Phishing reports, domain blocked

Hello!

I’ve been running mailinabox for years now with 0 problems. Today I woke up to find all services unavailable. My domain name capanema.me seemed to have simply vanished (no NS records at all).

After contacting my registrar (Gandi.net), they told me:

The following domains under your sponsorship have been suspended for reported abuse.

Details are below.
‘ZH-Phishing’

If you have any questions, please contact us at

Contact .ME

I’m the sole user of this instance and am very careful with my passwords. Looking at the mail.log, I found no suspicious outgoing messages. I did, however, find a ton of suspicious connection attempts:

May 21 10:31:18 box postfix/smtpd[12807]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:18 box postfix/smtpd[12807]: lost connection after CONNECT from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:18 box postfix/smtpd[12807]: disconnect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:19 box postfix/smtpd[12807]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:19 box postfix/smtpd[12807]: NOQUEUE: reject: RCPT from ip100.ip-149-56-177.net[149.56.177.100]: 554 5.7.1 <test@gmail.com>: Relay access denied; from=<test@capanema.me> to=<test@gmail.com> proto=SMTP helo=<win-4k804v6advq.domain>
May 21 10:31:20 box postfix/smtpd[12810]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:21 box postfix/smtpd[12807]: lost connection after RCPT from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:21 box postfix/smtpd[12807]: disconnect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:22 box postfix/smtpd[12807]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:22 box postfix/smtpd[12811]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:22 box postfix/smtpd[12812]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12807]: lost connection after EHLO from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12810]: lost connection after EHLO from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12807]: disconnect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12810]: disconnect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12810]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12807]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12811]: lost connection after EHLO from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12811]: disconnect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12812]: lost connection after EHLO from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12812]: disconnect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12810]: lost connection after EHLO from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:23 box postfix/smtpd[12810]: disconnect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:24 box postfix/smtpd[12811]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:24 box postfix/smtpd[12810]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:24 box postfix/smtpd[12812]: connect from ip100.ip-149-56-177.net[149.56.177.100]
May 21 10:31:24 box postfix/smtpd[12807]: lost connection after EHLO from ip100.ip-149-56-177.net[149.56.177.100]

These go on for days, from different IPs (but the same one tries multiple times). How can I debug this further to find if there really are no sent phishing emails?

May 24 08:25:55 box postfix/anvil[19398]: statistics: max connection count 1 for (smtp:193.227.51.79) at May 24 08:22:34
May 24 08:25:55 box postfix/anvil[19398]: statistics: max cache size 1 at May 24 08:22:34
May 24 08:28:31 box postfix/smtpd[19822]: connect from 118-68-169-82.higio.net[118.68.169.82]
May 24 08:28:32 box postfix/smtpd[19822]: disconnect from 118-68-169-82.higio.net[118.68.169.82]
May 24 08:31:52 box postfix/anvil[19823]: statistics: max connection rate 1/60s for (smtp:118.68.169.82) at May 24 08:28:31
May 24 08:31:52 box postfix/anvil[19823]: statistics: max connection count 1 for (smtp:118.68.169.82) at May 24 08:28:31
May 24 08:31:52 box postfix/anvil[19823]: statistics: max cache size 1 at May 24 08:28:31
May 24 08:34:38 box postfix/smtpd[20251]: connect from 64-110-238-35.regn.static.sasknet.sk.ca[64.110.238.35]
May 24 08:34:39 box postfix/smtpd[20251]: disconnect from 64-110-238-35.regn.static.sasknet.sk.ca[64.110.238.35]
May 24 08:37:59 box postfix/anvil[20252]: statistics: max connection rate 1/60s for (smtp:64.110.238.35) at May 24 08:34:38
May 24 08:37:59 box postfix/anvil[20252]: statistics: max connection count 1 for (smtp:64.110.238.35) at May 24 08:34:38
May 24 08:37:59 box postfix/anvil[20252]: statistics: max cache size 1 at May 24 08:34:38
May 24 08:41:05 box postfix/smtpd[21152]: warning: hostname mail.tandinhpottery.com does not resolve to address 118.69.170.173
May 24 08:41:05 box postfix/smtpd[21152]: connect from unknown[118.69.170.173]
May 24 08:41:05 box postfix/smtpd[21152]: disconnect from unknown[118.69.170.173]
May 24 08:44:25 box postfix/anvil[21153]: statistics: max connection rate 1/60s for (smtp:118.69.170.173) at May 24 08:41:05
May 24 08:44:25 box postfix/anvil[21153]: statistics: max connection count 1 for (smtp:118.69.170.173) at May 24 08:41:05
May 24 08:44:25 box postfix/anvil[21153]: statistics: max cache size 1 at May 24 08:41:05
May 24 08:47:34 box postfix/smtpd[21579]: connect from unknown[210.245.34.242]
May 24 08:47:34 box postfix/smtpd[21579]: disconnect from unknown[210.245.34.242]
May 24 08:50:55 box postfix/anvil[21580]: statistics: max connection rate 1/60s for (smtp:210.245.34.242) at May 24 08:47:34
May 24 08:50:55 box postfix/anvil[21580]: statistics: max connection count 1 for (smtp:210.245.34.242) at May 24 08:47:34
May 24 08:50:55 box postfix/anvil[21580]: statistics: max cache size 1 at May 24 08:47:34
May 24 08:53:38 box postfix/smtpd[22004]: connect from unknown[184.71.152.86]
May 24 08:53:38 box postfix/smtpd[22004]: disconnect from unknown[184.71.152.86]
May 24 08:56:59 box postfix/anvil[22005]: statistics: max connection rate 1/60s for (smtp:184.71.152.86) at May 24 08:53:38
May 24 08:56:59 box postfix/anvil[22005]: statistics: max connection count 1 for (smtp:184.71.152.86) at May 24 08:53:38
May 24 08:56:59 box postfix/anvil[22005]: statistics: max cache size 1 at May 24 08:53:38
May 24 08:59:43 box postfix/smtpd[22425]: connect from D57E6102.static.ziggozakelijk.nl[213.126.97.2]
May 24 08:59:44 box postfix/smtpd[22425]: disconnect from D57E6102.static.ziggozakelijk.nl[213.126.97.2]
May 24 09:00:30 box postfix/tlsmgr[23386]: tlsmgr_cache_run_event: start TLS smtp session cache cleanup
May 24 09:03:04 box postfix/anvil[22426]: statistics: max connection rate 1/60s for (smtp:213.126.97.2) at May 24 08:59:43
May 24 09:03:04 box postfix/anvil[22426]: statistics: max connection count 1 for (smtp:213.126.97.2) at May 24 08:59:43
May 24 09:03:04 box postfix/anvil[22426]: statistics: max cache size 1 at May 24 08:59:43
May 24 09:06:00 box postfix/smtpd[23266]: connect from dynamic-190-25-46-42.dynamic.etb.net.co[190.25.46.42]
May 24 09:06:00 box postfix/smtpd[23266]: disconnect from dynamic-190-25-46-42.dynamic.etb.net.co[190.25.46.42]
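One way to answer the "did anything actually go out?" question from mail.log, as an added example that is not part of the original post or of Mail-in-a-Box: the `554 5.7.1 Relay access denied` lines above are Postfix refusing an unauthenticated relay attempt, so no message left the box for those; mail that really was sent from a compromised account would instead show an authenticated submission (`sasl_username=`) followed by a `status=sent` delivery under the same queue ID. The script below separates the two. It assumes Mail-in-a-Box logs the submission service as `postfix/submission/smtpd` (plain `postfix/smtpd` with `sasl_username` is accepted too); the sample log is constructed, with the last five lines, the queue ID, user and hosts made up.

```python
import re
from collections import Counter

# Constructed sample log. The first two lines copy the shape of the
# "Relay access denied" rejection shown in the post; the remaining lines are
# made up to show what a genuinely compromised account would look like:
# an authenticated submission (sasl_username) followed by a status=sent
# delivery. Queue ID, user, hosts and IPs are placeholders.
SAMPLE_LOG = """\
May 21 10:31:19 box postfix/smtpd[12807]: NOQUEUE: reject: RCPT from ip100.ip-149-56-177.net[149.56.177.100]: 554 5.7.1 <test@gmail.com>: Relay access denied; from=<test@capanema.me> to=<test@gmail.com> proto=SMTP helo=<win-4k804v6advq.domain>
May 21 10:31:21 box postfix/smtpd[12807]: lost connection after RCPT from ip100.ip-149-56-177.net[149.56.177.100]
May 21 11:02:03 box postfix/submission/smtpd[13001]: connect from unknown[203.0.113.7]
May 21 11:02:04 box postfix/submission/smtpd[13001]: 7A1B2C3D4E: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.test
May 21 11:02:05 box postfix/cleanup[13002]: 7A1B2C3D4E: message-id=<abc@example.test>
May 21 11:02:05 box postfix/qmgr[1234]: 7A1B2C3D4E: from=<alice@example.test>, size=2048, nrcpt=1 (queue active)
May 21 11:02:07 box postfix/smtp[13003]: 7A1B2C3D4E: to=<victim@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=2.1, delays=0.5/0.1/1/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# A rejected RCPT: Postfix refused the envelope, nothing was queued or sent.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r"<[^>]*>: (?P<reason>[^;]+);"
)
# Assumption: the submission service logs as postfix/submission/smtpd; a plain
# postfix/smtpd line carrying sasl_username is matched as well.
SASL_RE = re.compile(
    r"postfix/(?:submission/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=\S+\[(?P<ip>[^\]]+)\].*sasl_username=(?P<user>\S+)"
)
# A completed outbound delivery by the Postfix SMTP client.
SENT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]+)>,.*status=sent"
)


def triage(log_text):
    """Split a Postfix log into refused relay attempts and real outbound mail."""
    relay_rejects = Counter()      # client IP -> refused relay attempts (nothing sent)
    submissions = {}               # queue ID -> (SASL user, client IP)
    sent_by_user = Counter()       # SASL user -> delivered messages
    unattributed_sent = []         # (queue ID, recipient) sent with no SASL login seen
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            relay_rejects[m["ip"]] += 1
            continue
        m = SASL_RE.search(line)
        if m:
            submissions[m["qid"]] = (m["user"], m["ip"])
            continue
        m = SENT_RE.search(line)
        if m:
            if m["qid"] in submissions:
                sent_by_user[submissions[m["qid"]][0]] += 1
            else:
                unattributed_sent.append((m["qid"], m["rcpt"]))
    return {
        "relay_rejects": relay_rejects,
        "sent_by_user": sent_by_user,
        "unattributed_sent": unattributed_sent,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("refused relay attempts by client IP:", dict(report["relay_rejects"]))
    print("delivered messages per authenticated user:", dict(report["sent_by_user"]))
    print("deliveries with no login seen (trace the queue ID):", report["unattributed_sent"])
```

Run it against the real file with `triage(open("/var/log/mail.log").read())` (plus the rotated `mail.log.1`, `mail.log.*.gz` for the days in question). A non-empty `sent_by_user` for a user who did not send that mail is the signal that matters; entries in `unattributed_sent` are messages that left without a SASL login in the same file (locally generated mail, or a submission logged in an earlier rotated file) and are worth grepping by queue ID before drawing a conclusion.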

I think that your focus should be on contacting the registry to resolve the issue.

If you were using external DNS, did you have your DMARC and SPF records set properly?

As for the connection attempts - spammers and hackers are always trying to hack email servers so those are not too surprising.

Make sure none of your users are compromised and sending spam.

I’m the sole user, and took a long look at the logs and found nothing. I use MIAB as a DNS server, so DMARC and SPF were set up. I also set up DNSSEC. I’m thinking the phishing report was a scam and the registry took action upon it without checking. :sweat:

Anyway, I kept looking at logs and found this at fail2ban.log

2018-05-20 17:30:56,982 fail2ban.actions: WARNING [ssh] Ban 51.15.221.246
2018-05-20 18:30:57,197 fail2ban.actions: WARNING [ssh] Unban 51.15.221.246
2018-05-20 18:39:34,803 fail2ban.actions: WARNING [ssh] Ban 51.15.221.246
2018-05-20 19:30:37,365 fail2ban.actions: WARNING [ssh] Ban 37.59.104.67
2018-05-20 19:39:34,999 fail2ban.actions: WARNING [ssh] Unban 51.15.221.246
2018-05-20 19:48:40,638 fail2ban.actions: WARNING [ssh] Ban 51.15.221.246
2018-05-20 20:30:37,576 fail2ban.actions: WARNING [ssh] Unban 37.59.104.67
2018-05-20 20:40:30,270 fail2ban.actions: WARNING [ssh] Ban 37.59.104.67
2018-05-20 20:48:40,850 fail2ban.actions: WARNING [ssh] Unban 51.15.221.246
2018-05-20 20:57:16,456 fail2ban.actions: WARNING [ssh] Ban 51.15.221.246
2018-05-20 21:40:30,509 fail2ban.actions: WARNING [ssh] Unban 37.59.104.67

Aren’t these hosts being unbanned too quickly?

From what I understand, only milliseconds after the original ban. Looking at fail2ban’s jail conf, I think the ban time is set to 600 seconds.

It looks to me like the ban is 1 hour. At least that is what the logs you have posted are showing.
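To settle the ban-length question from the log rather than by eye, here is an added example (not part of the thread or of fail2ban) that pairs each `Ban` with the next `Unban` for the same jail and IP and reports the observed duration; `check_bantime` then lists any completed ban whose length disagrees with a `bantime` you pass in, so the value in jail.conf can be compared with what the log shows. The sample lines are the ones posted above; the regex also tolerates the newer `fail2ban.actions [pid]:` layout, which is an assumption about log formats not shown on this page.

```python
import re
from datetime import datetime

# The fail2ban.log excerpt from the thread. The last Ban has no matching Unban
# in the excerpt, so it should be reported as still open.
SAMPLE_LOG = """\
2018-05-20 17:30:56,982 fail2ban.actions: WARNING [ssh] Ban 51.15.221.246
2018-05-20 18:30:57,197 fail2ban.actions: WARNING [ssh] Unban 51.15.221.246
2018-05-20 18:39:34,803 fail2ban.actions: WARNING [ssh] Ban 51.15.221.246
2018-05-20 19:30:37,365 fail2ban.actions: WARNING [ssh] Ban 37.59.104.67
2018-05-20 19:39:34,999 fail2ban.actions: WARNING [ssh] Unban 51.15.221.246
2018-05-20 19:48:40,638 fail2ban.actions: WARNING [ssh] Ban 51.15.221.246
2018-05-20 20:30:37,576 fail2ban.actions: WARNING [ssh] Unban 37.59.104.67
2018-05-20 20:40:30,270 fail2ban.actions: WARNING [ssh] Ban 37.59.104.67
2018-05-20 20:48:40,850 fail2ban.actions: WARNING [ssh] Unban 51.15.221.246
2018-05-20 20:57:16,456 fail2ban.actions: WARNING [ssh] Ban 51.15.221.246
2018-05-20 21:40:30,509 fail2ban.actions: WARNING [ssh] Unban 37.59.104.67
"""

# Matches the format above; the optional "[pid]" after fail2ban.actions is an
# assumption to cover newer fail2ban releases.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) fail2ban\.actions\s*(?:\[\d+\])?:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<action>Ban|Unban)\s+(?P<ip>\S+)"
)


def ban_durations(log_text):
    """Pair each Ban with the next Unban for the same (jail, ip).

    Returns a list of (jail, ip, ban_time, seconds) sorted by ban time;
    seconds is None for a ban that has not been lifted in the log.
    """
    open_bans = {}
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        key = (m["jail"], m["ip"])
        if m["action"] == "Ban":
            open_bans[key] = ts          # a repeat Ban simply restarts the clock
        elif key in open_bans:
            start = open_bans.pop(key)
            results.append((key[0], key[1], start, (ts - start).total_seconds()))
    for (jail, ip), start in open_bans.items():
        results.append((jail, ip, start, None))
    results.sort(key=lambda r: r[2])
    return results


def check_bantime(durations, bantime, tolerance=5.0):
    """Return completed bans whose observed length is more than `tolerance`
    seconds away from the configured `bantime` (empty list means consistent)."""
    return [d for d in durations if d[3] is not None and abs(d[3] - bantime) > tolerance]


if __name__ == "__main__":
    for jail, ip, start, secs in ban_durations(SAMPLE_LOG):
        state = "still banned" if secs is None else f"{secs:.3f} s"
        print(f"[{jail}] {ip} banned at {start:%H:%M:%S}: {state}")
    print("bans inconsistent with bantime=600:", len(check_bantime(ban_durations(SAMPLE_LOG), 600)))
    print("bans inconsistent with bantime=3600:", len(check_bantime(ban_durations(SAMPLE_LOG), 3600)))
```

On the posted lines every completed ban lasts a little over 3600 seconds, which is why a `bantime` of 600 flags all five of them and 3600 flags none; if the jail file really says 600, the effective value is being overridden by a later `jail.d/*.conf` or `jail.local`, which is where to look next.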

Normally, one would get an email to the admin contact to resolve such issues. Certainly .me notified you at that address, no?

Nope, no notification whatsoever. I had to contact Gandi and wait over 13 hours to find out what was going on. And then wait another day or so until .me responded. Just got my domain back.

About the ban time, I was so focused on the minutes that I didn’t see the hours :sweat_smile: thanks!