[Dshield] New Relay Exploit?
Coxe, John B.
JOHN.B.COXE at saic.com
Tue Jan 6 23:13:27 GMT 2004
As long as your clients are all MAPI (not POP or IMAP), turning off relay
completely should work for you. The problem arises when they use those open
protocols, as they need to define an SMTP server, generally the same as
their mail server in a LAN environment, and would then not be able to send
mail outside of their backbone.
SMTP open relay exploitation is more a thing of yesterday's spammers, though
still popular. Open proxies are more commonly exploited now. Are you
running any other services on that host? Specifically, do you have a web
server configured on it? If so, telnet to it on port 80 and send a "CONNECT
mx1.hotmail.com:25 HTTP/1.0" (followed by two carriage returns) command and
see if you get a 5xx or a 2xx code back. (Should return a 501 html page
saying it is not supported.)
Socks and other proxies, commonly on ports 1080 and 8080, are also often
exploited. I'd suggest running (at a command prompt on that server) netstat
-an | find "LISTEN". That will show you definitively what ports you have
services listening on.
Also, I have noted before spamcop misattributing the sources of problems
based on submissions. I thought all of that was fixed ages ago though. But
the experience I had was that a user in Exchange sent off spam they received
to spamcop. The architecture for that network involved three enterprise
MTAs for the receiving domain handling the mail before it went to Exchange.
Spamcop had determined inappropriately from the Received headers, presumably
automatically, that the first gateway server was a spam source, when it was
actually the server that received it from the real spam source and never
failed any relay tests.
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Sue Young
Sent: Tuesday, January 06, 2004 2:27 PM
To: list at dshield.org
Subject: [Dshield] New Relay Exploit?
In the past few days, someone has been able to relay through my site, even
though whenever I test it from the abuse.net website, relaying seems to be
blocked correctly. Luckily, it hasn't been a lot of messages, but it has been
enough to get us blacklisted.

I've reset our exchange server to not allow relaying. I did have it set to
only relay for authenticated hosts, then I realized there would be no reason
for anyone to relay, so I set it to only relay from a list of IP addresses and
left the list blank. After I did that, it looked like the following message
came through anyway. I blocked their class C and it seemed to stop it. Before
I made this change, I tested for a relay on abuse.net and it was ok. The only
thing my server will relay is mail to an internal domain.

Can anyone tell me what they're exploiting? The headers on the messages look
normal - it's getting the message from a dsl connection in Mexico and
relaying all over the world. This should not
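The CONNECT check John Coxe describes above, done from a script instead of by hand. This is an added example and not code from the original thread: it sends "CONNECT mx1.hotmail.com:25 HTTP/1.0" followed by a blank line to the web server's port and grades the first status line. A 2xx reply means the server opened a tunnel to the mail host and can be abused as an open proxy; a 4xx/5xx reply, such as the 501 he mentions, means CONNECT was refused. The target host, the local listener and its canned responses are assumptions constructed for the demo so it runs offline; against a real server, call probe_connect with that host and port 80.

```python
"""Open-proxy CONNECT probe (added example; not from the original thread).

Sends the same request John Coxe suggests typing into telnet and grades the
answer: a 2xx status means the web server opened a tunnel to the mail host
and can be abused as an open proxy; a 4xx/5xx (e.g. 501) means it refused.
The target mx1.hotmail.com:25 and the local test listener are assumptions
made for this demo.
"""
import socket
import threading
from typing import Optional, Tuple

# Constructed sample responses used by the offline demo below.
REFUSED_RESPONSE = (b"HTTP/1.0 501 Not Implemented\r\n"
                    b"Content-Type: text/html\r\n\r\n"
                    b"<html><body>Method not supported</body></html>")
OPEN_PROXY_RESPONSE = b"HTTP/1.0 200 Connection established\r\n\r\n"


def build_connect_request(target: str) -> bytes:
    """CONNECT host:port HTTP/1.0 followed by the blank line that ends the headers."""
    return f"CONNECT {target} HTTP/1.0\r\n\r\n".encode("ascii")


def parse_status(response: bytes) -> Optional[int]:
    """Return the numeric status from the first response line, or None if it is
    not HTTP (a service that is not a web server, or one that simply hung up)."""
    first_line = response.split(b"\r\n", 1)[0]
    parts = first_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify(status: Optional[int]) -> str:
    """Map a status code to the verdict a mail admin cares about."""
    if status is None:
        return "not-http"
    if 200 <= status < 300:
        return "OPEN PROXY"      # tunnel established: spammers can relay through it
    if 400 <= status < 600:
        return "refused"         # 501/405/403 etc.: CONNECT not honoured
    return "unexpected"


def probe_connect(host: str, port: int, target: str = "mx1.hotmail.com:25",
                  timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """Connect to host:port, send the CONNECT request, read the status line, grade it."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target))
        try:
            while b"\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass                 # grade whatever arrived before the deadline
    status = parse_status(data)
    return status, classify(status)


def serve_once(response: bytes) -> int:
    """Throwaway local listener that answers one connection with a canned response.
    Exists only so the probe can be exercised offline; returns the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)      # swallow the CONNECT request
            conn.sendall(response)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    for label, canned in (("hardened", REFUSED_RESPONSE),
                          ("misconfigured", OPEN_PROXY_RESPONSE)):
        port = serve_once(canned)
        print(label, probe_connect("127.0.0.1", port))
    # Against a real web server: probe_connect("mail.example.com", 80)
```

A "not-http" verdict is worth a second look too: it means something other than a web server answered on that port, which is exactly the kind of stray listener the netstat check above is meant to surface.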