
I am getting "Undelivered Mail Returned to Sender" messages. The relevant mail messages are being forwarded using a valid user (mike@proactech.com) on my server (server1.nbicharts.com). I control that email address, so it is not me that's doing the forwarding. I have tested that my server is not an open relay so I need help on how to track the vulnerability that is allowing this to happen. I presume that although I am seeing only the undelivered messages, there must be more that are being delivered.

Any help will be greatly appreciated.

Here is a typical message:

        This is the mail system at host server1.nbicharts.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

                   The mail system

<hrrecruitmentcell@tvssons.com>: host b.as.safentrix.com[23.239.12.179] said:
    550 5.1.1 <hrrecruitmentcell@tvssons.com>: Recipient address rejected: User
    unknown (in reply to RCPT TO command)



Reporting-MTA: dns; server1.nbicharts.com
X-Postfix-Queue-ID: D7340580C88
X-Postfix-Sender: rfc822; mike@proactech.com
Arrival-Date: Sat, 25 Jul 2015 06:35:04 -0400 (EDT)

Final-Recipient: rfc822; hrrecruitmentcell@tvssons.com
Original-Recipient: rfc822;hrrecruitmentcell@tvssons.com
Action: failed
Status: 5.1.1
Remote-MTA: dns; b.as.safentrix.com
Diagnostic-Code: smtp; 550 5.1.1 <hrrecruitmentcell@tvssons.com>: Recipient
    address rejected: User unknown


ForwardedMessage.eml
Subject: Reply: kavithamai
From: kavithamai <mike@proactech.com>
Date: 07/25/2015 01:35 AM
To: "hrrecruitmentcell" <hrrecruitmentcell@tvssons.com>

Begin forwarded message

>  
>>
>>> http://freefinancialstresstest.com/lazbqala.php?kavithamai
>
> From: Kavithamai -kavithamai@yahoo.co.in-
> Date: Fri, 25 Jul 2015 11:35:04 +0000
> To: Hrrecruitmentcell
> Subject: Re: Fwd
>
> 7/25/2015 11:35:04 AM

Sent from my iPad

Here is the mail.log:

Jul 25 06:35:06 server1 postfix/smtp[18650]: D7340580C88: to=<hrrecruitmentcell@tvssons.com>, relay=b.as.safentrix.com[23.239.12.179]:25, delay=1.8, delays=1.1/0/0.45/0.2, dsn=5.1.1, status=bounced (host b.as.safentrix.com[23.239.12.179] said: 550 5.1.1 <hrrecruitmentcell@tvssons.com>: Recipient address rejected: User unknown (in reply to RCPT TO command))
masegaloeh (18,498)

2 Answers


You've done some digging, and found that the original outbound email was sent through your server. That means that, unusually in such cases, you weren't joe-jobbed.

Digging through the logs has shown that the user in question authenticated to send email from Orange Slovakia, which will most likely be a mobile connection. You should ask this user why he's authenticating to send mail from Slovakia.

If he intended to send this mail, you should evaluate his actions in light of your Acceptable Use Policy. If he didn't intend to send it, then his account, and probably his mobile computing equipment, has been compromised; he should engage in appropriate cleanup, and you should lock his account until you're satisfied that he has done so satisfactorily, again depending on your AUP to justify your actions.

MadHatter (81,580)
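The answer above rests on correlating the bounced queue ID in mail.log with the smtpd SASL login that submitted the message. As an added example (not from the question or either answer), this Python script does that correlation over constructed Postfix log lines and flags authenticated submissions from outside an assumed trusted network; the IP ranges, hostnames and sample lines are invented.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Postfix's smtpd/smtp log format (not the poster's log).
SAMPLE_LOG = """\
Jul 25 06:35:04 server1 postfix/smtpd[18640]: D7340580C88: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=mike@proactech.com
Jul 25 06:35:06 server1 postfix/smtp[18650]: D7340580C88: to=<hrrecruitmentcell@tvssons.com>, relay=b.as.safentrix.com[23.239.12.179]:25, delay=1.8, dsn=5.1.1, status=bounced (host b.as.safentrix.com[23.239.12.179] said: 550 5.1.1 Recipient address rejected: User unknown)
Jul 25 06:35:09 server1 postfix/smtpd[18640]: A1B2C3D4E5F6: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=mike@proactech.com
Jul 25 08:12:41 server1 postfix/smtpd[18702]: F00DFACE0001: client=office.example[198.51.100.7], sasl_method=PLAIN, sasl_username=mike@proactech.com
"""

# Assumption: networks from which this user legitimately submits mail.
TRUSTED_NETS = [ip_network("198.51.100.0/24")]

# smtpd line recording a SASL-authenticated submission: queue ID, client IP, username.
AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=[^\s\[]+\[(?P<ip>[^\]]+)\]"
    r".*sasl_username=(?P<user>\S+)"
)
# smtp (delivery) line for the same queue ID that ended in a bounce.
BOUNCE_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): .*status=bounced")


def analyze(log_text):
    """Return {sasl_username: [events]} for submissions that came from an
    untrusted network or that later bounced; each event carries the queue ID,
    source IP and both flags, so the admin can see which login to investigate."""
    auth_by_qid = {}
    bounced_qids = set()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            auth_by_qid[m["qid"]] = (m["user"], m["ip"])
        b = BOUNCE_RE.search(line)
        if b:
            bounced_qids.add(b["qid"])

    findings = defaultdict(list)
    for qid, (user, ip) in auth_by_qid.items():
        addr = ip_address(ip)
        untrusted = not any(addr in net for net in TRUSTED_NETS)
        bounced = qid in bounced_qids
        if untrusted or bounced:
            findings[user].append(
                {"qid": qid, "ip": ip, "untrusted_source": untrusted, "bounced": bounced}
            )
    return dict(findings)
```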

More likely than a server vulnerability being exploited, this looks like source address spoofing. One of the methods to deal with this (though not entirely mitigate it) is to use SPF records.

There are currently no SPF records for the proactech.com domain. This means that the target mail servers cannot verify whether an incoming message comes from your mail server (legitimate) or some other (not legitimate).

If you install SPF records, the target systems (that are sending you bounce messages) that check validity of SPF records (and there are many of them today) will reject any incoming messages from servers that are not allowed by these SPF records and they will not try to deliver such messages. This means no bounces to you.

You can also consider installing DKIM, which is another feature that can help you mitigate a part of the problem. I do think SPF is checked more widely than DKIM, so the first thing to do is SPF, but if it is possible, also install DKIM, just to make sure you have done the best you could.

Wapac (662)