>We have the option "relay for local users only" set. We also have the
>option "Auto-deny possible hack attacks". All other options under SMTP
>Security are turned off. I wonder if you can suggest what might have
>happened and what we can do to prevent it in the future.
Most likely, a spammer sent out mail using a local user account, which you
have given them permission to do. "Relay for Addresses" or "No mail relay"
are the only two options if you do not want spammers using your services
for free.
>Return-Path: <[EMAIL PROTECTED]>
>Received: (qmail 10647 invoked from network); 30 Dec 2001 17:45:01 -0000
>Received: from arodal-wa.com (HELO gtmo.net) (206.159.55.2) <<<This is
>our server!!!
> by mx00.comstar.net with SMTP; 30 Dec 2001 17:45:01 -0000
Hmmm... that's not an IMail server! Either that, or the person submitting
the spam made major alterations to the headers. That's a very poor header
anyways, as it doesn't clearly identify who or what connected to where. At
the *very* least, a Received: header should have the IP address that
connected to it (it should be in the form "[192.168.100.1]", with the
brackets around it).
So this Received: header comes from an untrusted source, and is 100%
unreliable. We can't assume that 206.159.55.2 is really the IP address
that sent the E-mail.
>From: Nicole Kinmand <[EMAIL PROTECTED]>
Note that there are no more Received: headers. This spam didn't come from
an IMail server, or is missing headers.
>=================================== From the Log:
>
>12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] connect 127.0.0.1 port 1210
>12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] HELO 2222.com
>12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] MAIL FROM:<[EMAIL PROTECTED]>
>12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] RCPT TO:<[EMAIL PROTECTED]>
>12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] C:\IMAIL\spool\D3fe90d6.SMD 4260
Let me guess, you run two mail servers on the same machine?
If so, the IMail logs will be useless; you'll need to check the logs of the
other mail server, which received the E-mail.
You'll also need to set up the other mail server to be secure; if you set
up IMail anti-relay settings, but have IMail accept mail from the other
(unsecured) server, it will send out more spam for you.
>12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] connect 206.159.55.2 port 1388
... and note that the same thing is happening here, but with a local IP
rather than the loopback IP. I'm a bit worried that two different IPs
would be used, but that isn't your primary concern now.
-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
IMail. http://www.declude.com
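
The log check discussed in the reply above, as an added example (not part of the original message, and not IMail or Declude code): it groups SMTPD log lines by session and flags sessions in which the loopback address or one of the server's own IPs handed IMail a message for a non-local recipient, the pattern that points to a second mail server on the same machine. The function name, `own_ips`, `local_domains` and the sample log are assumptions; only the line layout is taken from the excerpt quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Layout seen in the quoted log: MM:DD HH:MM SMTPD(<session>) [<peer>] <event>
LINE_RE = re.compile(r"^\d\d:\d\d \d\d:\d\d SMTPD\(([0-9A-Fa-f]+)\) \[([^\]]+)\] (.*)$")
RCPT_RE = re.compile(r"RCPT TO:\s*<[^@>]*@([^>]+)>", re.I)

# Constructed sample log: mail addresses, spool names and the 192.0.2.44 peer are invented.
SAMPLE_LOG = r"""
12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] connect 127.0.0.1 port 1210
12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] HELO 2222.com
12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] MAIL FROM:<a@example.org>
12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] RCPT TO:<b@example.net>
12:30 08:25 SMTPD(0B5100D6) [127.0.0.1] C:\IMAIL\spool\D0000001.SMD 4260
12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] connect 206.159.55.2 port 1388
12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] RCPT TO:<c@example.net>
12:30 08:25 SMTPD(0B5200D6) [206.159.55.2] C:\IMAIL\spool\D0000002.SMD 3100
12:30 08:26 SMTPD(0B5300D6) [192.0.2.44] connect 192.0.2.44 port 4021
12:30 08:26 SMTPD(0B5300D6) [192.0.2.44] RCPT TO:<user@example.com>
12:30 08:26 SMTPD(0B5300D6) [192.0.2.44] C:\IMAIL\spool\D0000003.SMD 900
"""

def local_handoffs(log_text, own_ips, local_domains):
    """Return {session: (peer, [external rcpt domains])} for mail that was
    spooled for a non-local recipient and arrived from this host itself."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    domains = {d.lower() for d in local_domains}
    sessions = defaultdict(lambda: {"peer": None, "rcpts": [], "spooled": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-SMTPD line
        sid, peer, event = m.groups()
        s = sessions[sid]
        s["peer"] = peer
        rcpt = RCPT_RE.match(event)
        if rcpt and rcpt.group(1).lower() not in domains:
            s["rcpts"].append(rcpt.group(1).lower())
        if re.search(r"\.SMD\b", event, re.I):
            s["spooled"] = True  # message body was written to the spool
    flagged = {}
    for sid, s in sessions.items():
        try:
            addr = ipaddress.ip_address(s["peer"])
        except ValueError:
            continue  # peer field was not an IP address
        if (addr.is_loopback or addr in own) and s["rcpts"] and s["spooled"]:
            flagged[sid] = (s["peer"], s["rcpts"])
    return flagged
```

Sessions flagged this way only show that the mail entered IMail from the same machine; the original sender has to be traced in the logs of whatever process made that local connection.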