Koozali.org: home of the SME Server

secure mail / mailserver relay

Offline brownfox

  • *
  • 14
  • +0/-0
    • http://www.brownfox.nl
secure mail / mailserver relay
« on: January 15, 2005, 01:46:46 PM »
For a long time my server has been used as a mail relay server. In my logs I see this:

2005-01-14 21:52:55.004327500 smtpfront-qmail[20171]: MAIL FROM: <fsdcsdc3cwcw@ms18.hinet.net>
2005-01-14 21:52:55.327099500 smtpfront-qmail[20171]: RCPT TO: <erc530@yahoo.com.tw>
2005-01-14 21:52:55.329111500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:55.652924500 smtpfront-qmail[20171]: RCPT TO: <ferrary.hotel@msa.hinet.net>
2005-01-14 21:52:55.652933500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:55.976801500 smtpfront-qmail[20171]: RCPT TO: <f5110486@yahoo.com.tw>
2005-01-14 21:52:55.976811500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:56.299779500 smtpfront-qmail[20171]: RCPT TO: <evan80811@yahoo.com.tw>
2005-01-14 21:52:56.299788500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:56.622600500 smtpfront-qmail[20171]: RCPT TO: <ctping@ms14.hinet.net>
2005-01-14 21:52:56.622609500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:56.945305500 smtpfront-qmail[20171]: RCPT TO: <aggyy@ms38.hinet.net>
2005-01-14 21:52:56.945314500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:57.269047500 smtpfront-qmail[20171]: RCPT TO: <c372176@yahoo.com.tw>
2005-01-14 21:52:57.269056500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:57.592084500 smtpfront-qmail[20171]: RCPT TO: <b0flove1970619@yahoo.com.tw>
2005-01-14 21:52:57.592093500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:57.913721500 smtpfront-qmail[20171]: RCPT TO: <angellin555@yahoo.com.tw>
2005-01-14 21:52:57.914775500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:58.236331500 smtpfront-qmail[20171]: RCPT TO: <fb1bluelqe@yahoo.com.tw>
2005-01-14 21:52:58.238039500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:58.558799500 smtpfront-qmail[20171]: RCPT TO: <chengcl80@hotmail.com>
2005-01-14 21:52:58.560833500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:58.882019500 smtpfront-qmail[20171]: RCPT TO: <catxt2654@pchome.com.tw>
2005-01-14 21:52:58.893440500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:59.239085500 smtpfront-qmail[20171]: RCPT TO: <crow9781214@hotmail.com>
2005-01-14 21:52:59.241334500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:59.562568500 smtpfront-qmail[20171]: RCPT TO: <fmchang12@hotmail.com>
2005-01-14 21:52:59.564528500 smtpfront-qmail[20171]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-14 21:52:59.886202500 smtpfront-qmail[20171]: bytes in: 557 bytes out: 970

for more than 1000 times a day.
Now I want to prevent anyone external from accessing my MAIL server (except for trusted IPs).

Who can help me? Who has a better plan to prevent this logging?
A quick brownFOX jumps over the lazy dog...

Damian

secure mail / mailserver relay
« Reply #1 on: January 15, 2005, 02:38:40 PM »
It seems that it isn't being used as a mail relay as the relay domains rule is rejecting the requests. It doesn't stop this particular joe from firing the mails at you though.

You could configure your firewall to block port 25 from the IP address that's sending the stuff.

Damian

Offline brownfox

secure mail / mailserver relay
« Reply #2 on: January 16, 2005, 11:36:20 AM »
Quote from: "Damian"
You could configure your firewall to block port 25 from the IP address that's sending the stuff.
Damian


I can't find his IP address.
Where is it listed?
How can I block port 25 for just his IP address?
A quick brownFOX jumps over the lazy dog...

Jon_Reynolds

secure mail / mailserver relay
« Reply #3 on: January 16, 2005, 12:06:30 PM »
If you haven't found an answer to this you could watch your router and see when this takes place and catch the IP that way or you could turn up the verbosity on the log file that qmail spits out.

Let me know if you are still having this problem,

Jon

Offline brownfox

secure mail / mailserver relay
« Reply #4 on: January 17, 2005, 09:22:38 AM »
Quote from: "Jon_Reynolds"
Let me know if you are still having this problem


I found the (ever-changing) IP address in this range:
inetnum:      202.129.224.0 - 202.129.255.255
netname:      SEEDER
descr:        Seeder Computer Corporation LTD.
descr:        Internet Service and Content Provider
country:      TW

This range needs to be totally blocked in SME because my ADSL is bridged and not routed.
Where / how can I block this range in SME so that nothing comes through?
A quick brownFOX jumps over the lazy dog...

Offline brownfox

secure mail / mailserver relay
« Reply #5 on: January 17, 2005, 07:41:20 PM »
The strange thing is also that it isn't detected by spam blocking, and that the blocking is done by 'e-mail blocking' by dungog, which I had deactivated because of problems with that program (it was blocking everything).
A quick brownFOX jumps over the lazy dog...

Offline brownfox

secure mail / mailserver relay
« Reply #6 on: January 17, 2005, 08:14:08 PM »
Also strange: when I set, in the server manager,

POP and IMAP server access = Allow access only from local networks

none of my external users can receive and send mail, except for the person I don't want to send mail.

and
iptables -A INPUT -j DROP -i eth1 -s 202.129.224.0/19
is also not working...
A quick brownFOX jumps over the lazy dog...

Offline brownfox

Another logfile (how can I ban this bastard)
« Reply #7 on: January 18, 2005, 08:26:27 AM »
2005-01-17 23:47:15.956340500 tcpserver: status: 1/40
2005-01-17 23:47:15.956601500 tcpserver: pid 16497 from 202.129.242.100
2005-01-17 23:47:16.727681500 tcpserver: ok 16497 0:82.197.207.137:25 tp242100.dynamic.seeder.net:202.129.242.100::4888
2005-01-17 23:47:19.802708500 smtpfront-qmail[16497]: MAIL FROM: <ssscssvbk.rgghh@aisai.com.cn>
2005-01-17 23:47:20.209930500 smtpfront-qmail[16497]: RCPT TO: <sunnychen@nhri.org.tw>
2005-01-17 23:47:20.212470500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:20.631023500 smtpfront-qmail[16497]: RCPT TO: <gavin_huang@oclaim.com.tw>
2005-01-17 23:47:20.633220500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:23.055682500 smtpfront-qmail[16497]: RCPT TO: <rd233391@ayhoo.com.tw>
2005-01-17 23:47:23.058515500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:23.470036500 smtpfront-qmail[16497]: RCPT TO: <d7697586889@mail.ab.net.tw>
2005-01-17 23:47:23.472202500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:23.906910500 smtpfront-qmail[16497]: RCPT TO: <judyabby@com.tw>
2005-01-17 23:47:23.909075500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:24.329221500 smtpfront-qmail[16497]: RCPT TO: <sales19d@mail.volition.com.tw>
2005-01-17 23:47:24.331405500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:24.777485500 smtpfront-qmail[16497]: RCPT TO: <owner-coven@iclubs.com.tw>
2005-01-17 23:47:24.779323500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:25.157299500 smtpfront-qmail[16497]: RCPT TO: <fong6902@npc.com.tw>
2005-01-17 23:47:25.159450500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:25.577156500 smtpfront-qmail[16497]: RCPT TO: <julian2612@mail.tisc.com.tw>
2005-01-17 23:47:25.579346500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:26.021362500 smtpfront-qmail[16497]: RCPT TO: <chen02@mail.orix.com.tw>
2005-01-17 23:47:26.023476500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:26.418066500 smtpfront-qmail[16497]: RCPT TO: <jean.k.2000@com.tw>
2005-01-17 23:47:26.420168500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:26.797005500 smtpfront-qmail[16497]: RCPT TO: <contact@www.dmusic.com.tw>
2005-01-17 23:47:26.799846500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:27.223969500 smtpfront-qmail[16497]: RCPT TO: <amje@see.net.tw>
2005-01-17 23:47:27.226535500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:27.672885500 smtpfront-qmail[16497]: RCPT TO: <lynn@evercorp.com.tw>
2005-01-17 23:47:27.675117500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:28.100615500 smtpfront-qmail[16497]: RCPT TO: <89a015@mail.kscg.gov.tw>
2005-01-17 23:47:28.102799500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:28.542618500 smtpfront-qmail[16497]: bytes in: 591 bytes out: 1033
2005-01-17 23:47:28.543409500 tcpserver: end 16497 status 0
2005-01-17 23:47:28.543416500 tcpserver: status: 0/40


Info about the IP range/owner that I want to block can be found here:
http://www.senderbase.org/search?searchString=202.129.242.196
A quick brownFOX jumps over the lazy dog...
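An added example (not from this thread, and not SME Server's or dungog's own tooling) that does what Jon suggested in Reply #3 and what the log in Reply #7 makes possible: tcpserver logs `pid N from IP` once per connection and every `smtpfront-qmail[N]` line carries that same pid, so correlating the two attributes each "allowed rcpthosts" rejection to a source address, without raising log verbosity. The embedded sample reuses the thread's own excerpt plus one constructed normal session (pid 16510 from 192.168.1.10, made up here) to show that legitimate deliveries are not counted; the /19 checked is the range the author looked up. The script also forgets a pid when tcpserver logs its `end`, since pids are reused.

```python
"""Attribute rejected relay attempts in a qmail/tcpserver log to source IPs.

Added example; assumes the tcpserver and smtpfront-qmail line formats
shown in the thread above.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: the first session is copied from the log excerpt in
# the thread; the second (pid 16510, 192.168.1.10) is made up to show a
# normal delivery that must NOT be counted as a relay attempt.
SAMPLE_LOG = """\
2005-01-17 23:47:15.956340500 tcpserver: status: 1/40
2005-01-17 23:47:15.956601500 tcpserver: pid 16497 from 202.129.242.100
2005-01-17 23:47:16.727681500 tcpserver: ok 16497 0:82.197.207.137:25 tp242100.dynamic.seeder.net:202.129.242.100::4888
2005-01-17 23:47:19.802708500 smtpfront-qmail[16497]: MAIL FROM: <ssscssvbk.rgghh@aisai.com.cn>
2005-01-17 23:47:20.209930500 smtpfront-qmail[16497]: RCPT TO: <sunnychen@nhri.org.tw>
2005-01-17 23:47:20.212470500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:20.631023500 smtpfront-qmail[16497]: RCPT TO: <gavin_huang@oclaim.com.tw>
2005-01-17 23:47:20.633220500 smtpfront-qmail[16497]: Sorry, that domain isn't in my list of allowed rcpthosts.
2005-01-17 23:47:28.542618500 smtpfront-qmail[16497]: bytes in: 591 bytes out: 1033
2005-01-17 23:47:28.543409500 tcpserver: end 16497 status 0
2005-01-17 23:47:28.543416500 tcpserver: status: 0/40
2005-01-17 23:50:01.000000500 tcpserver: pid 16510 from 192.168.1.10
2005-01-17 23:50:01.100000500 tcpserver: ok 16510 0:82.197.207.137:25 :192.168.1.10::3000
2005-01-17 23:50:02.000000500 smtpfront-qmail[16510]: MAIL FROM: <user@example.com>
2005-01-17 23:50:02.500000500 smtpfront-qmail[16510]: RCPT TO: <someone@example.org>
2005-01-17 23:50:03.000000500 smtpfront-qmail[16510]: bytes in: 300 bytes out: 400
2005-01-17 23:50:03.100000500 tcpserver: end 16510 status 0
"""

# tcpserver announces the peer once per connection; qmail lines only carry the pid.
PID_FROM = re.compile(r"tcpserver: pid (\d+) from (\d+\.\d+\.\d+\.\d+)")
PID_END = re.compile(r"tcpserver: end (\d+) ")
SMTP = re.compile(r"smtpfront-qmail\[(\d+)\]: (.*)$")
REJECT = "isn't in my list of allowed rcpthosts"

# The /19 the thread's author looked up for the changing source address.
SUSPECT_RANGE = ip_network("202.129.224.0/19")


def summarize_sessions(log_text):
    """Map each pid to its source IP, then tally RCPT TO and rejections per IP."""
    pid_to_ip = {}
    stats = defaultdict(lambda: {"sessions": 0, "rcpt": 0, "rejected": 0})
    for line in log_text.splitlines():
        m = PID_FROM.search(line)
        if m:
            pid, ip = m.groups()
            pid_to_ip[pid] = ip
            stats[ip]["sessions"] += 1
            continue
        m = PID_END.search(line)
        if m:
            pid_to_ip.pop(m.group(1), None)  # pids are reused; drop the mapping
            continue
        m = SMTP.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        ip = pid_to_ip.get(pid)
        if ip is None:
            continue  # connection began before this excerpt; cannot attribute
        if msg.startswith("RCPT TO:"):
            stats[ip]["rcpt"] += 1
        elif REJECT in msg:
            stats[ip]["rejected"] += 1
    return dict(stats)


def in_suspect_range(ip):
    """True if the address falls inside the /19 identified in the thread."""
    return ip_address(ip) in SUSPECT_RANGE


def offenders(log_text, min_rejected=1):
    """(ip, rejected_count, in_range) for IPs with enough relay refusals."""
    rows = [(ip, s["rejected"], in_suspect_range(ip))
            for ip, s in summarize_sessions(log_text).items()
            if s["rejected"] >= min_rejected]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for ip, rejected, suspect in offenders(SAMPLE_LOG):
        flag = "in 202.129.224.0/19" if suspect else ""
        print(f"{ip:16} rejected RCPT TO: {rejected:3} {flag}")
```

Run it against `/var/log/qmail/current` (or wherever SME keeps the tcpserver/qmail multilog output) instead of the sample to get a per-IP count; raising `min_rejected` filters out the occasional mistyped recipient from a real user, and the `in_range` flag tells you whether a given offender would be covered by a block on the /19 before you commit to a rule that wide.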

Offline brownfox

secure mail / mailserver relay
« Reply #8 on: January 18, 2005, 02:54:35 PM »
When I block port 25 in the server manager, he is still coming through.

 :-o  :-o  :-?  :-?  :-?  :cry:  :cry:

I'm totally desperate...
Is it a security flaw in SME?
A quick brownFOX jumps over the lazy dog...

guest22

secure mail / mailserver relay
« Reply #9 on: January 18, 2005, 03:04:22 PM »
Why are you desperate? SME Server is doing what it's supposed to do: deny relaying. Unblock port 25 and live with the fact that there are fools out there. As Damian said, it is just a notice to the admin.

Offline brownfox

secure mail / mailserver relay
« Reply #10 on: January 18, 2005, 06:48:18 PM »
Quote from: "guest22"
Why are you desperate? SME Server is doing what it's supposed to do: deny relaying. Unblock port 25 and live with the fact that there are fools out there. As Damian said, it is just a notice to the admin.


I want to stop this at the front door, not the second time around.

So I want to block the whole IP range 202.129.224.0/19

PS: when I don't install dungog-mailblocking, I can't block this person.
A quick brownFOX jumps over the lazy dog...

Offline brownfox

secure mail / mailserver relay
« Reply #11 on: January 21, 2005, 11:48:11 AM »
Problem solved:

Security
 - Remote access
Secure shell access
 - Allow access only from local networks

 :pint:  :pint:  8-)  :hammer:  :hammer:  :hammer:  :-?
A quick brownFOX jumps over the lazy dog...