1. SH Avatar SH
  2. Untitled project
  3. MailServer
  4. Issues

Zero day exploit?

Issue #463 closed
Alex created an issue

I recently set up a mail server that would eventually be a production system. It was a pretty typical configuration, nothing special. However, today I've got some kind of spammer that seems to be sending spam through my mail server.

Delivery logs show something like the following,

2018-10-16T01:39:18.033Z [A973F0AE-42F8-4C02-805B-E2EAF2441228.1] 127.0.0.1:43652%Unknown () <july-84@cryptpool.eu> -> <info@roofural.ru> - [1.9][<a28533606b406a62fefb4de104a08eaa040d6c@cryptpool.eu>] 250 Message Queued (A973F0AE-42F8-4C02-805B-E2EAF2441228.1)
2018-10-16T01:39:18.180Z [36D41AE9-05EE-432D-A9CD-8845883F115E.1] 127.0.0.1:43658%Unknown () <vflot@fux0r.eu> -> <ssp-vrn@1-ssp.com> - [1.9][<2277c19299b29891ddd86ec22783ad8ad34c98@fux0r.eu>] 250 Message Queued (36D41AE9-05EE-432D-A9CD-8845883F115E.1)
2018-10-16T01:39:18.194Z [E8327B09-FD45-4793-931F-8C5119A7479B.1] 127.0.0.1:43660%Unknown () <deka-nati@pbgolv.se> -> <info@bukh-consultant.ru> - [1.9][<86e2efc7cce732c1e21d1b484397ae2205dfc0cb11@pbgolv.se>] 250 Message Queued (E8327B09-FD45-4793-931F-8C5119A7479B.1)

Any ideas?

Comments (5)

  1. SH repo owner

    Connections are from "127.0.0.1" which is implicitly relayed - are you doing some form of DNAT or manipulation with IPs? Are you using stock poste image?

    Also please inspect container if there is some strange process running. I can do inspection for you if you send me login info to info@poste.io

  2. Alex reporter

    So, I made the following change to my docker-compose.yml,

        ports:
      - target: 25
        published: 25
        protocol: tcp
        mode: host
      - target: 110
        published: 110
        protocol: tcp
        mode: host
      - target: 143
        published: 143
        protocol: tcp
        mode: host
      - target: 465
        published: 465
        protocol: tcp
        mode: host
      - target: 587
        published: 587
        protocol: tcp
        mode: host
      - target: 993
        published: 993
        protocol: tcp
        mode: host
      - target: 995
        published: 995
        protocol: tcp
        mode: host

    As soon as I bring up the container, I start seeing statistics explode. Now with the port change, I seem to be seeing actual IPs in the logs. See attachment.

  5. SH repo owner

    Ok I am closing now.

    For cleaning queue you can stop container and delete all files at queue/smtp/*

  6. Log in to comment
Assignee
Type
bug
Priority
blocker
Status
closed
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!