
Webhost’s Diary: My X-mas wasn’t all just fun (part II/II)

It has been a long time since I wrote something, and I had left a spamming story halfway through. Let me get to the meat of it right away…

The first step in the analysis was ascertaining the volume of e-mails still in the queue. I must say Qmail is really good at handling the mail queue effectively (when compared to Exim).


So, the queue status can be obtained with the following command:


# /var/qmail/bin/qmail-qstat
messages in queue: 9080
messages in queue but not yet preprocessed: 0

Here we have 9080 mails in the queue. If the server is being used for spamming, you can expect a bunch of strange email addresses in the recipient list.

Next I examined the queue using qmail-qread:


# /var/qmail/bin/qmail-qread

Reading the content of the mails whose recipient lists had strange addresses, using the ‘less’ command, I got onto something.

I had to get the message’s id and the file holding that particular email. I got the message id from qmail-qread, then found the file holding the email under /var/qmail/queue with the ‘find’ command.

I have pasted one such example:

————————
# /var/qmail/bin/qmail-qread
28 Dec 2010 02:01:11 GMT #20094014 1465 <>
remote bob@example.com

# find /var/qmail/queue/ -name 20094014
/var/qmail/queue/mess/16/20094014
/var/qmail/queue/remote/16/20094014
/var/qmail/queue/info/16/20094014

# less /var/qmail/queue/mess/19/22094026
Received: (qmail 10728 invoked from network); 28 Dec 2010 19:40:46 +0300
Received: from unknown (HELO User) (xx.xx.xx.xx)
by domain.com with SMTP; 28 Dec 2010 19:40:46 +0300
Reply-To:
From: "Fred"
Subject: Buy Me!
Date: Tue, 28 Dec 2010 19:40:52 +0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

————————

From this it is evident that we have spam in the queue and that it was received from the network (IP: xx.xx.xx.xx). I still did not know how exactly the spammer had managed to use my server to send these mails, but I wanted to clear the e-mails stuck in the queue first, so that they would not create further problems.
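The triage described above (qmail-qstat for the count, qmail-qread for senders and recipients, find to locate the files) is quick by hand for one message, but with thousands of messages queued it helps to summarise qmail-qread's output first. The shell script below is an added example, not part of the original post or of qmail: it reads qmail-qread output on standard input and reports the message count, messages per envelope sender, pending recipients per domain, and the ids of messages from a given sender. The qmail-qread output it parses is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): summarise qmail-qread output so a
# flooded queue can be triaged without reading every message by hand.

# Constructed sample in qmail-qread's format. A header line carries the queue
# date, "#<message id>", size and envelope sender; the indented lines below it
# list the recipients, and "done" marks a recipient already delivered.
SAMPLE_QREAD='28 Dec 2010 02:01:11 GMT #20094014 1465 <>
    remote aaa111@example.net
    remote bbb222@example.net
28 Dec 2010 02:01:15 GMT #20094015 1465 <>
    remote ccc333@example.org
    done remote ddd444@example.net
28 Dec 2010 02:02:03 GMT #20094020 812 <alice@example.com>
    local bob@example.com'

# A header line is recognised by the "GMT #<id>" pair in fields 5 and 6.
# Number of messages in the queue (one header line each).
qread_count() {
  awk '$5 == "GMT" && $6 ~ /^#/ { n++ } END { print n + 0 }'
}

# Messages per envelope sender, most frequent first. Thousands of messages
# from "<>" (bounces) or from a single account point at an abused account.
qread_senders() {
  awk '$5 == "GMT" && $6 ~ /^#/ { n[$NF]++ } END { for (s in n) print n[s], s }' \
    | sort -rn
}

# Pending recipients grouped by domain, most frequent first. Lines starting
# with "done" are skipped: those deliveries have already left the queue.
qread_rcpt_domains() {
  awk '($1 == "remote" || $1 == "local") { split($2, p, "@"); d[p[2]]++ }
       END { for (x in d) print d[x], x }' \
    | sort -rn
}

# Ids of messages whose envelope sender matches an awk regex, ready for
# "find /var/qmail/queue -name <id>" as in the post, or for qmail-remove.
qread_ids_from() {
  awk -v pat="$1" '$5 == "GMT" && $6 ~ /^#/ && $NF ~ pat { print substr($6, 2) }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_QREAD" | qread_count
printf '%s\n' "$SAMPLE_QREAD" | qread_senders
printf '%s\n' "$SAMPLE_QREAD" | qread_rcpt_domains
printf '%s\n' "$SAMPLE_QREAD" | qread_ids_from '^<>$'
```

On a live server replace the sample with `/var/qmail/bin/qmail-qread | qread_senders`; the top of that list and of the recipient-domain list usually shows within seconds whether one account or one relay path is responsible.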

qmail-remove, a tool for such tasks, was my first choice, and it was indeed the right tool for this job. First I checked the number of spam e-mails matching the pattern “xx.xx.xx.xx” (the sending IP in this case):

———————
# qmail-remove -p xx.xx.xx.xx
———————

Now that you have the list, you need to stop the qmail daemon with the following command before the spam e-mails can actually be removed.

———–
# /etc/init.d/qmail stop
———–

To delete the mails from the queue, I used the ‘-r’ switch:

———————
# qmail-remove -r -p xx.xx.xx.xx
———————

This removes all emails in the queue that contain the above pattern and moves them to the /var/qmail/queue/yanked folder. That took care of the ones already in the queue.
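qmail-remove's own source is not on this page, so the shell script below is an added example of my own, not qmail-remove itself and not Bobcares code. It reproduces the two steps described above on the queue layout the find output shows (mess/<split>/<id>, remote/<split>/<id>, info/<split>/<id>): list the ids of messages whose message file contains a literal pattern, then move every file belonging to those messages into a yanked/ folder. It builds a small constructed queue under a temporary directory so it can be run anywhere; against a real /var/qmail/queue, qmail must be stopped first, as the post says.

```shell
#!/bin/sh
# Added example (not qmail-remove and not from the original post): find and
# yank queued messages whose message file contains a pattern, using the
# mess/<split>/<id>, remote/<split>/<id>, info/<split>/<id> layout shown in
# the post's find output. Run only with qmail stopped, as the post does.
# Assumes queue paths without whitespace.

# Build a small constructed queue under a temporary directory and print its
# path. Message 20094014 carries a made-up spammer IP in a Received: header;
# 20094015 is a legitimate message that must stay in the queue. The recipient
# and info files hold placeholder text: only the file layout matters here.
make_sample_queue() {
  q=$(mktemp -d)
  mkdir -p "$q/mess/16" "$q/remote/16" "$q/info/16" \
           "$q/mess/17" "$q/local/17" "$q/info/17"
  printf 'Received: from unknown (HELO User) (192.0.2.10)\nSubject: Buy Me!\n' \
    > "$q/mess/16/20094014"
  echo 'placeholder recipient list' > "$q/remote/16/20094014"
  echo 'placeholder sender info'    > "$q/info/16/20094014"
  printf 'Received: from mail.example.com (198.51.100.5)\nSubject: invoice\n' \
    > "$q/mess/17/20094015"
  echo 'placeholder recipient list' > "$q/local/17/20094015"
  echo 'placeholder sender info'    > "$q/info/17/20094015"
  echo "$q"
}

# Print the mess files that contain the literal pattern. Fixed-string match,
# so an IP such as 192.0.2.10 is not treated as a regex.
matching_mess_files() {  # matching_mess_files <queue_dir> <pattern>
  for mess in "$1"/mess/*/*; do
    [ -f "$mess" ] || continue
    if grep -q -F -e "$2" "$mess"; then
      echo "$mess"
    fi
  done
}

# Ids of matching messages, like "qmail-remove -p <pattern>" in the post.
list_matching() {  # list_matching <queue_dir> <pattern>
  for mess in $(matching_mess_files "$1" "$2"); do
    echo "${mess##*/}"
  done
}

# Move every queue file of each matching message into <queue_dir>/yanked/
# (like "qmail-remove -r -p <pattern>") and print how many were yanked.
# The split directory (16, 17, ...) is the same in every subdirectory, so it
# is taken from the path of the mess file; all of a message's files move
# together so the queue is never left with a dangling recipient entry.
yank_matching() {  # yank_matching <queue_dir> <pattern>
  q=$1; n=0
  mkdir -p "$q/yanked"
  for mess in $(matching_mess_files "$q" "$2"); do
    id=${mess##*/}
    split=${mess%/*}; split=${split##*/}
    for sub in mess info remote local bounce; do
      f="$q/$sub/$split/$id"
      if [ -f "$f" ]; then
        mv "$f" "$q/yanked/$id.$sub"
      fi
    done
    n=$((n + 1))
  done
  echo "$n"
}

# Stand-alone demo on the constructed queue.
Q=$(make_sample_queue)
list_matching "$Q" 192.0.2.10
yank_matching "$Q" 192.0.2.10
ls "$Q/yanked"
rm -r "$Q"
```

The yanked copies keep their id and subdirectory name, so a message removed by mistake can still be inspected or put back by hand before the folder is cleared.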

Now I just had to keep an eye on the queue, to see whether the server was still doing its bit of spamming. Well, it did, and this time I liked it!

I ran tcpdump and waited a few minutes. For those who do not know what that command means: it is just a packet sniffer, which captures packets and logs those matching the criteria given on the command line.

———————
# tcpdump -i eth0 -n src xx.xx.xx.xx or dst xx.xx.xx.xx -w spam.list -s 2048
———————

On examining the capture file (spam.list), I could see that the spammer was sending spam using LOGIN authentication:

———————
250-xxx.abcd.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dMTUzdA==
334 UGFzc3dvcmQ6
QWeXDYM=
235 go ahead

———————
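The exchange above is the whole AUTH LOGIN dialogue: the server's 334 challenges and the client's replies are base64, not encryption. The shell script below is an added example (not from the original post) that pulls the account name out of such a captured session automatically, and only when the server actually accepted the login, so a failed guess is not mistaken for a compromised mailbox. It assumes GNU coreutils `base64 -d` and a plain-text transcript of the session; both session samples and the account name "bob" in them are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pull the account name out of a
# captured SMTP AUTH LOGIN exchange, so the compromised mailbox can be
# identified without decoding the base64 tokens by hand. Assumes GNU
# coreutils "base64 -d" and a plain-text transcript of the session (for
# example from tcpdump -A, or after reassembling the TCP stream).

# Constructed sample of a successful exchange; "Ym9i" is base64 for the
# made-up account "bob". Server lines start with a 3-digit code, the others
# are what the client sent.
SAMPLE_SESSION='250-mail.example.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
Ym9i
334 UGFzc3dvcmQ6
cXdlcnR5
235 go ahead
MAIL FROM:<>'

# Constructed sample of a rejected attempt: same dialogue, but the server
# answers 535, so no account was actually used.
SAMPLE_FAILED='AUTH LOGIN
334 VXNlcm5hbWU6
Ym9i
334 UGFzc3dvcmQ6
bm9wZQ==
535 authorization failed'

# Decode one base64 token; CRs are dropped in case the capture kept CRLF.
b64() {
  printf '%s' "$1" | tr -d '\r' | base64 -d 2>/dev/null
}

# Decode the server's first 334 challenge. It is only the word "Username:"
# in base64 (the second one is "Password:"): nothing secret, just the
# AUTH LOGIN protocol framing.
auth_challenge() {
  b64 "$(printf '%s\n' "$1" | sed -n 's/^334 //p' | head -n 1)"
}

# Print the username from an AUTH LOGIN exchange that the server accepted.
# After "AUTH LOGIN", the client line following the "Username:" challenge is
# the base64 username; it is reported only if the server then replied 235,
# so failed guesses (535) do not get mistaken for a compromised account.
auth_login_user() {
  u=$(printf '%s\n' "$1" | tr -d '\r' | awk '
    toupper($0) ~ /^AUTH LOGIN/      { in_auth = 1; next }
    in_auth && /^334 VXNlcm5hbWU6/   { want_user = 1; next }
    in_auth && want_user             { user = $0; want_user = 0; next }
    in_auth && /^235/                { print user; exit }
    in_auth && /^535/                { exit }
  ')
  if [ -n "$u" ]; then
    b64 "$u"
  fi
}

# Stand-alone demo on the constructed samples.
auth_challenge "$SAMPLE_SESSION"; echo
auth_login_user "$SAMPLE_SESSION"; echo
auth_login_user "$SAMPLE_FAILED"; echo
```

Run over the whole capture, a list of accepted usernames per client IP is exactly what is needed for the next step, finding which domain the mailbox belongs to; the password token is in the same encoding but is not needed for that.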

I then had to decode the username and password to see which account was being used:

———————
# perl -MMIME::Base64 -e 'print decode_base64("dMTUzdA==")'
bob
# perl -MMIME::Base64 -e 'print decode_base64("QWeXDYM=")'
qwerty

———————

Here the account bob was used for spamming. But bob of which domain? I had to find the domain owning this mailbox. The following query against the Plesk (psa) database helped me there:

———————
# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='bob' AND a.password='qwerty';"
+-----------+-------------------------+----------+
| mail_name | name                    | password |
+-----------+-------------------------+----------+
| bob       | yetanotherdomain123.com | qwerty   |
+-----------+-------------------------+----------+
1 row in set (0.01 sec)

———————

There you go: the mail account bob@yetanotherdomain123.com was being used by spammers. All I did was delete the mailbox and notify the customer owning the domain of this spamming activity.

I also sent an update to the NOC with the details. There was no response from them for a day, and then an update letting me know that the ticket was being closed.

Nithin


About the Author :

Nithin works as a Senior Software Engineer at Bobcares. He joined Bobcares back in April 2008. He loves music, travelling and Linux, apart from blogging.


Co-authored by Sankar.H


Mail server

1 Comment

  1. very good article Nithin..
