Compromised Account
I had a user account that was compromised yesterday. Fortunately, all they used it for was to send out a ton of spam for 11 hours or so. The person whose account was compromised came in today to find over 50,000 bounced messages in her account. So I had a pretty good idea of which account was causing the problem. After stopping her mailer and then starting and stopping sendmail, I saw that the messages were still going out. I changed her password and that appeared to stop things. I kept an eye on things and will continue to do so for the rest of the day, to see if anything else goes wrong.
In looking at the logs, I’ve found lots of messages like:
Jul 6 11:09:21 srv sendmail[23556]: STARTTLS=server, relay=46-23-137-130.static.podluzi.net [46.23.137.130], version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 6 11:09:23 srv sendmail[23556]: v66G9Ac7023556: 46-23-137-130.static.podluzi.net [46.23.137.130] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:10:06 srv sendmail[23952]: STARTTLS=server, relay=95-107-2-69.dsl.orel.ru [95.107.2.69], version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 6 11:10:08 srv sendmail[23952]: v66G9xXg023952: 95-107-2-69.dsl.orel.ru [95.107.2.69] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:10:48 srv sendmail[24162]: STARTTLS=server, relay=[78.90.224.29], version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 6 11:10:50 srv sendmail[24162]: v66GAfoO024162: [78.90.224.29] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
...
Jul 6 11:12:25 srv sendmail[24858]: STARTTLS=server, relay=host53-static.74.169.95.hellotel.net [95.169.74.53] (may be forged), version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 6 11:12:26 srv sendmail[24858]: v66GCHIq024858: host53-static.74.169.95.hellotel.net [95.169.74.53] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:12:29 srv sendmail[24869]: STARTTLS=server, relay=static-digital2-info93.espacodigitalinfo.com.br [177.73.122.92] (may be forged), version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 6 11:12:31 srv sendmail[24869]: v66GCMQ5024869: static-digital2-info93.espacodigitalinfo.com.br [177.73.122.92] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:13:49 srv sendmail[25528]: STARTTLS=server, relay=130-193-72-23.mynetwaydsl.net [130.193.72.23] (may be forged), version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 6 11:13:51 srv sendmail[25528]: v66GDhMg025528: 130-193-72-23.mynetwaydsl.net [130.193.72.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:14:13 srv sendmail[25679]: STARTTLS=server, relay=static-espacodigital.200-3-20-234.espacodigitalinfo.com.br [200.3.20.233] (may be forged), version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 6 11:14:15 srv sendmail[25679]: v66GE68G025679: static-espacodigital.200-3-20-234.espacodigitalinfo.com.br [200.3.20.233] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:15:08 srv sendmail[25991]: STARTTLS=server, relay=[37.236.158.29], version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jul 6 11:15:11 srv sendmail[25991]: v66GEt5t025991: [37.236.158.29] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
All of those "did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA" messages are people trying to send mail through our server with the incorrect password. Part of me would like to collect all of those IP addresses and block all packets from them, since they’re compromised. However, that would be a lot of work. And they could be just like me, someone who had a compromised account that they’re cleaning up. And also like me, they’d like to have their email delivered again once things are back to normal.
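Collecting those addresses from the log is the part that does not have to be a lot of work. The script below is an added example, not something from the post or part of sendmail: it pulls the client IP out of every "did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA" line, counts connections per address, and lists only the addresses that hit a threshold, which is the distinction the post is after between one cleaning-up user and a host that keeps hammering the MSA. The sample log is constructed: the first three lines are copied from the post, the next three use a documentation-range address (192.0.2.10) with made-up queue IDs, and the final STARTTLS line is there to show that lines without the message are ignored.

```python
import re
import sys
from collections import Counter

# Constructed sample input. Lines 1-3 are copied from the post; lines 4-6 are
# constructed (RFC 5737 documentation address, invented queue IDs); line 7 is a
# STARTTLS line from the post that must NOT be counted.
SAMPLE_LOG = """\
Jul 6 11:09:23 srv sendmail[23556]: v66G9Ac7023556: 46-23-137-130.static.podluzi.net [46.23.137.130] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:10:08 srv sendmail[23952]: v66G9xXg023952: 95-107-2-69.dsl.orel.ru [95.107.2.69] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:10:50 srv sendmail[24162]: v66GAfoO024162: [78.90.224.29] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:11:02 srv sendmail[24300]: v66GB2Xy024300: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:11:40 srv sendmail[24411]: v66GBeAb024411: [192.0.2.10] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:12:00 srv sendmail[24500]: v66GC0Cd024500: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Jul 6 11:12:25 srv sendmail[24858]: STARTTLS=server, relay=host53-static.74.169.95.hellotel.net [95.169.74.53] (may be forged), version=TLSv1/SSLv3, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
"""

# The client address is always in square brackets right before the message;
# sendmail may append "(may be forged)" when the reverse DNS does not match.
NOMAIL_RE = re.compile(
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?: \(may be forged\))?"
    r" did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA"
)


def count_no_mail_connections(log_text):
    """Return a Counter mapping client IP -> number of MSA connections
    that were dropped without a MAIL command (the pattern in the post)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = NOMAIL_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def repeat_offenders(counts, threshold):
    """IPs seen at least `threshold` times, busiest first, then by address.
    A threshold of 1 lists everyone; a higher one separates persistent
    sources from a single stray connection."""
    return sorted(
        (ip for ip, n in counts.items() if n >= threshold),
        key=lambda ip: (-counts[ip], ip),
    )


def report(log_text, threshold):
    """Render a one-line-per-IP summary for review before deciding on any block."""
    counts = count_no_mail_connections(log_text)
    return "\n".join(f"{counts[ip]:6d}  {ip}" for ip in repeat_offenders(counts, threshold))


if __name__ == "__main__":
    # Usage: python3 msa_nomail.py /var/log/maillog 5   (path and threshold are assumptions)
    if len(sys.argv) >= 2:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
        limit = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    else:
        text, limit = SAMPLE_LOG, 2
    print(report(text, limit))
```

Run it against the real maillog with a threshold of a few dozen and the output is short enough to eyeball; the addresses that appear once or twice are the ones the post is reluctant to block, and they simply fall below the line.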