SupportSuite, eSupport and LiveResponse Discussion, troubleshooting and feedback related to Kayako's flagship support desk products SupportSuite, eSupport and LiveResponse.

  (#1) Old
chirpy Offline
New Member
 
Posts: 7
Join Date: Oct 2004
Kayako being used as spam relay; how to stop? - 18-06-2007, 01:48 PM

Hi --

I think my v3.00.32 installation of eSupport has some form of open hole (in Kayako, I presume) that has put my server into service as a relay server in a spam relay network. (A bad thing, obviously.)

I was looking into why email had stopped (unrelated to Kayako) on my server, and found a message in the outbound mailqueue that appears as follows (note: I've modified the target email addresses to use "DestDomain" instead of @, and our host as "OurDomain", so the respective addresses don't get picked up by crawlers reading this forum.)

Quote:
(mail control stuff)
MDeferred: Connection timed out with mail.liocc.com.
Fwbs
$_plumcanary.com [127.0.0.1]
$rESMTP
$splumcanary.com
${daemon_flags}EE
${if_addr}127.0.0.1
S<support OurDomain plumcanary.com>
MDeferred: Connection timed out with mail.liocc.com.
rRFC822; sales DestDomain liocc.com
RPFD:<sales DestDomain liocc.com>
H?P?Return-Path: <?g>
H??Received: from plumcanary.com (plumcanary.com [127.0.0.1])
by plumcanary.com (8.12.11.20060308/8.12.11) with ESMTP id l5EClYf5017460
for <sales DestDomain liocc.com>; Thu, 14 Jun 2007 08:47:34 -0400
H??Received: (from mail@localhost)
by plumcanary.com (8.12.11.20060308/8.12.11/Submit) id l5EClY2N017459;
Thu, 14 Jun 2007 08:47:34 -0400
H??X-Authentication-Warning: plumcanary.com: mail set sender to support OurDomain plumcanary.com using -f
H??To: sales DestDomain liocc.com
H??Subject: Bigger size better life
H??X-Mailer: Kayako eSupport v3.00.32
H??X-Priority: 3
H??Date: Thu, 14 Jun 2007 08:47:33 -0400
H??From: "Plum Canary Technical Support" <support OurDomain plumcanary.com>
H??Reply-To: support OurDomain plumcanary.com
H??Content-Type: text/plain; charset="UTF-8"
H??Content-Transfer-Encoding: 8bit
H??Message-ID: <jjmm79.izdx3g@localhost>
H??Received-SPF: pass (plumcanary.com: domain of support OurDomain plumcanary.com designates 127.0.0.1 as permitted sender) receiver=plumcanary.com; client-ip=127.0.0.1; helo=plumcanary.com; envelope-from=support OurDomain plumcanary.com; x-software=spfmilter 0.97 http://www.acme.com/software/spfmilter/ with libspf2-1.0.0;
This looks like it is mail "from" our support email account, the sending mail agent is (X-Mailer) Kayako eSupport, sending to someone who is _not_ in our user list. Which means some botnet is fooling Kayako into sending spam from our servers. (Which now explains, by the way, why our server has shown up recently on some spam warning lists.)

Background notes:
- I have turned _off_ accepting inbound mail requests to create tickets, but have the autoresponder (in Kayako) sending back an advisory to that effect;
- I will work on updating Kayako to 3.10.02 shortly, but I have no knowledge that would indicate that this problem will be addressed by 3.10.02.

Anybody have any ideas what path the bad botnets have found into my Kayako server that is permitting them to use Kayako as a relay host?
   
Reply With Quote
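
An added example, not part of the original post or Kayako's code: a triage script for sendmail queue control (qf) files like the one quoted above, reporting the three signals that post points to. It assumes folded header lines in the real file are indented (the quote above shows them flush left); the sample data, the known-user set and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the queue file quoted in the post above.
# All addresses, the host name and the queue id are placeholders.
SAMPLE_QF = """\
S<support@helpdesk.example>
RPFD:<sales@stranger.example>
H??Received: (from mail@localhost)
\tby helpdesk.example (8.12.11/8.12.11/Submit) id EXAMPLEID0001;
\tThu, 14 Jun 2007 08:47:34 -0400
H??X-Authentication-Warning: helpdesk.example: mail set sender to support@helpdesk.example using -f
H??To: sales@stranger.example
H??X-Mailer: Kayako eSupport v3.00.32
"""

HDR = re.compile(r"H\?[^?]*\?([^:\s]+):\s*(.*)")

def parse_qf(text):
    """Parse sendmail qf control lines into sender, recipients and headers."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:   # folded continuation line
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line)
    qf = {"sender": None, "recipients": [], "headers": {}}
    for rec in records:
        if rec[0] == "S":
            qf["sender"] = rec[1:].strip("<>")
        elif rec[0] == "R":                  # R<flags>:<address>
            qf["recipients"].append(rec[1:].split(":", 1)[-1].strip("<>").lower())
        elif rec[0] == "H" and (m := HDR.match(rec)):
            qf["headers"].setdefault(m.group(1).lower(), []).append(m.group(2))
    return qf

def findings(qf, known_users, app_mailer="Kayako"):
    """Return the reasons a queued message looks like abuse of the helpdesk."""
    h, out = qf["headers"], []
    strangers = [r for r in qf["recipients"] if r not in known_users]
    if strangers and any(v.startswith(app_mailer) for v in h.get("x-mailer", [])):
        out.append("helpdesk-generated mail to non-users: " + ", ".join(strangers))
    if any(v.startswith("(from ") and "@localhost)" in v for v in h.get("received", [])):
        out.append("submitted on the host itself, not relayed in over SMTP")
    if any("using -f" in v for v in h.get("x-authentication-warning", [])):
        out.append("local account set the envelope sender with -f")
    return out

if __name__ == "__main__":
    for reason in findings(parse_qf(SAMPLE_QF), {"alice@customer.example"}):
        print(reason)
```

Run against each qf file in the mail queue with the helpdesk's real user list, this separates legitimate autoresponses from mail the application was induced to send to addresses it has never dealt with.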
  (#2) Old
Jamie Edwards Online
Operations Manager
 
Posts: 5,119
Join Date: Jan 2006
Location: United Kingdom
18-06-2007, 02:47 PM

Hi Chirpy,

You are running a very outdated version of SupportSuite which is susceptible to cross-site scripting exploits. It is likely an attack has included code that is used to spam e-mails from your server, using the sendmail() functions.

I am sorry you have succumbed to this. I strongly advise you keep your installation updated with the latest stable releases of SupportSuite.


Jamie Edwards (jamie.edwards ]at[ kayako.com)
----------------------------------------------------------------
---
  • New to the forum? New user's guide here.
  • Submit bug reports here.
  • Submit support tickets via the members area.
  • Submit sales queries either via live chat or via e-mail.
  • There is no official ETA on Version 4.
   
  (#3) Old
nibb Offline
Member
 
Posts: 87
Join Date: Feb 2007
19-06-2007, 03:35 AM

I have 3.10.02

And my Kayako is used to spam as well. I just noticed that. Also when a user creates a ticket it gets created every 1 minute or so again, not exactly the same time. The spammer seems to be simulating a bot robot someway and uses Kayako to spam with my email.
   
  (#4) Old
chirpy Offline
New Member
 
Posts: 7
Join Date: Oct 2004
UPDATE FAILED; site in trouble - 19-06-2007, 03:58 AM

Jamie --

I performed the update, but it failed. I'm experiencing the same error reported in this forum post here: ERROR: Could not insert all templates

I have opened a support ticket since my system is functionally "down."

Note: I'm using ionCube.
   