05:18 INFO  James.Mailet: RemoteDelivery: Temporary exception delivering mail (Mail1204048516460-8525-!297813-to-example.com: 
>   

This just means the destination mail server was refusing to accept any 
email... probably because they use a technique called greylisting where 
they automatically reject email from somewhere they haven't dealt with 
before.  If your server is a proper server and not a spam bot it will 
attempt to deliver the email again and this time if enough time has 
passed it will be let through.

> 28/02/08 00:05:18 INFO  James.Mailet: RemoteDelivery: Storing message Mail1204048516460-8525-!297813-to-example.com into outgoing after 9 retries
>   
This just means James has tried 9 times to deliver this email to the 
recipient's mail server and is storing it for another go later.  
Eventually James will give up and possibly send you a bounce message.

> Again for domains I've never sent mail to.  I don't run any mailing lists or do any spamming myself.
>
> This isn't just spooling mail, this is actually trying to deliver it, right?
>   

Unfortunately, yes.  It looks like James is trying to send spam.

If the laptop or PC you use to compose emails has been compromised with 
a virus it could be responsible for sending the spam via your James 
server.  After all your PC knows how to authenticate itself.

Next on the list of suspects could be a process running on your server 
and sending spam locally via James.  This is possible if you have set up 
James to not require authentication from messages originating from the 
localhost IP address (127.0.0.1).  Perhaps you have a web app on your 
server which allows messages to be sent and this has been compromised?

Check your config file and see if the <authorizedAddresses> tag is set 
to 127.0.0.0/8 under the smtpserver > handler section.  Like so...

   <smtpserver enabled="true">
      <port>25</port>
      <handler>
         ...
         <authRequired>true</authRequired>
         <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
      </handler>
   </smtpserver>

This setting requires authorization except for anything originating from 
127.0.0.1

Regards,
David Legg




RE: Tracking down source of spam

Posted by Kenneth Wombo <ke...@hotmail.com>.
David Legg wrote:

> I think you are probably worrying unnecessarily.  It is quite normal to 
> see spam get accepted in your log files.  It only truly becomes spam if 
> James then delivers the queued email to someone's account rather than 
> killing it somewhere further down the pipeline.

> 
> By way of example let's track a recent spam email through my system (for 
> security I've renamed my actual domain to mydomain.co.uk to avoid blushes).
> 

In the logs named dnsserver-yyyy-mm-dd-hh-mm.log there are failed lookups of domain names listed: lots and lots and lots of them, for email addresses I've never sent mail to - heck, for ccTLD's I've never sent mail to.

In the logs named mailet-yyyy-mm-dd-hh-mm.log there are entries like the following: 

28/02/08 00:05:18 INFO  James.Mailet: RemoteDelivery: Temporary exception delivering mail (Mail1204048516460-8525-!297813-to-example.com: 
28/02/08 00:05:18 INFO  James.Mailet: RemoteDelivery: Storing message Mail1204048516460-8525-!297813-to-example.com into outgoing after 9 retries

Again for domains I've never sent mail to.  I don't run any mailing lists or do any spamming myself.

This isn't just spooling mail, this is actually trying to deliver it, right?

Speaking of blushing, there are *five gigs* worth of these log messages stretching back two years.  (I'm sure that volume of log files isn't unusual in general but it seems like a lot for one individual's personal email.)

I'm not trying to corner anyone or demanding some sort of concession, and I really do believe that this is quite possibly my own fault somewhere along the line.  I'm just looking for advice on how to analyze this.  

Also, let me apologize for my responses taking such a long time, I'm on the road a lot.

Stefano wrote:
> I don't see what username/password you mean and what you are trying to find.

I'm asking about whether the spammer is using a username/password that is necessitated when authentication is turned on, if I'm correct that the above log entries indicate that there's outgoing spam.

When I need a new email address I create an account with a password through the remote manager telnet interface.  I then put the account name and server info into my mail client, Thunderbird.  The first time Thunderbird sends an outgoing email it prompts me for a password and I enter the one that I created the account with.  (This is a separate, 2nd password prompt from the one requested the first time Thunderbird downloads received mail, if I'm recalling correctly.)  My understanding is that the point of turning on authentication is to make it necessary to have a username and password like this before any outgoing mail can be sent.

It might also help to explain - I'm a software developer and I'm pretty technical but I don't do much IT stuff and so this installation of JAMES is the only mail server I've ever managed.  I learned everything I know about email from JAMES, basically.

Thanks again,

Ken







Re: Tracking down source of spam

Posted by David Legg <da...@searchevent.co.uk>.
Hi Ken,

> Sorry, I meant what do you think I should do next to try to track down 
> the source of the spam I can see in the server logs?

Perhaps I can add to what Stefano has said already.

I think you are probably worrying unnecessarily.  It is quite normal to 
see spam get accepted in your log files.  It only truly becomes spam if 
James then delivers the queued email to someone's account rather than 
killing it somewhere further down the pipeline.

By way of example let's track a recent spam email through my system (for 
security I've renamed my actual domain to mydomain.co.uk to avoid blushes).

Looking in my smtpserver-2009-07-25-00-03.log file the first entry I see 
is...

  25/07/09 00:03:27 INFO  smtpserver: Connection from 201.2.193.95 (201.2.193.95)
  25/07/09 00:03:31 INFO  smtpserver: Successfully spooled mail Mail1248476610881-182307 from unsteadinessu@isc.iranet.net on 201.2.193.95 for [webmasterdd@mydomain.co.uk]

So... at first glance it looks like a spam email has been successfully 
received by James and the spammers have won.  But this is only half the 
story because it hasn't actually been dropped into anyone's mailbox 
yet.  What you should do now is search your recent log files to see what 
happened to this spooled email.  In my case since I have the Bayesian 
analysis filter setup I notice the following entry in the mailet log 
file (mailet-2009-07-25-00-03.log) just after the spam message was 
spooled: -

  25/07/09 00:03:33 INFO  James.Mailet: BayesianAnalysis: X-MessageIsSpamProbability: 100%; From: unsteadinessu@isc.iranet.net; Recipient(s): [webmasterdd@mydomain.co.uk]

From this I know that the email would be ghosted (destroyed) because 
that's how I set up the pipeline.


I hope that helps.

Regards,
David Legg


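Added example, not code from Apache James or from David or Ken: a small Python tracer that does what the walkthrough above does by hand, across a whole set of log lines. It correlates the smtpserver "Successfully spooled mail" entries with the BayesianAnalysis and RemoteDelivery entries in the mailet log, using the line formats quoted in this thread, and flags the three things the thread is trying to tell apart: a relayed message that was spooled from the authorized 127.0.0.0/8 network, relayed mail that the filter scored as spam, and RemoteDelivery activity for a mail name that was never spooled over SMTP, which is what a locally generated bounce (or a locally injected message) looks like. The sample log is constructed; the local domain, the spam threshold, and the reduction of a RemoteDelivery name such as Mail1204048516460-8525-!297813-to-example.com to its base id Mail1204048516460-8525 are assumptions.

```python
"""Trace spooled mail through James 2.3-style log lines and flag suspicious outcomes.

Added example, not code from Apache James or from anyone in the thread.
Line formats follow the excerpts quoted in the thread; the sample log is
constructed; LOCAL_DOMAINS, SPAM_THRESHOLD and base_id() are assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"mydomain.co.uk"}                   # assumed local domain
AUTHORIZED_NETWORKS = [ip_network("127.0.0.0/8")]    # the exemption discussed in the thread
SPAM_THRESHOLD = 90                                  # assumed, percent

SPOOLED = re.compile(
    r"smtpserver: Successfully spooled mail (?P<name>\S+) from (?P<sender>\S+) "
    r"on (?P<ip>[\d.]+) for \[(?P<rcpts>[^\]]*)\]")
BAYES = re.compile(
    r"BayesianAnalysis: X-MessageIsSpamProbability: (?P<prob>\d+)%; "
    r"From: (?P<sender>\S+); Recipient\(s\): \[(?P<rcpts>[^\]]*)\]")
REMOTE = re.compile(
    r"RemoteDelivery: (?:Temporary exception delivering mail \((?P<n1>[^:\s)]+)"
    r"|Storing message (?P<n2>\S+) into outgoing after (?P<retries>\d+) retries)")
BASE_ID = re.compile(r"^(Mail\d+-\d+)")

# Constructed sample: one inbound spam (David's case), one message relayed from
# localhost that the filter scored as spam, and one RemoteDelivery entry for a
# name that never appeared in the smtpserver log. 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """\
25/07/09 00:03:27 INFO  smtpserver: Connection from 201.2.193.95 (201.2.193.95)
25/07/09 00:03:31 INFO  smtpserver: Successfully spooled mail Mail1248476610881-182307 from unsteadinessu@isc.iranet.net on 201.2.193.95 for [webmasterdd@mydomain.co.uk]
25/07/09 00:03:33 INFO  James.Mailet: BayesianAnalysis: X-MessageIsSpamProbability: 100%; From: unsteadinessu@isc.iranet.net; Recipient(s): [webmasterdd@mydomain.co.uk]
25/07/09 00:04:10 INFO  smtpserver: Connection from 127.0.0.1 (127.0.0.1)
25/07/09 00:04:11 INFO  smtpserver: Successfully spooled mail Mail1248476651000-182308 from webform@mydomain.co.uk on 127.0.0.1 for [victim@example.com]
25/07/09 00:04:12 INFO  James.Mailet: BayesianAnalysis: X-MessageIsSpamProbability: 97%; From: webform@mydomain.co.uk; Recipient(s): [victim@example.com]
25/07/09 00:04:15 INFO  James.Mailet: RemoteDelivery: Temporary exception delivering mail (Mail1248476651000-182308-!1-to-example.com: 
25/07/09 00:09:15 INFO  James.Mailet: RemoteDelivery: Storing message Mail1248476651000-182308-!1-to-example.com into outgoing after 1 retries
25/07/09 00:05:00 INFO  James.Mailet: RemoteDelivery: Storing message Mail1248476700000-182309-!1-to-example.net into outgoing after 9 retries
"""


def base_id(name):
    """'Mail1204048516460-8525-!297813-to-example.com' -> 'Mail1204048516460-8525' (assumed)."""
    m = BASE_ID.match(name)
    return m.group(1) if m else name


def split_rcpts(text):
    return tuple(r.strip() for r in text.split(",") if r.strip())


def is_authorized(ip):
    return any(ip_address(ip) in net for net in AUTHORIZED_NETWORKS)


def trace(lines):
    """Correlate smtpserver and mailet log lines; return {base_id: record}."""
    mails = defaultdict(lambda: {"spooled": False, "sender": None, "ip": None,
                                 "rcpts": (), "spam": None, "remote": {}, "flags": []})
    bayes = {}
    for line in lines:
        m = SPOOLED.search(line)
        if m:
            rec = mails[base_id(m["name"])]
            rec.update(spooled=True, sender=m["sender"], ip=m["ip"],
                       rcpts=split_rcpts(m["rcpts"]))
            continue
        m = BAYES.search(line)
        if m:
            # the BayesianAnalysis line carries no mail name: correlate on sender+recipients
            bayes[(m["sender"], split_rcpts(m["rcpts"]))] = int(m["prob"])
            continue
        m = REMOTE.search(line)
        if m:
            name = m["n1"] or m["n2"]
            rec = mails[base_id(name)]
            dom = name.rsplit("-to-", 1)[1] if "-to-" in name else "?"
            rec["remote"][dom] = max(rec["remote"].get(dom, 0), int(m["retries"] or 0))

    for rec in mails.values():
        rec["spam"] = bayes.get((rec["sender"], rec["rcpts"]))
        spammy = rec["spam"] is not None and rec["spam"] >= SPAM_THRESHOLD
        flags = rec["flags"]
        if rec["remote"] and not rec["spooled"]:
            flags.append("locally generated: RemoteDelivery without an SMTP spool entry "
                         "(bounce or local injection)")
        if rec["spooled"] and rec["remote"]:
            if is_authorized(rec["ip"]):
                flags.append("relayed from authorized network %s (SMTP AUTH not required there)" % rec["ip"])
            else:
                flags.append("relayed from %s: confirm this session authenticated" % rec["ip"])
            if spammy:
                flags.append("outbound mail classified as spam")
        if rec["spooled"] and not rec["remote"] and spammy:
            flags.append("inbound spam, no outbound delivery attempted")
    return dict(mails)


if __name__ == "__main__":
    for mid, rec in trace(SAMPLE_LOG.splitlines()).items():
        print(mid, rec["ip"], sorted(rec["remote"].items()), rec["flags"])
```

Run it over the concatenated smtpserver-*.log and mailet-*.log files for the same period. The BayesianAnalysis line carries no mail name, so it is matched on sender plus recipients, which can mis-attribute a score when the same sender hits the same recipients repeatedly; and the "locally generated" flag is a heuristic, since a bounce produced by the error processor and a message injected by a local process both show up as RemoteDelivery work with no matching SMTP spool line.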