Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Discussion regarding the Standard version.
smksa
Posts: 1
Joined: Wed Sep 29, 2010 5:56 am

Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Post by smksa »

Hi,

I have a situation where there are spammers on my Shared Hosting Server using Plesk Horde Webmail to send SPAM, but I'm not able to detect which email account is sending the email.

I have checked manually in the SMTP Activity LOGS and also in C:\Program Files\Parallels\Plesk\Mail Servers\Mail Enable\Queues\SMTP\Outgoing and the "Outgoing\messages" folder, but there are no hints as to which email account has been used.

The messages were something like this:

Received: from WINDOWS8 ([127.0.0.1]) by win8.myhostingdomain.com with MailEnable ESMTP; Tue, 28 Sep 2010 23:53:40 +0800
Date: Tue, 28 Sep 2010 15:53:40 +0000
Subject: COMPLIMENT YOUR BANK DRAFT IS READY
To: car2sky@yahoo.com
From: John Obi <quadriwale@sify.com>
Reply-To: quadriwale@sify.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

<body here>


I have tried to untick "Allow relay from privileged IP ranges", but it seems the webmail was not able to send out email, as it needs the 127.0.0.1 IP to be there.

I'm willing to pay if required to purchase third party software for this.

I would appreciate it if anybody can help on how I can detect who is sending those spam emails so I can block it.


Thank you.

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Post by MailEnable-Ben »

Check for this:

http://www.mailenable.com/kb/Content/Ar ... D=me020280

The usual things to search for are:

ME-I0108: Relay Granted: Sender has authenticated.

ME-I0107: Relay Granted: Sender IP (IPAddress) is within an authorized IP range.
Regards,

Product Services
MailEnable Pty Ltd

varidzok
Posts: 1
Joined: Tue Nov 02, 2010 9:47 pm

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Post by varidzok »

Hi,

I have the same problem. The mail is probably sent through an account on the server, but I can't track it down. Nothing in the logs, except the message above - relay granted to localhost. The problem will definitely be resolved if I deny 127.0.0.1 from the relay list, but Horde will not work properly. Is there any way to change the Horde authorization (Windows/username-password) or change the IP address in the Horde configuration to send from another IP, a public address maybe?

thanx

polarisie
Posts: 696
Joined: Mon Mar 27, 2006 2:58 pm

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Post by polarisie »

varidzok wrote: [quoted in full above]

We are seeing the same trend, however these are coming from MeWebmail...

Cheers

Jimboberlin
Posts: 2
Joined: Thu Sep 04, 2014 3:07 pm

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP

Post by Jimboberlin »

I know this is a very old thread but I couldn't find anything more up to date on this topic.


My MailEnable Logs show a few SPAM mails daily that are being sent from my internal address:

Today it was 4 mails, all with the same FROM and TO addresses and all with at least 2-3 hours between them:


09/03/14 01:27:52	SMTP-IN	9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI	728	127.0.0.1			220 mail.mydomain.de ESMTP MailEnable Service, Version: 6.0-- ready at 09/03/14 01:27:52	0	0	
09/03/14 01:27:52	SMTP-IN	9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI	728	127.0.0.1	EHLO	EHLO [46.163.69.xxx]	250-mydomain.de [127.0.0.1], this server offers 4 extensions	120	21	
09/03/14 01:27:52	SMTP-IN	9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI	728	127.0.0.1	MAIL	MAIL FROM:<service@paypal.de>	250 Requested mail action okay, completed	43	31	
09/03/14 01:27:52	SMTP-IN	9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI	728	127.0.0.1	RCPT	RCPT TO:<marcel.22578@gmx.de>	250 Requested mail action okay, completed	43	31	
09/03/14 01:27:52	SMTP-IN	9BB1C07DF1FA4578B343EE60B8FDFAAE.MAI	728	127.0.0.1	DATA	DATA	354 Start mail input; end with <CRLF>.<CRLF>	46	6	
09/03/14 01:27:52	SMTP-IN	52CB1931AB504B59B2E2E7D65F684B81.MAI	728	127.0.0.1	QUIT	QUIT	221 Service closing transmission channel	42	6	
09/03/14 01:28:27	SMTP-OU	CD22078CE60A4D43A3DEF5E695B7115A.MAI	832	213.165.67.99	CONN		220 gmx.net (mxgmx008) Nemesis ESMTP Service ready	0	52	
09/03/14 01:28:27	SMTP-OU	CD22078CE60A4D43A3DEF5E695B7115A.MAI	832	213.165.67.99	EHLO	EHLO mail.mydomain.de	250-gmx.net Hello mail.mydomain.de [46.163.106.xxx]	20	84	
09/03/14 01:28:28	SMTP-OU	CD22078CE60A4D43A3DEF5E695B7115A.MAI	832	213.165.67.99	MAIL	MAIL FROM:<service@paypal.de> SIZE=728	250 Requested mail action okay, completed	40	43	
09/03/14 01:28:28	SMTP-OU	CD22078CE60A4D43A3DEF5E695B7115A.MAI	832	213.165.67.99	RCPT	RCPT TO:<marcel.22578@gmx.de>	250 OK	31	8	
09/03/14 01:28:28	SMTP-OU	CD22078CE60A4D43A3DEF5E695B7115A.MAI	832	213.165.67.99	DATA	DATA	354 Start mail input; end with <CRLF>.<CRLF>	6	46	
09/03/14 01:28:28	SMTP-OU	CD22078CE60A4D43A3DEF5E695B7115A.MAI	832	213.165.67.99	DATE		250 Requested mail action okay, completed: id=0M8qFQ-1XYuCF3xM4-00CEOj	739	72	
09/03/14 01:28:28	SMTP-OU	CD22078CE60A4D43A3DEF5E695B7115A.MAI	832	213.165.67.99	QUIT	QUIT	221 gmx.net Service closing transmission channel	6	50	

I have absolutely no idea where these mails are coming from. The debug log only logs "Relay Granted: Sender IP (127.0.0.1) is within an authorized IP range".

Any ideas?

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP

Post by MailEnable-Ian »

Hi,

It sounds like you have a script or webpage (most likely infected) under IIS that is using 127.0.0.1 to send from. You most likely have the SMTP relay option for allowing privileged IPs to relay, where 127.0.0.1 is being granted relay rights. In order to stop this, remove 127.0.0.1 from the SMTP privileged IPs relay list and then configure all your web forms that require sending via the MailEnable SMTP service to authenticate. Scan the server for infections as well.
Regards,

Ian Margarone
MailEnable Support

Jimboberlin
Posts: 2
Joined: Thu Sep 04, 2014 3:07 pm

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP

Post by Jimboberlin »

Thanks for the response.

Yes, I'm allowing a relay for local addresses (127.0.0.1) so I can receive status updates and info sent from Plesk on a virtual server. I wouldn't know how to configure Plesk to authenticate, so I guess disabling the local relay is not an option.

There are only a couple testing websites hosted on the server so I don't see how any of them could be used to send mails - but I'll double check to make sure there is no contact form that could be used to send spam.

Is there any way to find the source (i.e. script / application) that has initiated the local mail send?

So far there haven't been any more spam mails but since I didn't change the settings yet I guess it could happen again any given day.

servohost
Posts: 1
Joined: Mon May 22, 2017 2:20 pm

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Post by servohost »

Dear All,

I do not have much knowledge about the mail setup. Since MailEnable is integrated with Plesk, it's been used to send email.

The MTA (Mail Transfer Agent) has some security loopholes. Maybe I am not right, but for me it's difficult to say the MailEnable MTA is safe, because spammers are able to generate malicious emails using my server resources. And I have received multiple complaints about unsolicited email from the respective organizations to prevent it.

Per the log, emails are generated using the 127.0.0.1 IP. Not sure how it's skipping user authentication and originating spam email.
Is there a way to prevent such spammers and ask them to authenticate before sending emails? Please see below a couple of lines from the log.

2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 HELO HELO+PLESK-WEB.SERVOHOST.IN 250+Requested+mail+action+okay,+completed PLESK-WEB 43 29
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 MAIL MAIL+FROM:<alegra_gallo@sainathfacilityservices.com> 250+Requested+mail+action+okay,+completed PLESK-WEB 43 54
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 RCPT RCPT+TO:<adhurim@alice.it> 503+This+mail+server+requires+authentication+when+attempting+to+send+to+a+non-local+e-mail+address.+Please+check+your+mail+client+settings+or+contact+your+administrator+to+verify+that+the+domain+or+address+is+defined+for+this+server. PLESK-WEB 235 28
2017-03-19 01:01:03 127.0.0.1 SMTP-IN 127.0.0.1 1636 QUIT QUIT 221+Service+closing+transmission+channel PLESK-WEB 42 6
2017-03-19 01:01:04 127.0.0.1 SMTP-IN 127.0.0.1 872 HELO HELO+PLESK-WEB.SERVOHOST.IN 250+Requested+mail+action+okay,+completed PLESK-WEB 43 29

Log from the SMTP server:

03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 220 PLESK-WEB.home ESMTP MailEnable Service, Version: 8.50-- ready at 03/20/17 00:03:04 0 0
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 HELO HELO PLESK-WEB.SERVOHOST.IN 250 Requested mail action okay, completed 43 29
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 MAIL MAIL FROM:<fausta_ricci@sainathfacilityservices.com> 250 Requested mail action okay, completed 43 54
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 RCPT RCPT TO:<vin71@live.it> 503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server. 235 25
03/20/17 00:03:04 SMTP-IN 336ECFA1B03047ADB90DAC5FEF14C9A3.MAI 1644 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
03/20/17 00:03:04 SMTP-IN 869305A1C4D5431F94CD64D0BA9CC8B5.MAI 200 127.0.0.1 220 PLESK-WEB.home ESMTP MailEnable Service, Version: 8.50-- ready at 03/20/17 00:03:04 0 0
03/20/17 00:03:04 SMTP-IN 869305A1C4D5431F94CD64D0BA9CC8B5.MAI 200 127.0.0.1 HELO HELO PLESK-WEB.SERVOHOST.IN 250 Requested mail action okay, completed 43 29


Please help me out to get out of this problem. If someone has a standard procedure or guide to do a security setup using MailEnable, that would be great.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Outgoing SPAM using Webmail connect through 127.0.0.1 IP ?

Post by MailEnable-Ian »

Hi Servohost,

The log files you provided do not show any evidence of spam being relayed by your server. The logs report "503 This mail server requires authentication", which means relay to send out is not being granted to 127.0.0.1. You need to provide log files of an outbound send (i.e. SMTP-OU) where the message has been dispatched to the remote mail server.
Regards,

Ian Margarone
MailEnable Support
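As an added example (not from the thread, MailEnable or Plesk), a small Python audit over the tab-separated SMTP-IN activity log layout Jimboberlin posted: it groups lines by the session/thread column (assumed to be the fourth field), records whether the session authenticated, and separates loopback sessions whose recipient was accepted without AUTH (the "Relay Granted: Sender IP (127.0.0.1) is within an authorized IP range" case) from sessions refused with 503 (the servohost logs Ian reads as no relay). The sample log lines, addresses and field order are constructed.

```python
import re
from collections import OrderedDict
# Constructed sample in the tab-separated layout of the posted MailEnable log:
# date time, direction, message id, session/thread id (assumed), peer IP,
# command, command text, server response, bytes in, bytes out.
SAMPLE_LOG = "\n".join([
    "09/03/14 01:27:52\tSMTP-IN\tAAA.MAI\t728\t127.0.0.1\tEHLO\tEHLO [203.0.113.5]\t250-example.test [127.0.0.1], this server offers 4 extensions\t120\t21",
    "09/03/14 01:27:52\tSMTP-IN\tAAA.MAI\t728\t127.0.0.1\tMAIL\tMAIL FROM:<service@bank.example>\t250 Requested mail action okay, completed\t43\t31",
    "09/03/14 01:27:52\tSMTP-IN\tAAA.MAI\t728\t127.0.0.1\tRCPT\tRCPT TO:<victim@remote.example>\t250 Requested mail action okay, completed\t43\t31",
    "09/03/14 01:27:52\tSMTP-IN\tAAA.MAI\t728\t127.0.0.1\tDATA\tDATA\t354 Start mail input; end with <CRLF>.<CRLF>\t46\t6",
    "09/03/14 01:30:00\tSMTP-IN\tCCC.MAI\t900\t127.0.0.1\tMAIL\tMAIL FROM:<x@spam.example>\t250 Requested mail action okay, completed\t43\t54",
    "09/03/14 01:30:00\tSMTP-IN\tCCC.MAI\t900\t127.0.0.1\tRCPT\tRCPT TO:<y@remote.example>\t503 This mail server requires authentication when attempting to send to a non-local e-mail address.\t235\t25",
    "09/03/14 01:31:00\tSMTP-IN\tDDD.MAI\t901\t198.51.100.7\tAUTH\tAUTH LOGIN\t235 Authenticated\t20\t10",
    "09/03/14 01:31:00\tSMTP-IN\tDDD.MAI\t901\t198.51.100.7\tMAIL\tMAIL FROM:<user@example.test>\t250 Requested mail action okay, completed\t43\t31",
    "09/03/14 01:31:00\tSMTP-IN\tDDD.MAI\t901\t198.51.100.7\tRCPT\tRCPT TO:<friend@remote.example>\t250 Requested mail action okay, completed\t43\t31",
])
ADDR = re.compile(r"<([^>]*)>")  # address inside MAIL FROM:<...> / RCPT TO:<...>

def parse_line(line):
    """Split one activity-log line into the fields used below; None unless it is SMTP-IN."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 8 or f[1] != "SMTP-IN":
        return None
    return {"time": f[0], "session": f[3], "ip": f[4], "cmd": f[5],
            "text": f[6], "code": f[7][:3]}

def audit_sessions(log_text):
    """Group SMTP-IN lines by session id: HELO name, AUTH success, sender, recipients."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["session"], {"ip": rec["ip"], "time": rec["time"],
            "helo": None, "authenticated": False, "mail_from": None, "accepted": [], "refused": []})
        addr = ADDR.search(rec["text"])
        if rec["code"] == "235":               # 235 = SMTP authentication succeeded
            s["authenticated"] = True
        elif rec["cmd"] in ("HELO", "EHLO"):
            s["helo"] = rec["text"].split(None, 1)[-1]
        elif rec["cmd"] == "MAIL" and addr:
            s["mail_from"] = addr.group(1)
        elif rec["cmd"] == "RCPT" and addr:    # 250 = recipient (and thus relay) accepted
            (s["accepted"] if rec["code"] == "250" else s["refused"]).append(addr.group(1))
    return sessions

def loopback_relays(log_text):
    """Sessions from 127.0.0.1 with an accepted recipient but no AUTH: relay granted by IP range."""
    return [dict(session=k, **v) for k, v in audit_sessions(log_text).items()
            if v["ip"] == "127.0.0.1" and v["accepted"] and not v["authenticated"]]
```

The HELO name and timestamp of each flagged session are what to match against IIS or Plesk process activity at that moment to find the script doing the sending.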
