Server sending spam; via relay; how to prevent?

Pezmc (Verified User, joined Mar 1, 2011, 17 messages)
I have LFD on my server that monitors emails sent by relay. I'm currently seeing hundreds of rejection emails from other email services (such as Gmail) saying the message could not be delivered ("return to sender").

Is there anything I can do to prevent someone using my mail server for relay?

Currently I'm just using LFD to block the sender if more than 200 come from that address.

Code:
Subject: lfd on tent.myotherdomain.com: RELAY Alert for 187.23.175.140 (BR/Brazil/bb17af8c.virtua.com.br)
To: [email protected]


Time:  Wed Dec  5 14:25:46 2012 +0000
Type:  RELAY, Remote IP - 187.23.175.140 (BR/Brazil/bb17af8c.virtua.com.br)
Count: 203 emails relayed
Blocked: Temporary Block

Sample of the first 10 emails:
2012-12-05 14:08:44 1TgFeV-0006I1-7b <= [email protected] H=(Smkt) [187.23.175.140] P=esmtp S=339 T="smtp.mydomain.com:25" from <[email protected]> for [email protected]
2012-12-05 14:08:44 1TgFeV-0006I2-Kn <= [email protected] H=(Smkt) [187.23.175.140] P=esmtp S=343 T="mail.mydomain.com:25" from <[email protected]> for [email protected]
2012-12-05 14:08:46 1TgFeX-0006I1-DR <= [email protected] H=(Smkt) [187.23.175.140] P=esmtp S=351 T="smtp.mydomain.com:25" from <[email protected]> for [email protected]
2012-12-05 14:08:46 1TgFeX-0006I2-Lo <= [email protected] H=(Smkt) [187.23.175.140] P=esmtp S=347 T="mail.mydomain.com:25" from <[email protected]> for [email protected]
etc...
 
You'll need to close your SMTP server relay...
Google how to do that for your system; you might need to add only localhost or authorized users to be able to use SMTP, as it should be.
 
Thanks for your help.

I've used mailradar.com/openrelay and it says that I do not have an open relay. "All tested completed! No relays accepted by remote host!"

(testing against 78.129.132.155)

My /etc/virtual/pophosts file is empty, so I don't think anyone has permission for relay.

When I run the below script I see no logins listed. Does that mean it must be a script on my server sending these?

Code:
cd /var/log/exim
grep 'A=login:' mainlog* | less

Is there anywhere else I can dig for information?
 
It is indeed unauthenticated. Unless 187.23.175.140 is your server IP, the mails are being sent from an external host (that IP). The biggest chance is still the pophosts thing, since the relay checks came back negative. Remember that the entries in there are removed after 30 minutes, so if you see the mails being sent you should look in pophosts within 30 minutes.

You could also disable the pophost feature, it's only there to allow relay for people who have just authenticated as a valid user. IMO users should just use the credentials for the outgoing mail: http://www.directadmin.com/forum/showthread.php?t=38808&p=231214#post231214

But if your customers are relying on this feature and you want to keep it up, I'd search for that IP in the dovecot logs (eg /var/log/mail.log or maillog), so you can see which user was authenticated.
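The two log checks discussed in this thread (the `grep 'A=login:'` pass over the Exim mainlog in the earlier post, and the Dovecot login lookup for the offending IP suggested here) can be done in one place. Below is an added example, not LFD's or DirectAdmin's code, that classifies Exim `<=` arrival lines as local submission, authenticated SMTP, inbound mail for our own domains, or unauthenticated relay, counts relays per remote IP the way the LFD alert does, and then looks up which Dovecot user logged in from a given IP (the pophosts case). The log lines, domain names and addresses are constructed samples (RFC 5737 ranges, `.example` names) modelled on the formats in the alert above; `LOCAL_DOMAINS` and the `login:` authenticator name are assumptions you would replace with your own.

```python
"""Classify Exim arrival log lines, count relay abuse per IP, and correlate
with Dovecot logins.  Added example for this thread (not LFD/DirectAdmin code);
all log samples below are constructed."""
import re
from collections import Counter

# Assumption: the domains this server accepts mail for (replace with your own).
LOCAL_DOMAINS = {"mydomain.example"}

# Constructed Exim mainlog excerpt: three relayed spam lines from one remote
# host, one SMTP AUTH submission, one local script submission, one inbound mail.
EXIM_MAINLOG = """\
2012-12-05 14:08:44 1TgFeV-0006I1-7b <= bulk@spammer.example H=(Smkt) [198.51.100.23] P=esmtp S=339 T="smtp.mydomain.example:25" from <bulk@spammer.example> for victim1@gmail.example
2012-12-05 14:08:44 1TgFeV-0006I2-Kn <= bulk@spammer.example H=(Smkt) [198.51.100.23] P=esmtp S=343 T="mail.mydomain.example:25" from <bulk@spammer.example> for victim2@gmail.example
2012-12-05 14:08:46 1TgFeX-0006I1-DR <= bulk@spammer.example H=(Smkt) [198.51.100.23] P=esmtp S=351 for victim3@gmail.example
2012-12-05 14:08:50 1TgFeY-0006I3-Ab <= alice@mydomain.example H=(laptop) [203.0.113.7] P=esmtpa A=login:alice@mydomain.example S=512 for bob@example.net
2012-12-05 14:08:55 1TgFeZ-0006I4-Cd <= apache@tent.mydomain.example U=apache P=local S=410 for webform@example.net
2012-12-05 14:09:01 1TgFf0-0006I5-Ef <= contact@partner.example H=mx.partner.example [203.0.113.9] P=esmtp S=1200 for alice@mydomain.example
"""

# Constructed Dovecot log excerpt (default "Login:" line format).
DOVECOT_LOG = """\
Dec  5 13:58:02 tent dovecot: pop3-login: Login: user=<alice@mydomain.example>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.200, mpid=4021
Dec  5 14:01:17 tent dovecot: pop3-login: Login: user=<dave@mydomain.example>, method=PLAIN, rip=198.51.100.23, lip=198.51.100.200, mpid=4033
Dec  5 14:02:40 tent dovecot: imap-login: Login: user=<carol@mydomain.example>, method=PLAIN, rip=203.0.113.50, lip=198.51.100.200, mpid=4040
"""

ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")          # the [ip] after H=
AUTH_RE = re.compile(r"\bA=(?P<auth>\S+)")            # A=<authenticator>:<user>
LOCALUSER_RE = re.compile(r"\bU=(?P<user>\S+)")       # U=<unix user> on local submission
RCPT_RE = re.compile(r"\bfor (?P<rcpts>.+)$")         # recipients logged after "for"
LOGIN_RE = re.compile(r"Login: user=<(?P<user>[^>]+)>.*\brip=(?P<rip>[0-9a-fA-F.:]+)")


def classify(line, local_domains):
    """Return None for non-arrival lines, else a dict with kind/ip/user/id."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    info = {"id": m.group("id"), "sender": m.group("sender"), "ip": None, "user": None}
    ipm = IP_RE.search(rest)
    info["ip"] = ipm.group(1) if ipm else None
    auth, local, rcpts = AUTH_RE.search(rest), LOCALUSER_RE.search(rest), RCPT_RE.search(rest)
    rcpt_list = rcpts.group("rcpts").split() if rcpts else []
    if local and "P=local" in rest:
        info["kind"] = "local"          # a process on the box (e.g. a web script) injected it
        info["user"] = local.group("user")
    elif auth:
        info["kind"] = "authenticated"  # SMTP AUTH succeeded; record who
        info["user"] = auth.group("auth").split(":", 1)[-1]
    elif rcpt_list and all(r.rsplit("@", 1)[-1].lower() in local_domains for r in rcpt_list):
        info["kind"] = "inbound"        # remote host delivering to our own domains: not relay
    else:
        info["kind"] = "relay"          # remote, unauthenticated, for foreign domains
    return info


def relay_counts(log_text, local_domains):
    """Count unauthenticated relayed messages per remote IP."""
    counts = Counter()
    for line in log_text.splitlines():
        info = classify(line, local_domains)
        if info and info["kind"] == "relay" and info["ip"]:
            counts[info["ip"]] += 1
    return counts


def flag_relays(log_text, local_domains, threshold=200):
    """IPs at or above the LFD-style threshold (LFD's default in the thread is 200)."""
    return sorted(ip for ip, n in relay_counts(log_text, local_domains).items() if n >= threshold)


def users_logged_in_from(dovecot_text, ip):
    """Which mailbox users authenticated to Dovecot from this IP (pophosts window)."""
    users = set()
    for line in dovecot_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group("rip") == ip:
            users.add(m.group("user"))
    return sorted(users)


if __name__ == "__main__":
    for ip in flag_relays(EXIM_MAINLOG, LOCAL_DOMAINS, threshold=3):
        print(f"{ip}: {relay_counts(EXIM_MAINLOG, LOCAL_DOMAINS)[ip]} relayed, "
              f"Dovecot logins from this IP: {users_logged_in_from(DOVECOT_LOG, ip)}")
```

Run against real files, feed `open('/var/log/exim/mainlog').read()` and the Dovecot log into the same functions. A flagged IP with a matching Dovecot login points at a compromised mailbox password that pophosts turned into relay rights; a flagged IP with no login at all points at an actual relay hole; and a flood of `local` entries under one Unix user points at a script on the box, which is the other possibility raised in the thread.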
 