Closing an Open Relay

[keysfunding]

I'm sure I'm just clicking something wrong but I have been fighting with AMS for almost a year to battle outgoing SPAM. This is not spam coming from legitimit users on my network and not incoming SPAM (although that sucks, too... but this is different).

Somehow, I have my AMS configured to allow those wonderful human beings who propigate SPAM to make it look like it's coming from my network. It's recorded in the logs as outgoing mail, sometimes I get bounce notifications, sometimes I actully get the spam myself. It usually shows as originating from a non-existing user on my domain. IE: ISJIKLDSJK@[mydomain].com.

I have SMTP enable and SMTP Authentication turned on but somehow, they are getting by the authentication. If I disable SMTP, of course, we no longer receive e-mail (it just bounces back to sender). If I disable outgoing mail, no one can send mail from the network.

Can anyone give me some idea of how to lock this traffic out? I have tweaked every setting I can think of and still it continues. The only things that have stopped it have also made the server unuseable to me.

[rob]

A common cause of this type of activity is a username and password pair being leaked and abused, and so allowing SPAM sources to sneak past SMTP authentication. What I would recommend doing is examining your smtp and outmail log's and identify some of the SPAM. The next trick is see how that IP, got the mail into hte system, and hopefully you will see a pattern forming. The solution is then block that username and password by disabling the user (it may be worth contacting them first because they may not know). I should also note that its possible for sources to abuse the system by using WebMail. In the meantime a quick fix can be to restrcit the number of mails each of your users can send, this way the damage can be greatly reduced.

[ausmonty]

I am seeing this on, my server as well, the issue may or may not be a valid users details being abused. I would see the simply solution to this is that if a server sends an email from a supposed user of my domain, then AMS should check to see if that user exists. At this time I see emails being from d@mydomain.com, there is no d user in my domain. I would think it should be a simply check of the user list to see if the user exists before allowing the message in.

[rob]

There is already a facility which can allow this called "User Sender Domain Check" which is part of the SPAM system. Basically by checking this, any incoming mail's SMTP can be checked to ensure that if a local domain is used, the user also exists.

[ausmonty]

Cool, that seems like its fixed my problem.. Thanks

[cearnshaw]

If an IP is white listed in either the spam or in the smtp safe IPs does this override the User Sender Domain Check?

Thanks,


Cameron

[rob]

That is indeed correct, the SPAM white list avoids all SPAM filters. The SMTP relaying safe IP's effectively gives a certain IP relaying access, which by default any connection which is permitted realying access avoids the SPAM filters (basically for outbound mail to pass through untouched).