Koozali.org: home of the SME Server

Blocking SPAM - Mailer-daemon

Stewart Evans

Blocking SPAM - Mailer-daemon
« on: December 20, 2001, 04:37:28 AM »
Help

We are using E-smith 4.1.2 and it appears that someone has found a SPAM-hole in the SMTP rules.

Snipped mail log file follows:

Dec 19 14:46:04 demo smtpd[9736]: SMTP HELO from pc-00003.adel.macclinic.com.au(192.168.1.3) as "[192.168.1.3]"

Dec 19 14:46:04 demo smtpd[9736]: smtp connection from UNKNOWN@pc-00003.adel.macclinic.com.au(192.168.1.3) MAIL FROM: RCPT TO: <3.1333.72-Cxtygrtm0E9-.1.b@newsletter.online.com>, allowed by line 23 of /etc/smtpd_check_rules

Dec 19 14:46:05 demo smtpd[9736]: Received 16784 bytes of message body from pc-00003.adel.macclinic.com.au(192.168.1.3)

Note that although 1.3 exists on our network, the problem is that MD@1.20 is not rejected as spam. And 1.3 always sends as *@macclinic.com.au.

All assistance would be appreciated.

Darrell May

Re: Blocking SPAM - Mailer-daemon
« Reply #1 on: December 20, 2001, 09:08:31 AM »

Patrick

Re: Blocking SPAM - Mailer-daemon
« Reply #2 on: December 20, 2001, 05:16:43 PM »
Hello,

Why wasn't this SMTP session blocked?

I know Darrell has detailed instructions for locking down SMTP even more than the default; however, shouldn't the default "out of the box" SME V5 configuration take care of this?  After all simplicity and security is the SME mantra, right?

I'm interested in the official response from Mitel/March about this issue, and any other thoughts/opinions on this issue.

Regards,
Patrick

Stewart Evans

Re: Blocking SPAM - Mailer-daemon
« Reply #3 on: December 21, 2001, 02:46:52 AM »
Patrick wrote:
>
> Hello,
>
> Why wasn't this SMTP session blocked?
>
> I know Darrell has detailed instructions for locking down
> SMTP even more than the default; however, shouldn't the
> default "out of the box" SME V5 configuration take care of
> this?  After all simplicity and security is the SME mantra,
> right?
Ahem - this server is a 4.1.2, not a V5, so that may be why the session was not blocked.
The server is a production unit, therefore it can't easily be shut down for upgrade.

>
> I'm interested in the official response from Mitel/March
> about this issue, and any other thoughts/opinions on this
> issue.
I suspect that the upgrade will fix the problem, therefore "jumping up and down" probably is not needed.
I do not consider this a critical error due to the fact of the V5 upgrade.

>
> Regards,
> Patrick

Merry Christmas to all the team (shrimps anyone?)

Shad

Re: Blocking SPAM - Mailer-daemon
« Reply #4 on: December 21, 2001, 07:34:54 PM »
The line that is allowing the mail through is similar to the following I bet:

# Allow relaying from the local network
allow:127.0.0.1:ALL:ALL
allow:192.168.1.0/24:ALL:ALL

The second allow line of the block above allows mail from any local machine regardless of where it is from or where it is destined to.  This is the default for SME 4.1.2, 5.0u3 and 5.1b3.  The problem that you have is that someone behind the router is spamming out.

-Shad
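As an added example (not from this thread or from the SME Server project), a small Python script that parses smtpd log lines in the format quoted in the first post and counts, per LAN host, the messages that the local-network allow rule let out to an outside recipient with a null (mailer-daemon) or non-local sender. The sample log is constructed; the 192.168.1.0/24 network and the macclinic.com.au domain are taken from the thread, and the rule-line number 23 is assumed to be the LAN allow rule.

```python
import ipaddress
import re
from collections import Counter

# Field layout of the smtpd log line quoted in the first post.  A null sender
# (bounce / mailer-daemon mail) leaves "MAIL FROM:" empty, so "RCPT TO:" follows it directly.
LINE_RE = re.compile(
    r"smtp connection from \S+?@(?P<host>[^(]+)\((?P<ip>[\d.]+)\) "
    r"MAIL FROM: (?:<(?P<sender>[^>]*)> )?RCPT TO: <(?P<rcpt>[^>]*)>, "
    r"allowed by line (?P<rule>\d+) of /etc/smtpd_check_rules"
)
LAN = ipaddress.ip_network("192.168.1.0/24")   # network covered by allow:192.168.1.0/24:ALL:ALL
LOCAL_DOMAIN = "macclinic.com.au"              # domain LAN hosts are expected to send as

def parse_line(line):
    """Return host, ip, sender, rcpt and matching rule line for one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sender"] = rec["sender"] or ""        # "" == null sender <>
    rec["rule"] = int(rec["rule"])
    return rec

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def find_relay_abuse(log_text):
    """Count, per LAN source IP, messages the local-network allow rule passed to an
    outside recipient with a null or non-local sender (the pattern the thread describes)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["ip"]) not in LAN:
            continue
        if domain_of(rec["rcpt"]) != LOCAL_DOMAIN and domain_of(rec["sender"]) != LOCAL_DOMAIN:
            hits[rec["ip"]] += 1
    return hits

# Constructed sample log (not real traffic); line 23 is assumed to be the LAN allow rule.
SAMPLE_LOG = """\
Dec 19 14:46:04 demo smtpd[9736]: smtp connection from UNKNOWN@pc-00003.adel.macclinic.com.au(192.168.1.3) MAIL FROM: RCPT TO: <victim@example.net>, allowed by line 23 of /etc/smtpd_check_rules
Dec 19 14:47:10 demo smtpd[9740]: smtp connection from UNKNOWN@pc-00003.adel.macclinic.com.au(192.168.1.3) MAIL FROM: <staff@macclinic.com.au> RCPT TO: <colleague@macclinic.com.au>, allowed by line 23 of /etc/smtpd_check_rules
Dec 19 14:48:33 demo smtpd[9751]: smtp connection from UNKNOWN@pc-00003.adel.macclinic.com.au(192.168.1.3) MAIL FROM: RCPT TO: <another@example.net>, allowed by line 23 of /etc/smtpd_check_rules
Dec 19 14:49:02 demo smtpd[9760]: smtp connection from UNKNOWN@pc-00020.adel.macclinic.com.au(192.168.1.20) MAIL FROM: <staff@macclinic.com.au> RCPT TO: <friend@example.net>, allowed by line 23 of /etc/smtpd_check_rules
Dec 19 14:50:41 demo smtpd[9772]: smtp connection from UNKNOWN@mx.example.net(203.0.113.9) MAIL FROM: <someone@example.net> RCPT TO: <staff@macclinic.com.au>, allowed by line 30 of /etc/smtpd_check_rules
"""
if __name__ == "__main__":
    for ip, n in find_relay_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {n} suspicious message(s) relayed via the LAN allow rule")
```

Run against the real /var/log/maillog, the per-IP counts point at the internal machine that is sending out, which is the host Shad's reply says to look for.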