Can anyone tell me how to test out IMail, whether it accepts
authentication? I know this is a very silly question, but I was really not
aware that a user can authenticate to use my SMTP even though the IP is
not in the "Relay for address" list.

Is there any software or command line that I can type to check out my
server? Do you mean that if the spammer knows a username and password
for one of the domain mailboxes then they can access my mail server from
any host IP address?

Jeff's problem is exactly the same as mine and it comes from the same
class IP as well. 

Regards
Bo Wee

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jeff
Lesperance
Sent: Tuesday, 21 January 2003 1:31 AM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] Spam relayed through server aka HELP - Imail
Problem/Dictionary Attack


Hi,
I just wanted to check in with the list - I've been in digest mode for a
while - I noticed postings from a couple of folks last week and over the
weekend regarding spam getting relayed through their server, where they
were configured to be protected against relaying. This happened to me on
Friday as well. Here are the details:

* Windows 2000 Server sp3 +hotfixes
* Imail 7.07 HF2 configured to relay for addresses

On Friday morning, I found that my logfile for that day was already 30MB,
where I would normally see that size for a whole day of SMTP action. I
looked in the logfile and saw hundreds, maybe thousands of logged messages
originating from 210.0.137.240. Most of the messages were from a Yahoo
address, and to a Yahoo or AOL address, but there were some more diverse
To: addresses.

Immediately I checked the spool and found several hundred messages in there
from this source. I stopped SMTP and copied all messages out of the spool,
and set SMTP security to 'No Mail Relay' - I started SMTP back up and
perused the messages that I copied out. There were a handful that were
legit, that I copied back in, but most of the rest were spam, to and from
addresses that I don't host.

I went back and checked the addresses that I had set to be allowed to
relay; they were for a range of IP addresses that I host (with a proper
subnet mask), a range of IP addresses on my office network, and a single IP
for a client for whom I provide secondary mail services. My hosted range
starts with 63 - not close to 210.0.137.240, and my office range starts
with 204 - closer to 210, but with a subnet mask of 255.255.255.240, and
the single IP starts with 209 - once again, close to 210, but it is just a
single IP, so none of these should have allowed the relay.

I proceeded to test relaying from an outside server that I have control
over, and could not. I then turned relay back on for the 2 IP ranges and
single IP, and didn't see any more spam come through...for a couple of
hours, when I got bombed again, from the same IP, 210.0.137.240 - I then
set that entire IP range to be blocked via the SMTP access control list,
and cleared out my spool again.

I then went and viewed the smtpd32.loc file with a binary/hex viewer, and
confirmed that the addresses that I allow to relay are listed properly,
with the correct subnet mask.

I'm concerned that I'm not the only person that got bombed - I was just
about to write more about being concerned that there might be a 'new'
exploit that Ipswitch doesn't know about - I was sifting through my
logfiles to find a snippet that I could paste in here to show evidence that
someone relayed through without authenticating....and got stopped short - I
found that this spammer was authenticating! Authentication logs with a
different session ID than SMTP or SMTPD - during heavy volume, it's easy to
miss the 'Authenticated...session treated as local' - especially if the
authenticated account is a normal, commonly used mailbox. Here's a snippet
of the log (cleaned of other sessions):

20030117 122335 127.0.0.1       SMTPD (2DB90130) [63.251.80.230] connect 210.0.137.240 port 7433
20030117 122335 127.0.0.1       SMTPD (2DB90130) [210.0.137.240] EHLO Richmond
20030117 122339 127.0.0.1       SMTPD (0000013C) Authenticated xyzabc(modifed)@pop.matrixgroup.net, session treated as local.
20030117 122339 127.0.0.1       SMTPD (2DB90130) [210.0.137.240] MAIL FROM:<[EMAIL PROTECTED]>
20030117 122339 127.0.0.1       SMTPD (2DB90130) [210.0.137.240] RCPT TO:<[EMAIL PROTECTED]>
20030117 122343 127.0.0.1       SMTPD (2DB90130) [210.0.137.240] D:\IMAIL\spool\D3c1b2db90130e0db.SMD 6918
20030117 122344 127.0.0.1       SMTPD (2DB90130) [210.0.137.240] MAIL FROM:<[EMAIL PROTECTED]>
20030117 122344 127.0.0.1       SMTPD (2DB90130) [210.0.137.240] RCPT TO:<[EMAIL PROTECTED]>
20030117 122348 127.0.0.1       SMTPD (2DB90130) [210.0.137.240] D:\IMAIL\spool\D3c202db90130f30b.SMD 6857

The SMTPD line showing authentication has a different session ID (or PID,
not sure what to call it) than the rest of the session, and it was mixed
among other entries, so I missed it. In this one session there were many (I
haven't counted yet) pieces of mail sent out, followed by several more
authenticated sessions with this account - so if I had missed that first
connection, it would have just looked like a ton of unauthenticated
messages getting relayed through.

Ultimately, the culprit - a forgotten mailbox, that had been set to forward
elsewhere, that had a default password of 'password'.

Initially I wanted to post this to speak up - to see if there was a new
exploit; now I see that it was my bad, for a lack of password auditing and
some spammer exploiting that - I'm not saying that this is the same exact
problem that you other folks had - but I'm suggesting that you take a
closer look at your log for Authentication, and maybe use a tool like
extractusers if you're using the IMail db, to audit your passwords; there's
clearly at least one spammer out there exploiting 'password' passwords.


Jeff Lesperance
Matrix Group International, Inc.


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

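A detection pass over the SMTPD log layout Jeff shows above, written as an added example (not code from the thread, from Ipswitch or from IMail): it ties each connect line to its session ID, flags sessions from outside your relay ranges that delivered to domains you don't host, and counts the "session treated as local" logins per account, since that line carries its own session ID and is easy to miss. The sample log, the IP ranges, the account name and the domains are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the IMail SMTPD log layout from the thread; the
# addresses, session IDs, account and domains are placeholders, not real data.
SAMPLE_LOG = """\
20030117 122335 127.0.0.1       SMTPD (2DB90130) [192.0.2.10] connect 198.51.100.77 port 7433
20030117 122335 127.0.0.1       SMTPD (2DB90130) [198.51.100.77] EHLO Richmond
20030117 122339 127.0.0.1       SMTPD (0000013C) Authenticated forgotten@example.net, session treated as local.
20030117 122339 127.0.0.1       SMTPD (2DB90130) [198.51.100.77] MAIL FROM:<someone@yahoo.example>
20030117 122339 127.0.0.1       SMTPD (2DB90130) [198.51.100.77] RCPT TO:<victim@aol.example>
20030117 122343 127.0.0.1       SMTPD (2DB90130) [198.51.100.77] RCPT TO:<other@yahoo.example>
20030117 122400 127.0.0.1       SMTPD (3AA00001) [192.0.2.10] connect 192.0.2.50 port 1025
20030117 122401 127.0.0.1       SMTPD (3AA00001) [192.0.2.50] MAIL FROM:<user@example.net>
20030117 122402 127.0.0.1       SMTPD (3AA00001) [192.0.2.50] RCPT TO:<friend@elsewhere.example>
"""

LINE_RE = re.compile(r"^\d{8} \d{6} \S+\s+SMTPD \((\w+)\) (.*)$")
CONNECT_RE = re.compile(r"^\[[\d.]+\] connect ([\d.]+) port \d+")
AUTH_RE = re.compile(r"^Authenticated (\S+), session treated as local")
RCPT_RE = re.compile(r"^\[[\d.]+\] RCPT TO:<[^@>]+@([^>]+)>")

def audit(log_text, trusted_nets, hosted_domains):
    """Return (relays, auth_counts): relays maps session ID -> (remote IP,
    recipient domains) for sessions from outside trusted_nets that delivered
    to domains not in hosted_domains, i.e. mail that could only have got
    through via a login; auth_counts is logins per account."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hosted = {d.lower() for d in hosted_domains}
    remote_by_sid, relays, auth_counts = {}, defaultdict(list), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, text = m.groups()
        if c := CONNECT_RE.match(text):       # remember who opened this session
            remote_by_sid[sid] = ipaddress.ip_address(c.group(1))
        elif a := AUTH_RE.match(text):        # separate session ID, so count by account
            auth_counts[a.group(1)] += 1
        elif r := RCPT_RE.match(text):
            ip, domain = remote_by_sid.get(sid), r.group(1).lower()
            if ip is not None and not any(ip in n for n in nets) and domain not in hosted:
                relays[sid].append(domain)
    return {s: (str(remote_by_sid[s]), d) for s, d in relays.items()}, dict(auth_counts)

if __name__ == "__main__":
    relays, auths = audit(SAMPLE_LOG, ["192.0.2.0/24"], ["example.net"])
    for sid, (ip, doms) in relays.items():
        print(f"session {sid} from {ip} relayed to {doms}")
    for account, n in auths.items():
        print(f"{account}: {n} login(s) treated as local - audit its password")
```

Any account that shows up in the login count but that nobody should be using from outside (a forwarding-only or forgotten mailbox) is the one to reset first.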
