
Questions about exploited SMTP relay


4 replies to this topic

#1 batric


Posted 07 February 2015 - 06:23 AM

Hello,
 
I'm using SmarterMail on Windows Server 2008.
 
I changed the SMTP relay from "Nobody" to "Only local users", and in the last 2 days I had a large number of outgoing spam messages sent from my server (close to 6.000).
 
This has happened in the past, and setting SMTP relay back to "Nobody" has fixed the issue.
 
However, this means that I have to use SMTP authentication for every single website from which I want to send emails.
 
I have the following questions:
 
1. If relay is set to "Only local users", how is it possible to send emails from domains which are not on my server?
2. If I use "Nobody" for SMTP relay, is it safe to lower the number of seconds for SMTP authentication? The default is 120 seconds, which is way too long.
3. Any ideas on how these emails are sent? The SMTP relay was still "only local users" and emails were sent from other domains as well (e.g. @refund.co.uk which is a spam domain I think).
4. Can you please point me to some decent source where I can learn more about this?
 
Thank you!
 



#2 sflatechguy


Posted 07 February 2015 - 08:18 PM

What settings are you using for your incoming gateway? Are any and all domains allowed? What sort of spam filtering are you using on incoming messages? Do you have the VRFY and EXPN commands enabled? These last two are considered security risks, as they allow others to verify whether your email addresses are valid, and to list all users associated with an alias or mailing list -- spammers love this kind of info.

 

You may want to try using the only local domains setting instead, as this should limit access to only those domains on your mail server.

 

You should start at help.smartertools.com.



#3 batric


Posted 10 February 2015 - 03:51 AM

Thank you for the message.

 

1. Settings for the incoming gateway - which settings do you mean exactly?

 

2. Are any and all domains allowed - yes.

 

3. What sort of spam filtering are you using on incoming messages - just the regular SmarterMail spam filter and bayesian filter.

 

4. VRFY and EXPN - no.

 

After inspecting the logs, I found the way they were connecting - one of the email addresses was "test@domain.com" with a password of "123456".
 
Spammers were randomly trying to check common email names on every domain on the server: info, contact, admin, test, support, etc.
 
They succeeded on 2 email addresses, and this enabled them to send email.
 
I configured "DDOS" protection (this is what the feature is called in SmarterMail) for SMTP, POP and IMAP, and changed the passwords in question of course.
 
These days there were as many as 17k blocked connections on POP and IMAP.
 
This seems to be working now - will keep this thread posted if I discover something more.
 
Thanks again!
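The pattern described in post #3 (one source trying info/admin/test/support on every hosted domain, then succeeding on a weak account) can be spotted in SMTP authentication logs before the spam goes out. The script below is an added example, not code from the thread or from SmarterMail; it assumes a constructed "timestamp ip AUTH OK|FAILED user@domain" line layout, so the regex must be adapted to the real server's log format.

```python
import re
from collections import defaultdict

# Constructed sample log in an assumed layout (not SmarterMail's real format).
SAMPLE_LOG = """\
2015-02-08 03:12:01 203.0.113.5 AUTH FAILED info@alpha.example
2015-02-08 03:12:02 203.0.113.5 AUTH FAILED admin@alpha.example
2015-02-08 03:12:03 203.0.113.5 AUTH FAILED test@alpha.example
2015-02-08 03:12:04 203.0.113.5 AUTH FAILED info@beta.example
2015-02-08 03:12:05 203.0.113.5 AUTH FAILED support@beta.example
2015-02-08 03:12:06 203.0.113.5 AUTH OK test@beta.example
2015-02-08 03:15:10 198.51.100.7 AUTH FAILED alice@alpha.example
2015-02-08 03:15:30 198.51.100.7 AUTH OK alice@alpha.example
"""

# Assumed line layout: "<date> <time> <ip> AUTH <OK|FAILED> <user>@<domain>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) AUTH (?P<result>OK|FAILED) "
    r"(?P<user>[^@\s]+)@(?P<domain>\S+)$"
)


def parse_auth_events(text):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_sprays(events, min_accounts=4, min_domains=2):
    """Return {ip: [accounts that authenticated OK from that ip]} for every
    source whose failed logins touched at least min_accounts distinct accounts
    spread over at least min_domains hosted domains. A legitimate user mistyping
    one password hits a single account, so it is not reported."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for e in events:
        acct = f"{e['user']}@{e['domain']}"
        bucket = succeeded if e["result"] == "OK" else failed
        bucket[e["ip"]].add(acct)
    report = {}
    for ip, accts in failed.items():
        domains = {a.split("@", 1)[1] for a in accts}
        if len(accts) >= min_accounts and len(domains) >= min_domains:
            # Accounts in this list are the ones to lock and reset first.
            report[ip] = sorted(succeeded.get(ip, set()))
    return report
```

Feeding the sample log through `find_sprays(parse_auth_events(SAMPLE_LOG))` flags 203.0.113.5 with the compromised `test@beta.example`, while the single failed attempt from 198.51.100.7 is left alone.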


#4 sflatechguy


Posted 10 February 2015 - 12:56 PM

Another example why ALL accounts need to have complex passwords. A simple dictionary attack exploited that address; make sure those passwords get changed.



#5 technonymous


Posted 23 February 2015 - 04:53 PM

I would do a full virus scan on every system in the network. They could have dropped all kinds of nasties.





