8.52 disabled user able to authenticate and relay; exploit

wireme
Posts: 11
Joined: Thu Aug 07, 2008 9:08 pm

8.52 disabled user able to authenticate and relay; exploit

Post by wireme » Fri Sep 26, 2014 7:42 pm

I have one particular mailbox that continually and intermittently is able to send spam. As of today, I am seeing a second mailbox from a completely different domain and post office with the same relay abilities. The originating spam servers as of this week are mainly coming from Moscow. Previously the relay sources were from Nuremberg, Hesse, and Munich, Germany. I have been using our firewall to block these IP ranges. The mailboxes have been disabled, user authentication disabled, and the password changed several times. I was on 7.55 (which had worse relaying issues), but recently upgraded to the latest version of 8. I am still having issues with this mailbox spam relaying. How is this possible? I am an IT admin with over 18 years of experience and have triple-checked the Windows server several times for any viruses or malware, and have been a paying customer with MailEnable since 2007. The OS is Server 2003 R2, fully patched. The only thing that stops the relay is disabling the entire post office. I am also seeing this user being able to access the IMAP and POP accounts. I have thousands of log entries in SMTP and IMAP that prove this claim. This has consumed countless hours of my time since late July. I have also scanned through the "Auth.tab"s and removed injected IP addresses for allowed relay. Any help or direction would be greatly appreciated.

MailEnable-Ian
Site Admin
Posts: 9220
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: 8.52 disabled user able to authenticate and relay; explo

Post by MailEnable-Ian » Mon Sep 29, 2014 1:02 am

Hi,

Firstly, you will need to determine how the spammer is able to relay. Have you inspected the SMTP log files and located how the spammer is able to relay? If they are successfully authenticating and you know which mailbox, have you inspected the "AUTH.tab" file and searched for the mailbox credentials? It sounds like this is the issue, as disabling the post office resolves the problem, which would stop the mailbox from being able to authenticate. In older versions there was an issue where, if you removed a mailbox, it would not remove some of the entries in the config files, which could be your case. This has been fixed in later versions of the MailEnable version series.

The AUTH.tab file does not contain IP addresses, so I am not sure what you mean by: "I have also scanned through the "Auth.tab"s and removed injected IP addresses for allowed relay". The SMTP-DENY.tab and SMTP-ALLOW.tab contain IP addresses for the SMTP "Access control" list.
Regards,

Ian Margarone
MailEnable Support

wireme
Posts: 11
Joined: Thu Aug 07, 2008 9:08 pm

Re: 8.52 disabled user able to authenticate and relay; explo

Post by wireme » Mon Sep 29, 2014 10:03 pm

In the auth.tab, I see the username, a "1", the password, domain, and user privilege.

1. If I change the "1" value to "0", what does this accomplish?
2. If the entire mailbox entry is removed, does this still allow mail to be delivered? (For example, I set up a new mailbox for the user and am currently forwarding new mail to it.)
3. When I changed the password for one of the relaying accounts in the management console, I am not seeing the password change in the auth.tab file. We have been using MailEnable on this server since version 2.

MailEnable-Ian
Site Admin
Posts: 9220
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: 8.52 disabled user able to authenticate and relay; explo

Post by MailEnable-Ian » Tue Sep 30, 2014 4:40 am

Hi,

If you change it to 0 then I believe this would indicate the user cannot authenticate (not sure though; the best option is to remove the entry from the file). Are you sure this is the user being used to authenticate to relay spam? If you are changing the password for the mailbox and it does not change in the AUTH.tab file, then are you sure you are storing the MailEnable configuration as tab-delimited files and not within a database?
Regards,

Ian Margarone
MailEnable Support

wireme
Posts: 11
Joined: Thu Aug 07, 2008 9:08 pm

Re: 8.52 disabled user able to authenticate and relay; explo

Post by wireme » Thu Oct 02, 2014 9:10 pm

It's definitely tab delimited and it was definitely this exact user. Why would this auth.tab file not update when I change the password and/or prevent the user from authenticating? If I manually modify these fields in the file, it works as intended.

I also found that if the user is completely removed from the auth.tab file, the user can no longer authenticate. So changing the 1 to 0, or removing the user, will accomplish the same result.
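As an added example (not code from this thread or from MailEnable), a small Python audit that reads a tab-delimited AUTH.tab using the column order wireme describes above and reports entries that can still authenticate although the admin disabled the mailbox, plus entries with no matching mailbox in the post office, the stale-leftover case Ian mentions. The column order, the meaning of the flag ("1" may authenticate, "0" blocked), and that the username column holds only the local part are assumptions taken from the posts, not from MailEnable documentation.

```python
# Column layout as the poster described a tab-delimited AUTH.tab entry:
# username, flag, password, domain, privilege. That the flag reads
# "1" = may authenticate / "0" = blocked follows the thread; the order,
# the flag meaning and "username = local part" are assumptions here.
COLUMNS = ("username", "flag", "password", "domain", "privilege")

# Constructed sample content standing in for a real AUTH.tab (not real data).
SAMPLE_AUTH_TAB = (
    "alice\t1\tS3cret!\texample.com\tUSER\n"
    "bob\t0\tHunter2\texample.com\tUSER\n"
    "carol\t1\tOldPass\texample.org\tUSER\n"
    "ghost\t1\tStale\texample.org\tUSER\n"
)


def parse_auth_tab(text):
    """Split AUTH.tab text into dicts; skip blank, comment and short lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")  # plain split: passwords may contain quotes
        if len(fields) < len(COLUMNS):
            continue  # malformed line; a real audit would report it
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def _address(row):
    return f"{row['username']}@{row['domain']}".lower()


def still_able_to_authenticate(text, disabled_mailboxes):
    """Disabled mailboxes whose AUTH.tab entry still carries flag "1".

    This is the thread's symptom: the console change never reached the file,
    so the account keeps authenticating and relaying until the entry is fixed.
    """
    wanted = {m.lower() for m in disabled_mailboxes}
    return [_address(r) for r in parse_auth_tab(text)
            if _address(r) in wanted and r["flag"] == "1"]


def orphan_entries(text, existing_mailboxes):
    """Entries with no matching mailbox in the post office (stale leftovers)."""
    known = {m.lower() for m in existing_mailboxes}
    return [_address(r) for r in parse_auth_tab(text) if _address(r) not in known]


if __name__ == "__main__":
    disabled = {"alice@example.com", "bob@example.com"}
    present = {"alice@example.com", "bob@example.com", "carol@example.org"}
    print("still enabled:", still_able_to_authenticate(SAMPLE_AUTH_TAB, disabled))
    print("orphaned:", orphan_entries(SAMPLE_AUTH_TAB, present))
```

Run it against a copy of the real file rather than the live one, and treat any "still enabled" hit as the account to remove or set to "0" by hand, as the thread concludes.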

MailEnable-Ian
Site Admin
Posts: 9220
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: 8.52 disabled user able to authenticate and relay; explo

Post by MailEnable-Ian » Fri Oct 03, 2014 4:15 am

Hi,

So you're saying the mailbox still exists in the post office and you can access the properties window for the mailbox? And when you try and set the option to "Prevent User from authenticating" it does not change the value from 1 to 0? I tried this on my side and it makes the changes in the AUTH file, and therefore I am not sure what is happening on your side. Perhaps check the Windows event log for any errors at the time, or run "Process Monitor" (http://www.sysinternals.com) and filter on "path" and specify AUTH.tab to see if there are any problems when mmc.exe edits the file.
Regards,

Ian Margarone
MailEnable Support
