Comments on: Plesk – How to debug spam problems http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/ linux + ruby on rails = love Mon, 01 Feb 2010 23:36:48 +0200 http://wordpress.org/?v=2.8.4 hourly 1 By: me http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/comment-page-1/#comment-222 me Wed, 26 Aug 2009 13:31:35 +0000 http://www.cherpec.com/?p=14#comment-222 This blog helped me a lot. Thank you all. My way: 1. use the open source 'iptraf' program to get spammer's ip. This only works if the spamming is still going on. 2. use 'tcpdump' to get a log file. This file can have binary code (like Daniel Valdes said). 3. use 'wireshark' to open the log file made by 'tcpdump'. 4. you can now study the logfile and see all packages and their details. 5. this will give you a hint about what's going on... (in my case it was an insecure php script). 6. delete the buggar (the php script, in my case) and use 'qmail-remove' or, even better, 'qmhandle' (which is a clever script that doesn't need install) to delete the qmail queue. 7. good luck 8. and always install all trusted software secury upgrades :-) This blog helped me a lot. Thank you all.
My way:
1. use the open source ‘iptraf’ program to get spammer’s ip. This only works if the spamming is still going on.
2. use ‘tcpdump’ to get a log file. This file can have binary code (like Daniel Valdes said).
3. use ‘wireshark’ to open the log file made by ‘tcpdump’.
4. you can now study the logfile and see all packages and their details.
5. this will give you a hint about what’s going on…
(in my case it was an insecure php script).
6. delete the buggar (the php script, in my case) and use ‘qmail-remove’ or, even better, ‘qmhandle’ (which is a clever script that doesn’t need install) to delete the qmail queue.
7. good luck
8. and always install all trusted software secury upgrades :-)

]]> By: Vitalie Cherpec http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/comment-page-1/#comment-208 Vitalie Cherpec Tue, 21 Jul 2009 08:25:16 +0000 http://www.cherpec.com/?p=14#comment-208 You can use <a href="http://www.wireshark.org/" rel="nofollow">Wireshark</a> to inspect your tcpdump file. You can use Wireshark to inspect your tcpdump file.

]]> By: Daniel Valdes http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/comment-page-1/#comment-207 Daniel Valdes Tue, 21 Jul 2009 01:32:43 +0000 http://www.cherpec.com/?p=14#comment-207 I didn't find any accounts because I can't see the binary information. How can I see the file in ASCII or save it in ASCII? I tried -A but it didn't work. Please, some guy is really giving me a hard time spamming with my server. I didn’t find any accounts because I can’t see the binary information.
How can I see the file in ASCII or save it in ASCII? I tried -A but it didn’t work.
Please, some guy is really giving me a hard time spamming with my server.

]]> By: Vitalie Cherpec http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/comment-page-1/#comment-201 Vitalie Cherpec Mon, 13 Jul 2009 19:20:11 +0000 http://www.cherpec.com/?p=14#comment-201 If you found the mail accounts with problems then go ahead, change the passwords and see what happens. If you had weak passwords then the problem should be fixed. If you found the mail accounts with problems then go ahead, change the passwords and see what happens. If you had weak passwords then the problem should be fixed.

]]> By: Daniel Valdes http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/comment-page-1/#comment-199 Daniel Valdes Thu, 09 Jul 2009 17:08:55 +0000 http://www.cherpec.com/?p=14#comment-199 I tried and I see the binary info too. The problem is that it's the user and password part: 250-AUTH=LOGIN CRAM-MD5 PLAIN 250-AUTH LOGIN CRAM-MD5 PLAIN 250-STARTTLS 250-PIPELINING 250 8BITMIME ^^VJ"^K^@>^@^@^@>^@^@^@^@^@^L^G^B^@^V^W^@E^@^@$@^@@^FJPE@Nv^@^Y^Ne\CWIP^X^V^C7^@^@250 ok ^^VJ+^K^@V^@^@^@V^@^@^@^@^V^WC^@^Y^C^@E^@^@H?@^@m^FkvE@N^L^@^Y(g P^X^\s^B^@^@RCPT TO: ^^VJ]h^K^@<^@^@^@<^@^@^@^@^V^WC^@^Y^C^@E^@^@(?@^@m^FvE@N^N^\^@^Y]7ȴ?P^PF^@^@^@^@^@^@^@^@^^VJ{^K^@> ^@^@^@>^@^@^@^@^@^L^G^B^@^V^W^@E^@^@0Y@^@@^F^ZE@Nv^@^Y^Lg (P^X^V͒^@^@250 ok I tried and I see the binary info too.
The problem is that it’s the user and password part:

250-AUTH=LOGIN CRAM-MD5 PLAIN
250-AUTH LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
^^VJ”^K^@>^@^@^@>^@^@^@^@^@^L^G^B^@^V^W^@E^@^@$@^@@^FJPE@Nv^@^Y^Ne\CWIP^X^V^C7^@^@250 ok
^^VJ+^K^@V^@^@^@V^@^@^@^@^V^WC^@^Y^C^@E^@^@H?@^@m^FkvE@N^L^@^Y(g
P^X^\s^B^@^@RCPT TO:
^^VJ]h^K^@<^@^@^@<^@^@^@^@^V^WC^@^Y^C^@E^@^@(?@^@m^FvE@N^N^\^@^Y]7ȴ?P^PF^@^@^@^@^@^@^@^@^^VJ{^K^@>
^@^@^@>^@^@^@^@^@^L^G^B^@^V^W^@E^@^@0Y@^@@^F^ZE@Nv^@^Y^Lg
(P^X^V͒^@^@250 ok

]]> By: Vitalie Cherpec http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/comment-page-1/#comment-42 Vitalie Cherpec Mon, 19 Jan 2009 18:42:04 +0000 http://www.cherpec.com/?p=14#comment-42 Reading logs and sniffing traffic are both useful :), when the spam is sent by exploiting insecure php scripts (the most common case) you'll not see too much information in the log files. Regarding brute force attacks, password strength verification should be enabled in Plesk as users tends to use weak passwords (Server->Mail->Preferences->Check the passwords for mailboxes in the dictionary). Another recommendation is "Only use of full POP3/IMAP mail accounts names is allowed" as it will slow down brute force attacks because they should guess the domain too. Reading logs and sniffing traffic are both useful :) , when the spam is sent by exploiting insecure php scripts (the most common case) you’ll not see too much information in the log files.

Regarding brute force attacks, password strength verification should be enabled in Plesk as users tends to use weak passwords (Server->Mail->Preferences->Check the passwords for mailboxes in the dictionary).

Another recommendation is “Only use of full POP3/IMAP mail accounts names is allowed” as it will slow down brute force attacks because they should guess the domain too.

]]> By: MaoP http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/comment-page-1/#comment-41 MaoP Mon, 19 Jan 2009 17:51:52 +0000 http://www.cherpec.com/?p=14#comment-41 I think is better to analize logs instead sniffing network traffic, what if the spammer has stopped sending mail? we (at work) parse our logs looking for smtp_auth's strings, so we got thouse used a lot of times in a short period, later we use this query: $ mysql -uadmin -pPASSWORD psa -e "select mail.mail_name, accounts.password from mail,accounts where mail.account_id=accounts.id and mail.dom_id=(select id from domains where name like 'DOMAIN_OF_SMTP_AUTH');" and 99% of the cases $DOMAIN_OF_SMTP_AUTH has weak passwords and are used for spamming. currently i'm working in identify smtp_auth's brute force attack, do you have some knowledge about it? great blog! =) kind regards. I think is better to analize logs instead sniffing network traffic, what if the spammer has stopped sending mail?

we (at work) parse our logs looking for smtp_auth’s strings, so we got thouse used a lot of times in a short period, later we use this query:

$ mysql -uadmin -pPASSWORD psa -e “select mail.mail_name, accounts.password from mail,accounts where mail.account_id=accounts.id and mail.dom_id=(select id from domains where name like ‘DOMAIN_OF_SMTP_AUTH’);”

and 99% of the cases $DOMAIN_OF_SMTP_AUTH has weak passwords and are used for spamming.

currently i’m working in identify smtp_auth’s brute force attack, do you have some knowledge about it?

great blog! =)

kind regards.

]]> By: L2Machine » Useful links: 12/2008 http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/comment-page-1/#comment-33 L2Machine » Useful links: 12/2008 Wed, 24 Dec 2008 14:36:33 +0000 http://www.cherpec.com/?p=14#comment-33 [...] Debug Plesk Spam Problems? [...] [...] Debug Plesk Spam Problems? [...]

]]> By: admin http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/comment-page-1/#comment-16 admin Wed, 17 Sep 2008 10:40:51 +0000 http://www.cherpec.com/?p=14#comment-16 You don't need the binary data, just look at the smtp conversation to find what's happening there. Regarding second problem, maybe you are missing MIME::Base64 module, install it with: perl -MCPAN -e 'install MIME::Base64' You don’t need the binary data, just look at the smtp conversation to find what’s happening there.

Regarding second problem, maybe you are missing MIME::Base64 module, install it with:

perl -MCPAN -e ‘install MIME::Base64′

]]> By: Ehab http://www.cherpec.com/2008/07/plesk-howto-debug-spam-problems/comment-page-1/#comment-15 Ehab Wed, 17 Sep 2008 00:16:59 +0000 http://www.cherpec.com/?p=14#comment-15 When i do the TCP dump the file contains a lot of binary data. less does not filter it, and wireshark is not compatible with it. also i tried to decode on two separate linuxes with the perl libraries installed and both do not give a result even to thee examples you gave. When i do the TCP dump the file contains a lot of binary data. less does not filter it, and wireshark is not compatible with it.

also i tried to decode on two separate linuxes with the perl libraries installed and both do not give a result even to thee examples you gave.

]]>