Author Topic: There is a CWP server vulnerability. Please help me.  (Read 2710 times)


There is a CWP server vulnerability. Please help me.
« on: January 19, 2023, 10:53:52 AM »
Mail is being sent from my domain name against my request on my CWP server. HELP

Please help URGENTLY.
Log records as follows:
helo=87-207-170-128.dynamic.chello.pl, from=qdzftt632@xxx.com.tr, to=qdzftt632@xxx.com.tr,

The domain mentioned here is mine, but I do not have such mails. Spam is constantly being sent.

_dmarc   14400   IN   TXT   "v=DMARC1; p=reject"
@   14400   IN   TXT   "v=spf1 +a +mx +ip4:xxxxxxx ip4:xxxxxxx -all"

Also, it is not possible for them to steal any password from me.

Re: There is a CWP server vulnerability. Please help me.
« Reply #1 on: January 21, 2023, 08:42:38 PM »
Well, yes, there was a vulnerability. But if you have updated to 0.9.8.1148 or newer (we are 2 updates past the vulnerable version), you should be safe. But it sounds as if your Postfix installation is not sufficiently hardened, and perhaps CSF/LFD is not doing all it can do for you. Also, consider installing Mod_Security with the Comodo ruleset.
 

Re: There is a CWP server vulnerability. Please help me.
« Reply #2 on: August 03, 2023, 09:13:42 PM »
Please help me.

from=ferdinand@khe.com, to=ferdinand@khe.com,

They attacked my server again today. The domain khe.com exists, but the mails are not available. It keeps the server busy. What is your recommendation?

Mail Log:
Aug 3 21:32:42 ns85 cbpolicyd[3094]: module=Quotas, action=defer, host=185.208.23.255, helo=255.23.208.185.dynamic.electronicamartinez.es, from=ferdinand@khe.com, to=ferdinand@khe.com, reason=quota_match, policy=9, quota=6, limit=7, track=Sender:@khe.com, counter=MessageCount, quota=51.66/50 (103.3%)

VER: CWP version: 0.9.8.1164


Re: There is a CWP server vulnerability. Please help me.
« Reply #3 on: August 04, 2023, 03:07:46 AM »
Have you hardened your Postfix installation, as I recommended before? Are you making use of postscreen?
https://www.awsmonster.com/how-to-secure-postfixdovecot-on-cwp

Are you making full use of CSF and LFD?

Add to Postfix main.cf:
##//delivery rate controls/restrictions
# Parallel delivery force (local=2 and dest=20 are aggressive)
local_destination_concurrency_limit = 6
default_destination_concurrency_limit = 30
# Max flow rate (1 sec delay per 50 emails/sec over the number of emails delivered/sec)
in_flow_delay = 1s
# Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 10s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
# limit max sends per minute
anvil_rate_time_unit = 60s
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_recipient_rate_limit = 30
smtpd_client_message_rate_limit = 30

Re: There is a CWP server vulnerability. Please help me.
« Reply #4 on: August 04, 2023, 10:44:46 AM »
Thank you for your useful suggestions.
I am using a firewall. I also add manual threads but there are many different threads. Impossible to reach.
I entered the lines you wrote aggressively into the main.cf settings.
But the bombardment continues.
The interesting thing is that he sends the mail inside, not outside.
How do I restrict the domain from sending mail to itself?

Re: There is a CWP server vulnerability. Please help me.
« Reply #5 on: August 07, 2023, 06:13:35 PM »
My mail server looks like a caravanserai. :-[

Aug 7 20:49:08 ns85 cbpolicyd[20875]: module=Quotas, mode=update, host=35.190.144.99, helo=ytvzrldycp, from=erkakxnzbd@yahoo.com, to=dsfhgsdfsds@outlook.com, reason=quota_update, policy=9, quota=6, limit=7, track=Sender:@yahoo.com, counter=MessageCount, quota=1.00/50 (2.0%)
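The cbpolicyd lines quoted in Reply #2 and here share one key=value layout. The following is an added example, not code from the thread or from CWP, that parses such lines and flags what the posters describe: a hosted domain used as envelope sender from an untrusted host, self-addressed messages, and dynamic or bare HELO names. MY_DOMAINS and TRUSTED_HOSTS are assumptions, and the third sample line is constructed.

```python
import re
# Assumptions for this example: domains hosted on the server, and hosts allowed to
# use them as envelope sender without suspicion (roughly Postfix $mynetworks).
MY_DOMAINS = {"khe.com"}
TRUSTED_HOSTS = {"127.0.0.1"}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ cbpolicyd\[\d+\]: (?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=([^,]*)")

# Two lines quoted in the thread plus one constructed local delivery for contrast.
SAMPLE_LOG = """\
Aug 3 21:32:42 ns85 cbpolicyd[3094]: module=Quotas, action=defer, host=185.208.23.255, helo=255.23.208.185.dynamic.electronicamartinez.es, from=ferdinand@khe.com, to=ferdinand@khe.com, reason=quota_match, policy=9, quota=6, limit=7, track=Sender:@khe.com, counter=MessageCount, quota=51.66/50 (103.3%)
Aug 7 20:49:08 ns85 cbpolicyd[20875]: module=Quotas, mode=update, host=35.190.144.99, helo=ytvzrldycp, from=erkakxnzbd@yahoo.com, to=dsfhgsdfsds@outlook.com, reason=quota_update, policy=9, quota=6, limit=7, track=Sender:@yahoo.com, counter=MessageCount, quota=1.00/50 (2.0%)
Aug 7 21:00:00 ns85 cbpolicyd[20875]: module=Quotas, mode=update, host=127.0.0.1, helo=ns85, from=info@khe.com, to=customer@example.org, reason=quota_update, policy=9, quota=6, limit=7, track=Sender:@khe.com, counter=MessageCount, quota=2.00/50 (4.0%)
"""

def parse_line(line):
    """Split one cbpolicyd line into its key=value fields; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for key, value in FIELD_RE.findall(m.group("body")):
        fields.setdefault(key, value.strip())  # 'quota' repeats; keep the quota id
    return fields

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def classify(fields):
    """Reasons a message looks like the abuse in the thread; empty list means clean."""
    if fields.get("host") in TRUSTED_HOSTS:
        return []  # local or authenticated submission, not judged by these rules
    sender, rcpt, helo = (fields.get(k, "") for k in ("from", "to", "helo"))
    reasons = []
    if domain_of(sender) in MY_DOMAINS:
        reasons.append("local domain used as sender by untrusted host")
    if sender and sender == rcpt:
        reasons.append("self-addressed message")
    if "dynamic" in helo.lower() or "." not in helo:
        reasons.append("dynamic or bare HELO name")
    return reasons

def audit(log_text):
    """Return (host, sender, reasons) for every line that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and (reasons := classify(fields)):
            findings.append((fields["host"], fields["from"], reasons))
    return findings
```

Running audit() over /var/log/maillog output of this shape gives a per-host list of offenders to feed into CSF/LFD deny rules or to confirm that the sender restrictions are taking effect.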

Re: There is a CWP server vulnerability. Please help me.
« Reply #6 on: August 07, 2023, 06:54:35 PM »
Maybe in the other thread you should just post your whole main.cf and master.cf so we can take a look and offer suggestions. Have you followed the AWS Monster guide to hardening Postfix with CWP? Are you running SpamAssassin?

Re: There is a CWP server vulnerability. Please help me.
« Reply #7 on: August 08, 2023, 01:24:13 AM »

Re: rogue script using php mail function
« Reply #8 on: August 08, 2023, 01:07:19 PM »
Head slap -- yes, I forgot to mention that one because I have php mailer functionality disabled on all my servers as a matter of course during setup. To me it's lazy coding and from a bygone era to rely on the convenience but total lack of accountability and compartmentalization with the php mail function. I require all clients to create a dedicated outbound SMTP user, and they can then plug those authentication details into whatever CMS or contact form requires outbound mail sending. So then you have accountability and proper logging, as well as proper postscreen controls and rate limits in place with Postfix.

Re: There is a CWP server vulnerability. Please help me.
« Reply #9 on: August 09, 2023, 06:13:12 AM »
Thank you Starburst and overseer. If the php mail function is left on, mail can be sent from non-existent mailboxes. Very logical. I edited the php.ini file as follows.

PHP.INI

[mail function]
; For Win32 only.
SMTP = localhost
smtp_port = 25

When I delete them, sending mail via php will stop. Of course after reboot. In addition, PhpMailer script is necessary because it can send via smtp in website contact forms. I hope this method prevents mass spam output from accounts not on my server.
« Last Edit: August 09, 2023, 06:38:04 AM by umtu06 »