For the last few days somehow somebody is using my scalix server as a relay. How is this possible? Am I missing something? Please help.
My SMTP.CONF File has the following line:
RELAY accept 127.0.0.1
RELAY accept XXX.XXX.XXX.XXX
RELAY Log_Reject ALL
One of the mssages has the following:
K1181088968
N9
P847381
I253/1/1921810
MDeferred: Connection refused by peach.k12.ga.us.
Fwds
$_localhost.localdomain [127.0.0.1]
$rESMTP
$smail.net
${daemon_flags}
${if_addr}127.0.0.1
S<service@paypal.com>
Z371.12521181055209.mail.XXX.XXX
MDeferred: Connection refused by peach.k12.ga.us.
rRFC822; spearson@peach.k12.ga.us
RPNFD:<spearson@peach.k12.ga.us>
H?P?Return-Path: <<81>g>
H??Received: from mail.XXX.XXX (localhost.localdomain [127.0.0.1])
by mail.mmc.net (8.13.1/8.13.1) with ESMTP id l55F5MXE024399
for <spearson@peach.k12.ga.us>; Tue, 5 Jun 2007 11:05:22 -0400
H??Received: from User (154-82.8-67.tampabay.res.rr.com [67.8.82.154])
by mail.XXX.XXX (Scalix SMTP Relay 11.0.4.10790)
via ESMTP; Tue, 05 Jun 2007 10:53:29 -0400 (EDT)
H??Date: Tue, 5 Jun 2007 10:58:51 -0400
H??From: "service@paypal.com"<service@paypal.com>
H??Reply-To: <do.not.reply@paypal.com>
H??Message-ID: <371.12521181055209.mail.mmc.net@MHS>
H??Subject: Your PayPal billing information records are out of date.
H??Priority: Urgent
H??X-MSMail-Priority: High
H??X-Priority: 1
H??x-scalix-Hops: 1
H??X-Mailer: Microsoft Outlook Express 6.00.2600.0000
H??X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
H??MIME-Version: 1.0
H??Content-Type: text/html;
charset="Windows-1251"
H??Content-Disposition: inline
Help: SMTP relay question -- I am getting spammed
Moderators: ScalixSupport, admin
-
audiotron2002
- Posts: 87
- Joined: Tue Nov 22, 2005 12:41 pm
Help: SMTP relay question -- I am getting spammed
Last edited by audiotron2002 on Fri Feb 01, 2008 11:13 pm, edited 1 time in total.
-
jaime.pinto
- Scalix Star
- Posts: 709
- Joined: Fri Feb 23, 2007 6:50 pm
- Location: Toronto - Canada
This doesn't look like open relay. This is just plain spam.
Two things about open relays:
1) you would not get the email itself (very unlikely)
2) your mail server would've been black-listed everywhere within 3 hours, not days. In another words, nobody would be able to send emails from your server anymore by now. They all would bounce.
You can check for open relays here:
http://spamlinks.net/prevent-secure-relay-test.htm#web
Do you have clamsv or spamassassin installed?
Jaime
Two things about open relays:
1) you would not get the email itself (very unlikely)
2) your mail server would've been black-listed everywhere within 3 hours, not days. In another words, nobody would be able to send emails from your server anymore by now. They all would bounce.
You can check for open relays here:
http://spamlinks.net/prevent-secure-relay-test.htm#web
Do you have clamsv or spamassassin installed?
Jaime
-
audiotron2002
- Posts: 87
- Joined: Tue Nov 22, 2005 12:41 pm
Right. I checked and abuse.net says no open relays (thankfully).
But why do I have 1000 messages in the queue appearing to come from service@paypal.com to random email addresses and when I looked at one of the headers (posted above), it appears that it is being sent via my mailserver?
I also looked at the contents of the message and it is a phishing email. So there are 1000 phishing emails sitting in my queue being sent via my scalix mailserver.
could a user be doing this (I only have 10 users).
Does omshowlog show the SMTPD connections?
This just started about 4 days ago.
But why do I have 1000 messages in the queue appearing to come from service@paypal.com to random email addresses and when I looked at one of the headers (posted above), it appears that it is being sent via my mailserver?
I also looked at the contents of the message and it is a phishing email. So there are 1000 phishing emails sitting in my queue being sent via my scalix mailserver.
could a user be doing this (I only have 10 users).
Does omshowlog show the SMTPD connections?
This just started about 4 days ago.
-
jaime.pinto
- Scalix Star
- Posts: 709
- Joined: Fri Feb 23, 2007 6:50 pm
- Location: Toronto - Canada
appearing to come from service@paypal.com to random email addresses ...
That's exactly what spam is. The emails are not so random. They are all to supposedly recipients at your domain. You just suffered typical a spam attach.
The emails on your queue are an attempt from your mail server to notify the "senders" that those users don't exist at your domain. This is a futile exercise, and should be avoided. I've seen a couple of blackhole techniques described on this forum. For now you may just delete them all by hand.
BTW: repeating my previous question: Do you have clamsv or spamassassin installed?
Jaime
-
audiotron2002
- Posts: 87
- Joined: Tue Nov 22, 2005 12:41 pm
I have sophos, clam , spamassassin and mailscanner installed on my inbound mailserver (different server). that server automatically forwards cleaned emails to scalix. This way my scalix server is clean and when i upgrade, i do not have to worry about any third party products. The mx record for my dns points only to my front end mailserver. Scalix does send outbound w/o any checks. I dont really care about outbound checks since i run a closed system
maybe i should make scalix only accept incoming mail from my frontend mailserver. I never set that up. would I do that through smtpd.conf or sendmail.mc? I get confused with scalix and relaying.
Could I set scalix to receive email only from one server?
Your comment makes sense. I just never saw this before.
Thanks!
maybe i should make scalix only accept incoming mail from my frontend mailserver. I never set that up. would I do that through smtpd.conf or sendmail.mc? I get confused with scalix and relaying.
Could I set scalix to receive email only from one server?
Your comment makes sense. I just never saw this before.
Thanks!
Who is online
Users browsing this forum: No registered users and 0 guests