Re: [exim] Unstoppable spam

2019-09-24 Thread Odhiambo Washington via Exim-users
On Tue, 24 Sep 2019 at 14:43, Cyborg via Exim-users 
wrote:

> On 24.09.19 at 11:07, Odhiambo Washington via Exim-users wrote:
> > 2019-09-23 19:05:01 1iCQpf-0002zI-7B <= benson.ku...@ourdomain.tld
> > H=([127.0.0.1]) [5.61.42.174] I=[41.57.X.X]:587 P=esmtpsa
> > X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no
> > A=plain:benson.ku...@ourdomain.tld S=153471 id=4d95a1b3-5c91-471
> > e-5b9e-f8fe7aa1c...@ourdomain.tld T="Your order ?5634 is ready for the
> > transporting" from  for
> > daniel.ow...@ourdomain.tld
>
> To answer your question, yes, it uses plaintext auth and yes, it looks
> like your auth is broken.
>
> I think you want to have "POPbeforeSMTP", which is an old mechanism to
> authenticate someone for SMTP.
>
> Better activate SMTP-AUTH.
>

I have ASMTP active, as you might have seen from the headers.


> Any client will support it, even OUTLOOK will do.
>
> The exim default config (for Fedora) has this to offer:
>
>
> # LOGIN authentication has traditional prompts and responses. There is no
> # authorization ID in this mechanism, so unlike PLAIN the username and
> # password are $auth1 and $auth2. Apart from that you can use the same
> # server_condition setting for both authenticators.
>
> LOGIN:
>   driver = plaintext
>   server_set_id  = $auth1
>   server_prompts = <| Username: | Password:
>   server_condition   = ${if saslauthd{{$1}{$2}{smtp}} {1}}
>   server_advertise_condition = *
>
>
> Depending on where your dovecot auths against, it may work directly.
>
> If it's a database, you may want to use this:
>
> LOGIN:
>  driver = plaintext
>  server_set_id = $1
>  server_prompts = <| Username: | Password:
>  server_condition = "${if and { \
>   {!eq{$2}{}} \
>   {eq{1}{${lookup mysql{SELECT '1' FROM users WHERE
> user = '${quote_mysql:${local_part:$1}}' and passwort =
> password('${quote_mysql:$2}') }{$value}fail}} }} {yes}{no}}"
>  server_advertise_condition = *
>
> (don't forget to enable a database connection first)
>
> Check your dovecot for the used auth mechanism; it seems to be faulty


I am using the dovecot authentication as spelt here:

https://wiki.dovecot.org/HowTo/EximAndDovecotSASL

And I don't think it is broken.



> or
> your attacker has access to your mailboxes and gets the password anytime
> you set a new one.
>

Not possible because my passwords are encrypted, not plaintext.

Thanks for helping me think it out.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Unstoppable spam

2019-09-24 Thread Cyborg via Exim-users
On 24.09.19 at 11:07, Odhiambo Washington via Exim-users wrote:
> 2019-09-23 19:05:01 1iCQpf-0002zI-7B <= benson.ku...@ourdomain.tld
> H=([127.0.0.1]) [5.61.42.174] I=[41.57.X.X]:587 P=esmtpsa
> X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no
> A=plain:benson.ku...@ourdomain.tld S=153471 id=4d95a1b3-5c91-471
> e-5b9e-f8fe7aa1c...@ourdomain.tld T="Your order ?5634 is ready for the
> transporting" from  for
> daniel.ow...@ourdomain.tld

To answer your question, yes, it uses plaintext auth and yes, it looks
like your auth is broken.

I think you want to have "POPbeforeSMTP", which is an old mechanism to
authenticate someone for SMTP.

Better activate SMTP-AUTH.

Any client will support it, even OUTLOOK will do.

The exim default config (for Fedora) has this to offer:


# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.

LOGIN:
  driver = plaintext
  server_set_id  = $auth1
  server_prompts = <| Username: | Password:
  server_condition   = ${if saslauthd{{$1}{$2}{smtp}} {1}}
  server_advertise_condition = *


Depending on where your dovecot auths against, it may work directly.

If it's a database, you may want to use this:

LOGIN:
 driver = plaintext
 server_set_id = $1
 server_prompts = <| Username: | Password: 
 server_condition = "${if and { \
  {!eq{$2}{}} \
  {eq{1}{${lookup mysql{SELECT '1' FROM users WHERE 
user = '${quote_mysql:${local_part:$1}}' and passwort =
password('${quote_mysql:$2}') }{$value}fail}} }} {yes}{no}}"
 server_advertise_condition = *

(don't forget to enable a database connection first)

Check your dovecot for the used auth mechanism; it seems to be faulty, or
your attacker has access to your mailboxes and gets the password anytime
you set a new one.

best regards,
Marius



Re: [exim] Unstoppable spam

2019-09-24 Thread Jeremy Harris via Exim-users
On 24/09/2019 09:40, Jasen Betts via Exim-users wrote:
> On 2019-09-24, Odhiambo Washington via Exim-users  wrote:
> 
>> Authentication-Results: gw.ourdomain.tld;iprev=fail
>>   smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
>>   smtp.auth=benson.ku...@ourdomain.tld;dmarc=skipped
>>   header.from=ourdomain.tld
> 
> Is that a standard header? I've not seen exim adding that.

https://tools.ietf.org/html/rfc8601

-- 
Cheers,
  Jeremy



Re: [exim] Unstoppable spam

2019-09-24 Thread Odhiambo Washington via Exim-users
On Tue, 24 Sep 2019 at 11:48, Jasen Betts via Exim-users <
exim-users@exim.org> wrote:

> On 2019-09-24, Odhiambo Washington via Exim-users 
> wrote:
>
> > Authentication-Results: gw.ourdomain.tld;iprev=fail
> >   smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
> >   smtp.auth=benson.ku...@ourdomain.tld;dmarc=skipped
> >   header.from=ourdomain.tld
>
> Is that a standard header? I've not seen exim adding that.
>

Extracted that from the spam mail.


>
> It seems to say they did "auth plain" and gave an acceptable password
> (especially in combination with "esmtpsa" in the received header).
>
> Could there be some problem with your plain authenticator? What is it
> authenticating against?
>

Not sure if there is a problem with my plain authenticator. Maybe, maybe
not.
I need a 3rd eye.

It authenticates against dovecot:

plain:
 driver = dovecot
 public_name = PLAIN
 server_socket = /var/run/dovecot/auth-client
 server_set_id = $auth1



>
> Can you share the ' <= ' line for this email (1iCQpf-0002zI-7B) in the
> exim logs? It should be near Mon, 23 Sep 2019 19:05:01 +0300
>
>
Here is the log extract:

2019-09-23 19:05:01 1iCQpf-0002zI-7B <= benson.ku...@ourdomain.tld
H=([127.0.0.1]) [5.61.42.174] I=[41.57.X.X]:587 P=esmtpsa
X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no
A=plain:benson.ku...@ourdomain.tld S=153471 id=4d95a1b3-5c91-471
e-5b9e-f8fe7aa1c...@ourdomain.tld T="Your order ?5634 is ready for the
transporting" from  for
daniel.ow...@ourdomain.tld
2019-09-23 19:05:01 1iCQpf-0002zI-7B =>
/var/spool/virtual/ourdomain.tld/daniel.owino/Maildir
 R=virtual_domains T=dovecot_virtual_delivery
S=153618
2019-09-23 19:05:01 1iCQpf-0002zI-7B Completed





Re: [exim] Unstoppable spam

2019-09-24 Thread Jasen Betts via Exim-users
On 2019-09-24, Odhiambo Washington via Exim-users  wrote:

> Authentication-Results: gw.ourdomain.tld;iprev=fail
>   smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
>   smtp.auth=benson.ku...@ourdomain.tld;dmarc=skipped
>   header.from=ourdomain.tld

Is that a standard header? I've not seen exim adding that.

It seems to say they did "auth plain" and gave an acceptable password
(especially in combination with "esmtpsa" in the received header).

Could there be some problem with your plain authenticator? What is it
authenticating against?

Can you share the ' <= ' line for this email (1iCQpf-0002zI-7B) in the
exim logs? It should be near Mon, 23 Sep 2019 19:05:01 +0300

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Unstoppable spam

2019-09-24 Thread Marius Schwarz via Exim-users
Looks like "5.61.42.174" gets spammed via webmail (127.0.0.1) or got hacked and 
spams via script. Check that system.

On September 24, 2019 7:40:07 AM UTC, Odhiambo Washington via Exim-users wrote:
>Hi all,
>
>One particular account on my server has been used to send spam
>repeatedly.
>I have changed the account's password so many times now that I believe
>this
>spam is not actually using their password for ASMTP, but probably a
>hole on
>the system which I am not able to detect.
>I am requesting a 3rd eye to help me figure out how this could be
>happening.
>
>The header below is from one such spam.
>
>What weakness(es) is the spammer likely abusing?
>
>Return-Path: 
>Envelope-to: daniel.ow...@ourdomain.tld
>Delivery-date: Mon, 23 Sep 2019 19:05:01 +0300
>Authentication-Results: gw.ourdomain.tld;iprev=fail
>smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
>smtp.auth=benson.ku...@ourdomain.tld;dmarc=skipped
>header.from=ourdomain.tld
>Received: from [5.61.42.174] (helo=[127.0.0.1]) by gw.ourdomain.tld
>with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2)
>(envelope-from ) id 1iCQpf-0002zI-7B for
>daniel.ow...@ourdomain.tld; Mon, 23 Sep 2019 19:05:01 +0300
>Content-Type: multipart/mixed;
>boundary="=_NextPart_000_0010_01D572B4.9D8D2390"
>From: 
>To: 
>Subject: =?utf-8?Q?Message_has_been_disinfected_:Yo?=
>=?utf-8?Q?ur_order_=E2=84=965634_is_ready_for_the_?=
>=?utf-8?Q?transporting?=
>Message-ID: <4d95a1b3-5c91-471e-5b9e-f8fe7aa1c...@ourdomain.tld>
>Date: Mon, 23 Sep 2019 16:04:50 +
>MIME-Version: 1.0
>X-Scanned-By: unscanned primary on gw.ourdomain.tld (41.57.X.X); Mon,
>23 Sep 2019 19:05:01 +0300
>X-MimeOLE: Produced By Microsoft MimeOLE
>X-Spam-Flag: NO
>
>
>
>

-- 
This message was sent from my Android device with K-9 Mail.


Re: [exim] Unstoppable spam

2019-09-24 Thread Sebastian Nielsen via Exim-users
If gw.ourdomain.tld is listed as an authorized relayer in the exim4 config,
authentication isn't needed.
Check the configuration to make sure relaying is not authorized for gw.ourdomain.tld.

The best thing you can do is to restrict it so that BOTH an authorized IP *AND* a
password are required to relay; that way you also run clear of
all those password-cracking robots out there.

-Original Message-
From: Exim-users  On behalf of
Odhiambo Washington via Exim-users
Sent: 24 September 2019 09:49
To: exim users 
Subject: [exim] Unstoppable spam

Hi all,

One particular account on my server has been used to send spam repeatedly.
I have changed the account's password so many times now that I believe this
spam is not actually using their password for ASMTP, but probably a hole on
the system which I am not able to detect.
I am requesting a 3rd eye to help me figure out how this could be happening.

The header below is from one such spam.

What weakness(es) is the spammer likely abusing?

Return-Path: 
Envelope-to: daniel.ow...@ourdomain.tld
Delivery-date: Mon, 23 Sep 2019 19:05:01 +0300
Authentication-Results: gw.ourdomain.tld;iprev=fail
smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
smtp.auth=benson.ku...@ourdomain.tld;dmarc=skipped
header.from=ourdomain.tld
Received: from [5.61.42.174] (helo=[127.0.0.1]) by gw.ourdomain.tld
with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2)
(envelope-from ) id 1iCQpf-0002zI-7B for
daniel.ow...@ourdomain.tld; Mon, 23 Sep 2019 19:05:01 +0300
Content-Type: multipart/mixed;
boundary="=_NextPart_000_0010_01D572B4.9D8D2390"
From: 
To: 
Subject: =?utf-8?Q?Message_has_been_disinfected_:Yo?=
=?utf-8?Q?ur_order_=E2=84=965634_is_ready_for_the_?=
=?utf-8?Q?transporting?=
Message-ID: <4d95a1b3-5c91-471e-5b9e-f8fe7aa1c...@ourdomain.tld>
Date: Mon, 23 Sep 2019 16:04:50 +
MIME-Version: 1.0
X-Scanned-By: unscanned primary on gw.ourdomain.tld (41.57.X.X); Mon,
23 Sep 2019 19:05:01 +0300
X-MimeOLE: Produced By Microsoft MimeOLE
X-Spam-Flag: NO









[exim] Unstoppable spam

2019-09-24 Thread Odhiambo Washington via Exim-users
Hi all,

One particular account on my server has been used to send spam repeatedly.
I have changed the account's password so many times now that I believe this
spam is not actually using their password for ASMTP, but probably a hole on
the system which I am not able to detect.
I am requesting a 3rd eye to help me figure out how this could be happening.

The header below is from one such spam.

What weakness(es) is the spammer likely abusing?

Return-Path: 
Envelope-to: daniel.ow...@ourdomain.tld
Delivery-date: Mon, 23 Sep 2019 19:05:01 +0300
Authentication-Results: gw.ourdomain.tld;iprev=fail
smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
smtp.auth=benson.ku...@ourdomain.tld;dmarc=skipped
header.from=ourdomain.tld
Received: from [5.61.42.174] (helo=[127.0.0.1]) by gw.ourdomain.tld
with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2)
(envelope-from ) id 1iCQpf-0002zI-7B for
daniel.ow...@ourdomain.tld; Mon, 23 Sep 2019 19:05:01 +0300
Content-Type: multipart/mixed;
boundary="=_NextPart_000_0010_01D572B4.9D8D2390"
From: 
To: 
Subject: =?utf-8?Q?Message_has_been_disinfected_:Yo?=
=?utf-8?Q?ur_order_=E2=84=965634_is_ready_for_the_?=
=?utf-8?Q?transporting?=
Message-ID: <4d95a1b3-5c91-471e-5b9e-f8fe7aa1c...@ourdomain.tld>
Date: Mon, 23 Sep 2019 16:04:50 +
MIME-Version: 1.0
X-Scanned-By: unscanned primary on gw.ourdomain.tld (41.57.X.X); Mon,
23 Sep 2019 19:05:01 +0300
X-MimeOLE: Produced By Microsoft MimeOLE
X-Spam-Flag: NO



