Mac OS X server sending spam

[cvanhoof]

Hi,
Customer called that they couldn't send emails anymore ( they also didn't get any reply or failure or undeliverable email back)
The situation is that this Mac OS x server with fixed ip and version installed : 10.9 was several times (3x in total) blacklisted and removed from the blacklist by the ISP.

Currently looking at the logs on the server and I was seeing in the smtp-logfile that there well still attempts from different IP's who where trying to send spam.

Is it that the server has an infection on it? good question ..... i have to find out....( i have to admit that this area is a bit new for me)
Does anyone have an idea on what software = malware scanner or so that i can try and scan on this Mac os x server? That would be great.....

Thanks a lot
Christophe

 

[nlinecomputers]

I was seeing in the smtp-logfile that there well still attempts from different IP's who where trying to send spam.

I'm not a mac guy so I can't help much. However, I must ask, what IPs are sending spam? Are these internal or external IPs. Doesn't sound like your server is infected. It sounds like you are an open relay. I take it 157.122.148.252 is the IP address of this mac?

 

[nlinecomputers]

https://mxtoolbox.com/SuperTool.aspx?action=blacklist:157.122.148.252&run=networktools

 

[Markverhyden]

Have you checked to see if it's an open relay. The bit of log you posted shows that they cannot log in so that is not the problem. Open relay is the biggest problem with self hosted systems. I've even had that myself a couple of times.

Edit: @nlinecomputers beat me too it. LOL!!!

 

[cvanhoof]

Yesterday i've checked and it's NOT (luckily) open relay....


Please enter IP number of the target host:

Top of Form


Port 25 is Open at 217.136.221.101

Bottom of Form

[Method 4 @ 1458897525]
<<< 220 mail.architect-aj.be ESMTP Postfix
>>> HELO mailradar.com
<<< 250 mail.architect-aj.be
>>> MAIL FROM: <antispam@[217.136.221.101]>
<<< 250 2.1.0 Ok
>>> RCPT TO: <relaytest@mailradar.com>
<<< 554 5.7.1 <relaytest@mailradar.com>: Relay access denied
>>> QUIT
<<< 221 2.0.0 Bye
[TEST PASSED]

[Method 5 @ 1458897527]
<<< 220 mail.architect-aj.be ESMTP Postfix
>>> HELO mailradar.com
<<< 250 mail.architect-aj.be
>>> MAIL FROM: <antispam@[217.136.221.101]>
<<< 250 2.1.0 Ok
>>> RCPT TO: <relaytest%mailradar.com@[217.136.221.101]>
<<< 554 5.7.1 <relaytest%mailradar.com@[217.136.221.101]>: Relay access denied
>>> QUIT
<<< 221 2.0.0 Bye
[TEST PASSED]

[Method 9 @ 1458897568]
<<< 220 mail.architect-aj.be ESMTP Postfix
>>> HELO mailradar.com
<<< 250 mail.architect-aj.be
>>> MAIL FROM: <antispam@[217.136.221.101]>
<<< 250 2.1.0 Ok
>>> RCPT TO: <relaytest@mailradar.com@[217.136.221.101]>
<<< 554 5.7.1 <relaytest@mailradar.com@[217.136.221.101]>: Relay access denied
>>> QUIT
<<< 221 2.0.0 Bye
[TEST PASSED]

[Method 11 @ 1458897586]
<<< 220 mail.architect-aj.be ESMTP Postfix
>>> HELO mailradar.com
<<< 250 mail.architect-aj.be
>>> MAIL FROM: <antispam@[217.136.221.101]>
<<< 250 2.1.0 Ok
>>> RCPT TO: <relaytest@mailradar.com@101.221-136-217.adsl-static.isp.belgacom.be>
<<< 554 5.7.1 <relaytest@mailradar.com@101.221-136-217.adsl-static.isp.belgacom.be>: Relay access denied
>>> QUIT
<<< 221 2.0.0 Bye
[TEST PASSED]

[Method 15 @ 1458897648]
<<< 220 mail.architect-aj.be ESMTP Postfix
>>> HELO mailradar.com
<<< 250 mail.architect-aj.be
>>> MAIL FROM: <antispam@[217.136.221.101]>
<<< 250 2.1.0 Ok
>>> RCPT TO: <mailradar.com!relaytest@[217.136.221.101]>
<<< 554 5.7.1 <mailradar.com!relaytest@[217.136.221.101]>: Relay access denied
>>> QUIT
<<< 221 2.0.0 Bye
[TEST PASSED]

[Method 16 @ 1458897658]
<<< 220 mail.architect-aj.be ESMTP Postfix
>>> HELO mailradar.com
<<< 250 mail.architect-aj.be
>>> MAIL FROM: <antispam@[217.136.221.101]>
<<< 250 2.1.0 Ok
>>> RCPT TO: <mailradar.com!relaytest@[101.221-136-217.adsl-static.isp.belgacom.be]>
<<< 501 5.1.3 Bad recipient address syntax
>>> QUIT
<<< 221 2.0.0 Bye
[TEST PASSED]

All tested completed! No relays accepted by remote host!

 

[TurricanII]

It sounds like you have a username/password e.g. test/test. If you managed a few email servers that are exposed to the Internet you will routinely see the same couple of hundred logins tried in quick succession from time to time. Invariably the dictionary attack comes from infected sites or servers that are being abused by third parties, or China.

You do need to find the log extract for a successful SPAM email and post that - it should reveal the source IP and username that was used.

You should be able to disable authentication on the external SMTP server unless you need it. A simple way to fortify is to add another layer of security (and another revenue stream for you) by using an online SPAM filter such as Max Mail. You can then adjust the firewall that protects the OSX machine so that inbound and outbound SMTP traffic is only permitted from/to the Max Mail list of IP addresses.

The SPAM could also have been relayed out by an infected workstation inside the LAN, if the SMTP service has not been restricted, so you really need to check the SMTP log.

 

[cvanhoof]

howly ****
you are right with the username test .... just removed it (as we speak) .... probably this was the thing that it all started with....

The owner of the server has also set test as the password for the administrator account..... look no further i guess/asume?

 

[TurricanII]

Result! There are lots of common usernames that are hammered - admin, administrator, backup, guest, temp, test, demo, webmaster etc. - you really need to check for other easy target usernames.

As before, find out how to disable SMTP AUTH or put a SPAM filter between the mail server and the world and you will stop seeing the failed logins in your SMTP logs/protect against this problem.

 

[cvanhoof]

I'm not a mac guy so I can't help much. However, I must ask, what IPs are sending spam? Are these internal or external IPs. Doesn't sound like your server is infected. It sounds like you are an open relay. I take it 157.122.148.252 is the IP address of this mac?

the external IP is : 217.136.221.101 and internal : 192.168.0.123

 

[cvanhoof]

for your information : at the client side .....There are 2 windows machines i've checked for malware and other infections and nothing found.

 

[cvanhoof]

Result! There are lots of common usernames that are hammered - admin, administrator, backup, guest, temp, test, demo, webmaster etc. - you really need to check for other easy target usernames.

As before, find out how to disable SMTP AUTH or put a SPAM filter between the mail server and the world and you will stop seeing the failed logins in your SMTP logs/protect against this problem.

The owner has completely shut down the server yesterday ( doens't want to take any risks and he's on vacation now)

Another thing , they where using a residential ISP solution for sending email : relay.skynet.be .... when they are back from vacation we immediately migrate everything to exchange (office365) 4 mailboxes in total = small business owner

 

[nlinecomputers]

Office 365 will be a much better solution. Running your own email server just isn't feasible in today's world.

 

[Markverhyden]

The owner has completely shut down the server yesterday ( doens't want to take any risks and he's on vacation now)

Another thing , they where using a residential ISP solution for sending email : relay.skynet.be .... when they are back from vacation we immediately migrate everything to exchange (office365) 4 mailboxes in total = small business owner

Well, going to O365 is the nickle solution to the dime problem. But I'm a bit confused. In the beginning you said the server has a fixed IP but later say they are using ISP relay. There is no need to relay if the IP is truly fixed.

I'm a bit old fashioned and am still running my own email server. But I agree. O365 is really the best for customers these days if they need to use Exchange features. If they do not then an IMAP account from reliable company like Rackspace is also a great solution.

 

[YeOldeStonecat]

Just for a tip....we do this with every client that has a local e-mail server.

We do not expose SMTP ports to the whole world.
We always..always...put a bastion host in between our clients servers, and the internet. Our usual host is our spam filter appliance...for incoming e-mail. And their servers send out to our own outbound SMTP servers via authentication.
The clients firewalls...we open/forward port 25 to only allow inbound traffic from the IP range of our office (MX1) and failover (MX2) locations.
This really closes to the door on the mail server. Having port 25 or other alternate SMTP ports open to the whole world...and that server is getting poked and prodded every second of every day.

In addition to checking security on the mail server...locking it down to only what LAN and public IPs are necessary, and if any "no auth" connections are required (such as for MFPs)...limit that to an IP only.