Koozali.org: home of the SME Server

Hacker relaying spam through my e-smith server

John

Hacker relaying spam through my e-smith server
« on: November 16, 2002, 08:09:46 PM »
Someone is relaying spam through my e-smith 5.12 server. This is the second time it has happened. The last time, I reloaded the server and put all the latest patches in place.

How are they doing this and how can I stop them? Is there a known bug the patches do not cover?

I found out by getting the emails that bounced from my server to unknown email addresses.

Anyone have any suggestions? I am using default server with ssh open. But this happened after the ssh exploit was patched. I do not use telnet.

I am now on some spam lists and people don't get my email now.

Thanks for help in advance.

Paul Nesbit

Re: Hacker relaying spam through my e-smith server
« Reply #1 on: November 16, 2002, 09:06:51 PM »
John, please do not cross-post to multiple forums.

Everyone, please report security-related concerns to "smesecurity@mitel.com".

See http://www.e-smith.org/bboard//read.php?f=1&i=21174&t=21173 for follow up to John's post on the general discussion board.

Thanks,

 Paul

James Douglas

Re: Hacker relaying spam through my e-smith server
« Reply #2 on: November 17, 2002, 04:15:53 AM »
Just got one of those today..

The original message was received at Sat, 16 Nov 2002 10:44:36 -0500 (EST) from logs-wg.proxy.aol.com [205.188.196.5]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its delivery.  The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could not be delivered.  The next line contains a second error message which is a general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail administrator.

--AOL Postmaster



   ----- The following addresses had permanent fatal errors -----

   ----- Transcript of session follows -----
... while talking to starmail02.winstar.idt.net.:
>>> RCPT To:
<<< 550 ... User unknown
550 ... User unknown

attached details.txt file:

Reporting-MTA: dns; rly-ip03.mx.aol.com
Arrival-Date: Sat, 16 Nov 2002 10:44:36 -0500 (EST)

Final-Recipient: RFC822; djmorris@winstar.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; starmail02.winstar.idt.net
Diagnostic-Code: SMTP; 550 ... User unknown
Last-Attempt-Date: Sat, 16 Nov 2002 10:45:21 -0500 (EST)

Dan Brown

Re: Hacker relaying spam through my e-smith server
« Reply #3 on: November 17, 2002, 04:20:50 AM »
Keep in mind, spammers forge return addresses, and might just pick yours.  If the only problem is bounces from spams you never sent, it's quite possible (and, I'd think, likely) that there's no security problem on your server.

Nate

Re: Hacker relaying spam through my e-smith server
« Reply #4 on: November 18, 2002, 06:59:54 PM »
What Dan said is probably the case.  By default you can't relay mail through e-smith from an external location--even if someone steals your password and logs in via pop or imap it isn't allowed.  Probably a forged return address from a spammer or a virus (Klez likes to forge the return address).  This happened to me recently.  A virus (Bugbear, I think) was floating around and our RAV antivirus was working great taking care of it.  But, I kept getting returned messages saying nonexistent@mydomain.com has a virus.  The return address didn't exist and the email didn't come from my server, but the bounce message made it look like it did.
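Dan's and Nate's point above can be checked rather than guessed at. The following is an added example, not code from the thread or from e-smith: a small Python triage script that parses the delivery-status fields of a bounce like the one James quoted and then inspects the returned original message's Received: chain. If your own MTA never appears as the receiving ("by") host, and none of the "from [ip]" clauses carry your address, the message never touched your server and the bounce is backscatter from a forged sender; if it does appear, the mail really passed through you and the relay or account deserves a look. The DSN fields are copied from the bounce quoted above; the hostnames example.org / mail.example.org, the addresses 192.0.2.10 and 198.51.100.7, and both Received: header sets are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Placeholders for "your server" (constructed; substitute your own MTA name and IP).
OUR_HOSTS = {"mail.example.org", "example.org"}
OUR_IPS = {"192.0.2.10"}

# Delivery-status fields, as in the details.txt attachment quoted in this thread.
DSN_FIELDS_SAMPLE = """\
Reporting-MTA: dns; rly-ip03.mx.aol.com
Arrival-Date: Sat, 16 Nov 2002 10:44:36 -0500 (EST)

Final-Recipient: RFC822; djmorris@winstar.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; starmail02.winstar.idt.net
Diagnostic-Code: SMTP; 550 ... User unknown
Last-Attempt-Date: Sat, 16 Nov 2002 10:45:21 -0500 (EST)
"""

# Constructed headers of the returned original: only the submitting AOL proxy and
# AOL's relay appear, so our server never handled it and the sender was forged.
BACKSCATTER_HEADERS = """\
Received: from logs-wg.proxy.aol.com (logs-wg.proxy.aol.com [205.188.196.5])
\tby rly-ip03.mx.aol.com with ESMTP; Sat, 16 Nov 2002 10:44:36 -0500 (EST)
From: john@example.org
To: djmorris@winstar.com
"""

# Constructed headers where our own MTA is in the chain: this one really did
# pass through us and is the case that needs investigating.
RELAYED_HEADERS = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby rly-ip03.mx.aol.com with ESMTP; Sat, 16 Nov 2002 10:44:36 -0500 (EST)
Received: from unknown (HELO spamhost) [198.51.100.7]
\tby mail.example.org with SMTP; Sat, 16 Nov 2002 10:44:30 -0500 (EST)
From: john@example.org
To: djmorris@winstar.com
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_dsn_fields(text: str) -> Dict[str, str]:
    """Collect the 'Name: value' fields of an RFC 3464 delivery-status part."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def unfold_headers(text: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) back onto their header."""
    out: List[str] = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line:
            out.append(line)
    return out


def received_chain(headers: List[str]) -> List[Dict[str, str]]:
    """Extract from-host, by-host and client IP of every Received: header, newest first."""
    chain: List[Dict[str, str]] = []
    for h in headers:
        if not h.lower().startswith("received:"):
            continue
        frm, by, ip = FROM_RE.search(h), BY_RE.search(h), IP_RE.search(h)
        chain.append({
            "from": frm.group(1).lower() if frm else "",
            "by": by.group(1).lower() if by else "",   # written by the receiving MTA
            "ip": ip.group(1) if ip else "",           # recorded by the receiver, not HELO
        })
    return chain


@dataclass
class Verdict:
    kind: str                       # "backscatter" or "relayed_through_us"
    dsn: Dict[str, str]
    chain: List[Dict[str, str]] = field(default_factory=list)


def classify_bounce(dsn_text: str, original_headers: str,
                    our_hosts=OUR_HOSTS, our_ips=OUR_IPS) -> Verdict:
    """Decide whether the bounced message ever passed through our MTA.

    Only the 'by' host and the bracketed IP are trusted: both are stamped by the
    receiving server, whereas the bare 'from' name echoes the client's HELO.
    """
    dsn = parse_dsn_fields(dsn_text)
    chain = received_chain(unfold_headers(original_headers))
    touched_us = any(hop["by"] in our_hosts or hop["ip"] in our_ips for hop in chain)
    return Verdict("relayed_through_us" if touched_us else "backscatter", dsn, chain)


if __name__ == "__main__":
    for label, hdrs in (("forged sender", BACKSCATTER_HEADERS), ("real relay", RELAYED_HEADERS)):
        v = classify_bounce(DSN_FIELDS_SAMPLE, hdrs)
        print(f"{label}: {v.kind}; status {v.dsn['Status']} from {v.dsn['Reporting-MTA']}")
```

In practice the two inputs come from the two MIME parts of the bounce (message/delivery-status and the returned message/rfc822); the script takes them as plain strings so it runs without a mail library. A "backscatter" verdict means the fix is on the sender-forgery side (nothing on your server relayed it); a "relayed_through_us" verdict is the one that warrants checking your relay settings and account credentials.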

bud

Re: Hacker relaying spam through my e-smith server
« Reply #5 on: November 18, 2002, 07:22:10 PM »
What about people who are using software that isn't supported anymore by Mitel?  How the heck are we supposed to know about these problems, since we have to fix our own?

Spam now... I don't believe it!