Compromised account sending spam through GWIA

  • 7021410
  • 14-Sep-2017
  • 17-Oct-2019

Environment

GroupWise
SUSE Linux Enterprise Server

Situation

One or more user accounts are being used to relay spam mail through the GroupWise Internet Agent (GWIA).
Thousands (lots) of messages are stuck in the send queue.
Thousands (lots) of messages are filling up the defer queue.
Potentially, thousands of messages are in the receive queue.
POA logs have an unusual amount of logins from one or a few users, indicative of a brute-force attack.
These issues may prevent users from sending outbound mail, or make outbound mail slow or delayed.
Outbound mail is slow, delayed or stuck.

Resolution

  1. Identify potentially compromised user accounts:
    • To identify users with an unusually high number of login attempts (i.e. brute-force):
      • Navigate to the POA Console in a browser
      • View the POA log files
      • Search recent logs for "C/S Login"
      • Identify any users that are logging in too frequently to be humanly possible
    • To identify users with the most outbound emails (likely compromised):
      • From a terminal on the gwia server, navigate to the gwia directory:
        /domain_folder/wpgate/gwia
        Note: replace the above with the appropriate path.
      • Check both the defer and send directories with the following command (cd into each directory first and run it there):
        grep -RPo "(?<=<EmailAddress>)[^<]*(?=</EmailAddress>)" ./ | cut -d ':' -f2- | sort | uniq -c | sort -n | less
      • Identify the users with an unusually high or suspicious amount of emails. It is likely that these may be compromised accounts.

  2. (conditional) If any accounts have been determined to be compromised, please follow the steps below to disable login:
    • From the GroupWise Administration Console, select the Users tab.
    • Repeat the following steps for each compromised account:
      • Check "Disable Logins" and click Save.
      • (conditional) If the user can't be disabled, simply change the user's password (please make it more complex).

  3. Please follow the steps below to help secure the system from future attacks:
    • (optional) Consider disabling SMTP Relay:
      • From the GroupWise Administration Console
      • Select the GWIA object > Access Control > SMTP Relay Settings
      • Verify Prevent message relaying has been selected and click Save.
    • Enable GWIA Security Settings:
      • From the GroupWise Administration Console
      • Select the GWIA object > SMTP/MIME > Security Settings
      • Select Reject if PTR record does not exist
        • Note: Do not enable this if using any Outlook clients. Each Outlook user is considered its own SMTP sender and would need its own PTR record.
      • Select Enable mailbomb protection
        Note: These settings protect against spam attacks; click the '?' at the top right of the GWIA window to read what each one does specifically.

  4. From a terminal on the GWIA server, clean out bad items in send and defer directories:
    • Follow the steps below to clean up the send directory:
      • Change working directory to send:
        cd /domain_folder/wpgate/gwia/send
      • Count how many items are there:
        ls | wc -l
      • Create a temp directory to move the spam emails into:
        mkdir /tmp/spam/
      • Move all items sent from each compromised user's email address to the spam directory:
        for file in $(grep -rl "<EmailAddress>username@domain.com</EmailAddress>" *); do mv -v "$file" /tmp/spam/; done
        Note: This loop moves each message in the present working directory whose sender matches 'username@domain.com' to the /tmp/spam directory created above. Replace the email address with the compromised address.
      • Alternatively, delete all items in the Present Working Directory (PWD) that were sent from the problem user's email address (the pattern must be quoted, otherwise the shell treats the angle brackets as redirections):
        grep -lrIZ "<EmailAddress>username@domain.com</EmailAddress>" . | xargs -0 rm -fv --
    • Change working directory to defer and repeat the above steps:
      cd ../defer
    • Change working directory to receive and repeat the above steps
      cd ../receive
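An added shell example, not part of the TID, that combines the queue check from step 1 with the clean-up from step 4: one function ranks senders in a queue directory, the other moves every message from a given address into a quarantine directory using NUL-separated file lists so unusual filenames are handled safely. It assumes, as the TID's own grep commands do, that each queue file names the sender in an <EmailAddress> element; the directory paths and the address are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the TID. Assumes queue files carry the sender in an
# <EmailAddress>...</EmailAddress> element, as the TID's own grep commands do.
# Usage on the GWIA server (paths are the TID's placeholders):
#   top_senders /domain_folder/wpgate/gwia/send
#   quarantine_sender /domain_folder/wpgate/gwia/send bad@example.com /tmp/spam

# Print "count address" for every EmailAddress element found under DIR,
# highest count first, so a compromised account stands out at the top.
top_senders() {
    dir=$1
    grep -rIoh '<EmailAddress>[^<]*</EmailAddress>' "$dir" |
        sed 's/<[^>]*>//g' |
        sort | uniq -c | sort -rn
}

# Move every file under DIR whose EmailAddress is exactly ADDR into DEST
# (created if missing) and print how many files were moved. -F treats the
# address as a fixed string; -Z/-0 keep filenames with spaces intact.
quarantine_sender() {
    dir=$1; addr=$2; dest=$3
    mkdir -p "$dest"
    grep -rlIFZ -- "<EmailAddress>$addr</EmailAddress>" "$dir" |
        xargs -0 -r -I{} mv -v {} "$dest"/ | wc -l | tr -d ' '
}
```

Run top_senders on send, defer and receive in turn, then quarantine_sender once per compromised address and directory, as step 4 does by hand.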

Cause

One or more user accounts have been compromised, and an attacker is authenticating to the GWIA and using it to send spam to external recipients. This causes a build-up of messages in the 'send' and 'defer' queues.

Additional Information

How to verify a user's login has been disabled:
  • In order to log in, the authentication prompt expects the credentials to be base64 encoded, so prepare them first.
  • From a terminal window, determine the base64 encoded strings for both username and password (use -n so the trailing newline is not encoded as part of the credential):
    echo -n "userid" | base64
    echo -n "password" | base64

    Note: The above outputs will be needed during login below.
  • Establish a connection with the SMTP server:
    openssl s_client -starttls smtp -crlf -connect <gwiaserver>:587
    Note: Replace <gwiaserver> with the appropriate GWIA DNS name or IP address.
  • When the connection is successful, please enter the following:
    Note: Replace with appropriate smtp hostname, username, password.
    ehlo <hostname.domain.com>
    AUTH LOGIN
    <Enter the base64 encoded username from above>
    <Enter the base64 encoded password from above>
  • If user login has been successfully disabled, then this response is displayed:
    501 Authentication failed
  • For example:
    250 STARTTLS
    ehlo smtpserver.com
    250-smtpserver.com
    250-AUTH LOGIN
    250-8BITMIME
    250-SIZE
    250 DSN
    AUTH LOGIN
    334 VXNlcm5hbWU6
    dXNlcjIK
    334 UGFzc3dvcmQ6
    dXNlcjIK
    501 Authentication failed
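An added shell example, not from the TID, that scripts the manual AUTH LOGIN check above: it base64-encodes the credentials without the trailing newline a plain echo would include (the transcript's dXNlcjIK decodes to "user2" followed by a newline), feeds the dialogue to openssl s_client, and classifies the server's reply. It assumes GWIA listens on port 587 with STARTTLS as in the TID, that "235" is the accepted-credentials reply (RFC 4954), and that hostname, user id and password are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the TID. Assumes GWIA on port 587 with STARTTLS
# (as in the TID); host, user id and password come from the caller. DELAY
# paces the dialogue so the server can answer each line (DELAY=0 for tests).
DELAY=${DELAY:-1}

# Base64 of exactly the given string. `echo "x" | base64` would encode "x\n",
# so the server would see a user id with a trailing newline.
b64() {
    printf '%s' "$1" | base64
}

# Client side of the exchange: EHLO, AUTH LOGIN, encoded user, encoded
# password, QUIT. Arguments: hostname, user id, password.
auth_login_script() {
    printf 'ehlo %s\n' "$1"; sleep "$DELAY"
    printf 'AUTH LOGIN\n';   sleep "$DELAY"
    b64 "$2";                sleep "$DELAY"
    b64 "$3";                sleep "$DELAY"
    printf 'QUIT\n'
}

# Exit 0 when the server answers "501 Authentication failed" (login disabled
# or credentials rejected), 1 on "235" (RFC 4954: accepted, so the account is
# still usable), 2 when neither reply was seen. -quiet implies -ign_eof, so
# the session stays open until the server closes it after QUIT.
check_login_disabled() {
    host=$1; user=$2; pass=$3
    reply=$(auth_login_script "$host" "$user" "$pass" |
        openssl s_client -quiet -starttls smtp -crlf -connect "$host:587" 2>/dev/null)
    case $reply in
        *"501 Authentication failed"*) return 0 ;;
        *"235 "*)                      return 1 ;;
        *)                             return 2 ;;
    esac
}
```

Call check_login_disabled gwiaserver userid password after disabling the account; a return of 1 means the account can still authenticate and should be revisited.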