ArGoStuff User to User Support Forums
saigolives
Posts: 4 Online:  ArGoNuke Recruit
10-13-2008 4:06 PM
Ok, I've been around mailserver for several years now, and I've never had to ask this, but does anybody know how to document and/or view the particular credentials used for smtp authentication in any particular transaction in the log files? Once every couple of months I come into work and see our email server going crazy with distribution lists for what is obviously spam. It's as simple as stopping the server, deleting the emails from the _outbox folder, identifying the IP address in question (usually in Amsterdam) and writing it into my firewall proxy policies. The problem is, this weekend it started (I had 1.5MB log files per day when I got in this morning, and I don't log anything more than the basic "Log to File" option), and as quickly as I can keep up with adding IP addresses (now I just use pattern matching to get whole blocks of IP addresses when the whois gives me a ###.0.0.0 - ###.255.255.255 range belonging to the same party). Most of the IP addresses are from Amsterdam, but an increasing number appear to be from Latin America.
I have SMTP authentication enabled, and can only assume somebody's login info has been compromised. I've closed all non-essential accounts, and have not had a recurrence just yet, but I've examined the emails in the _outbox folder when it starts, and am unable to find anything that would reveal how all this email is getting in to be relayed in the first place. I'm using version 1.8.8.8 on a multi-homed Windows 2000 SP4 server that does have www services running to host some of the larger imagery on our hosted website, but no ftp server nor smtp server (as far as IIS goes).
Any help would be greatly appreciated.
mcorrow Forum Moderator Posts: 243 Online:  ArGoNuke Lt. JG
10-13-2008 4:19 PM
If you have smtp logging on, you should see the userid/password in your log file. Some email clients encrypt it, but if you've got someone breaking in, I'll guess they did not use an email client.... Anyway, we had this happen once, and it was easy to take one of the emails that was being sent and track it to when it was submitted to the outgoing queue... That then told me which user was the one that had been compromised, I changed their password and notified them (by phone)... HTH

Matt
saigolives
Posts: 4 Online:  ArGoNuke Recruit
10-13-2008 5:05 PM
Here is an excerpt from one of the SMTP sessions that was logged:
10/13/2008 12:49:14 PM - Requested SMTP connection from 92.112.96.238
10/13/2008 12:49:14 PM - ( 364) 220 perleyhalladay.com ArGoSoft Mail Server Plus for WinNT/2000, Version 1.8 (1.8.8.8)
10/13/2008 12:49:14 PM - ( 364) EHLO kyiqg4233
10/13/2008 12:49:14 PM - ( 364) 250-Welcome [92.112.96.238], pleased to meet you
10/13/2008 12:49:15 PM - ( 364) 250-AUTH=LOGIN
10/13/2008 12:49:15 PM - ( 364) 250-AUTH LOGIN
10/13/2008 12:49:15 PM - ( 364) 250 HELP
10/13/2008 12:49:15 PM - ( 364) AUTH LOGIN
10/13/2008 12:49:15 PM - ( 364) 334 VXNlcm5hbWU6
10/13/2008 12:49:15 PM - ( 364) c2FsZXM=
10/13/2008 12:49:15 PM - ( 364) 334 UGFzc3dvcmQ6
10/13/2008 12:49:16 PM - ( 364) c2FsZXM=
10/13/2008 12:49:16 PM - ( 364) 235 Authentication successful
10/13/2008 12:49:16 PM - ( 364) MAIL FROM:
10/13/2008 12:49:16 PM - ( 364) 250 Sender "kyiqg4233@swbell.net" OK...
10/13/2008 12:49:17 PM - ( 364) RCPT TO:
10/13/2008 12:49:17 PM - ( 364) 250 Recipient "fastdude12000@yahoo.com" OK...
10/13/2008 12:49:17 PM - ( 364) RCPT TO:
10/13/2008 12:49:17 PM - ( 364) 250 Recipient "fathead030203@msn.com" OK...
10/13/2008 12:49:17 PM - ( 364) RCPT TO:
I'm guessing those are hashes that are indecipherable, and I'm presuming all the info in the headers is forged. The list of recipients continues and is then followed by:
10/13/2008 12:49:24 PM - ( 364) DATA
10/13/2008 12:49:24 PM - ( 364) 354 Enter mail, end with "." on a line by itself
10/13/2008 12:49:25 PM - Received 1262 bytes
10/13/2008 12:49:25 PM - ( 364) 250 Message accepted for delivery.
10/13/2008 12:49:25 PM - [ 365] Delivering to 16 recipients
10/13/2008 12:49:25 PM - [ 365] Attempting to deliver to the domain aol.com
And, for the record, it's still continuing despite having closed down all unnecessary accounts. Short of changing passwords 1-by-1 on 20-some accounts, and letting things sit for hours at a time in the hope that if it's going to continue, it will do so in a timely manner lol, I'm at a loss to figure it out. I understand the latest version of MailServer Plus replaces those hashes with encrypted info, but I don't know if that would kick out the info I'm looking for. The problem is, several machines are used off-site, so I can't just set up a firewall rule, because incoming smtp traffic could have an employee as either the sender or the recipient (and quite frankly, I'm not skilled enough to know if I can set up an either/or condition in the proxy rule).
mcorrow Forum Moderator Posts: 243 Online:  ArGoNuke Lt. JG
10-13-2008 5:15 PM
OK: I found a base64 decoder at: http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx
I cut/pasted the encrypted info, and it is a user named sales, password is sales. That's funny, because all users should also have a domain name attached to their username.... Hope this helps!

Matt
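The same decoding the moderator did by hand, as an added example that is not code from the thread or from ArGoSoft: it walks log lines in the layout of the excerpt above, follows each AUTH LOGIN exchange per session number so interleaved connections stay separate, and reports which account authenticated from which IP and whether the password merely repeats the username. The sample lines and the 192.0.2.10 address are constructed for the example; the password itself is decoded only for that comparison and never returned.

```python
import base64
import re
# Constructed lines in the format of the log quoted above (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
10/13/2008 12:49:14 PM - Requested SMTP connection from 192.0.2.10
10/13/2008 12:49:15 PM - ( 364) 250-AUTH LOGIN
10/13/2008 12:49:15 PM - ( 364) AUTH LOGIN
10/13/2008 12:49:15 PM - ( 364) 334 VXNlcm5hbWU6
10/13/2008 12:49:15 PM - ( 364) c2FsZXM=
10/13/2008 12:49:15 PM - ( 364) 334 UGFzc3dvcmQ6
10/13/2008 12:49:16 PM - ( 364) c2FsZXM=
10/13/2008 12:49:16 PM - ( 364) 235 Authentication successful
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) - (?:\(\s*(?P<sid>\d+)\)\s)?(?P<text>.*)$")

def b64_text(token):
    """Decode one base64 token from the log; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeError):
        return None

def extract_auth_events(log_text):
    """One record per AUTH LOGIN exchange; the password is decoded only to
    check whether it repeats the username and is never stored or returned."""
    events, last_ip, session_ip, state = [], None, {}, {}
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        ts, sid, text = m.groups()
        if sid is None:  # connection line has no session id; remember its IP
            if text.startswith("Requested SMTP connection from "):
                last_ip = text.rsplit(" ", 1)[1]
            continue
        session_ip.setdefault(sid, last_ip)  # first line of a new session
        pending = state.get(sid)
        if text == "AUTH LOGIN":  # client command, not the 250-AUTH LOGIN advert
            state[sid] = {"step": "user", "user": None, "same": False}
        elif pending is None or text.startswith("334 "):
            continue  # outside an exchange, or a server prompt
        elif pending["step"] == "user":
            pending.update(user=b64_text(text), step="pass")
        elif pending["step"] == "pass":
            pending.update(same=b64_text(text) == pending["user"], step="result")
        elif pending["step"] == "result" and text[:3] in ("235", "535"):
            events.append({"time": ts, "session": sid, "ip": session_ip[sid],
                           "user": pending["user"], "password_equals_user": pending["same"],
                           "status": "success" if text[:3] == "235" else "failed"})
            del state[sid]
    return events
```

Run over a whole day's log, the output lists every account that authenticated, where from, and which ones used their own name as a password; a run of 535 results from one IP is the brute-force pattern the thread speculates about.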
mcorrow Forum Moderator Posts: 243 Online:  ArGoNuke Lt. JG
10-13-2008 6:17 PM
I think you have a problem on your server... no user account should be accessible without a domain name... I was able to log into this account via the web server... as an FYI: I changed the password, since we have given it in this forum... Email me and I'll let you know what I changed it to.... HTH

Matt
SteveT Forum Administrator Posts: 2594 Online:  ArGoNuke Admiral
10-13-2008 6:59 PM
Make sure you turn off the ability to create user accounts from the web interface.

Regards, Steve Topilnycky Top Cat Computing http://www.topcatcomputing.com
saigolives
Posts: 4 Online:  ArGoNuke Recruit
10-13-2008 7:21 PM
Thanks for the help with the decoding. First of all, I disabled the create account ability from the get-go, since the web mail feature was why I upgraded from the free version to the plus version probably 5 years ago or so. Second of all, maybe it's different with the pro version since that one can handle multiple domains, but with the plus version, it was my understanding (and the way it works seems to corroborate it) that the login id is the recipient's email address without the @domain.com part. Third of all, my biggest problem was to identify the errant account in order to identify which machine had been compromised. With this little revelation though, I'm wondering if it's just a hacking routine correctly identifying the password as being the same as the email account (a practice I'd been using up until now for departmental addresses). I'm hoping this is the case, since no less than 4 machines check this address, and mine (here at home) and a notebook routinely check it from outside our firewall at work.
I've already logged into the admin panel from off-site and changed the password, so there's no need to email for what you changed it to, but thank you for the thoughtfulness of changing it nevertheless. For the time being, I set the smtp proxy on our firewall at work to restrict inbound smtp traffic to that where the recipient contains one of our domain names (effectively nixing off-site emailing, since the inbound smtp traffic would contain a FROM address containing our domain name - something I can undo from home once I change the departmental address passwords from here). Then I guess the next thing to do is to keep an eye on things for the situation to reoccur and run that decoder on the resultant logon dialogue and further identify if it's a machine issue or was just a password-hacking routine (that wouldn't even have had to resort to a brute force algorithm to figure it out).
Thank you again for all your help.
mcorrow Forum Moderator Posts: 243 Online:  ArGoNuke Lt. JG
10-13-2008 7:47 PM
Hmmm.. According to the comparison page, all three versions can handle multiple domains.

Matt
saigolives
Posts: 4 Online:  ArGoNuke Recruit
10-13-2008 8:13 PM
OK, maybe my wording seems a little ambiguous in light of marketing lol. Yes, the plus version can in fact handle multiple domains, but not separately. We currently have 4 domains registered at work, where 1 is the primary (hosted) one, and the other 3 are aliased to it. You can enter as many domains as you'd like into the configuration, but it apparently uses them to keep any email to those domains local (without requiring a DNS lookup and communicating with another email server). I can append any of the 4 domain names to the same email addresses, and it will short-circuit them so-to-speak to the self-same email server, but I cannot create a separate batch of email addresses for different domains.
For instance, our company name is hyphenated (Perley-Halladay Associates, Inc.) so I registered both with and without the hyphen. I think the actual one hosted as far as websites go is perley-halladay.com, but we use the perleyhalladay.com for everything, and there are 2 others (completely different but worth registering at the time) as well, all aliased to the primary hosted one. If I send one from...say...my address @perleyhalladay.com to another address at...say...@holdthecold.com, it knows to keep it in-house and just send it to the appropriate address set up for perleyhalladay.com, but I can't create separate addresses for the 2 domains. That, I understand, was a feature only available in the Pro version, but then again I'm running version 1.8.8.8 I think it is, and I think the plus version is up to 1.9-something. Hey, I've had us running an in-house email server for...like...7 or 8 years now, and the only cost was to upgrade from the free version to the 49.99 plus version many years ago in order to get the web interface the plus version offered (back before he even put ASP support in for it as I recall), and the few problems I've run into along the way, Archie has been great to help me out with. I love this software, and the fact that it's not Microsoft nor mainstream has undoubtedly saved me a ton of headaches with regards to being targeted by viruses, worms, etc.
Kudos to Mr. Gogava!