Koozali.org: home of the SME Server

Open Relay Advice

Offline gbentley

Open Relay Advice
« on: December 07, 2005, 06:15:51 PM »
All of a sudden ISPs are refusing mail from our SME6 server. I checked the mail logs and followed links to test for blacklist inclusion. We (our IP) is indeed on several lists. From what I have read on here SME in its default form cannot be used as an open relay (OK I added Jesper's AV)

My questions are as follows:

1) How did we get blacklisted?

Could this be a spyware zombie on our winclients sending out crap all day? We have updated BitDefender on the Wintops and of course Clam etc on SME

2) How do we get un-blacklisted?

The setup is like this:

We are on an ADSL line with BT (UK) and I have let SME talk to SMTP servers itself. What is happening is that ISPs' SMTP servers are refusing to talk back because of the blacklisting!!

If I try and use our ISP's SMTP server for forwarding it also won't talk to us because it wants SMTP with auth (can this be done on SME?) and assumes we are using Lookout Excuse !!!

Any advice gratefully appreciated !!
"If you don't know what you want, you end up with a lot you don't."

Offline CharlieBrady

Re: Open Relay Advice
« Reply #1 on: December 08, 2005, 04:36:59 AM »
Quote from: "gbentley"

1) How did we get blacklisted?


You'll have to ask the blacklists.

Quote

2) How do we get un-blacklisted?


You'll have to ask the blacklists.

Offline raem

Re: Open Relay Advice
« Reply #2 on: December 08, 2005, 06:40:53 AM »
gbentley

> by default sme cannot be used as an open relay..

You'd best run a test on your server just to be sure it is not an open relay, see
www.abuse.net/relay.html
or do
telnet relay-test.mail-abuse.org


> If I try and use our ISP smtp for forwarding...

That will get you out of immediate trouble as the ISP's IP will appear to be the source IP.


>... it also won't talk to us because it wants smtp with auth...

By default sme 6.0 or 6.0.1 does not do this but you can install newer RPMs and get the functionality; search for forum posts, particularly one by Gordon Rowell.
Also check the contribs.org FAQs etc.


sme 6.5 has the functionality but you need to enable it.
sme 7beta8 has the functionality also.

I had trouble with one obscure RBL list and eventually I had to get my reverse dns lookup altered by my ISP to match my domain name before the RBL list maintainers would remove my static IP from their list. It took me about 5 months to get this done. I was lucky it was an obscure list that not many people used.

good luck !


Offline gbentley

Open Relay Advice
« Reply #3 on: December 08, 2005, 10:50:06 AM »
Charlie and Ray, thanks for your replies.

Charlie, I *did* ask and got replies from a couple of the list maintainers whose attitude seems to be "If we say it is like this, it is - go away and sort out your own problems"

That's why I asked here as I have had great help in the past from people who seem to have more knowledge and experience than the people running large services / organisations etc.

I have deployed several SME's over the years starting somewhere round v4.x and I have never had to deal with this one - guess we are all learning still ...

I appreciate your help and will investigate further.

First test :-

[root@mailserver qmail]# telnet relay-test.mail-abuse.org
Trying 168.61.4.13...
Connected to relay-test.mail-abuse.org.
Escape character is '^]'.
/proj/maps/bin/in.relaytest: socket failed [Bad file descriptor]
Connecting to 86.130.145.xxx ...
Connection closed by foreign host.

Not sure what this means ... am now registering for their other testing services ...

Offline p-jones

Open Relay Advice
« Reply #4 on: December 08, 2005, 01:03:08 PM »
I wonder whether you have a static or dynamic IP address. From time to time (and just this morning) I have had mail rejected because one of the spam lists rejects all mail from dynamic IPs. Below is the response:

x.x.x.x does not like recipient.
Remote host said: 554 Service unavailable; Client host [x.x.x.x] blocked using dul.dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?x.x.x.x
Giving up on x.x.x.x.

The only way to resolve this is for my SME to hand mail over to my ISP to deliver rather than deliver it directly. There is an option for this in the server-manager under email.

Maybe this helps
Rgds
Peter
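The rejection Peter quotes names the exact list zone that blocked the message, and any DNSBL can be queried directly: reverse the IPv4 octets, append the zone, and ask for an A record. An answer inside 127.0.0.0/8 means "listed", NXDOMAIN means "not listed". The following script is an added example, not code from this thread or from SME Server, that extracts the zone from such a bounce and runs the lookup so you can confirm a listing yourself and re-check after asking for removal. The IP addresses 192.0.2.x and the stub resolver answers are constructed so the script runs offline; point it at `live_resolve` to query real DNS.

```python
"""Look up an IP address on a DNS-based blocklist (DNSBL) the same way the
rejecting mail server did.

A DNSBL is queried by reversing the IPv4 octets and appending the list zone:
192.0.2.10 on dul.dnsbl.sorbs.net becomes 10.2.0.192.dul.dnsbl.sorbs.net.
An A record in 127.0.0.0/8 means "listed" (the last octet usually encodes
the reason); NXDOMAIN means "not listed".
"""
import re
import socket
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]

# Pulls the blocklist zone out of a bounce such as the one quoted above:
# "... blocked using dul.dnsbl.sorbs.net; Dynamic IP Addresses ..."
_BLOCKED_USING = re.compile(r"blocked using ([A-Za-z0-9.-]+)")

# Bounce text as quoted in the thread (x.x.x.x is the poster's own masking).
SAMPLE_BOUNCE = (
    "x.x.x.x does not like recipient.\n"
    "Remote host said: 554 Service unavailable; Client host [x.x.x.x] "
    "blocked using dul.dnsbl.sorbs.net; Dynamic IP Addresses "
    "See: http://www.sorbs.net/lookup.shtml?x.x.x.x\n"
    "Giving up on x.x.x.x.\n"
)


def zone_from_bounce(bounce_text: str) -> Optional[str]:
    """Return the DNSBL zone named in a 'blocked using <zone>' bounce, if any."""
    match = _BLOCKED_USING.search(bounce_text)
    return match.group(1) if match else None


def reversed_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, list zone appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def live_resolve(name: str) -> Optional[str]:
    """Real DNS A lookup; None when the name does not exist (NXDOMAIN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve: Resolver = live_resolve) -> Optional[str]:
    """Return the 127.x.y.z verdict code if `ip` is listed on `zone`, else None."""
    answer = resolve(reversed_query_name(ip, zone))
    if answer is None:
        return None
    if not answer.startswith("127."):
        # A non-127/8 answer is not a DNSBL verdict: typically a wildcard from
        # a dead or hijacked list zone, which must not be treated as a listing.
        raise RuntimeError(f"unexpected answer {answer} from {zone}")
    return answer


def check_zones(ip: str, zones: Iterable[str],
                resolve: Resolver = live_resolve) -> Dict[str, Optional[str]]:
    """Query each zone for `ip`; the result maps zone -> verdict code or None."""
    return {zone: is_listed(ip, zone, resolve) for zone in zones}


# Constructed offline answers standing in for real DNS so the script runs
# without network access. 127.0.0.2 is the conventional "always listed" test
# address every DNSBL answers for (RFC 5782); 192.0.2.10 is a documentation-
# range address we pretend is listed as a dynamic IP.
STUB_ANSWERS = {
    "2.0.0.127.dul.dnsbl.sorbs.net": "127.0.0.2",
    "10.2.0.192.dul.dnsbl.sorbs.net": "127.0.0.10",
}


def stub_resolve(name: str) -> Optional[str]:
    """Offline resolver backed by STUB_ANSWERS (constructed data)."""
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    zone = zone_from_bounce(SAMPLE_BOUNCE)  # "dul.dnsbl.sorbs.net"
    # Sanity check first: if 127.0.0.2 is not listed, the lookup path is broken
    # (wrong zone name, resolver filtering) rather than the IP being clean.
    assert is_listed("127.0.0.2", zone, stub_resolve) is not None
    for ip in ("192.0.2.10", "192.0.2.11"):
        print(ip, check_zones(ip, [zone], stub_resolve))
```

Querying 127.0.0.2 before your own address distinguishes "not listed" from "the lookup is not working", and the 127/8 check guards against zones that have been abandoned and wildcarded, which would otherwise report every address as listed.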

Offline gbentley

Open Relay Advice
« Reply #5 on: December 08, 2005, 01:18:28 PM »
Thanks for that Peter. After resetting the router several times and getting the same WAN IP I assume it is static (left it for over 20 mins at one point)

Anyway, the awkward thing about BT in the UK is that they want you to do SMTPAUTH if you want to use another domain (other than theirs) in your relayed mail envelopes.

In some cases I have had to fax them so that they will include the clients domain on a list of 'accepted' addresses.

I wouldn't have chosen BT myself.

A registered test at abuse.net can't even find any open ports / relays / proxies etc

The NAT Router is stealthed with only port 22 opened occasionally for some remote admin.

I am starting to suspect some Spam Zombie on one of the 10 machines and am getting them to install Adaware and Spybot right now.

Of course I could be barking up the wrong tree altogether as I am a domestic electrician really - LOL !

Offline CharlieBrady

Open Relay Advice
« Reply #6 on: December 08, 2005, 04:05:24 PM »
Quote from: "gbentley"

Charlie, I *did* ask and got replies from a couple of the list maintainers whose attitude seems to be "If we say it is like this, it is - go away and sort out your own problems"


If you know which list or lists you are on, then you have a start.

Each list is different. They each have different criteria for listing, and different rules for removal. You'll need to do specific research to find out.

Or deliver outbound mail via your ISP and avoid the issue. Since you need SMTPAUTH, you'll need to use a contrib and do some fiddling - unless you use 7.0beta. Search here for "smtp auth proxy" and you should find the details.

Offline CharlieBrady

Open Relay Advice
« Reply #7 on: December 08, 2005, 04:06:56 PM »
BTW, you should have called this thread "DNS blacklist advice", not "open relay advice". I don't see anything here which suggests you ever had an open relay.

Offline gbentley

Open Relay Advice
« Reply #8 on: December 09, 2005, 03:32:37 PM »
Out of interest DSBL reported that we had an Open SOCKS4 Proxy running on port 559

How would I go about checking if we have actually gotten rid of this beast?

(We have removed a ton of Spyware and had words with Lunchtime surfers)

Offline CharlieBrady

Open Relay Advice
« Reply #9 on: December 09, 2005, 04:40:36 PM »
Quote from: "gbentley"
Out of interest DSBL reported that we had an Open SOCKS4 Proxy running on port 559


My guess is that some previous user of your IP address had an open SOCKS4 Proxy running. The only ways you could have had one running were if you installed it yourself or you had a root compromise of your system.

Get DSBL to retest your system and clear the report. If you are not on a static IP address, attempt to get one. If you can't get one, then use your ISP's SMTP server for outbound mail. If you need SMTPAUTH for that, you've got some fiddling to do. Start a new thread if you need help in getting SMTP AUTH working on 6.x.

Offline gbentley

Open Relay Advice
« Reply #10 on: December 12, 2005, 09:15:27 AM »
Thanks everyone for all the advice on this - just thought I would report back with the results.

The client had no clue or record (other than the monthly invoice / password) of his account details with the provider. BT would not give specific info without me being able to answer the security questions.

Out of curiosity I switched off the router and left it off for over an hour. After re-boot I had a different WANIP. I checked for it on the black lists and it was not present.

So, easy solution I guess as we are all back up and sending mail (even to AOL accounts LOL !)

Of course I am still getting them to scan for Spyware and use Firefox instead of IE :)

Thanks again.

Seasons Greetings Everyone !