[Issue] Server accepts email without SMTP Auth

tim874536 (Verified User, joined Nov 24, 2006, 73 messages)
Hi all,

In the past few months, a lot of clients have reported receiving scam emails saying their email account has been hacked and asking for a bitcoin payment.
The headers of those emails say they were sent by the client's email (e.g. [email protected]) and sent to the client's email as well.
It is strange that the email server does not block this kind of fake sender email.

We also tested all of our servers using the following commands; the email passed and was delivered to the user account.

Is there any setting we can change to fix this issue? (Anyone from anywhere can send spam email to any customer mailbox.)

Code:
telnet mail.company.com 25

   Trying mail.company.com...
   Connected to mail.company.com.
   Escape character is '^]'.
   220 mail.company.com ESMTP Exim 4.92 Tue, 23 Apr 2019 23:54:02 +0800

ehlo mail.company.com

   250-mail.company.com Hello
   250-SIZE 52428800
   250-8BITMIME
   250-PIPELINING
   250-AUTH PLAIN LOGIN
   250-STARTTLS
   250 HELP

mail from: <[email protected]>
   250 OK

rcpt to: <[email protected]>
   250 Accepted

DATA
   354 Enter message, ending with "." on a line by itself

From: <[email protected]>
To: <[email protected]>
Date: 23 Apr 2019 23:35:50 +0800
Subject: Security Alert. Your accounts was compromised. You need change password!
MIME-Version: 1.0
Content-Type: text/plain;
        charset="cp-850"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3505.912
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3505.912

Hello!

I hacked your device, because I sent you this message from your account.
If you have already changed your password, my malware will be intercepts it every time.

You may not know me, and you are most likely wondering why you are receiving this email, right?
In fact, I posted a malicious program on adults (pornography) of some websites, and you know that you visited these websites to enjoy
(you know what I mean).

.

   250 OK id=1hIxkU-003su7-M2

quit

These are our server versions.
Code:
Installed version of DirectAdmin: 1.55.0
Installed version of dovecot: 2.3.3
Installed version of dovecot.conf: 0.3
Installed version of Exim: 4.92
Installed version of exim.conf: 4.5.12
Installed version of BlockCracking: 1.10
Installed version of Easy Spam Fighter: 1.24
Installed version of SpamAssassin: 3.4.2
Installed version of ClamAV: 0.100.2
Installed version of PHP 5.3: 5.3.29
Installed version of RoundCube webmail: 1.0.3

Thank you very much.
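The post above asks how to deal with messages that claim a local sender but arrive over plain port 25 without SMTP authentication. As an added example, not code from the thread or from DirectAdmin/Exim, here is a Python check that reads Exim mainlog arrival (`<=`) lines and flags exactly that pattern: envelope sender in one of your hosted domains, no `A=` authentication field, and a connecting IP that is not one of your trusted relays. The domain list, the trusted relay IP, the sample log lines and the addresses and IPs in them are constructed for the example (the first message id is the one from the telnet session above).

```python
"""Flag Exim arrivals whose envelope sender claims a local domain but that came
in over an unauthenticated session from a host we do not trust.

Added example, not from the forum thread or DirectAdmin. It reads mainlog
'<=' lines, so it is an after-the-fact audit rather than a blocking rule."""
import re
from dataclasses import dataclass

# Assumed values: the domains this server hosts and the IPs of relays allowed
# to hand in mail for them without authenticating (a secondary MX, a smarthost).
LOCAL_DOMAINS = {"company.com"}
TRUSTED_RELAYS = {"198.51.100.10"}

# Exim mainlog "<=" (message arrived) line. Fields used: envelope sender, the
# [ip] inside the H= host field, and the A=authenticator:user field that Exim
# writes only when the session authenticated.
ARRIVAL_RE = re.compile(r"^(\S+ \S+) (\S+) <= (<>|\S+) (.*)$")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")
AUTH_RE = re.compile(r"(?:^|\s)A=(\S+)")


@dataclass
class Arrival:
    msgid: str
    sender: str
    ip: str
    authenticated: bool


def parse_arrival(line):
    """Return an Arrival for a '<=' log line, or None for any other line."""
    m = ARRIVAL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    _ts, msgid, sender, rest = m.groups()
    ip = IP_RE.search(rest)
    if not ip:
        return None  # no remote host, i.e. local submission; out of scope here
    return Arrival(msgid, sender, ip.group(1), AUTH_RE.search(rest) is not None)


def sender_domain(sender):
    """Envelope sender domain, lower-cased; '' for bounces (<>) or malformed input."""
    if sender == "<>" or "@" not in sender:
        return ""
    return sender.rsplit("@", 1)[1].lower()


def is_unauthenticated_local_sender(arrival):
    """True when an unauthenticated, untrusted remote host claimed a local sender."""
    return (sender_domain(arrival.sender) in LOCAL_DOMAINS
            and not arrival.authenticated
            and arrival.ip not in TRUSTED_RELAYS)


def find_suspect_arrivals(lines):
    """Message ids worth a look: local sender, no SMTP auth, not a trusted relay."""
    return [a.msgid for a in map(parse_arrival, lines)
            if a is not None and is_unauthenticated_local_sender(a)]


# Constructed sample mainlog lines in Exim's format (documentation-range IPs).
# Line 1: the spoof from the thread. Line 2: a real user authenticating.
# Line 3: foreign sender. Line 4: our own secondary MX. Line 5: a bounce.
# Line 6: a delivery (=>) line, which the parser must ignore.
SAMPLE_LOG = """\
2019-04-23 23:54:02 1hIxkU-003su7-M2 <= user@company.com H=(mail.company.com) [203.0.113.7] P=esmtp S=1321 id=x1@company.com
2019-04-23 23:55:10 1hIxlZ-003sv1-Aa <= user@company.com H=(laptop) [192.0.2.44] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:user@company.com S=2048 id=x2@company.com
2019-04-23 23:56:00 1hIxmA-003sv9-Bb <= partner@example.net H=mx.example.net [198.51.100.20] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=900 id=x3@example.net
2019-04-23 23:57:00 1hIxmB-003sw0-Cc <= user@company.com H=mx2.company.com [198.51.100.10] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=700 id=x4@company.com
2019-04-23 23:58:00 1hIxmC-003sw1-Dd <= <> H=mta.example.org [203.0.113.9] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=500 id=x5@example.org
2019-04-23 23:59:00 1hIxmD-003sw2-Ee => user <user@company.com> R=localuser T=local_delivery
"""

if __name__ == "__main__":
    for msgid in find_suspect_arrivals(SAMPLE_LOG.splitlines()):
        print("unauthenticated local-sender arrival:", msgid)
```

Run it over `/var/log/exim/mainlog` instead of the sample to get a list of message ids to inspect; as later replies in the thread point out, some of these will be legitimate customers relaying through their ISP, which is why this is written as a report rather than a reject rule.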
 
Hello,

I have seen many such emails too. The email's sender and recipient addresses match, and Directadmin allows such incoming emails. This behavior of exim+exim.conf has been discussed here many times.

Potentially, strict rules for SPF (with hardfail -all) and ESF should help.

Example of another thread with the same reported issue: https://forum.directadmin.com/showthread.php?t=52044
 
Hello,

Would you please share more about strict rules for SPF (with hardfail -all) and ESF?
We did install the latest exim_conf, SpamAssassin and ESF.

From my understanding, the SMTP server should prevent spam email that pretends to be someone (e.g. [email protected]) who is actually a valid virtual user of the local server.
If an email is sent from [email protected], the server should ask for SMTP Auth. I remember that this worked fine before, when I learnt telnet SMTP troubleshooting some years ago.
 
In addition, in these few months the spam has started to use hacked email servers and domain names. The email comes from a valid SPF server IP, so increasing the SPF_SOFTFAIL score of spamd on our server does not help.
And they use an image in the message body, which bypasses the spamd text check as well.

Image attached => 1.png
 
SPF: change ~all to -all for your domains: https://help.directadmin.com/item.php?id=592

The SMTP server does not know anything about whether someone is pretending to be a legitimate user or is a real legitimate user. Port 25 is open for any incoming email, even without authorization. The only mechanism possible here is to check SPF.
 
I used the same method to test my @gmail.com account.
Gmail accepted my telnet email. However, is it really normal that an SMTP server asks for SMTP auth only for external email addresses, while accepting mail from and to a local virtual user's email?

This is strange.
 
SMTP is designed to accept incoming emails for local virtual users. And it does not really matter which email address they specify in "From"; that can even be Bill Gates' email address.

In the same way they can specify any email/domain from your server, your company's email as well.

That's why SPF was introduced.
 
A lot of MTAs do not use and/or check SPF, so it's only a partial solution. At least your own customers can benefit from this. Even the biggest ISP in the Netherlands does not use it. Or at least I can spoof mails from [email protected] to others, looking as if they were original. Or Microsoft does not use SPF; also possible. ;)
They do, however, block SMTP mail not coming from their own domain.
Anyway, I have come across enough sites and organisations which do not do an SPF check on incoming mail.

Note that there are customers getting and sending their mail via another system, like for example Gmail. In some of those cases you need to include those in the corresponding SPF line.

But I agree with Tim that the MTA should check for authentication on SMTP, if possible. This would probably also be beneficial for ISPs not using SPF.
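For the SPF advice earlier in the thread (change ~all to -all for your domains) and the note just above about including third-party senders such as Gmail in the record, here is a minimal SPF evaluator, an added example that is not the thread's or DirectAdmin's code. It shows what a receiving MTA does with the connecting IP: with ~all a host that is not listed only gets softfail (which spamd merely scores), with -all it gets fail, and a host covered by an include: passes. It goes a little beyond the thread by handling ip6 and nested includes. The records, domains and IPs are constructed, and the lookups come from a dict standing in for DNS so the block runs offline.

```python
"""Minimal offline SPF (RFC 7208) check_host() for ip4/ip6/include/all.

Added example, not from the forum thread or DirectAdmin. Mechanisms that need
live DNS (a, mx, ptr, exists) and the redirect= modifier are skipped."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups (hypothetical domains, documentation
# IPs). 198.51.100.10 is "our" mail server; the include covers an ISP's
# submission servers that some customers send their mail through.
INCLUDED_RECORDS = {"_spf.isp.example": "v=spf1 ip4:192.0.2.0/24 -all"}
WEAK_RECORD = "v=spf1 ip4:198.51.100.10 include:_spf.isp.example ~all"
HARDENED_RECORD = "v=spf1 ip4:198.51.100.10 include:_spf.isp.example -all"


def zone_for(record):
    """Fake DNS view in which company.com publishes `record`."""
    return {"company.com": record, **INCLUDED_RECORDS}


def check_host(ip, domain, zone, depth=0):
    """Evaluate SPF for connecting IP `ip` against `domain`'s record.

    Returns one of pass/fail/softfail/neutral/none/permerror. A missing
    include target is a permerror per the RFC; here it simply does not match."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                # IPv4 address vs IPv6 network (or vice versa) is simply False
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            matched = check_host(ip, arg, zone, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # a, mx, ptr, exists, redirect=, exp= need live DNS
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no 'all'


def compare_records(ip):
    """Result a receiving MTA would get for `ip` under the weak and hardened record."""
    return {"weak": check_host(ip, "company.com", zone_for(WEAK_RECORD)),
            "hardened": check_host(ip, "company.com", zone_for(HARDENED_RECORD))}


if __name__ == "__main__":
    for host in ("203.0.113.7", "198.51.100.10", "192.0.2.5"):
        print(host, compare_records(host))
```

Note what the include case shows: SPF authorises hosts, not people. A message sent through the ISP's listed servers from a compromised mailbox passes SPF just as the legitimate owner's mail does, which is the situation the poster described when spam arrived from "valid SPF server IPs".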
 
My very first concern on the matter happened in 2015, if the Directadmin ticket system is to be believed. The forums might show older threads. Nothing has changed since then to address the issue. More to say, I don't need it myself, I don't recall my clients ever asking for a solution for this "issue", and I don't have a solution ready in my notes. If anybody has it, please share it.

If you think Exim should fix it, then feel free to send a feature request to Exim's developers.

If you think Directadmin developers should fix it, then feel free to report it to John via tickets.
 
I tested some systems, including Gmail personal ([email protected]), Gmail business ([email protected]) and Proxmox Mail Gateway ([email protected]).
All of them accept email where the "mail from:", "RCPT to:", "From:" and "To:" are set to a valid email address.

It seems that this is allowed in the email standard. But for me and my clients, it is an abnormal situation that the email server accepts spam email that pretends to be the local virtual user without asking for SMTP Auth.
 
You can always make Directadmin/CustomBuild skip updates for exim.conf and customize the Exim configuration to your needs.
 
All of them accept email where the "mail from:", "RCPT to:", "From:" and "To:" are set to a valid email address.
If that is the case, then we don't need to worry about it, imho.

It is an abnormal situation that the email server accepts spam email that pretends to be the local virtual user without asking for SMTP Auth.
This is also the default situation, as the email client could also send mail as himself to himself via another provider.
For example, you can set up your mail so you connect to the hosting server where your domain resides, and then you need SMTP auth.
But you can also send mail (at least I can, and lots of people can) using my domain email via the SMTP server of my ISP, for which I then only have to authenticate with my ISP, and then the mail is sent to the server my domain resides on.
In that case exactly what you describe will happen: a mail from your customer to your customer comes in without SMTP authentication on your server. Which is logical, because that is incoming mail and not SMTP (outgoing mail).

So that's why SPF can fix these things for you, and this way you can prevent your server from accepting those kinds of mails.

I see now that I got confused before and mixed it up with SMTP traffic, so via the server.
But this is indeed something DA should not need to fix. Exim maybe could, but I guess it's almost undoable to build in these kinds of checks without breaking things or messing things up. It's not important enough for all that fuss.
Next to that, this kind of spam is generally very little used and easy to prevent by changing SPF preferences.
 