  1. #1 New Lounger (joined Feb 2015)

    Questions about exploited SMTP relay

    Hello,

    I'm using SmarterMail on Windows Server 2008.

    I changed the SMTP relay from "Nobody" to "Only local users" and in the last 2 days I had a large number of outgoing spam messages sent from my server (close to 6,000).

    This has happened in the past, and setting SMTP relay back to "Nobody" has fixed the issue.

    However, this means that I have to use SMTP authentication for every single website from which I want to send emails.

    I have the following questions:

    1. If relay is set to "Only local users", how is it possible to send emails from domains which are not on my server?
    2. If I use "Nobody" for SMTP relay, is it safe to lower the number of seconds for SMTP authentication? The default is 120 seconds, which is way too long.
    3. Any ideas on how these emails are sent? The SMTP relay was still "only local users" and emails were sent from other domains as well (e.g. @refund.co.uk which is a spam domain I think).
    4. Can you please point me to some decent source where I can learn more about this?

    Thank you!

  2. #2 New Lounger (joined Feb 2015)
    After inspecting the logs, I found the way they were connecting - one of the email addresses was "test@domain.com" with a password of "123456".

    Spammers were randomly trying to check common email names on every domain on the server: info, contact, admin, test, support, etc.

    They succeeded on 2 email addresses, and this enabled them to send email.

    I configured "DDOS" protection (that is what the feature is called in SmarterMail) for SMTP, POP and IMAP, and of course changed the passwords in question.

    These days there were as many as 17k blocked connections on POP and IMAP.

    This seems to be working now - will keep this thread posted if I discover something more.

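The pattern described in post #2 (one client walking through common mailbox names such as info, admin, test and support on every domain until one weak password works) is easy to spot in authentication logs once you count failures per source address and per username. The following is an added example, not code from the thread or from SmarterMail: it runs a sliding-window counter over a few constructed AUTH log lines (the line format, the IP addresses, the mailbox names and the threshold are all assumptions for illustration, not SmarterMail's real log format) and reports which client IPs would be blocked and which accounts were successfully guessed after the threshold was reached.

```python
"""
Added example, not part of the original thread and not SmarterMail code.
Detects SMTP AUTH credential guessing (many failures from one IP across
many usernames) and flags accounts that were guessed after the threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format assumed for this example:
#   <ISO timestamp> <client-ip> AUTH <username> <OK|FAIL>
# 203.0.113.7 sprays common mailbox names and finally guesses test@example.com;
# 198.51.100.9 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2015-02-10T03:12:01 203.0.113.7 AUTH info@example.com FAIL
2015-02-10T03:12:02 203.0.113.7 AUTH admin@example.com FAIL
2015-02-10T03:12:03 203.0.113.7 AUTH contact@example.com FAIL
2015-02-10T03:12:04 203.0.113.7 AUTH support@example.com FAIL
2015-02-10T03:12:05 203.0.113.7 AUTH test@example.com FAIL
2015-02-10T03:12:06 203.0.113.7 AUTH test@example.com OK
2015-02-10T03:12:07 203.0.113.7 AUTH info@example.org FAIL
2015-02-10T03:15:30 198.51.100.9 AUTH alice@example.com FAIL
2015-02-10T03:15:41 198.51.100.9 AUTH alice@example.com OK
"""

FAIL_THRESHOLD = 5              # assumed: failures per IP inside WINDOW before blocking
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, result)."""
    ts, ip, _verb, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def analyze(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (blocked_ips, compromised_users).

    blocked_ips: {ip: distinct usernames tried by the time it hit `threshold`
                  failures within `window`}. A high distinct-user count is the
                  username-spray signature from the thread, not a single-user
                  brute force.
    compromised_users: accounts that authenticated successfully from an IP
                  that had already crossed the threshold, i.e. the password
                  was guessed and the mailbox can now be used to relay spam.
    """
    fails = defaultdict(list)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)    # ip -> usernames attempted so far
    blocked = {}
    compromised = set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        tried[ip].add(user)

        # Expire failures that fell out of the sliding window.
        fails[ip] = [t for t in fails[ip] if ts - t <= window]

        if result == "FAIL":
            fails[ip].append(ts)
            if len(fails[ip]) >= threshold and ip not in blocked:
                blocked[ip] = len(tried[ip])
        elif result == "OK" and ip in blocked:
            # A success from an already-flagged source: treat the account as
            # compromised, reset its password and audit its outbound mail.
            compromised.add(user)

    return blocked, compromised


if __name__ == "__main__":
    blocked, compromised = analyze(SAMPLE_LOG)
    for ip, users in blocked.items():
        print(f"block {ip}: {users} distinct usernames tried within the window")
    for user in sorted(compromised):
        print(f"reset password and review outbound mail for {user}")
```

On the sample input the spraying client is blocked after its fifth failure, and the later successful login for test@example.com from that same address is reported as a compromised account; the legitimate user with a single typo is left alone. In practice the per-IP block is only half the story: weak passwords on generic mailboxes such as test@, info@ and admin@ should be found and rotated before the attacker reaches them, and a lockout with a short window will not stop a slow, distributed spray.
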
  3. #3 WS Lounge VIP (joined Dec 2009)
    The real issue is you allow external connections to your email without proper authentication. This was compounded by turning on anonymous relay - something you should never do.

    All external connections to your server should be via a secure gateway, or require TLS with user identification via user certificates.

    cheers, Paul
