Spam on local mail account from outside

Discussion in 'Installation/Configuration' started by themark, Feb 16, 2016.

  1. themark

    themark Member

    Dear,
    as per default configuration we have the mynetworks as follows:
    mynetworks = 127.0.0.0/8 [::1]/128 public.ip.of.the.server.

    In that way, with a standard phpmailer library (https://github.com/PHPMailer/PHPMailer), it is possible to connect from outside to the server of the domain and send mail to a local user of the server, without any authentication. In addition to that, the email sent in that way doesn't go through the antispam. I think that this is pretty bad behaviour. Spammers know that trick, and use it to inoculate spam (it's pretty simple).

    How can we solve that problem (e.g. could it be a good idea to empty the "mynetworks" variable, or is there a way to force authentication also for local email)?
    Thank you.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    A php mailer can not send mail from outside to your server. To send mail to localhost, the software has to be installed on your server or, more precisely, in a website of your server, so it's a local software then that sends emails locally and not an external software. So the spammer has to be your client as he needs an ftp login or ssh login to this website; in such a case you would cancel his account, as your terms of service probably prohibit spam sending. The other option is that a website has been hacked; in such a case you clean the website and close the hole in the cms system which allowed the hack. Btw., when a website has been hacked, then the hacker can also send mail directly by using socket connections, he does not even have to use your postfix instance or a php mail library like the one you mentioned.

    To sum it up, there is no way that a PHP mail software can send spam from outside through localhost on your server without being installed on your server.
     
  3. themark

    themark Member

    Probably I did not describe the issue correctly. Take for example one defaced website called DEFACEDWEBSITE.COM
    On that website an attacker uploads a phpmailer script like this:

    """""""""
    include("class.phpmailer.php");

    $from_email = "fakefrom@fakedomain";
    $from_name = "fakename";
    $to = "[email protected]";
    $subject = "some subject";
    $body = "some body";
    $mail = new PHPMailer();
    $mail->isMail();
    $mail->CharSet = 'utf-8';
    $mail->SetFrom($from_email, $from_name);
    $mail->AddAddress($to);
    $mail->Subject = $subject;
    $mail->isHTML(false);
    $mail->Body = $body;
    if (!$mail->send()){
        $to_domain = explode("@", $to);
        $to_domain = $to_domain[1];
        $mail->IsSMTP();
        $mail->Host = mx_lookup($to_domain);
        $mail->Port = 25;
        $mail->SMTPAuth = false;
        if (!$mail->send()){
            return Array(0, $mail->ErrorInfo);
        }else{
            return Array(2, 0);
        }
    }
    """""""
    As you can see, the attacker connects directly to the victim domain on port 25.
    And the mail goes ahead because the mail destination is local on that domain, obviously.

    Any clue?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you had a hacked website. This means that the sender is local and therefore, he can connect locally, he is not external. The solution is to clean the website and close the hole in the website that the attacker used to get in.

    Setting an SMTP password for locally installed software will not help you and it will make things even worse: you would have to give this SMTP password to your clients as their contact forms, shops etc. won't work without it, so if someone hacks the site then, he can simply read the SMTP password as this is stored in the config files of the website; he can then use this password to relay emails through your server directly without the need to use that website.
     
  5. themark

    themark Member

    This is the problem, till. The hacked website IS NOT on the same server as the mail "[email protected]".
    The hacked website, from the malicious code, can get the MX of somedomain.com and then, from remote, connect to the smtp server of the mx record [ $mail->Host = mx_lookup($to_domain); ]. And then inoculate the spammy email into the "somedomain.com" account. Without any authentication required, because in the eyes of the smtp server of the mx of the domain, the mail is local, so without relay mail.

    If you want (I don't know if you have time to try that) you can try it yourself.
    Get two VPS with a standard ispconfig installation. On one put the code above (with the phpmailer class downloaded from github). On the other create the mail.
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It sounds like your MTA (postfix) is either misconfigured, allowing that to relay without authentication, or maybe it simply doesn't score high enough in spam scanning to be stopped/blocked. Back in your original post:

    Is "public.ip.of.the.server" the ip address of your web server? If so, that's likely your problem. I don't believe that's a default setting in ispconfig as you claimed, I checked the config on both an old 3.0.5.4p8 box and a 3.1 dev box, and both have 'mynetworks = 127.0.0.0/8 [::1]/128', which is hard-coded in the ispconfig installer (at least for debian/default - fedora, gentoo or opensuse may vary).
     
  7. themark

    themark Member

    Hi Jesse,

    thank you for your feedback. I have changed the postfix configuration, removing the public.ip.of.the.server, and I have also tested on another server built from scratch, that did not have the public.ip.of.the.server in mynetworks.
    So, the problem persists also with only the "mynetworks = 127.0.0.0/8 [::1]/128" configuration.
    In addition, the mail sent in that way doesn't go through the antispam because it is seen as local email.

    I'm not asking you to take my word for it, but to try it yourself. The above code is slightly wrong; here I paste the code that you can use if you want to try:

    """""
    <?php

    include("class.phpmailer.php");
    include("class.smtp.php");

    $from_email = "fakefrom@fakedomain";
    $from_name = "fakename";
    $to = "[email protected]";
    $subject = "test email subject 3";
    $body = "body email text 3";

    $mail = new PHPMailer();
    $mail->CharSet = 'utf-8';
    $mail->SetFrom($from_email, $from_name);
    $mail->AddAddress($to);
    $mail->Subject = $subject;
    $mail->isHTML(false);
    $mail->Body = $body;

    $to_domain = explode("@", $to);
    $to_domain = $to_domain[1];
    $mail->IsSMTP();
    $mail->Host = mx_lookup($to_domain);
    $mail->Port = 25;
    $mail->SMTPAuth = false;
    if (!$mail->send()){
        return Array(0, $mail->ErrorInfo);
    }else{
        return Array(2, 0);
    }

    function mx_lookup($hostname)
    {
        @getmxrr($hostname, $mxhosts, $precedence);
        if(count($mxhosts) === 0) return '127.0.0.1';
        $position = array_keys($precedence, min($precedence));
        return $mxhosts[$position[0]];
    }
    """""

    Classes needed are:
    https://github.com/PHPMailer/PHPMailer/blob/master/class.smtp.php
    https://github.com/PHPMailer/PHPMailer/blob/master/class.phpmailer.php

    Thank you
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    You mix up local and remote delivery here.

    The above code is a normal email client (whether an email client is written in PHP, C++, Java, etc. does not matter); it does the exact same thing as e.g. Outlook, Thunderbird and every other mail client or server like Postfix, Exim or Sendmail. There is no local delivery involved at all, it's a normal remote delivery and the recipient server has to accept the delivery, of course, when the email is for a domain that it is responsible for.

    To stop email clients and servers from sending email to a server you can:

    a) Stop postfix.
    b) Close port 25 and 587
    c) Add a password protection that denies receiving to this server. You will then have to send e.g. a postcard with a password to anyone that likes to contact you in future and tell him the password. You can see that it makes no sense to add an SMTP password here, as nobody can send you an email then.

    So what you describe above is not a problem of a php library or whatever, it is just a normal email (does not matter if spam or not) that gets delivered to a mail server.
     
  9. themark

    themark Member

    Thanks for taking the time to reply to my post. Yes, I know how SMTP works, but my opinion (IMHO) is that a server set up for hosting services can't accept as genuine mail sent locally without authentication from outside. The amount of spam sent in that way is like 90% of the total.

    By the way, with some adjustment of smtpd_recipient_restrictions we have mitigated that problem.
     
  10. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    Maybe I misunderstood but:
    If I have something running on my server it can send mail using local MTA using any kind of FROM/TO I like.
    However, I could setup the MTA to check if FROM is actually a valid account, but then I use some valid FROM to send my spam.
    If you allow someone to access a script which allows sending mail, or someone placed a script due to a security issue in wordpress for example, it's a nice invitation for everyone to send spam using the MTA.

    You might need to allow sasl authenticated sender only for sending mails, hence you need to remove
    permit_mynetworks, from your listings in main.cf
    Code:
    permit_mynetworks, permit_sasl_authenticated,
    
    
    this would check: is the sender on my host/localhost/myRemoteIP and if so, let him pass

    Beware, you may need to adjust other settings to let your cronjobs and other services send mail to you.
     
    Last edited: Mar 17, 2016
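
The thread turns on how Postfix walks `smtpd_recipient_restrictions` and what `mynetworks` trusts. The following is an added example, not code from any poster or from ISPConfig: a simplified model of that evaluation for the three restrictions shown, run over a constructed main.cf fragment. The address 203.0.113.10 stands in for "public.ip.of.the.server", and the function names, the `hosted` domain set and the `.example` domains are assumptions made for illustration.

```python
import ipaddress

# Constructed main.cf fragment. 203.0.113.10 is a placeholder for
# "public.ip.of.the.server"; the restriction list is an assumed typical one.
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128 203.0.113.10
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining indented continuation lines."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        else:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params

def networks(value):
    """Parse mynetworks entries such as 127.0.0.0/8 or [::1]/128."""
    entries = value.replace(",", " ").split()
    return [ipaddress.ip_network(e.replace("[", "").replace("]", ""), strict=False)
            for e in entries]

def non_loopback(params):
    """mynetworks entries that trust more than the loopback interface."""
    return [str(n) for n in networks(params["mynetworks"]) if not n.is_loopback]

def decide(params, client_ip, rcpt_domain, hosted, authenticated=False):
    """Walk the restriction list in order; the first match wins."""
    client = ipaddress.ip_address(client_ip)
    nets = [n for n in networks(params["mynetworks"]) if n.version == client.version]
    rules = params["smtpd_recipient_restrictions"].replace(",", " ").split()
    for rule in rules:
        if rule == "permit_mynetworks" and any(client in n for n in nets):
            return "permit (mynetworks)"
        if rule == "permit_sasl_authenticated" and authenticated:
            return "permit (sasl)"
        if rule == "reject_unauth_destination" and rcpt_domain not in hosted:
            return "reject (relay denied)"
    return "permit (inbound to hosted domain)"  # end of list: default permit
```

An unauthenticated outside client is accepted only for a hosted domain, which is ordinary inbound delivery; any spam filtering has to happen on that path, since SMTP AUTH cannot be required of the senders that deliver to an MX.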
