Hey guys,
I recently received an abuse complaint, concerning a message sent from one of our iMail servers. This is very strange, because in our system, those iMail servers are not ever supposed to send mail; they are inbound only. That, and the fact that I have seen this spam message before in the wild, leads me to believe that we are relaying, or have been exploited.
Those servers obviously have port 25 open to the world, but they are set to "Relay for addresses", which include only 10.10.30.*, 172.16.0.* and 127.0.0.1. The first two are internal IP ranges associated with the trusted and DMZ zones of our network. I assume there is nothing there allowing open relaying.
Which leaves me with an exploit as the only possibility. It looks like the spammer dictionaried a domain which is lexicographically very early (atlasadvancement.com), and then did a lookup to see what their MX was. This, I assume, is why they attacked the inbound servers and not the outbound servers, which there are no DNS records for.
The question is, did they use some iMail exploit I am unaware of, or could they possibly forge the first-hop IP address? I am not aware whether that is currently even possible, or if so, whether it's in use by spammers currently. Maybe as a tactic to make IP blacklisting impractical?
I have studied our outgoing mail logs, and do not see this message in them at all. Also, a quick audit of our outgoing mail traffic from before and after this report shows no increase in throughput, which would be expected if we were owned. Also, I have not received a single other abuse complaint.
Where do I go from here? Thanks!
-Chase
Chase Seibert | Network and Systems Engineer | Bullhorn Inc. | 617.464.2440 x119 | www.bullhorn.com
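A way to start answering the "relay or forged header" question from the abuse report itself, as an added example that is not part of the original post: walk the Received chain and, for every hop that names one of the inbound servers as the receiving MTA, check the claimed source IP against the "Relay for addresses" ranges from the post. The hostname mx1.example.com and the sample headers are constructed placeholders, not taken from the report.

```python
import ipaddress
import re
from email import message_from_string

# The "Relay for addresses" ranges from the post, expressed as CIDR blocks.
RELAY_FOR = [ipaddress.ip_network(n) for n in ("10.10.30.0/24", "172.16.0.0/24", "127.0.0.1/32")]
# Hypothetical hostname for one of the inbound-only iMail servers (placeholder).
OUR_INBOUND = {"mx1.example.com"}

# Matches "from <helo> (<rdns> [<ip>]) by <host>" as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\[\]]*?)\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>[\w.-]+)"
)

def parse_received(value):
    """Return (helo, source_ip, receiving_host) or None if the line is unparseable."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header first
    if not m:
        return None
    return m.group("helo"), ipaddress.ip_address(m.group("ip")), m.group("by").lower()

def audit_relay_trail(raw_message):
    """Walk the Received chain (newest first). For each hop our inbound server claims
    to have accepted, a source IP inside RELAY_FOR is a normal internal submission;
    anything else means the server relayed for an outsider or the header was forged
    by an upstream host. Returns a list of (hop_index, verdict, ip)."""
    msg = message_from_string(raw_message)
    findings = []
    for idx, value in enumerate(msg.get_all("Received", [])):
        hop = parse_received(value)
        if hop is None:
            findings.append((idx, "unparseable", None))
            continue
        _helo, ip, by = hop
        if by not in OUR_INBOUND:
            continue  # a hop somewhere else on the path; not ours to vouch for
        verdict = "internal-submission" if any(ip in net for net in RELAY_FOR) else "relay-or-forged-header"
        findings.append((idx, verdict, str(ip)))
    return findings

# Constructed sample resembling the headers quoted in an abuse report (not a real message).
SAMPLE = """Received: from mx1.example.com (mx1.example.com [203.0.113.10])
\tby inbound.complainant.example with ESMTP; Tue, 1 Jan 2008 10:00:00 +0000
Received: from spammer (unknown [198.51.100.7])
\tby mx1.example.com with SMTP; Tue, 1 Jan 2008 09:59:58 +0000
From: sender@example.net
To: victim@complainant.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for idx, verdict, ip in audit_relay_trail(SAMPLE):
        print(f"hop {idx}: {verdict} ({ip})")
```

A "relay-or-forged-header" hop is only a lead: compare its timestamp and source IP against the server's own SMTP log, since a hop that the server never logged was written by someone else.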
