
RE: [cobalt-security] spoofed spam slipping through pop before relay?



Hello,

The situation could be that your client, having a DSL connection
with a static IP address, has:

An Exchange Server for email that relays outgoing email 
to the Internet through your SMTP service, as their domain is
hosted on your server.

-What is happening-

Their Mail Exchanger, or whatever mail server they have, has an open 
relay SMTP.  If that is the case, then a spammer will only need
their static IP and use it as an SMTP gateway, and therefore your 
server is accepting these messages, as your client's server, I think, 
is doing POP before SMTP (i.e. checking email before sending any
outgoing message).

-Solution-

There is no solution for this from your side other than blocking 
your client or individual emails.  Your client has to apply 
POP before SMTP or SMTP access limitation to his mail server.

In your message you masked the DSL IP of your client, but 
anyway, just to verify, you can test their IP address for
open relay using telnet or from this website: 
http://www.abuse.net/relay.html .

Regards,
Al-Juhani
aljuhani@xxxxxxxxxxx

==Original Message==

David Black cobalt-security@xxxxxxxxxxxxxxx 
Tue, 25 Feb 2003 18:38:38 -0600 

I think someone is relaying spam through our servers, by spoofing
their originating IP, so the spam appears to come from one of my
legitimate hosting customers' home IP addresses.

I've noticed a repeating pattern of short bursts, similar to the events
listed below... which seem to last from 2 - 5 minutes each. Since my
up-to-date RaQ4 includes pop-before-relay (with a 5 minute window),
I'm wondering if the spoofer is randomly catching my customer's
relay window, then exploiting it, by spoofing my customer's IP. (?)

I'd be very grateful if anyone with relevant expertise or experience
would share some information with me (and the rest of the list).
Thank you all very much, for your valuable time and knowledge.
I'd be lost without you :·)

Sincerely,
--
David Black
Houston, TX

suspicious maillog events follow...

Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401:
from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]


 ('size=0' repeats 77 times between 14:03:11 and 14:04:09)


Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874:
from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]

Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876:
from=<>, size=2649, class=0, nrcpts=1,
msgid=<200302251503.HTW7030@xxxxxxxxxxx>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]

Feb 25 14:04:14 www sendmail[18879]: h1PK4Eb18879:
from=<>, size=2571, class=0, nrcpts=1,
msgid=<200302251503.XQZ4704@xxxxxxxxxxx>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]

Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882:
from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA,
relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]

Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883:
from=<>, size=2901, class=0, nrcpts=1,
msgid=<200302251503.VWE11193@xxxxxxxxxxx>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]


 (119 lines - snipped - similar pattern: 1 or 2 'size=0', then 1 or 2
successful relays)


Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525:
from=<>, size=2842, class=0, nrcpts=1,
msgid=<200302251503.QRH781@xxxxxxxxxxx>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]


 (108 more successful relays - snipped - )


Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347:
from=<>, size=2790, class=0, nrcpts=1,
msgid=<200302251503.RVA7016@xxxxxxxxxxxx>,
proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]

(this (above) was the last related event, for several hours)