SMTP Spamming

I am noticing a problem with SuiteCRM. There apparently is an undiscovered vulnerability that is causing us extreme issues.

If I enable an SMTP account in SuiteCRM, our server gets used as a Spam Relay rather quickly sending bulk emails originating from our domain.

So I have to change the mail account password and disconnect the SMTP account from SuiteCRM. Then everything is fine.

But the 3 sales people on our current system cannot send emails through the CRM anymore if I disable SMTP.

With the spamming, I figured it was a fluke from my Windows WAMP server, so I moved over to DigitalOcean on a CentOS 7 server in the cloud.

I enabled DKIM on our domain to try and eliminate problems, and I turned on SMTP again in the SuiteCRM system.

Boom, spam relay started up again. I am running the latest build from GitHub.

Here is an example of the “Catch-All” bounce-back we get:

Begin forwarded message:

From: "Content-filter at hiero.abul.org" <postmaster@hiero.abul.org>
Subject: Considered UNSOLICITED BULK EMAIL, apparently from you
Date: March 23, 2017 at 7:19:20 AM EDT
To: <Koch0534@majordisplay.com>

A message from < Koch0534@majordisplay.com> 
to: michel@gilantoli.com 
to: christophe.catarina@gmail.com 
to: jean.peyratout@gmail.com 
to: kolter@openics.org 
to: h.koutchouk@saint-loubes.fr 

was considered unsolicited bulk e-mail (UBE). 

Our internal reference code for your message is 27562-07/iHkLGB8iRfng 

The message carried your return address, so it was either a genuine mail 
from you, or a sender address was faked and your e-mail address abused 
by third party, in which case we apologize for undesired notification. 

We do try to minimize backscatter for more prominent cases of UBE and 
for infected mail, but for less obvious cases some balance between 
losing genuine mail and sending undesired backscatter is sought, 
and there can be some collateral damage on either side. 

First upstream SMTP client IP address: [147.210.68.129] osiris.abul.org 
According to a 'Received:' trace, the message apparently originated at: 
 [160.120.51.136], osiris.abul.org osiris.abul.org [147.210.68.129] using 
 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Client CN 
 " osiris.abul.org", Issuer " osiris.abul.org" (not verified) 

Return-Path: < Koch0534@majordisplay.com> 
From: "Heather Koch" < Koch0534@majordisplay.com> 
Message-ID: < 20170323111911.B5CB77C665E80A@majordisplay.com> 
Subject: I've got strong reasons to believe that this stock is about to soar. 

Delivery of the email was stopped! 
Reporting-MTA: dns; hiero.abul.org 
Received-From-MTA: dns; hiero.abul.org ([127.0.0.1]) 
Arrival-Date: Thu, 23 Mar 2017 12:19:20 +0100 (CET) 

Original-Recipient: rfc822; infos@abul.org 
Final-Recipient: rfc822; michel@gilantoli.com 
Action: failed 
Status: 5.7.0 
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=27562-07 - spam 
Last-Attempt-Date: Thu, 23 Mar 2017 12:19:20 +0100 (CET) 
Final-Log-ID: 27562-07/iHkLGB8iRfng 

Original-Recipient: rfc822; infos@abul.org 
Final-Recipient: rfc822; christophe.catarina@gmail.com 
Action: failed 
Status: 5.7.0 
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=27562-07 - spam 
Last-Attempt-Date: Thu, 23 Mar 2017 12:19:20 +0100 (CET) 
Final-Log-ID: 27562-07/iHkLGB8iRfng 

Original-Recipient: rfc822; infos@abul.org 
Final-Recipient: rfc822; jean.peyratout@gmail.com 
Action: failed 
Status: 5.7.0 
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=27562-07 - spam 
Last-Attempt-Date: Thu, 23 Mar 2017 12:19:20 +0100 (CET) 
Final-Log-ID: 27562-07/iHkLGB8iRfng 

Original-Recipient: rfc822; infos@abul.org 
Final-Recipient: rfc822; kolter@openics.org 
Action: failed 
Status: 5.7.0 
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=27562-07 - spam 
Last-Attempt-Date: Thu, 23 Mar 2017 12:19:20 +0100 (CET) 
Final-Log-ID: 27562-07/iHkLGB8iRfng 

Original-Recipient: rfc822; infos@abul.org 
Final-Recipient: rfc822; h.koutchouk@saint-loubes.fr 
Action: failed 
Status: 5.7.0 
Diagnostic-Code: smtp; 554 5.7.0 Bounce, id=27562-07 - spam 
Last-Attempt-Date: Thu, 23 Mar 2017 12:19:20 +0100 (CET) 
Final-Log-ID: 27562-07/iHkLGB8iRfng 
Return-Path: < Koch0534@majordisplay.com> 
Received: from osiris.abul.org ( osiris.abul.org [147.210.68.129]) 
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) 
 (Client CN " osiris.abul.org", Issuer " osiris.abul.org" (not verified)) 
 by hiero.abul.org (Postfix) with ESMTPS id 6B3D3158D7B2 
 for < infos@abul.org>; Thu, 23 Mar 2017 12:19:20 +0100 (CET) 
Received: from [160.120.51.136] (unknown [160.120.51.136]) 
 by osiris.abul.org (Postfix) with ESMTP id 6A24223FA7 
 for < infos@abul.org>; Thu, 23 Mar 2017 11:58:14 +0100 (CET) 
Received: (from apache@localhost) 
 by majordisplay.com (8.14.7/8.14.7/Submit) id B5CB77C665E80A; 
 Thu, 23 Mar 2017 11:19:11 -0000 
Message-Id: < 20170323111911.B5CB77C665E80A@majordisplay.com> 
To: infos@abul.org 
Subject: I've got strong reasons to believe that this stock is about to soar. 
X-PHP-Originating-Script: 1007:Sendmail.php 
From: "Heather Koch" < Koch0534@majordisplay.com> 
Date: Thu, 23 Mar 2017 11:19:11 -0000 
Content-Type: text/plain; charset=UTF-8 
Content-Transfer-Encoding: 8bit 
MIME-Version: 1.0 

PLEASE let us know how to fix this! It's a SuiteCRM exploit that has remained undetected up to this point.

In case you are wondering, the email address Koch0534@majordisplay.com is fake and does not exist in our records.
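A small triage script for bounce reports like the one quoted above, added here as an example (it is not from the thread or from SuiteCRM). It unfolds the header block, walks the Received chain oldest-first, and pulls out the two details that show where the message entered the mail system: the sendmail local-submission hop ("(from apache@localhost) ... /Submit") and the X-PHP-Originating-Script header, which PHP adds when mail.add_x_header is enabled and which names the uid and script that called mail(). The sample input is the header block quoted in the post; the function names are my own.

```python
"""Triage a forwarded spam bounce: reconstruct the Received chain and
flag indicators that the message was injected locally on the web host.

Example code for this thread, not part of SuiteCRM.
"""
from __future__ import annotations
import re
from typing import Optional

# Constructed sample: the header block quoted in the forum post above.
SAMPLE_BOUNCE = """\
Return-Path: < Koch0534@majordisplay.com>
Received: from osiris.abul.org ( osiris.abul.org [147.210.68.129])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN " osiris.abul.org", Issuer " osiris.abul.org" (not verified))
 by hiero.abul.org (Postfix) with ESMTPS id 6B3D3158D7B2
 for < infos@abul.org>; Thu, 23 Mar 2017 12:19:20 +0100 (CET)
Received: from [160.120.51.136] (unknown [160.120.51.136])
 by osiris.abul.org (Postfix) with ESMTP id 6A24223FA7
 for < infos@abul.org>; Thu, 23 Mar 2017 11:58:14 +0100 (CET)
Received: (from apache@localhost)
 by majordisplay.com (8.14.7/8.14.7/Submit) id B5CB77C665E80A;
 Thu, 23 Mar 2017 11:19:11 -0000
Message-Id: < 20170323111911.B5CB77C665E80A@majordisplay.com>
To: infos@abul.org
Subject: I've got strong reasons to believe that this stock is about to soar.
X-PHP-Originating-Script: 1007:Sendmail.php
From: "Heather Koch" < Koch0534@majordisplay.com>
Date: Thu, 23 Mar 2017 11:19:11 -0000
"""

# "from <sender> by <host>", tolerating sendmail's "(from user@localhost)" form.
_HOP_RE = re.compile(r"\(?from\s+(?P<frm>.+?)\)?\s+by\s+(?P<by>\S+)", re.I)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> list[tuple[str, str]]:
    """Split a header block into (name, value) pairs, joining RFC 5322
    continuation lines (those starting with whitespace) onto the previous header."""
    headers: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def received_chain(headers: list[tuple[str, str]]) -> list[dict]:
    """Return the Received hops oldest-first (each MTA prepends its header,
    so the on-the-wire order is newest-first). A hop records who handed the
    message over, which host accepted it, the first bracketed IP literal, and
    whether the line is a sendmail local-submission trace rather than a
    network delivery."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = _HOP_RE.search(value)
        if not m:
            continue
        sender = m.group("frm").strip()
        ip = _IP_RE.search(sender)
        hops.append({
            "from": sender,
            "by": m.group("by"),
            "ip": ip.group(1) if ip else None,
            "local_submission": "/Submit)" in value or "@localhost" in sender,
        })
    hops.reverse()
    return hops


def php_origin(headers: list[tuple[str, str]]) -> Optional[tuple[int, str]]:
    """X-PHP-Originating-Script is "uid:script", added by PHP's mail() when
    mail.add_x_header is on; it identifies the script that sent the message."""
    for name, value in headers:
        if name.lower() == "x-php-originating-script":
            uid, _, script = value.partition(":")
            return int(uid), script.strip()
    return None


def triage(raw: str) -> dict:
    """Summarise where the message entered the mail system and why."""
    headers = unfold_headers(raw)
    hops = received_chain(headers)
    php = php_origin(headers)
    findings = []
    if hops and hops[0]["local_submission"]:
        findings.append(f"first hop is a local submission by {hops[0]['from']} on {hops[0]['by']}")
    if php:
        findings.append(f"PHP mail() called by uid {php[0]} via {php[1]}")
    return {
        "origin_host": hops[0]["by"] if hops else None,
        "origin_ip": next((h["ip"] for h in hops if h["ip"]), None),
        "hops": len(hops),
        "php_script": php[1] if php else None,
        "php_uid": php[0] if php else None,
        "web_host_injection": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_BOUNCE).items():
        print(f"{key}: {val}")
```

Run against the quoted bounce, the oldest hop is the sendmail submission by apache@localhost on majordisplay.com and the originating script is Sendmail.php under uid 1007, which is the kind of detail to correlate with the web server's access log and the PHP process's user on the host before looking at the SMTP account itself.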

Bump… nobody???

If you believe this is a valid SuiteCRM bug please post on GitHub

Then why have a forum? Seems kind of pointless IMHO…

And I am not entirely sure what it is, that's why I am asking here…

GitHub is for valid out-of-the-box bugs and pull requests. The forums are for community discussions, instance issues that are not out of the box, questions, etc.

:slight_smile:

@mbates14

Could you elaborate on how you got DKIM working with SuiteCRM? I’d like to implement this as well. Never done it before. Happy for pointers!