Have you found the IP address of the host?

Shouldn't it be easy to find it in one of the spam messages?

adamc

Matti Haack wrote:
We are a SERVICE Provider, so we want to provide a good service to
our customers. After the first issue from them, they cleaned up
all machines, but the problem reappeared two weeks later. Maybe it
is some mobile device which gets attached to their network.

So yes, I shut down their service weeks ago. They told me
they corrected the problem, I reactivated the account and after two
weeks it happened again... Unfortunately they can't send from
their DUP Provider, as they force them to use the provider's free
email address.

The main problem is that this spamming normally happens during
night time. So I am looking for a method to prevent them (and
other customers) from starting this again. When we detect it (Kiwi Syslog
sends alarm), it is normally too late and our queue is filled with
bounces which have to be removed manually. To mitigate this problem, I
made a small script which monitors the queue size and sends alarm
messages if the queue grows unusually.

As the from address is faked too, we got masses of bounces. - And the
sender has no idea what he did...

So do you have any idea how to force users to a special
"from:" domain? Technical, not ideological...

With best regards Matti Haack

I have some problem with the way IMail (8.x) handles SMTP-Auth
email. A customer of ours seems to have a compromised host,
which sends spam every two weeks or so through their local gateway

Tell them that you will not relay outbound mail that has been submitted to their system without SMTP AUTH.

Since they are spamming you from a trusted IP, you show them your logs and shut them off until they fix their system. In the
meantime, their own gateway can send directly to the Internet and shift
the problem onto them.

- which is relayed over our IMAIL Server.

Their mail server requires no authentication for their local
hosts to send mail

I'd be surprised if a mail-bot/trojan in a compromised machine is doing SMTP AUTH to submit spam to their mail server. Their mail server is more likely doing relay for addresses.

Len

- Matti Haack - Hit Haack IT Service Gmbh Poltlbauer Weg 4, D-94036
Passau +49 851 50477-22 Fax: +49 851 50477-29 http://www.haack-it.de
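
The two controls discussed in this thread (pinning each trusted relay to a fixed "from:" domain, and catching a burst before the queue fills with bounces) are sketched below as an added example. It is not part of the original thread and not IMail's configuration or log format; the log lines, the `ALLOWED` map and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format (NOT IMail's real log format):
# <ISO timestamp> relay=<client IP> from=<envelope sender>
SAMPLE_LOG = """\
2004-03-02T01:10:00 relay=192.0.2.10 from=<info@customer.example>
2004-03-02T01:10:05 relay=192.0.2.10 from=<promo@forged.example>
2004-03-02T01:10:06 relay=192.0.2.10 from=<deal@forged.example>
2004-03-02T01:10:07 relay=192.0.2.10 from=<win@other.example>
2004-03-02T09:00:00 relay=192.0.2.20 from=<bob@second.example>
"""

# Assumed policy: each trusted relay IP may only use these sender domains.
ALLOWED = {"192.0.2.10": {"customer.example"}, "192.0.2.20": {"second.example"}}

LINE_RE = re.compile(r"^(\S+) relay=(\S+) from=<([^>]*)>$")

def audit(log_text, allowed=ALLOWED, max_msgs=3, window=timedelta(minutes=1)):
    """Return (rejected, throttled): messages whose sender domain is not
    permitted for the relay, and relays exceeding max_msgs per window."""
    rejected, throttled = [], set()
    recent = defaultdict(deque)          # relay IP -> timestamps inside window
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # skip lines we cannot parse
        ts, relay, sender = datetime.fromisoformat(m[1]), m[2], m[3]
        domain = sender.rpartition("@")[2].lower()
        # An empty sender (<>) yields an empty domain and is not allowed here.
        if domain not in allowed.get(relay, set()):
            rejected.append((relay, sender))
        q = recent[relay]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                  # drop timestamps older than the window
        if len(q) > max_msgs:
            throttled.add(relay)
    return rejected, throttled

if __name__ == "__main__":
    bad, hot = audit(SAMPLE_LOG)
    print("reject:", bad)
    print("throttle:", sorted(hot))
```

A relay that is absent from `ALLOWED` has every message rejected, so a new customer gateway has to be added to the policy before it can send.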

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
