Long time since I wrote something. I had a spamming story left halfway through. Let me get to the meat of it right away…
The first step in the analysis was ascertaining the volume of e-mails still in queue. I must say Qmail is really good in handling the mail queue effectively (when compared to exim).
So, the queue status can be obtained by the following command.
—
# /var/qmail/bin/qmail-qstat
messages in queue: 9080
messages in queue but not yet preprocessed: 0
—
Here we have 9080 mails in the queue. If the server is being used for spamming, you would expect a bunch of strange e-mail addresses in the recipient list.
Next I examined the queue using qmail-qread:
—
# /var/qmail/bin/qmail-qread
—
Reading, with the ‘less’ command, the content of the queued mails whose recipient lists contained strange addresses, I got to something.
I had to get the message’s id and the file holding that particular e-mail. I got the message’s id from the qmail-qread output, then located the file holding the e-mail under /var/qmail/queue using the ‘find’ command.
I have pasted one such example:
————————
# /var/qmail/bin/qmail-qread
28 Dec 2010 02:01:11 GMT #20094014 1465 <>
remote bob@example.com
# find /var/qmail/queue/ -name 20094014
/var/qmail/queue/mess/16/20094014
/var/qmail/queue/remote/16/20094014
/var/qmail/queue/info/16/20094014
# less /var/qmail/queue/mess/19/22094026
Received: (qmail 10728 invoked from network); 28 Dec 2010 19:40:46 +0300
Received: from unknown (HELO User) (xx.xx.xx.xx)
by domain.com with SMTP; 28 Dec 2010 19:40:46 +0300
Reply-To:
From: "Fred"
Subject: Buy Me!
Date: Tue, 28 Dec 2010 19:40:52 +0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
————————
From this, it’s evident that we have spam in the queue and that it was received from the network (IP: xx.xx.xx.xx). I still did not know how exactly the spammer had managed to use my server to send these mails. But I wanted to clear these e-mails stuck in the queue first, so that they would not create further problems.
Qmail-Remove, a tool for such tasks, was my first choice. It was indeed the right tool for this job. I first listed the spam e-mails in the queue matching the pattern, “xx.xx.xx.xx” in this case:
———————
# qmail-remove -p xx.xx.xx.xx
———————
Since you have the list now, you need to stop the qmail daemon using the following command before actually removing the spam e-mails.
———–
# /etc/init.d/qmail stop
———–
To delete mails from queue, I used the ‘-r’ switch.
———————
# qmail-remove -r -p xx.xx.xx.xx
———————
This removes every queued e-mail containing the above pattern and moves it to the /var/qmail/queue/yanked folder. It meant I got rid of the ones in the queue.
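As an added example (not code from the original post, and not part of qmail or qmail-remove), here is a small shell script that generalises the qmail-qread/find/less hunt above and the pattern check done before running qmail-remove: it walks the queue’s mess/&lt;split&gt;/&lt;id&gt; files for a pattern such as the relay IP and lists each match with its companion info/, remote/ and local/ files. The queue layout and the sample messages are constructed in a temporary directory; nothing is yanked or deleted.

```shell
#!/bin/sh
# Added example, not code from the original post. Walks a qmail queue
# (layout: mess/<split>/<id>, info/<split>/<id>, remote/<split>/<id>,
# local/<split>/<id>) and lists every message whose content matches a
# literal pattern, e.g. the relay IP from "Received: from unknown (HELO User) (IP)".
# Read-only: nothing is removed. Usage: qmail_queue_grep QUEUE_DIR PATTERN

qmail_queue_grep() {
    queue=$1
    pattern=$2
    # grep -lF lists files containing the literal pattern; split dir and id are the last two path parts
    grep -lF -- "$pattern" "$queue"/mess/*/* 2>/dev/null | while read -r mess; do
        split=$(basename "$(dirname "$mess")")
        id=$(basename "$mess")
        # Companion files in the other queue subdirectories (same split/id)
        companions=""
        for sub in info remote local; do
            [ -f "$queue/$sub/$split/$id" ] && companions="$companions $queue/$sub/$split/$id"
        done
        printf '%s %s%s\n' "$id" "$mess" "$companions"
    done
}

# Constructed sample queue for demonstration: two split dirs, three messages
make_sample_queue() {
    q=$1
    mkdir -p "$q/mess/16" "$q/mess/19" "$q/info/16" "$q/remote/16" "$q/info/19" "$q/local/19"
    printf 'Received: from unknown (HELO User) (203.0.113.7)\nSubject: Buy Me!\n\n' > "$q/mess/16/20094014"
    : > "$q/info/16/20094014"; : > "$q/remote/16/20094014"
    printf 'Received: from mail.example.net (198.51.100.2)\nSubject: Hello\n\n' > "$q/mess/19/22094026"
    : > "$q/info/19/22094026"; : > "$q/local/19/22094026"
    printf 'Received: from unknown (HELO User) (203.0.113.7)\nSubject: Cheap!\n\n' > "$q/mess/19/22094030"
    : > "$q/info/19/22094030"
}

# Number of queued messages matching the pattern (quick triage figure)
qmail_queue_count() {
    qmail_queue_grep "$1" "$2" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample_queue "$tmp"
    qmail_queue_grep "$tmp" "203.0.113.7"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the two messages from the constructed relay IP listed with their companion files.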
Now I just had to keep an eye on the queue, to see if the server was still doing its bit of spamming. Well, it did, and this time I liked it!
I ran tcpdump and waited for a few minutes. For those who do not know what that command does: it’s just a packet sniffer, which captures packets and logs them according to the criteria given along with the command.
———————
# tcpdump -i eth0 -n -s 2048 -w spam.list 'src xx.xx.xx.xx or dst xx.xx.xx.xx'
———————
On examining the capture file (spam.list), I could see that the spammer was sending spam after authenticating with LOGIN authentication:
———————
250-xxx.abcd.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dMTUzdA==
334 UGFzc3dvcmQ6
QWeXDYM=
235 go ahead
———————
I then had to decode the user/pass to see which account was being used:
———————
# perl -MMIME::Base64 -e 'print decode_base64("dMTUzdA==")'
bob
# perl -MMIME::Base64 -e 'print decode_base64("QWeXDYM=")'
qwerty
———————
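As an added example (not code from the original post), the following shell functions do the same credential triage over a captured SMTP session saved as text: they pull the AUTH LOGIN username out of the client’s reply to the server’s “Username:” challenge and report whether AUTH was sent before any STARTTLS, which is why the credential was readable in the capture in the first place. The session text is constructed (the base64 really decodes to “bob”), and GNU coreutils `base64 -d` is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post. Given a captured SMTP
# session as plain text (one line per command/reply, as extracted from the
# tcpdump file), report the account used with AUTH LOGIN so the abused
# mailbox can be identified. Assumes GNU coreutils 'base64 -d'.
# The server's 334 challenges are the base64 of "Username:" and "Password:".

# Print the decoded AUTH LOGIN username found in a session file, or nothing.
smtp_auth_login_user() {
    session=$1
    # The client's username is the line that follows "334 VXNlcm5hbWU6" ("Username:")
    awk 'found { print; exit } /^334 VXNlcm5hbWU6/ { found = 1 }' "$session" \
        | tr -d '\r' | base64 -d 2>/dev/null
}

# Succeeds when an AUTH command appears before any STARTTLS: the credential
# then crossed the wire in the clear, which is how a packet capture exposes it.
smtp_auth_in_clear() {
    awk '/^STARTTLS/ { tls = 1 } /^AUTH / && !tls { clear = 1 } END { exit clear ? 0 : 1 }' "$1"
}

# Constructed session mirroring the captured exchange; base64 here is real ("bob").
write_sample_session() {
    cat > "$1" <<'EOF'
250-mail.example.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
Ym9i
334 UGFzc3dvcmQ6
cXdlcnR5
235 go ahead
EOF
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_session "$f"
    printf 'account used: %s\n' "$(smtp_auth_login_user "$f")"
    smtp_auth_in_clear "$f" && echo "AUTH sent without STARTTLS: credential visible on the wire"
    rm -f "$f"
fi
```

Only the username is decoded; that is what you need to find and lock down the mailbox.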
Here the account bob was used for spamming. But then bob of which domain? I had to find the domain owning this mailbox. The following query helped me there:
———————
# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='bob' AND a.password='qwerty';"
+-----------+-------------------------+----------+
| mail_name | name                    | password |
+-----------+-------------------------+----------+
| bob       | yetanotherdomain123.com | qwerty   |
+-----------+-------------------------+----------+
1 row in set (0.01 sec)
———————
There you go, the mail account bob@yetanotherdomain123.com was used by spammers. All I did was delete the mailbox and notify the customer owning the domain of this spamming activity.
I also sent an update to the NOC with the details. There was no response from them for a day, and then an update letting me know that the ticket was being closed.
About the Author:
Nithin works as a Senior Software Engineer in Bobcares. He joined Bobcares back in April 2008. He loves Music, Travelling and Linux, apart from blogging.
Co-authored by Sankar.H
very good article Nithin..