Spam sent via non-existant email addresses?

[jols]

Hi,

I just caught a bunch of spam being sent from logins to email addresses/accounts that were not established in the account's cPanel, they were apparently also able to send email from using just and only the cPanel access user ID.

The spammers were logging in using email account IDs like this:

[email protected]
[email protected]
[email protected]

But there are no such email address, even established as forwarders in this account.

How could they have done this, and especially with regard to sending email via non-existent addresses/accounts, how is this even possible?

Thanks for any advice.

 

[jols]

And just to be clear, this spam was sent FROM, not TO, the non-existing addresses, I am seeing dovecot_login logs in exim_mainlog that refer to various IPs logging into these address to send, what was obviously a phishing email scam.

 

[jols]

It appears the phenomena we experienced has something to do with the Dovecot "Master user/password" see:

Authentication/MasterUsers - Dovecot Wiki

Excerpt:

"Master users are configured by adding a new passdb with master=yes setting. The users in the master passdb cannot log in as themselves, only as other people. That means they don't need to exist in the userdb, because the userdb lookup is done only for the user they're logging in as."

Is anyone familiar with this? And does anyone know how we can remove this "master user" functionality in the dovcot email system?

 

[ThinIce]

Unsure on the dovecot master users, but it'd be interesting to see the full headers for the messages you're referring to, are they actually authenticating as non-existant users, or is it the main login / pop before smtp being used?

IIRC the cPanel control panel login is also a valid mail user on the system, therefore once authenticated I believe it will be able to send messages from any address @ a domain under that login, irregardless of whether there is a mailbox or forwarder with that address.

 

[jols]

Thanks for your response.

We have this in the header:
-host_auth dovecot_login

So I believe this was password auth. I am guessing that the spammer keylogged the main account password.

Still however this is strange that the spammer was able to send email at all, using non-existent email addresses, as well as the main account ID. I've made out a ticket many hours ago to cpanel.net. It's strange that there is still no response.

Regarding IIRC, I did not think we had that running at all. Is there a way to check?

Thanks again.

 

[ThinIce]

Thanks for your response.

We have this in the header:
-host_auth dovecot_login

So I believe this was password auth. I am guessing that the spammer keylogged the main account password.

Still however this is strange that the spammer was able to send email at all, using non-existent email addresses, as well as the main account ID. I've made out a ticket many hours ago to cpanel.net. It's strange that there is still no response.

Regarding IIRC, I did not think we had that running at all. Is there a way to check?

Thanks again.

My bad, replying quickly, I meant "if I recall correctly"!

 

[InterServed]

I can also confirm this , we started to see this behavior starting few hours ago and we undergo extensive research now.

Update1: Switching from Dovecot to Courier doesn't seem to make any difference.

 

[jols]

Indeed, just today something similar (or at least similarly strange) occurred, this time with a server using the Courier email system. Here are the details of anyone is interested:

We were alerted that spam was being broadcast from one of our hosting accounts. In this case the spammer was using an addon domain.

What's usual about this, is the we were NOT able to easily stop the outflow of spam simply by changing the effect account's password, which has always been the case. After the password change, the spammer was still able to log into the account to send spam messages.

Then I tried changing the main cPanel account password. Still no good, the spammer was still able to broadcast through this same, aforementioned email account.

Then I removed the email account in question. Still no good, the spammer was STILL able to perform courier logins (using the email account user ID for the account I just removed) to broadcast spam.

Then I unparked the addon domain in question, and AMAZINGLY the spammer was still able to log in to broadcast spam using the same email account ID.

The only thing that stopped the broadcast of spam was either doing a full restart of the exim system via WHM ("service exim stop" was not working via shell). Or for the fact that we finally blocked the incoming IP address that was logging in to send spam. I do not know because we performed both of these actions at the same time. I also inserted the effected email address/login in antivirus.exim so as to block the continuous outflow of spam.

We never had to go to this extent before to block spam from an obviously compromised email account. Before we had to do was access the effected email account via cPanel, then change the password, without having to restart exim, or block any incoming IPs, and this would be enough to start seeing failed logins in /var/log/exim_mainlog but not these days.

Before the recent, significant cPanel update, we were always just able to simply change the compromised email account's password, and then the spam would stop. But now, there are all of these steps that we obviously must also do. I'm still trying to figure out how the spammer was still able to broadcast spam, even after the effected email account was removed. I have a theory that because the spammer in this case was originating from a single IP address, that somehow he stayed connected to exim, with the same email sending credential, even after the account was removed.

Also, for the first time in nearly a decade of using cPanel servers, recently we are now seeing spam sent from logins to the primary email account, as well as spam sent from non-existent email addresses/accounts.

No complaints, but several hours ago we started a ticket opened at cPanel.net for this most recent incident, so far, no response:

3891145

The other ticket opened yesterday, has been responded to, but unfortunately we have yet to receive a response addressing the very unusual nature of the issue which is the fact that logins were occurring to non-existent email IDs:

3883201

This is a very concerning issue for us.

 

[ThinIce]

Interesting. For the next occurrence what are the contents at the time of

/etc/relayhostsusers
/etc/relayhosts

And do these match up with what you're seeing i.e. is there a matching entry whilst the spam is going out, that then disappears when the issue is resolved.

From your description what sounds most likely to me is that the IP is a relayer via antirelayd (logging into dovecot and then being allowed to send mail for 30mins without authentication). If not it does sound more likely you're dealing with something new.

 

[jols]

Good point.

If they are getting in there via the 30 minute window, by spoofing the server IP, (which is what I believe you are saying) then it seems that we may be able to just remove POP before Relay capability and use password authentication only... at least I "think" this could be at least one resolution for this if the issue is what you suggest.

By the way, this most recent incident involved a server with Courier, so I am coming to the conclusion that it's not a weakness in Dovecot as I had at first assumed.

 

[jols]

Update - Okay, I think I see what you mean now. Seems like this could explain why we deleted the email account, etc. and email was still getting sent out via that same login.

The first page of the following post describes out to switch off POP before RELAY, and I am very tempted to do so:

https://forums.cpanel.net/f5/smtp-not-requiering-authentication-14210-p2.html

Still however.... hmmm, would POP before RELAY explain how a spammer was able to log in using a non-existent email account login (as was the case in the prior incident)?

 

[InterServed]

Thanks for all the details jols. In our case we see many different ip's using this "spamming technique" and it started to spread to more and more domains. All this incidents happening to more people is sure not a coincidence and something "fishy" must be going on.
Will keep you all updated with all our findings as soon as we have more to share.

 

[jols]

Something else, new - The cPanel.net tech found that sendmail was continuously running on this particular server:

ps -ef | grep sendmail
root 5980 14297 0 06:16 pts/1 00:00:00 grep sendmail
mailnull 8184 1433 0 04:04 ? 00:00:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t

So of course I killed this process, as this should never have been the case. But in theory this may explain why the spam send was so tough to stop once it got going. So, do run the process grep for sendmail to see if this is the case with you, and do let us know if you have any correlation with this finding.

- - - Updated - - -

Anyone know how to keep sendmail running continuously, while still allowing scripts to use sendmail to send notices and such?

 

[jols]

For what it's worth:

Improving Sendmail Security by Turning it Off

 

[ThinIce]

Update - Okay, I think I see what you mean now. Seems like this could explain why we deleted the email account, etc. and email was still getting sent out via that same login.

The first page of the following post describes out to switch off POP before RELAY, and I am very tempted to do so:

https://forums.cpanel.net/f5/smtp-not-requiering-authentication-14210-p2.html

Still however.... hmmm, would POP before RELAY explain how a spammer was able to log in using a non-existent email account login (as was the case in the prior incident)?

Depends what the auth details were for the spam messages on queue. An interesting point here is that POP before SMTP was supposed to be disabled by default on new installs of 11.32 cPanel & WHM 11.32 Release Notes for presicely this sort of reason

Looking at Require SMTP Authentication this appears to have been rescinded. Ho hum.

In tweak settings "Add X-PopBeforeSMTP header for mail sent via POP-before-SMTP" is available which may help you rule this in / out.

- - - Updated - - -

Something else, new - The cPanel.net tech found that sendmail was continuously running on this particular server:

ps -ef | grep sendmail
root 5980 14297 0 06:16 pts/1 00:00:00 grep sendmail
mailnull 8184 1433 0 04:04 ? 00:00:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t

So of course I killed this process, as this should never have been the case. But in theory this may explain why the spam send was so tough to stop once it got going. So, do run the process grep for sendmail to see if this is the case with you, and do let us know if you have any correlation with this finding.

- - - Updated - - -

Anyone know how to keep sendmail running continuously, while still allowing scripts to use sendmail to send notices and such?

Sendmail on cPanel systems should be provided by exim and not installed / running in it's own right.

[~]# rpm -q --whatprovides /usr/sbin/sendmail
exim-4.80-4.cp1136

The tech should have pointed this out really I'd have thought

 

[jols]

Okay, we just found sendmail running again on this same server. I need to figure out what is starting this up somehow.

ps -ef | grep sendmail
root 5980 14297 0 06:16 pts/1 00:00:00 grep sendmail
mailnull 8184 1433 0 04:04 ? 00:00:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t

 

[Kurieuo]

I too just started noticing this.

Did something change in one of the recent cPanel versions that'd allow a relay exploit using POP before SMTP? I constantly watch the mail server, and this is the first I've come across someone being able to send through it from a non-existing email account.

I didn't even receive a relay alert from LFD like I normally do, but perhaps they came in under the 100 count that's been set. I couldn't see more than 60.

Have disabled POP before SMTP will see if it makes a difference.

Just wondering if anyone else had this issue know whether that fixes it?

jols, not sure what that command necessary means. Is sendmail being cronned to run... Did you figure out your issues...?

Thanks.