1 (edited by zipline 2020-05-01 23:15:56)

Topic: Strange Spam Issue (mail.leftidesire.rest) with iRedMail

We're having a strange spam issue where it appears we have been exploited in some way. We have dozens of log entries like this:

2020-04-30 10:58:33 INFO [0.0040s] [155.94.154.152] RCPT, 10218-20-675074-1903-mike=domain.com@mail.leftidesire.rest -> mike@domain.com, DUNNO

2020-04-30 11:03:20 INFO [155.94.154.152] recipient throttle, leon@site.net -> msg_size (6419/15728640, period: 86400 seconds, time left: 13 hours, 1 minutes, 11 seconds)

2020-04-30 11:03:20 INFO [0.0050s] [155.94.154.152] END-OF-MESSAGE, 10218-20-535106-1903-leon=site.net@mail.leftidesire.rest -> leon@site.net, DUNNO

10218-20-675074-1903-mike=domain.com@mail.leftidesire.rest is not an email address, but mike@domain.com is, and the same goes for leon@site.net.

I thought this may be an exploited password issue, but I am not so sure because we have these for at least two dozen different users on our server that I have found so far.

We do not allow users to send as an alias as far as I know. We are not sure how this has happened. Has anyone else seen something similar? We're at a loss as to how to curb this behavior.

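As an added example (not part of the original post or of iRedMail), here is detection logic that parses iRedAPD log lines in the format shown above and flags senders whose local part ends in a VERP-style `user=domain` encoding, reporting whether the embedded mailbox is the recipient itself or another mailbox. The log format is assumed from the three lines posted; the `192.0.2.10` / `alice@example.org` line is constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample in the iRedAPD log format shown in the post; the last
# line is a normal delivery added for contrast.
SAMPLE_LOG = """\
2020-04-30 10:58:33 INFO [0.0040s] [155.94.154.152] RCPT, 10218-20-675074-1903-mike=domain.com@mail.leftidesire.rest -> mike@domain.com, DUNNO
2020-04-30 11:03:20 INFO [155.94.154.152] recipient throttle, leon@site.net -> msg_size (6419/15728640, period: 86400 seconds, time left: 13 hours, 1 minutes, 11 seconds)
2020-04-30 11:03:20 INFO [0.0050s] [155.94.154.152] END-OF-MESSAGE, 10218-20-535106-1903-leon=site.net@mail.leftidesire.rest -> leon@site.net, DUNNO
2020-04-30 11:05:01 INFO [0.0030s] [192.0.2.10] END-OF-MESSAGE, alice@example.org -> leon@site.net, DUNNO
"""

# Lines that carry a "sender -> recipient" pair (RCPT / END-OF-MESSAGE stages).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO (?:\[[\d.]+s\] )?\[(?P<ip>[\d.]+)\] "
    r"(?P<stage>RCPT|END-OF-MESSAGE), (?P<sender>\S+) -> (?P<rcpt>\S+), (?P<action>\w+)$")

def embedded_address(sender):
    """Return 'user@domain' when the sender local part ends in user=domain
    (the VERP-style encoding seen in the thread), otherwise None."""
    local, _, _ = sender.rpartition("@")
    m = re.search(r"(?:^|-)([^-=]+)=([^=]+\.[^=]+)$", local)
    return f"{m.group(1)}@{m.group(2)}" if m else None

def scan(log_text):
    """Return one record per log line whose sender embeds a mailbox address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # throttle and other lines carry no sender/recipient pair
        emb = embedded_address(m["sender"])
        if emb is None:
            continue
        hits.append({"ip": m["ip"], "stage": m["stage"], "sender": m["sender"],
                     "rcpt": m["rcpt"], "embedded": emb,
                     "kind": "verp-for-recipient" if emb == m["rcpt"]
                             else "embeds-other-mailbox"})
    return hits

def by_client(hits):
    """Count flagged lines per client IP, to see which hosts inject them."""
    return Counter(h["ip"] for h in hits)
```

The `embeds-other-mailbox` kind corresponds to the later example in this thread where the From line encodes one customer's address while the mail goes to another.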

2

Re: Strange Spam Issue (mail.leftidesire.rest) with iRedMail

I have been digging deeper, and I also see a large number of emails sent from <> that are going to legitimate users on the system. They seem to be consistently spam, and I am not sure how they're getting through the system.

I am not sure if this is a related issue or a different issue but I thought I would share for context.

3

Re: Strange Spam Issue (mail.leftidesire.rest) with iRedMail

zipline wrote:

2020-04-30 10:58:33 INFO [0.0040s] [155.94.154.152] RCPT, 10218-20-675074-1903-mike=domain.com@mail.leftidesire.rest -> mike@domain.com, DUNNO
2020-04-30 11:03:20 INFO [155.94.154.152] recipient throttle, leon@site.net -> msg_size (6419/15728640, period: 86400 seconds, time left: 13 hours, 1 minutes, 11 seconds)
2020-04-30 11:03:20 INFO [0.0050s] [155.94.154.152] END-OF-MESSAGE, 10218-20-535106-1903-leon=site.net@mail.leftidesire.rest -> leon@site.net, DUNNO

- Why are these emails considered spam? We don't know your logic here.
- It seems you're running an old iRedAPD release; which version is it? You can run "ls -ld /opt/iredapd" to get the version number.

zipline wrote:

I also see a large number of emails sent from <> that are going to legitimate users on the system. They seem to be consistently spam and I am not sure how they're getting through the system.

An MTA may generate a bounce message or non-delivery notification and send it with the null sender ("<>"). You need to check its content before judging whether it's spam or not.

4

Re: Strange Spam Issue (mail.leftidesire.rest) with iRedMail

- Why are these emails considered as spams? We don't know your logic here.

The emails that are being sent by these types of users have clear SPAM subjects and body content. They're things about Cialis etc. I can easily tell that all of the messages sent using this pattern are not legitimate, but I can't figure out what setting on the server is allowing these bogus users to send. I have found more than 50 different instances of these ghost emails sending as legitimate emails on the server with spam content.

I have also noticed emails similar to:

Host: iredmail.domain.com
Sender ID: 54.240.48.17
From: 01000171d5b44f2d-02ab1f0d-2f34-4a66-9109-c761c1e313ed-000000@amazonses.com
To: real@clientemail.com
Subject: Biden responds to Tara Reade sex assault allegations... 'They aren't true. This never happened'...

The very strange thing is that these emails are being sent from our server, but we obviously don't host the domain amazonses.com, and we also have unauthenticated relaying disabled. These are also not legitimate emails and are typically a variety of spam messages.

It seems like somehow we're allowing odd relay type activity but we cannot figure out how that would be.

- Seems you're running an old iRedAPD release, which version is it? You can run "ls -ld /opt/iredapd" to get the version number.

lrwxrwxrwx 1 root root 13 Nov  1  2016 /opt/iredapd -> iRedAPD-1.9.1

The server is up-to-date but perhaps our iRedMail needs updating?

5

Re: Strange Spam Issue (mail.leftidesire.rest) with iRedMail

Here is another example I just pulled:

Host: iredmail.myserver.com
Sender ID: 193.160.142.87
From: OverburdenedbyDebtDebtConsolidation-kpscott=domain.com@xrhapticsuit.com
To: kathie@otherdomain.com
Subject: Get Your Debt Together | Debt Consolidation

In this case, both domain.com and otherdomain.com are real domains on our server. The From line sends as that customer to the other domain on our server. Basically, it appears someone is somehow spamming our customers by using other customer emails as a mask. It is a really strange situation, and I may not be reading it correctly, but I am not sure how it started or how to combat it.

6

Re: Strange Spam Issue (mail.leftidesire.rest) with iRedMail

- Programs are not human brains; although something is obvious to us, a program may not recognise it as spam. You need to check which SpamAssassin rules are matched for the emails.

zipline wrote:

lrwxrwxrwx 1 root root 13 Nov  1  2016 /opt/iredapd -> iRedAPD-1.9.1

The latest iRedAPD release is 3.6; it seems you're way behind.
Which iRedMail release are you running? You can get the version number from the file /etc/iredmail-release.

7

Re: Strange Spam Issue (mail.leftidesire.rest) with iRedMail

We are running version 0.9.4 which looks to be fairly old. Not sure how to upgrade the system. Is there a good way to do that?

On the spam problem, I don't think that SpamAssassin would really address the problem. It might catch some of the spam being sent to our customers, but the real problem is that someone is able to send spam from our server both to our clients and externally. It seems like SpamAssassin isn't really looking at the internal messages. I am not sure how they're able to do this from so many users. There appears to be some sort of an exploit, but I am not sure where to start in trying to track it down or how to prevent it.

8

Re: Strange Spam Issue (mail.leftidesire.rest) with iRedMail

I have continued monitoring this problem, and it seems that these messages are all to accounts with forwards and aliases. What seems to be happening is that email is sent to the legitimate accounts and then forwarded automatically, without scanning, to the accounts connected as forwards. In some cases, these messages bounce back, which then looks like another message to our customer because it's a legitimate bounce with a spammy subject.

I have reviewed this post: https://forum.iredmail.org/topic10810-i … alias.html

sender_login_mismatch doesn't seem to impact the forwards and alias users for me.

I also have these settings in place:

smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf

Yet I still don't see that it is scanning the alias email; it seems the server is just passing it through via both forwards and aliases.

What am I missing?

9

Re: Strange Spam Issue (mail.leftidesire.rest) with iRedMail

Check file /etc/postfix/master.cf: does the transport `pickup` have a `content_filter=` parameter like below?

pickup ...
    -o content_filter=smtp-amavis:[127.0.0.1]:10026

10

Re: Strange Spam Issue (mail.leftidesire.rest) with iRedMail

Check file /etc/postfix/master.cf

We found it, but it is in the submission section. I don't know if this is correct.

# Submission, port 587, force TLS connection.

submission inet n - n - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
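As an added example (not from the thread or the iRedMail project), a small master.cf checker that answers the question raised in the last two posts: which services carry a `-o content_filter=` override, and whether any `-o` parameter is set more than once (Postfix keeps the last value given). The sample fragment is constructed from the posted submission block, with a `pickup` entry that intentionally lacks the filter.

```python
import re

# Constructed master.cf fragment modelled on the submission block posted in
# the thread; the pickup entry deliberately has no content_filter.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
# Submission, port 587, force TLS connection.
submission inet n - n - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
"""

OPT_RE = re.compile(r"^\s+-o\s+([^=\s]+)=(\S*)")

def parse_master_cf(text):
    """Map each service to its -o overrides: {service: {name: [values]}}.
    Indented lines continue the previous service; duplicate names are kept
    in order because Postfix applies the last one given."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            m = OPT_RE.match(line)
            if m and current:
                services[current].setdefault(m.group(1), []).append(m.group(2))
        else:
            current = line.split()[0]  # service name: smtp, pickup, submission, ...
            services[current] = {}
    return services

def audit(services, need_filter=("pickup", "submission")):
    """Report services lacking content_filter and options set more than once."""
    findings = []
    for name in need_filter:
        opts = services.get(name)
        if opts is None:
            findings.append(f"{name}: service not defined")
        elif "content_filter" not in opts:
            findings.append(f"{name}: no content_filter, mail entering here is not scanned")
    for name, opts in services.items():
        for opt, vals in opts.items():
            if len(vals) > 1:
                findings.append(f"{name}: {opt} set {len(vals)} times, effective value '{vals[-1]}'")
    return findings
```

Run it against the real file with `audit(parse_master_cf(open("/etc/postfix/master.cf").read()))`; the duplicated `smtpd_tls_security_level` in the posted block is reported as well, since the later `may` silently overrides `encrypt`.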