On the 7th of May at 2:07 CEST, OVH's anti-spam filters detected a number of
outgoing mails from mail.ignore.pl sent as info@ignore.pl.
The content is irrelevant, since it was plain old lies; I had no part in
sending them. Under no circumstances believe e-mails sent from
info@ignore.pl. I do not plan to use this address for anything. Luckily,
this domain name is somewhat of a joke.
At least 110,837 e-mails were queued for sending, starting on May 5 at
19:42:50 CEST. A bit over one day later, on May 7 at 2:07, OVH detected
the outgoing spam and correctly blocked egress on port 25. Some test
e-mails with arbitrary sender addresses were sent first; only afterwards
were the e-mails adjusted to use "info@ignore.pl" as the sender. I purged
the mail queue on the 7th, when it held around 97,792 e-mails.
The number of e-mails actually delivered is hard to estimate, since their
spam scores were, on average, extremely high.
As expected, the server landed on a few spam lists (I expected more),
including Google's and Spamhaus's. This is likely the only meaningful
outcome of the entire gig.
Now, how did it happen?
My e-mail server configuration uses Dovecot and Postfix (plus
some additions). Dovecot hosts a SASL service that Postfix uses to
authenticate senders. Dovecot in turn uses PAM for its part of the
authentication, which here is pam_unix.so. On Debian, the Dovecot package
by default installs a PAM configuration with the following content:
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
There, in turn, we see the common-* configuration provided by Debian;
an excerpt from common-auth:
auth [success=1 default=ignore] pam_unix.so nullok
nullok allows a user to be authenticated with an empty (or deleted)
password. This is not normally a problem since, for example, OpenSSH
ships with the PermitEmptyPasswords option pre-configured to "no".
Of course, SSH defaults do not apply to Dovecot, and it so happened
that one of the generic users on this server had a deleted
password, allowing the attacker to authenticate.
From here, I:
- disabled nullok for pam_unix,
- added a couple of bonus reinforcements,
- enabled the self-spam check, which had been disabled in amavis,
- plan to monitor the server activity better.
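As an added example (not part of the original post, and not the author's own scripts), the following POSIX shell audits a host for the two conditions described above: nullok reaching pam_unix.so through the @include chain of a Dovecot PAM stack, and accounts whose shadow password field is empty. It also prints common-auth with nullok stripped, the first fix listed. The file paths are arguments, and the demo runs against a constructed copy of the configuration quoted above, with made-up account names.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Dovecot/Debian host
# for the two conditions the write-up describes: "nullok" on pam_unix.so
# somewhere in the PAM stack that /etc/pam.d/dovecot @includes, and
# accounts whose /etc/shadow password field is empty. Paths are arguments
# so the functions can run against copies or the constructed samples below.

# List accounts whose second shadow field is empty; with nullok these
# accounts authenticate with no password at all.
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print every "auth" line in the PAM stack rooted at file $2 (relative to
# the PAM directory $1) that passes nullok to pam_unix.so, following @include.
nullok_auth_lines() {
    _dir=$1; _f="$1/$2"
    [ -f "$_f" ] || return 0
    grep -E '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*[[:space:]]nullok' "$_f" || true
    for inc in $(awk '$1 == "@include" { print $2 }' "$_f"); do
        nullok_auth_lines "$_dir" "$inc"
    done
}

# Print the PAM file with the nullok option removed (the post's first fix),
# so the result can be diffed before being installed.
strip_nullok() {
    sed -E 's/[[:space:]]+nullok([[:space:]]|$)/\1/g' "$1"
}

# Constructed sample stack and shadow file mirroring the configuration
# quoted in the post; account names and the hash are made up.
demo() {
    d=$(mktemp -d)
    printf '#%%PAM-1.0\n@include common-auth\n@include common-account\n' > "$d/dovecot"
    printf 'auth [success=1 default=ignore] pam_unix.so nullok\n' > "$d/common-auth"
    printf 'account [success=1 default=ignore] pam_unix.so\n' > "$d/common-account"
    printf 'root:$6$constructed$hash:19000:0:99999:7:::\n' > "$d/shadow"
    printf 'backup::19000:0:99999:7:::\n' >> "$d/shadow"
    printf 'www-data:*:19000:0:99999:7:::\n' >> "$d/shadow"
    echo "nullok in Dovecot's PAM stack:";   nullok_auth_lines "$d" dovecot
    echo "accounts with an empty password:"; empty_password_users "$d/shadow"
    echo "hardened common-auth:";            strip_nullok "$d/common-auth"
    rm -rf "$d"
}

demo
```

On a real host, point nullok_auth_lines at /etc/pam.d with the service file "dovecot" and empty_password_users at /etc/shadow (as root); an account listed by the second while the first prints anything is exactly the situation the post describes.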
I'm still waiting for someone to kick rudone instance in the ass.
See you next time!