
Qmail administration commands – Plesk spam

To start, stop or restart the mail server from the command line:
/etc/init.d/qmail restart | stop | start

Managing the Qmail mail queue with Plesk
To view the queue statistics:

/usr/local/psa/admin/bin/mailqueuemng -s
Messages in local queue: 0
Messages in remote queue: 0
Messages in todo queue: 0
Total Posts: 0
Messages found: 0
Timestamp: 1215870834

From this you can see the state of the local, remote and todo queues.

– To attempt delivery of the queued messages now, run the following command:

/usr/local/psa/admin/bin/mailqueuemng -a

– For a list of remote message queue:

/usr/local/psa/admin/bin/mailqueuemng -R

– For a list of the local message queue:

/usr/local/psa/admin/bin/mailqueuemng -L

– To delete messages with a particular pattern in the subject:

/usr/local/psa/admin/bin/mailqueuemng -S"text"

e.g.: /usr/local/psa/admin/bin/mailqueuemng -S"failure notice"

This deletes all the delivery failure notices. Note: to view the subject of the messages that are stuck in the mail queue, go to the folder /var/qmail/queue/mess/. There you will find several folders named with numbers, each containing several numbered files. Each number is a message; just open the file to read it.

– To delete all messages from the queue (use with caution – possible loss of data):

/usr/local/psa/admin/bin/mailqueuemng -D

 

How to deal with spam problems in Plesk

February 14, 2010 | Author:

Depending on the number of customers hosted on a server, finding which account is sending spam can be difficult.

From the console we can check the mail queue:

# /var/qmail/bin/qmail-qstat
messages in queue: 500
messages in queue but not yet preprocessed: 0

We have 500 messages in the queue. Let's examine the queue with qmail-qread. That much queued, unsent mail looks like spam.

# /var/qmail/bin/qmail-qread

We examine the contents of the messages in the queue using the Plesk mail queue manager or the less command. First we find the message using qmail-qread, then we locate the file that holds the mail under /var/qmail/queue with the find command.

# /var/qmail/bin/qmail-qread
[…]
20 Jan 2010 02:35:10 GMT #220458745 1552 <>
remote user@yahoo.com
[…]

# find /var/qmail/queue/ -name 220458745
/var/qmail/queue/mess/12/220458745
/var/qmail/queue/remote/12/220458745
/var/qmail/queue/info/12/220458745

# less /var/qmail/queue/mess/12/220458745

Received: (qmail 10728 invoked from network); 20 Jan 2010 02:35:10 +0100
Received: from unknown (HELO User) (90.91.92.93)
  by domain.com with SMTP; 20 Jan 2010 02:35:10 +0100
Reply-To: <support@bankofamerica.com>
From: "PayPal"<support@bankofamerica.com>
Subject: Bank of america
Date: Tue, 20 Jan 2010 02:35:10 +0100
MIME-Version: 1.0
Content-Type: text/html;
  charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
[…]

Well, it seems someone is sending spam from the IP address 90.91.92.93 (the IP is a fictional example, as is the mail data). Now we should remove these messages before the server's IP ends up on a blacklist.
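
To check whether one client IP accounts for most of the queue before deleting anything, the message files can be tallied by the address in their network Received header. This is an added example, not part of the original post; the function names are hypothetical and it assumes the "Received: from ... (HELO ...) (ip)" layout shown above. On a real server it would be pointed at /var/qmail/queue/mess.

```shell
#!/bin/sh
# Added example: tally queued messages by submitting client IP.
# Assumes the header layout shown above:
#   Received: from <name> (HELO <helo>) (<client ip>)

# queue_top_senders DIR -> "<count> <source>" lines, busiest source first.
queue_top_senders() {
    find "$1" -type f | while IFS= read -r msg; do
        awk '
            /^$/ { exit }     # headers end at the first blank line
            /^Received: from / && match($0, /\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)/) {
                ip = substr($0, RSTART + 1, RLENGTH - 2); exit
            }
            # No network hop: the mail was injected on the server itself.
            END { print (ip == "" ? "local" : ip) }
        ' "$msg"
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample queue: two network messages from the fictional IP and
# one locally injected message whose body imitates a Received header.
make_sample_queue() {
    mkdir -p "$1/12" "$1/7"
    for id in 220458745 220458746; do
        printf '%s\n' 'Received: (qmail 10728 invoked from network)' \
            'Received: from unknown (HELO User) (90.91.92.93)' \
            '  by domain.com with SMTP' \
            'Subject: Bank of america' '' 'body' > "$1/12/$id"
    done
    printf '%s\n' 'Received: (qmail 2001 invoked by uid 48)' \
        'Subject: form mail' '' \
        'Received: from fake (HELO x) (1.2.3.4)' > "$1/7/220458999"
}

tmp=$(mktemp -d)
make_sample_queue "$tmp"
queue_top_senders "$tmp"
rm -rf "$tmp"
```

A large "local" count points at a script or web form on the server rather than an authenticated SMTP client, which changes where to look next.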
Once they are removed, we see that the same messages keep coming back.
It is time to use tcpdump to analyze the traffic of the IP that is giving us trouble.

# tcpdump -i eth0 -n -s 2048 -w smtp.tcpdump src 90.91.92.93 or dst 90.91.92.93

This captures all incoming and outgoing traffic for that IP and stores it in a file called smtp.tcpdump, which we then examine with the less command.

220 server.domain.com ESMTP
helo User
250-server.domain.com
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
MTIzNDU=
235 go ahead

It may be somewhat more convoluted or contain characters in another encoding, but what we need to look at are the lines below the 334 responses, where we will find the username and password.

We proceed to decode these strings using perl:

# perl -MMIME::Base64 -e 'print decode_base64("dGVzdA==")'
# perl -MMIME::Base64 -e 'print decode_base64("MTIzNDU=")'

This reveals the username and password the spammer authenticated with. Checking the server, we see that a customer has created a user named "test" with the password "12345".
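
The AUTH LOGIN exchange can also be decoded in one pass, pairing each 334 prompt with the client's reply. This is an added example, not from the original post: the function names are hypothetical, it assumes a text transcript laid out like the session above, and it reports only the length of the password, since the username is enough to locate the mailbox.

```shell
#!/bin/sh
# Added example: decode an SMTP AUTH LOGIN exchange from a text transcript.
# Each "334 <base64>" line is a server prompt; the next base64-only line is
# the client's answer to it.

# decode_auth_login [FILE] -> "<prompt> <answer>" lines (reads stdin if no FILE).
decode_auth_login() {
    awk '
        { sub(/\r$/, "") }                      # SMTP lines end in CRLF
        /^334 / { want = $2; next }             # remember the pending prompt
        want != "" && /^[A-Za-z0-9+\/]+=*$/ { print want, $0; want = "" }
    ' "$@" | while read -r prompt reply; do
        p=$(printf %s "$prompt" | base64 -d)
        r=$(printf %s "$reply" | base64 -d)
        case $p in
            # Report the length only, to keep the secret out of notes and tickets.
            Password:*) r="<${#r} characters>" ;;
        esac
        printf '%s %s\n' "$p" "$r"
    done
}

# Constructed transcript, taken from the session shown above.
sample_smtp_capture() {
    printf '%s\r\n' '220 server.domain.com ESMTP' 'helo User' \
        '250-AUTH LOGIN CRAM-MD5 PLAIN' '250 8BITMIME' 'AUTH LOGIN' \
        '334 VXNlcm5hbWU6' 'dGVzdA==' '334 UGFzc3dvcmQ6' 'MTIzNDU=' \
        '235 go ahead'
}

sample_smtp_capture | decode_auth_login
```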

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
[…]
mysql> SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='test' AND a.password='12345';
+-----------+-------------+----------+
| mail_name | name        | password |
+-----------+-------------+----------+
| test      | example.com | 12345    |
+-----------+-------------+----------+
1 row in set (0.01 sec)

Well, now we proceed to delete the account and repeat to the customer: "YOU MUST NOT USE INSECURE PASSWORDS"

It is recommended to enable the following on the server:

Server Settings > Mail > Check the passwords for mailboxes in the dictionary.


SOURCE: http://www.webnaranja.com/foros.php?t=860

http://www.cordobyte.com/blog/2010/02/como-tratar-problemas-de-spam-en-plesk/