[PLUG] What Is Sending Email?

Peter Leftwich (Peter@ITWiz1.Com) Peter at itwiz1.com
Fri Mar 19 19:39:05 UTC 2021


Hi Michael - I hope all is going well with your NUC.

Great question about inheriting hardware, and to all an excellent reminder
/ caveat / best-practices opportunity for talking security, system
hardening, being mindful of resources, and general good Linux / Unix
housekeeping...

**If this were me**, I would typically take the following steps below - My
apologies on the exact commands if they are not 100% accurate, I have not
tested them on my Raspberry Pi 4 8GB. =^]

1. Before enabling Wi-Fi on inherited computers or servers, or plugging in
a LAN cable, be sure that the device is basically sandboxed and offline.

2. I believe you can run `netstat -a` to see if any ports are in LISTENING
state (Windows has a great flag for this command, -bno, which tells you
which binary or program or app is the source of listening on certain ports!
I'm positive Linux has something similar...) ...but perhaps for a quick peek
you could plug a LAN cable in and run the above command > with its STDOUT
sent out into a file, to analyze after again putting the system offline.

3. As one responder on this list mentioned, it is good to check all the
cron jobs that are geared up to go; for the ones as root you could run
crontab -e, but I believe there is a directory as a repository for all the
perhaps installed packages' usernames that might have cron jobs, where you
can see them in one central place; pretty certain that's a thing! If they
exist, perhaps chmod them ...or better, mv them to a subdirectory called
/old/, or /cron_jobs_off/.

4. Thank you for staying with me this far lol - These two (2) commands are
probably your very good friend, when poking around an unknown system and
doing a little reconnaissance:

4a1. $ sudo apt list --installed > packages_list.txt    ##OR
4a2. $ sudo dpkg-query -f '${binary:Package}\n' -W > packages_list.txt
##OR LASTLY,
4a3. $ sudo dpkg-query -l > packages_list.txt

5. See which services are active, enabled (run at startup), or especially
are currently running!

# systemctl list-units --type=service --state=active
OR
# systemctl --type=service --state=active

# systemctl list-units --type=service --state=running
OR
# systemctl --type=service --state=running

6. Lastly, but maybe the quickest, easiest fix: great to install a simple
uncomplicated firewall and only over time incrementally open ports
gradually **as needed** and known and identified as necessary, etc. Maybe
this should be Step #1 above!
$ sudo apt install ufw gufw

Cheers, I hope this is helpful and I do happily welcome from the list any
corrections and/or added measures!

Peter L in San Diego CA,
<Peter then adt-siymbull then ITWiz1.Com>
Active in kplug and sdbug, and recently nycbug!
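Peter's cron sweep (step 3) and Michael's daily 06:25 Exim entry, as an added shell example that is code from neither post: it pulls the submissions that entered Exim's queue from a local process (P=local) out of a constructed mainlog excerpt and lists the cron entries scheduled at that minute. The log excerpt, addresses and cron paths in it are assumptions.

```sh
#!/bin/sh
# Added example, not code from either post: match Exim mainlog submissions
# that came from a local process (P=local) against cron entries that fire at
# the same clock time. The log excerpt and addresses below are constructed
# samples (example.com / example.org), not Michael's real data.

EXIM_SAMPLE='2021-03-18 06:25:02 1lMse6-0001wL-1W <= root@mailx.example.com U=root P=local S=707
2021-03-18 06:25:06 1lMse6-0001wL-1W => someone@example.org <root@mailx.example.com> R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10]
2021-03-18 06:25:06 1lMse6-0001wL-1W Completed
2021-03-18 09:10:00 1lMvDa-0002Qx-7z <= bob@mailx.example.com H=laptop [192.0.2.55] P=esmtpsa S=1200'

# exim_local_submissions: mainlog on stdin -> "HH:MM user sender" for every
# message that entered the queue through the local sendmail interface; a
# recurring hit here means a process on this box, not a remote client, sent it.
exim_local_submissions() {
    awk '$4 == "<=" && / P=local / {
        u = "?"
        for (i = 6; i <= NF; i++) if ($i ~ /^U=/) u = substr($i, 3)
        print substr($2, 1, 5), u, $5
    }'
}

# cron_entries_at HH:MM PATH...: print file:line for each cron entry whose
# minute and hour fields match (or are "*"). On a real box pass /etc/crontab
# /etc/cron.d /var/spool/cron/crontabs (the last needs root to read).
cron_entries_at() {
    hhmm=$1; shift
    h=${hhmm%%:*}; m=${hhmm##*:}
    h=${h#0}; m=${m#0}; h=${h:-0}; m=${m:-0}      # "06" -> 6, "00" -> 0
    find "$@" -type f 2>/dev/null | while read -r f; do
        awk -v m="$m" -v h="$h" -v f="$f" '
            /^[ \t]*(#|$)/ { next }                              # comments, blanks
            ($1 == m || $1 == "*") && ($2 == h || $2 == "*") { print f ":" $0 }
        ' "$f"
    done
}

# audit_mail_senders PATH...: for each local submission in the sample log,
# list the cron entries that could have produced it.
audit_mail_senders() {
    printf '%s\n' "$EXIM_SAMPLE" | exim_local_submissions | sort -u |
    while read -r hhmm user sender; do
        echo "== $hhmm: $sender (user $user) submitted mail locally"
        cron_entries_at "$hhmm" "$@" | sed 's/^/   cron: /'
    done
}
```

To check a real server, feed the actual mainlog to exim_local_submissions and point cron_entries_at at /etc/crontab, /etc/cron.d and /var/spool/cron/crontabs; a daily P=local entry with no matching cron line points at a systemd timer or a long-running daemon instead.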


==
Date: Thu, 18 Mar 2021 16:53:04 -0700
From: Michael Barnes <barnmichael at gmail.com>
To: "Portland Linux/Unix Group" <plug at pdxlinux.org>
Subject: [PLUG] What Is Sending Email?

As part of my new gig, I inherited an email server. It is an Intel NUC
running Linux. I have almost no information on it, other than its login
info. Looking at various logs, I find a folder /var/log/Exim4 with mail
logs in it. It has a series of log files titled mainlog with owner of
Debian-exim and group of adm.

In looking at the log, it has an entry every morning at 0625 that seems to
be sending an email to an unknown person. I have obscured the identity data.

2021-03-18 06:25:02 1lMse6-0001wL-1W <= root at mailx.mydomain.com U=root P=local S=707
2021-03-18 06:25:06 1lMse6-0001wL-1W => someone at somewhere.org <root at mailx.mydomain.com> R=dnslookup T=remote_smtp H=in1-smtp.messagingengine.com [66.111.4.73] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes DN="C=AU,ST=Victoria,L=Melbourne,O=FastMail Pty Ltd,CN=*.messagingengine.com" K C="250 2.0.0 Queued as 89A962AC350"
2021-03-18 06:25:06 1lMse6-0001wL-1W Completed

Any ideas on exactly what is happening here? I certainly don't want this
thing sending someone emails every day that I do not know about.

Thanks,
Michael
