>I've got relay set only for addresses I allow. Spammers are still bouncing
>mail off my server.
If you use "Relay for Addresses" (which is one of the only two safe
options; the other is "No Mail Relay", where everyone has to use SMTP
AUTH), spammers should only be able to relay mail if they come from one of
the "safe" IPs that you allow, or if they break into one of your accounts
(which I have never seen happen, but is technically possible).
>Here's a line from the log that concerns me, I'm
>curious how it's done:
>
>20020920 044433 127.0.0.1 SMTP (1768) 250-ns1.skynet.ne.jp Hello
>[EMAIL PROTECTED] [200.42.210.151], pleased to meet you
You're not looking in the right place. :)
The "SMTP" (or "SMTP-") lines are where your mailserver is sending mail to
another. In this case, you've sent a command (most likely "EHLO"), and
they are responding to you. They can send whatever they want in their
response, and several mailservers will include your reverse DNS entry.
>This portion: adsl-210-151.tricom.net [200.42.210.151] is the reverse
>lookup record of my MX record, mailtest.enelpunto.net. My question is: how
>is a spammer able to put that in the commands?
They aren't -- if one of the two mailservers is sending spam in this case,
it's yours -- because you are sending mail to them. You connected to their
server.
>Or, is this a completely legitimate line and I just don't understand the
>SMTP process well enough yet???
:)
It takes a while to understand SMTP transactions and the IMail logs.
What you want to look for is only lines that have "SMTPD" in them (which
indicates E-mail that IMail is receiving). From those lines, you can then
find the spammer, and post the log file entries here if you would like some
help in figuring out how they did it.
Or, if you have a sample spam that was sent, you can post the headers from
the spam, which will provide more information (but not as much as your log
file will).
-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
IMail. http://www.declude.com
---
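
Added example (not part of the message above, and not IMail or Declude code): a small Python filter that follows the advice in the reply by keeping only the "SMTPD" lines and listing the address logged on each receiving session. It assumes SMTPD lines use the same field layout as the one SMTP line quoted in the thread; the sample lines, addresses and host names are constructed.

```python
import re
from collections import defaultdict

# Layout assumed from the single log line quoted in the thread:
#   YYYYMMDD HHMMSS <address> <service> (<session>) <text>
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<ip>\S+) "
    r"(?P<service>SMTPD|SMTP-?) \((?P<session>\d+)\) (?P<text>.*)$"
)

# Constructed sample: one outbound (SMTP) reply line shaped like the one in
# the thread, plus hypothetical inbound (SMTPD) lines from two sessions.
SAMPLE = """\
20020920 044433 127.0.0.1 SMTP (1768) 250-mx.example.net Hello mail.example.org [192.0.2.10], pleased to meet you
20020920 044501 203.0.113.45 SMTPD (2001) connect
20020920 044502 203.0.113.45 SMTPD (2001) MAIL FROM:<a@example.com>
20020920 044503 203.0.113.45 SMTPD (2001) RCPT TO:<b@example.net>
20020920 044610 198.51.100.7 SMTPD (2002) connect
this line does not match the layout and is skipped
""".splitlines()


def split_by_direction(lines):
    """Group parsed lines by session: SMTPD = mail received, SMTP/SMTP- = mail sent."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # unknown layout or another service; ignore it
        rec = m.groupdict()
        bucket = inbound if rec["service"] == "SMTPD" else outbound
        bucket[rec["session"]].append(rec)
    return dict(inbound), dict(outbound)


def inbound_sources(lines):
    """Map each address seen on SMTPD lines to its sorted session ids."""
    inbound, _ = split_by_direction(lines)
    sources = defaultdict(set)
    for session, recs in inbound.items():
        for rec in recs:
            sources[rec["ip"]].add(session)
    return {ip: sorted(ids) for ip, ids in sources.items()}


if __name__ == "__main__":
    for ip, sessions in inbound_sources(SAMPLE).items():
        print(ip, "sessions:", ", ".join(sessions))
```

An address that shows up here and is not on the "Relay for Addresses" list is the session to read in full.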