Email compromised?

Status
Not open for further replies.

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
Hi all,

My FreeNAS box (FreeNAS-8.3.0-RELEASE-x64 (r12701M)) runs smoothly, sending me my daily security run output through mail.

However, I received a failure notice from my hosting provider's mailer-daemon stating
Code:
Hi. This is the qmail-send program at server.hostingprovider.xx.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

Followed by a couple of e-mail addresses I don't recognize and I certainly know never to have entered into my NAS box.

I'm beginning to fear that perhaps my box might have been compromised? How can I troubleshoot this, learn more about the FreeNAS mail system and configuration, and most importantly stop this and prevent this from ever happening again?

Any help would be thoroughly appreciated!

Thanks already,
Memel

PS: has anyone ever encountered the same issue? How did you solve this?
 

Milhouse

Guru
Joined
Jun 1, 2011
Messages
564
I get loads of spam emails on my Google Apps mail account impersonating my account domain (for example, d82328xyz@mydomain.com i.e. something random at my domain), that are sent to random individuals that don't exist and so fail to be delivered, meaning I get all the bounces. There is no solution, other than spam filters.

In your case, was the email that could not be delivered actually sent from your FreeNAS box? Is your FreeNAS box accessible from the internet (if not, it's less likely to be compromised)?

The best way to troubleshoot it is to look at the headers on the email you received and see where it originated from (should be your box, but most likely the random IP address of a compromised host).
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
The mail that bounces is the daily security run e-mail that my FreeNAS box sends me (which is attached to the failure notice I receive). I compared the headers of the bounced message with the e-mail I received correctly; those are identical.

My FreeNAS box is reachable from the internet through the GUI and SSH (set up to use key authentication only).
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Your FreeNAS box attempts to send the daily mails to the e-mail address associated with the root user. Check there, first.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
Checked that already (with the GUI), just the one address I specified. Perhaps I should look in some configuration file? Don't know which one though.
 

Milhouse

Guru
Joined
Jun 1, 2011
Messages
564
Maybe posting additional info might help ring some bells - such as the headers (without any information personal to you), and the additional email addresses you don't recognise.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
The e-mail address associated with my root account is name@mydomain.xx. The security run, however, gets sent to root@myprovider.xx (which is a bug I've already read about. Test e-mails get sent to the correct account).

I hope this still makes some sense:
Code:
Return-path: <myserver@mydomain.xx>
Delivered-to: 117-name@mydomain.xx
Received: (qmail 12351 invoked from network); 5 Nov 2012 03:01:07 +0100
Received: from smtp-vbr11.myprovider.xx (aaa.bbb.ccc.ddd) by server.hostingprovider.xx with SMTP; 5 Nov 2012 03:01:07 +0100
Received: from localhost.my.domain (somecode.adsl.myprovider.xx [eee.fff.ggg.hhh]) (authenticated bits=0) by smtp-vbr11.myprovider.xx (iii.jjj.kkk/iii.jjj.kkk) with ESMTP id qA5212WS018679 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <name@mydomain.xx>; Mon, 5 Nov 2012 03:01:07 +0100 (CET) (envelope-from myserver@mydomain.xx)
Message-id: <201211050201.qA5212WS018679@smtp-vbr11.myprovider.xx>
Content-type: text/plain; charset="utf-8"
Mime-version: 1.0
Content-transfer-encoding: 7bit
Subject: myserver.local security run output
From: myserver@mydomain.xx
To: root@myprovider.xx
Date: Mon, 05 Nov 2012 02:01:01 -0000 (05-11-12 03:01:01)
X-virus-scanned: by myprovider Virus Scanner
X-spam-checker-version: SpamAssassin 2.63 (2004-01-11) on  server.hostingprovider.xx
X-spam-level: 
X-spam-status: No, hits=0.3 required=7.0 tests=NO_REAL_NAME autolearn=no  version=2.63
X-evolution-pop3-uid: UID529-1334675225
X-evolution-source: 1334672609.3895.5@anotherbox
X-evolution-source: local


The addresses I've never seen before:
Code:
<dampierquarterhorses@telenet.be>:
195.130.132.49 does not like recipient.
Remote host said: 550 5.1.1 Recipient address rejected: User Unknown
Giving up on 195.130.132.49.

<info@mmhorsetraining.nl>:
91.213.69.175 does not like recipient.
Remote host said: 550 "Unknown User"
Giving up on 91.213.69.175.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
The important bit is

Received: from localhost.my.domain (somecode.adsl.myprovider.xx [eee.fff.ggg.hhh]) (authenticated bits=0) by smtp-vbr11.myprovider.xx (iii.jjj.kkk/iii.jjj.kkk) with ESMTP id qA5212WS018679 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <name@mydomain.xx>; Mon, 5 Nov 2012 03:01:07 +0100 (CET) (envelope-from myserver@mydomain.xx)

which implies that the quoted message is correct up to the point it is received by myprovider.xx. This doesn't look like a FreeNAS issue.

You're not showing us why you feel the bounce you're describing is related to the quoted message, though, so perhaps you can explain the bounce message in more detail.
 
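The header-reading approach suggested in the replies above, as an added example that is not part of the thread: it walks the Received chain oldest-first, reports which peer submitted the message with SMTP AUTH (to compare against your own box's address), and flags a To: address that differs from Delivered-to, which is the sign of forwarding or alias expansion downstream of the submitting host. The sample headers are constructed to mirror the block quoted earlier, with the same placeholder hostnames and addresses.

```python
import re
from email import message_from_string

# Constructed sample mirroring the header block quoted in the thread
# (same placeholder hostnames and addresses; not a real capture).
SAMPLE_HEADERS = """\
Return-path: <myserver@mydomain.xx>
Delivered-to: 117-name@mydomain.xx
Received: (qmail 12351 invoked from network); 5 Nov 2012 03:01:07 +0100
Received: from smtp-vbr11.myprovider.xx (aaa.bbb.ccc.ddd) by server.hostingprovider.xx with SMTP; 5 Nov 2012 03:01:07 +0100
Received: from localhost.my.domain (somecode.adsl.myprovider.xx [eee.fff.ggg.hhh]) (authenticated bits=0) by smtp-vbr11.myprovider.xx with ESMTP id qA5212WS018679 for <name@mydomain.xx>; Mon, 5 Nov 2012 03:01:07 +0100 (CET)
From: myserver@mydomain.xx
To: root@myprovider.xx
Subject: myserver.local security run output
"""

# "from <helo> (<peer info>) ... by <receiving host>"; the qmail local
# handoff line has no "by" clause and deliberately does not match.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<peer>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return the Received chain oldest-first, one dict per hop."""
    msg = message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(line)
        hops.append({
            "helo": m.group("helo") if m else None,
            "peer": m.group("peer") if m else None,
            "by": m.group("by") if m else None,
            "authenticated": "authenticated" in line,
        })
    return hops

def analyze(raw):
    """Pick out what a defender checks: who injected the mail, and where it went."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    origin = next((h for h in hops if h["by"]), None)  # first real SMTP hop
    findings = []
    if origin and origin["authenticated"]:
        findings.append("submitted with SMTP AUTH to %s from %s" % (origin["by"], origin["peer"]))
    to_hdr, delivered = msg.get("To", ""), msg.get("Delivered-to", "")
    if to_hdr and to_hdr.lower() not in delivered.lower():
        findings.append("To: %s but Delivered-to: %s (forwarding/alias expansion after submission)" % (to_hdr, delivered))
    return {"origin_peer": origin["peer"] if origin else None, "findings": findings}

if __name__ == "__main__":
    print(analyze(SAMPLE_HEADERS))
```

If the origin peer is not your NAS's public address, the message was injected by some other host using your provider's submission server, which is the case to investigate; if it is your NAS, the bounce is a downstream forwarding problem, as the replies suggest.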

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Saeed A Siddiki has 7 posts today, and 6 from yesterday, all asking the same question. Please, forum moderators, do something. This is just out of control. I thought I made it clear yesterday when I posted to all of his threads to stop, but he's back today.

He needs to be banned, prevented from posting, or something, until he understands that posting to multiple threads won't give you more answers. Not to mention that his question doesn't have much to do with the threads he's posting in.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
I'm sorry I haven't been clear enough. The daily security run from my FreeNAS box should get sent to name@mydomain.xx (which I specified in the GUI as root e-mail), but gets sent to root@myprovider.xx instead (not the biggest problem).

However, the failure notice I received from my hosting provider (which hosts mydomain.xx) consists of the message stated in my first post, followed by the two e-mail addresses and a copy of the message, which happens to be my daily security run. Somehow this message (originating from my FreeNAS box) is being sent (unsuccessfully) to two unknown recipients. Although I'm a noob when it comes to e-mail servers etc., I'd like to find out the possible cause of this 'phenomenon'. You'll have to agree with me that the idea of being 'hacked' somewhere isn't very appealing :(

The SMTP server my FreeNAS box is using is the one from myprovider.xx, since myhostingprovider.xx doesn't provide one. Could one of my accounts possibly be compromised?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Ah. I'm guessing that your hosting provider is forwarding the messages on to those addresses, and it is failing. It's not originating from your FreeNAS box, because your FreeNAS box does not have a functional MTA. The security report is being generated by FreeNAS, submitted to your hosting provider's mail server for <root@myprovider.xx>, which myprovider is expanding to the addresses in question. You can test this easily enough. Set your root user to send e-mail to <root@myprovider.xx> *too*. See if you then get a bounce of your daily run output that looks like the bounce you're getting for security run output.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
Thanks! I will give it a try and let you know.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
@jgreco

Well, I tried to add an extra e-mail address to my root user using the GUI, but I didn't succeed ("invalid e-mail address"), so I just changed the address. Obviously I received nothing at all, not even my daily security run.

Is there a configuration file I can edit so my root user will have two e-mail addresses?
 

Stephens

Patron
Joined
Jun 19, 2012
Messages
496
Exactly what's in the field for the root user's e-mail address? Did you separate the two email addresses by space, comma, or semicolon?
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
Just "root@myprovider.xx".

I've tried space, comma and (semi)colon, even enclosed the addresses in brackets (<abc@def.gh>), but none of it is being accepted.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
No, I didn't want *you* to add a second address. I wanted you to *change* it to <root@myprovider.xx> and see what happens. Your box is pretty obviously sending on to "myprovider.xx"'s mail server, which seems to be expanding "root@myprovider.xx" to multiple addresses.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
@jgreco

I did change it to <root@myprovider> first, but then I didn't receive anything at all. When I changed it back to the former address, I received all of the queued messages.
 