Posted to server-user@james.apache.org by Marc Chamberlin <ma...@marcchamberlin.com> on 2008/09/17 19:28:45 UTC
my mail server is compromised!
Well I am going to need some help from the James email server gurus. My
James 2.3.1 server, running under SuSE Linux 11.0, has definitely been
compromised and I need to get it fixed asap. There is a particular piece
of spam showing up in the mail lists now daily, that I have James
servicing, and all users of that list are getting it. (I suspect all
regular users of my mail server as well, at least my wife and I do...)
To me this indicates that mysql has been compromised as well since to my
understanding that is the only place where all the email address of my
clients are stored.
I have changed all of the system and my user account passwords, checked
for anything suspicious in the mysql database, changed all passwords
associated with users of mysql, and reconfigured James with the
necessary passwords... I have not asked all my James email users to
change their passwords yet, figured I would ask here first... James uses
smtp authorizations. The spam looks like it is either coming from my
personal account (I am the only non system user on this Linux system) or
it appears to be coming from the person to which the spam is sent i.e.
as if the receiver is also the sender. Same goes for the Reply To field
of the spam.
So what should I do next to stop this crap? Thanks for any and all help
offered...
Marc Chamberlin...
FYI - I tried to include a copy of the spam here for reference, but
the mail server for this mail list was overly aggressive and bounced my email.
Makes it rather hard to share information about who the particular spammer is.
In a nutshell the spam is selling replicated watches. The source code of the
spam email is encoded in base64, probably so as to bypass filters.
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
Re: my mail server is compromised!
Posted by David Legg <da...@searchevent.co.uk>.
Hi Marc,
>> Well, I'm no guru but I can tell you that, in all probability, your
>> server has not been compromised - in the sense that someone has
>> broken in and is merrily sending stuff in your name.
>>
> Thanks David for your reply and I hear what you are saying about
> trust... But in the past James has always verified that only members
> of a list server could send email to/through that list server. I have
> noted a lot of attempts by spammers to impersonate me or another user,
> when trying to send email to the list server but those attempts have
> always failed in the past. What has changed and why should this check
> now be failing?
Sorry, I didn't pick up on the fact that you were talking about a list.
I've not implemented that myself so I don't have first-hand knowledge.
That said, I've just been looking at the code. I notice that the
CommandListServProcessor class simply calls mail.getSender() to check
that an incoming message is OK to post to the list. According to the
JavaDocs [1] this uses the MAIL FROM header of the email which as I
discussed in my first email is easy to forge by a spammer.
So, all a spammer has to do to get his nastiness posted on your list is
to send an email to your announce email address with a forged 'Mail
From' header that matches that of someone in your list's list of allowed
users.
That sounds to me like something a clever piece of spam technology could
do. For example, if any of your list's users has had an infected PC in
which the user's address book was stolen then your announce email
address and one or two of the list users addresses would be present.
The laws of chance would then dictate that sooner or later the right
combination got sent.
> My understanding of Bayesian filters is that they require some sort of
> feedback to train them on what is junk and what is not. I can
> understand how this is done in an email client but I couldn't
> understand how it would be done on a server... So I never bothered with
> it...
The James Bayesian Analysis mailet does require you to feed it with ham
and spam messages. This is onerous at first but the effort quickly
diminishes as the amount of spam lessens. All you have to do is forward
the offending or innocent email as an attachment (something which
Thunderbird does automatically) to one of two special email addresses
hosted by your server.
> Also I am using SMTP Auth which requires a password to send email via
> the server, not simply SMTP.
SMTP Auth only requires a sender to be authorized if they are trying to
send an email out from the server. If an incoming email is destined for
someone local to your server it isn't required (if it was then random
people wouldn't be able to email you!). I'm not sure but I would think
people emailing your announce address would be treated as a local email
and wouldn't need a password.
> Are you in fact telling me to enable the Bayesian filter and that is
> my only hope?
I'm hoping someone else will chime in here, but I think you definitely
need something to perform more rigorous checks.
Regards,
David Legg
[1] http://james.apache.org/server/2.3.1/apidocs/org/apache/mailet/Mail.html#getSender()
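Added example, not code from this thread or from Apache James: a small Python model of the list gate David describes (trust the envelope sender returned by getSender()) beside a hardened gate that also requires the SMTP session to have authenticated as that member, which is the check David says is skipped for mail arriving for a local address. The attribute name, the list address and the member addresses are assumptions.

```python
from dataclasses import dataclass, field

# Assumption: James marks mail accepted over an authenticated SMTP session with
# this attribute, holding the login name. Name taken from James 2.3, unverified.
SMTP_AUTH_USER_ATTR = "org.apache.james.SMTPAuthUser"

LIST_ADDRESS = "announce@example.org"                 # constructed list address
MEMBERS = {"alice@example.org", "bob@example.net"}    # constructed member table


@dataclass
class Mail:
    """Constructed stand-in for the mailet Mail object."""
    sender: str                 # envelope MAIL FROM, what getSender() returns
    recipients: list
    attributes: dict = field(default_factory=dict)


def weak_allowed(mail):
    """The check the thread describes: the envelope sender is a member."""
    return mail.sender.lower() in MEMBERS


def hardened_allowed(mail):
    """Accept only if the session authenticated as the claimed member."""
    sender = mail.sender.lower()
    if sender not in MEMBERS:
        return False
    auth_user = mail.attributes.get(SMTP_AUTH_USER_ATTR)
    if auth_user is None:            # unauthenticated: MAIL FROM is unverified
        return False
    auth_user = auth_user.lower()
    # the login may be the full address or just the local part
    return auth_user in (sender, sender.split("@", 1)[0])


# Constructed sample posts to the list
LEGIT = Mail("alice@example.org", [LIST_ADDRESS],
             {SMTP_AUTH_USER_ATTR: "alice"})
FORGED = Mail("alice@example.org", [LIST_ADDRESS])   # member address, no auth
MISMATCH = Mail("alice@example.org", [LIST_ADDRESS],
                {SMTP_AUTH_USER_ATTR: "bob"})        # authenticated, but as bob
STRANGER = Mail("nobody@example.com", [LIST_ADDRESS])


def decisions():
    """Compare the two gates on the samples; returns {name: (weak, hardened)}."""
    samples = {"legit": LEGIT, "forged": FORGED,
               "mismatch": MISMATCH, "stranger": STRANGER}
    return {n: (weak_allowed(m), hardened_allowed(m)) for n, m in samples.items()}
```

The hardened gate rejects members who post from elsewhere without authenticating, so it only suits lists whose members submit through this server; for the rest a content filter such as the Bayesian mailet David recommends is still needed.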
Re: my mail server is compromised!
Posted by Marc Chamberlin <ma...@marcchamberlin.com>.
David Legg wrote:
> Hi Marc,
>
>> Well I am going to need some help from the James email server gurus.
>> My James 2.3.1 server, running under SuSE Linux 11.0, has definitely
>> been compromised and I need to get it fixed asap.
>
> Well, I'm no guru but I can tell you that, in all probability, your
> server has not been compromised - in the sense that someone has broken
> in and is merrily sending stuff in your name.
>
> A big problem with the standard SMTP protocol is that it is too
> trusting. If you talk to a server and tell it the following message
> is from Father Christmas then it believes you! It is very common for
> spam to simply lie about the 'from' and 'reply-to' fields.
>
> James has a number of techniques for reducing spam and trawling the
> mail archive will confirm that. The trouble is there is no one
> technique which will prevent all spam in a single go. As I have
> mentioned before on this list I am a big fan of Bayesian Analysis.
> This single bit of code on my James server only lets through about 5
> spams a day out of a total of 650! Your mileage may vary.
>
> Regards,
> David Legg
Thanks David for your reply and I hear what you are saying about
trust... But in the past James has always verified that only members of
a list server could send email to/through that list server. I have noted
a lot of attempts by spammers to impersonate me or another user, when
trying to send email to the list server but those attempts have always
failed in the past. What has changed and why should this check now be
failing? We have never had spam get into a mail list before and trust me
the users are (were) grateful! I don't mind so much the crap sent to
regular users and yes I should enable the Bayesian Analyzer on James...
I have never had the time to figure out how but now the time may be
ripe... My understanding of Bayesian filters is that they require some
sort of feedback to train them on what is junk and what is not. I can
understand how this is done in an email client but I couldn't understand
how it would be done on a server... So I never bothered with it...
Anywise I really need to keep the %$*&! spam out of the mail lists, that
is my primary concern... So again I ask, did one of em somehow manage to
break in and exploit some sort of flaw? How should I go about preventing
it? Also I am using SMTP Auth which requires a password to send email
via the server, not simply SMTP. Are you in fact telling me to enable
the Bayesian filter and that is my only hope?
Marc...
Re: my mail server is compromised!
Posted by David Legg <da...@searchevent.co.uk>.
Hi Marc,
> Well I am going to need some help from the James email server gurus.
> My James 2.3.1 server, running under SuSE Linux 11.0, has definitely
> been compromised and I need to get it fixed asap.
Well, I'm no guru but I can tell you that, in all probability, your
server has not been compromised - in the sense that someone has broken
in and is merrily sending stuff in your name.
A big problem with the standard SMTP protocol is that it is too
trusting. If you talk to a server and tell it the following message is
from Father Christmas then it believes you! It is very common for spam
to simply lie about the 'from' and 'reply-to' fields.
James has a number of techniques for reducing spam and trawling the mail
archive will confirm that. The trouble is there is no one technique
which will prevent all spam in a single go. As I have mentioned before
on this list I am a big fan of Bayesian Analysis. This single bit of
code on my James server only lets through about 5 spams a day out of a
total of 650! Your mileage may vary.
Regards,
David Legg