[Dshield] New Relay Exploit?

Rick Klinge rick at jaray.net
Tue Jan 6 22:40:30 GMT 2004


I'd suspect that one of your email users name and password was probably
compromised.  Have you looked at any smtp logs to see the auth used?


> -----Original Message-----
> From: list-bounces at dshield.org 
> [mailto:list-bounces at dshield.org] On Behalf Of Sue Young
> Sent: Tuesday, January 06, 2004 4:27 PM
> To: list at dshield.org
> Subject: [Dshield] New Relay Exploit?
> In the past few days, someone has been able to relay through 
> my site, even though whenever I test it from the abuse.net 
> website, relaying seems to be blocked correctly.  Luckily, it 
> hasn't been a lot of messages but it has been enough to get 
> us blacklisted by spamcop.
> I've reset our exchange server to not allow relaying.  I did 
> have it set to only relay for authenticated hosts, then I 
> realized  there would be no reason for anyone to relay so I 
> set it to only relay from a list of IP addresses and left the 
> list blank. After I did that, it looked like the following 
> message came through anyway. I blocked their class C and it 
> seemed to stop it.  Before I made this change, I tested for a 
> relay on abuse.net and it was ok.  The only thing my server 
> will relay is mail to an internal domain.
> Can anyone tell me what they're exploiting?  The headers on 
> the messages look normal - it's getting the message from a 
> dsl connection in Mexico and relaying all over the world.  
> This should not be possible.
> Thanks,
> Sue Young

Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

More information about the list mailing list