Closing an Open Relay

Closing an Open Relay

Postby keysfunding » Fri Mar 07, 2008 9:57 pm

I'm sure I'm just clicking something wrong but I have been fighting with AMS for almost a year to battle outgoing SPAM. This is not spam coming from legitimit users on my network and not incoming SPAM (although that sucks, too... but this is different).

Somehow, I have my AMS configured to allow those wonderful human beings who propigate SPAM to make it look like it's coming from my network. It's recorded in the logs as outgoing mail, sometimes I get bounce notifications, sometimes I actully get the spam myself. It usually shows as originating from a non-existing user on my domain. IE: ISJIKLDSJK@[mydomain].com.

I have SMTP enable and SMTP Authentication turned on but somehow, they are getting by the authentication. If I disable SMTP, of course, we no longer receive e-mail (it just bounces back to sender). If I disable outgoing mail, no one can send mail from the network.

Can anyone give me some idea of how to lock this traffic out? I have tweaked every setting I can think of and still it continues. The only things that have stopped it have also made the server unuseable to me.
keysfunding
 
Posts: 3
Joined: Tue Oct 16, 2007 12:54 pm

Re: Closing an Open Relay

Postby rob » Mon Mar 10, 2008 10:32 am

A common cause of this type of activity is a username and password pair being leaked and abused, and so allowing SPAM sources to sneak past SMTP authentication. What I would recommend doing is examining your smtp and outmail log's and identify some of the SPAM. The next trick is see how that IP, got the mail into hte system, and hopefully you will see a pattern forming. The solution is then block that username and password by disabling the user (it may be worth contacting them first because they may not know). I should also note that its possible for sources to abuse the system by using WebMail. In the meantime a quick fix can be to restrcit the number of mails each of your users can send, this way the damage can be greatly reduced.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: Closing an Open Relay

Postby ausmonty » Thu Mar 20, 2008 10:57 pm

I am seeing this on, my server as well, the issue may or may not be a valid users details being abused. I would see the simply solution to this is that if a server sends an email from a supposed user of my domain, then AMS should check to see if that user exists. At this time I see emails being from d@mydomain.com, there is no d user in my domain. I would think it should be a simply check of the user list to see if the user exists before allowing the message in.
ausmonty
 
Posts: 3
Joined: Thu Mar 20, 2008 4:57 am

Re: Closing an Open Relay

Postby rob » Fri Mar 21, 2008 11:35 am

There is already a facility which can allow this called "User Sender Domain Check" which is part of the SPAM system. Basically by checking this, any incoming mail's SMTP can be checked to ensure that if a local domain is used, the user also exists.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: Closing an Open Relay

Postby ausmonty » Sat Mar 22, 2008 5:40 am

Cool, that seems like its fixed my problem.. :) Thanks
ausmonty
 
Posts: 3
Joined: Thu Mar 20, 2008 4:57 am

Re: Closing an Open Relay

Postby cearnshaw » Tue Jun 17, 2008 11:06 pm

If an IP is white listed in either the spam or in the smtp safe IPs does this override the User Sender Domain Check?

Thanks,


Cameron
cearnshaw
 
Posts: 41
Joined: Tue Jun 17, 2008 9:19 pm

Re: Closing an Open Relay

Postby rob » Wed Jun 18, 2008 11:38 am

That is indeed correct, the SPAM white list avoids all SPAM filters. The SMTP relaying safe IP's effectively gives a certain IP relaying access, which by default any connection which is permitted realying access avoids the SPAM filters (basically for outbound mail to pass through untouched).
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm


Return to General

Who is online

Users browsing this forum: No registered users and 24 guests

cron