Page 1 of 3 123 LastLast
Results 1 to 10 of 25

Thread: help with email spamming.

  1. #1
    Join Date
    Aug 2010
    Beans
    40

    help with email spamming.

    I know I have a pc on my network that is spamming emails as evidence by a few black list sites. Also yahoo keeps rate limiting me. Though I do not see any evidence on the PC's I have running. I have a few PC's and a few android devices. It is rather hard to turn one off at a time and the end results is not easy to detect. Thus its hard to troubleshoot that way. So I want to intercept and use linux to hunt it down. Every thing goes out of my ubuntu server, all traffic. but I'm not a security guru by any means.

    I thought maybe I could use iptables like

    iptables -A INPUT -p tcp -s 192.168.0.0/25 --dport 25 -j LOG --log-level debug

    and tail -f /var/log/kern.log

    and there I see a few messages once a second but it looks like my FW is blocking it.

    Code:
    Nov 24 14:38:48 ubuntuspawn kernel: [6630908.886197] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=185.219.52.172 DST=[myIP] LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=38447 DF PROTO=TCP SPT=41304 DPT=5927 WINDOW=0 RES=0x00 RST URGP=0
    Nov 24 14:38:54 ubuntuspawn kernel: [6630915.201554] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=46.232.211.193 DST=[myIP] LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=24534 DF PROTO=TCP SPT=37905 DPT=40945 WINDOW=64240 RES=0x00 SYN URGP=0
    Nov 24 14:39:11 ubuntuspawn kernel: [6630931.733367] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=185.219.52.172 DST=[myIP] LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=38801 DF PROTO=TCP SPT=48692 DPT=5927 WINDOW=0 RES=0x00 RST URGP=0
    Nov 24 14:39:15 ubuntuspawn kernel: [6630935.532012] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=172.98.68.19 DST=[myIP] LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=55084 DF PROTO=TCP SPT=55145 DPT=40945 WINDOW=64860 RES=0x00 SYN URGP=0
    Nov 24 14:39:33 ubuntuspawn kernel: [6630953.568650] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=61.177.173.11 DST=[myIP] LEN=67 TOS=0x00 PREC=0x00 TTL=47 ID=1181 DF PROTO=TCP SPT=12671 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
    Nov 24 14:39:35 ubuntuspawn kernel: [6630956.301506] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=187.189.88.168 DST=[myIP] LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=17182 PROTO=UDP SPT=10700 DPT=40945 LEN=28
    Nov 24 14:39:49 ubuntuspawn kernel: [6630969.761855] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=185.219.52.172 DST=[myIP] LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=39389 DF PROTO=TCP SPT=7954 DPT=5927 WINDOW=0 RES=0x00 RST URGP=0
    Nov 24 14:39:54 ubuntuspawn kernel: [6630975.263547] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=37.146.57.182 DST=[myIP] LEN=132 TOS=0x00 PREC=0x00 TTL=108 ID=52386 PROTO=UDP SPT=22879 DPT=40945 LEN=112
    Nov 24 14:40:15 ubuntuspawn kernel: [6630996.279388] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=185.159.156.3 DST=[myIP] LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=61920 DF PROTO=TCP SPT=48280 DPT=40945 WINDOW=64240 RES=0x00 SYN URGP=0
    Nov 24 14:40:32 ubuntuspawn kernel: [6631012.854881] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=31.13.65.36 DST=[myIP] LEN=40 TOS=0x0C PREC=0x60 TTL=87 ID=0 DF PROTO=TCP SPT=443 DPT=62644 WINDOW=0 RES=0x00 RST URGP=0
    Nov 24 14:40:32 ubuntuspawn kernel: [6631012.854945] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=31.13.65.36 DST=[myIP] LEN=40 TOS=0x0C PREC=0x60 TTL=87 ID=0 DF PROTO=TCP SPT=443 DPT=62644 WINDOW=0 RES=0x00 RST URGP=0
    Nov 24 14:40:38 ubuntuspawn kernel: [6631018.779255] [UFW BLOCK] IN=enp2s0 OUT= MAC=00:26:18:92:60:c7:4c:12:65:64:39:50:08:00 SRC=95.192.81.202 DST=[myIP] LEN=52 TOS=0x00 PREC=0x00 TTL=238 ID=23544 DF PROTO=TCP SPT=61805 DPT=40945 WINDOW=64240 RES=0x00 SYN URGP=0
    other then that I only see this

    Nov 24 14:30:47 ubuntuspawn kernel: [6630427.637180] CIFS VFS: Free previous auth_key.response = 0000000048575e17


    Is there a better way to go about this?
    Last edited by ulao3; November 24th, 2021 at 05:29 PM.

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: help with email spamming.

    Block all outbound 25/tcp and 465/tcp and 587/tcp from the LAN. Then check which devices are trying to access those ports one at a time and add them to a white list.

    I'm lazy and only allow 1 MTA to email outbound. All LAN clients must use my LAN email gateway to send anything. Typical home users should just know exactly which IP addresses are tied to each device on the LAN, then trace the offender. This means that either static IPs need to be setup or DHCP reservations for all devices, then you can have a "guest" IP range for unknown stuff. When people visit, their wifi stuff gets put on that guest range outside my normal LAN. If there is any abuse, blocking everything for that range is easy.

    If your router is also your DHCP server handing out IPs, then it probably can also provide DHCP reservations - which is a MAC to IP allocation method. Based on the MAC address, when a known client makes a DHCP request, the IP in that table would be provided every time. https://blog.jdpfu.com/2011/07/18/us...ice-management tries to explain - but don't worry. The old way as that article outlines is mostly gone. Current routers have a table with separate fields. The only trick is to reserve IPs for devices you know in a different IP range than for devices you don't know.
    For example, I handle IPs from .90 - .99 for devices I know on my LAN, but guest devices get .240-.250 IPs <--- that's the normal DHCP IP range. For LAN static IPs, I use .1 - .89.
    On IPv4 LANs, use the 'arp' command get get all the current MACs. Run that command from a system they all use. ip neigh is another command that shows MAC-to-IP relations.
    Last edited by TheFu; November 25th, 2021 at 04:31 AM.

  3. #3
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,101
    Distro
    Ubuntu Development Release

    Re: help with email spamming.

    I'm not sure you will catch what you are looking for via the INPUT chain. I would log it, and/or block it, via the FORWARD chain, and with unique log prefixes, for extracting and sorting later on.

    I would also, at least temporarily, monitor all packets using tcpdump (or wireshark, if you prefer). I have been logging every external and most internal packet to and from my main gateway router server for many many years, giving me the ability to back and look at event details after the fact. Here are example commands (modified for herein). External:

    Code:
    sudo tcpdump -i enp1s0 -w 'ext-%F-%H-%M-%S.bin' -G 601 -Z doug
    I do 10 minutes per raw file, with the extra second so that the files do not clobber themselves upon the switch between daylight saving time and standard time, although I do still get an interleaved mess.Internal:
    Code:
    sudo tcpdump -i enp3s0 not port 22 and not port 445 and not port 139 and not port 5001 -w 'int-%F-%H-%M-%S.bin' -G 601 -Z doug
    Where I do not want to capture packets related to high volume internal traffic to/from the server itself, so I exclude some ports.

    Use caution, as this can use a lot of disk space quickly. I have a 1TB HDD dedicated to this.

    EDIT: Oh, and as TheFu suggests, internally I use a DHCP server, but via MAC, so I know the LAN computer for all packets.
    Last edited by Doug S; November 25th, 2021 at 12:27 AM.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  4. #4
    Join Date
    Aug 2010
    Beans
    40

    Re: help with email spamming.

    I do use a DCHP on my linux server, and disable all DHCP on routers.

    I'm not very well versed with tcpdump, but that would be my goto... MY disk space is small so I'd need a way to log only the last X hours.

    can any one explain to me what this means?
    sudo tcpdump -i enp1s0 -w 'ext-%F-%H-%M-%S.bin' -G 601 -Z doug
    I'm not find anything helpful on the net for a z option. I'm guessing 'doug' is a file name? What is it doing with bin files? Do I listen on my out facing or inward facing nic?
    Last edited by ulao3; November 25th, 2021 at 05:15 PM.

  5. #5
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: help with email spamming.

    ALWAYS, ALWAYS, ALWAYS, check the manpages on your local system before running complex commands. The internet has whatever version it likes. Your system has the documentation delivered WITH the exact version of the tool.

    Code:
           -Z user
           --relinquish-privileges=user
                  If tcpdump is running as root, after opening the capture device or  input  savefile,
                  change the user ID to user and the group ID to the primary group of user.
    
                  This behavior is enabled by default (-Z tcpdump), and can be disabled by -Z root.
    That's from the tcpdump manpage on my system. Yours could be different.

  6. #6
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,101
    Distro
    Ubuntu Development Release

    Re: help with email spamming.

    Quote Originally Posted by ulao3 View Post
    can any one explain to me what this means?
    sudo tcpdump -i enp1s0 -w 'ext-%F-%H-%M-%S.bin' -G 601 -Z doug
    Means to run tcpdump on my external network interface card, automatically naming each file with the date and time, 10 minutes and 1 second per file, and root won't own the binary files but doug will. Example:

    Code:
    doug@s15:/media/sdb1/tcpdump/019$ ls -l ext*.bin | tail -4
    -rw-r--r-- 1 doug doug  496623580 Nov 25 10:47 ext-2021-11-25-10-37-43.bin
    -rw-r--r-- 1 doug doug  395349090 Nov 25 10:57 ext-2021-11-25-10-47-47.bin
    -rw-r--r-- 1 doug doug    2369897 Nov 25 11:07 ext-2021-11-25-10-57-48.bin
    -rw-r--r-- 1 doug doug    1056768 Nov 25 11:15 ext-2021-11-25-11-07-51.bin
    It is sometimes more than 601 seconds between file names, because it'll only do the file rotation upon the next need to write after the time expires.
    Now, and based on other log files, say I wanted to investigate in detail something at some specific time. I don't have a specific good example, but say someone trying to access SSH, port 22, (which I picked because I know it is so common):

    Code:
    doug@s15:/media/sdb1/tcpdump/019$ tcpdump -n -tttt -r ext-2021-11-25-10-47-47.bin port 22
    reading from file ext-2021-11-25-10-47-47.bin, link-type EN10MB (Ethernet), snapshot length 262144
    2021-11-25 10:47:52.233181 IP 45.144.225.175.38729 > my ip.22: Flags [S], seq 1571753640, win 65535, length 0
    Quote Originally Posted by ulao3 View Post
    What is it doing with bin files?
    Creating them.

    Quote Originally Posted by ulao3 View Post
    Do I listen on my out facing or inward facing nic?
    I was suggesting both, but maybe internal would be good enough for your use case.
    Last edited by Doug S; November 25th, 2021 at 08:38 PM.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  7. #7
    Join Date
    Aug 2010
    Beans
    40

    Re: help with email spamming.

    well my case "should" be rather obvious. I think its spamming quite a bit.

    I ran this for a few hours. Didnt understated the user thing so left it out.
    sudo tcpdump -i enp2s0 -w 'ext-%F-%H-%M-%S.bin' -G 601

    tcpdump: listening on enp3s5, link-type EN10MB (Ethernet), capture size 262144 bytes
    nothing ever displayed on the console.

    Creating them.
    so it logs to a bin file? That just seems strange if so, I see over 30 files logged in that time and as suggested they are binary file, how do I read that?

    thx for the help do far...

  8. #8
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,101
    Distro
    Ubuntu Development Release

    Re: help with email spamming.

    Quote Originally Posted by ulao3 View Post
    well my case "should" be rather obvious. I think its spamming quite a bit.

    I ran this for a few hours. Didnt understated the user thing so left it out.
    sudo tcpdump -i enp2s0 -w 'ext-%F-%H-%M-%S.bin' -G 601

    tcpdump: listening on enp3s5, link-type EN10MB (Ethernet), capture size 262144 bytes
    nothing ever displayed on the console.

    so it logs to a bin file? That just seems strange if so, I see over 30 files logged in that time and as suggested they are binary file, how do I read that?

    thx for the help do far...
    O.K. without any other insight into where or what file to specifically look at in detail, let's just mindlessly process everything into a reduced information text file. We can always go back later and post process again if needed.

    Code:
    for f in ext*.bin; do tcpdump -n -tttt -r $f >>alle.txt
    for f in int*.bin; do tcpdump -n -tttt -r $f >>alli.txt
    Note: you might have to run it as root, because you left out the user thing.

    Now start looking at those text files for whatever, probably packets to/from specific ports. grep will be very handy at this point.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  9. #9
    Join Date
    Aug 2010
    Beans
    40

    Re: help with email spamming.

    I'm ssh'd in as root, and I only have ext files, no int's but when I run the first command I just a singe > prompt.


    root@ubuntuspawn:~# for f in ext*.bin; do tcpdump -n -tttt -r $f >>alle.txt;
    >

  10. #10
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,101
    Distro
    Ubuntu Development Release

    Re: help with email spamming.

    Sorry, poorly done on my part:

    Code:
    for f in ext*.bin; do tcpdump -n -tttt -r $f >>alle.txt; done
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

Page 1 of 3 123 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •