
Kerio User Forums » Kerio Connect » Server hi-jacked - postmaster@localhost? (Spam being sent through the postmaster account)
xrob

Messages: 7
Karma: 0
All,

I am running an older version of Kerio 7.3.2. Since we are migrating to gmail in the very near future, the support agreement has lapsed.

While we are making it through these next few weeks, I think someone has commandeered our server. We have seen a gigantic increase in the number of spam messages being sent out (from zero previously), and it appears that they are coming from the address "postmaster@localhost". It's getting so bad that our ISP has had to shut off some of our router traffic because the amount of data we are moving is crashing their hardware.

Does anyone have any information about this? Can we prevent this address from sending spam? All I am looking for is a band-aid for the next few weeks while we transition our email to gmail. That's it.

Thank you so much for the help.

Rob
ORM

Messages: 140
Karma: 13
Is postmaster@yourdomain a live account?

First, log in as an admin and, in Relay Control, make sure you have set "users authenticated through SMTP for outgoing mail".

Then change the password for the Postmaster account, or make another user an admin and remove it (as you are migrating away).
xrob

Messages: 7
Karma: 0
Postmaster is NOT a live account. This is why I thought it was odd.

I have set "users authenticated through SMTP for outgoing mail" as an option.

I have an admin account, but there is no alias for that to postmaster. Apparently, you can still send mail as the postmaster when there isn't one?
ORM

Messages: 140
Karma: 13
If you have only just turned on that option, you should be OK if none of your accounts are compromised.

Clear out the queue & turn on debugging for SMTP. You will then be able to see the IP that is trying to connect.

xrob

Messages: 7
Karma: 0
The option has been turned on for some time, but the postmaster@localhost emails are still being sent. I don't see an alias for that in any of the user accounts. Can you tell me where to turn on debug? I have a ton of stuff in that log, but it's mostly user account errors that aren't related.
ORM

Messages: 140
Karma: 13
OK, it could well be, then, that you have a user account that is compromised. If the attack is coming from one IP, then you could also block that IP at the firewall.

To change what is shown in the log, Ctrl-click (Mac) or right-click (PC, I think) in the window and you will get a drop-down list. Choose Messages and select just SMTP Server.
xrob

Messages: 7
Karma: 0
OK, I think I have uncovered something sinister. Check out this SMTP info:

[19/Feb/2013 15:35:01][3003011072] {smtps} Command HELO scriptinstalled.com
[19/Feb/2013 15:35:01][3003011072] {smtps} Sent reply to HELO: 250 mail.csi2.com
[19/Feb/2013 15:35:01][3003011072] {smtps} Command MAIL FROM:<postmaster@scriptinstalled.com>
[19/Feb/2013 15:35:01][2998784000] {smtps} Task 219306 handler BEGIN
[19/Feb/2013 15:35:01][3019919360] {smtps} Task 219307 handler BEGIN
[19/Feb/2013 15:35:01][2998784000] {smtps} Task 219306 handler starting
[19/Feb/2013 15:35:01][2998784000] {smtps} SMTP server session begin; client connected from smtp121.iad.emailsrvr.com:60327
[19/Feb/2013 15:35:01][2998784000] {smtps} Looking up address 207.97.245.121 in DNS blacklist SpamHaus SBL-XBL...
[19/Feb/2013 15:35:01][3019919360] {smtps} Task 219307 handler starting
[19/Feb/2013 15:35:01][3019919360] {smtps} SMTP server session begin; client connected from smtp122.iad.emailsrvr.com:32908
[19/Feb/2013 15:35:01][3019919360] {smtps} Looking up address 207.97.245.122 in DNS blacklist SpamHaus SBL-XBL...
[19/Feb/2013 15:35:01][2998784000] {smtps} Address 121.245.97.207.zen.spamhaus.org not found in DNS blacklist SpamHaus SBL-XBL
[19/Feb/2013 15:35:01][2998784000] {smtps} Looking up address 207.97.245.121 in DNS blacklist SORBS RHSBL...
[19/Feb/2013 15:35:01][3003011072] {smtps} Sent reply to MAIL: 250 2.1.0 Sender <postmaster@scriptinstalled.com> ok
[19/Feb/2013 15:35:01][3019919360] {smtps} Address 122.245.97.207.zen.spamhaus.org not found in DNS blacklist SpamHaus SBL-XBL
[19/Feb/2013 15:35:01][3019919360] {smtps} Looking up address 207.97.245.122 in DNS blacklist SORBS RHSBL...
[19/Feb/2013 15:35:01][3003011072] {smtps} Command RCPT TO:<Sean.Haley@csi2.com>
[19/Feb/2013 15:35:01][3003011072] {smtps} Sent reply to RCPT: 550 5.1.1 Mailbox <Sean.Haley@csi2.com> does not exist
[19/Feb/2013 15:35:01][3003011072] {smtps} Command QUIT
[19/Feb/2013 15:35:01][3003011072] {smtps} SMTP server session end
[19/Feb/2013 15:35:01][3003011072] {smtps} Task 219304 handler END

Scriptinstalled.com is definitely a site that does what the domain says. I am thinking this is a script that has somehow been deployed on my server. I will see what I can do to explore that on their end. Does it appear that way to you?
Petr Dobry (Kerio)

Messages: 782
Karma: 61
Emails originating from postmaster@localhost are usually DSN report messages or bounce messages (i.e. from antispam).

Petr Dobry
Product Development Manager | Kerio
xrob

Messages: 7
Karma: 0
Fair enough, but someone is using postmaster@localhost to send out spam. I cannot figure out where it is coming from. Is there an easy place to look for this? I did enable the debug log to show SMTP Server, but it's quite verbose. I guess I will just have to wait and see. I'd love to be able to discern between INCOMING email and OUTGOING email. That would certainly make it easier to view the logs. Can I do this?
Petr Dobry (Kerio)

Messages: 782
Karma: 61
That's easy. In the debug log, "SMTP server" logs all incoming emails and "SMTP client" logs all outgoing emails.

Petr Dobry
Product Development Manager | Kerio
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
You should upgrade your server. The "postmaster" email address is a bug in the mail log in old Kerio Connect versions. It is displayed instead of the empty sender address in DSN reports issued by the server. It's obvious that your server generates lots of reports, probably because of email being delivered to nonexistent users in your domain, or spam.
xrob

Messages: 7
Karma: 0
Is upgrading to the last 7.x.x version free, even if I am on an expired agreement? If so, I will upgrade. If not, I guess I will need to expedite the move to Google's servers. The Kerio product has been great over the past 7 years, but we are at a point where we cannot afford the time to maintain it (and issues like this), so outsourcing mail is the logical choice.

Thanks for the help!

Rob
xrob

Messages: 7
Karma: 0
Here is where the problem lies: definitely with the postmaster@localhost account. Can I upgrade for free to the latest 7.x.x version with an expired service agreement?

[20/Feb/2013 08:41:03][3039997952] {smtpc} Sending email to SMTP server beclawed.clice.info, delivering mail from <>
[20/Feb/2013 08:41:03][3039997952] {smtpc} Connecting to 94.242.239.75 (beclawed.clice.info) using local interface 0.0.0.0...
[20/Feb/2013 08:41:03][3033657344] {smtpc} Got reply: 250 2.1.5 Recipient OK
[20/Feb/2013 08:41:03][3033657344] {smtpc} Sent DATA command
[20/Feb/2013 08:41:03][3039997952] {smtpc} Cannot connect to beclawed.clice.info (IP address 94.242.239.75, local interface 0.0.0.0).
[20/Feb/2013 08:41:03][3033657344] {smtpc} Got reply: 354 Start mail input; end with <CRLF>.<CRLF>
[20/Feb/2013 08:41:03][3033657344] {smtpc} Sending message body...
[20/Feb/2013 08:41:47][3033657344] {smtpc} Data sent, got reply: 250 2.6.0 <B8461AD8-DFF4-45A4-9DD0-C8A33B021A23@csi2.com> [InternalId=4866508] Queued mail for delivery
[20/Feb/2013 08:41:47][3033657344] {smtpc} QUIT sent, got reply: 221 2.0.0 Service closing transmission channel
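Putting together Petr's distinction between the "SMTP server" (incoming) and "SMTP client" (outgoing) debug channels and Pavel's explanation that the "postmaster" sender is really the empty return path of server-generated DSNs, the two log excerpts in this thread can be checked mechanically. The following is an added Python example, not code from the thread or from Kerio Connect: it parses lines in the format shown above, counts incoming RCPT rejections per connecting host (the traffic that provokes backscatter bounces) and counts outgoing deliveries with an empty return path <> (the bounces themselves). The sample lines are constructed, modelled on the posted excerpts; the host mx.example.invalid and the sender alice@csi2.com are placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's own excerpts (not a real capture).
# {smtps} = "SMTP server" (incoming sessions); {smtpc} = "SMTP client" (outgoing deliveries).
SAMPLE_LOG = """\
[19/Feb/2013 15:35:01][3003011072] {smtps} SMTP server session begin; client connected from smtp121.iad.emailsrvr.com:60327
[19/Feb/2013 15:35:01][3003011072] {smtps} Command MAIL FROM:<postmaster@scriptinstalled.com>
[19/Feb/2013 15:35:01][3003011072] {smtps} Command RCPT TO:<Sean.Haley@csi2.com>
[19/Feb/2013 15:35:01][3003011072] {smtps} Sent reply to RCPT: 550 5.1.1 Mailbox <Sean.Haley@csi2.com> does not exist
[20/Feb/2013 08:41:03][3039997952] {smtpc} Sending email to SMTP server beclawed.clice.info, delivering mail from <>
[20/Feb/2013 08:41:03][3033657344] {smtpc} Sending email to SMTP server mx.example.invalid, delivering mail from <alice@csi2.com>
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\] \{(?P<comp>smtps|smtpc)\} (?P<msg>.*)$")


def parse_line(line):
    """Split one Kerio debug-log line into timestamp, thread id, component and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Count incoming RCPT rejections per connecting host and outgoing null-sender (DSN) deliveries."""
    client_by_thread = {}      # thread id -> remote host of the current {smtps} session
    rejects = Counter()        # remote host -> number of "550 ... does not exist" replies it provoked
    outbound_null = 0          # {smtpc} deliveries with empty return path <>, i.e. bounces/DSNs
    outbound_with_sender = 0   # ordinary outbound mail carrying a sender address
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["comp"] == "smtps":
            if "client connected from " in msg:
                # Remember who opened this session so later replies on the same thread can be attributed.
                client_by_thread[rec["tid"]] = msg.split("client connected from ", 1)[1].rsplit(":", 1)[0]
            elif msg.startswith("Sent reply to RCPT: 550"):
                rejects[client_by_thread.get(rec["tid"], "unknown")] += 1
        elif msg.endswith("delivering mail from <>"):
            outbound_null += 1
        elif "delivering mail from <" in msg:
            outbound_with_sender += 1
    return {"rejected_rcpt_by_client": dict(rejects),
            "outbound_null_sender": outbound_null,
            "outbound_with_sender": outbound_with_sender}
```

Run it over a full day's debug log instead of SAMPLE_LOG: a high rejection count from a few hosts alongside many <> deliveries points at backscatter from mail to nonexistent mailboxes rather than at a compromised account.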
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
You can upgrade to any version that was released while your software maintenance was valid. This issue is addressed in Kerio Connect 7.4.0. So, if your software maintenance expired after April 24, 2012, then you can upgrade to this version (or possibly newer).