amavis abused for sending mail?

#1
Hello, I am running ISPC 3.0.5.3 on Debian Squeeze, fully patched.
The other day my server was abused for sending spam.
What I find remarkable is that, as far as I can tell from the log, it was apparently done via amavis.
I assume the password of one mail address was guessed. However, according to the config, sending large volumes of mail should not be possible at all....

This is the relevant entry from the log where the attacker logged in successfully for the first time and then sent a mail:

Jan 12 05:07:25 node176 postfix/smtpd[10387]: connect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:07:26 node176 postfix/smtpd[10387]: A5C8720753: client=rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74], sasl_method=LOGIN, sasl_username=molln@kunde.tld
Jan 12 05:07:28 node176 postfix/cleanup[10966]: A5C8720753: message-id=<>
Jan 12 05:07:28 node176 postfix/qmgr[2421]: A5C8720753: from=<molln@kunde.tld>, size=523, nrcpt=1 (queue active)
Jan 12 05:07:28 node176 postfix/smtpd[10971]: connect from localhost[127.0.0.1]
Jan 12 05:07:28 node176 postfix/smtpd[10387]: disconnect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:07:28 node176 postfix/smtpd[10971]: 8484220BB7: client=localhost[127.0.0.1]
Jan 12 05:07:28 node176 postfix/cleanup[10966]: 8484220BB7: message-id=<20140112040728.8484220BB7@node176.provider.tld>
Jan 12 05:07:28 node176 postfix/smtpd[10971]: disconnect from localhost[127.0.0.1]
Jan 12 05:07:28 node176 postfix/qmgr[2421]: 8484220BB7: from=<molln@kunde.tld>, size=1026, nrcpt=1 (queue active)
Jan 12 05:07:28 node176 amavis[10772]: (10772-03) Passed CLEAN, [71.43.115.74] [71.43.115.74] <molln@kunde.tld> -> <g.miller948@yahoo.com>, mail_id: dUvXzjG74eTM, Hits: 0.376, size: 523, queued_as: 8484220BB7, 168 ms
Jan 12 05:07:28 node176 postfix/smtp[10968]: A5C8720753: to=<g.miller948@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=1.9/0/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10772-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8484220BB7)
Jan 12 05:07:28 node176 postfix/qmgr[2421]: A5C8720753: removed
Jan 12 05:07:30 node176 postfix/smtp[11015]: 8484220BB7: to=<g.miller948@yahoo.com>, relay=mta5.am0.yahoodns.net[66.196.118.34]:25, delay=1.5, delays=0.01/0.01/0.53/0.94, dsn=2.0.0, status=sent (250 ok dirdel)
Jan 12 05:07:30 node176 postfix/qmgr[2421]: 8484220BB7: removed
Since the number of mails is restricted, the following entries then appeared:
Jan 12 05:10:58 node176 postfix/anvil[9124]: statistics: max connection rate 8/60s for (smtp:71.43.115.74) at Jan 12 05:01:59
Jan 12 05:10:58 node176 postfix/anvil[9124]: statistics: max connection count 2 for (smtp:71.43.115.74) at Jan 12 05:01:59
Jan 12 05:10:58 node176 postfix/anvil[9124]: statistics: max message rate 2/60s for (smtp:213.222.33.2) at Jan 12 05:01:33
After that there are a whole lot of entries of this kind:

Jan 12 05:13:28 node176 postfix/smtpd[11240]: connect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:38 node176 postfix/smtpd[11242]: connect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:38 node176 postfix/smtpd[10962]: lost connection after EHLO from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:38 node176 postfix/smtpd[10962]: disconnect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:39 node176 postfix/smtpd[11235]: lost connection after AUTH from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:39 node176 postfix/smtpd[11235]: disconnect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:40 node176 postfix/smtpd[11242]: warning: rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 05:13:40 node176 postfix/smtpd[11242]: lost connection after AUTH from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:40 node176 postfix/smtpd[11242]: disconnect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:41 node176 postfix/smtpd[11240]: warning: rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 05:13:41 node176 postfix/smtpd[11240]: lost connection after AUTH from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:41 node176 postfix/smtpd[11240]: disconnect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:43 node176 postfix/smtpd[10962]: connect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:13:44 node176 postfix/smtpd[11240]: connect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:27:41 node176 postfix/smtpd[11640]: connect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:27:42 node176 postfix/smtpd[11640]: 4CD0C20753: client=rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74], sasl_method=LOGIN, sasl_username=molln@kunde.tld
Jan 12 05:27:42 node176 postfix/cleanup[11679]: 4CD0C20753: message-id=<>
Jan 12 05:27:42 node176 postfix/qmgr[2421]: 4CD0C20753: from=<molln@kunde.tld>, size=523, nrcpt=1 (queue active)
Jan 12 05:27:42 node176 postfix/smtpd[11683]: connect from localhost[127.0.0.1]
Jan 12 05:27:42 node176 postfix/smtpd[11640]: disconnect from rrcs-71-43-115-74.se.biz.rr.com[71.43.115.74]
Jan 12 05:27:42 node176 postfix/smtpd[11683]: B83542086C: client=localhost[127.0.0.1]
Jan 12 05:27:42 node176 postfix/cleanup[11679]: B83542086C: message-id=<20140112042742.B83542086C@node176.provider.tld>
Jan 12 05:27:42 node176 postfix/smtpd[11683]: disconnect from localhost[127.0.0.1]
Jan 12 05:27:42 node176 postfix/qmgr[2421]: B83542086C: from=<molln@kunde.tld>, size=1026, nrcpt=1 (queue active)
Jan 12 05:27:42 node176 amavis[10772]: (10772-12) Passed CLEAN, [71.43.115.74] [71.43.115.74] <molln@kunde.tld> -> <g.miller948@yahoo.com>, mail_id: CpXvRb9pcSSN, Hits: 0.376, size: 523, queued_as: B83542086C, 160 ms
Jan 12 05:27:42 node176 postfix/smtp[11680]: 4CD0C20753: to=<g.miller948@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.61, delays=0.44/0/0/0.16, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10772-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B83542086C)
Jan 12 05:27:42 node176 postfix/qmgr[2421]: 4CD0C20753: removed
Now the actual part:
Jan 12 05:28:18 node176 amavis[11834]: (11834-02) Passed CLEAN, [71.43.115.74] [71.43.115.74] <jagaimo@mua.biglobe.ne.jp> -> <jobs.fges@admin.in.th>,<a.turneresq@outlook.com>,<w.westunion@qq.com>,<g.miller948@yahoo.com>,<iyowababy@yahoo.com>, mail_id: kShhaN3046sf, Hits: 28.347, size: 1416, queued_as: E5D3D2086C, 670 ms
Jan 12 05:28:18 node176 postfix/smtp[11680]: 3CFB020753: to=<jobs.fges@admin.in.th>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=1.2/0/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=11834-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E5D3D2086C)
Jan 12 05:28:18 node176 postfix/smtp[11680]: 3CFB020753: to=<a.turneresq@outlook.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=1.2/0/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=11834-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E5D3D2086C)
Jan 12 05:28:18 node176 postfix/smtp[11680]: 3CFB020753: to=<w.westunion@qq.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=1.2/0/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=11834-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E5D3D2086C)
Jan 12 05:28:18 node176 postfix/smtp[11680]: 3CFB020753: to=<g.miller948@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=1.2/0/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=11834-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E5D3D2086C)
Jan 12 05:28:18 node176 postfix/smtp[11680]: 3CFB020753: to=<iyowababy@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=1.2/0/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=11834-02, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as E5D3D2086C)
Jan 12 05:28:18 node176 postfix/qmgr[2421]: 3CFB020753: removed
Jan 12 05:28:19 node176 postfix/smtp[11872]: E5D3D2086C: host mta7.am0.yahoodns.net[63.250.192.45] said: 451 4.3.2 Internal error reading data (in reply to MAIL FROM command)
Jan 12 05:28:19 node176 postfix/smtp[11872]: E5D3D2086C: lost connection with mta7.am0.yahoodns.net[63.250.192.45] while sending RCPT TO
Jan 12 05:28:20 node176 postfix/smtp[11870]: E5D3D2086C: to=<a.turneresq@outlook.com>, relay=mx3.hotmail.com[65.55.92.184]:25, delay=1.2, delays=0.02/0.02/0.67/0.46, dsn=2.0.0, status=sent (250 <20140112042818.E5D3D2086C@node176.provider.tld> Queued mail for delivery)
Jan 12 05:28:21 node176 postfix/smtp[11836]: E5D3D2086C: to=<jobs.fges@admin.in.th>, relay=723327919.pamx1.hotmail.com[65.54.188.109]:25, delay=2.2, delays=0.02/0.01/1.6/0.55, dsn=2.0.0, status=sent (250 <20140112042818.E5D3D2086C@node176.provider.tld> Queued mail for delivery)
Then it got really funny...
Jan 12 05:39:47 node176 amavis[10772]: (10772-20) Passed CLEAN, [71.43.115.74] [71.43.115.74] <jagaimo@mua.biglobe.ne.jp> -> <a.saeed@acicdxb.ae>,<a.rayah@adcci.gov.ae>,<a.prola@aristoncavi.com>,<a.qazzaz@censc.ae>,<a.moustafa-t@cgiar.org>,<a.moustafa@cgiar.org>,<a.radhia@cgiar.org>,<a.sarker@cgiar.org>,<a.roosimaa@colliers.ee>,<a.perera@da-desk.com>,<a.saheb@darahem.ae>,<a.sadaqa@ejb.com.sa>,<a.mhri@gmail.com>,<a.r.hosseinzadeh@gmail.com>,<a.rashid@haskoning.ae>,<a.nazar@hotmail.com>,<a.r.gems@hotmail.com>,<a.rashad80@hotmail.com>,<a.nejatian@icarda-aprp.ae>,<a.oubouziane@itharagroup.com>,<a.rahmani@manicompany.com>,
So even on purpose, a user should not be able to send that many mails. And yet it happened.

Is there an explanation for this?

Thanks in advance to everyone who knows more about this than I do.

Till

Administrator
#2
Probably emails with very many To, CC or BCC addresses. What amavis shows you there is one mail with many recipients, which amavis resolves when scanning, e.g. to match them against an internal blacklist, and therefore amavis logs them as well. Take a look at the emails in the mail queue with postcat; there you can see on the one hand which account was used to send them, so you can change its password, and on the other hand you can also see the mail headers.
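As an added example (not code from the thread or from ISPConfig), the following Python script shows how to correlate the two kinds of lines quoted above: it maps each client IP to the SASL users that authenticated from it, then flags amavis "Passed" lines whose recipient list is long, whose envelope sender is not the authenticated account, or whose spam score is high despite passing. The sample log lines are constructed in the same format as the thread, with placeholder addresses; the thresholds are assumptions, not amavis or Postfix defaults.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format seen in the thread (placeholder addresses/IPs).
SAMPLE_LOG = """\
Jan 12 05:07:26 node176 postfix/smtpd[10387]: A5C8720753: client=host.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=user@example.com
Jan 12 05:07:28 node176 amavis[10772]: (10772-03) Passed CLEAN, [192.0.2.10] [192.0.2.10] <user@example.com> -> <one@example.org>, mail_id: dUvXzjG74eTM, Hits: 0.376, size: 523, queued_as: 8484220BB7, 168 ms
Jan 12 05:28:18 node176 amavis[11834]: (11834-02) Passed CLEAN, [192.0.2.10] [192.0.2.10] <forged@example.jp> -> <a@example.org>,<b@example.org>,<c@example.org>,<d@example.org>,<e@example.org>, mail_id: kShhaN3046sf, Hits: 28.347, size: 1416, queued_as: E5D3D2086C, 670 ms
"""

# Postfix smtpd line recording a successful SASL authentication.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\w+, sasl_username=(?P<user>\S+)")
# amavis summary line: originating IP, envelope sender, recipient list, score.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Passed \w+, \[(?P<ip>[^\]]+)\] \[[^\]]+\] <(?P<sender>[^>]*)> -> "
    r"(?P<rcpts>(?:<[^>]*>,?)+), mail_id: (?P<mail_id>\S+), Hits: (?P<hits>[\d.]+)")

def analyse(log_text, max_rcpt=10, spam_hits=5.0):
    """Return (sasl_users_by_ip, findings).

    max_rcpt and spam_hits are assumed review thresholds, not daemon defaults."""
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            users_by_ip[m["ip"]].add(m["user"])
    findings = []
    for line in log_text.splitlines():
        m = AMAVIS_RE.search(line)
        if not m:
            continue
        rcpts = re.findall(r"<([^>]*)>", m["rcpts"])
        auth = users_by_ip.get(m["ip"], set())
        reasons = []
        if len(rcpts) > max_rcpt:
            reasons.append(f"{len(rcpts)} recipients in one message")
        if auth and m["sender"] not in auth:  # mail from an authenticated IP with a foreign sender
            reasons.append(f"sender {m['sender']} is not the SASL user {sorted(auth)}")
        if float(m["hits"]) >= spam_hits:  # passed although the score looks like spam
            reasons.append(f"passed with score {m['hits']}")
        if reasons:
            findings.append({"mail_id": m["mail_id"], "ip": m["ip"],
                             "rcpt_count": len(rcpts), "reasons": reasons})
    return dict(users_by_ip), findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, max_rcpt=3)[1]:
        print(f["mail_id"], f["ip"], f["rcpt_count"], "; ".join(f["reasons"]))
```

Run it over /var/log/mail.log instead of SAMPLE_LOG to get, per flagged amavis mail_id, the IP and the account whose password needs changing.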