Questions about exploited SMTP relay

  • Questions about exploited SMTP relay

    Hello,

    I'm using SmarterMail on Windows Server 2008.

    I changed the SMTP relay from "Nobody" to "Only local users" and in the last 2 days I had a large number of outgoing spam messages sent from my server (close to 6.000).

    This has happened in the past, and setting SMTP relay back to "Nobody" has fixed the issue.

    However, this means that I have to use SMTP authentication for every single website from which I want to send emails.

    I have the following questions:

    1. If relay is set to "Only local users", how is it possible to send emails from domains which are not on my server?
    2. If I use "Nobody" for SMTP relay, is it safe to lower the number of seconds for SMTP authentication? The default is 120 seconds, which is way too long.
    3. Any ideas on how these emails are sent? The SMTP relay was still "only local users" and emails were sent from other domains as well (e.g. @refund.co.uk which is a spam domain I think).
    4. Can you please point me to some decent source where I can learn more about this?

    Thank you!

  • #2
    Re: Questions about exploited SMTP relay

    1. It's possible as this determines who internally can use this as a relay, so assuming you have configured it to also relay externally, this means internal and external relaying is permitted but for internal users.

    2. I don't know the product but you would generally restrict via IPs that are permitted to relay through this as well.

    3. Are you allowing incoming mail? The fact that it stops when setting it to nobody, and assuming you still receive external mail, suggests that it could then be an internal server that has been compromised that is sending mail out.

    4. There are various attacks it could be. Look up keywords such as SPF, DomainKeys, MX, use MXToolbox.com, SMTP tests using this, NDR attack; https://testconnectivity.microsoft.com/

    You could also look at setting the mail relay to Only local users and temporarily blocking incoming mail to see if the spam appears, which also helps pinpoint the issue. You could go further and see if there are logs you can enable on the SMTP connector to see if there is a common IP address that is relaying mail, or use Wireshark and/or NETSTAT from a CMD prompt.

    • #3
      Re: Questions about exploited SMTP relay

      Thanks for the message and resources.

      Question regarding #1: basically I should also prevent emails from external domains to be sent, correct?

      • #4
        Re: Questions about exploited SMTP relay

        Originally posted by batric
        Thanks for the message and resources.

        Question regarding #1: basically I should also prevent emails from external domains to be sent, correct?
        Absolutely, you should never allow your server to send emails for domains you don't own.

        • #5
          Re: Questions about exploited SMTP relay

          Originally posted by tehcamel
          Absolutely, you should never allow your server to send emails for domains you don't own.
          Thanks!

          On another note - after inspecting the logs, I found the way they were connecting - one of the email addresses had a "[email protected]" with password of "123456".

          Spammers were randomly trying to check common email names on every domain on the server: info, contact, admin, test, support, etc.

          They succeeded on 2 email addresses, and this enabled them to send email.

          I configured "DDOS" protection (this is what the feature is called in SmarterMail) for SMTP, POP and IMAP, and changed the passwords in question of course.

          These days there were as many as 17k blocked connections on POP and IMAP.

          This seems to be working now - will keep this thread posted if I discover something more.

          • #6
            Re: Questions about exploited SMTP relay

            Does the mail server include an 'allow/deny' list for SMTP connections? If no one should be sending mail from outside your organisation you should deny all IP addresses, then set up an allow range just for your local network and another for the public IP address(es) of any other locations you do business from.

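As an added example (not code from this thread or from SmarterMail), the kind of log triage #2 suggests, applied to the pattern #5 found and the allow-list idea in #6: it assumes a simplified, constructed log line format (timestamp, client IP, AUTH result, mailbox) rather than SmarterMail's real one, and an assumed local network of 192.168.1.0/24. It flags sources that repeatedly fail logins against generic mailbox names across several domains, lists the accounts such a source then succeeded on (the passwords to reset), and notes whether the source sits outside the allowed range.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed, simplified log format; not SmarterMail's format.
SAMPLE_LOG = """\
2012-03-01 02:14:07 203.0.113.45 AUTH FAIL info@example-a.test
2012-03-01 02:14:08 203.0.113.45 AUTH FAIL admin@example-a.test
2012-03-01 02:14:09 203.0.113.45 AUTH FAIL test@example-a.test
2012-03-01 02:14:10 203.0.113.45 AUTH FAIL info@example-b.test
2012-03-01 02:14:11 203.0.113.45 AUTH FAIL contact@example-b.test
2012-03-01 02:14:12 203.0.113.45 AUTH OK support@example-b.test
2012-03-01 02:15:00 192.168.1.20 AUTH OK alice@example-a.test
2012-03-01 02:16:30 198.51.100.9 AUTH FAIL support@example-a.test
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) AUTH (OK|FAIL) (\S+)$")
COMMON_NAMES = {"info", "contact", "admin", "test", "support", "sales", "webmaster"}
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed local LAN (hypothetical)
FAIL_THRESHOLD = 3  # failed AUTH attempts from one IP before it counts as guessing

def parse_log(text):
    """Return (timestamp, ip, success, mailbox) tuples for lines matching the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, result, mailbox = m.groups()
            events.append((ts, ip, result == "OK", mailbox))
    return events

def analyse(text):
    """Per source IP: is it guessing generic names, which accounts it then got into, is it outside the allow list."""
    stats = defaultdict(lambda: {"fails": 0, "names": set(), "domains": set(), "ok": []})
    for _ts, ip, ok, mailbox in parse_log(text):
        local, _, domain = mailbox.partition("@")
        s = stats[ip]
        if ok:
            s["ok"].append(mailbox)
        else:
            s["fails"] += 1
            s["names"].add(local)
            s["domains"].add(domain)
    findings = {}
    for ip, s in stats.items():
        addr = ipaddress.ip_address(ip)
        outside = not any(addr in net for net in ALLOWED_NETS)
        # Guessing: enough failures, on generic local parts, spread over more than one hosted domain.
        guessing = (s["fails"] >= FAIL_THRESHOLD and len(s["names"] & COMMON_NAMES) >= 2
                    and len(s["domains"]) > 1)
        findings[ip] = {"guessing": guessing, "outside_allow_list": outside,
                        "compromised": sorted(s["ok"]) if guessing else []}
    return findings
```

Accounts listed under "compromised" are the ones a guessing source logged into successfully, which is exactly the evidence #5 found in the logs; a source marked outside the allow list with successful logins is what #6's deny-all-then-allow-ranges setting would have blocked.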