Difference between revisions of "Coping With Postfix Mail Server Attacks"

From Free Knowledge Base- The DUCK Project: information for everyone
Jump to: navigation, search
(Mail Relay Attack)
(SCENARIO: Local User account compromised or sending spam from compromised system)
 
(7 intermediate revisions by one user not shown)
Line 67: Line 67:
 
You're going to see a lot of forged addresses.  In this example, HawaiiVacationDeals@eiroeir.eu is clearly forged.
 
You're going to see a lot of forged addresses.  In this example, HawaiiVacationDeals@eiroeir.eu is clearly forged.
  
The IMMEDIATE plan:
+
==== DETERMINE SENDER SOURCE ====
 
+
(1.) DETERMINE SENDER SOURCE
+
  
 
It is possible that your own server is the source.  This is possible in a couple different ways:
 
It is possible that your own server is the source.  This is possible in a couple different ways:
Line 79: Line 77:
 
Take a look at the mail queue
 
Take a look at the mail queue
 
  mailq
 
  mailq
 +
 +
Recommendation: make a copy of the mailq output.  You may need this later.
 +
mailq > /tmp/mailq.txt
  
 
Use postcat to start going through the mail in the queue based on Queue ID.  For example, if the ID is '9AFA82C0499'
 
Use postcat to start going through the mail in the queue based on Queue ID.  For example, if the ID is '9AFA82C0499'
 
  postcat -vq 9AFA82C0499
 
  postcat -vq 9AFA82C0499
 
 
  
(3.) TAKE PREVENTATIVE MEASURES
+
==== SCENARIO: Local User account compromised or sending spam from compromised system ====
 +
 
 +
If you grep for the message ID (9AFA82C0499in in our example) within /var/log/mail.log you should find a log line indicating the sasl_username.  With that username you can see just how much spam the account is responsible for attempting to send or sending:
 +
cat /var/log/maillog|grep <username>
 +
 
 +
Disable the account
 +
passwd -l <username>
 +
 
 +
<blockquote>
 +
'''Problem With virtual_alias_maps User Mail Forward'''
 +
 
 +
Is there a mail forward virtual_alias_maps (''virtusertable'')?  For example, you have a local user nicole having mail forwarded to her aol account. (nicole@foo.com -> nicole4400@aol.com)  In this example foo.com is a locally hosted domain.  Mail is being forwarded to an external mailbox on a remote system.  You need to disable this by # or delete then reload.  ''When you add mail forwards like this it can complicate spam control and dealing with compromised accounts or customer systems.''
 +
</blockquote>
 +
 
 +
Next, block the IP address of the account.  The user may have a dynamic IP address.  Consider this a temporary measure just to get things under control.  At some point the user is going to attempt to contact you because his or her mail is no longer working. You can do this using IPTABLES.
 +
 
 +
There may continue to be much activity for a duration because all of the remote hosts your server was trying to send spam to will continue to send bounce replies.
 +
 
 +
If you look at the mail queue again, and do not see any legitimate mail being queued, you can purge the mail queue.
 +
postsuper -d ALL
 +
WARNING! - do not do this unless you are positive that there is no legitimate mail in the queue.  All mail from the queue will be deleted.  This is simply a measure to help get things under control.
 +
 
 +
If you continue to see additional queued messages appearing when using mailq then it is likely there remains a mail forwarding rule such as mentioned above.  All mail forwarding for the user account must be eliminated.
 +
 
 +
=== Tools to Fight Attacks and Spam ===
  
You can prevent future attacks by using some commonsense mail server settings for postfix and implementing a tool like fail2ban
+
* fail2ban
 +
* [http://www.postfix.org/POSTSCREEN_README.html Postfix Postscreen]

Latest revision as of 11:06, 9 April 2015

There are a number of different attacks possible. You might encounter a Brute Force Dictionary Attack on Dovecot or a basic mail relay attack. Those are only two common examples out of many possibilities. This article deals with relay attacks.

Related / See Also:

Mail Relay Attack

Assuming you are _not_ running an open relay, there are attacks which may seek to verify the relay or to attempt delivery to local users.

Too many "smtp -t unix -u" processes

1005 ?        S      0:00 smtp -t unix -u
1006 ?        S      0:00 smtp -t unix -u
1007 ?        S      0:00 smtp -t unix -u
1008 ?        S      0:00 smtp -t unix -u
1009 ?        S      0:00 smtp -t unix -u
1010 ?        S      0:00 smtp -t unix -u
1011 ?        S      0:00 smtp -t unix -u
1012 ?        S      0:00 smtp -t unix -u
1013 ?        S      0:00 smtp -t unix -u
1014 ?        S      0:00 smtp -t unix -u
1015 ?        S      0:00 smtp -t unix -u
1016 ?        S      0:00 smtp -t unix -u
1017 ?        S      0:00 smtp -t unix -u
1018 ?        S      0:00 smtp -t unix -u
1019 ?        S      0:00 smtp -t unix -u
1020 ?        S      0:00 smtp -t unix -u
1021 ?        S      0:00 smtp -t unix -u
1022 ?        S      0:00 bounce -z -n defer -t unix -u
1023 ?        S      0:00 smtp -t unix -u
1024 ?        S      0:00 smtp -t unix -u
1025 ?        S      0:00 smtp -t unix -u
1026 ?        S      0:00 smtp -t unix -u
1027 ?        S      0:00 smtp -t unix -u
1028 ?        S      0:00 smtp -t unix -u
1030 ?        S      0:00 smtp -t unix -u
1031 ?        S      0:00 smtp -t unix -u
1032 ?        S      0:00 smtp -t unix -u
1033 ?        S      0:00 smtp -t unix -u
1034 ?        S      0:00 smtp -t unix -u
1035 ?        S      0:00 smtp -t unix -u
1036 ?        S      0:00 smtp -t unix -u
1038 ?        S      0:00 dovecot/pop3-login

Someone is attacking your email server. The server is spawning too many smtp processes and is slow or nearly not responsive.

Lets verify. Check the mail queue using either 'postqueue -p' or 'mailq' command.

mailq

You can find a lot of useful commands like mailq in our Postfix Tips and Tricks page.

You might see lots of entries that look similar to this:

4790F2C0DD7     2898 Mon Apr  6 13:08:07  MAILER-DAEMON
(connect to bny234.rayinsuranceclearly.ninja[94.228.216.234]:25: Connection timed out)
                                        Angela.Sloan@bny234.rayinsuranceclearly.ninja

They might say "Connection timed out" or "Connection refused"

437AC2C07BB     9359 Tue Apr  7 18:05:33  MAILER-DAEMON
         (connect to 1fxxn8s.eiroeir.eu[8.39.223.104]:25: Connection refused)
                                        HawaiiVacationDeals@eiroeir.eu

You're going to see a lot of forged addresses. In this example, HawaiiVacationDeals@eiroeir.eu is clearly forged.

DETERMINE SENDER SOURCE

It is possible that your own server is the source. This is possible in a couple different ways:

  • You have a Perl or PHP script or something similar that is being exploited and used to relay spam
  • You have a system user that has had their account compromised

It is also possible that an external source is trying to relay mail though your mail server.

Take a look at the mail queue

mailq

Recommendation: make a copy of the mailq output. You may need this later.

mailq > /tmp/mailq.txt

Use postcat to start going through the mail in the queue based on Queue ID. For example, if the ID is '9AFA82C0499'

postcat -vq 9AFA82C0499

SCENARIO: Local User account compromised or sending spam from compromised system

If you grep for the message ID (9AFA82C0499in in our example) within /var/log/mail.log you should find a log line indicating the sasl_username. With that username you can see just how much spam the account is responsible for attempting to send or sending:

cat /var/log/maillog|grep <username>

Disable the account

passwd -l <username>

Problem With virtual_alias_maps User Mail Forward

Is there a mail forward virtual_alias_maps (virtusertable)? For example, you have a local user nicole having mail forwarded to her aol account. (nicole@foo.com -> nicole4400@aol.com) In this example foo.com is a locally hosted domain. Mail is being forwarded to an external mailbox on a remote system. You need to disable this by # or delete then reload. When you add mail forwards like this it can complicate spam control and dealing with compromised accounts or customer systems.

Next, block the IP address of the account. The user may have a dynamic IP address. Consider this a temporary measure just to get things under control. At some point the user is going to attempt to contact you because his or her mail is no longer working. You can do this using IPTABLES.

There may continue to be much activity for a duration because all of the remote hosts your server was trying to send spam to will continue to send bounce replies.

If you look at the mail queue again, and do not see any legitimate mail being queued, you can purge the mail queue.

postsuper -d ALL

WARNING! - do not do this unless you are positive that there is no legitimate mail in the queue. All mail from the queue will be deleted. This is simply a measure to help get things under control.

If you continue to see additional queued messages appearing when using mailq then it is likely there remains a mail forwarding rule such as mentioned above. All mail forwarding for the user account must be eliminated.

Tools to Fight Attacks and Spam