Hi,
I just wanted to check in with the list - I've been in digest mode for a
while - I noticed postings from a couple of folks last week and over the
weekend regarding spam getting relayed through their server, where they
were configured to be protected against relaying. This happened to me on
Friday as well. Here are the details:
* Windows 2000 Server SP3 + hotfixes
* IMail 7.07 HF2 configured to relay for addresses
On Friday morning, I found that my logfile for that day was already 30 MB,
where I would normally see that size for a whole day of SMTP action. I
looked in the logfile and saw hundreds, maybe thousands of logged messages
originating from 210.0.137.240. Most of the messages were from a Yahoo
address, and to a Yahoo or AOL address, but there were some more diverse
To: addresses.
Immediately I checked the spool and found several hundred messages in there
from this source. I stopped SMTP and copied all messages out of the spool,
and set SMTP security to 'No Mail Relay' - I started SMTP back up and
perused the messages that I copied out. There were a handful that were
legit, which I copied back in, but most of the rest were spam, to and from
addresses that I don't host.
I went back and checked the addresses that I had set to be allowed to
relay, they were for a range of IP addresses that I host (with a proper
subnet mask), a range of IP addresses on my office network, and a single IP
for a client for whom I provide secondary mail services. My hosted range
starts with 63 - not close to 210.0.137.240, and my office range starts
with 204 - closer to 210, but with a subnet mask of 255.255.255.240, and
the single IP starts with 209 - once again, close to 210, but it is just a
single IP, so none of these should have allowed the relay.
I proceeded to test relaying from an outside server that I have control
over, and could not. I then turned relay back on for the 2 IP ranges and
single IP, and didn't see any more spam come through...for a couple of
hours, when I got bombed again, from the same IP, 210.0.137.240 - I then
set that entire IP range to be blocked via the SMTP access control list,
and cleared out my spool again.
I then went and viewed the smtpd32.loc file with a binary/hex viewer, and
confirmed that the addresses that I allow to relay are listed properly,
with the correct subnet mask.
I'm concerned that I'm not the only person that got bombed - I was just
about to write more about being concerned that there might be a 'new'
exploit that Ipswitch doesn't know about - I was sifting through my
logfiles to find a snippet that I could paste in here to show evidence that
someone relayed through without authenticating... and got stopped short - I
found that this spammer was authenticating! Authentication logs with a
different session ID than SMTP or SMTPD - during heavy volume, it's easy to
miss the 'Authenticated... session treated as local' - especially if the
authenticated account is a normal, commonly used mailbox. Here's a snippet
of the log (cleaned of other sessions):
20030117 122335 127.0.0.1 SMTPD (2DB90130) [63.251.80.230] connect 210.0.137.240 port 7433
20030117 122335 127.0.0.1 SMTPD (2DB90130) [210.0.137.240] EHLO Richmond
20030117 122339 127.0.0.1 SMTPD (0000013C) Authenticated xyzabc(modified)@pop.matrixgroup.net, session treated as local.
20030117 122339 127.0.0.1 SMTPD (2DB90130) [210.0.137.240] MAIL FROM:<[EMAIL PROTECTED]>
20030117 122339 127.0.0.1 SMTPD (2DB90130) [210.0.137.240] RCPT TO:<[EMAIL PROTECTED]>
20030117 122343 127.0.0.1 SMTPD (2DB90130) [210.0.137.240] D:\IMAIL\spool\D3c1b2db90130e0db.SMD 6918
20030117 122344 127.0.0.1 SMTPD (2DB90130) [210.0.137.240] MAIL FROM:<[EMAIL PROTECTED]>
20030117 122344 127.0.0.1 SMTPD (2DB90130) [210.0.137.240] RCPT TO:<[EMAIL PROTECTED]>
20030117 122348 127.0.0.1 SMTPD (2DB90130) [210.0.137.240] D:\IMAIL\spool\D3c202db90130f30b.SMD 6857
The SMTPD line showing authentication has a different session ID (or PID,
not sure what to call it) than the rest of the session, and it was mixed
among other entries, so I missed it. In this one session there were many (I
haven't counted yet) pieces of mail sent out, followed by several more
authenticated sessions with this account - so if I had missed that first
connection, it would have just looked like a ton of unauthenticated
messages getting relayed through.
Ultimately, the culprit: a forgotten mailbox that had been set to forward
elsewhere and that had a default password of 'password'.
Initially I wanted to post this to speak up - to see if there was a new
exploit; now I see that it was my bad, for a lack of password auditing and
some spammer exploiting that. I'm not saying that this is the same exact
problem that you other folks had, but I'm suggesting that you take a
closer look at your log for Authentication, and maybe use a tool like
extractusers if you're using the IMail db, to audit your passwords; there's
clearly at least one spammer out there exploiting 'password' passwords.
Jeff Lesperance
Matrix Group International, Inc.
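The log review the post recommends, as an added example (this is not code from the post, from Ipswitch, or from IMail): a small Python audit that parses smtpd32-style log lines in the format shown in the snippet above, attaches each "Authenticated ..., session treated as local" line to the next session that issues MAIL FROM (a heuristic, because the post notes the authentication is logged under a different session ID), counts the messages each authenticated account got accepted into the spool, and flags accounts that authenticated from a client outside the operator's own relay ranges or that exceed a volume threshold. The line format is inferred from the snippet; the allowed-relay networks, account names, session IDs and the sample log lines are all constructed placeholders.

```python
"""Audit an IMail smtpd32-style log for authenticated relay sessions.

Added example, not from the original post, Ipswitch or IMail. The field
order (date time host SMTPD (session) [client] text) and the
"Authenticated ..., session treated as local." wording are taken from the
post's snippet; everything else here is an assumption or constructed data.
"""
import ipaddress
import re
from collections import defaultdict

# One log entry per line; the [client] bracket is absent on auth lines.
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) \S+ SMTPD \((?P<sess>[0-9A-Fa-f]+)\) "
    r"(?:\[(?P<ip>[\d.]+)\] )?(?P<text>.*)$"
)
AUTH_RE = re.compile(r"^Authenticated (?P<account>\S+), session treated as local\.?$")
SPOOL_RE = re.compile(r"\.SMD \d+$")  # message file written to the spool

# Placeholder relay ranges (documentation networks, not the poster's).
ALLOWED_RELAY = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/28")]

# Constructed sample log in the post's format; IPs and accounts are placeholders.
SAMPLE_LOG = r"""
20030117 122335 127.0.0.1 SMTPD (2DB90130) [192.0.2.10] connect 203.0.113.77 port 7433
20030117 122335 127.0.0.1 SMTPD (2DB90130) [203.0.113.77] EHLO Richmond
20030117 122339 127.0.0.1 SMTPD (0000013C) Authenticated forwarder@example.net, session treated as local.
20030117 122339 127.0.0.1 SMTPD (2DB90130) [203.0.113.77] MAIL FROM:<someone@example.com>
20030117 122339 127.0.0.1 SMTPD (2DB90130) [203.0.113.77] RCPT TO:<victim@example.org>
20030117 122343 127.0.0.1 SMTPD (2DB90130) [203.0.113.77] D:\IMAIL\spool\D3c1b2db90130e0db.SMD 6918
20030117 122344 127.0.0.1 SMTPD (2DB90130) [203.0.113.77] MAIL FROM:<someone@example.com>
20030117 122344 127.0.0.1 SMTPD (2DB90130) [203.0.113.77] RCPT TO:<other@example.org>
20030117 122348 127.0.0.1 SMTPD (2DB90130) [203.0.113.77] D:\IMAIL\spool\D3c202db90130f30b.SMD 6857
20030117 123001 127.0.0.1 SMTPD (1A2B3C4D) [192.0.2.10] connect 198.51.100.5 port 1200
20030117 123001 127.0.0.1 SMTPD (1A2B3C4D) [198.51.100.5] EHLO office-pc
20030117 123002 127.0.0.1 SMTPD (0000013D) Authenticated alice@example.net, session treated as local.
20030117 123002 127.0.0.1 SMTPD (1A2B3C4D) [198.51.100.5] MAIL FROM:<alice@example.net>
20030117 123002 127.0.0.1 SMTPD (1A2B3C4D) [198.51.100.5] RCPT TO:<bob@example.org>
20030117 123003 127.0.0.1 SMTPD (1A2B3C4D) [198.51.100.5] D:\IMAIL\spool\D3c21a2b3c4d0001.SMD 1200
""".strip()


def parse_log(lines):
    """Return {session_id: {"ip", "account", "accepted"}} for every SMTPD session."""
    sessions = {}
    pending_auth = None  # account from the most recent Authenticated line
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sess, ip, text = m.group("sess"), m.group("ip"), m.group("text")
        auth = AUTH_RE.match(text)
        if auth:
            # Logged under its own session id, so hold it until the next
            # session issues MAIL FROM (heuristic correlation, per the post).
            pending_auth = auth.group("account")
            continue
        s = sessions.setdefault(sess, {"ip": None, "account": None, "accepted": 0})
        if text.startswith("connect "):
            s["ip"] = text.split()[1]  # on the connect line the bracket is the server
        elif ip and s["ip"] is None:
            s["ip"] = ip
        if text.startswith("MAIL FROM:") and s["account"] is None and pending_auth:
            s["account"] = pending_auth
            pending_auth = None
        elif SPOOL_RE.search(text):
            s["accepted"] += 1
    return sessions


def audit(sessions, allowed_relay, max_per_account=20):
    """Return sorted (account, accepted_count, [ips outside allowed ranges]) for
    authenticated accounts that relayed from outside or above the threshold."""
    per_account = defaultdict(lambda: {"accepted": 0, "ips": set()})
    for s in sessions.values():
        if s["account"] is None:
            continue
        rec = per_account[s["account"]]
        rec["accepted"] += s["accepted"]
        if s["ip"]:
            rec["ips"].add(s["ip"])
    findings = []
    for account, rec in per_account.items():
        outside = sorted(ip for ip in rec["ips"]
                         if not any(ipaddress.ip_address(ip) in n for n in allowed_relay))
        if outside or rec["accepted"] > max_per_account:
            findings.append((account, rec["accepted"], outside))
    return sorted(findings)


def run_sample(max_per_account=20):
    """Audit the constructed sample log with the placeholder relay ranges."""
    return audit(parse_log(SAMPLE_LOG.splitlines()), ALLOWED_RELAY, max_per_account)


if __name__ == "__main__":
    for account, count, outside in run_sample():
        print(f"{account}: {count} message(s) accepted; clients outside relay ranges: {outside}")
```

Against the sample, the forwarding mailbox is reported because its client is outside the allowed ranges even though it only sent two messages, while the office user authenticating from the office range is not. On a real log the account field is what to act on: a mailbox that authenticates from addresses you never expected, or at a volume far above its normal use, is the signal the post describes, and the fix is the one it names, auditing and resetting weak passwords rather than tightening relay ranges that were never the hole.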
