Applying "Does Not Exist Locally" to Outgoing only.

Postby Marc » Sun Feb 13, 2011 11:09 pm

Hi,

I have had a couple of instances that I know of where a spammer is able to send mail from Ability from a hotmail.com address to other external addresses. I can't figure out from the logs how they have done it. I can upload some logs later or in a separate thread.

Looking at the content filtering I notice the option "Does Not Exist Locally". Could I apply this to outgoing email only, so essentially only email will leave my server with from addresses matching users in Ability?
I found this thread viewtopic.php?f=6&t=2111&p=3334&hilit=+Does+Not+Exist+Locally+#p3334 , but I couldn't quite discern the bit I need.

Thanks Marc
Marc
 
Posts: 25
Joined: Tue Sep 18, 2007 9:57 pm

Re: Applying "Does Not Exist Locally" to Outgoing only.

Postby Code Crafters » Mon Feb 14, 2011 7:33 am

To specify outgoing mail you need to use the condition set to "All Recipients Do NOT Exist Locally" as with the preset content filter rule "Send Copy of All Outgoing Mail To". However, this more specifies that there are no local recipients and all are external and therefore the mail will need to be relayed to be delivered.

To specify that the sender exists locally, you can use "Sender Exists Locally" from the same condition. However, this merely shows that the mail appears to come from a local sender which can be spoofed.

The point is that content filtering isn't used to stop unauthorised relaying at all. SMTP Authentication being enabled (SMTP Relaying Access settings) will ensure that only users with a valid username / password can relay mail to external email addresses. This will obviously only include local accounts for locally hosted email addresses on your AMS.

I can assure you that if SMTP authentication is enabled and no relaying safe IPs are set up on the same page and no POP before SMTP then only local accounts can relay and no hotmail address will be allowed to send to external addresses unless they use a local account's login details and spoof the sender, which would be very unlikely.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Applying "Does Not Exist Locally" to Outgoing only.

Postby Marc » Tue Feb 15, 2011 10:19 am

Thanks Chris. It was more of a belt and braces style approach. I am sure my security in AMS is correct. I think you may have even checked it. This would then point to someone's mailbox being abused, however I can't figure out whose.

Any thoughts?

pauloabrantes@netc.pt was the FROM address in this occasion.



Fri, 04 Feb 2011 13:35:11 -> Success: Action=[MX Lookup], Details=[DNS=Using automatically detected DNS's, Domain=hotmail.com: Found 4 records]
Fri, 04 Feb 2011 13:35:12 -> Success: Action=[SMTP Transfer], Details=[Domain=hotmail.com, Host=mx3.hotmail.com:25, IP=65.55.37.104: Connection accepted.]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 220 col0-mc3-f37.Col0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.msn.com/Anti-spam/. Violations will result in use of equipment located in California and other states. Fri, 4 Feb 2011 05:35:12 -0800 ]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=65.55.37.104: EHLO smtp.tingleweb.co.uk]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 250-col0-mc3-f37.Col0.hotmail.com (3.12.0.54) Hello [92.52.88.197]]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 250-SIZE 36909875]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 250-PIPELINING]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 250-8bitmime]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 250-BINARYMIME]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 250-CHUNKING]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 250-AUTH LOGIN]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 250-AUTH=LOGIN]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 250 OK]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=65.55.37.104: MAIL FROM:<pauloabrantes@netc.pt>]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 250 pauloabrantes@netc.pt....Sender OK]
Fri, 04 Feb 2011 13:35:12 -> ***DEBUG*** -> Success: Action=[Send Command], Details=[IP=65.55.37.104: RCPT TO:<010178@hotmail.com>]
Fri, 04 Feb 2011 13:35:13 -> ***DEBUG*** -> Success: Action=[Recv Response], Details=[IP=65.55.37.104: 550 Requested action not taken: mailbox unavailable]
Fri, 04 Feb 2011 13:35:13 -> Failed: Action=[SMTP Transfer], Details=[Domain=hotmail.com, Host=mx3.hotmail.com:25, IP=65.55.37.104: Recipient Rejected: 010178@hotmail.com (550 Requested action not taken: mailbox unavailable)]
Marc
 
Posts: 25
Joined: Tue Sep 18, 2007 9:57 pm

Re: Applying "Does Not Exist Locally" to Outgoing only.

Postby Code Crafters » Wed Feb 16, 2011 7:55 am

The general message at the start of the log warning not to SPAM is nothing to worry about. Hotmail don't like receiving mail from ISP assigned IPs and usually you have to create a static route in Outgoing Mail to relay via your ISP for hotmail and other big mail vendors.

In this case though the mail was rejected due to the user not existing, it would seem. It is a bizarre email address 010178@hotmail.com so it could be SPAM. If the FROM address is hosted on your mail server I'd start investigating there.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Applying "Does Not Exist Locally" to Outgoing only.

Postby Marc » Thu Feb 17, 2011 9:13 am

That's the problem. These addresses aren't hosted with us. I had this today:
If this is someone's mailbox being used for this, I can't discern from the logs whose it is.



This is an automated email abuse report from the folks at junkemailfilter.com for an email message received from IP address [92.52.88.197] on Wed, 16 Feb 2011 04:49:53 -0800.

The nature of this spam indicates possible fraud. Pay close attention to both the from address ["WILLIAMS UBA."<officebb123@att.net>] and the reply-to address [].

We hope this information will help you in determining the source of the problem and shut it down. The original message is attached in MIME format with complete headers. For more information about this standardized abuse report format [ARF] please visit http://www.mipassoc.org/arf/ If you would prefer abuse reports in text format let us know.

If you have any questions or feedback about this abuse report or are interested in learning about our spam filtering technology feel free to contact us. If this is not spam please accept our apologies and let us know so we can fix the problem. Pay close attention to the REASON listed.
Marc Perkel - Fearless Leader
Junk Email Filter dot com
http://www.junkemailfilter.com
errors@junkemailfilter.com

* Date: Wed, 16 Feb 2011 04:49:53 -0800
* From: "WILLIAMS UBA."<officebb123@att.net>
* Subject: A business proposal your responds is needed.
* Host: smtp.tingleweb.co.uk [92.52.88.197]
* Reason: Reply-to address but no To or cc address - F="WILLIAMS UBA."<officebb123@att.net> R=<officee@inmail.sk> - X=pascal H=smtp.tingleweb.co.uk [92.52.88.197] HELO=[smtp.tingleweb.co.uk] F=[officebb123@att.net] T=[ejg@grant.org] S=[A business proposa

For more information about these abuse reports: http://wiki.junkemailfilter.com/index.php/Spam_abuse
To test or be removed from our blacklist: http://ipadmin.junkemailfilter.com/remo ... .52.88.197

======== Original Headers ========

Delivery-date: Wed, 16 Feb 2011 04:49:53 -0800
Received: from smtp.tingleweb.co.uk ([92.52.88.197])
by pascal.junkemailfilter.com with esmtp (Exim 4.74)
id 1PpgpK-0008PK-9K on interface=65.49.42.60
for ejg@grant.org; Wed, 16 Feb 2011 04:49:53 -0800
Received: from User ([41.189.10.16]) by smtp.tingleweb.co.uk
with SMTP (Code-Crafters Ability Mail Server 2.70);
Wed, 16 Feb 2011 12:48:22 -0000
Reply-To: <officee@inmail.sk>
From: "WILLIAMS UBA."<officebb123@att.net>
Subject: A business proposal your responds is needed.
Date: Wed, 16 Feb 2011 04:48:20 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Sender-Domain: tingleweb.co.uk
X-Freemail-Reply-to: inmail.sk
X-Spamfilter-host: pascal.junkemailfilter.com - http://www.junkemailfilter.com
X-Mail-from: officebb123@att.net
X-Spam-Class: SPAM-HIGH-VERY - Reply-to address but no To or cc address - F="WILLIAMS UBA."<officebb123@att.net> R=<officee@inmail.sk> - X=pascal H=smtp.tingleweb.co.uk [92.52.88.197] HELO=[smtp.tingleweb.co.uk] F=[officebb123@att.net] T=[ejg@grant.org] S=[A business proposal your responds is needed.]
X-Spamsave: Yes - Reply-to address but no To or cc address - F="WILLIAMS UBA."<officebb123@att.net> R=<officee@inmail.sk> - X=pascal H=smtp.tingleweb.co.uk [92.52.88.197] HELO=[smtp.tingleweb.co.uk] F=[officebb123@att.net] T=[ejg@grant.org] S=[A business proposal your responds is needed.]
X-Sender-Host-Address: 92.52.88.197
X-Sender-Host-Name: smtp.tingleweb.co.uk
X-Original-helo: smtp.tingleweb.co.uk
Marc
 
Posts: 25
Joined: Tue Sep 18, 2007 9:57 pm

Re: Applying "Does Not Exist Locally" to Outgoing only.

Postby Code Crafters » Thu Feb 17, 2011 9:39 am

If you have SMTP authentication enabled and no Relaying safe IPs on the same SMTP Relaying Access settings tab then you shouldn't be an open relay, meaning that only users with valid user accounts can relay mail to external addresses.

1) Please send me your mail server domain to chris@code-crafters.com and I'll check for open relay.
2) Try to trace back from Outgoing Mails the subject, sender etc and match this to SMTP logs and account logs to try and trace the source of the emails. You can block accounts or IPs to help fight this.
3) In the group settings, limit the Max Mails per user sent per day (both options). You can sometimes do this per IP in SMTP too but not if your router makes all mail appear to come from its IP of course.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Applying "Does Not Exist Locally" to Outgoing only.

Postby Marc » Thu Feb 17, 2011 2:26 pm

By matching the IP in the outgoing mail logs with the same IP in the SMTP logs I found an admin mailbox being used with a weak password. Hopefully that's stopped this.

Thanks for picking this up, Chris; our fault, apologies.
Marc
 
Posts: 25
Joined: Tue Sep 18, 2007 9:57 pm
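An added example (not Ability Mail Server code or anything posted in this thread) of the cross-referencing Chris describes in step 2 and Marc carries out above: take the relaying client's IP from the abuse report's Received headers, then look up which local account authenticated from that IP in the SMTP log. The SMTP log lines, the "SMTP Login" action name and the account names are constructed and hypothetical; only the Received headers are taken from the report quoted earlier.

```python
import re
from collections import Counter

OUR_HOST = "smtp.tingleweb.co.uk"  # our relay, as named in the "by" clause of Received headers
# Constructed sample: the two Received headers from the abuse report in this thread, re-folded.
ABUSE_HEADERS = """\
Received: from smtp.tingleweb.co.uk ([92.52.88.197])
\tby pascal.junkemailfilter.com with esmtp (Exim 4.74)
\tfor ejg@grant.org; Wed, 16 Feb 2011 04:49:53 -0800
Received: from User ([41.189.10.16]) by smtp.tingleweb.co.uk
\twith SMTP (Code-Crafters Ability Mail Server 2.70);
\tWed, 16 Feb 2011 12:48:22 -0000
"""

# Constructed sample SMTP log in the style of the AMS log quoted in the thread; the
# "SMTP Login" action name and the account names are hypothetical, not the real AMS format.
SMTP_LOG = """\
Wed, 16 Feb 2011 12:48:19 -> Success: Action=[SMTP Login], Details=[IP=41.189.10.16, User=admin@example.com: Authenticated]
Wed, 16 Feb 2011 12:50:01 -> Success: Action=[SMTP Login], Details=[IP=192.0.2.10, User=marc@example.com: Authenticated]
Wed, 16 Feb 2011 12:51:44 -> Success: Action=[SMTP Login], Details=[IP=41.189.10.16, User=admin@example.com: Authenticated]
""".splitlines()

RECEIVED_RE = re.compile(r"^Received: from \S+ \(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\) by (\S+)", re.M)
LOGIN_RE = re.compile(r"Action=\[SMTP Login\], Details=\[IP=([\d.]+), User=([^:\],]+)")


def unfold(headers):
    return re.sub(r"\r?\n[ \t]+", " ", headers)  # rejoin RFC 5322 folded continuation lines


def relay_client_ip(headers, our_host=OUR_HOST):
    """IP that handed the message to our server: the 'from' side of the topmost Received header
    whose 'by' clause is our host. Hops below it were written by the client and may be forged."""
    for m in RECEIVED_RE.finditer(unfold(headers)):
        if m.group(2).lower() == our_host.lower():
            return m.group(1)
    return None


def logins_from_ip(log_lines, ip):
    """Count which local accounts authenticated from the given IP in the SMTP log."""
    hits = Counter()
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m and m.group(1) == ip:
            hits[m.group(2)] += 1
    return hits


def trace_abused_account(headers, log_lines, our_host=OUR_HOST):
    """Abuse-report headers + SMTP log -> (relaying client IP, accounts that logged in from it)."""
    ip = relay_client_ip(headers, our_host)
    return ip, (logins_from_ip(log_lines, ip) if ip else Counter())
```

The account that shows up against the relaying IP is the one to lock and re-password; the Received hop that the client itself wrote ("from User") is not trusted for anything but the IP our server recorded.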

Re: Applying "Does Not Exist Locally" to Outgoing only.

Postby Code Crafters » Fri Feb 18, 2011 8:28 am

You're very welcome. Hopefully, you can stop the SPAM mails now you know how to track them a bit more.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

