[Dshield] New Relay Exploit?

Troy Billington DoShelp at DoShelp.com
Tue Jan 6 22:39:00 GMT 2004

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
Behalf Of Sue Young
Sent: Tuesday, January 06, 2004 5:27 PM
To: list at dshield.org
Subject: [Dshield] New Relay Exploit?

In the past few days, someone has been able to relay through my site, even
though whenever I test it from the abuse.net website, relaying
seems to be blocked correctly.  Luckily, it hasn't been a lot of messages
but it has been enough to get us blacklisted
by spamcop.

I've reset our exchange server to not allow relaying.  I did have it set to
only relay for authenticated hosts, then I realized
 there would be no reason for anyone to relay so I set it to only relay from
a list of IP addresses and left the list blank.
After I did that, it looked like the following message came through anyway.
I blocked their class C and it seemed to
stop it.  Before I made this change, I tested for a relay on abuse.net and
it was ok.  The only thing my server will relay is mail
to an internal domain.

Can anyone tell me what they're exploiting?  The headers on the messages
look normal - it's getting the message from a
dsl connection in Mexico and relaying all over the world.  This should not
be possible.


Sue Young

list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:

HI Sue,

Can you tell me what version of Exchange you're using and also what
servicepacks/hotixes you have applied?
You can mail me: doshelp at doshelp.com if you would like to continue this off
the list.

More information about the list mailing list