Koozali.org: home of the SME Server

Machine sending worm mail from my server, NOT an open relay

GPete (http://aaahomebase.com)
Maybe you missed........
« Reply #15 on: October 01, 2006, 11:48:38 AM »
Maybe you missed the part about a spike in email messages. (More than a thousand messages that didn't come from inside my system.)

Turning off the backscatter is like burying my head in the sand. I wouldn't know that my system was being used for a spam relay.

I'm really looking for a way to prevent the relay, not a way to hide from it.

I'm running SME 7, and I'm hoping that my settings are incorrect and someone can tell me what to change.

E-mail settings
POP3 server access: Allow private
IMAP server access: Allow private
Webmail access: Allow HTTPS (secure)
Virus scanning: Enabled
Spam filtering: Enabled
Executable content blocking: Enabled
E-mail retrieval mode: Standard (SMTP)
SMTP authentication: Allow SSMTP (secure)
Forwarding address for administrative notices: “me”@yahoo.com
E-mail to unknown users: Send to “me”
Address of internal mail server: (blank)
Address of Internet provider's mail server: (blank)

christian (http://www.szpilfogel.com)
Machine sending worm mail from my server, NOT an open relay
« Reply #16 on: October 01, 2006, 05:06:10 PM »
I've noticed a spike in the last two days as well. But in my case, it definitely looks like backscatter.

The last time this happened, I enabled an SPF record in my DNS record (my ISP allows me to add this). I also dealt with the double bounce.

Backscatter went to almost 0 for about a year until about two days ago. I'm assuming a spike in activity somewhere plus the fact they got hold of my legitimate addresses.

BTW on SPF, I know there is some controversy about it being heavyweight, but it is a start.
SME since 2003
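Added example, not part of the thread and not SME Server code: a small offline evaluator showing what the SPF record christian mentions actually does for a receiving server. It assumes a record of the form `v=spf1 mx a ip4:203.0.113.0/28 -all` for the forged domain and supplies the DNS answers for the `a` and `mx` mechanisms by hand instead of querying DNS; `include`, `exists` and `redirect` are not implemented. The record, addresses and answers are constructed.

```python
import ipaddress

# Constructed example: an SPF record for the domain whose addresses are being
# forged, plus hand-supplied DNS answers so the check runs offline (assumed data).
SPF_RECORD = "v=spf1 mx a ip4:203.0.113.0/28 -all"
DNS_ANSWERS = {"a": ["203.0.113.10"], "mx": ["203.0.113.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                 # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(record, client_ip, dns_answers):
    """Result a receiving MTA gets for a connection from client_ip that claims a
    MAIL FROM in this domain. Mechanisms are tried left to right and the first
    match decides. Handles ip4, ip6, a, mx and all; include/exists/redirect
    would need real DNS lookups and are treated as non-matching here."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ipaddress returns False for a v4 address tested against a v6 net and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            matched = str(ip) in dns_answers.get(mech, [])
        else:
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    for client in ("203.0.113.10", "198.51.100.77"):
        print(client, "->", check_spf(SPF_RECORD, client, DNS_ANSWERS))
```

With `-all`, a receiver that checks SPF can refuse the forged message during the SMTP session, so no bounce to the forged sender is ever generated; `~all` only lets the receiver mark the message, which is why it does less against backscatter.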

raem
Re: Maybe you missed........
« Reply #17 on: October 01, 2006, 05:23:28 PM »
GPete

> Maybe you missed the part about a spike in email messages.

No I didn't.

> I'm getting bounce traffic from all over the world and the mail log indicates a spike in messages.

You identified the mail as bounces, and clearly that is external traffic coming into your server, so of course you would see more activity in the mail log.

> I assume that confirms that my server has been used as a relay for spamming.

You provided no details about the messages. If you provided the message headers it would tell us something. If you quoted the exact message you received then that would also tell us something.
As you provided none of that detail, I made the most likely conclusion, which was that your assumption was incorrect.

You have provided no evidence to support your assumption that your server is a relay. All the settings look satisfactory and would not normally allow "spam relaying" as you call it.

Read my previous post for the mechanics of how it works.

Turning on the option to "return undeliverable messages to sender" is not burying your head in the sand, it's simply an administrative decision.
Ultimately it's whether you consider there is any value in reading emails sent to unknown users etc. Personally I think there is no value in doing that.

Deleting doublebounce messages is a very effective way of dealing with that type of traffic, which is more often related to other servers using your return email address and sending spam and virus-infected messages to (often) invalid users on other servers, thus generating bounces.

What you are most probably seeing is simply a busy spam server somewhere, which has harvested your domain addresses.

Absorb what I'm saying and you will see it makes sense.

There was a recent posting which detailed how to configure doublebounce deletion on sme7.
...
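Added example, not part of the thread and not SME Server code: raem's point that the message headers would settle the question can be checked mechanically. The script below takes a bounce as it arrived, discards the bounce's own header block (that is where our own server's Received: lines sit), and walks the Received: headers of the returned copy from the top down. The topmost hop was written by the remote site, so the address it says it took the message from is the only one the sender could not forge; if that address belongs to our network the message really passed through our server, and the hop below it names the internal machine that submitted it (the "worm mail" case of the thread title), otherwise the sender merely forged our domain and the bounce is backscatter. The two bounces, the domain `mydomain.example`, the address block `203.0.113.0/28` and all hostnames are constructed; base64-encoded report parts are not decoded.

```python
import ipaddress
import re

# Constructed sample 1: a bounce for a message our server never handled. The
# returned copy shows the remote MTA took it from 198.51.100.77, a stranger
# who only used our domain as the forged sender.
BACKSCATTER_BOUNCE = """\
Received: from mail.example.net (192.0.2.25) by mail.mydomain.example with SMTP; 1 Oct 2006 10:03:40 -0000
From: MAILER-DAEMON@mail.example.net
To: pete@mydomain.example
Subject: failure notice

Hi. This is the qmail-send program at mail.example.net.
I wasn't able to deliver your message to the following addresses.

<nobody@example.net>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Received: from unknown (HELO mydomain.example) (198.51.100.77)
  by mail.example.net with SMTP; 1 Oct 2006 10:02:11 -0000
From: "Pete" <pete@mydomain.example>
To: nobody@example.net
Subject: cheap meds
"""

# Constructed sample 2: same kind of bounce, but the remote MTA took the message
# from our own address, and our server took it from a machine on our LAN.
RELAYED_BOUNCE = """\
Received: from mx.example.net (192.0.2.25) by mail.mydomain.example with SMTP; 1 Oct 2006 10:05:02 -0000
From: MAILER-DAEMON@mx.example.net
To: pete@mydomain.example
Subject: failure notice

--- Below this line is a copy of the message.

Received: from mail.mydomain.example (203.0.113.10)
  by mx.example.net with SMTP; 1 Oct 2006 10:04:30 -0000
Received: from pc-finance (192.168.1.50)
  by mail.mydomain.example with SMTP; 1 Oct 2006 10:04:29 -0000
From: "Pete" <pete@mydomain.example>
To: nobody@example.net
Subject: cheap meds
"""

OUR_NETWORKS = ["203.0.113.0/28"]  # assumed public block of our mail server

RECEIVED_RE = re.compile(r"^Received:(.*(?:\n[ \t].*)*)", re.M)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 1918 and loopback: hops between these are a remote site's internal
# relaying and say nothing about who handed the message to that site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def returned_copy(raw_bounce):
    """Body of the bounce, i.e. everything after its own header block. The
    bounce's own Received: lines (added by *our* server when it accepted the
    bounce) must not be mistaken for hops of the original message."""
    _, _, body = raw_bounce.replace("\r\n", "\n").partition("\n\n")
    return body


def received_hops(text):
    """Received: headers in order of appearance (topmost = most recent hop),
    with folded continuation lines joined into one string."""
    return [" ".join(m.group(1).split()) for m in RECEIVED_RE.finditer(text)]


def connecting_ip(hop):
    """Address in the 'from ...' clause of a hop: who connected to the MTA that
    wrote the header. Text after 'by' is ignored."""
    from_clause = re.split(r"\bby\b", hop, maxsplit=1)[0]
    for candidate in IPV4_RE.findall(from_clause):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def classify_bounce(raw_bounce, our_networks):
    """Return (verdict, decisive_hop, inner_hop). verdict is 'relayed' when the
    first foreign hop took the message from one of our_networks, 'backscatter'
    when it took it from anyone else, 'undetermined' when no usable Received:
    header exists. inner_hop is the hop directly below the decisive one (for a
    relayed message: the machine that submitted it to our server)."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    hops = received_hops(returned_copy(raw_bounce))
    for i, hop in enumerate(hops):
        ip = connecting_ip(hop)
        if ip is None or any(ip in n for n in INTERNAL_NETS):
            continue                      # remote-internal hop, keep walking down
        inner = hops[i + 1] if i + 1 < len(hops) else None
        if any(ip in n for n in nets):
            return "relayed", hop, inner  # the remote got it from our address
        # Everything below this hop could have been forged by the real sender,
        # so the decision is made here.
        return "backscatter", hop, inner
    return "undetermined", None, None


if __name__ == "__main__":
    for name, bounce in (("sample 1", BACKSCATTER_BOUNCE), ("sample 2", RELAYED_BOUNCE)):
        verdict, hop, inner = classify_bounce(bounce, OUR_NETWORKS)
        print(name, "->", verdict)
        print("  decisive hop:", hop)
        if verdict == "relayed" and inner:
            print("  submitted to us by:", inner)
```

A "relayed" verdict with an inner hop points at the LAN address to go and disinfect; a "backscatter" verdict means the relay settings are not the problem and the remedies are on the bounce side (an SPF record for the domain and deleting doublebounces), as the earlier posts suggest.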