[Dshield] New Relay Exploit?

Sue Young smy at gcmlp.com
Tue Jan 6 22:27:07 GMT 2004

In the past few days, someone has been able to relay through my site, even
though whenever I test it from the abuse.net website, relaying seems to be
blocked correctly. Luckily, it hasn't been a lot of messages, but it has been
enough to get us blacklisted by SpamCop.

I've reset our Exchange server to not allow relaying. I did have it set to
only relay for authenticated hosts, then I realized there would be no reason
for anyone to relay, so I set it to only relay from a list of IP addresses and
left the list blank. After I did that, it looked like the following message
came through anyway. I blocked their class C and it seemed to stop it. Before
I made this change, I tested for a relay on abuse.net and it was OK. The only
thing my server will relay is mail to an internal domain.

Can anyone tell me what they're exploiting? The headers on the messages look
normal - it's getting the message from a DSL connection in Mexico and relaying
all over the world. This should not be possible.


Sue Young

