Koozali.org: home of the SME Server

Is my server being used as a spam relay?

Offline Bozely

Is my server being used as a spam relay?
« on: June 30, 2010, 10:44:44 AM »
Hi guys,

What's the best way to make sure your server isn't sending spam?

I received the following copy of an email header from receiver.com's administrator and a note saying "someone's sending spam via your server!".

Code:
Return-Path: <banneringbf1@my-server.com>
Delivered-To: adam@receiver.com
X-Envelope-To: adam@receiver.com
Received: (qmail 4301 invoked by uid 399); 29 Jun 2010 12:16:57 -0400
X-Virus-Scan: Scanned by ClamAV 0.95.2 (no viruses);
  Tue, 29 Jun 2010 12:16:57 -0400
Received: from exprod5mx200.postini.com (HELO psmtp.com) (64.18.0.46)
  by mail05.secureserverdot.com with ESMTP; 29 Jun 2010 12:16:57 -0400
X-Originating-IP: 64.18.0.46
Received: from source ([77.29.19.90]) by exprod5mx200.postini.com ([64.18.4.10]) with SMTP;
            Tue, 29 Jun 2010 12:16:56 EDT
Received: from 77.29.19.90 (port=0110 helo=[pc1])
            by mail.my-server.com with asmtp
            id 896714-000632-66
            for adam@receiver.com; Tue, 29 Jun 2010 18:16:47 +0100
Message-ID: <22532745.8147930@my-server.com>
Date: Tue, 29 Jun 2010 18:16:47 +0100
From: "receiver.com" <support@receiver.com>
MIME-Version: 1.0
To: adam@receiver.com
Subject: Reset your receiver.com password
Content-Disposition: inline
Content-Transfer-Encoding: binary
Content-Type: text/html; charset=iso-8859-1
X-Spam: Not detected
X-Mras: OK
X-pstn-levels:     (S: 7.25506/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-AntiVirus: checked (incoming) by AntiVir MailGuard (Version: 10.0.1.27; AVE: 8.2.4.2; VDF: 7.10.8.216)

I keep a mail log of all outgoing emails and don't see this email being sent. Also, the IPs don't relate to my server, so my conclusion is that maybe my domain is being spoofed and there isn't much I can do, but I also don't want to brush it off.

Any ideas?

Cheers.
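The header above can be checked mechanically rather than by eye. The following is an added example (not code from the thread or from SME Server) that walks the Received: chain from the receiving side downward: each line says which host wrote it ("by") and which address that host saw the connection come from ("from"). If an older line claims it was written by a host you operate, the next newer line must show the connection arriving from that host's address; if it does not, the older line was supplied by the sender and everything below it is untrusted. The Received: lines are the ones from the post; the server's own address is an assumption (the post only shows it as 213.208.xxx.xxx), so a documentation address stands in for it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The Received: lines from the header in the post above, re-folded as they
# would appear in the raw message.  Nothing else is added.
SAMPLE_HEADER = """\
Return-Path: <banneringbf1@my-server.com>
Received: (qmail 4301 invoked by uid 399); 29 Jun 2010 12:16:57 -0400
Received: from exprod5mx200.postini.com (HELO psmtp.com) (64.18.0.46)
  by mail05.secureserverdot.com with ESMTP; 29 Jun 2010 12:16:57 -0400
Received: from source ([77.29.19.90]) by exprod5mx200.postini.com ([64.18.4.10]) with SMTP;
  Tue, 29 Jun 2010 12:16:56 EDT
Received: from 77.29.19.90 (port=0110 helo=[pc1])
  by mail.my-server.com with asmtp
  id 896714-000632-66
  for adam@receiver.com; Tue, 29 Jun 2010 18:16:47 +0100
Subject: Reset your receiver.com password
"""

# Hosts we operate and the addresses they connect from.  ASSUMPTION: the post
# redacts the real address (213.208.xxx.xxx), so a documentation IP stands in.
OUR_HOSTS: Dict[str, Set[str]] = {"mail.my-server.com": {"203.0.113.10"}}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY_RE = re.compile(r"^Received:\s+from\s+(?P<frm>.+?)\s+by\s+(?P<by>[^\s(;]+)", re.I)


@dataclass
class Hop:
    raw: str
    from_ip: Optional[str]   # address the receiving host saw the connection from
    by_host: Optional[str]   # host that wrote this line, as it names itself


def unfold(raw: str) -> List[str]:
    """Join folded header lines (continuation lines start with whitespace)."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(raw: str) -> List[Hop]:
    """Return Received: hops in header order: newest (closest to us) first."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        m = FROM_BY_RE.match(line)
        if not m:                       # local delivery lines such as qmail's have no from/by
            hops.append(Hop(line, None, None))
            continue
        ip = IPV4_RE.search(m.group("frm"))
        hops.append(Hop(line, ip.group(1) if ip else None, m.group("by").lower()))
    return hops


def first_forged_hop(hops: List[Hop], ours: Dict[str, Set[str]]) -> Optional[Hop]:
    """Walk down from the trusted end.  An older line that claims to be written
    'by' one of our hosts is only credible if the newer line saw the connection
    come from that host's address.  Returns the first line that fails this."""
    for newer, older in zip(hops, hops[1:]):
        if older.by_host in ours and newer.from_ip not in ours[older.by_host]:
            return older
    return None


def origin_ip(hops: List[Hop], ours: Dict[str, Set[str]]) -> Optional[str]:
    """Connecting address recorded by the last hop we can still trust."""
    forged = first_forged_hop(hops, ours)
    trusted = hops if forged is None else hops[: hops.index(forged)]
    for hop in reversed(trusted):
        if hop.from_ip:
            return hop.from_ip
    return None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADER)
    bad = first_forged_hop(hops, OUR_HOSTS)
    print("forged line :", bad.raw if bad else "none")
    print("real origin :", origin_ip(hops, OUR_HOSTS))
```

Run against this header, the check stops at the line claiming "by mail.my-server.com with asmtp": Postini's own line records the connection as coming straight from 77.29.19.90, not from the server, so that bottom line and the envelope sender were put there by whoever sent the message. The check only catches a bolted-on hop; it cannot tell you anything if the forger also copies your real address into the "from" part, so pair it with the outbound log review discussed later in the thread.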

Offline axessit

Re: Is my server being used as a spam relay?
« Reply #1 on: June 30, 2010, 11:58:13 AM »
If they're not your IP addresses, then it's not you. You can test your mail server here

http://www.abuse.net/relay.html

Just fill in the form and it checks whether your server can relay.

Offline Bozely

Re: Is my server being used as a spam relay?
« Reply #2 on: June 30, 2010, 12:41:08 PM »
Thanks,

Yeah, I just ran a similar test on MXToolbox, which returned

Code:
Not an open relay.
 0 seconds - Good on Connection time
 0.686 seconds - Good on Transaction time
 OK - 213.208.xxx.xxx resolves to mail.my-server.com
 OK - Reverse DNS matches SMTP Banner

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 mail.my-server.com Hi recover.mxtoolbox.com [64.20.227.133]; I am so happy to meet you. [140 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 <supertool@mxtoolbox.com>, sender OK - how exciting to get mail from you! [203 ms]
RCPT TO: <test@example.com>
550 relaying denied test@example.com [187 ms]
QUIT
221 mail.my-server.com closing connection. Have a wonderful day. [156 ms]

Looks OK to me and, like I previously mentioned, I don't see any link to me other than the domain used in the email header.

What's the best log to view outgoing email?
« Last Edit: June 30, 2010, 12:42:48 PM by Bozely »
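The MXToolbox transcript above tries one combination (external sender to external recipient). The abuse.net page tries several, and it is useful to be able to repeat that yourself after a configuration change. The following is an added example, not code from the thread or from SME Server, that runs a handful of MAIL FROM / RCPT TO pairs in one SMTP session and classifies each reply. The domains are assumptions (my-server.com as the server's own domain, example.org and example.net as outsiders); the `FakeSMTP` class answers the way the server in the transcript did so the script runs offline, and a real target can be passed on the command line.

```python
import smtplib
from dataclasses import dataclass
from typing import Callable, List, Tuple

LOCAL_DOMAIN = "my-server.com"          # ASSUMPTION: the domain the server hosts
# Probe pairs in the style of the abuse.net / MXToolbox tests (constructed).
PROBES: List[Tuple[str, str]] = [
    ("supertool@example.org", "test@example.net"),          # external -> external
    ("postmaster@my-server.com", "test@example.net"),       # forged local sender -> external
    ("", "test@example.net"),                               # null sender -> external
    ("supertool@example.org", "postmaster@my-server.com"),  # external -> local (control, must pass)
]


@dataclass
class ProbeResult:
    sender: str
    rcpt: str
    code: int
    reply: str
    verdict: str


def classify(rcpt: str, code: int) -> str:
    """Turn the RCPT TO reply code into a verdict for this recipient."""
    external = rcpt.rsplit("@", 1)[-1].lower() != LOCAL_DOMAIN
    if 200 <= code < 300:
        return "RELAY-ACCEPTED" if external else "accepted-local"
    if 500 <= code < 600:
        return "relay-denied" if external else "LOCAL-REJECTED"
    return "inconclusive"   # 4xx: greylisting or a temporary failure, retry later


def relay_probe(host: str, probes=PROBES, port: int = 25,
                connect: Callable = smtplib.SMTP) -> List[ProbeResult]:
    """Send each MAIL FROM / RCPT TO pair in one session, RSET between pairs."""
    results: List[ProbeResult] = []
    with connect(host, port, timeout=20) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for sender, rcpt in probes:
            code, reply = smtp.mail(sender)        # smtplib sends MAIL FROM:<> for ""
            stage = "MAIL"
            if 200 <= code < 300:
                stage = "RCPT"
                code, reply = smtp.rcpt(rcpt)
            text = reply.decode("utf-8", "replace") if isinstance(reply, bytes) else str(reply)
            verdict = classify(rcpt, code) if stage == "RCPT" else "sender-rejected"
            results.append(ProbeResult(sender, rcpt, code, text, verdict))
            smtp.rset()
    return results


def is_open_relay(results: List[ProbeResult]) -> bool:
    return any(r.verdict == "RELAY-ACCEPTED" for r in results)


class FakeSMTP:
    """Offline stand-in for smtplib.SMTP that answers like the correctly
    configured server in the transcript: any sender is accepted, external
    recipients get 550 relaying denied, local recipients get 250."""
    def __init__(self, host, port=25, timeout=None):
        self.host = host
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def ehlo_or_helo_if_needed(self):
        pass
    def rset(self):
        return 250, b"flushed"
    def mail(self, sender):
        return 250, b"sender OK"
    def rcpt(self, rcpt):
        if rcpt.rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN:
            return 250, b"recipient OK"
        return 550, b"relaying denied " + rcpt.encode()


class OpenRelaySMTP(FakeSMTP):
    """What a misconfigured server answers: every recipient accepted."""
    def rcpt(self, rcpt):
        return 250, b"recipient OK"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        res = relay_probe(sys.argv[1])              # live probe: only against a server you own
    else:
        res = relay_probe("mail.my-server.com", connect=FakeSMTP)
    for r in res:
        print(f"{r.verdict:15} {r.sender or '<>':28} -> {r.rcpt:28} {r.code} {r.reply}")
    print("open relay:", is_open_relay(res))
```

Run it from outside your own network: a host on a network the server is configured to relay for is expected to get 250 on the external probes, and that result says nothing about what strangers on the internet can do. A 4xx on the external probes is not a pass; retry after the greylisting window.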

Offline axessit

Re: Is my server being used as a spam relay?
« Reply #3 on: June 30, 2010, 01:19:43 PM »
qpsmtpd/current will show all attempts to send email through your server - rejected and good

or

qmail/current will show accepted mail to your domain (which may or may not be to a legit user)

If you want to keep a copy of all emails sent, there's a contrib to do that, but it fills up your HDD pretty quick if you have a lot of mail.

Offline Bozely

Re: Is my server being used as a spam relay?
« Reply #4 on: June 30, 2010, 04:24:45 PM »
Hmmm, looking through the qpsmtpd log

Code:
2010-06-30 15:01:03.187755500 16007 Accepted connection 5/40 from 85.211.171.27 / Unknown
2010-06-30 15:01:03.187758500 16007 Connection from Unknown [85.211.171.27]
2010-06-30 15:01:04.215271500 16007 check_earlytalker plugin: remote host said nothing spontaneous, proceeding
2010-06-30 15:01:04.228605500 16007 220 myserv01.mail.my-server.com ESMTP
2010-06-30 15:01:04.294207500 16007 dispatching HELO ohagan-34348a02
2010-06-30 15:01:04.294210500 16007 250 mail.my-server.com Hi Unknown [85.211.171.27]; I am so happy to meet you.
2010-06-30 15:01:04.356674500 16007 dispatching MAIL FROM: <avowcreekside@my-server.com>
2010-06-30 15:01:04.356677500 16007 full from_parameter: FROM: <avowcreekside@my-server.com>
2010-06-30 15:01:04.361666500 16007 from email address : [<avowcreekside@my-server.com>]
2010-06-30 15:01:04.439830500 16007 getting mail from <avowcreekside@my-server.com>
2010-06-30 15:01:04.440183500 16007 250 <avowcreekside@my-server.com>, sender OK - how exciting to get mail from you!
2010-06-30 15:01:04.499657500 16007 dispatching RCPT TO: <avowcreekside@my-server.com>
2010-06-30 15:01:04.504654500 16007 to email address : [<avowcreekside@my-server.com>]
2010-06-30 15:01:04.517519500 16007 logging::logterse plugin: ` 85.211.171.27   Unknown ohagan-34348a02 <avowcreekside@my-server.com>            dnsbl   903     http://www.spamhaus.org/query/bl?ip=85.211.171.27       msg denied before queued
2010-06-30 15:01:04.518369500 16007 delivery denied (http://www.spamhaus.org/query/bl?ip=85.211.171.27)
2010-06-30 15:01:04.518734500 16007 550 http://www.spamhaus.org/query/bl?ip=85.211.171.27
2010-06-30 15:01:04.519114500 16007 click, disconnecting

To me this looks like an external server is trying to send via my smtp relay and the only thing that's stopping the email is the fact the external server is listed on an RBL.

Am I right or wrong?

Offline CharlieBrady

Re: Is my server being used as a spam relay?
« Reply #5 on: June 30, 2010, 04:35:12 PM »
To me this looks like an external server is trying to send via my smtp relay and the only thing that's stopping the email is the fact the external server is listed on an RBL.

Am I right or wrong?

You are slightly wrong. An external server is trying to send *to* your mail server (not *via* your smtp relay) - I am assuming that you have doctored the logs and "my-server.com" is a stand-in for your domain name.

This appears to have nothing to do with the issue you originally reported.

Offline axessit

Re: Is my server being used as a spam relay?
« Reply #6 on: June 30, 2010, 04:38:09 PM »
There are heaps of scanners out there and they try to hook up, but you will see "delivery denied", meaning the server is denying the sending of this email.

As I said, the qpsmtpd log shows all attempts, successful or, as in this case, not.

No cause for alarm, perfectly normal.
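The logterse line in the log above is the one-line summary qpsmtpd writes per transaction, and it is the line to grep for when answering the original question: it shows each connecting IP, what it tried to send, to whom, and whether the message was refused or queued. The following is an added example, not code from the thread or from SME Server, that parses those lines and sorts them into four buckets: refused (counted per plugin), inbound mail for a local domain, outbound mail from the local network, and outbound mail queued for an outside host. The column order is inferred from the single line in the post and is an assumption; the first sample line is that line with its columns written as tabs, the other three lines are constructed, and the local domain and trusted network are assumptions as well.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed log.  Line 1 is the logterse line from the post above (columns as
# tabs; the forum rendered them as spaces).  Lines 2-4 are made up here, with
# "queued"/"900" in the plugin/code columns as placeholder values, to show
# accepted traffic.  Column order is an assumption inferred from line 1.
SAMPLE_LOG = "\n".join([
    "2010-06-30 15:01:04.517519500 16007 logging::logterse plugin: ` 85.211.171.27\tUnknown\tohagan-34348a02\t<avowcreekside@my-server.com>\t\tdnsbl\t903\thttp://www.spamhaus.org/query/bl?ip=85.211.171.27\tmsg denied before queued",
    "2010-06-30 15:05:10.000000000 16010 logging::logterse plugin: ` 198.51.100.7\tmx.example.org\tmx.example.org\t<alice@example.org>\t<sales@my-server.com>\tqueued\t900\tqueued\t",
    "2010-06-30 15:06:20.000000000 16012 logging::logterse plugin: ` 192.168.1.20\tpc5.lan\tpc5\t<bob@my-server.com>\t<carol@example.net>,<dave@example.org>\tqueued\t900\tqueued\t",
    "2010-06-30 15:07:30.000000000 16015 logging::logterse plugin: ` 203.0.113.44\tUnknown\tpc1\t<banneringbf1@my-server.com>\t<adam@receiver.com>\tqueued\t900\tqueued\t",
])

LOCAL_DOMAINS = {"my-server.com"}                        # ASSUMPTION: domains this server hosts
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # ASSUMPTION: the LAN the server relays for
LOGTERSE_RE = re.compile(r"logging::logterse plugin: ` (.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")
FIELDS = ("remote_ip", "remote_host", "helo", "sender", "recipients",
          "plugin", "code", "message", "note")


def parse(log: str) -> List[Dict]:
    """Pull the tab-separated summary out of each logterse line."""
    rows: List[Dict] = []
    for line in log.splitlines():
        m = LOGTERSE_RE.search(line)
        if not m:
            continue                                   # not a summary line
        cols = m.group(1).split("\t")
        cols += [""] * (len(FIELDS) - len(cols))       # pad short lines
        row: Dict = dict(zip(FIELDS, cols))
        row["timestamp"] = line.split(" ", 1)[0]
        row["rcpts"] = ADDR_RE.findall(row["recipients"])
        # the post's own line ends with this note; anything without it was queued
        row["denied"] = "denied before queued" in (row["message"] + row["note"])
        rows.append(row)
    return rows


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(rows: List[Dict]) -> Dict:
    """Bucket the transactions.  'outbound_from_outside' is the one to read:
    logterse does not record SMTP AUTH, so every entry there is either one of
    your users sending through an authenticated session or a relay you did not
    intend to provide.  Cross-check those IPs against the auth lines in the log."""
    report: Dict = {"denied_by_plugin": Counter(), "inbound": [],
                    "outbound_from_lan": [], "outbound_from_outside": []}
    for row in rows:
        if row["denied"]:
            report["denied_by_plugin"][row["plugin"]] += 1
            continue
        external = [r for r in row["rcpts"]
                    if r.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS]
        if not external:
            report["inbound"].append(row)
        elif is_trusted(row["remote_ip"]):
            report["outbound_from_lan"].append(row)
        else:
            report["outbound_from_outside"].append(row)
    return report


if __name__ == "__main__":
    rep = triage(parse(SAMPLE_LOG))
    print("denied by plugin    :", dict(rep["denied_by_plugin"]))
    print("inbound queued      :", len(rep["inbound"]))
    print("outbound from LAN   :", len(rep["outbound_from_lan"]))
    for row in rep["outbound_from_outside"]:
        print("RELAYED FROM OUTSIDE:", row["timestamp"], row["remote_ip"],
              row["sender"], "->", row["rcpts"])
```

Fed the qpsmtpd/current log mentioned above, the dnsbl entry from the post lands in the denied bucket (nothing was queued, so nothing left the server), and any line in the last bucket whose IP has no matching authentication is the kind of evidence that would actually support the complaint the OP received.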

Offline Bozely

Re: Is my server being used as a spam relay?
« Reply #7 on: June 30, 2010, 04:57:43 PM »
axessit, cheers. I'm relatively happy that my server's on the level and I'll put it down to my domain being spoofed.

Charlie,
Quote
This appears to have nothing to do with the issue you originally reported.
Strictly speaking no, but it kind of does, seeing as I'm looking through my logs to see how it's handling SMTP requests, to then determine whether it's sending spurious email or not.

But thanks for the correction regarding the to/via, quite right.

Offline dem

Re: Is my server being used as a spam relay?
« Reply #8 on: October 15, 2010, 11:31:01 AM »
Is qmail by default working as an open relay or not?

Offline CharlieBrady

Re: Is my server being used as a spam relay?
« Reply #9 on: October 15, 2010, 03:18:10 PM »
Is qmail by default working as an open relay or not?

SME server by default is not an open relay. (relaying is controlled by qpsmtpd, not by qmail).

Offline mmccarn

Re: Is my server being used as a spam relay?
« Reply #10 on: October 17, 2010, 08:01:36 PM »
You may want to read the qpsmtpd section of the Email FAQ: http://wiki.contribs.org/Email#qpsmtpd

All incoming email to the SME server - that is, all email connections on port 25 (smtp) or 465 (smtps) - is processed by qpsmtpd. Only after qpsmtpd agrees to accept a message is it handed off to qmail.


Offline axessit

Re: Is my server being used as a spam relay?
« Reply #11 on: October 18, 2010, 12:12:11 PM »
If ISPs are starting to block email on port 25, should I do the same on my SME server, leaving smtps open on port 465? Or will this block too much email?

Offline cactus

Re: Is my server being used as a spam relay?
« Reply #12 on: October 18, 2010, 01:12:25 PM »
If ISPs are starting to block email on port 25, should I do the same on my SME server, leaving smtps open on port 465? Or will this block too much email?
IMHO, most ISPs are doing the wrong thing, motivated by laziness. Blocking incoming traffic on port 25 is just a matter of suppressing the symptoms. Instead they should IMHO be concentrating on finding the host that is sending traffic on port 25 and, when it is not allowed, block outgoing traffic for that host, have the responsible person (the customer) clean that machine, and open up the port again.
To save them work they just prevent all traffic on port 25 for all users, so they do not need to investigate, but the customer might still have an infected system. For your local network the same analogy might apply, with you in the role of ISP and the clients in the role of the customers.

I would not advise you to do so; instead, invest in a proper AV suite, regularly update virus definitions and scan all systems. I think your network benefits more from keeping systems clean than from suppressing the symptoms of compromised systems.

IIRC SME Server (at least future versions as of SME Server 8) will not allow sending mail to external addresses when the user does not authenticate to the server, this will limit the amount of outgoing messages (when a system is compromised) by a mailbot as they normally do not authenticate, but use the public service.

Offline CharlieBrady

Re: Is my server being used as a spam relay?
« Reply #13 on: October 18, 2010, 01:56:13 PM »
If ISPs are starting to block email on port 25, should I do the same on my SME server, leaving smtps open on port 465? Or will this block too much email?

Yes, blocking inbound port 25 will block all incoming mail.

[Please do not hijack an old thread for a new question.]

Offline mmccarn

Re: Is my server being used as a spam relay?
« Reply #14 on: October 18, 2010, 05:48:49 PM »
My ISP is Verizon.

Verizon blocks all outbound traffic on port 25 that is not sent through their servers.

They relay all *outbound* email through a 3rd party spam filter service.

They refuse to tell me who the 3rd party contractor is.

[conspiracy theory]
My ISP is probably getting money in exchange for letting someone read all of my email.
[/conspiracy theory]