[Dshield] New Relay Exploit?
smy at gcmlp.com
Tue Jan 6 22:27:07 GMT 2004
In the past few days, someone has been able to relay through my site, even
though whenever I test it from the abuse.net website, relaying
seems to be blocked correctly. Luckily, it hasn't been a lot of messages
but it has been enough to get us blacklisted.
I've reset our Exchange server to not allow relaying. I did have it set to
only relay for authenticated hosts, then I realized
there would be no reason for anyone to relay so I set it to only relay from
a list of IP addresses and left the list blank.
After I did that, it looked like the following message came through anyway.
I blocked their class C and it seemed to
stop it. Before I made this change, I tested for a relay on abuse.net and
it was ok. The only thing my server will relay is mail
to an internal domain.
Can anyone tell me what they're exploiting? The headers on the messages
look normal - it's getting the message from a
dsl connection in Mexico and relaying all over the world. This should not