How to track (catch) mail server traffic abusers with tcpdump
If you're an administrator of a shared hosting server running a mail server on localhost, you've definitely come across issues with your mail server IP ending up in public blacklists like Spamhaus's XBL and PBL, the CBL, etc.
The usual procedure after one's IP gets listed is to delist it manually through the Spamhaus (or other blacklist) web interface. However, often even after delisting yourself you are back in the blacklists within a couple of hours, because your mail server continues to send out mass amounts of spam. Delisting only treats the symptom: until the source of the spam on the box is found and stopped, the listing keeps coming back.
To track down issues like this, as a system administrator I always use the good old network swiss army knife:
tcpdump
tcpdump is really precious for tracking all kinds of traffic oddities, mail server traffic included.
To check for oddities in the traffic flowing to and from the mail server on localhost, after I log in to the server with issues I run
tcpdump with the following options:
tcpdump -nNxXi eth0 -s 0 proto TCP and port 25
Here -n stops host name lookups (ports are still printed as service names such as smtp; use -nn to get them numeric as well), -N drops the domain part of any host names that are printed, -x and -X print every packet in hex and in hex plus ASCII, -i eth0 picks the interface, and -s 0 captures whole packets instead of truncating them to the default snapshot length. The filter is equivalent to the shorter "tcp port 25"; to look at one suspicious peer only, append "and host <its IP>" to it.
The usual output of it should look something like:
root@hosting:/home/hipo/public_html:# tcpdump -nNxXi eth0 -s 0 proto TCP and port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:37:51.692685 IP xxx.xxx.xxx.xxx.smtp > 212.235.67.205.53745: P 2645817175:2645817203(28) ack 31168958 win 7632
        0x0000:  4500 0044 92b4 4000 4006 9ae8 5511 9f4d  E..D..@.@...U..M
        0x0010:  d4eb 43cd 0019 d1f1 9db3 f757 01db 99be  ..C........W....
        0x0020:  5018 1dd0 0d4e 0000 3235 3020 4f4b 2069  P....N..250.OK.i
        0x0030:  643d 3151 656c 3150 2d30 3033 7666 412d  d=1Qel1P-003vfA-
        0x0040:  4730 0d0a                                G0..
11:37:52.175038 IP 212.235.67.205.53745 > xxx.xxx.xxx.xxx.smtp: . ack 28 win 65064
        0x0000:  4500 0028 1bb4 4000 7706 db04 d4eb 43cd  E..(..@.w.....C.
        0x0010:  5511 9f4d d1f1 0019 01db 99be 9db3 f773  U..M...........s
        0x0020:  5010 fe28 a1c8 0000 0000 0000 0000       P..(..........
In this example xxx.xxx.xxx.xxx is the IP address of the hosting server (my mail server) and 212.235.67.205 is the other machine that my mail server's SMTP port 25 is talking to. The first packet goes from my server's port 25 (smtp) to port 53745 on the remote host, so here the remote host is the client that opened the connection and my server is the one replying.
If after issuing this command you see the same remote IP addresses repeating over and over in the mail server's conversations, that is a possible sign of a spammer sending traffic through the mail server. The direction of the repeats tells you what kind of abuse it is: the same remote host opening connection after connection to your port 25 looks like a relay abuser (typically a stolen SMTP AUTH password), while your own server opening a flood of connections from ephemeral ports to port 25 on many different remote hosts means the spam is being generated locally (a compromised web script or account) and you are the sending side.
Of course this is not always the case; sometimes a client legitimately sends a large newsletter or a planned advertising campaign. However, in most cases, as I said, it's a spammer.
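Counting by hand which peer repeats is tedious on a busy server. The following shell function is an added example, not code from the original post: it reads tcpdump's text output and counts TCP connection attempts on port 25 per remote IP and per direction. It assumes the output format of current tcpdump (tcpdump 4.x, where TCP flags print as "Flags [S],"; the capture above is in the older bare-letter format) and the local address 203.0.113.10, the peer addresses and the sample capture lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example: summarise SMTP connection attempts from tcpdump text output.
#
# Feed it the output of:  tcpdump -nn -i eth0 'tcp port 25'
# (live, or from a saved capture with: tcpdump -nn -r smtp.pcap).
# -nn keeps ports numeric; with plain -n tcpdump prints "smtp" instead of
# "25", which the parser also accepts. Assumes tcpdump 4.x output, where TCP
# flags print as "Flags [S]," (older versions print a bare "S").
# IPv6 lines ("IP6 ...") are ignored.
#
# Only SYN packets are counted, so each connection counts once rather than
# once per packet; SYN-ACKs ("[S.]") are the server side and are skipped.
#
# Usage:  smtp_syn_summary LOCAL_IP < tcpdump_output
# Prints: DIRECTION PEER_IP COUNT, busiest peer first
#   inbound  = remote host connecting to our port 25 (delivery to us, or a
#              relay abuser if the same peer repeats hundreds of times)
#   outbound = our host connecting to a remote port 25 (mail we send out;
#              a flood of these means we are the spam source)
smtp_syn_summary() {
    awk -v me="$1" '
        # tcpdump -nn line: "HH:MM:SS.us IP SRC.SPORT > DST.DPORT: Flags [S], ..."
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # split "a.b.c.d.port" into address and port on the last dot
            n = match(src, /\.[^.]+$/); sip = substr(src, 1, n - 1)
            n = match(dst, /\.[^.]+$/); dip = substr(dst, 1, n - 1); dport = substr(dst, n + 1)
            if (dport != "25" && dport != "smtp") next
            if (dip == me) cnt["inbound " sip]++; else if (sip == me) cnt["outbound " dip]++
        }
        END { for (k in cnt) print k, cnt[k] }
    ' | sort -k3,3nr
}

# Constructed sample capture for the demo: 203.0.113.10 plays the local
# mail server, 212.235.67.205 connects to it three times, and it connects
# out to two remote servers once each.
sample_capture() {
    cat <<'EOF'
11:37:50.000001 IP 212.235.67.205.53745 > 203.0.113.10.25: Flags [S], seq 100, win 65535, length 0
11:37:50.000002 IP 203.0.113.10.25 > 212.235.67.205.53745: Flags [S.], seq 200, ack 101, win 7632, length 0
11:37:50.000003 IP 212.235.67.205.53745 > 203.0.113.10.25: Flags [.], ack 201, win 65064, length 0
11:37:51.000001 IP 212.235.67.205.53746 > 203.0.113.10.25: Flags [S], seq 300, win 65535, length 0
11:37:51.000002 IP 212.235.67.205.53747 > 203.0.113.10.25: Flags [S], seq 400, win 65535, length 0
11:37:52.000001 IP 203.0.113.10.40001 > 198.51.100.7.25: Flags [S], seq 500, win 29200, length 0
11:37:52.000002 IP 203.0.113.10.40002 > 198.51.100.8.25: Flags [S], seq 600, win 29200, length 0
11:37:52.000003 IP 203.0.113.10.40002 > 198.51.100.8.25: Flags [P.], seq 601:640, ack 1, win 229, length 39
EOF
}

# Demo run. In real use replace sample_capture with, for example,
#   tcpdump -nn -i eth0 -c 5000 'tcp port 25' 2>/dev/null
sample_capture | smtp_syn_summary 203.0.113.10
```

On the constructed input the top line is "inbound 212.235.67.205 3": one peer responsible for every inbound connection, which is the pattern to chase in the mail log. Counting SYNs rather than all packets matters, because a single large message produces hundreds of data packets and would otherwise swamp the per-peer counts.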
To further pin down the abuser I check the Apache logs and the mail server logs. In many cases the spammer can be caught just by observing the mail server logs (/var/log/maillog, /var/log/qmail/current, or wherever the mail server logs its interactions; the id=1Qel1P-003vfA-G0 in the 250 reply captured above is an Exim message id, so on an Exim box that is /var/log/exim4/mainlog or /var/log/exim_mainlog). Look for the same sender address, authenticated login, or local unix user (a web server user such as www-data or nobody points to a PHP script) showing up hundreds of times within a short interval, then match those timestamps against the Apache access log to find the script that was being hit.
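The same counting approach applied to the mail log, as an added example that is not from the original post. It assumes Exim's main log format (the id= in the 250 reply above is an Exim message id), counts each accepted message ("<=" line) by the SMTP AUTH login or local unix user that submitted it and by envelope sender, and the log lines, message ids, addresses and IPs below are constructed for the demo.

```shell
#!/bin/sh
# Added example: find who is injecting mail, from an Exim main log.
#
# Every message Exim accepts is logged on a "<=" line:
#   date time msgid <= SENDER H=(helo) [ip] P=proto A=auth:login S=size ...
# A=  is present when the client used SMTP AUTH (authenticator:login used),
# U=  is present for local submissions (the unix user that ran sendmail;
#     a web server user such as www-data points to a PHP script),
# neither is present for ordinary inbound SMTP from another mail server.
#
# Usage:  exim_submission_summary < /var/log/exim4/mainlog
# Prints: COUNT SUBMITTER SENDER, most frequent first
exim_submission_summary() {
    awk '
        $4 == "<=" {
            sender = $5; who = "unauth"
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^A=/) { who = "auth:" substr($i, 3) } else if ($i ~ /^U=/) { who = "local:" substr($i, 3) }
            }
            cnt[who " " sender]++
        }
        END { for (k in cnt) print cnt[k], k }
    ' | sort -rn
}

# Constructed sample log for the demo: three messages relayed through a
# stolen SMTP AUTH login, one injected locally by the web server user,
# one ordinary inbound delivery, and one delivery ("=>") line that is skipped.
sample_mainlog() {
    cat <<'EOF'
2011-06-30 11:37:51 1Qel1P-003vfA-G0 <= spammer@example.org H=(localhost) [212.235.67.205] P=esmtpa A=login:victim@example.com S=2312 id=a1@example.org
2011-06-30 11:37:52 1Qel1Q-003vfC-11 <= spammer@example.org H=(localhost) [212.235.67.205] P=esmtpa A=login:victim@example.com S=2318 id=a2@example.org
2011-06-30 11:37:53 1Qel1R-003vfE-2K <= spammer@example.org H=(localhost) [212.235.67.205] P=esmtpa A=login:victim@example.com S=2330 id=a3@example.org
2011-06-30 11:38:10 1Qel1S-003vfG-3P <= www-data@hosting.example.com U=www-data P=local S=1801
2011-06-30 11:38:30 1Qel1T-003vfI-4Z <= friend@example.net H=mail.example.net [198.51.100.7] P=esmtp S=4102 id=b1@example.net
2011-06-30 11:38:31 1Qel1U-003vfK-5A => bob@example.com R=local_user T=local_delivery
EOF
}

# Demo run. In real use: exim_submission_summary < /var/log/exim4/mainlog
sample_mainlog | exim_submission_summary
```

On the sample the top line is "3 auth:login:victim@example.com spammer@example.org", i.e. the account whose password to reset. A "local:www-data" entry at the top instead means a web script is the source, and the timestamps of those "<=" lines are what you match against the Apache access log.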
In the above tcpdump output you can even read some of the information flowing between the two mail servers in a very raw form: notice the
250.OK in the ASCII column of the first packet. This is an SMTP exchange between the two hosts in which the server running on my hosting box (xxx.xxx.xxx.xxx) sends the remote host the reply
250 OK id=1Qel1P-003vfA-G0
Note that this is not a command but a reply code: 250 is SMTP's "requested action okay" response, sent here after the remote host finished transmitting a message (the end-of-data "." line), and the id= is the queue id the message was accepted under. So the remote host 212.235.67.205 has just delivered a message into my server; with that message id in hand you can grep the mail log for exactly this message and see who sent it and where it is going.
Hope this article is helpful to somebody ;)