Atomic Secure Linux
Post subject: spam sent through SMTP account with poor password
Posted: Tue Jan 04, 2011 3:30 pm
Forum Regular
Joined: Wed Aug 04, 2010 2:52 pm
Posts: 257
Hello,

My ASL'd Centos5.5 (no ASL kernel) Plesk 10 server has recently been used to send spam out via an SMTP account with a poor password. This account had been used through Horde/IMP in the past to send out spam, and the password was changed, and the webmail disabled for the domain. I have a suspicion that there is a keystroke logger or other sort of monitor malware on the client's computer finding out their new info.

In any case, is there a way ASL can be beefed up to detect strange patterns in SMTP or webmail generated email? Or does it make sense to scan for spam email sent through an authenticated SMTP account?


Post subject: Re: spam sent through SMTP account with poor password
Posted: Tue Jan 04, 2011 4:39 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7935
Location: earth
That's a tough one, especially if the users come from dynamic IP space. You could use qmail-scanner to catch spam in outbound mail though.


Post subject: Re: spam sent through SMTP account with poor password
Posted: Tue Jan 04, 2011 6:27 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3656
Location: Chantilly, VA
If you want to detect spam being sent from authenticated users then you would be better served scanning outgoing email for spam in general. SpamAssassin does a wonderful job of discovering spam, so use qmail-scanner to do this. Otherwise, you're just duplicating something that already does the job perfectly.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: spam sent through SMTP account with poor password
Posted: Tue Jan 04, 2011 9:00 pm
Forum Regular
Joined: Wed Aug 04, 2010 2:52 pm
Posts: 257
Anyone that is scanning outgoing email on here? Like the results?


Post subject: Re: spam sent through SMTP account with poor password
Posted: Wed Jan 05, 2011 3:24 am
Forum Regular
Joined: Tue Jul 15, 2008 2:38 pm
Posts: 778
Location: Sweden
Sure, I'm scanning all in- and outgoing email. Sometimes you get a few false positives, but that's mainly people using a large HTML footer or signature and forgetting to write a subject... They are normally in the LOW category spam though, so nothing is missing, it just looks a little strange when the subject says spam.


Post subject: Re: spam sent through SMTP account with poor password
Posted: Wed Jan 05, 2011 9:54 am
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
We're using qmail-scanner as well. I don't believe there is a way to not scan outgoing e-mail when using qmail-scanner, right?

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: spam sent through SMTP account with poor password
Posted: Wed Jan 05, 2011 12:30 pm
Forum Regular
Joined: Tue Jul 15, 2008 2:38 pm
Posts: 778
Location: Sweden
Not that I'm aware of...


Post subject: Re: spam sent through SMTP account with poor password
Posted: Fri Apr 22, 2011 11:45 am
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
Is there anything with Postfix?

In our case we set up a master mail relay server that runs Windows with a custom SMTP sink we wrote that integrates into Commtouch for spam scoring and keeps track of which domains and which email accounts send how much, and we use that to rate limit and throttle messages on a daily and hourly basis and just silently drop bad email.

I'm sure there is something equivalent in Linux, but we already had something similar for our mail servers that we just modified slightly for our hosting environment.


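As an added example (not code from this thread, from Atomicorp, or from the poster's relay), here is the kind of per-account outbound counter the post above describes, written in Python over constructed Postfix-style smtpd log lines; the thresholds, the sample accounts and the use of the sasl_username field are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix-style smtpd lines (sample data, not from the thread);
# only the syslog timestamp and the sasl_username field are used.
SAMPLE_LOG = """\
Apr 22 12:00:01 mx postfix/smtpd[100]: A1: client=pc[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 22 12:30:05 mx postfix/smtpd[100]: A2: client=pc[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 22 12:01:00 mx postfix/smtpd[101]: B1: client=bot[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 22 12:01:02 mx postfix/smtpd[101]: B2: client=bot[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 22 12:01:03 mx postfix/smtpd[101]: B3: client=bot[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 22 12:01:05 mx postfix/smtpd[101]: B4: client=bot[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 22 14:10:00 mx postfix/smtpd[102]: B5: client=bot[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.com
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*sasl_username=(\S+)")

def parse_auth_events(log, year=2011):
    """Return {account: [sorted datetimes]} for lines carrying sasl_username."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authenticated submission line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events[m.group(2)].append(ts)
    for acct in events:
        events[acct].sort()
    return events

def peak_in_window(times, window):
    """Largest number of events falling inside any sliding window of `window`."""
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1  # drop events that fell out of the window
        peak = max(peak, end - start + 1)
    return peak

def assess(log, hourly_limit=3, daily_limit=50, year=2011):
    """Per-account verdict: 'throttle' when either limit is exceeded, else 'ok'."""
    verdicts = {}
    for acct, times in parse_auth_events(log, year).items():
        hour = peak_in_window(times, timedelta(hours=1))
        day = peak_in_window(times, timedelta(days=1))
        over = hour > hourly_limit or day > daily_limit
        verdicts[acct] = {"hour": hour, "day": day, "verdict": "throttle" if over else "ok"}
    return verdicts
```

A real deployment would feed live log lines into the same counters and act on the verdict in the relay's policy hook rather than post hoc.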
Post subject: Re: spam sent through SMTP account with poor password
Posted: Fri Apr 22, 2011 12:34 pm
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I recently contributed a patch to ART's qmail-scanner which doesn't scan outgoing e-mail if sent via port 587 (submission). It's in the stable channel now.

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: spam sent through SMTP account with poor password
Posted: Fri Apr 22, 2011 12:49 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
Why would you not want to scan outgoing email?
Couldn't someone still use that for sending spam no matter what port it's on?


Post subject: Re: spam sent through SMTP account with poor password
Posted: Fri Apr 22, 2011 1:33 pm
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
hostingguy wrote:
why would you not want to scan outgoing email?


Because it uses lots of resources and generates lots of false positives when your clients are on dial-up connections, etc. And some clients have huge mailing lists and scanning the same message for every recipient takes forever.

hostingguy wrote:
Couldnt some one still use that for sending spam no matter what port its on?


Submission (port 587) requires authentication, so qmail-scanner checks whether e-mail was sent via submission and then treats it as a message from a relay client (which it is) and skips scanning for that message. Only authenticated users can skip scanning outgoing messages. It's a great breakthrough for us: finally our users are able to use our SMTP servers again without getting flagged for being on a dial-up connection or other stupid reasons, which are valid reasons for flagging incoming messages from other hosts, but not for messages from our own clients.

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: spam sent through SMTP account with poor password
Posted: Fri Apr 22, 2011 1:35 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
If someone has a script that sends through localhost (or w/e mail server) on 587 using SMTP auth, couldn't they have their script send out a bunch of spam, or run dark mailer, or have some insecure script that someone else exploits to send a bunch of spam?


Post subject: Re: spam sent through SMTP account with poor password
Posted: Fri Apr 22, 2011 1:42 pm
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
hostingguy wrote:
if some one has a script that sends through localhost (or w/e mail server) on 587 using smtp auth couldnt they have their script send out a bunch of spam, or run dark mailer or have some insecure script that some one else exploits to send a bunch of spam?


You need credentials to be able to send messages through port 587. If exploit code is already on localhost then it could just use the sendmail interface without the need for credentials, so I don't really see the problem of having another way to send out e-mail which is harder to exploit since it needs valid credentials.

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: spam sent through SMTP account with poor password
Posted: Fri Apr 22, 2011 1:51 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
In the case of large mailing lists, if you detect that a user has submitted a large amount of messages in a short time period you can scan the first couple to make sure they are all basically the same thing (without custom info like usernames, etc., which will be different) by looking for a pattern, and if the first email is good then you automatically accept the rest if they match that same pattern, as you know it's not spam.

I personally think it's not a good practice to allow email to be sent without scanning it regardless of how it gets there, and the best way to avoid customer impact is to accept the mail no matter what, queue it, and then send/offload the work to an upstream server that only does the scanning - but that's just my opinion.

I'm not trying to tell you how to run your server, I'm just (badly) trying to make the point that no matter what port they are sending mail on and no matter how they get the mail there, they can still send spam or malware links, phishing emails, etc. even if it requires credentials to do so.


Post subject: Re: spam sent through SMTP account with poor password
Posted: Fri Apr 22, 2011 1:59 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7935
Location: earth
Or for that matter when the smtp_auth accounts get compromised by botnets; that's certainly a large source of the spam out there.

