Archive for March, 2010

Weak password spammers via Plesk.

Monday, March 1st, 2010

Allowing users to change their own passwords makes life easy for the support staff but a nightmare for the system administrators.

Users will change their passwords to very weak passwords, like: password, qwerty, 12345, 123456, etc.

With such weak passwords one often run into a situation where a spammer probes an email account and guesses the correct password, there by allowing them to send out masses of spam via the account.

Sometimes the spammer makes use of CRAM-MD5 SMTP AUTHENTICATION to send out the email. In these cases, it is quite difficult to determine which email address was compromised.

It is however possible to figure it out with some detective work.

First, we will look at the qmail queue, usually the remote one, since spammer tend to send the spam out on the internet. We will then identify some of the spam emails and then proceed to evaluate each of them.

You will need to view the content of the email. I like to use qmqtool on Plesk qmail-based servers. qmqtool is a powerful and simple companion tool for qmail.

Make a note of the IP addresses from where the spammer is connecting to your server. In all likelihood, this will be from a botnet or compromise ISP network. We will call all these IPs the origin IPs. There could be a lot of them, and they could be from all over or from a few subnets. The principal for detection says the same, you may just need to repeat it a few more times.

With the origin IPs, start logging the spammer’s traffic as follows:

tcpdump -s 0 -w spam-packets.log port 25 \
and host <origin IP>


tcpdump -s 0 -w spam-packets.log port 25 \
and net <origin IP> mask

The above command will dump all the traffic between your server’s port 25 and the origin IP or network to a file called, spam-packets.log. The -s 0 switch tells tcpdump to dump the full packet to the file.

Once you have captured sufficient packets, firewall all the origin IPs and/or networks.

Now the hard work starts.

We now need to analyse the captured packets.

The easiest way is to use the following command:

tcpdump -r spam-packets.log -vvv -XX -A | less

The command will playback all the captured packets in a human readable format, well sort of readable.

Now, try to isolate one of the flows. I found it the easiest to select the flow by the remote source port.

tcpdump -r attack-packets.log -vvv -XX -A \
port <remote_source_port> | less

We now need to find a challenge and response pair in the protocol code.

The easiest is to search for “334 ” in the output, “334 ” is followed by a random 56 byte string. This 56 byte string is the challenge. See the example below:

334 PDIyNTk3LjEyNjczNzUxODdAaGF5ZXMuaG9zdDRhZnJpY2EuY29tPg==

The next packet should be another 56 byte random string, the response, being sent back from the remote to the server, as in the example below:


Now using the challenge an response that you have located above in the data stream, you will be able to locate the email address causing the problem.