Open Relay Exploit

Postby keysfunding » Tue Oct 16, 2007 1:09 pm

I have been using Ability Mail Server v2.58 for about a year now and I am constantly battling spammers.

If I enable the relay ability through the smtp tab, spammers bounce spam off of my server and put my domain in the return address. Unfortunately, I only notice it when I receive thousands of "bounced" mail notices from bad e-mail addresses in the spammer databases. When I shut down relay ability, I no longer can receive e-mail.

I even have smtp authentication activated and they still are able to relay off me without a password.

Recently, I have been having a further issue where I am receiving spam sent from a registered account to a registered account (see header below):

------------------------%<-------------------------%<---------------------------------------------
Received: from noname-32121848 ([87.205.191.32]) by keysfunding.com
with SMTP (Code-Crafters Ability Mail Server 2.58)
for <paulc@keysfunding.com>;
Tue, 16 Oct 2007 07:25:00 -0400
Received: from Merle Barry (10.15.12.15) by noname-32121848 (PowerMTA(TM) v3.2r4) id hfp33o46d45j79 for <paulc@keysfunding.com>; Tue, 16 Oct 2007 01:24:58 +0100
Message-Id: <20071016022458.8752.qmail@noname-32121848>
To: <paulc@keysfunding.com>
Subject: <imposter> October 75% OFF
From: VIAGRA ® Official Site <paulc@keysfunding.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
------------------------%<-------------------------%<---------------------------------------------

Standard spam that we've all seen before but the incredible part is that every user on my mail server (even those that are never used or that I just use as internal e-mail accounts) receives the message! Are the spammers able to hack through and see my user list?

Anyone have any advice on how to stop all of this?
keysfunding
 
Posts: 3
Joined: Tue Oct 16, 2007 12:54 pm
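To see what the quoted header actually says, here is an added example (written for this thread, not code from Ability Mail Server or from the poster) that walks the Received chain and classifies the message from keysfunding.com's point of view. The sample is constructed from the headers above: folding whitespace on the Received continuation lines is restored, the body is replaced by a placeholder and the registered-mark symbol in the From name is dropped. The authenticated-submission test uses the RFC 3848 "with ESMTPA"/"ESMTPSA" keywords; AMS's own Received format beyond what is quoted is an assumption.

```python
"""Trace the Received chain of a suspect message and say whether the local
server relayed it or merely accepted a forgery addressed to a local user.

Added example written for this thread; it is not Ability Mail Server code.
SAMPLE is constructed from the headers quoted in the post.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """\
Received: from noname-32121848 ([87.205.191.32]) by keysfunding.com
 with SMTP (Code-Crafters Ability Mail Server 2.58)
 for <paulc@keysfunding.com>;
 Tue, 16 Oct 2007 07:25:00 -0400
Received: from Merle Barry (10.15.12.15) by noname-32121848 (PowerMTA(TM) v3.2r4) id hfp33o46d45j79 for <paulc@keysfunding.com>; Tue, 16 Oct 2007 01:24:58 +0100
Message-Id: <20071016022458.8752.qmail@noname-32121848>
To: <paulc@keysfunding.com>
Subject: <imposter> October 75% OFF
From: VIAGRA Official Site <paulc@keysfunding.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

(body omitted)
"""

# Matches "from <helo> (<ip>) by <host>" and "from <helo> ([<ip>]) by <host>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>.+?)\s+[(\[].*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bby\s+(?P<by>\S+)"
)


def parse_received(value):
    """Return helo/ip/by/authenticated for one Received header, or None."""
    flat = " ".join(value.split())            # undo header folding
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    # RFC 3848: "with ESMTPA" / "ESMTPSA" record an authenticated submission;
    # plain "with SMTP" or "ESMTP" means the client never authenticated.
    with_m = re.search(r"\bwith\s+(\S+)", flat)
    proto = with_m.group(1).upper() if with_m else ""
    return {"helo": m["helo"], "ip": m["ip"], "by": m["by"],
            "authenticated": proto.endswith("A")}


def analyze(raw, local_domain):
    """Classify the message from the point of view of local_domain."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    # The hop stamped "by" our own host is where the message entered our server.
    entry = next((h for h in hops if h["by"].lower().endswith(local_domain)), None)
    r = {
        "hops": len(hops),
        "entry_ip": entry["ip"] if entry else None,
        "entry_external": bool(entry) and ipaddress.ip_address(entry["ip"]).is_global,
        "entry_authenticated": bool(entry) and entry["authenticated"],
        "sender_claims_local": sender == local_domain,
        "recipient_local": rcpt == local_domain,
        # An RFC 1918 address in an earlier hop belongs to the sender's own
        # network; everything before our server is outside our control and
        # can be fabricated.
        "upstream_private": any(ipaddress.ip_address(h["ip"]).is_private
                                for h in hops if h is not entry),
    }
    if (r["recipient_local"] and r["sender_claims_local"]
            and r["entry_external"] and not r["entry_authenticated"]):
        r["verdict"] = ("inbound forgery: an external host delivered mail claiming "
                        "a local sender; nothing was relayed")
    elif not r["recipient_local"] and not r["entry_authenticated"]:
        r["verdict"] = "open relay: unauthenticated mail to a foreign domain went through us"
    else:
        r["verdict"] = "ordinary delivery"
    return r


if __name__ == "__main__":
    for k, v in analyze(SAMPLE, "keysfunding.com").items():
        print(f"{k}: {v}")
```

For the quoted message the entry hop is the unauthenticated external host 87.205.191.32, the recipient is local and the From merely claims the local domain, so this is ordinary inbound spam with a forged sender rather than a relay through the server. Delivering a copy to every mailbox needs no knowledge of the user list: the spammer only needs a list of addresses, which the later replies discuss.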

Re: Open Relay Exploit

Postby Pugglewuggle » Wed Oct 17, 2007 7:10 am

You know, I've noticed the same thing in the past on our AMS server too.

What I did to stop it (the spammers using your domain) was add an SPF record to the DNS manager for all of my domains. This (for the most part) stopped the messages from my domain.

However, you are correct, AMS does allow spammers to bounce off the server even with open relay disabled and authentication required. This should be addressed by the programmers.

Another possibility is that your server may be compromised. After I bought a new Cisco ASA firewall and a new server and locked the server down inside the DMZ, I've had NO spam whatsoever bounced off my domains.

Good Luck!
JB
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: Open Relay Exploit

Postby rob » Wed Oct 17, 2007 12:11 pm

Battling with SPAM is an unfortunate task we all have to handle at the moment. However, with the problem of messages bouncing off your server and then receiving failure notifications, this is often due to the fact that SPAM-ers are faking users on your server and so the failure notices are returning back to you. I would recommend following Pugglewuggle's suggestion and adding SPF records to your domain as this does help reduce the SPAM threat that involves your own domain.

As to mails still being passed through your system even though your SMTP is secure, these could potentially be coming from users who have had their details obtained (or even specifically 'made users' if you have auto-signups on WebMail enabled) and now they are being used to abuse your mail server. The only real way to combat this is to ensure that you have some daily limits enabled in the group settings of users (to reduce potential impact from this), but also if you notice a large quantity of mail being sent out, using the logs to track down the source (and disable/delete the offending user).

I do not think your users have been hacked from you too as something like this would generally have been reported before. However, I have made a note and if we notice any other reports we will of course investigate this. In the meantime, potential reasons for this are that you have an LDAP database available, SPAM-ers have brute force discovered many of your users by sending huge numbers of email address attempts at the SMTP (they do try this), collected addresses through normal means have been combined and a single source is sending you SPAM or more seriously, that a virus on your system has compromised security.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: Open Relay Exploit

Postby Pugglewuggle » Thu Oct 18, 2007 3:30 am

Agreed on spam being an uphill battle for most.

On our mail server (before we added the DMZ and switched servers) we had no LDAP enabled and smtp authentication was enabled.

I don't believe that anyone got our users information because at that particular time, AMS was solely for internal use with webmail enabled so employees could check their mail from home. Auto signups was disabled. The bounce problem was insane. I remember seeing times when we'd have 2,000-4,000 mails sent by relay (EVEN THOUGH RELAY WAS DISABLED!!!). When other mail servers bounced these mails back, they'd be from something like "asdojkadj@ourdomain.com". That got really old REALLY fast.

We definitely didn't have a virus. We use ESET NOD32 business edition on our servers and it scans the system drive completely once a day and updates when updates come out (typically 3-4 times a day). All mail messages/etc. (which are stored on a separate RAID array) are scanned when coming/going using AMS virus filtering setup to use NOD32.

A feature you might REALLY consider adding is an optional delay for users created with auto signups so that way an admin at least has some buffer time to react and delete the account if spammers do create accounts. I think this is a feature in Merak, although I still like AMS better.
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: Open Relay Exploit

Postby rob » Fri Oct 19, 2007 10:53 am

If you have suspect mails leaving your system the best approach is to examine the outmail logs / outmail folder and then examine the smtp logs. This will allow you to investigate what the mails are and how they are getting into your system. A common source of excess outbound mails can be failure notices generated within content filtering or by internal mechanisms. Depending on your settings (by default the mail server is set up to avoid this), SPAM can sometimes trigger these and create the illusion that mails are bypassing your SMTP security.

A delay for users would indeed be helpful and I made a note of this for the rest of the team. Of course another option would be to create the accounts in disabled mode, which should be possible with cloning (basically clone a disabled user). This way the admin could examine the new account, then if they approve, enable it.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: Open Relay Exploit

Postby Pugglewuggle » Mon Oct 22, 2007 4:58 am

This is what we've been doing (cloning a disabled account -- btw, when's a fix coming for the missing information from auto signups when cloning?). The reason I mention the delay (or reduced number of allowed sends, for example) for a set period is that for every login less, we are losing possible advertising revenue (not that much, yet) that we would like to keep. So even if this means letting a spammer get in and send maybe 5 emails if that's the limit to a max number of 5 people (again, a temporary limit) then we still get the hits (3 per page load) on our ads and that counts toward paying for our server + more!

Thanks as always for responding so quickly.
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: Open Relay Exploit

Postby rob » Mon Oct 22, 2007 10:30 am

The lost sign-up information will be available in 2.61, which will be due within the next 2-4 weeks.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: Open Relay Exploit

Postby keysfunding » Tue Mar 11, 2008 4:00 pm

rob wrote:Battling with SPAM is an unfortunate task we all have to handle at the moment. However, with the problem of messages bouncing off your server and then receiving failure notifications, this is often due to the fact that SPAM-ers are faking users on your server and so the failure notices are returning back to you. I would recommend following Pugglewuggle's suggestion and adding SPF records to your domain as this does help reduce the SPAM threat that involves your own domain.

As to mails still being passed through your system even though your SMTP is secure, these could potentially be coming from users who have had their details obtained (or even specifically 'made users' if you have auto-signups on WebMail enabled) and now they are being used to abuse your mail server. The only real way to combat this is to ensure that you have some daily limits enabled in the group settings of users (to reduce potential impact from this), but also if you notice a large quantity of mail being sent out, using the logs to track down the source (and disable/delete the offending user).

I do not think your users have been hacked from you too as something like this would generally have been reported before. However, I have made a note and if we notice any other reports we will of course investigate this. In the meantime, potential reasons for this are that you have an LDAP database available, SPAM-ers have brute force discovered many of your users by sending huge numbers of email address attempts at the SMTP (they do try this), collected addresses through normal means have been combined and a single source is sending you SPAM or more seriously, that a virus on your system has compromised security.


In reference to SPF filtering... The problem with that is it's not perfect (not that anything is) but many of the e-mails I get are sent on behalf of the client (for example, information e-mails are sent to me for a bank by a service that processes these bulletins)... Anyway, I lose a lot of e-mail by enabling it (tried it in the past and it doesn't stop all of the outgoing spam either).

A lot of the spam that is coming from my server is from users that do not exist. IE: RaNdOmLeTtErS@keysfunding.com. We do NOT have autosign-ups enabled and we DO have SMTP authentication ENABLED so it really seems to be a hole in the program somewhere. As far as evaluating smtp and outmail logs... I am able to identify the e-mail in those logs but there are almost as many "originating" IPs as there are messages themselves. Going in and individually blacklisting those IPs isn't the answer.

RE: LDAP - We don't use it so that's out.
RE: Virus - This server is just a server, not a workstation, and is virus checked regularly. I have found that viruses are caused by human error usually (ie: reading the wrong e-mail or surfing the wrong site). I can say with 100% certainty (especially since I just scanned the server before finishing this post ;-)) That our mail server is 100% virus free. (Except, of course, for the Microsoft Windows XP virus but most of us have that one).

To me, (and I'm not a programmer) it should be as easy as this: If SMTP authentication is enabled and an incoming e-mail is NOT for a user on the server, it should be discarded. Otherwise, if e-mail is outbound from the server it has to be from a user name listed on the "users" list and must be authenticated.
keysfunding
 
Posts: 3
Joined: Tue Oct 16, 2007 12:54 pm
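The rule keysfunding spells out at the end of that post can be written down as a per-recipient decision, and doing so shows where it has to be applied to stop the bounce flood as well. The following is an added example written for this thread (not AMS code, and not how AMS implements its SMTP tab); the local user list, the client IPs and the sessions are constructed, and the SMTP reply codes are the standard ones from RFC 5321.

```python
"""Relay decision applied at the RCPT TO stage of an SMTP session.

Added example written for this thread, not Ability Mail Server code. It
implements the rule stated in the post above (inbound mail only for
accounts that exist; outbound mail only from an authenticated local
account) and refuses at RCPT time, so the server never accepts a message
it would afterwards have to bounce. LOCAL_USERS and the sessions below
are constructed.
"""
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAINS = {"keysfunding.com"}                              # from the thread
LOCAL_USERS = {"paulc@keysfunding.com", "info@keysfunding.com"}  # constructed


@dataclass
class Session:
    client_ip: str
    auth_user: Optional[str] = None   # set only after a successful AUTH
    mail_from: str = ""               # envelope sender from MAIL FROM


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def decide_rcpt(sess, rcpt):
    """Return (SMTP code, text) for one RCPT TO command."""
    rcpt = rcpt.lower()
    if domain_of(rcpt) in LOCAL_DOMAINS:
        # Inbound. A 550 here leaves the failure with the connecting server;
        # accepting and bouncing later would make us the backscatter source
        # and fill our own queue with undeliverable failure notices.
        return ("250", "OK") if rcpt in LOCAL_USERS else ("550", "5.1.1 no such user")
    # Outbound to a foreign domain: this is relaying and needs an
    # authenticated local account whose envelope sender is its own address.
    if sess.auth_user is None:
        return ("554", "5.7.1 relay access denied")
    if sess.auth_user.lower() not in LOCAL_USERS:
        return ("554", "5.7.1 authenticated user is not a local account")
    if sess.mail_from.lower() != sess.auth_user.lower():
        return ("553", "5.7.1 envelope sender does not match authenticated user")
    return ("250", "OK")


def run_scenarios():
    """Constructed sessions covering the cases discussed in the thread."""
    anon = Session("198.51.100.7")
    paul = Session("203.0.113.9", auth_user="paulc@keysfunding.com",
                   mail_from="paulc@keysfunding.com")
    stolen = Session("192.0.2.44", auth_user="paulc@keysfunding.com",
                     mail_from="RaNdOmLeTtErS@keysfunding.com")
    return {
        "inbound_to_real_user": decide_rcpt(anon, "paulc@keysfunding.com")[0],
        "inbound_to_nonexistent_user": decide_rcpt(anon, "asdojkadj@keysfunding.com")[0],
        "anonymous_relay_attempt": decide_rcpt(anon, "victim@example.net")[0],
        "authenticated_user_outbound": decide_rcpt(paul, "friend@example.net")[0],
        "leaked_login_forged_sender": decide_rcpt(stolen, "victim@example.net")[0],
    }


if __name__ == "__main__":
    for case, code in run_scenarios().items():
        print(f"{case}: {code}")
```

Two things follow from writing it this way. Bounces addressed to made-up local parts such as RaNdOmLeTtErS@keysfunding.com are refused at RCPT, so they never reach a mailbox; and a leaked password still lets the spammer send as that one account, which is why the daily sending limits rob mentions remain necessary on top of the relay rule.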

Re: Open Relay Exploit

Postby rob » Wed Mar 12, 2008 1:39 pm

I am not sure if you have seen my response from your previous thread, but I will copy and paste here...

A common cause of this type of activity is a username and password pair being leaked and abused, and so allowing SPAM sources to sneak past SMTP authentication. What I would recommend doing is examining your smtp and outmail logs and identify some of the SPAM. The next trick is to see how that IP got the mail into the system, and hopefully you will see a pattern forming. The solution is then block that username and password by disabling the user (it may be worth contacting them first because they may not know). I should also note that it's possible for sources to abuse the system by using WebMail. In the meantime a quick fix can be to restrict the number of mails each of your users can send, this way the damage can be greatly reduced.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm
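The pattern rob says to look for in the smtp/outmail logs is easier to spot by grouping on the login that submitted each message rather than on the source IP, which is why keysfunding's "as many IPs as messages" observation is itself the clue: one password used from many addresses. This added example (written for this thread, not AMS code) does that grouping; the log format is constructed, since AMS's real outmail format is not quoted anywhere in the thread, so LINE_RE would need adjusting for actual files.

```python
"""Find the account behind a spam run from outbound (outmail) log lines.

Added example written for this thread, not Ability Mail Server code: the
log format below is constructed. It groups sent mail by the login that
submitted it and flags the patterns described in the thread: a daily
count over the group limit, one login used from many source IPs, and
envelope senders that do not match the login.
"""
import re
from collections import defaultdict

# Constructed sample: two legitimate sends by paulc, then one leaked login
# (sales) abused from six different addresses with made-up sender names.
LOG = """\
2008-03-11 09:12:03 user=paulc@keysfunding.com ip=203.0.113.9 from=paulc@keysfunding.com to=client@example.net
2008-03-11 09:40:51 user=paulc@keysfunding.com ip=203.0.113.9 from=paulc@keysfunding.com to=bank@example.org
2008-03-11 10:02:17 user=sales@keysfunding.com ip=198.51.100.21 from=qzvtbn@keysfunding.com to=a1@example.com
2008-03-11 10:02:19 user=sales@keysfunding.com ip=198.51.100.88 from=rkplwe@keysfunding.com to=a2@example.com
2008-03-11 10:02:20 user=sales@keysfunding.com ip=192.0.2.130 from=mmdaqq@keysfunding.com to=a3@example.com
2008-03-11 10:02:24 user=sales@keysfunding.com ip=192.0.2.7 from=ycbuxo@keysfunding.com to=a4@example.com
2008-03-11 10:02:25 user=sales@keysfunding.com ip=198.51.100.3 from=hgnnte@keysfunding.com to=a5@example.com
2008-03-11 10:02:31 user=sales@keysfunding.com ip=192.0.2.201 from=ploiwz@keysfunding.com to=a6@example.com
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"from=(?P<sender>\S+) to=(?P<rcpt>\S+)$"
)


def parse_log(text):
    """Parse every line that matches the constructed format; skip the rest."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def audit(records, daily_limit=5, ip_threshold=3):
    """Return {login: [reasons]} for logins whose sending looks abusive."""
    stats = defaultdict(lambda: {"per_day": defaultdict(int), "ips": set(), "senders": set()})
    for r in records:
        s = stats[r["user"].lower()]
        s["per_day"][r["day"]] += 1
        s["ips"].add(r["ip"])
        s["senders"].add(r["sender"].lower())
    findings = {}
    for user, s in stats.items():
        reasons = []
        peak = max(s["per_day"].values())
        if peak > daily_limit:
            reasons.append(f"{peak} messages in one day (limit {daily_limit})")
        if len(s["ips"]) >= ip_threshold:
            reasons.append(f"submitted from {len(s['ips'])} distinct IPs")
        foreign = s["senders"] - {user}
        if foreign:
            reasons.append(f"{len(foreign)} envelope senders differ from the login")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit(parse_log(LOG)).items():
        print(user, "->", "; ".join(reasons))
```

The daily limit of 5 is only sized to the eight-line sample; in practice it would match whatever limit is configured in the group settings. Once a login is flagged, disabling that account (and contacting its owner, as rob suggests) stops the run in one step, where blacklisting the individual IPs would not.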

Re: Open Relay Exploit

Postby rburwood » Fri Apr 11, 2008 5:08 pm

Just because the email appears to be sent from your domain, it does not have to be sent from your server. The failure reports you are getting may just be caused by a spammer using your domain. To confirm this check the outmail log files... If this is the case there is no security issue in your setup of AMS as the emails are not being sent from your server. The only thing you can do is to configure an SPF record in your DNS (Not in AMS). This will then allow other email servers to validate emails sent from your domain are actually sent from your email server.
rburwood
 
Posts: 1
Joined: Fri Apr 11, 2008 4:59 pm
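Three posts in this thread touch SPF from different sides: Pugglewuggle and rob recommend publishing a record, rburwood explains that it lives in DNS and is checked by other people's servers, and keysfunding reports losing mail that a service sends on a bank's behalf. This added example (written for this thread, not AMS code and not a complete RFC 7208 implementation) evaluates records the way a receiving server does and reproduces that third-party case. The RECORDS table stands in for DNS TXT lookups and is constructed: only keysfunding.com is from the thread, the other names are .invalid placeholders and the IPs are documentation ranges. Only ip4, ip6, include and all are supported because a, mx and exists need live DNS.

```python
"""Evaluate an SPF record as a receiving server does, and show why a
third-party sender fails when the domain's record does not list it.

Added example written for this thread; RECORDS is a constructed stand-in
for DNS and the mechanisms that need live lookups are not implemented.
"""
import ipaddress

RECORDS = {
    # the thread's domain, published in DNS by its owner (not inside AMS)
    "keysfunding.com": "v=spf1 ip4:203.0.113.25 -all",
    # a bank whose record omits the bulletin service that mails for it
    "examplebank.invalid": "v=spf1 ip4:198.51.100.0/24 -all",
    # the same bank after adding the service with include:
    "examplebank-fixed.invalid": "v=spf1 ip4:198.51.100.0/24 include:bulletins.invalid -all",
    "bulletins.invalid": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=RECORDS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip."""
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:                      # RFC 7208 include-recursion limit
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:                        # v4 address never matches a v6 network
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: matches only when the referenced domain yields "pass"
            matched = check_spf(arg, sender_ip, records, depth + 1) == "pass"
        else:
            return "permerror"          # a/mx/exists/redirect: need DNS here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # record exhausted without a match


def receiver_rejects(result, strict=False):
    """A lenient receiver rejects only hard fails; a strict one also softfails."""
    return result == "fail" or (strict and result == "softfail")


if __name__ == "__main__":
    print(check_spf("keysfunding.com", "203.0.113.25"))          # pass
    print(check_spf("keysfunding.com", "87.205.191.32"))         # fail: forged
    print(check_spf("examplebank.invalid", "192.0.2.10"))        # fail
    print(check_spf("examplebank-fixed.invalid", "192.0.2.10"))  # pass
```

Run against the IP from the header quoted in the first post, keysfunding.com's record fails, which is the result a receiving server would use to refuse the forgery. The bank case fails until the bank (not the receiver) adds the service with include:, so the mail keysfunding loses is a publishing problem on the sender's side; a receiver that rejects only hard fails and lets softfail through limits that loss. Neither outcome says anything about mail leaving the local server, which is why SPF does not reduce outbound spam, as keysfunding observed.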

