lfd on <serverurl>: LOCALRELAY Alert for <useraccount>

doracreaper
Junior Member
Posts: 2
Joined: 24 Jun 2013, 09:10

Post by doracreaper »

Hi guys,

I have two servers, one fully configured by ConfigServer and the other a small local one with configfirewall set up.

The small local one I have configfirewall set up on: Now over the weekend, this email has been sent to me over and over again for different accounts. I honestly don't know what to make of it; I've tried everything to stop them. A common denominator of the users is that they are all using Joomla. Although I can clearly see that it must be a security problem, I don't understand what the email keeps telling me.

Example:

Time:  Mon Jun 24 10:05:40 2013 +0200
Type:  LOCALRELAY, Local Account - mun1918
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2013-06-24 10:00:31 1Ur1hP-0007zJ-8y <= useraccount@<serverurl> U=useraccount P=local S=497 T="New Account IN <userdomain>" for <hackersemailaddress>
2013-06-24 10:00:32 1Ur1hP-0007zP-Cg <= useraccount@<serverurl> U=useraccount P=local S=497 T="New Account IN <userdomain>" for <hackersemailaddress>
2013-06-24 10:00:32 1Ur1hP-0007zR-D7 <= useraccount@<serverurl> U=useraccount P=local S=497 T="New Account IN <userdomain>" for <hackersemailaddress>
2013-06-24 10:00:32 1Ur1hP-0007zL-9a <= useraccount@<serverurl> U=useraccount P=local S=497 T="New Account IN <userdomain>" for <hackersemailaddress>
2013-06-24 10:00:33 1Ur1hR-000806-Hn <= useraccount@<serverurl> U=useraccount P=local S=497 T="New Account IN <userdomain>" for <hackersemailaddress>
2013-06-24 10:00:56 1Ur1hn-00081R-FT <= useraccount@<serverurl> U=useraccount P=local S=497 T="New Account IN <userdomain>" for <hackersemailaddress>
2013-06-24 10:00:56 1Ur1hn-00081W-N2 <= useraccount@<serverurl> U=useraccount P=local S=497 T="New Account IN <userdomain>" for <hackersemailaddress>
2013-06-24 10:00:56 1Ur1hn-00081c-Ve <= useraccount@<serverurl> U=useraccount P=local S=497 T="New Account IN <userdomain>" for <hackersemailaddress>
2013-06-24 10:00:57 1Ur1ho-00081y-UR <= useraccount@<serverurl> U=useraccount P=local S=497 T="New Account IN <userdomain>" for <hackersemailaddress>
2013-06-24 10:00:59 1Ur1hr-00082F-Om <= useraccount@<serverurl> U=useraccount P=local S=497 T="New Account IN <userdomain>" for <hackersemailaddress>
I'm getting an email like this from different user accounts every hour or so, all relating to <hackersemailaddress>, which is stomalber <at> gmail <dot> com. I tried searching for it on Google, which only comes up with it being a forum spammer.

What I need is to understand what exactly this email is telling me, so that I can understand what he is doing and can counter him accordingly.

Thank you for your help. Greatly appreciated!
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: lfd on <serverurl>: LOCALRELAY Alert for <useraccount>

Post by Sergio »

The email states:

Time: Mon Jun 24 10:05:40 2013 +0200
Type: LOCALRELAY, Local Account - mun1918
Count: 101 emails relayed
Blocked: No

So, there is a LOCALRELAY on the account mun1918; it is sending more than 101 emails in an hour. The rest of the email is telling what the account is sending; not much you can do with the rest of the info. The real info is the one on the top, so you have to check how the account is compromised and check for scripts that could send emails from that account. If you have MailScanner installed, it could tell you more info about the emails sent.

Sergio
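
As an added example (not part of the original thread and not ConfigServer's code), this Python script reads Exim arrival lines in the format shown in the alert and tallies local submissions per account per hour, with the subjects and recipients that dominate each group. The sample lines, account names, hosts and the `limit` value are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the alert's format (placeholder accounts and hosts).
SAMPLE_LOG = """\
2013-06-24 10:00:31 1Ur1hP-0007zJ-8y <= acct1@host.example U=acct1 P=local S=497 T="New Account IN site1.example" for bot@mail.example
2013-06-24 10:00:32 1Ur1hP-0007zP-Cg <= acct1@host.example U=acct1 P=local S=497 T="New Account IN site1.example" for bot@mail.example
2013-06-24 10:00:56 1Ur1hn-00081R-FT <= acct1@host.example U=acct1 P=local S=497 T="New Account IN site1.example" for bot@mail.example
2013-06-24 10:01:02 1Ur1hn-00081W-N2 => bot@mail.example R=lookuphost T=remote_smtp H=mx.mail.example [192.0.2.10]
2013-06-24 10:02:10 1Ur1ho-00081y-UR <= acct2@host.example U=acct2 P=local S=812 T="Order \\"42\\" shipped" for client@shop.example
2013-06-24 10:03:00 1Ur1hr-00082F-Om <= someone@remote.example H=mx.remote.example [192.0.2.20] P=esmtp S=2048 T="U=acct1 P=local" for acct1@host.example
"""

# "<=" marks a message arriving in Exim; the rest holds the key=value fields.
ARRIVAL = re.compile(
    r'^(\d{4}-\d{2}-\d{2}) (\d{2}):\d{2}:\d{2}(?: [+-]\d{4})? \S+ <= \S+ (.*)$')

def parse_local_arrival(line):
    """Return user, hour, subject and recipients for a P=local arrival, else None."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    date, hour, rest = m.groups()
    # Read U= and P= only from the text before T="..." so a crafted subject
    # cannot make a remote message look like a local submission.
    head, has_subject, tail = rest.partition(' T="')
    fields = dict(f.split("=", 1) for f in head.split() if "=" in f)
    if fields.get("P") != "local" or "U" not in fields:
        return None
    # The subject pattern tolerates backslash-escaped quotes inside T="...".
    sm = re.match(r'((?:[^"\\]|\\.)*)"', tail) if has_subject else None
    rcpts = rest.rsplit(" for ", 1)[1].split() if " for " in rest else []
    return {"user": fields["U"], "hour": f"{date} {hour}:00",
            "subject": sm.group(1) if sm else None, "rcpts": rcpts}

def local_relay_summary(log_text, limit):
    """Group local submissions by (account, hour); keep groups above `limit`."""
    groups = defaultdict(lambda: {"count": 0, "subjects": Counter(), "rcpts": Counter()})
    for line in log_text.splitlines():
        rec = parse_local_arrival(line)
        if rec:
            g = groups[(rec["user"], rec["hour"])]
            g["count"] += 1
            g["subjects"][rec["subject"]] += 1
            g["rcpts"].update(rec["rcpts"])
    return {k: g for k, g in groups.items() if g["count"] > limit}

if __name__ == "__main__":
    # limit=2 is an assumed value chosen to fit the small constructed sample.
    for (user, hour), g in local_relay_summary(SAMPLE_LOG, limit=2).items():
        print(user, hour, g["count"], g["subjects"].most_common(1), g["rcpts"].most_common(1))
```

A single subject and recipient dominating a group, as in the alert's sample, suggests one script or web form is generating the mail rather than normal user activity.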
doracreaper
Junior Member
Posts: 2
Joined: 24 Jun 2013, 09:10

Re: lfd on <serverurl>: LOCALRELAY Alert for <useraccount>

Post by doracreaper »

Hi Sergio,

Thank you so much for the quick response. Much appreciated.

I did find last night that the user registration was still enabled on all of the Joomla sites, so this bot was just registering accounts all the time continuously on multiple Joomla websites. Crazy stuff.

Thank you once again for your help. :-)
eliudcr
Junior Member
Posts: 1
Joined: 18 Dec 2019, 17:45

Re: lfd on <serverurl>: LOCALRELAY Alert for <useraccount>

Post by eliudcr »

Is there any way to avoid this kind of alert if this is an acknowledged incident?
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: lfd on <serverurl>: LOCALRELAY Alert for <useraccount>

Post by Sergio »

Yes,
do the following:
- Enter into the webmail of the account where you are receiving the alert email.
- Create a filter to delete the email alert that you are receiving.
- Save the filter.
- Done.

From the moment that you save the filter you will not receive that alert anymore.