Kerio Connect forum thread: spam issue (loads of emails being sent without my consent)
twinpawer wrote:
Lately, I've received an email from my hosting company about abuse from my server, sending loads of emails.

I'm not that expert in administration/configuration of Kerio, but as far as I know it is not configured as an open relay. I did tests online from:

http://www.abuse.net/relay.html

The result was that it is NOT an open relay.

I went to check the Logs/Mail in the administration, and there seems to be a great number of lines written every minute (about 300 or more). Below is a brief section of the log:
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49388682-00001fd3, Recipient: <atmcard_code_22@yahoo.com>, Result: delayed, Status: 4.4.1 421 4.7.1 [TS03] All messages from 92.48.102.126 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49376e23-00000595, Recipient: <jennzoo@hotmail.com>, Result: delayed, Status: 4.1.8 421 RP-001 The mail server IP connecting to Windows Live Hotmail server has exceeded the rate limit allowed. Reason for rate limitation is related to IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49376e23-00000595, Recipient: <jeralovesu@yahoo.com>, Result: delayed, Status: 4.4.1 421 4.7.1 [TS03] All messages from 92.48.102.126 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49376e23-00000595, Recipient: <jeramyandkelsey@hotmail.com>, Result: delayed, Status: 4.1.8 421 RP-001 The mail server IP connecting to Windows Live Hotmail server has exceeded the rate limit allowed. Reason for rate limitation is related to IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49376e23-00000595, Recipient: <jeremiahlarsen@yahoo.com>, Result: delayed, Status: 4.4.1 421 4.7.1 [TS03] All messages from 92.48.102.126 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49376e23-00000595, Recipient: <jeremyrill@yahoo.com>, Result: delayed, Status: 4.4.1 421 4.7.1 [TS03] All messages from 92.48.102.126 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49376e23-00000595, Recipient: <jeronini13@yahoo.com>, Result: delayed, Status: 4.4.1 421 4.7.1 [TS03] All messages from 92.48.102.126 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49376e23-00000595, Recipient: <jerrell_hamilton@yahoo.com>, Result: delayed, Status: 4.4.1 421 4.7.1 [TS03] All messages from 92.48.102.126 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html

The settings for 'SMTP Server' in the administration are as follows.

Relay Control
-------------

Allow relay only for:
+ Users from an IP Address group: (127.0.0.1, and server IP)
+ Users authenticated through SMTP
+ Users previously authenticated through POP3

SMTP Delivery is set to use an SMTP relay, of 127.0.0.1/25.

Any information would be greatly appreciated!

Thanks & Regards,


CasaSoft, Malta - Web Design & Advanced Web Development
www.casasoft.com.mt
TorW wrote:
For every submitted mail, there should be a line saying something along the lines of

[DATE] Recv: Queue-ID: 293fea91-0100e711, Service: SMTP, From: <sender@example.com>, To: <recipient@example.com>, Size: 10716, Sender-Host: 199.1.241.62

The value after "Sender-Host" is the IP address where the mails originate. Does that IP ring a bell? Search for it in the other logs and see if someone has perhaps succeeded in stealing someone's credentials, or if there's a bot on the loose using a user's SMTP authentication to spam from the client.
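The correlation TorW describes (take the Queue-ID from a deferred "Sent:" line, find the matching "Recv:" line, read off the From address and Sender-Host, then see which hosts account for the bulk of the deferred traffic) can be scripted over the mail log. The script below is an added example and is not code from the thread or from Kerio. It only relies on the two log line shapes quoted in this thread; the sample lines it parses are constructed for the example (documentation IP ranges, invented queue IDs), and the "Result: delivered" form used for the one successful delivery is an assumption, not a format confirmed by the page.

```python
"""Correlate Kerio Connect mail-log 'Recv:' and 'Sent:' lines to find
where an outbound spam run is being injected.  Example code; the log
formats follow the lines quoted in the thread, nothing else is assumed."""
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the thread (not real log data).
# 203.0.113.45 is the "compromised client", 192.0.2.10 a normal user.
SAMPLE_LOG = """\
[07/Dec/2008 12:20:01] Recv: Queue-ID: 49376e23-00000595, Service: SMTP, From: <sales@example.com>, To: <jennzoo@hotmail.com>, Size: 2841, Sender-Host: 203.0.113.45
[07/Dec/2008 12:20:02] Recv: Queue-ID: 49388682-00001fd3, Service: SMTP, From: <sales@example.com>, To: <atmcard_code_22@yahoo.com>, Size: 2844, Sender-Host: 203.0.113.45
[07/Dec/2008 12:21:10] Recv: Queue-ID: 4939a0c1-00000012, Service: SMTP, From: <alice@example.com>, To: <bob@example.org>, Size: 10716, Sender-Host: 192.0.2.10
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49376e23-00000595, Recipient: <jennzoo@hotmail.com>, Result: delayed, Status: 4.1.8 421 RP-001 The mail server IP connecting to Windows Live Hotmail server has exceeded the rate limit allowed.
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49376e23-00000595, Recipient: <jeralovesu@yahoo.com>, Result: delayed, Status: 4.4.1 421 4.7.1 [TS03] All messages from 203.0.113.45 will be permanently deferred; Retrying will NOT succeed.
[07/Dec/2008 12:29:38] Sent: Queue-ID: 49388682-00001fd3, Recipient: <atmcard_code_22@yahoo.com>, Result: delayed, Status: 4.4.1 421 4.7.1 [TS03] All messages from 203.0.113.45 will be permanently deferred; Retrying will NOT succeed.
[07/Dec/2008 12:29:40] Sent: Queue-ID: 4939a0c1-00000012, Recipient: <bob@example.org>, Result: delivered, Status: 2.0.0 OK
"""

RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>\S+), Service: (?P<svc>\w+), "
    r"From: <(?P<from>[^>]*)>, To: <(?P<to>[^>]*)>, Size: (?P<size>\d+), "
    r"Sender-Host: (?P<host>\S+)$"
)
SENT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Sent: Queue-ID: (?P<qid>\S+), Recipient: <(?P<rcpt>[^>]*)>, "
    r"Result: (?P<result>\w+), Status: (?P<status>.*)$"
)


def parse(lines):
    """Split the log into submissions (by Queue-ID) and delivery attempts."""
    recv = {}                      # qid -> {'from', 'host', 'service'}
    sent = defaultdict(list)       # qid -> [(recipient, result, status), ...]
    for line in lines:
        m = RECV_RE.match(line)
        if m:
            recv[m["qid"]] = {"from": m["from"], "host": m["host"], "service": m["svc"]}
            continue
        m = SENT_RE.match(line)
        if m:
            sent[m["qid"]].append((m["rcpt"], m["result"], m["status"]))
    return recv, dict(sent)


def is_reputation_block(status):
    """True for the 421-style temporary rejections the big providers send
    when the connecting IP has been flagged (TS03, RP-001 and similar)."""
    return re.search(r"\b421\b", status) is not None


def summarize_by_host(recv, sent):
    """Join Sent attempts back to the Recv line and aggregate per Sender-Host."""
    hosts = defaultdict(lambda: {"queue_ids": set(), "senders": set(),
                                 "attempts": 0, "deferred": 0, "rep_blocks": 0})
    for qid, attempts in sent.items():
        r = recv.get(qid)
        host = r["host"] if r else "unknown"   # Recv line may be in an older log file
        h = hosts[host]
        h["queue_ids"].add(qid)
        if r:
            h["senders"].add(r["from"])
        h["attempts"] += len(attempts)
        h["deferred"] += sum(1 for _, result, _ in attempts if result == "delayed")
        h["rep_blocks"] += sum(1 for _, _, status in attempts if is_reputation_block(status))
    return dict(hosts)


def suspect_hosts(summary, min_attempts=2, min_deferred_ratio=0.5):
    """Hosts whose traffic is mostly being deferred, busiest first."""
    out = [host for host, h in summary.items()
           if h["attempts"] >= min_attempts
           and h["deferred"] / h["attempts"] >= min_deferred_ratio]
    return sorted(out, key=lambda host: -summary[host]["attempts"])


if __name__ == "__main__":
    recv, sent = parse(SAMPLE_LOG.splitlines())
    summary = summarize_by_host(recv, sent)
    for host in suspect_hosts(summary):
        h = summary[host]
        print(f"{host}: {h['attempts']} attempts, {h['deferred']} deferred, "
              f"{h['rep_blocks']} reputation blocks, senders={sorted(h['senders'])}")
```

Run it against the real log by replacing SAMPLE_LOG with the file contents; the host that tops the list is the one to search for in the security and authentication logs, and the From addresses grouped under it point at the account whose credentials are being used.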
freakinvibe wrote:
I am pretty sure that a weak password on one of your mail user accounts has been cracked and is now abused for sending mail.

First, I would clear the queue (there might be several thousand mails in there), and give the user a strong password.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
sedell wrote:
I would agree with the others. The mail logs are the first place to look. You can verify if it's your server actually sending the mail, track down what account is being used to send it, and where it originates.

I'm a bit at a loss with your relay settings though.
Quote:

Users from an IP Address group: (127.0.0.1, and server IP)

Why? The server shouldn't need this setting. Any mail it sends isn't considered a relay. The only time you might need something like this set up is if you have an external application on the same machine that can't handle authentication.

Quote:

SMTP Delivery is set to use an SMTP relay, of 127.0.0.1/25
This could be why you have the above setting enabled. Why are you relaying back to yourself? I would think this should cause a loop causing no mail to be delivered. Any mail sent to external addresses is sent to your relay server, which is your own machine. The message is accepted as an unauthenticated relay because of the previous setting, then sent to the SMTP relay server for remote delivery, which again, is yourself.

Scott
twinpawer wrote:
freakinvibe wrote on Mon, 08 December 2008 12:05:

I am pretty sure that a weak password on one of your mail user accounts has been cracked and is now abused for sending mail.

First, I would clear the queue (there might be several thousand mails in there), and give the user a strong password.

I think you were right. I went through the mail logs and checked the Queue-ID for one of the spam messages in the queue. It tracked down to a user account, and I changed his password. No more emails are being sent, and I even changed the Kerio administration password to a more secure one, although it already was quite secure (12 characters, including upper case, lower case and numbers).

Yes, there were around 15,000 messages in the queue, and they all had a recipient list of about 20 - 30 emails, making a huge number of emails being sent, which was slowing down my server, apart from the spam it was sending. Hopefully it is fixed; thanks a lot for your help!