{"id":1106,"date":"2013-09-10T01:16:27","date_gmt":"2013-09-10T07:16:27","guid":{"rendered":"http:\/\/blog.supportpro.com\/?p=1106"},"modified":"2019-10-30T04:27:08","modified_gmt":"2019-10-30T10:27:08","slug":"spamming-in-a-qmail-enabled-plesk-server-finding-the-culprit","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/spamming-in-a-qmail-enabled-plesk-server-finding-the-culprit\/","title":{"rendered":"Spamming in a Qmail Enabled Plesk Server – Finding the Culprit"},"content":{"rendered":"

The following is the result of a live analysis done when spamming has been found from a Plesk<\/a> server with the qmail<\/a> mail server. This will help you to understand how to trace a qmail spamming in the server.<\/p>\n

[root@server ~]# \/var\/qmail\/bin\/qmail-qstat<\/p>\n

messages in queue: 758<\/p>\n

messages in queue but not yet preprocessed: 0<\/p><\/blockquote>\n

We do have 758 mails in the queue. Let’s examine the queue with qmail-qread. Seeing a bunch of strange email addresses in the recipient list? Usually, it is meaning spam.<\/p>\n

<\/p>\n

[root@server ~]# \/var\/qmail\/bin\/qmail-qread<\/p>\n

[…]<\/p><\/blockquote>\n

You can examine the email content of the emails in the queue using the Plesk interface or just less command. Firstly we should find messages id using qmail-qread, then find the file holding the email in \/var\/qmail\/queue with the find command.<\/p>\n

[root@server ~]# \/var\/qmail\/bin\/qmail-qread<\/p>\n

[…]<\/p>\n

18 Jul 2008 02:01:11 GMT #22094026 1552 <><\/p>\n

remote user@yahoo.com<\/p>\n

[…]<\/p>\n

[root@server ~]# find \/var\/qmail\/queue\/ -name 22094026<\/p><\/blockquote>\n

\/var\/qmail\/queue\/mess\/19\/22094026<\/p>\n

\/var\/qmail\/queue\/remote\/19\/22094026<\/p>\n

\/var\/qmail\/queue\/info\/19\/22094026<\/p>\n

[root@server ~]# less \/var\/qmail\/queue\/mess\/19\/22094026<\/p><\/blockquote>\n

Received: (qmail 10728 invoked from network); 22 Jul 2008 19:40:46 +0300<\/p>\n

Received: from unknown (HELO User) (86.107.221.138)<\/p>\n

by domain.com with SMTP; 22 Jul 2008 19:40:46 +0300<\/p>\n

Reply-To: <support@PayPal.Inc.com><\/p>\n

From: “PayPal”<support@PayPal.Inc.com><\/p>\n

Subject: Dispute Transaction<\/p>\n

Date: Tue, 22 Jul 2008 19:40:52 +0300<\/p>\n

MIME-Version: 1.0<\/p>\n

Content-Type: text\/html;<\/p>\n

charset=”Windows-1251”<\/p>\n

Content-Transfer-Encoding: 7bit<\/p>\n

X-Priority: 1<\/p>\n

X-MSMail-Priority: High<\/p>\n

X-Mailer: Microsoft Outlook Express 6.00.2600.0000<\/p>\n

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000<\/p>\n

[…]<\/p>\n

Oops, we do have some spam in the queue that’s received from the network (IP: 86.107.221.138). We should remove spam from the queue or the server IP address will finish listed in the RBLs, qmail-remove is the right tool for this job.<\/p>\n

Check the number of the spams with the spam pattern (PayPal.Inc.com in this case):<\/p>\n

[root@server ~]# qmail-remove -p ‘PayPal.Inc.com’<\/p><\/blockquote>\n

Now, remove spams (notice the -r switch), they all will end up in the \/var\/qmail\/queue\/yanked directory. Don’t forget to stop qmail daemon before (\/etc\/init.d\/qmail stop).<\/p>\n

[root@server ~]# qmail-remove -r -p ‘PayPal.Inc.com’<\/p><\/blockquote>\n

In a few minutes, we do have more emails with the same patterns from the same IP address.<\/p>\n

That’s great, we do have the opportunity to examine SMTP traffic from the spammers IP address. Run tcpdump and wait a few minutes.<\/p>\n

[root@server ~]# tcpdump -i eth0 -n src 86.107.221.138 \\or dst 86.107.221.138 -w smtp.tcpdump -s 2048<\/p><\/blockquote>\n

Examining log file with less or wireshark we found that spammer is sending spam using LOGIN authentication:<\/p>\n

220 server.domain.com ESMTP<\/p>\n

ehlo User<\/p>\n

250-server.domain.com<\/p>\n

250-AUTH=LOGIN CRAM-MD5 PLAIN<\/p>\n

250-AUTH LOGIN CRAM-MD5 PLAIN<\/p>\n

250-STARTTLS<\/p>\n

250-PIPELINING<\/p>\n

250 8BITMIME<\/p>\n

AUTH LOGIN<\/p>\n

334 VXNlcm5hbWU6<\/p>\n

dGVzdA==<\/p>\n

334 UGFzc3dvcmQ6<\/p>\n

MTIzNDU=<\/p>\n

235<\/p>\n

Interesting, let us decode the user\/pass to see which account is used:<\/p>\n

[root@server ~]# perl -MMIME::Base64 -e ‘print decode_base64(“dGVzdA==”)’<\/p><\/blockquote>\n

test<\/p>\n

[root@server ~]# perl -MMIME::Base64 -e ‘print decode_base64(“MTIzNDU=”)’<\/p><\/blockquote>\n

12345<\/p>\n

So, someone created a test account with a weak password and someone else guessed it and is sending spam through the server.<\/p>\n

Let us find the domain owning of the mailbox.<\/p>\n

[root@server ~]# mysql -uadmin -p`cat \/etc\/psa\/.psa.shadow` psa<\/p><\/blockquote>\n

[…]<\/p>\n

mysql> SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name=’test’ AND a.password=’12345′;<\/p>\n

+———–+————+———-+<\/p>\n

| mail_name | name | password |<\/p>\n

+———–+————+———-+<\/p>\n

| test | example.com | 12345 |<\/p>\n

+———–+————+———-+<\/p>\n

1 row in set (0.01 sec)<\/p>\n

Next step is to delete test mailbox and send a warning to the client.<\/p>\n

To improve your server’s security you’ll need to enable:<\/p>\n

Server -> Mail -> Check the passwords for mailboxes in the dictionary<\/p>\n

Creating a mailbox test with password “12345” is a stupid thing and spammers just love to exploit it.
\nIf you require help, contact SupportPRO Server Admin<\/a><\/p>\n

\"Server<\/a><\/span>