A quick guide on how to find the hacked accounts, and prevent this re-occurring.
Upgrade to our current release
- Download the latest release
- Use the config checker in the web admin tool and apply recommended settings.
Find the hacked account.
- tellmail send_top
- tellmail showq
- search rbl website http://multirbl.valli.org/
Use this command to list the top senders, usually the last 1-2 listed will be the hacked accounts.
tellmail send_top
Next examine msg*.rec log entries for these accounts, and find the 'Subject' of the sent messages, does it look like spam? If so disable the accounts in question (or change their passwords).
Next use:
tellmail showq
This will list message waiting to send, again this may help you identify problem messages/senders.
You may wish to use the command 'tellmail delete_contains SOMESPAMCONTENT' to delete queued messages that the spammer was trying to send.
Lastly search an RBL website to see if you have been blacklisted, if so, then for each blacklisting you need to contact the rbl and ask to be removed (at least for those that are not automatic).
Check for accounts with weak passwords
Lastly you should run this command to find any accounts with trivially crackable passwords. tellmail test_weak We've built a faster more extensive password checker into nwauth, if you have the latest version of it you can do this: nwauth -version +OK nwauth 4.3e capa=cluster2 nwauth -testweak +DATA Info: testing for 999 common passwords, pass 1 +DATA Cracked: crack2@xyz.com +DATA Info: testing for variations on common passwords, pass 2
Settings to enforce better passwords:
g_create_pass_digit "true"
g_hack_touser "true"
g_create_pass_recheck "true"
g_create_pass_mixed "true"
Stop phishing!
Add this setting: Version 7.6 required.
setting g_phish_block "true"This will replace url's in messages that are 'not' from friends, with a link that goes to your own mail server and warns the user not to proceed, the warning page then gives them the original link, and two links to websites to analyze the link. As well as a button to whitelist that domain in future.
Find forwarding accounts
Use this command to find all user accounts with a forwarding setting, these could result in your server being blacklisted and should be inspected or removed.
tellmail find_users "" fwd ""
Register for feedback.
Some systems like Google/Yahoo etc may allow you to register to get reports of spam coming from your server, registering with these services will give you a good heads up on details of the spam and make it much easier to resolve the origin account on your system.
Reading msg*.rec log entries.
Log entries for an incoming message look like this:
9 21:35:30[130766127] Rcpt 208.117.50.44 <return@address.com> <myaccount@fake.co.nz> 0 "" 9 21:35:31[130766127] Received 208.117.50.44 return@address.com <myaccount@fake.co.nz> 120395 <XJkzvvWDQXeUsz7INbIxGQ@ismtpd0003p1lon1.sendgrid.net> "Relay=islocal, nrcpt=1, f="Booking.com" <email.campaign@sg.booking.com>, s=[Chris - Whakapapa Village and Adelaide! There's a deal with your name on it!]" 9 21:35:32[130766127] Aspam 208.117.50.44 return@address.com <myaccount@fake.co.nz> 120395 <XJkzvvWDQXeUsz7INbIxGQ@ismtpd0003p1lon1.sendgrid.net> "notrust *****: 5.8 sd=5.8 l=0.00 nok=2/0 m=2 nf=0 Close 0.05(X-SpamContent:clean) 0.95(X-myrbl:Color=brown) 0.91(isclickimage2) 0.82(isclickimage1) 0.20(X-Phrase:clean) 0.37(dkimok) 0.37(genuine) 0.60(spfpass) 0.46(X-NotAscii:utf) 0.53(X-LangGuess:English) 0.49(X-Verify-Helo:+OK) SanScore 0.0 5.8 Sval 5.8" 9 21:35:32.00 [130766127] Spam 208.117.50.44 <return@address.com> <myaccount@fake.co.nz> 120395 <XJkzvvWDQXeUsz7INbIxGQ@ismtpd0003p1lon1.sendgrid.net> "[o4.sg.booking.com] SpamDetect" 9 21:35:32.00 [130766127] Stored 208.117.50.44 <return@address.com> <myaccount@fake.co.nz> 120395 <XJkzvvWDQXeUsz7INbIxGQ@ismtpd0003p1lon1.sendgrid.net> "[o4.sg.booking.com] Stored locally /home/surgemail/netwin.co.nz/hc/gf/chrisp/mdir/new/1470796532.2114_15646.netwin.netwinsite.co" Cpu time used 0 cpu seconds
For an outgoing message it looks like this:
9 21:39:48[130766226] Rcpt 115.188.8.177 <myaccount@fake.co.nz> <user@destination.com> 0 "" 9 21:39:49[130766226] Received 115.188.8.177 myaccount@fake.co.nz <user@destination.com> 566 <6a197213-738a-76f8-44d7-3e98ddb34224@netwin.co.nz> "Relay=smtpauth=myaccount@fake.co.nz, nrcpt=1, s=[test]" 9 21:39:49[130766226] NOSPAM 115.188.8.177 myaccount@fake.co.nz <user@destination.com> 566 <6a197213-738a-76f8-44d7-3e98ddb34224@netwin.co.nz> "trusted origin so skipping spam filtering g_smite_skip_relay" 9 21:39:53.00 [130766226] Sent 115.188.8.177 <myaccount@fake.co.nz> <user@destination.com> 566 <6a197213-738a-76f8-44d7-3e98ddb34224@netwin.co.nz> "[115-18-8-177.jetstream.xtra.co.nz] Delivered to remote host 12.9.234.50 used SSL - 250 message sent ok "
In both cases the line you want when hunting a hacked account is the 'Received' entry, this shows you why the message was accepted by your server.
- smtpauth=user@xyz.com (The user gave valid smtp auth credentials, which are listed.)
- g_relay_allow_ip (The sender is from a trusted ip address you have listed)
- islocal (The message is to a local account/domain, or was being forwarded by one)
To find this look for the Relay=... text in the line, e.g. in this example the message is relayed because the sender authenticated correctly as myaccount@fake.co.nz
9 21:39:49[130766226] Received 115.188.8.177 myaccount@fake.co.nz <user@destination.com> 566 <6a197213-738a-76f8-44d7-3e98ddb34224@netwin.co.nz> "Relay=smtpauth=myaccount@fake.co.nz, nrcpt=1, s=[test]"
The number in square brackets lets you find all related log entries, e.g. search on 130766226 in the above example
In some cases you will need to find events just before a log entry, to find what caused the message to be sent, to do this search on the date and time, e.g. "9 21:39:4" in the above example...
Settings to help auto detect spammers.
One or more of your users will have their account hacked and abused to send spam sooner or later, you can make it much harder, and you can detect it and stop it early using these settings and policies.
# Login guesses per IP before it is automatically and permenently locked out. Use tellmail unlock ip.address to fix... G_HACKER_MAX "10" # If hacker attempts to login to one of these then the ip is instantly locked out. (Don't use accounts that exist) G_HACKER_POISON "root@*,administrator@*" # Only allow smtp logins if the user has previously logged in via imap/pop from the same address G_SAFE_SMTP "true" # Alert users when logins occur from unknown addresses that are not from australia or usa... G_SAFE_WARNING "true" g_safe_country "us,au" # Max messages an authenticated user can send per 30 minutes, e.g. 5000 G_SPAM_USER_MAX "2000" # Max outgoing messages per ipaddress/return path pair, 30 minutes, e.g. 5000 G_SPAM_FROM_MAX "2000" # Detect local users sending 'spam like' email and send a report to the manager. G_OUTGOING_N "5" # White list for people you know send mail that looks a bit dodgy. G_OUTGOING_WHITE "bob@here.com,1.2.3.4" # send manager an email if a local user sends more than 300 message in a day... G_USER_SEND_WARNING "300" g_user_send_ip "300" # Apply some more strict password checking, and alert users with simple passwords... G_CREATE_PASS_DIGIT "true" G_CREATE_PASS_RECHECK "true" G_HACK_TOUSER "true"
Settings to stop spoofing/forging of your domains.
- Turn on SPF and DKIM and DMARC for all your domains.
- Consider some of the below settings, some may cause false positives (blocking real email) so use with caution.
- Use the config checker!
g_dmarc_use "true"
g_dmarc_enforce "true"
g_spf_nofriend "true"
g_friends_obey_spf "true"
g_spf_enforce_local "true"
g_friends_obey_spf "true"
g_friends_local_match "true"
g_friends_spf "true" # requires 7.3p-36
g_from_stamp "true" # stamp forgeries in the spam headers but don't actually stop them.
# alternative is g_from_bounce setting (not recommended)
Optional settings depending on your tolerance for bouncing real messages.
g_from_exact "true" # Bounce if the from doesn't match the authenticated sender g_from_noforge "true" # Block some types of from forgery. g_from_noforgeme "true" # checks for the special case of 'from=to' g_from_check "true" # enables some checking of the from address. g_from_nofriend "true" # prevent friend matches for apparently forged return addresses.