[Dshield] New Relay Exploit?
rick at jaray.net
Tue Jan 6 22:40:30 GMT 2004
I'd suspect that one of your email users' name and password was probably
compromised. Have you looked at any SMTP logs to see the auth used?
> -----Original Message-----
> From: list-bounces at dshield.org
> [mailto:list-bounces at dshield.org] On Behalf Of Sue Young
> Sent: Tuesday, January 06, 2004 4:27 PM
> To: list at dshield.org
> Subject: [Dshield] New Relay Exploit?
>
> In the past few days, someone has been able to relay through
> my site, even though whenever I test it from the abuse.net
> website, relaying seems to be blocked correctly. Luckily, it
> hasn't been a lot of messages but it has been enough to get
> us blacklisted by SpamCop.
>
> I've reset our Exchange server to not allow relaying. I did
> have it set to only relay for authenticated hosts, then I
> realized there would be no reason for anyone to relay so I
> set it to only relay from a list of IP addresses and left the
> list blank. After I did that, it looked like the following
> message came through anyway. I blocked their class C and it
> seemed to stop it. Before I made this change, I tested for a
> relay on abuse.net and it was ok. The only thing my server
> will relay is mail to an internal domain.
>
> Can anyone tell me what they're exploiting? The headers on
> the messages look normal - it's getting the message from a
> DSL connection in Mexico and relaying all over the world.
> This should not be possible.
>
> Sue Young