Spam slinger: how do I find out what's going on?



[MORD]Locutus
29.09.15, 11:41
Hello everyone,

I need some help finding out where there might be a security hole on my server.

System: Ubuntu 14.04
Mail server: Postfix

What happened? Well, this morning I got a bunch of mails bounced back by the mail daemon as undeliverable, which I never sent.
postqueue -p shows the following:

D028611601B59 2496 Sat Sep 26 13:26:24 simbabamhamire@domain.de
(connect to mxla3.fanbox.com[208.69.101.102]:25: Connection timed out)
Kiss14@fanboxnotes.com

DB27E11601970 2629 Tue Sep 29 10:08:12 ms@domain.de
(host mx-c1.talktalk.net[62.24.202.3] refused to talk to me: 554-in.ip10nec.int.opaltelecom.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
brianandshan@talktalk.net
bs.baker@talktalk.net

D2E34116014AE 2665 Sat Sep 26 08:28:58 SabrinaFinchNowell@domain.de
(host mx-c1.talktalk.net[62.24.202.3] refused to talk to me: 554-in.ip19nec.int.opaltelecom.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
karen.rcdfc@talktalk.net
(host mx2.eclipse.kcom.com[213.249.242.206] refused to talk to me: 554-gula.eclipse.kcom.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
kim.smith@torbay.gov.uk
liz.cooper@torbay.gov.uk
I replaced my own domain above with "domain.de".

The mail.log then contains something like this:

Sep 29 11:09:59 h1825122 postfix/smtp[17815]: D2CE011601464: to=<helen.caines@torbay.gov.uk>, relay=mx2.eclipse.kcom.com[213.249.242.206]:25, delay=268864, delays=268863/0.2/1.1/0, dsn=4.0.0, status=deferred (host mx2.eclipse.kcom.com[213.249.242.206] refused to talk to me: 554-gula.eclipse.kcom.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)


Then I changed the password of the mail address that is being abused, and since then the mail.log shows the following:

Sep 29 11:05:46 h1825122 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<hNNzHt8glQB/AAAB>
Sep 29 11:06:42 h1825122 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<Tt/PId8g0QB/AAAB>
Sep 29 11:07:40 h1825122 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<lE9KJd8gtgB/AAAB>


Does anyone have an idea how I can now find out where exactly the hole in my system is?

Thanks and regards

corresponder
29.09.15, 11:53
add:

mail.add_x_header = On

to your php.ini
then restart apache.
Then you can see better in the apache logs where it is coming from.
My guess is PHP, i.e. a website on your box.

grep the logs for POST....

regards

c.

Hitman
29.09.15, 11:55
Could possibly be backscatter.

Take a look at the IDs D028611601B59, DB27E11601970 and D2E34116014AE in the log file. Usually the lines before them show who submitted them and from where.
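
Added example (my own code, not from any poster in this thread) of the check Hitman describes: it walks Postfix log lines, ties each queue ID to the smtpd or pickup line that shows who submitted it (client host and SASL account, or the local uid such as www-data for a PHP mail() call) and totals envelope recipients per origin, so a stolen mailbox password stands out from a web-script leak. The log lines, queue IDs, client addresses and example.org are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample mail.log lines modelled on the thread's output; the queue IDs,
# client addresses (RFC 5737 ranges) and example.org are made up for this example.
SAMPLE_LOG = """\
Sep 29 09:10:02 h1 postfix/smtpd[13800]: AAAA00000001: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=ms@example.org
Sep 29 09:10:02 h1 postfix/qmgr[2181]: AAAA00000001: from=<simba@example.org>, size=2496, nrcpt=20 (queue active)
Sep 29 09:12:10 h1 postfix/pickup[2180]: BBBB00000002: uid=33 from=<www-data>
Sep 29 09:12:10 h1 postfix/qmgr[2181]: BBBB00000002: from=<www-data@h1.example.org>, size=2605, nrcpt=3 (queue active)
Sep 29 09:20:00 h1 postfix/smtpd[13900]: CCCC00000003: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=ms@example.org
Sep 29 09:20:00 h1 postfix/qmgr[2181]: CCCC00000003: from=<louisa@example.org>, size=2216, nrcpt=11 (queue active)
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")  # Mon DD hh:mm:ss host postfix/daemon[pid]: QUEUEID: rest
CLIENT_RE = re.compile(r"client=([^,\s]+)")           # smtpd: submitting host[ip]
SASL_RE = re.compile(r"sasl_username=(\S+)")          # smtpd: authenticated account
PICKUP_RE = re.compile(r"uid=(\d+) from=<([^>]*)>")   # pickup: local sendmail(1) submission
QMGR_RE = re.compile(r"from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def correlate(log_text):
    """Map each queue ID to where it entered the queue plus its envelope sender."""
    records = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = records.setdefault(qid, {"origin": "unknown"})
        if daemon == "smtpd" and CLIENT_RE.search(rest):
            rec["client"] = CLIENT_RE.search(rest).group(1)
            sasl = SASL_RE.search(rest)
            rec["sasl_username"] = sasl.group(1) if sasl else None
            # An authenticated submission points at a stolen password, not at spoofing
            rec["origin"] = f"sasl:{sasl.group(1)}" if sasl else f"client:{rec['client']}"
        elif daemon == "pickup" and PICKUP_RE.search(rest):
            uid, user = PICKUP_RE.search(rest).groups()
            rec["origin"] = f"local uid={uid} ({user})"   # e.g. PHP mail() running as www-data
        elif daemon == "qmgr" and QMGR_RE.search(rest):
            rec["from"], nrcpt = QMGR_RE.search(rest).groups()
            rec["nrcpt"] = int(nrcpt)
    return records

def recipients_by_origin(records):
    """Total envelope recipients per submission origin; the top entry is the leak."""
    totals = Counter()
    for rec in records.values():
        totals[rec["origin"]] += rec.get("nrcpt", 0)
    return totals
```

Run it over a real mail.log by replacing SAMPLE_LOG with the file contents; the sasl_username that tops recipients_by_origin() is the account whose password needs changing, while a local uid origin points at a web script instead.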

[MORD]Locutus
29.09.15, 12:01
@Hitman:

they are all present in the log:

Sep 29 09:14:58 h1233452 postfix/qmgr[2181]: D028611601B59: from=<simbabamhamire@domain.de>, size=2496, nrcpt=20 (queue active)
Sep 29 09:15:58 h1233452 postfix/smtp[13886]: D028611601B59: to=<Kiss14@fanboxnotes.com>, relay=none, delay=244174, delays=244114/0.07/60/0, dsn=4.4.1, status=deferred (connect to mxla3.fanbox.com[208.69.101.102]:25: Connection timed out)
---
Sep 29 10:24:58 h1233452 postfix/qmgr[2181]: DB27E11601970: from=<ms@domain.de>, size=2629, nrcpt=20 (queue active)
Sep 29 10:24:59 h1233452 postfix/smtp[16071]: DB27E11601970: to=<brianandshan@talktalk.net>, relay=mx-c1.talktalk.net[62.24.202.3]:25, delay=1007, delays=1006/0.17/0.86/0, dsn=4.0.0, status=deferred (host mx-c1.talktalk.net[62.24.202.3] refused to talk to me: 554-in.ip04nec.int.opaltelecom.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Sep 29 10:24:59 h1233452 postfix/smtp[16071]: DB27E11601970: to=<bs.baker@talktalk.net>, relay=mx-c1.talktalk.net[62.24.202.3]:25, delay=1007, delays=1006/0.17/0.86/0, dsn=4.0.0, status=deferred (host mx-c1.talktalk.net[62.24.202.3] refused to talk to me: 554-in.ip04nec.int.opaltelecom.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
---
Sep 29 11:09:58 h1233452 postfix/qmgr[2181]: D2E34116014AE: from=<SabrinaFinchNowell@domain.de>, size=2665, nrcpt=20 (queue active)
Sep 29 11:09:59 h1233452 postfix/smtp[17811]: D2E34116014AE: to=<karen.rcdfc@talktalk.net>, relay=mx-c1.talktalk.net[62.24.202.3]:25, delay=268860, delays=268860/0.18/0.39/0, dsn=4.0.0, status=deferred (host mx-c1.talktalk.net[62.24.202.3] refused to talk to me: 554-in.ip19nec.int.opaltelecom.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Sep 29 11:09:59 h1233452 postfix/smtp[17812]: D2E34116014AE: host mx1.eclipse.kcom.com[213.249.242.206] refused to talk to me: 554-gula.eclipse.kcom.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.


But I can't see here who submitted them. And "h1233452" is my hostname.

corresponder
29.09.15, 12:07
Which incoming mail server is it, i.e. which one are you using?

Hitman
29.09.15, 12:13
Post the 5 to 10 lines that precede each of them.

Is there maybe somewhere just <> ? (angle brackets)

[MORD]Locutus
29.09.15, 12:22
@corresponder: I use postfix

@hitman

here in the 2nd line there is a <>

Sep 29 09:10:02 h1233452 postfix/smtpd[13808]: connect from localhost.localdomain[127.0.0.1]
Sep 29 09:10:02 h1233452 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<UtSrgN0gPAB/AAAB>
Sep 29 09:10:02 h1233452 postfix/smtpd[13808]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Sep 29 09:10:02 h1233452 postfix/smtpd[13808]: disconnect from localhost.localdomain[127.0.0.1]
Sep 29 09:14:58 h1233452 postfix/qmgr[2181]: C95F11160135C: from=<BalogunFataiBabatunde@domain.de>, size=2540, nrcpt=20 (queue active)
Sep 29 09:14:58 h1233452 postfix/qmgr[2181]: 98FD711601962: from=<simbabamhamire@domain.de>, size=2216, nrcpt=11 (queue active)
Sep 29 09:14:58 h1233452 postfix/qmgr[2181]: E049F11601BAC: from=<louisadeligny@domain.de>, size=2643, nrcpt=20 (queue active)
Sep 29 09:14:58 h1233452 postfix/qmgr[2181]: 3CF27116012D5: from=<BalogunFataiBabatunde@domain.de>, size=2605, nrcpt=20 (queue active)
Sep 29 09:14:58 h1233452 postfix/qmgr[2181]: 8982311601BC8: from=<louisadeligny@domain.de>, size=2588, nrcpt=20 (queue active)
Sep 29 09:14:58 h1233452 postfix/qmgr[2181]: D028611601B59: from=<simbabamhamire@domain.de>, size=2496, nrcpt=20 (queue active)
Sep 29 09:14:58 h1233452 postfix/smtp[13882]: E049F11601BAC: to=<Ale.auteuil@anpe.fr>, relay=smtp1.pole-emploi.fr[109.26.209.71]:25, delay=243997, delays=243997/0.05/0.35/0, dsn=4.0.0, status=deferred (host smtp1.pole-emploi.fr[109.26.209.71] refused to talk to me: 554-smtp1.pole-emploi.fr 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Sep 29 09:14:58 h1233452 postfix/smtp[13885]: 8982311601BC8: host mx1.klepierre.c3s2.iphmx.com[68.232.139.53] refused to talk to me: 554-esa2.klepierre.c3s2.iphmx.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. 85.241.241.49 h1233452.stratoserver.net
Sep 29 09:14:59 h1233452 postfix/smtp[13884]: 8982311601BC8: lost connection with parmail19.bnpparibas.fr[159.50.176.38] while receiving the initial server greeting
Sep 29 09:14:59 h1233452 postfix/smtp[13885]: 8982311601BC8: host mx1.klepierre.c3s2.iphmx.com[68.232.133.103] refused to talk to me: 554-esa1.klepierre.c3s2.iphmx.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. 85.241.241.49 h1233452.stratoserver.net
Sep 29 09:14:59 h1233452 postfix/smtp[13885]: 8982311601BC8: host mx2.klepierre.c3s2.iphmx.com[68.232.133.103] refused to talk to me: 554-esa1.klepierre.c3s2.iphmx.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. 85.241.241.49 h1233452.stratoserver.net
Sep 29 09:14:59 h1233452 postfix/smtp[13885]: 8982311601BC8: to=<camille.aknin@fr.corio-eu.com>, relay=mx2.klepierre.c3s2.iphmx.com[68.232.139.53]:25, delay=243966, delays=243965/0.07/1/0, dsn=4.0.0, status=deferred (host mx2.klepierre.c3s2.iphmx.com[68.232.139.53] refused to talk to me: 554-esa2.klepierre.c3s2.iphmx.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. 85.241.241.49 h1233452.stratoserver.net)
Sep 29 09:14:59 h1233452 postfix/smtp[13884]: 8982311601BC8: lost connection with parmail21.bnpparibas.fr[159.50.169.84] while receiving the initial server greeting
Sep 29 09:14:59 h1233452 postfix/smtp[13881]: 98FD711601962: host mx2.telkomsa.net[196.25.211.172] refused to talk to me: 554-as8.telkomsa.net 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.

Huhn Hur Tu
29.09.15, 12:25
If in doubt, parse the successful logins out of /var/log/auth.log

fork
29.09.15, 12:36
My mailgrep script usually helps me. For a text pattern it finds all log lines with the associated message ID.

#!/bin/bash
# mailgrep: print every mail.log line belonging to the queue IDs whose lines match a pattern

if [ "$#" -lt 1 ]; then
    echo -e "\nProgram: mailgrep\n"
    echo -e "Description: Show information about specific mail addresses from mail.log"
    echo -e "\nUsage: $(basename "$0") <email-address>\n"
    exit 1
fi

address="$1"
tmp1=$(mktemp)
cd /var/log || exit 1

echo "Digging Logfiles..."

# 1st pass: collect the Postfix queue IDs (field 6, e.g. "D028611601B59:") of all matching lines
{ zcat mail.log.2.gz ; cat mail.log.1 mail.log.0 mail.log; } 2>/dev/null \
| grep -F -- "$address" \
| awk '{print $6}' \
| cut -d: -f1 \
| sort -u \
| grep -E "[0-9A-F]{11}" >"$tmp1"

# 2nd pass: print every line that carries one of those queue IDs
{
    zcat mail.log.3.gz mail.log.2.gz
    cat mail.log.1 mail.log.0 mail.log
} 2>/dev/null | grep -F -f "$tmp1"

rm -f "$tmp1"



Otherwise test the mail server IP(s) for blacklisting (e.g. mxtoolbox.com (http://mxtoolbox.com/blacklists.aspx))

Here is another script that counts the POST requests:

#!/bin/bash

# Count the POST requests in a given Apache access_log file,
# to figure out whether a web application is being abused for spamming ...

if [ "$#" -lt 1 ]; then
    echo "Usage: $(basename "$0") /path/to/apache_access_log_file"
    exit 1
fi

access_log="$1"

echo "$access_log"

# keep only POST requests answered with status 200, extract the request path, show the 5 most frequent
grep -E '"POST [^"]*" 200 ' "$access_log" | sed -re 's/^.*POST ([^ ]+) .*$/\1/' | sort | uniq -c | sort -n | tail -n 5 | cut -c1-160


You can call it for all existing files with, for example:

locate access_log | xargs -n1 count_posts

You may have to adapt the scripts, or just use them to understand what you need to do.

[MORD]Locutus
29.09.15, 12:50
Here is the mail header of a mail that my mail daemon took back as undeliverable:

Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Return-Path: <ms@domain.de>
Received: from localhost (localhost.localdomain [127.0.0.1])
by h1233452.stratoserver.net (Postfix) with ESMTP id 6920611601A5D;
Tue, 29 Sep 2015 10:34:53 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at h1233452.stratoserver.net
Received: from h1233452.stratoserver.net ([127.0.0.1])
by localhost (h1233452.stratoserver.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id UQK8hsV9N-MA; Tue, 29 Sep 2015 10:34:53 +0200 (CEST)
Received: from mail.domain.de (5.147.199.146.dyn.plus.net [146.199.147.5])
(Authenticated sender: ms@domain.de)
by h1233452.stratoserver.net (Postfix) with ESMTPA id 52E7B11601E79;
Tue, 29 Sep 2015 10:34:51 +0200 (CEST)
Subject: From: Iordache Nicolae
From: Iordache Nicolae <ms@domain.de>
Content-Type: multipart/alternative;
boundary=Apple-Mail-7ADDD6DB-8327-75B7-A623-C7F31D645AF5
X-Mailer: iPad Mail (12H143)
Message-Id: <5adc6a01fe96$41adc3c9$5c4ed8b6$@domain.de>

the second to last line says something about iPad Mail

@fork: Thanks, I'll go through it.

EDIT:
This is also interesting and is currently in the mail.log

Sep 29 12:53:39 h1233452 postfix/smtpd[4953]: connect from s15531975.onlinehome-server.info[82.165.37.87]
Sep 29 12:53:42 h1233452 postfix/smtpd[4953]: warning: s15531975.onlinehome-server.info[82.165.37.87]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 29 12:53:42 h1233452 postfix/smtpd[4953]: lost connection after AUTH from s15531975.onlinehome-server.info[82.165.37.87]
Sep 29 12:53:42 h1233452 postfix/smtpd[4953]: disconnect from s15531975.onlinehome-server.info[82.165.37.87]
Sep 29 12:53:54 h1233452 dovecot: imap-login: Login: user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4957, secured, session=<8NFQoeAgcwB/AAAB>
Sep 29 12:53:54 h1233452 dovecot: imap(ms@domain.de): Disconnected: Logged out in=93 out=918
Sep 29 12:54:54 h1233452 dovecot: imap-login: Login: user=<ms@domain.de>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4979, secured, session=<I6/kpOAg8QB/AAAB>
Sep 29 12:54:54 h1233452 dovecot: imap(ms@domain.de): Disconnected: Logged out in=93 out=918
Sep 29 12:55:02 h1233452 postfix/smtpd[4953]: connect from localhost.localdomain[127.0.0.1]
Sep 29 12:55:02 h1233452 postfix/smtpd[4953]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
Sep 29 12:55:02 h1233452 postfix/smtpd[4953]: disconnect from localhost.localdomain[127.0.0.1]
Sep 29 12:55:02 h1233452 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<w8FTpeAgOQB/AAAB>
Sep 29 12:55:02 h1233452 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<cspTpeAg3gB/AAAB>
Sep 29 12:55:43 h1233452 postfix/smtpd[4953]: connect from 75-145-187-65-Illinois.hfc.comcastbusiness.net[75.145.187.65]
Sep 29 12:55:45 h1233452 postfix/smtpd[4953]: warning: 75-145-187-65-Illinois.hfc.comcastbusiness.net[75.145.187.65]: SASL PLAIN authentication failed:
Sep 29 12:55:51 h1233452 postfix/smtpd[4953]: warning: 75-145-187-65-Illinois.hfc.comcastbusiness.net[75.145.187.65]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 29 12:55:51 h1233452 postfix/smtpd[4953]: disconnect from 75-145-187-65-Illinois.hfc.comcastbusiness.net[75.145.187.65]


When I read something like:

Sep 29 12:55:45 h1233452 postfix/smtpd[4953]: warning: 75-145-187-65-Illinois.hfc.comcastbusiness.net[75.145.187.65]: SASL PLAIN authentication failed:
Sep 29 12:55:51 h1233452 postfix/smtpd[4953]: warning: 75-145-187-65-Illinois.hfc.comcastbusiness.net[75.145.187.65]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

could it be that someone has my e-mail password and is simply sending spam from outside via my address?

Huhn Hur Tu
30.09.15, 07:29
Unsuccessful login, that just happens.

Sep 29 12:55:45 h1233452 postfix/smtpd[4953]: warning: 75-145-187-65-Illinois.hfc.comcastbusiness.net[75.145.187.65]: SASL PLAIN authentication failed:
Sep 29 12:55:51 h1233452 postfix/smtpd[4953]: warning: 75-145-187-65-Illinois.hfc.comcastbusiness.net[75.145.187.65]: SASL LOGIN authentication failed: UGFzc3dvcmQ6


My suspicion is rather mail spoofing: mails with your domain are sent from another server, and the bounce mail naturally lands with you.
If you really have concerns:

- backup
- reinstall the server
- restore only the mails

[MORD]Locutus
30.09.15, 15:49
I have now given each of my domains an SPF record and blocked via iptables the IPs that constantly try to get access to my mail account.

I'll now keep an eye on the logs and see whether anything else happens.
At the moment everything is quiet.