virus laden message causes infinite loop, SMTP crashes ...

bozak
Posts: 50
Joined: Fri Jun 20, 2003 9:36 pm

virus laden message causes infinite loop, SMTP crashes ...

Post by bozak »

I have an issue whereby an outside computer sends an email containing a virus to a user. Dr. Web Anti-Virus is also installed on this server.

Basically it looks like someone tries to relay a virus-laden message, gets denied, and then MailEnable just keeps trying to resend it from the administrator account.

Every time I turn on the SMTP server, it's fine for a bit, then gets hit with one of these outside

It looks a little something like this:
30/05 01:40:13 SMTP-IN E46C6D28FC904CD3A314BB3E2D5ABE.MAI 324 83.229.142.103 220 0 0
11/30/05 01:40:16 SMTP-IN E46C6D28FC904CD3A314BB3E2D5ABE.MAI 324 83.229.142.103 HELO HELO host-103-142-229-83.rusmedia.ru 250 Requested mail action okay, completed 43 38
11/30/05 01:40:17 SMTP-IN E46C6D28FC904CD3A314BB3E2D5ABE.MAI 324 83.229.142.103 MAIL MAIL FROM: <ukqizu@yahoo.com> 250 Requested mail action okay, completed 43 31
11/30/05 01:40:19 SMTP-IN E46C6D28FC904CD3A314BB3E2D5ABE.MAI 324 83.229.142.103 RCPT RCPT TO: <steve@akettlecorn.com> 250 Requested mail action okay, completed 43 34
11/30/05 01:40:19 SMTP-IN E46C6D28FC904CD3A314BB3E2D5ABE.MAI 324 83.229.142.103 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
11/30/05 01:40:25 SMTP-IN 9F97F83BEA9846D9BB85342654B24.MAI 324 83.229.142.103 QUIT QUIT 221 Service closing transmission channel 42 6
11/30/05 01:40:27 SMTP-OU D38C84A392754EA8B5714771C22DD.MAI 372 67.28.113.10 CONN 220 mta140.mail.re2.yahoo.com ESMTP YSmtp service ready 0 57
11/30/05 01:40:27 SMTP-OU D38C84A392754EA8B5714771C22DD.MAI 372 67.28.113.10 EHLO EHLO websauce.net 250-mta140.mail.re2.yahoo.com 19 80
11/30/05 01:40:27 SMTP-OU D38C84A392754EA8B5714771C22DD.MAI 372 67.28.113.10 MAIL MAIL FROM:<admin@websauce.net> SIZE=540 250 sender <admin@websauce.net> ok 41 36
11/30/05 01:40:27 SMTP-OU D38C84A392754EA8B5714771C22DD.MAI 372 67.28.113.10 RCPT RCPT TO:<ukqizu@yahoo.com> 250 recipient <ukqizu@yahoo.com> ok 28 37
11/30/05 01:40:27 SMTP-OU D38C84A392754EA8B5714771C22DD.MAI 372 67.28.113.10 DATA DATA 354 go ahead 6 14
11/30/05 01:40:27 SMTP-OU D38C84A392754EA8B5714771C22DD.MAI 372 67.28.113.10 DATE 451 mta140.mail.re2.yahoo.com Resources temporarily unavailable. Please try again later [#4.16.5]. 551 100
11/30/05 01:40:27 SMTP-OU D38C84A392754EA8B5714771C22DD.MAI 372 67.28.113.10 QUIT QUIT 221 mta140.mail.re2.yahoo.com 6 31
11/30/05 01:40:27 SMTP-OU 2C8FC87A8544947BD74E849CBA79F.MAI 360 127.0.0.1 CONN 220 0 6
11/30/05 01:40:27 SMTP-IN B2A14165E1634B4DADA4D38A2CD6B0.MAI 312 127.0.0.1 220 0 0
11/30/05 01:40:27 SMTP-OU 2C8FC87A8544947BD74E849CBA79F.MAI 360 127.0.0.1 EHLO EHLO websauce.net 250-websauce.net [127.0.0.1], this server offers 4 extensions 19 123
11/30/05 01:40:27 SMTP-IN B2A14165E1634B4DADA4D38A2CD6B0.MAI 312 127.0.0.1 EHLO EHLO websauce.net 250-websauce.net [127.0.0.1], this server offers 4 extensions 123 19
11/30/05 01:40:27 SMTP-OU 2C8FC87A8544947BD74E849CBA79F.MAI 360 127.0.0.1 MAIL MAIL FROM:<POSTMASTER@websauce.net> SIZE=954 250 Requested mail action okay, completed 46 43
11/30/05 01:40:27 SMTP-IN B2A14165E1634B4DADA4D38A2CD6B0.MAI 312 127.0.0.1 MAIL MAIL FROM:<POSTMASTER@websauce.net> SIZE=954 250 Requested mail action okay, completed 43 46
11/30/05 01:40:27 SMTP-OU 2C8FC87A8544947BD74E849CBA79F.MAI 360 127.0.0.1 RCPT RCPT TO:<admin@websauce.net> 250 Requested mail action okay, completed 30 43
11/30/05 01:40:27 SMTP-IN B2A14165E1634B4DADA4D38A2CD6B0.MAI 312 127.0.0.1 RCPT RCPT TO:<admin@websauce.net> 250 Requested mail action okay, completed 43 30
11/30/05 01:40:27 SMTP-OU 2C8FC87A8544947BD74E849CBA79F.MAI 360 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 6 46
11/30/05 01:40:27 SMTP-IN B2A14165E1634B4DADA4D38A2CD6B0.MAI 312 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
11/30/05 01:40:27 SMTP-OU 2C8FC87A8544947BD74E849CBA79F.MAI 360 127.0.0.1 DATE 250 Requested mail action okay, completed 965 43
11/30/05 01:40:27 SMTP-OU 2C8FC87A8544947BD74E849CBA79F.MAI 360 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 6 42
11/30/05 01:40:27 SMTP-IN 9A12D0651CEE457BA9EFAC2906F71.MAI 312 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
11/30/05 01:40:27 SMTP-OU 4E106485A2864FEBBBAC50824826ED.MAI 312 127.0.0.1 CONN 220 0 6
11/30/05 01:40:27 SMTP-IN 83BA5C1C7C8244B28E94B57B328F3.MAI 376 127.0.0.1 220 0 0
11/30/05 01:40:27 SMTP-OU 4E106485A2864FEBBBAC50824826ED.MAI 312 127.0.0.1 EHLO EHLO websauce.net 250-websauce.net [127.0.0.1], this server offers 4 extensions 19 123
11/30/05 01:40:27 SMTP-IN 83BA5C1C7C8244B28E94B57B328F3.MAI 376 127.0.0.1 EHLO EHLO websauce.net 250-websauce.net [127.0.0.1], this server offers 4 extensions 123 19
11/30/05 01:40:27 SMTP-OU 4E106485A2864FEBBBAC50824826ED.MAI 312 127.0.0.1 MAIL MAIL FROM:<admin@websauce.net> SIZE=533 250 Requested mail action okay, completed 41 43
11/30/05 01:40:27 SMTP-IN 83BA5C1C7C8244B28E94B57B328F3.MAI 376 127.0.0.1 MAIL MAIL FROM:<admin@websauce.net> SIZE=533 250 Requested mail action okay, completed 43 41
11/30/05 01:40:27 SMTP-OU 4E106485A2864FEBBBAC50824826ED.MAI 312 127.0.0.1 RCPT RCPT TO:<steve@akettlecorn.com> 250 Requested mail action okay, completed 33 43
11/30/05 01:40:27 SMTP-IN 83BA5C1C7C8244B28E94B57B328F3.MAI 376 127.0.0.1 RCPT RCPT TO:<steve@akettlecorn.com> 250 Requested mail action okay, completed 43 33
11/30/05 01:40:27 SMTP-OU 4E106485A2864FEBBBAC50824826ED.MAI 312 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 6 46
11/30/05 01:40:27 SMTP-IN 83BA5C1C7C8244B28E94B57B328F3.MAI 376 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
11/30/05 01:40:27 SMTP-OU 4E106485A2864FEBBBAC50824826ED.MAI 312 127.0.0.1 DATE 250 Requested mail action okay, completed 544 43
11/30/05 01:40:27 SMTP-OU 4E106485A2864FEBBBAC50824826ED.MAI 312 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 6 42
11/30/05 01:40:27 SMTP-IN 1DD3D65FE254B5181A7E949B515FD.MAI 376 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
11/30/05 01:40:27 SMTP-OU 4FEEE2C67EF4113BDDF62690B058.MAI 376 127.0.0.1 CONN 220 0 6
11/30/05 01:40:27 SMTP-IN 94AD9ED962DA4876842D577569F2E.MAI 324 127.0.0.1 220 0 0
11/30/05 01:40:27 SMTP-OU 4FEEE2C67EF4113BDDF62690B058.MAI 376 127.0.0.1 EHLO EHLO websauce.net 250-websauce.net [127.0.0.1], this server offers 4 extensions 19 123
11/30/05 01:40:27 SMTP-IN 94AD9ED962DA4876842D577569F2E.MAI 324 127.0.0.1 EHLO EHLO websauce.net 250-websauce.net [127.0.0.1], this server offers 4 extensions 123 19
11/30/05 01:40:27 SMTP-OU 4FEEE2C67EF4113BDDF62690B058.MAI 376 127.0.0.1 MAIL MAIL FROM:<admin@websauce.net> SIZE=566 250 Requested mail action okay, completed 41 43
11/30/05 01:40:27 SMTP-IN 94AD9ED962DA4876842D577569F2E.MAI 324 127.0.0.1 MAIL MAIL FROM:<admin@websauce.net> SIZE=566 250 Requested mail action okay, completed 43 41
11/30/05 01:40:27 SMTP-OU 4FEEE2C67EF4113BDDF62690B058.MAI 376 127.0.0.1 RCPT RCPT TO:<admin@websauce.net> 250 Requested mail action okay, completed 30 43
11/30/05 01:40:27 SMTP-IN 94AD9ED962DA4876842D577569F2E.MAI 324 127.0.0.1 RCPT RCPT TO:<admin@websauce.net> 250 Requested mail action okay, completed 43 30
11/30/05 01:40:27 SMTP-OU 4FEEE2C67EF4113BDDF62690B058.MAI 376 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 6 46
11/30/05 01:40:27 SMTP-IN 94AD9ED962DA4876842D577569F2E.MAI 324 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
11/30/05 01:40:27 SMTP-OU 4FEEE2C67EF4113BDDF62690B058.MAI 376 127.0.0.1 DATE 250 Requested mail action okay, completed 577 43
11/30/05 01:40:27 SMTP-OU 4FEEE2C67EF4113BDDF62690B058.MAI 376 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 6 42
11/30/05 01:40:27 SMTP-IN B82FB1F89A4A447888953D073CFF2.MAI 324 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
11/30/05 01:40:28 SMTP-OU 42FD4E7AC0834405959D63BD34B831.MAI 324 127.0.0.1 CONN 220 0 6
11/30/05 01:40:28 SMTP-IN A237834D67549658AF1C5F27BB9E1.MAI 392 127.0.0.1 220 0 0
11/30/05 01:40:28 SMTP-OU 42FD4E7AC0834405959D63BD34B831.MAI 324 127.0.0.1 EHLO EHLO websauce.net 250-websauce.net [127.0.0.1], this server offers 4 extensions 19 123
11/30/05 01:40:28 SMTP-IN A237834D67549658AF1C5F27BB9E1.MAI 392 127.0.0.1 EHLO EHLO websauce.net 250-websauce.net [127.0.0.1], this server offers 4 extensions 123 19
11/30/05 01:40:28 SMTP-OU 42FD4E7AC0834405959D63BD34B831.MAI 324 127.0.0.1 MAIL MAIL FROM:<admin@websauce.net> SIZE=535 250 Requested mail action okay, completed 41 43
11/30/05 01:40:28 SMTP-IN A237834D67549658AF1C5F27BB9E1.MAI 392 127.0.0.1 MAIL MAIL FROM:<admin@websauce.net> SIZE=535 250 Requested mail action okay, completed 43 41
11/30/05 01:40:28 SMTP-OU 42FD4E7AC0834405959D63BD34B831.MAI 324 127.0.0.1 RCPT RCPT TO:<steve@akettlecorn.com> 250 Requested mail action okay, completed 33 43
11/30/05 01:40:28 SMTP-IN A237834D67549658AF1C5F27BB9E1.MAI 392 127.0.0.1 RCPT RCPT TO:<steve@akettlecorn.com> 250 Requested mail action okay, completed 43 33
11/30/05 01:40:28 SMTP-OU 42FD4E7AC0834405959D63BD34B831.MAI 324 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 6 46
11/30/05 01:40:28 SMTP-IN A237834D67549658AF1C5F27BB9E1.MAI 392 127.0.0.1 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
11/30/05 01:40:28 SMTP-OU 42FD4E7AC0834405959D63BD34B831.MAI 324 127.0.0.1 DATE 250 Requested mail action okay, completed 546 43
11/30/05 01:40:28 SMTP-OU 42FD4E7AC0834405959D63BD34B831.MAI 324 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 6 42
11/30/05 01:40:28 SMTP-IN 156853481F8341CABDD8A124C11C4D.MAI 392 127.0.0.1 QUIT QUIT 221 Service closing transmission channel 42 6
11/30/05 01:40:28 SMTP-OU 26A3B84AA9948828F43CF246AE530.MAI 392 127.0.0.1 CONN 220 0 6
11/30/05 01:40:28 SMTP-IN C02AB3A7C29D4799B65EF51616E8D0.MAI 372 127.0.0.1 220 0 0

Now... I know it's not MailEnable that is broken, but rather some combination of checkboxes between Plesk, Dr. Web AntiVirus, and MailEnable that is not right. I never had this issue in the past.

Sometimes I'd rather shoot myself than deal with mail servers. They are by far the most pain-in-the-ass part of the internet.

:?

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Re: virus laden message causes infinite loop, SMTP crashes .

Post by paarlberg »

bozak wrote: Sometimes I'd rather shoot myself than deal with mail servers. They are by far the most pain-in-the-ass part of the internet.

:?
You forgot about users :roll:

It appears that you may have a trojan running on the box. The entries from 127.0.0.1 caught my eye. Triple-check for that. You can use Filemon to see what is going on when you turn on the SMTP service and compare it. You might find something has infected the box.
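The hint about the 127.0.0.1 entries can be turned into a quick triage check. The following is an added example, not code from this thread or from MailEnable: it parses lines in the SMTP activity-log layout bozak posted (the field order date, time, direction, message file, id, peer IP, command is an assumption read off those lines, and the sample below is constructed in that layout) and flags any second in which the server submitted several messages to its own loopback listener, which is the signature of a delivery-agent re-injection loop rather than of spam arriving from outside.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the thread's MailEnable SMTP activity log:
# date time direction file id peer-ip command ... (trailing byte counts are ignored).
SAMPLE_LOG = """\
11/30/05 01:40:17 SMTP-IN E46C6D28FC904CD3A314BB3E2D5ABE.MAI 324 83.229.142.103 MAIL MAIL FROM: <ukqizu@yahoo.com> 250 Requested mail action okay, completed 43 31
11/30/05 01:40:27 SMTP-OU D38C84A392754EA8B5714771C22DD.MAI 372 67.28.113.10 MAIL MAIL FROM:<admin@websauce.net> SIZE=540 250 sender <admin@websauce.net> ok 41 36
11/30/05 01:40:27 SMTP-OU 2C8FC87A8544947BD74E849CBA79F.MAI 360 127.0.0.1 MAIL MAIL FROM:<POSTMASTER@websauce.net> SIZE=954 250 Requested mail action okay, completed 46 43
11/30/05 01:40:27 SMTP-OU 2C8FC87A8544947BD74E849CBA79F.MAI 360 127.0.0.1 RCPT RCPT TO:<admin@websauce.net> 250 Requested mail action okay, completed 30 43
11/30/05 01:40:27 SMTP-OU 4E106485A2864FEBBBAC50824826ED.MAI 312 127.0.0.1 MAIL MAIL FROM:<admin@websauce.net> SIZE=533 250 Requested mail action okay, completed 41 43
11/30/05 01:40:27 SMTP-OU 4E106485A2864FEBBBAC50824826ED.MAI 312 127.0.0.1 RCPT RCPT TO:<steve@akettlecorn.com> 250 Requested mail action okay, completed 33 43
11/30/05 01:40:27 SMTP-OU 4FEEE2C67EF4113BDDF62690B058.MAI 376 127.0.0.1 MAIL MAIL FROM:<admin@websauce.net> SIZE=566 250 Requested mail action okay, completed 41 43
11/30/05 01:40:27 SMTP-OU 4FEEE2C67EF4113BDDF62690B058.MAI 376 127.0.0.1 RCPT RCPT TO:<admin@websauce.net> 250 Requested mail action okay, completed 30 43
11/30/05 01:40:28 SMTP-OU 42FD4E7AC0834405959D63BD34B831.MAI 324 127.0.0.1 MAIL MAIL FROM:<admin@websauce.net> SIZE=535 250 Requested mail action okay, completed 41 43
11/30/05 01:40:28 SMTP-OU 42FD4E7AC0834405959D63BD34B831.MAI 324 127.0.0.1 RCPT RCPT TO:<steve@akettlecorn.com> 250 Requested mail action okay, completed 33 43
"""

# Assumed field layout; lines whose seventh field is not a command word (e.g. a bare
# "220" banner line) simply do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<dir>SMTP-IN|SMTP-OU) (?P<file>\S+) \d+ "
    r"(?P<ip>\S+) (?P<cmd>[A-Z]+) (?P<rest>.*)$"
)
ADDR_RE = re.compile(r"<([^>]+)>")  # first <addr> in MAIL FROM / RCPT TO


def parse(text):
    """Yield one dict per parsable log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_loopback_bursts(text, threshold=3):
    """Return {timestamp: [(sender, recipient), ...]} for every second in which the
    server opened at least `threshold` outbound (SMTP-OU) transactions to 127.0.0.1.
    Outbound deliveries to the box's own listener are the server re-submitting mail
    to itself, so a burst of them is the loop symptom, not ordinary inbound spam."""
    envelopes = {}                  # message file -> [sender, recipient]
    per_second = defaultdict(list)  # "date time" -> message files submitted then
    for rec in parse(text):
        if rec["dir"] != "SMTP-OU" or rec["ip"] != "127.0.0.1":
            continue
        addr = ADDR_RE.search(rec["rest"])
        if rec["cmd"] == "MAIL" and addr:
            envelopes[rec["file"]] = [addr.group(1), None]
            per_second[rec["date"] + " " + rec["time"]].append(rec["file"])
        elif rec["cmd"] == "RCPT" and addr and rec["file"] in envelopes:
            envelopes[rec["file"]][1] = addr.group(1)
    return {ts: [tuple(envelopes[f]) for f in files]
            for ts, files in per_second.items() if len(files) >= threshold}
```

Run against a full day's log, the timestamps it returns show when the loop started and which sender/recipient pairs are being recycled, which narrows the mailbox whose delivery agent needs to be unchecked.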

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

Also... There are known looping problems caused by the Plesk-supplied Dr. Web mailbox delivery agent. We recommend disabling all mailbox delivery events until you are able to source a fix from SW-Soft/Plesk.

A utility for disabling delivery events system-wide is available from the MailEnable Hotfix page.
Regards, Andrew

bozak
Posts: 50
Joined: Fri Jun 20, 2003 9:36 pm

mail server nightmare

Post by bozak »

Whatever is going on, the mail server is now getting hit with 10x the spam, and somehow the sender uses a totally different range of IPs every "attack", as well as somehow having guessed all the domains AND mailboxes (mail is getting sent to specific non-standard addresses on each account, e.g. twix7@websauce.net). How did they guess that email address?

Where is this huge security hole that came as a "feature" with the Plesk/Dr. Web/ME install?

Jeez...

And I thought open relaying was a pain in the ass.

This far eclipses relaying as a troublesome issue.

bozak
Posts: 50
Joined: Fri Jun 20, 2003 9:36 pm

isp suggested this fix

Post by bozak »

http://www.proserve.nl/~ivo/Plesk/drwebpatch.zip

ISP said:

The problem is related to an automatic update by Dr. Web Antivirus which spawns millions of emails. For the mailbox in question you can either uncheck the delivery agent or apply the patch at this URL:

It would have been nice if they had applied that patch prior to releasing the server to me.

I'll let the ME forum know if this fixes the problem.

bozak
Posts: 50
Joined: Fri Jun 20, 2003 9:36 pm

possible solution

Post by bozak »

My ISP sent this to me; I applied the patch, and it seems to work.

The problem is related to an automatic update by Dr. Web Antivirus which spawns millions of emails. For the mailbox in question you can either uncheck the delivery agent or apply the patch at this URL:

http://www.proserve.nl/~ivo/Plesk/drwebpatch.zip

I downloaded the patch and rebooted the server...

So far... so good...

I'll update this thread if it doesn't solve this problem.
Hopefully this thread will help someone else affected by this Dr. Web update issue.

bozak
Posts: 50
Joined: Fri Jun 20, 2003 9:36 pm

sweeeeeeeet.

Post by bozak »

Yes, the abusers .. I mean users.
Often the cause of the problem, are they.
Beat them down with a stick, yoda would.


I applied the patch that I put the link in for, and it's still going well.
No looping SMTP server.

Between SpamAssassin and ME, it's going well now.


wouldn't it be sweet if ME came with spam filtering?
(I'm such a noob, it very well may, and I just haven't turned it on yet)



Thanks for the tips of how to fix this. It was really bumming me out.
