Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

smksa
Posts: 1
Joined: Wed Sep 29, 2010 5:56 am

Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Postby smksa » Wed Sep 29, 2010 6:20 am

Hi,

I have a situation where there are spammers on my shared hosting server using Plesk Horde webmail to send SPAM, but I'm not able to detect which email account is sending the email.

I have checked manually in the SMTP activity logs and also in C:\Program Files\Parallels\Plesk\Mail Servers\Mail Enable\Queues\SMTP\Outgoing and the "Outgoing\messages" folder, but there are no hints as to which email account has been used.

The messages look something like this:

Received: from WINDOWS8 ([127.0.0.1]) by win8.myhostingdomain.com with MailEnable ESMTP; Tue, 28 Sep 2010 23:53:40 +0800
Date: Tue, 28 Sep 2010 15:53:40 +0000
Subject: COMPLIMENT YOUR BANK DRAFT IS READY
To: car2sky@yahoo.com
From: John Obi <quadriwale@sify.com>
Reply-To: quadriwale@sify.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

<body here>


I have tried unticking "Allow relay from privileged IP ranges", but it seems the webmail is not able to send out email, as it needs the 127.0.0.1 IP to be there.

I'm willing to pay if required to purchase third-party software for this.

I would appreciate it if anybody can help with how I can detect who is sending those spam emails so I can block them.


Thank you.

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Postby MailEnable-Ben » Thu Sep 30, 2010 1:58 am

Check for this:

http://www.mailenable.com/kb/Content/Ar ... D=me020280

The usual things to search for are:

ME-I0108: Relay Granted: Sender has authenticated.

ME-I0107: Relay Granted: Sender IP (IPAddress) is within an authorized IP range.

Regards,

Product Services
MailEnable Pty Ltd

To keep track of all ME company updates and version releases you should subscribe to the MailEnable list at http://www.mailenable.com or the RSS feed http://www.mailenable.com/rss.

varidzok
Posts: 1
Joined: Tue Nov 02, 2010 9:47 pm

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Postby varidzok » Tue Nov 02, 2010 9:54 pm

Hi,

I have the same problem. The mail is probably sent through an account on the server, but I can't track it down. Nothing in the logs, except the message above: relay granted to localhost. The problem will definitely be resolved if I deny 127.0.0.1 from the relay list, but Horde will not work properly. Is there any way to change the Horde authorization (Windows/username-password) or change the IP address in the Horde configuration to send from another IP, a public address maybe?

Thanks

polarisie
Posts: 696
Joined: Mon Mar 27, 2006 2:58 pm

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Postby polarisie » Sun Nov 07, 2010 12:54 pm

varidzok wrote:
Hi,

I have the same problem. The mail is probably sent through an account on the server, but I can't track it down. Nothing in the logs, except the message above: relay granted to localhost. The problem will definitely be resolved if I deny 127.0.0.1 from the relay list, but Horde will not work properly. Is there any way to change the Horde authorization (Windows/username-password) or change the IP address in the Horde configuration to send from another IP, a public address maybe?

Thanks


We are seeing the same trend, however these are coming from MeWebmail...

Cheers

Jimboberlin
Posts: 2
Joined: Thu Sep 04, 2014 3:07 pm

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP

Postby Jimboberlin » Thu Sep 04, 2014 3:14 pm

I know this is a very old thread but I couldn't find anything more up to date on this topic.


My MailEnable logs show a few SPAM mails daily that are being sent from my internal address.

Today it was 4 mails, all with the same FROM and TO addresses and all with at least 2-3 hours between them:


09/03/14 01:27:52   SMTP-IN   9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI   728   127.0.0.1         220 mail.mydomain.de ESMTP MailEnable Service, Version: 6.0-- ready at 09/03/14 01:27:52   0   0   
09/03/14 01:27:52   SMTP-IN   9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI   728   127.0.0.1   EHLO   EHLO [46.163.69.xxx]   250-mydomain.de [127.0.0.1], this server offers 4 extensions   120   21   
09/03/14 01:27:52   SMTP-IN   9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI   728   127.0.0.1   MAIL   MAIL FROM:<service@paypal.de>   250 Requested mail action okay, completed   43   31   
09/03/14 01:27:52   SMTP-IN   9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI   728   127.0.0.1   RCPT   RCPT TO:<marcel.22578@gmx.de>   250 Requested mail action okay, completed   43   31   
09/03/14 01:27:52   SMTP-IN   9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI   728   127.0.0.1   DATA   DATA   354 Start mail input; end with <CRLF>.<CRLF>   46   6   
09/03/14 01:27:52   SMTP-IN   52CB1931AB504B59B2E2E7D65F684B81.MAI   728   127.0.0.1   QUIT   QUIT   221 Service closing transmission channel   42   6   
09/03/14 01:28:27   SMTP-OU   CD22078CE60A4D43A3DEF5E695B7115A.MAI   832   213.165.67.99   CONN      220 gmx.net (mxgmx008) Nemesis ESMTP Service ready   0   52   
09/03/14 01:28:27   SMTP-OU   CD22078CE60A4D43A3DEF5E695B7115A.MAI   832   213.165.67.99   EHLO   EHLO mail.mydomain.de   250-gmx.net Hello mail.mydomain.de [46.163.106.xxx]   20   84   
09/03/14 01:28:28   SMTP-OU   CD22078CE60A4D43A3DEF5E695B7115A.MAI   832   213.165.67.99   MAIL   MAIL FROM:<service@paypal.de> SIZE=728   250 Requested mail action okay, completed   40   43   
09/03/14 01:28:28   SMTP-OU   CD22078CE60A4D43A3DEF5E695B7115A.MAI   832   213.165.67.99   RCPT   RCPT TO:<marcel.22578@gmx.de>   250 OK   31   8   
09/03/14 01:28:28   SMTP-OU   CD22078CE60A4D43A3DEF5E695B7115A.MAI   832   213.165.67.99   DATA   DATA   354 Start mail input; end with <CRLF>.<CRLF>   6   46   
09/03/14 01:28:28   SMTP-OU   CD22078CE60A4D43A3DEF5E695B7115A.MAI   832   213.165.67.99   DATE      250 Requested mail action okay, completed: id=0M8qFQ-1XYuCF3xM4-00CEOj   739   72   
09/03/14 01:28:28   SMTP-OU   CD22078CE60A4D43A3DEF5E695B7115A.MAI   832   213.165.67.99   QUIT   QUIT   221 gmx.net Service closing transmission channel   6   50   



I have absolutely no idea where these mails are coming from. The debug log only logs "Relay Granted: Sender IP (127.0.0.1) is within an authorized IP range".

Any ideas?

MailEnable-Ian
Site Admin
Posts: 8439
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP

Postby MailEnable-Ian » Thu Sep 11, 2014 1:47 am

Hi,

It sounds like you have a script or webpage (most likely infected) under IIS that is using 127.0.0.1 to send from. You most likely have the SMTP relay option for allowing privileged IPs to relay enabled, where 127.0.0.1 is being granted relay rights. In order to stop this, remove 127.0.0.1 from the SMTP privileged IPs relay list and then configure all your web forms that require sending via the MailEnable SMTP service to authenticate. Scan the server for infections as well.
Regards,

Ian Margarone
MailEnable Support

Jimboberlin
Posts: 2
Joined: Thu Sep 04, 2014 3:07 pm

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP

Postby Jimboberlin » Fri Sep 12, 2014 4:47 pm

Thanks for the response.

Yes, I'm allowing a relay for local addresses (127.0.0.1) so I can receive status updates and info sent from Plesk on a virtual server. I wouldn't know how to configure Plesk to authenticate, so I guess disabling the local relay is not an option.

There are only a couple of testing websites hosted on the server, so I don't see how any of them could be used to send mails, but I'll double-check to make sure there is no contact form that could be used to send spam.

Is there any way to find the source (i.e. script/application) that initiated the local mail send?

So far there haven't been any more spam mails but since I didn't change the settings yet I guess it could happen again any given day.

servohost
Posts: 1
Joined: Mon May 22, 2017 2:20 pm

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Postby servohost » Mon May 22, 2017 2:50 pm

Dear All,

I do not have much knowledge about the mail setup. Since MailEnable is integrated with Plesk, it's being used to send email.

The MTA (Mail Transfer Agent) has some security loopholes. Maybe I am not right, but for me it's difficult to say the MailEnable MTA is safe, because spammers are able to generate malicious emails using my server resources. And I have received multiple complaints about unsolicited email from the respective organizations, asking me to prevent it.

Per the log, emails are generated using the 127.0.0.1 IP. I'm not sure how it's skipping user authentication and originating spam email.
Is there a way to prevent such spammers and ask them to authenticate before sending emails? Please see a couple of lines from the log below.

2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 HELO HELO+PLESK-WEB.SERVOHOST.IN 250+Requested+mail+action+okay,+completed PLESK-WEB 43 29
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 MAIL MAIL+FROM:<alegra_gallo@sainathfacilityservices.com> 250+Requested+mail+action+okay,+completed PLESK-WEB 43 54
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 RCPT RCPT+TO:<adhurim@alice.it> 503+This+mail+server+requires+authentication+when+attempting+to+send+to+a+non-local+e-mail+address.+Please+check+your+mail+client+settings+or+contact+your+administrator+to+verify+that+the+domain+or+address+is+defined+for+this+server. PLESK-WEB 235 28
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 QUIT QUIT 221+Service+closing+transmission+channel PLESK-WEB 42 6
2017-03-19 01:01:04 127.0.0.1 SMTP-IN 127.0.0.1 872 HELO HELO+PLESK-WEB.SERVOHOST.IN 250+Requested+mail+action+okay,+completed PLESK-WEB 43 29

Log from the SMTP server:

03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 220 PLESK-WEB.home ESMTP MailEnable Service, Version: 8.50-- ready at 03/20/17 00:03:04 0 0
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 HELO HELO PLESK-WEB.SERVOHOST.IN 250 Requested mail action okay, completed 43 29
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 MAIL MAIL FROM:<fausta_ricci@sainathfacilityservices.com> 250 Requested mail action okay, completed 43 54
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 RCPT RCPT TO:<vin71@live.it> 503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server. 235 25
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
03/20/17 00:03:04 SMTP-IN 869305A1C4D5431F94CD64D0BA9CC8B5.MAI 200 127.0.0.1 220 PLESK-WEB.home ESMTP MailEnable Service, Version: 8.50-- ready at 03/20/17 00:03:04 0 0
03/20/17 00:03:04 SMTP-IN 869305A1C4D5431F94CD64D0BA9CC8B5.MAI 200 127.0.0.1 HELO HELO PLESK-WEB.SERVOHOST.IN 250 Requested mail action okay, completed 43 29


Please help me out to get out of this problem. If someone has a standard procedure or guide for doing a security setup using MailEnable, that would be great.

MailEnable-Ian
Site Admin
Posts: 8439
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Postby MailEnable-Ian » Wed May 24, 2017 11:01 pm

Hi Servohost,

The log files you provided do not show any evidence of spam being relayed by your server. The logs report "503 This mail server requires authentication", which means the relay to send out is not being granted to 127.0.0.1. You need to provide log files of an outbound send (i.e. SMTP-OU) where the message has been dispatched to the remote mail server.
Regards,

Ian Margarone
MailEnable Support
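The thread ends on the distinction that matters for triage: a 127.0.0.1 session whose RCPT gets a 503 was refused and nothing left the box, while a session whose RCPT gets a 250 followed by an SMTP-OU dispatch of the same envelope is the spam run. The following script is an added example, not code from MailEnable or from anyone in the thread. It parses SMTP activity-log lines in the layout quoted above, flags privileged-IP sessions that asked to relay to a non-local recipient, classifies each as relayed or rejected, confirms dispatch by matching the envelope against SMTP-OU sessions (the inbound and outbound .MAI ids differ, as the quoted logs show, so the envelope and a time window are the join key), and then lists IIS requests that landed in the same few seconds, which is the first place to look for the infected script or open contact form. Everything in it is an assumption for illustration: the tab-separated field order (the thread's copies collapse the separators to spaces), the local domain list, the privileged-IP list, the time windows, the sample log lines and addresses, and that both logs are written in the same timezone.

```python
import re
from datetime import datetime, timedelta

# Assumptions, not taken from the thread: which domains are local to this
# server, which addresses are covered by "Allow relay from privileged IP
# ranges", and that the MailEnable and IIS logs share one timezone (IIS
# writes UTC by default, MailEnable local time; adjust before correlating).
LOCAL_DOMAINS = {"mydomain.de"}
PRIVILEGED_IPS = {"127.0.0.1"}
OUTBOUND_WINDOW = timedelta(minutes=10)  # SMTP-IN accept -> SMTP-OU dispatch
WEB_WINDOW = timedelta(seconds=5)        # web request -> SMTP-IN session
ADDR_RE = re.compile(r"<([^>]*)>")
OK = "250 Requested mail action okay, completed"
NEED_AUTH = "503 This mail server requires authentication when attempting to send to a non-local e-mail address."

def _me(when, direction, msgid, ip, verb, cmd, resp):
    """One tab-separated activity-log line: date time dir msgid conn ip verb cmd reply bytes bytes."""
    date, time = when.split()
    return "\t".join([date, time, direction, msgid, "0", ip, verb, cmd, resp, "0", "0"])

# Constructed sample, modelled on the lines quoted in the thread (no real addresses).
SAMPLE_ME_LOG = "\n".join([
    # 1: local process relays a forged "PayPal" mail to an outside mailbox, and it goes out
    _me("09/03/14 01:27:52", "SMTP-IN", "AAAA.MAI", "127.0.0.1", "MAIL", "MAIL FROM:<service@paypal.example>", OK),
    _me("09/03/14 01:27:52", "SMTP-IN", "AAAA.MAI", "127.0.0.1", "RCPT", "RCPT TO:<victim@gmx.example>", OK),
    _me("09/03/14 01:28:27", "SMTP-OU", "CCCC.MAI", "213.165.67.99", "MAIL", "MAIL FROM:<service@paypal.example> SIZE=728", OK),
    _me("09/03/14 01:28:28", "SMTP-OU", "CCCC.MAI", "213.165.67.99", "RCPT", "RCPT TO:<victim@gmx.example>", "250 OK"),
    # 2: same pattern, but relay refused with 503: nothing left the server
    _me("09/03/14 01:30:10", "SMTP-IN", "DDDD.MAI", "127.0.0.1", "MAIL", "MAIL FROM:<fausta@spammer.example>", OK),
    _me("09/03/14 01:30:10", "SMTP-IN", "DDDD.MAI", "127.0.0.1", "RCPT", "RCPT TO:<someone@live.example>", NEED_AUTH),
    # 3: Plesk status mail to a local mailbox: delivery, not relay, so not reported
    _me("09/03/14 02:00:00", "SMTP-IN", "EEEE.MAI", "127.0.0.1", "MAIL", "MAIL FROM:<plesk@mydomain.de>", OK),
    _me("09/03/14 02:00:00", "SMTP-IN", "EEEE.MAI", "127.0.0.1", "RCPT", "RCPT TO:<admin@mydomain.de>", OK),
])

# Constructed IIS W3C log; the hypothetical contact form fires one second before session 1.
SAMPLE_IIS_LOG = "\n".join([
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2014-09-03 01:27:51 46.163.106.10 POST /testsite/contact/send.php - 80 198.51.100.23 200",
    "2014-09-03 01:29:40 46.163.106.10 GET /index.html - 80 203.0.113.7 200",
])

def sessions(me_log, direction):
    """Group rows of one direction by message id -> {ts, ip, from, rcpts: [(addr, code)]}."""
    out = {}
    for line in me_log.splitlines():
        f = line.split("\t")
        if len(f) < 9 or f[2] != direction:
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%m/%d/%y %H:%M:%S")
        s = out.setdefault(f[3], {"ts": ts, "ip": f[5], "from": None, "rcpts": []})
        m = ADDR_RE.search(f[7])
        addr = m.group(1).lower() if m else None
        if f[6] == "MAIL":
            s["from"] = addr
        elif f[6] == "RCPT":
            s["rcpts"].append((addr, f[8][:3]))   # keep only the reply code
    return out

def domain(addr):
    return addr.rsplit("@", 1)[-1] if addr and "@" in addr else ""

def find_local_relays(me_log):
    """Privileged-IP sessions that tried to relay to a non-local address.

    RELAYED = RCPT accepted (250); REJECTED = refused, e.g. the 503 in the thread.
    A matching SMTP-OU envelope inside OUTBOUND_WINDOW confirms actual dispatch.
    """
    outbound = sessions(me_log, "SMTP-OU")
    findings = []
    for msgid, s in sessions(me_log, "SMTP-IN").items():
        if s["ip"] not in PRIVILEGED_IPS:
            continue
        for rcpt, code in s["rcpts"]:
            if domain(rcpt) in LOCAL_DOMAINS:
                continue                          # local delivery needs no relay right
            dispatched = None
            if code == "250":
                for oid, o in outbound.items():
                    delta = (o["ts"] - s["ts"]).total_seconds()
                    if (o["from"] == s["from"] and (rcpt, "250") in o["rcpts"]
                            and 0 <= delta <= OUTBOUND_WINDOW.total_seconds()):
                        dispatched = oid
            findings.append({"msgid": msgid, "ts": s["ts"], "from": s["from"], "to": rcpt,
                             "status": "RELAYED" if code == "250" else "REJECTED",
                             "outbound_msgid": dispatched})
    return findings

def suspect_scripts(findings, iis_log):
    """Attach IIS requests that hit within WEB_WINDOW of each flagged session."""
    fields, hits = [], []
    for line in iis_log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            r = dict(zip(fields, line.split()))
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            hits.append((ts, r["cs-uri-stem"], r["c-ip"]))
    for f in findings:
        f["web_requests"] = [(uri, cip) for ts, uri, cip in hits
                             if abs((ts - f["ts"]).total_seconds()) <= WEB_WINDOW.total_seconds()]
    return findings

if __name__ == "__main__":
    for f in suspect_scripts(find_local_relays(SAMPLE_ME_LOG), SAMPLE_IIS_LOG):
        print(f["status"], f["ts"], f["from"], "->", f["to"],
              "| dispatched as:", f["outbound_msgid"], "| web:", f["web_requests"])
```

Run it against a real activity log by reading the file into `find_local_relays` and the matching day's IIS log into `suspect_scripts`; every RELAYED finding with an `outbound_msgid` is a message that actually left, and its `web_requests` list is the short list of scripts to inspect. Rows that only ever reach REJECTED are the case the last reply describes: an attempt, not a relay. On a box that must keep the localhost exemption for Plesk notifications, the same filter (privileged source, non-local recipient, accepted) is the alert rule to keep running after the cleanup.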
