Federal Linux

I was attacked by Spam from Outer Space

Tracy R Reed

So yesterday at around 3:30pm I got a strange email from LOLLERSKATES (system logfile analysis software which I wrote to warn of unusual activity). It said that Yahoo was blocking a whole ton of email from my server. Why would my server suddenly be sending thousands of emails to Yahoo? So I looked into it and the system was processing a massive amount of email. I instantly knew that my computer was being used to send spam.

How could this be? One of two things must have happened:

  1. A web app was compromised - Unlikely, but possible. I don’t run any PHP and I don’t use anything which isn’t very careful about avoiding shell/SQL injection exploits etc. A lot of my stuff is protected by SELinux, which should prevent web apps from talking to the mail system, but not everything is covered.
  2. Someone compromised a user’s password - This is possible. People do dumb things with their passwords all the time.

So I fire up tcpdump and see a lot of traffic coming in via an authenticated SMTP session. I check the mail logs and notice that a particular user is authenticating from an IP address behind an Internet satellite link provider (“Spaaaam frooooom spaaaaaaaaace!” Thank you, Muppet Show), which is very unusual. So a quick iptables firewall rule to block off that IP address and a password change for that user, and the spam stops. Then I whip up a quick shell script to clear the mail queue of all of the pending spam. Everything is back to normal.
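The two signals that gave the compromise away here were a burst of authenticated submissions from one account and that account authenticating from an address it had never used before. The script below is an added example of the kind of log check a logfile analyzer like the one described above could run; it is not LOLLERSKATES and not code from this post. It assumes Postfix-style smtpd log lines (the post does not say which MTA or log format the server uses), and the log lines, usernames, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a Postfix-style format (an assumption; the post
# does not name the MTA). Authenticated submissions log the SASL username and the
# client address, which is all the check below needs. The NOQUEUE line is a
# non-authenticated reject and is deliberately ignored by the parser.
SAMPLE_LOG = """\
Mar 14 13:29:58 mail postfix/smtpd[4012]: 1A2B3C: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
Mar 14 13:29:59 mail postfix/smtpd[4013]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Relay access denied
Mar 14 13:30:01 mail postfix/smtpd[4014]: 1A2B3D: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=bob
Mar 14 13:30:05 mail postfix/smtpd[4014]: 1A2B3E: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=bob
Mar 14 13:30:12 mail postfix/smtpd[4015]: 1A2B3F: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=bob
Mar 14 13:30:20 mail postfix/smtpd[4015]: 1A2B40: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=bob
Mar 14 13:30:31 mail postfix/smtpd[4016]: 1A2B41: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=bob
Mar 14 13:30:40 mail postfix/smtpd[4016]: 1A2B42: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=bob
Mar 14 13:31:02 mail postfix/smtpd[4017]: 1A2B43: client=work.example.org[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Mar 14 13:40:15 mail postfix/smtpd[4018]: 1A2B44: client=work.example.org[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
"""

# Addresses each user has previously authenticated from (constructed baseline;
# in practice this would be built from older logs).
KNOWN_IPS = {"bob": {"192.0.2.10"}, "alice": {"203.0.113.5"}}

AUTH_LINE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=[^\s\[]+\[([\d.]+)\], sasl_method=\S+, sasl_username=(\S+)$"
)


def parse_auth_events(text):
    """Return (timestamp, user, client_ip) for every authenticated submission.

    Syslog timestamps carry no year; strptime fills in 1900, which is fine
    because only differences between timestamps are used.
    """
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        events.append((ts, m.group(3), m.group(2)))
    return events


def burst_senders(events, window_seconds=60, threshold=5):
    """Return (user, ip) pairs with >= threshold submissions inside any window."""
    times_by_key = defaultdict(list)
    for ts, user, ip in events:
        times_by_key[(user, ip)].append(ts)
    alerts = []
    for key, times in times_by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def new_source_ips(events, known_ips):
    """Return (user, ip) pairs where the user has never authenticated from ip."""
    return {(user, ip) for _, user, ip in events if ip not in known_ips.get(user, set())}


if __name__ == "__main__":
    evts = parse_auth_events(SAMPLE_LOG)
    for user, ip in burst_senders(evts):
        print(f"burst: {user} submitted >=5 messages within 60s from {ip}")
    for user, ip in new_source_ips(evts, KNOWN_IPS):
        print(f"new source: {user} authenticated from previously unseen {ip}")
```

On the constructed log, both checks point at the same account and address, which is the combination worth paging on: a burst alone can be a legitimate mailing, and a new address alone can be a user on the road, but a burst from a never-before-seen address is the pattern of a stolen password being used to relay.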

I instant message the user in question and let him know what happened. The conversation went like this:

(05:48:35 PM) Tracy: I had to lock your email account on my server
(05:48:43 PM) Tracy: Someone guessed or stole your password and was using my server to send spam
(05:49:46 PM) Tracy: If you use that password anywhere else you need to change it
(05:51:12 PM) User: Oh really. It was studball. Thanks
(05:51:23 PM) Tracy: hmm...I doubt they would have guessed that.
(05:51:34 PM) Tracy: So I bet your windows computer or somewhere else where you have typed
        that password in was compromised.
(05:51:38 PM) Tracy: You need to check that out.
(05:52:27 PM) User: Did it just start happening today or yesterday?
(05:52:41 PM) Tracy: Just today at 1:30pm my time which is 4:30pm your time
(05:59:41 PM) User: I checked my email about that time too.
(06:02:57 PM) Tracy: What computer did you check it on?
(06:03:11 PM) Tracy: Did you type in your password on that computer at that time?
(06:04:22 PM) User: windows. Yes I did. And I also chose save password.
    My computer was acting slow today also. So I think it may be a worm.
(06:06:54 PM) Tracy: Yep. I bet that's it.
(06:07:33 PM) Tracy: You need to unplug that thing from the network asap.
(06:07:38 PM) Tracy: Then wipe and reinstall the operating system.
(06:10:19 PM) User: I will have to do that tonight when I get home.

So once again Windows bites me and I don’t even use it myself. My server may be on email blacklists as a spam sender now. Hopefully not since I caught it quickly.

The funny thing about this is that from the user’s point of view I have not done him a favor. I have only caused him a problem. Everything worked fine and his world was happy until I contacted him. He was not really inconvenienced in any way that he noticed at the time. What does he care if his computer sent his password to someone else so that they can use it to send spam through someone else’s server? And now he has to change his password (I already changed it once for him) and reinstall his computer (although I seriously doubt that will happen and the infection will persist). I am reminded of “Typhoid Mary”. The cost of lax computer security is a complete externality for most people which usually costs the insecure person/system nothing noticeable. So goes computer security apathy.