1

Topic: Can not determine how spammer is using an account

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes, v2.1.3 (MySQL)

I have two accounts that are sending thousands of spam emails a day.

I have throttled them to 100/day for now.

When I look in the dovecot.log file, there is no record of them logging in when the spam is sent.

I checked the user's .Sent folder, and the email is not there.

Any thoughts where to look?


2

Re: Can not determine how spammer is using an account

SteveInAkron wrote:

When I look in the dovecot.log file, there is no record of them logging in when the spam is sent.

Sending email via the SMTP protocol doesn't require IMAP access.

SteveInAkron wrote:

I checked the user's .Sent folder, and the email is not there.

Copying sent email to the '.Sent' folder is what your MUA (IMAP client) usually does; it is not part of the SMTP protocol.

According to your description, it seems this spammer is sending email directly via the SMTP protocol (e.g. with a Python script). Please check the Postfix log file and search for 'sasl_username=<email>' to see whether this sender performs SASL authentication to send email. If so, resetting its password should fix this issue.

We have a small shell script, 'find_top_sasl_usernames.sh', that can help a little. It gets all SASL usernames from the Postfix log file, then sorts them. You can find it here:
https://bitbucket.org/zhb/iredmail/src/ … ail/tools/

3

Re: Can not determine how spammer is using an account

There are a lot of different IP addresses using sasl_username=<email> authentication. I think this is the same guy that attacked my server a few weeks ago. He must have gotten in a few addresses. I've contacted the user to change their passwords.

cat mail.log | grep "sasl_username=<email>" | grep -o -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq | wc -l

gives me 163 IP addresses being used on one of the accounts. Going to feed them to fail2ban now.
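The two checks discussed in this thread (counting SASL usernames in the Postfix log, as the iRedMail script does, and counting distinct client IPs per authenticated account, as the one-liner above does) combined into one stand-alone script. This is an added example written for this page, not iRedMail's own find_top_sasl_usernames.sh; the function names are my own, and the log lines embedded in SAMPLE_LOG are constructed (RFC 5737 documentation addresses), not taken from a real server. A third function flags any account seen authenticating from more distinct IPs than a chosen threshold, which is the pattern that gave the 163-IP result above.

```shell
#!/bin/sh
# Added example: triage SASL-authenticated submissions in a Postfix log.
# SAMPLE_LOG below is constructed test data in Postfix smtpd log format.
# Real use: feed /var/log/mail.log on stdin instead of the sample.

SAMPLE_LOG=$(cat <<'EOF'
Jan 12 10:01:02 mail postfix/smtpd[1234]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 10:01:09 mail postfix/smtpd[1234]: 1A2B3C4D5F: client=unknown[203.0.113.6], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 10:01:15 mail postfix/smtpd[1235]: 1A2B3C4D60: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 10:02:00 mail postfix/smtpd[1236]: 1A2B3C4D61: client=laptop.example.net[198.51.100.20], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 10:02:30 mail postfix/smtpd[1237]: 1A2B3C4D62: client=unknown[198.51.100.21], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 10:03:00 mail postfix/smtpd[1238]: 1A2B3C4D63: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 10:03:05 mail postfix/smtpd[1239]: connect from unknown[192.0.2.9]
EOF
)

# Authenticated submissions per sasl_username, most frequent first.
# Output lines look like "      4 alice@example.com" (uniq -c format).
# Usage: top_sasl_usernames < mail.log
top_sasl_usernames() {
    grep -o 'sasl_username=[^, ]*' | cut -d= -f2 | sort | uniq -c | sort -rn
}

# Number of distinct client IPs that authenticated as the given username.
# The username is anchored on a following comma, space or end of line so
# that alice@example.com does not also match alice@example.com.evil.
# Usage: distinct_ips_for_user user@example.com < mail.log
distinct_ips_for_user() {
    grep -E "sasl_username=$1([, ]|\$)" \
      | grep -o -E 'client=[^[]*\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]' \
      | grep -o -E '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
      | sort -u | wc -l | tr -d ' '
}

# Print "count username" for every account that authenticated from more
# than $1 distinct client IPs. A legitimate user on a phone and a laptop
# has a handful; a compromised account hit from a botnet has far more.
# Usage: flag_users_over_threshold 10 < mail.log
flag_users_over_threshold() {
    grep -o -E 'client=[^[]*\[[0-9.]+\].*sasl_username=[^, ]*' \
      | sed -E 's/.*\[([0-9.]+)\].*sasl_username=([^, ]*).*/\2 \1/' \
      | sort -u | cut -d' ' -f1 | uniq -c \
      | awk -v n="$1" '$1 > n {print $1, $2}'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_sasl_usernames
printf 'distinct IPs for alice@example.com: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | distinct_ips_for_user alice@example.com)"
printf 'accounts over 2 distinct IPs:\n'
printf '%s\n' "$SAMPLE_LOG" | flag_users_over_threshold 2
```

On a real server run it as `sh triage.sh < /var/log/mail.log` (or pipe several rotated logs through `zcat`/`cat`). The threshold function is the one worth scheduling: a password reset for the flagged account, as suggested above, stops the abuse, while blocking the individual IPs only removes the current set of clients.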