Detecting and removing spam e-mails

If the system has been used to send spam, you should start hunting for the source as quickly as possible, so that your own IP address does not end up on blacklists.

In this example I want to show how the cause can be tracked down even without spam detection via a sendmail wrapper and X-headers, using nothing but the Postfix queue and the web server logs.

Step 1: Inspect the mail queue

We display the Postfix mail queue with postqueue -p (mailq is the Sendmail-compatible alias and prints the same output) and immediately see plenty of spam; the 421 responses from AOL show that the receiving side is already deferring our deliveries.

# mailq
[..]
A19A01A7481      715 Fri Feb 21 08:07:49  deirdre_kelly@tauernresidence.at
(delivery temporarily suspended: host mailin-03.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         gerio7769@aol.com

A324A1A7E26      699 Sat Feb 22 06:41:27  cassandra_turner@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         ryanshay@aol.com

A34A01A7A6B      681 Fri Feb 21 20:04:56  alta_munoz@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         lseitelman@aol.com

AB2C4561DA6      744 Fri Feb 21 09:02:09  mollie_lester@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         mbarney555@aol.com

A493D590B20      765 Thu Feb 20 19:32:19  terri_duffy@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         canarien9561@aol.com

-- 32354 Kbytes in 12505 Requests.

Step 2: Spam sent via a PHP script

To find the responsible user, we open a few of these queue IDs with postcat, for example AB2C4561DA6.

# postcat -q AB2C4561DA6
*** ENVELOPE RECORDS deferred/A/AB2C4561DA6 ***
message_size:             744             185               1               0             744
message_arrival_time: Fri Feb 21 09:02:09 2014
create_time: Fri Feb 21 09:02:09 2014
named_attribute: rewrite_context=local
sender_fullname: 
sender: xxx@xxx.de
*** MESSAGE CONTENTS deferred/A/AB2C4561DA6 ***
Received: by xxx.xxx.de (Postfix, from userid 4079)
	id AB2C4561DA6; Fri, 21 Feb 2014 09:02:09 +0100 (CET)
To: mbarney555@aol.com
Subject: Re:  Good day
From: "xxx" <xxx@xxx.de>
Reply-To: "xxx" <xxx@xxx.de>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <20140221080209.AB2C4561DA6@xxx.xxx.de>
Date: Fri, 21 Feb 2014 09:02:09 +0100 (CET)

Line 10 of the output, the Received: header, carries "from userid 4079". Postfix records the UID of the local process that handed the message to sendmail/postdrop, so this is the system user the mailer script ran as. We look that UID up in /etc/passwd to get the user name.

# getent passwd 4079      # exact UID match; a plain "grep 4079" would also hit UIDs such as 14079
web274:x:4079:4079::/var/www/web274:/bin/false

We change to the directory holding this user's Apache log files:

  • Plesk: /var/www/vhosts/domain.de/statistics/logs/
  • Confixx: /var/www/webX/log/

Now we search the access_log for successful POST requests (status 200).
Below is an example of how the "spammers" call several PHP scripts to send the spam e-mails: the same two scripts are hit every 15 seconds from one IP, with neither Referer nor User-Agent ("-" "-"), which is typical of an automated client and not of a browser.

localhost:/var/www/web274# zcat log/old/access_log_2014_w9-0.gz | grep -E '"POST [^"]*" 200 '
[..]
68.71.243.135 - - [22/Feb/2014:06:30:16 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:30:32 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:30:47 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:31:16 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:31:32 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:31:47 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:03 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:19 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:35 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:51 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:35:39 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:35:54 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:36:10 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:36:28 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:36:44 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:37:00 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:37:15 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:37:31 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
[..]
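
As an added example (not code from the original post), here is the access_log analysis from this step as a few shell functions that can be run over a whole week of rotated logs instead of reading them by eye. The sample log lines are constructed to resemble the excerpt above; the list of "static only" directories and the document root /var/www/web274/htdocs are assumptions. The functions generalise the text's check (POST, status 200, .php) with two further signals visible in the excerpt: PHP files in directories that should contain only static content, and clients that send neither Referer nor User-Agent.

```shell
# Added example: find PHP backdoors used as mailers from Apache access logs.
# Constructed sample lines in Apache "combined" format, modelled on the excerpt
# above (not real log data).  Field layout: $1 client IP, $6 method (with the
# opening quote), $7 request path, $9 status, $11 referer, $12 user agent.
SAMPLE_ACCESS_LOG='68.71.243.135 - - [22/Feb/2014:06:30:16 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:30:32 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
203.0.113.7 - - [22/Feb/2014:06:31:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Feb/2014:06:31:05 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.example.org/wp-login.php" "Mozilla/5.0"
68.71.243.135 - - [22/Feb/2014:06:35:39 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:35:54 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
198.51.100.9 - - [22/Feb/2014:06:40:00 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
203.0.113.7 - - [22/Feb/2014:06:41:00 +0100] "GET /images/header/logo.png HTTP/1.1" 200 9182 "http://www.example.org/" "Mozilla/5.0"'

# Every successful POST to a PHP file, aggregated as "count client path".
php_post_hits() {
    awk '$6 == "\"POST" && $9 == "200" && $7 ~ /\.php(\?|$)/ { print $1, $7 }' |
        sort | uniq -c | sort -rn
}

# Narrowed to the backdoor pattern seen above: the PHP file sits in a directory
# that should only hold static content (assumed list), or the client sends
# neither Referer nor User-Agent, which a browser practically never does but a
# spam tool posting to its dropper usually does.
suspicious_php_posts() {
    awk '$6 == "\"POST" && $9 == "200" && $7 ~ /\.php(\?|$)/ &&
         ($7 ~ /\/(images|img|uploads|upload|cache|tmp)\// ||
          ($11 == "\"-\"" && $12 == "\"-\"")) { print $1, $7 }' |
        sort | uniq -c | sort -rn
}

# Distinct suspicious paths, query string removed, ready to be located on disk.
suspicious_php_paths() {
    suspicious_php_posts | awk '{ sub(/\?.*/, "", $3); print $3 }' | sort -u
}

# Map the paths onto the filesystem below DOCROOT and show their mtime, so the
# drop date can be lined up with the arrival times in the mail queue.  Do not
# execute or "clean" these files in place; copy them out for analysis first.
locate_on_disk() {
    docroot="$1"
    while IFS= read -r p; do
        if [ -e "$docroot$p" ]; then
            ls -la "$docroot$p"
        else
            echo "not found: $docroot$p (already removed, or a different docroot)"
        fi
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | suspicious_php_posts
# Real use over the rotated weekly logs from the excerpt (docroot is an assumption):
#   zcat log/old/access_log_2014_w*.gz | suspicious_php_paths | locate_on_disk /var/www/web274/htdocs
```

The per-client aggregation also gives you the list of source addresses worth blocking at the firewall while the files are being removed; the 302 on wp-login.php in the sample is deliberately left out by the status filter, exactly as the text's "status 200" criterion intends.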

These files should now be located and removed as quickly as possible; Linux Malware Detect (maldet) helps with that. Keep a copy outside the document root before deleting them, so the dropper can still be analysed afterwards.

The CMS should also be brought up to date, the image/upload directory locked down (it must never be allowed to execute PHP), and the mail queue cleaned out. Clean the queue only after the scripts are gone, otherwise it simply fills up again.
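
The queue triage from step 1 and the queue cleanup mentioned here, as an added shell example that is not part of the original post. Spam runs like the one above use a fresh random local part for every message, so counting per sender address shows nothing; the functions therefore aggregate per sender domain and then select queue IDs by a sender pattern for postsuper -d -, which reads the IDs from standard input. The mailq sample is constructed after the excerpt above and contains one legitimate message so the selection can be seen to leave it alone.

```shell
# Added example: triage and selective cleanup of the Postfix queue from mailq output.
# Constructed sample of `mailq` / `postqueue -p` output, modelled on the excerpt
# above (not real queue data).  A '*' after the queue ID marks an active message,
# a '!' one that is on hold.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A19A01A7481      715 Fri Feb 21 08:07:49  deirdre_kelly@tauernresidence.at
(delivery temporarily suspended: host mailin-03.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1))
                                         gerio7769@aol.com

A324A1A7E26*     699 Sat Feb 22 06:41:27  cassandra_turner@tauernresidence.at
                                         ryanshay@aol.com

AB2C4561DA6      744 Fri Feb 21 09:02:09  mollie_lester@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1))
                                         mbarney555@aol.com

B71F0100C2D!     812 Fri Feb 21 10:15:00  newsletter@example.org
                                         legit.recipient@example.com

-- 2950 Kbytes in 4 Requests.'

# One sender per queued message.  A message starts with a line whose first
# field is the hex queue ID (optionally suffixed * or !); the sender is the
# last field of that same line.  Reason and recipient lines never match.
queue_senders() {
    awk '$1 ~ /^[0-9A-F]+[*!]?$/ { print $NF }'
}

# Messages per sender domain, most frequent first.  This is the view that
# exposes a mailer script: thousands of messages, one domain, random local parts.
queue_top_sender_domains() {
    queue_senders | awk -F@ 'NF > 1 { print $NF }' | sort | uniq -c | sort -rn
}

# Queue IDs whose sender matches an extended regex, with the status marker
# stripped so that postsuper accepts them.
queue_ids_for_sender() {
    awk -v pat="$1" '$1 ~ /^[0-9A-F]+[*!]?$/ && $NF ~ pat { sub(/[*!]$/, "", $1); print $1 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_MAILQ" | queue_top_sender_domains
printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_for_sender 'tauernresidence[.]at$'
# Real use, once the backdoor is gone (otherwise the queue refills):
#   mailq | queue_top_sender_domains | head
#   mailq | queue_ids_for_sender 'tauernresidence[.]at$'                  # review the list first
#   mailq | queue_ids_for_sender 'tauernresidence[.]at$' | postsuper -d -
# postsuper -d is irreversible; postsuper -h with the same ID list puts the
# messages on hold instead, which is the reversible choice while the
# investigation is still running.
```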

Step 3: Spam sent via a user account

In the following example you can see that an authenticated login took place, sasl_username=kontakt@xxx.de, from the dynamic client 93-120-196-244.dynamic.mts-nn.ru. The password of this user must be changed as quickly as possible. Note the recipient records: done_recipient marks recipients to whom Postfix has already delivered the message, recipient those still pending, so part of this run has already left the server.

# postcat -q 5942C8948326
*** ENVELOPE RECORDS active/5942C8948326 ***
message_size:             934            1432               8               0             917
message_arrival_time: Sun Jan 19 15:50:31 2014
create_time: Sun Jan 19 15:50:31 2014
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=kontakt@xxx.de
sender: gaf@xxx.de
named_attribute: log_client_name=93-120-196-244.dynamic.mts-nn.ru
named_attribute: log_client_address=93.120.196.244
named_attribute: log_client_port=3555
named_attribute: log_message_origin=93-120-196-244.dynamic.mts-nn.ru[93.120.196.244]
named_attribute: log_helo_name=cisqyltfbn
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=93-120-196-244.dynamic.mts-nn.ru
named_attribute: reverse_client_name=93-120-196-244.dynamic.mts-nn.ru
named_attribute: client_address=93.120.196.244
named_attribute: client_port=3555
named_attribute: helo_name=cisqyltfbn
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;tomnagy91@gmail.com
original_recipient: tomnagy91@gmail.com
done_recipient: tomnagy91@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;hingkik@yahoo.com
original_recipient: hingkik@yahoo.com
recipient: hingkik@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;shaunmurray24@yahoo.com
original_recipient: shaunmurray24@yahoo.com
recipient: shaunmurray24@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;malcolmervin57@gmail.com
original_recipient: malcolmervin57@gmail.com
done_recipient: malcolmervin57@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;blondie@yahoo.com
original_recipient: blondie@yahoo.com
recipient: blondie@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;o.ne...112.23.3.44.5566@gmail.com
original_recipient: o.ne...112.23.3.44.5566@gmail.com
done_recipient: o.ne...112.23.3.44.5566@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;ramanadxn@gmail.com
original_recipient: ramanadxn@gmail.com
done_recipient: ramanadxn@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;rich_miracle@rediffmail.com
original_recipient: rich_miracle@rediffmail.com
recipient: rich_miracle@rediffmail.com
*** MESSAGE CONTENTS active/5942C8948326 ***
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from cisqyltfbn (93-120-196-244.dynamic.mts-nn.ru [93.120.196.244])
        (Authenticated sender: kontakt@xxx.de)
        by xxx.xxx.de (Postfix) with ESMTPA id 5942C8948326;
        Sun, 19 Jan 2014 15:50:31 +0100 (CET)
Subject:
Date: Sun, 19 Jan 2014 15:36:27 -0700
From: "ny fyha" <gaf@xxx.de>
To: <tomnagy91@gmail.com>, <hingkik@yahoo.com>, <shaunmurray24@yahoo.com>, <malcolmervin57@gmail.com>, <blondie@yahoo.com>, <o.ne...112.23.3.44.5566@gmail.com>, <ramanadxn@gmail.com>, <rich_miracle@rediffmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-5
Dominion
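
As an added example that is not part of the original post: the same check against the Postfix log, which is the right place to see how widely the account kontakt@xxx.de is being abused and whether other accounts are affected. The smtpd lines are constructed in Postfix's standard "client=..., sasl_method=..., sasl_username=..." format; the host names, the second account and the log path /var/log/mail.log are assumptions. A password stolen for spamming is typically used from many unrelated client addresses within a short time, so the functions count distinct client IPs per account.

```shell
# Added example: find SASL accounts abused for spam from Postfix smtpd log lines.
# Constructed sample lines (not real log data); the first one mirrors the
# postcat output above.
SAMPLE_MAIL_LOG='Jan 19 15:50:31 mx postfix/smtpd[2231]: 5942C8948326: client=93-120-196-244.dynamic.mts-nn.ru[93.120.196.244], sasl_method=LOGIN, sasl_username=kontakt@xxx.de
Jan 19 15:50:40 mx postfix/smtpd[2231]: 6A01C8948330: client=93-120-196-244.dynamic.mts-nn.ru[93.120.196.244], sasl_method=LOGIN, sasl_username=kontakt@xxx.de
Jan 19 15:51:02 mx postfix/smtpd[2240]: 7B2DC8948341: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=kontakt@xxx.de
Jan 19 15:51:15 mx postfix/smtpd[2240]: 7C4EC8948355: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=kontakt@xxx.de
Jan 19 15:52:00 mx postfix/smtpd[2251]: 8D5FC8948360: client=unknown[192.0.2.15], sasl_method=LOGIN, sasl_username=kontakt@xxx.de
Jan 19 16:10:11 mx postfix/smtpd[2260]: 9E60C8948377: client=home.example.net[198.51.100.200], sasl_method=PLAIN, sasl_username=buchhaltung@xxx.de
Jan 19 16:12:30 mx postfix/smtpd[2262]: A1F1C8948380: client=home.example.net[198.51.100.200], sasl_method=PLAIN, sasl_username=buchhaltung@xxx.de'

# "account client_ip" for every authenticated SMTP submission.
sasl_logins() {
    awk '/postfix\/smtpd\[.*sasl_username=/ {
        user = $0; sub(/.*sasl_username=/, "", user); sub(/[ ,].*/, "", user)
        ip = $0;   sub(/.*client=/, "", ip);          sub(/,.*/, "", ip)   # now "host[ip]"
        sub(/.*\[/, "", ip); sub(/\]$/, "", ip)
        print user, ip
    }'
}

# Distinct client IPs per account, most first.  One mailbox seen from one or
# two addresses is normal; one mailbox seen from a dozen unrelated networks
# within an hour is a stolen password being used by a botnet.
sasl_accounts_by_distinct_ips() {
    sasl_logins | sort -u | awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Accounts at or above a distinct-IP threshold (default 3): reset these
# passwords first.
sasl_suspect_accounts() {
    sasl_accounts_by_distinct_ips | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# Every client IP seen for one account, for firewall rules or abuse reports.
sasl_client_ips_for() {
    sasl_logins | awk -v u="$1" '$1 == u { print $2 }' | sort -u
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_MAIL_LOG" | sasl_accounts_by_distinct_ips
# Real use (the log path is Debian's default and an assumption here):
#   grep sasl_username= /var/log/mail.log | sasl_suspect_accounts 3
#   grep sasl_username= /var/log/mail.log | sasl_client_ips_for kontakt@xxx.de
```

Changing the password stops new submissions, but messages already accepted remain in the queue; the queue-ID selection from step 2 works here too, keyed on the envelope sender the account was abused with.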

Dominion

Linux system administrator
