Zero day exploit?

Issue #463 closed
Alex created an issue

I recently set up a mail server that would eventually be a production system. It was a pretty typical configuration, nothing special. However, today I've got some kind of spammer that seems to be sending spam through my mail server.

Delivery logs show something like the following:

2018-10-16T01:39:18.033Z [A973F0AE-42F8-4C02-805B-E2EAF2441228.1] 127.0.0.1:43652%Unknown () <july-84@cryptpool.eu> -> <info@roofural.ru> - [1.9][<a28533606b406a62fefb4de104a08eaa040d6c@cryptpool.eu>] 250 Message Queued (A973F0AE-42F8-4C02-805B-E2EAF2441228.1)
2018-10-16T01:39:18.180Z [36D41AE9-05EE-432D-A9CD-8845883F115E.1] 127.0.0.1:43658%Unknown () <vflot@fux0r.eu> -> <ssp-vrn@1-ssp.com> - [1.9][<2277c19299b29891ddd86ec22783ad8ad34c98@fux0r.eu>] 250 Message Queued (36D41AE9-05EE-432D-A9CD-8845883F115E.1)
2018-10-16T01:39:18.194Z [E8327B09-FD45-4793-931F-8C5119A7479B.1] 127.0.0.1:43660%Unknown () <deka-nati@pbgolv.se> -> <info@bukh-consultant.ru> - [1.9][<86e2efc7cce732c1e21d1b484397ae2205dfc0cb11@pbgolv.se>] 250 Message Queued (E8327B09-FD45-4793-931F-8C5119A7479B.1)

Any ideas?

Comments (5)

  1. SH repo owner

    Connections are from "127.0.0.1", which is implicitly relayed. Are you doing some form of DNAT or manipulation of IPs? Are you using the stock poste image?

    Also, please inspect the container to see if there is some strange process running. I can do an inspection for you if you send me login info to info@poste.io

  2. Alex reporter

    So, I made the following change to my docker-compose.yml,

        ports:
          - target: 25
            published: 25
            protocol: tcp
            mode: host
          - target: 110
            published: 110
            protocol: tcp
            mode: host
          - target: 143
            published: 143
            protocol: tcp
            mode: host
          - target: 465
            published: 465
            protocol: tcp
            mode: host
          - target: 587
            published: 587
            protocol: tcp
            mode: host
          - target: 993
            published: 993
            protocol: tcp
            mode: host
          - target: 995
            published: 995
            protocol: tcp
            mode: host
    

    As soon as I bring up the container, I start seeing statistics explode. Now with the port change, I seem to be seeing actual IPs in the logs. See attachment.

  3. SH repo owner

    Ok, I am closing now.

    To clean the queue you can stop the container and delete all files at queue/smtp/*
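The owner's observation above, that connections arriving as "127.0.0.1" are treated as local and implicitly relayed, can be turned into a log check that would have caught this traffic on day one. The following is an added example, not code from poste.io or from anyone in this thread; it assumes the delivery-log layout shown in the report (that the token after `%` is the client name and the parentheses hold the authenticated user, both assumptions), uses constructed sample lines, and flags accepted messages from an unauthenticated loopback client to a domain the server is not authoritative for.

```python
import re
from ipaddress import ip_address

# Pattern for the delivery-log layout in the report. Assumption: the token after
# '%' is the resolved client name and the parentheses carry the authenticated user.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) \[(?P<qid>[^\]]+)\] '
    r'(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)%(?P<host>\S+) \((?P<auth>[^)]*)\) '
    r'<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)> - .*?(?P<status>\d{3}) (?P<msg>.*)$'
)

# Constructed: the domains this server accepts inbound mail for.
LOCAL_DOMAINS = {"example.com"}

def parse_line(line):
    """Return the fields of one delivery-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious_relay(rec):
    """True when an unauthenticated loopback client got an outbound message accepted.

    Inbound mail to a local domain and authenticated submission are both normal;
    loopback + no auth + foreign recipient + 2xx status is the open-relay signature
    produced when the Docker port proxy hides the real client address.
    """
    rcpt_domain = rec["rcpt"].rpartition("@")[2].lower()
    return (ip_address(rec["ip"]).is_loopback
            and rec["auth"] == ""
            and rcpt_domain not in LOCAL_DOMAINS
            and rec["status"].startswith("2"))

def scan(lines):
    """Return the queue ids of accepted messages that look like loopback relay abuse."""
    return [rec["qid"] for rec in map(parse_line, lines)
            if rec and is_suspicious_relay(rec)]

# Constructed sample lines in the same layout as the report's log excerpt.
SAMPLE = [
    # unauthenticated loopback client relaying outbound: flagged
    "2018-10-16T01:39:18.033Z [Q1.1] 127.0.0.1:43652%Unknown () <spam@sender.invalid> -> <victim@other.invalid> - [1.9][<m1@sender.invalid>] 250 Message Queued (Q1.1)",
    # loopback client delivering to a local mailbox: ordinary inbound mail
    "2018-10-16T01:39:19.001Z [Q2.1] 127.0.0.1:43660%Unknown () <friend@other.invalid> -> <bob@example.com> - [1.9][<m2@other.invalid>] 250 Message Queued (Q2.1)",
    # authenticated user submitting from a real address: ordinary submission
    "2018-10-16T01:39:20.500Z [Q3.1] 203.0.113.5:51000%client.invalid (bob@example.com) <bob@example.com> -> <friend@other.invalid> - [1.9][<m3@example.com>] 250 Message Queued (Q3.1)",
    # relay attempt that was rejected: nothing was accepted, so not flagged
    "2018-10-16T01:39:21.700Z [Q4.1] 127.0.0.1:43670%Unknown () <spam@sender.invalid> -> <victim@other.invalid> - [1.9][<m4@sender.invalid>] 554 Relay access denied (Q4.1)",
]

if __name__ == "__main__":
    print("suspicious queue ids:", scan(SAMPLE))
```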
