Has my server been compromised?

jdioriotx
About 2 hours ago I noticed that we have been sending out unsolicited email like mad! 2 a sec for 2 hours. I am running the latest (w/o patch) on OSX 10.3.9. I have blocked port 25 on the firewall temporarily to prevent any new messages from coming in, but we are overrun with so many that the machine bogs/crashes when I try and open the Message Queue.

How can I stop this madness? I'm desperate to kill all these bad emails and get up and running again. I have not changed anything recently so why did this happen?


Thanks

James

sonofcolin

1. Turn off the smtp service
2. Check that you are not an open relay
3. Look at your debug logs
4. Contact support
Kerio_ktrumbull

Stop the mail server, go to the store directory and rename the queue folder to something else. Restart the mail server and the queue will be recreated and will be empty.

AFAIK there are no security vulnerabilities in 6.1.1 or 6.1.1 patch 1. Please scan your users' machines for viruses or spyware that might be sending spam. Also please ensure that your server is not configured to be an Open Relay. You can check this in the SMTP Server section of the Admin Console.

Kevin Trumbull
Kerio Technical Support Team Leader
http://support.kerio.com
winkelman

Sounds like the Sober.X worm!

Had the same issue here with one computer having this worm. Since I had put KMS SMTP open for the local LAN, the worm could go wild! I turned off SMTP completely for the moment and reconfigured an IP Address Group that only contains those (very limited) addresses that may use the SMTP service.

So even without being an open relay, it can be a problem if a computer on the LAN side is compromised.
freakinvibe

As Kerio_ktrumbull is saying, clear the queue first.

I had a similar thing some months ago, but studying the header of one of the spam mails in the queue, I found the answer:

Although our server was not an open relay, a spammer managed to send mail via the KMS, here is how:

In our company, we have an info<_at_>xyz.com user which has no mailbox of its own; it just forwards mails to a couple of us. As nobody ever logs in with that user, I didn't give it a password (silly me).

As we use SMTP authentication for sending mails, a spammer authenticated as the info user and sent all the crap. Giving the info user a secure password solved the problem.

Regards, Pascal

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
lutzIT

I've noticed a strange and troubling phenomenon over the last two weeks. I receive between 30-40 "Failure Notice" or "Mail delivery failed: returning to sender" notices daily, usually sitting in my inbox when I get in every morning. I suspect it could be one of 3 things:

1. We have an open relay.
2. We have a virus/trojan on a PC sending out mail.
3. Spammers are spoofing our domain name and sending out messages.

I know we have #1 ruled out, because KMS is set to accept only LAN traffic. #2 or #3 seem plausible. What do some of you think? Will it help to limit outgoing email to <50 per hour (or some other similar number)? I set this:

[01/Dec/2005 09:30:19] administrator - update Antibombing set MaxConnectionsIP='5', MaxMessagesIP='50'

Also, is there a log I should be looking at? I don't see anything too suspicious in the 'mail' log, 'debug' log, or 'error' log.

P.S. My queue is not 'full' and there aren't 100's of messages going out every second.
sedell

Don't you read the news? It's been all over the news. There's a very aggressive new virus out. Like most of them now, it forges the from address.

http://www.securitypark.co.uk/article.asp?articleid=24617&CategoryID=1

If you do a search on Google news for Sober.Y, you'll find hundreds of articles.

Scott
lutzIT

Thanks for the link. I have, of course, heard of this outbreak. However, I know for a fact that our company AV kills Sober.Y in zipped attachments. Also, we don't see the HUGE amounts of traffic characteristic of infections.

Any way to see who, if anyone, is spoofing us?
winkelman

lutzIT wrote on Thu, 01 December 2005 17:11:

> 1. We have an open relay.
> 2. We have a virus/trojan on a PC sending out mail.
> 3. Spammers are spoofing our domain name and sending out messages.

Put my $10,- on option 3 :-)

From address spoofing is something very easily done, and I'm getting about 40.000 'delivery failure' notifications each month because of it, already for years. This is not something new or recent.
sedell

You probably won't see traffic characteristic of an infection necessarily. Just the effects of thousands of poorly configured mail servers handling, or not handling, the infected mail.

Anyhow... determining who is spoofing one of your addresses as the return address is not so easy. The best you could get would be an IP address from an NDR if it's provided. Trying to figure out who's behind the address is another matter entirely.

Scott
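An added example, not code from the thread or from Kerio, of the only lead an NDR gives you: walk the Received: chain of the returned copy, take the bottom-most hop as the injecting host, and check whether any hop is actually one of your own servers. The bounce text and the server address in OUR_MTA_IPS are constructed for the example.

```python
import re

# One Received: header together with its folded continuation lines.
RECEIVED_RE = re.compile(r"^Received:.*(?:\n[ \t].*)*", re.M)
# The relay address as the receiving MTA recorded it, e.g. "(unknown [198.51.100.77])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed backscatter sample, not a real bounce: the copied original carries a
# forged From: in our domain, but the first hop is an unrelated host.
BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: info@example.com
Subject: Mail delivery failed: returning to sender
------ This is a copy of the message, including all the headers. ------
Received: from mx.example.net (mx.example.net [203.0.113.9])
\tby inbound.example.net with ESMTP; Thu, 01 Dec 2005 09:31:02 +0100
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mx.example.net with SMTP; Thu, 01 Dec 2005 09:31:01 +0100
From: info@example.com
To: someone@example.net
Subject: Your document
"""

OUR_MTA_IPS = {"192.0.2.25"}  # constructed: the public address of our own KMS


def hop_ips(raw):
    """Relay IPs in delivery order (first hop first); hops without an IP are skipped."""
    hops = [m.group(0) for m in RECEIVED_RE.finditer(raw)]  # newest header is on top
    ips = []
    for hop in reversed(hops):
        m = IP_RE.search(hop)
        if m:
            ips.append(m.group(1))
    return ips


def origin_ip(raw):
    """The host that injected the message, or None.
    Only the header written by a server you trust is reliable; anything
    below it came from the sender and can itself be forged."""
    ips = hop_ips(raw)
    return ips[0] if ips else None


def passed_through_us(raw, our_ips=OUR_MTA_IPS):
    """True if one of our own servers appears as a relay, i.e. the message really
    went through us rather than merely spoofing our domain in the From: line."""
    return any(ip in our_ips for ip in hop_ips(raw))
```

If passed_through_us() is False across your bounces, the problem is a forged From: address, not your relay.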
winkelman

Right.
I just shift-delete the messages and never give it a second's thought. Impossible to control anyway.
jeffleeismyhero

I have the same thing going on... AOL keeps putting my server in their RBL because someone is spoofing my domain name. None of the mail is going through my server and none contains my IP addresses. The messages clearly have a completely different IP address in the headers, yet I'm blocked, for the second time in 2 months.

I have taken every possible step to secure my server and make it known that it is a legitimate mail server that does not send spam, hell we only send about 10 emails to AOL a day anyway but it is frustrating when my users complain that their messages are not going through.
sedell

Are you sure it's because of spoofed mail using your domain name? IP addresses generally don't get blacklisted by RBL lists based on the domain name. They usually get listed either because of spam or backscatter from an IP, or the IP has been tested and found to be an open relay.

Scott
winkelman

One way of limiting the effects of people spoofing the from header with your domain is to register an SPF and/or Caller ID record for your domain.

Any receiving mailserver that is set to check these records will not accept messages with your spoofed domain anymore. (They will only accept messages from your domain if it was actually sent by your mailserver.)

You can set up KMS to check these, limiting the amount of spoofed from addresses you receive...

Quote:

> 10. Microsoft Caller ID verification
> Using Microsoft Caller ID anti-spam technology, Kerio MailServer checks whether an incoming email is actually being sent by the authorized mail server for that domain (hence the name, Caller ID). Kerio MailServer will decline all email messages with forged "From" addresses.
>
> As a side effect, publishing your own Caller ID also helps companies protect their reputation by eliminating the possibility of having their domain name hijacked for spam purposes.
>
> To try Caller ID, just visit www.kerio.com/callerid and enter a mail domain in the search field.
>
> 11. SPF verification
> Just like Caller ID, SPF (Sender Policy Framework), an emerging standard for domain authentication, helps counter forged "From" addresses in email. Using SPF in Kerio MailServer provides a better guarantee that the email came from the domain that it asserts it came from.
>
> SPF requires the owner of an Internet domain to modify DNS records and specify which servers are authorized to transmit e-mail for that domain.

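An added example, not Kerio's implementation or anything from the thread, of what a receiving server does with the DNS record described above: a minimal SPF evaluator that matches the connecting IP against a record's ip4/ip6/all mechanisms. The record EXAMPLE_SPF is constructed; mechanisms that need DNS lookups (include, a, mx, ptr, exists) are deliberately rejected rather than faked.

```python
import ipaddress

# Constructed TXT record for a hypothetical domain: only these two ranges may
# send mail for it, and everything else should be rejected (-all).
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.9 ip4:198.51.100.0/28 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate an spf1 record for the connecting IP.

    Returns pass/fail/softfail/neutral, 'none' if the TXT record is not an
    SPF record, or 'permerror' for a malformed network. Only ip4, ip6 and
    all are handled; include/a/mx/ptr/exists and redirect= need DNS and
    raise ValueError so they are never silently treated as a pass."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":  # terminal: the result is this term's qualifier
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS lookups, not handled here")
    return "neutral"  # nothing matched and no 'all' term: RFC 4408 default result
```

A record ending in ~all only marks spoofed mail as suspicious; -all is what lets a checking receiver reject it outright.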
jeffleeismyhero

sedell wrote on Fri, 02 December 2005 13:35:

> Are you sure it's because of spoofed mail using your domain name? IP addresses generally don't get blacklisted by RBL lists based on the domain name. They usually get listed either because of spam or backscatter from an IP, or the IP has been tested and found to be an open relay.

This is more or less what I assume since AOL has not sent me any of the messages back. I know that I am not an open relay and none of the mail is going through my machine. Could it be that AOL is blocking a range of IPs and including mine unintentionally?