Posted to server-user@james.apache.org by Tor-Einar Jarnbjo <to...@jarnbjo.name> on 2008/10/29 21:34:08 UTC
Re: Current abuse of James 2.3.0 as open relay
Tor-Einar Jarnbjo schrieb:
> I didn't notice until I realized that outgoing mails seemed to "hang"
> somewhere, but obviously someone has been able to use my James server
> as an open relay a few days ago and my outgoing spool repository was
> filled up with undeliverable mails. After deleting the mails from the
> spool table, the server seems to work fine again now.
Hi,
I'll pick up my own mail from June again and report, that it happened
again. I'm more or less 100% convinced that my James installation is
configured properly, but the last few days, a "spam wave" managed to
fill up my spool table again with SMTP connects from a UK IP address.
Both sender and recipient addresses were mostly in the .uk TLD and not
local. After the server managed to forward some of the mails, about
40,000 mails were left in the spool table and choked the server
completely, making it unable to process regular outgoing mails.
The first log entries in the smtpserver log looked like this:
27/10/08 13:14:17 INFO smtpserver: Connection from
wvps212-241-x-x.vps.webfusion.co.uk (212.241.x.x)
27/10/08 13:14:18 INFO smtpserver: Successfully spooled mail
Mail1225109658790-1134809 from ...@abbey.co.uk on 212.241.221.21 for
[...@telewest.co.uk, ...@yahoo.co.uk, ...@backhome.co.uk,
...@yahoo.co.uk, ...@ukonline.co.uk, ...@ukonline.co.uk,
...@headboy.co.uk, ...@esc.cam.ac.uk, ...@europoint.co.uk,
...@telewest.co.uk, ...@4thenet.co.uk, ...@telewest.co.uk,
...@yahoo.co.uk, ...@yahoo.co.uk, ...@esc.cam.ac.uk,
..@blueyonder.co.uk, ...@blueyonder.co.uk, ...@doctors.net.uk,
...@doctors.org.uk, ...@grim.abel.co.uk]
(I've deleted the user part of the e-mail addresses and the last two
numbers in the client IP address, but there's nothing obviously wrong
with them.)
After this, the same client managed to open more than 5000 connections
over the next two days and filled up my server.
Is there anything I can do to more easily find the reason why James
thinks it's ok to spool these mails without authentication from the
client? I've looked into the source code, but did of course not find
anything obviously wrong. The only thing I can see is that SMTP
authentications are logged, which makes me sure that the spammer has not
managed to hack a username/password combination, but is indeed sending
these mails without logging in.
Tor
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
Re: Current abuse of James 2.3.0 as open relay
Posted by David Legg <da...@searchevent.co.uk>.
I guess the only way to be sure of what is going on is to capture the
complete network conversation that goes on when this address connects...
but I don't know what tools you could use for that. Switching all the
logging to debug would create a lot of unusable output.
I presume you have a firewall in place that only opens the bare minimum
of ports to the outside world? I would hope that the manager port is
not open for example.
David Legg
Re: Current abuse of James 2.3.0 as open relay
Posted by Tor-Einar Jarnbjo <to...@jarnbjo.name>.
Stefano Bagnara schrieb:
> Did you get thousands of unauthorized "relay" like in June?
>
It was similar. The spammer managed to deliver about 100.000 mails, of
which 60.000 were forwarded and 40.000 left in the spool because of the
recipients' mail server not accepting the mail for some reason.
> Did they originate from a single IP? Did it successfully send ALL mails
> or first started with some failure? Does it connect with multiple
> connections or a single connection?
>
All mails originated from the same IP, there were no errors to start
with (as I experienced in June) and the mails were sent using different
SMTP connections. I think without exception, the client connected, sent
one message to 20 different recipients, disconnected and repeated this
procedure about 5000 times with some breaks over a period of 24 hours.
Tor
Re: Current abuse of James 2.3.0 as open relay
Posted by Stefano Bagnara <ap...@bago.org>.
Tor-Einar Jarnbjo ha scritto:
> Stefano Bagnara schrieb:
>> Have you tried to reproduce the same FROM/TO in an SMTP conversation
>> originated remotely to see if JAMES replies you what you expect?
>>
>
> Hi Stefano,
> yes I have. It answers with:
>
> 530 5.7.1 Authentication Required
>
> Regards,
> Tor
Did you get thousands of unauthorized "relay" like in June?
Did they originate from a single IP? Did it successfully send ALL mails
or first started with some failure? Does it connect with multiple
connections or a single connection?
Stefano
Re: Current abuse of James 2.3.0 as open relay
Posted by Tor-Einar Jarnbjo <to...@jarnbjo.name>.
Stefano Bagnara schrieb:
> Have you tried to reproduce the same FROM/TO in an SMTP conversation
> originated remotely to see if JAMES replies you what you expect?
>
Hi Stefano,
yes I have. It answers with:
530 5.7.1 Authentication Required
Regards,
Tor
Re: Current abuse of James 2.3.0 as open relay
Posted by Stefano Bagnara <ap...@bago.org>.
Tor-Einar Jarnbjo ha scritto:
> The connections causing the spam hiccup this week were _not_
> authenticated, or at least James did not log any authentication attempt:
>
> 27/10/08 13:14:17 INFO smtpserver: Connection from
> wvps212-241-x-y.vps.webfusion.co.uk (212.241.x.y)
> 27/10/08 13:14:18 INFO smtpserver: Successfully spooled mail
> Mail1225109658790-1134809 from ...@abbey.co.uk on 212.241.x.y for
> [...@telewest.co.uk, ...@yahoo.co.uk, ...@backhome.co.uk,
> ...@yahoo.co.uk, ...@ukonline.co.uk, ...@ukonline.co.uk,
> ...@headboy.co.uk, ...@esc.cam.ac.uk, ...@europoint.co.uk,
> ...@telewest.co.uk, ...@4thenet.co.uk, ...@telewest.co.uk,
> ...@yahoo.co.uk, ...@yahoo.co.uk, ...@esc.cam.ac.uk,
> ...@blueyonder.co.uk, ...@blueyonder.co.uk, ...@doctors.net.uk,
> ...@doctors.org.uk, ...@grim.abel.co.uk]
>
> To me, it looks very much as if James is actually accepting to relay
> these messages without authentication, although the config file
> indicates that it shouldn't.
>
> Tor
Have you tried to reproduce the same FROM/TO in an SMTP conversation
originated remotely to see if JAMES replies you what you expect?
Stefano
Re: Current abuse of James 2.3.0 as open relay
Posted by David Legg <da...@searchevent.co.uk>.
Hi Tor,
> I had a few rounds again today with spam relaying and thought I'd be
> kind enough to relay to you (haha) what happened. The spammer did
> indeed authenticate and probably managed to find the password of one
> of my user accounts (with a very common account name) using a
> dictionary attack.
Thanks for the update. It's good to know it wasn't because of a
security problem with James. What a relief!
Regards,
David Legg
Re: Current abuse of James 2.3.0 as open relay
Posted by Tor-Einar Jarnbjo <to...@jarnbjo.name>.
Tor-Einar Jarnbjo schrieb:
> I'll leave it with that for the moment and "hope" that I'll experience
> a similar attack soon and get some more information out of the SMTP log.
I had a few rounds again today with spam relaying and thought I'd be
kind enough to relay to you (haha) what happened. The spammer did indeed
authenticate and probably managed to find the password of one of my user
accounts (with a very common account name) using a dictionary attack. At
least I've learned not to trust even clever people to choose a secure
password.
I would however suggest that you increase the log level of the login
auth command to info and add the authenticated user name to the log
output. That would probably have saved me from lot of work to begin with.
Regards,
Tor
Re: Current abuse of James 2.3.0 as open relay
Posted by Tor-Einar Jarnbjo <to...@jarnbjo.name>.
Stefano Bagnara schrieb:
> Maybe I found an answer to this looking at source code.
> AuthCmdHandler logs at INFO level the "AUTH method PLAIN succeeded" but
> only at DEBUG level an "AUTH method LOGIN succeeded".
> So maybe your client is using the LOGIN style to auth.
>
> You probably want to increase your log level for SMTPServer to DEBUG...
>
I did take a look at the AuthCmdHandler myself, but missed the fact that
the LOGIN authentication was logged at debug level. I've patched
AuthCmdHandler to log the username as well and changed the log level to
DEBUG. I can of course not guarantee that no one has managed to
compromise a password and is abusing an existing account for relaying
spam, but I ruled that out, since the lack of log output made me believe
that the client was not authenticated.
I've tried to find any kind of information in the other log files and
found lots of POP3 connections from a similar IP address (same hosting
company) a few days earlier. It might be possible that someone has
managed to find a POP3 password with a dictionary attack and used it
later to get authenticated SMTP access. It's not clear to me however
from the POP3 log if a login was successful or failed, as it only logs
"connection from ..." and then "connection for <user name> ... closed".
I'll leave it with that for the moment and "hope" that I'll experience a
similar attack soon and get some more information out of the SMTP log.
Many thanks to you and David for helping me out!
Regards,
Tor
Re: Current abuse of James 2.3.0 as open relay
Posted by Stefano Bagnara <ap...@bago.org>.
Tor-Einar Jarnbjo ha scritto:
>> As I said earlier I can't see anything wrong. In general, from 3.2
>> onwards if you have turned SMTP authentication on you can be sure that
>> any attempt to send a message to a non-local address will require SMTP
>> Authentication.
> Obviously, it doesn't. If I send a mail regularly to a remote host from
> my own mail client, the SMTP authentication is logged by James:
>
> 31/10/08 21:28:05 INFO smtpserver: Connection from
> ppp-62-216-221-238.dynamic.mnet-online.de (62.216.221.238)
> 31/10/08 21:28:05 INFO smtpserver: AUTH method PLAIN succeeded
> 31/10/08 21:28:05 INFO smtpserver: Successfully spooled mail
> Mail1225484885644-22503 from tor-einar@jarnbjo.name on 62.216.221.238
> for [tor-einar.jarnbjo@xxx]
>
> The connections causing the spam hiccup this week were _not_
> authenticated, or at least James did not log any authentication attempt:
>
> 27/10/08 13:14:17 INFO smtpserver: Connection from
> wvps212-241-x-y.vps.webfusion.co.uk (212.241.x.y)
> 27/10/08 13:14:18 INFO smtpserver: Successfully spooled mail
> Mail1225109658790-1134809 from ...@abbey.co.uk on 212.241.x.y for
> [...@telewest.co.uk, ...@yahoo.co.uk, ...@backhome.co.uk,
> ...@yahoo.co.uk, ...@ukonline.co.uk, ...@ukonline.co.uk,
> ...@headboy.co.uk, ...@esc.cam.ac.uk, ...@europoint.co.uk,
> ...@telewest.co.uk, ...@4thenet.co.uk, ...@telewest.co.uk,
> ...@yahoo.co.uk, ...@yahoo.co.uk, ...@esc.cam.ac.uk,
> ...@blueyonder.co.uk, ...@blueyonder.co.uk, ...@doctors.net.uk,
> ...@doctors.org.uk, ...@grim.abel.co.uk]
>
> To me, it looks very much as if James is actually accepting to relay
> these messages without authentication, although the config file
> indicates that it shouldn't.
Maybe I found an answer to this looking at source code.
AuthCmdHandler logs at INFO level the "AUTH method PLAIN succeeded" but
only at DEBUG level an "AUTH method LOGIN succeeded".
So maybe your client is using the LOGIN style to auth.
You probably want to increase your log level for SMTPServer to DEBUG...
I read the RcptCmdHandler code at least 20 times to find an explanation
to your issue and I saw no possible bugs there. So either your user is
authenticated or he is from an authorized network.
Stefano
Re: Current abuse of James 2.3.0 as open relay
Posted by David Legg <da...@searchevent.co.uk>.
Tor,
>> * Your smtpserver has 'authorizedAddresses' set to '127.*' which is
>> fine. However, this will allow any process running on your server to
>> send remote email without requiring SMTP authorization. Is it
>> possible you have a web app running on your server which is being
>> used by the spammer to send email?
> Allowing localhost unauthorized access is on purpose, but I'm sure
> that the webapps running on the same host are not causing the spam
> relaying. First of all, all code in the webapps only allow one
> recipient per message, second, James is logging the SMTP connection
> from a remote IP address. This time, all connections came from a
> virtual server hosted by a UK company.
Could you check your web server logs to see if you notice any web
activity from this same IP address at around the same time your James
logs noticed the spams?
If there is no sign of any activity then we can probably discount the
web-apps being misused.
Regards,
David Legg
Re: Current abuse of James 2.3.0 as open relay
Posted by Tor-Einar Jarnbjo <to...@jarnbjo.name>.
David Legg schrieb:
> I've had a chance to look over your file and didn't find any glaring
> errors. Here are some suggestions you may like to look into: -
>
> * The nntpserver is enabled. Unless you need it, I would disable it.
I noticed it myself, but it shouldn't be relevant to my current issue.
> * Your smtpserver has 'authorizedAddresses' set to '127.*' which is
> fine. However, this will allow any process running on your server to
> send remote email without requiring SMTP authorization. Is it
> possible you have a web app running on your server which is being used
> by the spammer to send email?
Allowing localhost unauthorized access is on purpose, but I'm sure that
the webapps running on the same host are not causing the spam relaying.
First of all, all code in the webapps only allow one recipient per
message, second, James is logging the SMTP connection from a remote IP
address. This time, all connections came from a virtual server hosted by
a UK company.
> * In your transport processor you have deliveryThreads set to '1'.
> This is OK if you are short of memory but it will mean your entire
> mail sending capability will be halted if the address you are sending
> to is not responding properly (e.g. because of Tarpitting or
> Teergrubing). I've set mine to 4 which seems to be adequate.
That shouldn't be a problem, I only have a few hundred outbound mails daily.
> * I notice you have left '&fetchmailConfig;' in your config. Again
> unless you need fetchmail I would remove it.
I could do that, but the default fetchmail config starts with <fetchmail
enabled="false">, so I assumed that it doesn't bother including it in
config.xml.
> Hope that helps.
Not really :(
> As I said earlier I can't see anything wrong. In general, from 3.2
> onwards if you have turned SMTP authentication on you can be sure that
> any attempt to send a message to a non-local address will require SMTP
> Authentication.
Obviously, it doesn't. If I send a mail regularly to a remote host from
my own mail client, the SMTP authentication is logged by James:
31/10/08 21:28:05 INFO smtpserver: Connection from
ppp-62-216-221-238.dynamic.mnet-online.de (62.216.221.238)
31/10/08 21:28:05 INFO smtpserver: AUTH method PLAIN succeeded
31/10/08 21:28:05 INFO smtpserver: Successfully spooled mail
Mail1225484885644-22503 from tor-einar@jarnbjo.name on 62.216.221.238
for [tor-einar.jarnbjo@xxx]
The connections causing the spam hiccup this week were _not_
authenticated, or at least James did not log any authentication attempt:
27/10/08 13:14:17 INFO smtpserver: Connection from
wvps212-241-x-y.vps.webfusion.co.uk (212.241.x.y)
27/10/08 13:14:18 INFO smtpserver: Successfully spooled mail
Mail1225109658790-1134809 from ...@abbey.co.uk on 212.241.x.y for
[...@telewest.co.uk, ...@yahoo.co.uk, ...@backhome.co.uk,
...@yahoo.co.uk, ...@ukonline.co.uk, ...@ukonline.co.uk,
...@headboy.co.uk, ...@esc.cam.ac.uk, ...@europoint.co.uk,
...@telewest.co.uk, ...@4thenet.co.uk, ...@telewest.co.uk,
...@yahoo.co.uk, ...@yahoo.co.uk, ...@esc.cam.ac.uk,
...@blueyonder.co.uk, ...@blueyonder.co.uk, ...@doctors.net.uk,
...@doctors.org.uk, ...@grim.abel.co.uk]
To me, it looks very much as if James is actually accepting to relay
these messages without authentication, although the config file
indicates that it shouldn't.
Tor
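A small log triage script, added here as an example and not code from the thread or from James itself, that applies the check this thread converges on to constructed lines in the smtpserver log format quoted above: flag every spooled mail that needs relaying (a non-local recipient) from a client outside authorizedAddresses for which no "AUTH method ... succeeded" line was logged, and count spooled mails per client IP. The local domain, host names, IPs, addresses and message ids are assumed. Keep in mind the finding later in the thread: James 2.3.0 logs a successful AUTH LOGIN only at DEBUG, so a flagged mail may still come from a compromised account, and the list is a starting point for investigation, not a verdict.

```python
import re
from collections import Counter
from fnmatch import fnmatch

# Constructed sample lines in the James 2.3 smtpserver log format quoted in the
# thread; hosts, IPs, mailbox names and message ids are made up, and example.org
# is the assumed local domain.
SAMPLE_LOG = """\
27/10/08 13:14:17 INFO smtpserver: Connection from vps-a.example.net (203.0.113.10)
27/10/08 13:14:18 INFO smtpserver: Successfully spooled mail Mail100-1 from a@abbey.example on 203.0.113.10 for [x@telewest.example, y@yahoo.example]
27/10/08 13:14:40 INFO smtpserver: Connection from vps-a.example.net (203.0.113.10)
27/10/08 13:14:41 INFO smtpserver: Successfully spooled mail Mail100-2 from a@abbey.example on 203.0.113.10 for [z@ukonline.example]
31/10/08 21:28:05 INFO smtpserver: Connection from ppp-1.example.net (198.51.100.7)
31/10/08 21:28:05 INFO smtpserver: AUTH method PLAIN succeeded
31/10/08 21:28:05 INFO smtpserver: Successfully spooled mail Mail200-1 from tor@example.org on 198.51.100.7 for [friend@elsewhere.example]
31/10/08 22:00:00 INFO smtpserver: Connection from localhost (127.0.0.1)
31/10/08 22:00:01 INFO smtpserver: Successfully spooled mail Mail300-1 from app@example.org on 127.0.0.1 for [user@example.org, other@example.org]
"""

LOCAL_DOMAINS = {"example.org"}    # assumed: the domains this James instance serves
AUTHORIZED_ADDRESSES = ["127.*"]   # the authorizedAddresses value quoted in the thread

CONN_RE = re.compile(r"Connection from \S+ \((?P<ip>[\d.]+)\)")
AUTH_RE = re.compile(r"AUTH method \w+ succeeded")
SPOOL_RE = re.compile(
    r"Successfully spooled mail (?P<id>\S+) from \S+ on (?P<ip>[\d.]+) "
    r"for \[(?P<rcpts>[^\]]*)\]"
)

def is_authorized(ip, patterns=AUTHORIZED_ADDRESSES):
    """Match the way authorizedAddresses wildcards work: '127.*' covers 127.0.0.1."""
    return any(fnmatch(ip, p) for p in patterns)

def needs_relay(rcpts, local_domains=LOCAL_DOMAINS):
    """True when at least one recipient is outside the locally served domains."""
    return any(r.rsplit("@", 1)[-1].lower() not in local_domains for r in rcpts)

def triage(log_text, local_domains=LOCAL_DOMAINS, authorized=AUTHORIZED_ADDRESSES):
    """Return (suspect mail ids, number of spooled mails per client IP).

    A spooled mail is suspect when it needs relaying, the client is outside the
    authorized networks, and no 'AUTH method ... succeeded' line was logged since
    that client's last 'Connection from'. Assumption: lines are read in order and
    an AUTH line belongs to the most recent connection, which only holds when
    sessions do not interleave (James writes no session id into these lines).
    """
    auth_ok = {}            # client ip -> a successful AUTH was logged
    last_ip = None
    suspects, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            last_ip = m.group("ip")
            auth_ok[last_ip] = False    # new session, authentication starts over
            continue
        if AUTH_RE.search(line) and last_ip is not None:
            auth_ok[last_ip] = True
            continue
        m = SPOOL_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        rcpts = [r.strip() for r in m.group("rcpts").split(",") if r.strip()]
        per_ip[ip] += 1
        unlogged_auth = not auth_ok.get(ip, False)
        if needs_relay(rcpts, local_domains) and not is_authorized(ip, authorized) and unlogged_auth:
            suspects.append(m.group("id"))
    return suspects, per_ip

if __name__ == "__main__":
    ids, counts = triage(SAMPLE_LOG)
    for mail_id in ids:
        print("relayed with no AUTH success logged:", mail_id)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} mails spooled")
```

Run against a real smtpserver log only after raising the AUTH handler to INFO (or SMTPServer to DEBUG), otherwise every LOGIN-authenticated session shows up as a suspect.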
Re: Current abuse of James 2.3.0 as open relay
Posted by David Legg <da...@searchevent.co.uk>.
Hi Tor,
> I've sent you the config file in a private mail with the passwords
> deleted (I hope :-).
I've had a chance to look over your file and didn't find any glaring
errors. Here are some suggestions you may like to look into: -
* The nntpserver is enabled. Unless you need it, I would disable it.
* Your smtpserver has 'authorizedAddresses' set to '127.*' which is
fine. However, this will allow any process running on your server to
send remote email without requiring SMTP authorization. Is it possible
you have a web app running on your server which is being used by the
spammer to send email?
* Since you are using SMTP authentication you can safely get rid of the
anti-relay mailet check at the end of the transport processor - just
delete the following:
    <!-- CHECKME! -->
    <!-- This is an anti-relay matcher/mailet combination -->
    ...
    <!-- If you are using SMTP authentication then you can (and generally -->
    <!-- should) disable this matcher/mailet pair. -->
    <mailet match="All" class="ToProcessor">
        <processor> relay-denied </processor>
        <notice>550 - Requested action not taken: relaying denied</notice>
    </mailet>
* In your transport processor you have deliveryThreads set to '1'. This
is OK if you are short of memory but it will mean your entire mail
sending capability will be halted if the address you are sending to is
not responding properly (e.g. because of Tarpitting or Teergrubing). I've
set mine to 4 which seems to be adequate.
* I notice you have left '&fetchmailConfig;' in your config. Again
unless you need fetchmail I would remove it.
Hope that helps. As I said earlier I can't see anything wrong. In
general, from 3.2 onwards if you have turned SMTP authentication on you
can be sure that any attempt to send a message to a non-local address
will require SMTP Authentication. The one big exception to this is any
message sent to James which originated from the server itself (from a
web application for example) is not challenged by the SMTP server.
Regards,
David Legg
Re: Current abuse of James 2.3.0 as open relay
Posted by Tor-Einar Jarnbjo <to...@jarnbjo.name>.
David Legg schrieb:
> I'd be happy to give your config.xml file a once-over if you send it
> to me (sanitized or otherwise).
Hi David,
I'd appreciate that a lot. I've sent you the config file in a private
mail with the passwords deleted (I hope :-).
Regards,
Tor
Re: Current abuse of James 2.3.0 as open relay
Posted by David Legg <da...@searchevent.co.uk>.
I'd be happy to give your config.xml file a once-over if you send it to
me (sanitized or otherwise).
Regards,
David Legg
Re: Current abuse of James 2.3.0 as open relay
Posted by Tor-Einar Jarnbjo <to...@jarnbjo.name>.
Hi David,
> From the partial smtpserver log you showed I wonder if the spammer is
> simply trying to send a message containing lots of RCPT commands. If
> that's the case then turning on tarpitting [1] may help to regulate
> how quickly the spammer can stuff your machine.
That would probably reduce the problem, but I am more interested in
actually solving it. James shouldn't accept the mails at all without
authentication, since the RCPT list doesn't contain any local addresses.
Tor
Re: Current abuse of James 2.3.0 as open relay
Posted by David Legg <da...@searchevent.co.uk>.
Hi Tor,
> I'm more or less 100% convinced that my James installation is
> configured properly, but the last few days, a "spam wave" managed to
> fill up my spool table again with SMTP connects from a UK IP address.
>
> Is there anything I can do to more easily find the reason why James
> thinks it's ok to spool these mails without authentication from the
> client? I've looked into the source code, but did of course not find
> anything obviously wrong. The only thing I can see is that SMTP
> authentications are logged, which makes me sure that the spammer has
> not managed to hack a username/password combination, but is indeed
> sending these mails without logging in.
From the partial smtpserver log you showed I wonder if the spammer is
simply trying to send a message containing lots of RCPT commands. If
that's the case then turning on tarpitting [1] may help to regulate how
quickly the spammer can stuff your machine.
I have the following in my config.xml file: -
<smtpserver enabled="true">
    ...
    <handler>
        ...
        <handlerchain>
            ...
            <handler command="RCPT"
                     class="org.apache.james.smtpserver.RcptCmdHandler">
                <maxRcpt> 100 </maxRcpt>
                <tarpitRcptCount> 20 </tarpitRcptCount>
                <tarpitSleepTime> 5000 </tarpitSleepTime>
            </handler>
            ...
        </handlerchain>
    </handler>
</smtpserver>
Regards,
David Legg
[1] http://www.palomine.net/qmail/tarpit.html