AUTH CRAM-MD5 rehashes the password, but the userid is the important bit anyway.

Change that users password - and keep watching your logs...

This morning i noticed thousand delivery errors and i seen a lot of outgoing SMAP messages apparently routed by our mailserver !

Messages was i.e. from aliquam@aliquam.edu to elzehem@yahoo.com etc ...

Our server is configured to be NOT open relay and the authentication is imposed (i manage file AUTH.MER to do this), but messages continue to arrive and forwarded !

I do not understand this problem, some ideas ?!?

ALex.

Messages transiting in our server has this form:

"Received: from spooler by mydomain.com (Mercury/32 v4.52); 21 Jan 2013 09:36:50 +0100
Received: from Unknown (88.40.127.38) by mercury.mydomain.com (Mercury/32 v4.52) with ESMTP ID MG000B5E;
   21 Jan 2013 09:36:45 +0100
Message-ID: <22D859FBCEF749C5887DA669D2DB1683@efnr>
From: "Sylvia" <ut@velitegetlaoreet.ca>
To: <ajcafonso@hotmail.com>
Subject: are you here? please read my letter. I need just one minute of your time.
Date: Mon, 21 Jan 2013 02:36:11 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_1387_01CDF780.13540380"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912

This is a multi-part message in MIME format.

------=_NextPart_000_1387_01CDF780.13540380
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_1388_01CDF780.13540380"


------=_NextPart_001_1388_01CDF780.13540380
Content-Type: text/plain;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

Hello my dear friend, I hope you remember me. Some time ago, we have acqu=
ante with you on a dating site.You leave me your e-mail on this site ..."

... etc

 No FROM nor TO involves my domain, but message is delivered exactly as an open relay ...

ALex.

Below a typical connection history from SMTP log:

T 20130121 001043 50fb2221 Connection from 62.205.6.250
T 20130121 001043 50fb2221 EHLO Unknown
T 20130121 001044 50fb2221 AUTH CRAM-MD5
T 20130121 001044 50fb2221 MAIL FROM:<et@quisarcu.com>
T 20130121 001044 50fb2221 RCPT TO:<lauriki_10@hotmail.com>
T 20130121 001046 50fb2221 DATA - 952 lines, 70942 bytes.
T 20130121 001046 50fb2221 QUIT
T 20130121 001046 50fb2221 Connection closed with 62.205.6.250, 3 sec. elapsed.

ALex.

I suspect on that "AUTH CRAM-MD5" ... [:(]

ALex.

As I understand with authentification active and sucessful any mail will be accepted. You may disable relaying only on not authentificated connections.

So ... it seems at least one pair of username and password in your AUTH.MER is hacked.

[quote user="alexbromo"]

This morning i noticed thousand delivery errors and i seen a lot of outgoing SMAP messages apparently routed by our mailserver !

Messages was i.e. from aliquam@aliquam.edu to elzehem@yahoo.com etc ...

Our server is configured to be NOT open relay and the authentication is imposed (i manage file AUTH.MER to do this), but messages continue to arrive and forwarded ![/quote]

What boxes have you got ticked in MercuryS "Relaying control" ?

Is the spam all coming from the same IP address? Do you have any weak authentication passwords?

[quote user="FJR"]

As I understand with authentification active and sucessful any mail will be accepted. You may disable relaying only on not authentificated connections.

So ... it seems at least one pair of username and password in your AUTH.MER is hacked.

[/quote]

Thank you for reply.

It is possible that some user's password has been hacked ... how to verify what username/password is used to gain authorization to our SMTP ?

Thanks.

ALex.

This is my SMTP Connection control configuration that works well for many years: all four checks:

The SPAM is coming from hundred different addresses !

 ALex.

[quote user="alexbromo"]

This is my SMTP Connection control configuration that works well for many years: all four checks:

The SPAM is coming from hundred different addresses ![/quote]

How many users are in the auth.mer file?  If it isn't obvious which is the "guessable" password, you may find out something from a session log from a spam run.

We have approximately an hundred users in the AUTH.MER

I have the session logging, but only string about login is "250-AUTH CRAM-MD5 LOGIN <cr><lf>" and no username is reported, so how to see what password was hacked ?

ALex.

[quote user="alexbromo"]We have approximately an hundred users in the AUTH.MER[/quote]

And none of them use "password" or "123456" etc?

[quote]I have the session logging, but only string about login is "250-AUTH CRAM-MD5 LOGIN <cr><lf>" and no username is reported, so how to see what password was hacked ?[/quote]

That is the advertisment being sent from your server.  Further on is the encoded authentication. The user name is base64 encoded - use a website like http://www.base64decode.org/ to find out the name.

[quote user="alexbromo"]It is possible that some user's password has been hacked ... how to verify what username/password is used to gain authorization to our SMTP ?[/quote]

I'm not shure, because I don't use AUTH.MER (have Novell Netware with eDiretory). May be you have temporarily to enable session logging on module SMTPS and have a look there.

To place a momentary patch, should be an idea to place a filtering rule that permit outgoing only messages that match the criteria:

1) source mailbox contains "mydomain.com" + destination mailbox contains any domain

2) source mailbox name contains any domain and destination mailbox contains "mydomain.com"

other discarded !

ALex.

[quote user="alexbromo"]

To place a momentary patch, should be an idea to place a filtering rule that permit outgoing only messages that match the criteria:

1) source mailbox contains "mydomain.com" + destination mailbox contains any domain

2) source mailbox name contains any domain and destination mailbox contains "mydomain.com"

other discarded ![/quote]

You would do the same by removing authentication and just keeping the first two relaying controls.  But if auth is used frequently then that may not be an option.

How are you getting on decoding the username?

This issue is a real mistery ...

Below a part of SMTP session logfile named TCP012F.MS and created some minutes ago :

09:03:29.937: Connection from 217.165.87.28, Mon Jan 21 09:03:29 2013<lf>
09:03:29.953: << 220 mercury.mydomain.com ESMTP server ready.<cr><lf>
09:03:29.578: >> EHLO Unknown<cr><lf>
09:03:29.578: << 250-mercury.mydomain.com Hello Unknown; ESMTPs are:<cr><lf>250-TIME<cr><lf>
09:03:29.578: << 250-SIZE 0<cr><lf>
09:03:29.578: << 250-AUTH CRAM-MD5 LOGIN<cr><lf>
09:03:29.578: << 250-AUTH=LOGIN<cr><lf>
09:03:29.578: << 250 HELP<cr><lf>
09:03:30.687: >> AUTH CRAM-MD5<cr><lf>
09:03:30.687: << 334 PDEwMjU2ODcuMzQ2QHBvbGl0ZWNuaWNhLml0Pg==<cr><lf>
09:03:31.203: >> bW51bnppIDc4ZWJjNTUxNWE2MTg2MmVlZWFkNGQ0ZWYyNDc2ZDZi<cr><lf>

Note that, translating from Base64:

PDEwMjU2ODcuMzQ2QHBvbGl0ZWNuaWNhLml0Pg -> <1025687.346@mydomain.com> 
bW51bnppIDc4ZWJjNTUxNWE2MTg2MmVlZWFkNGQ0ZWYyNDc2ZDZi -> mnunzi 78ebc5515a61862eeead4d4ef2476d6b

where the only string wit a sense is mnunzi that is a user of my Mercury/32 (but 78ebc5515a61862eeead4d4ef2476d6b is NOT the password ... where is the password ?) :(

Then LOG proceed with authentication successful (?!?) and the rest of message is sent ... (it is SPAM mail with a .ZIP attachment)

09:03:31.203: << 235 Authentication successful.<cr><lf>
09:03:31.796: >> MAIL FROM:<pede@ut.ca><cr><lf>
09:03:31.796: << 250 Sender OK - send RCPTs.<cr><lf>
09:03:32.359: >> RCPT TO:<adiyuda@telkom.net><cr><lf>
09:03:32.359: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
09:03:33.015: >> DATA<cr><lf>
09:03:33.015: << 354 OK, send data, end with CRLF.CRLF<cr><lf>
09:03:33.625: >> Message-ID: <D78C518B305D43AA94DFE1EE3493F36E@upvua><cr><lf>
09:03:33.625: >> From: "Hyacinth" <pede@ut.ca><cr><lf>
09:03:33.625: >> To: <adiyuda@telkom.net><cr><lf>
09:03:33.625: >> Subject: This business life is taking all of me. I need vacation.<cr><lf>
09:03:33.625: >> Date: Mon, 21 Jan 2013 02:05:32 -0600<cr><lf>
09:03:33.625: >> MIME-Version: 1.0<cr><lf>
09:03:33.625: >> Content-Type: multipart/mixed;<cr><lf>
09:03:33.625: >> boundary="----=_NextPart_000_1998_01CDF77B.CB1288C0"<cr><lf>
09:03:33.625: >> X-Priority: 3<cr><lf>
09:03:33.625: >> X-MSMail-Priority: Normal<cr><lf>
09:03:33.625: >> X-Mailer: Microsoft Windows Mail 6.0.6001.18416<cr><lf>
09:03:33.625: >> X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18645<cr><lf>
09:03:33.625: >> <cr><lf>
09:03:33.625: >> This is a multi-part message in MIME format.<cr><lf>
09:03:33.625: >> <cr><lf>
09:03:33.625: >> ------=_NextPart_000_1998_01CDF77B.CB1288C0<cr><lf>
09:03:33.625: >> Content-Type: multipart/alternative;<cr><lf>
09:03:33.625: >> boundary="----=_NextPart_001_1999_01CDF77B.CB1288C0"<cr><lf>
09:03:33.625: >> <cr><lf>
09:03:33.625: >> <cr><lf>
....
...."

[:'(]

ALex.

[quote user="alexbromo"]This issue is a real mistery ...

Below a part of SMTP session logfile named TCP012F.MS and created some minutes ago :

09:03:30.687: >> AUTH CRAM-MD5<cr><lf>
09:03:30.687: << 334 PDEwMjU2ODcuMzQ2QHBvbGl0ZWNuaWNhLml0Pg==<cr><lf>
09:03:31.203: >> bW51bnppIDc4ZWJjNTUxNWE2MTg2MmVlZWFkNGQ0ZWYyNDc2ZDZi<cr><lf>

Note that, translating from Base64:

PDEwMjU2ODcuMzQ2QHBvbGl0ZWNuaWNhLml0Pg -> <1025687.346@mydomain.com> 
bW51bnppIDc4ZWJjNTUxNWE2MTg2MmVlZWFkNGQ0ZWYyNDc2ZDZi -> mnunzi 78ebc5515a61862eeead4d4ef2476d6b

where the only string wit a sense is mnunzi that is a user of my Mercury/32 (but 78ebc5515a61862eeead4d4ef2476d6b is NOT the password ... where is the password ?) :([/quote]

Because the sender has asked to use "AUTH CRAM-MD5", it's a salted hash of the password (read more at http://en.wikipedia.org/wiki/CRAM-MD5).

[quote]Then LOG proceed with authentication successful (?!?) and the rest of message is sent ... (it is SPAM mail with a .ZIP attachment)

09:03:31.203: << 235 Authentication successful.<cr><lf>
....[/quote]

You have the username, now you can force the password change.

I changed user's password, then i found a secondo user with account hacked and i changed his password too ...

I woluld know how this is possible ... perhaps exist a family of trojans that can steal users' password stored in the mail client (Outlook, Windows Live Mail) ?

 ALex.

[quote user="alexbromo"]I woluld know how this is possible ... perhaps exist a family of trojans that can steal users' password stored in the mail client (Outlook, Windows Live Mail) ?[/quote]

Many options:

• very simple password
• user takes same password elsewhere
  
• pishing
  
• Trojan or keyboard-Logger on PC of user
• brute force: check logs of all your servies accessable from internet: SMTP, FTP, HTTP ...
  (sometimes my FTP-Logs looking very interesting ... therefore no admin account is allowed to use FTP ;-)
• Sniffing the internet (or even your internal network): all your servies where passwords are send via net should be encryted (i.e. StartTLS or SSL with all mailservices).
• ...

Getting a network secure isn't that simple ... :-(

Yes, it's true ... getting networks secure is a real challenge. :(

However, after two password change the situation seems to be calmed (cross fingers).

Thank you guys, today you have helped me incredibly and i learned a lot,

ALex.