Concerned about a server compromise

Postby Marc » Sat Feb 20, 2010 7:05 pm

Sat, 20 Feb 2010 08:35:17 -> Failed: Action=[SMTP Transfer], Details=[Domain=hotmail.com, Host=mx1.hotmail.com:25, IP=65.55.92.184: Transaction rejected with: 550 SC-002 Mail rejected by Windows Live Hotmail for policy reasons. The mail server IP connecting to Windows Live Hotmail has exhibited namespace mining behavior. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support]

I have got loads of these on our outmail logs. I have just upped the logging to debug so I hope I can trap the cause soon.

I have SMTP Authentication enabled.

Any other suggestions of things to try? I am hoping the outmail log will perhaps highlight if it's one of the accounts.

Thanks Marc
Marc
 
Posts: 25
Joined: Tue Sep 18, 2007 9:57 pm

Re: Concerned about a server compromise

Postby Marc » Sat Feb 20, 2010 8:30 pm

Sat, 20 Feb 2010 19:04:27 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=209.85.220.42: QUIT]
Sat, 20 Feb 2010 19:04:27 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=209.85.220.42: 221 2.0.0 closing connection 2si3210686fxm.9]
Sat, 20 Feb 2010 19:07:25 -> Success: Action=[Process Mail], Details=[1 KB: Start transfer.]
Sat, 20 Feb 2010 19:07:25 -> Success: Action=[Detect DNS's], Details=[Found 2 entries.]
Sat, 20 Feb 2010 19:07:25 -> Success: Action=[MX Lookup], Details=[DNS=Using automatically detected DNS's, Domain=moyakvartira.ru: Found 1 records]
Sat, 20 Feb 2010 19:07:25 -> Success: Action=[Process Mail], Details=[3 KB: Start transfer.]
Sat, 20 Feb 2010 19:07:25 -> Success: Action=[Detect DNS's], Details=[Found 2 entries.]
Sat, 20 Feb 2010 19:07:25 -> Success: Action=[MX Lookup], Details=[DNS=Using automatically detected DNS's, Domain=hotmail.com: Found 4 records]
Sat, 20 Feb 2010 19:07:25 -> Success: Action=[SMTP Transfer], Details=[Domain=moyakvartira.ru, Host=mail.moyakvartira.ru:25, IP=89.108.74.47: Connection accepted.]
Sat, 20 Feb 2010 19:07:25 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 220 prospect2010.ru ESMTP Postfix]
Sat, 20 Feb 2010 19:07:25 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=89.108.74.47: EHLO tingleweb.co.uk]
Sat, 20 Feb 2010 19:07:25 -> Success: Action=[Process Mail], Details=[1 KB: Start transfer.]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250-prospect2010.ru]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250-PIPELINING]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250-SIZE 10240000]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250-VRFY]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250-ETRN]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250-STARTTLS]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250-ENHANCEDSTATUSCODES]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250-8BITMIME]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250 DSN]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=89.108.74.47: MAIL FROM:<>]
Sat, 20 Feb 2010 19:07:26 -> Success: Action=[Detect DNS's], Details=[Found 2 entries.]
Sat, 20 Feb 2010 19:07:26 -> Success: Action=[MX Lookup], Details=[DNS=Using automatically detected DNS's, Domain=aol.com: Found 4 records]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250 2.1.0 Ok]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=89.108.74.47: RCPT TO:<arithmeticalb28@moyakvartira.ru>]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 550 5.1.1 <arithmeticalb28@moyakvartira.ru>: Recipient address rejected: User unknown in virtual mailbox table]
Marc
 
Posts: 25
Joined: Tue Sep 18, 2007 9:57 pm
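One way to triage a debug log in the format posted above, as an added example that is not part of the original thread or the mail server's own tooling: it parses the "Action=[...], Details=[IP=...: ...]" lines, pairs each RCPT TO with the reply it receives, counts envelopes sent with a null sender (MAIL FROM:<>, which is what a bounce looks like), and flags destination domains where most recipients come back as unknown, the pattern that the Hotmail 550 SC-002 reply calls namespace mining. The sample lines are constructed from the thread; the 192.0.2.10 transaction and its addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the outmail debug log posted above (second transaction is a placeholder)
SAMPLE_LOG = """\
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=89.108.74.47: MAIL FROM:<>]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 250 2.1.0 Ok]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=89.108.74.47: RCPT TO:<arithmeticalb28@moyakvartira.ru>]
Sat, 20 Feb 2010 19:07:26 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 550 5.1.1 <arithmeticalb28@moyakvartira.ru>: Recipient address rejected: User unknown in virtual mailbox table]
Sat, 20 Feb 2010 19:07:27 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=89.108.74.47: RCPT TO:<bogus99@moyakvartira.ru>]
Sat, 20 Feb 2010 19:07:27 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=89.108.74.47: 550 5.1.1 <bogus99@moyakvartira.ru>: Recipient address rejected: User unknown in virtual mailbox table]
Sat, 20 Feb 2010 19:07:30 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=192.0.2.10: MAIL FROM:<user@tingleweb.co.uk>]
Sat, 20 Feb 2010 19:07:30 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=192.0.2.10: RCPT TO:<partner@example.com>]
Sat, 20 Feb 2010 19:07:30 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=192.0.2.10: 250 2.1.5 Ok]
"""
LINE_RE = re.compile(r"^(?P<ts>[^-]+?) -> (?:\*\*\*DEBUG\*\*\* -> )?(?P<status>\w+): "
                     r"Action=\[(?P<action>[^\]]+)\], Details=\[(?P<details>.*)\]$")
IP_RE = re.compile(r"^IP=(?P<ip>[\d.]+): (?P<payload>.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")

def parse_line(line):
    # Returns ts/status/action/details/ip/payload for a remote-IP line, else None (MX lookups etc. are skipped)
    m = LINE_RE.match(line.strip())
    p = IP_RE.match(m.group("details")) if m else None
    return {**m.groupdict(), **p.groupdict()} if p else None

def summarise_outbound(lines):
    """Per recipient domain: RCPT attempts, 5xx replies to RCPT, and RCPTs sent with a null sender (bounces)."""
    stats = defaultdict(lambda: {"rcpt": 0, "rejected": 0, "null_sender": 0})
    mail_from, pending = {}, {}   # remote IP -> envelope sender / domain awaiting its RCPT reply
    for rec in filter(None, map(parse_line, lines)):
        ip, payload = rec["ip"], rec["payload"]
        if rec["action"] == "Send Command" and payload.startswith("MAIL FROM:"):
            mail_from[ip] = ADDR_RE.search(payload).group(1)
        elif rec["action"] == "Send Command" and payload.startswith("RCPT TO:"):
            domain = ADDR_RE.search(payload).group(1).rpartition("@")[2].lower()
            pending[ip] = domain
            stats[domain]["rcpt"] += 1
            stats[domain]["null_sender"] += int(mail_from.get(ip) == "")
        elif rec["action"] == "Recv Response" and ip in pending:
            # The next reply from that IP after RCPT TO is the verdict on that recipient
            stats[pending.pop(ip)]["rejected"] += int(payload.startswith("5"))
    return dict(stats)

def suspicious_domains(stats, min_rcpt=2, reject_ratio=0.5):
    """Domains where most recipients were unknown: many of these is what the Hotmail SC-002 reply describes."""
    return sorted(d for d, s in stats.items()
                  if s["rcpt"] >= min_rcpt and s["rejected"] / s["rcpt"] >= reject_ratio)
```

Running `suspicious_domains(summarise_outbound(SAMPLE_LOG.splitlines()))` on the sample flags moyakvartira.ru, where both recipients were rejected and both envelopes had a null sender; on a real outmail log, the null_sender count tells you whether the server is bouncing spam to forged senders rather than sending it directly.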

Re: Concerned about a server compromise

Postby rob » Mon Feb 22, 2010 8:33 am

If you are getting that response from the hotmail/live servers then it's possible a wave of SPAM from your mail server has attacked those servers. I would recommend checking that your SMTP is locked down with SMTP authentication relay permission enabled. Also, to reduce the impact of any leaked username/passwords of some of your users, it is wise to enable the daily sending limits in both the groups and SMTP service settings.

The next step is then to investigate the SMTP logs to find out where these potential SPAMs may be coming from and how they are getting into your system. One common cause is that POP Before SMTP can create a tunnel through which SPAM can slip, and so if it's not required, I would recommend disabling that option. Also, WebMail can be abused by bots should a username/password be leaked (group sending limits will cap any damage from this too).
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: Concerned about a server compromise

Postby Marc » Mon Feb 22, 2010 12:16 pm

Hi Rob,

Thanks for the info.

SMTP authentication is already set up. However, I found a user that has their email forwarded, that had no password set. I have resolved that.
POP before SMTP is not ticked. So that could have been a possible webmail leak.

Also another user gets loads of SPAM and he has his email forwarded to his hotmail account, so that may not have helped. I have stopped that also.

I have been told also to update the HELO to a FQDN. I have an FQDN to use, do I put that in the General - Primary Domain setting?

Thanks Marc
Marc
 
Posts: 25
Joined: Tue Sep 18, 2007 9:57 pm

Re: Concerned about a server compromise

Postby rob » Wed Feb 24, 2010 7:59 am

Sounds like you're clamping down on the cause with what you say, as those few problems could indeed be a genuine cause. The primary domain is indeed the place to change the HELO/EHLO domain. Good luck and hopefully your problem has been resolved.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm
