Open Relay - Masses of Spam being sent

I had the same result with abuse.net - however...

abuse.net is the only one reporting an open relay - either they're right and 4 others are wrong, or they've got a unique test that's right when nobody else is.

Doesn't make any sense.
 
Ok, this is directed to Jeff - as you're the last person to modify exim.conf.

This version of spamblocked exim.conf does INDEED appear to cause an OPEN RELAY - tested at abuse.net and njrbl.org

http://article.gmane.org/gmane.mail.exim.user/57603


> mmm, relay_domains is local_domains + localhost? Do you *relay* for
> localhost??

I think we do... The exim.conf file was written specifically for use in
a webhosting environment (DirectAdmin). We don't control how
webhosting clients inject mail from the server. If they inject using
the sendmail alias we're not relaying their email. But if they inject
using smtp, I believe exim sees it as relaying.


Can you elaborate on that more?

The specific relay is:

Received: from rt2.njabl.org ([69.28.95.4])
by www29.hostpc.com with esmtp (Exim 4.52)
id 1F1njG-0000C2-5z
for [email protected]; Wed, 25 Jan 2006 11:42:42 -0500
X-RT-Subject: relaytest: 199.237.54.174
X-RT-From: [email protected]
X-RT-To: [email protected]
From: [email protected]
To: [email protected]


This needs to be addressed as it's a severe security issue
 
Atari said:
I am digging up old posts on "Open Relay" because we just did the dovecot upgrade and tested at abuse.net, which failed the very first test and passed the email through :(



The relay test is here:

http://www.abuse.net/relay.html


I used this same URL on machines with dovecot installed and machines still using the old mbox format and at test 12 the test is terminated in all cases due to abuse.net sending too many non-mail commands in test 12. All tests 1-11 pass on all machines, no relaying on my machines...

I use the latest exim.conf (2.0) and for dovecot I upgraded to the latest exim.conf before patching the exim.conf file with the dovecot code.

Regards.
 
Hello,

My favorite method of testing for an open relay.. is to test for an open relay.
Code:
[root@server root]# telnet your.host.com 25
Trying 1.2.3.4...
Connected to your.host.com.
Escape character is '^]'.
220 your.host.com ESMTP Exim 4.60 Wed, 25 Jan 2006 17:35:16 -0600
HELO bob
250 your.host.com Hello my.host.com [2.3.4.5]
mail from: [email protected]
250 OK
rcpt to: [email protected]
550 authentication required
QUIT
221 your.host.com closing connection
Where you must be telnetting from a machine that does not check a pop/imap account on your.host.com (such that the IP is not in the pophosts file), and is not from 127.0.0.1 (to make sure it's a total stranger).

Note the 550 error..

If you run a test that shows that it's an open relay, by all means, paste us the output (or email it to me), I'd want to see it. I'd also want to try out this manual test on it. I've used the above mentioned testing program, but didn't get an open relay (exim booted the connection on the 12th test).

John
 
# telnet mail.hostpc.com 25
Trying 199.237.54.179...
Connected to mail.hostpc.com (199.237.54.179).
Escape character is '^]'.
220 www0.hostpc.com ESMTP Exim 4.54 Wed, 25 Jan 2006 18:01:07 -0500
HELO pete
250 www0.hostpc.com Hello ns4a.8-95.com [216.180.238.239]
mail from: [email protected]
250 OK
rcpt to: [email protected]
250 Accepted
 
Hello,

is hostpc.com ON the www0.hostpc.com ??

(ie hostpc.com in the /etc/virtua/domains file)

If so, that's not a valid test because exim is supposed to accept local email ;)

Make sure you're sending the mail to an outside email address that is not on www0.hostpc.com

John
 
Received: from www29.hostpc.com (www29.hostpc.com [199.237.54.174])
by rt.njabl.org (8.11.6/8.11.6) with ESMTP id k0NHXkG28382
for <[email protected]>; Mon, 23 Jan 2006 12:33:47 -0500
Date: Mon, 23 Jan 2006 12:33:47 -0500
Received: from before-reporting-as-abuse-please-see-www.njabl.org ([209.208.0.15] helo=rt.njabl.org)
by www29.hostpc.com with esmtp (Exim 4.52)
id 1F15ZW-0006py-Fq
for [email protected]; Mon, 23 Jan 2006 12:33:45 -0500
X-RT-Subject: relaytest: 199.237.54.174
X-RT-From: [email protected]
X-RT-To: [email protected]
From: [email protected]
To: [email protected]
Message-id: <[email protected]>
Subject: relaytest: 199.237.54.174
Perhaps someone either needs to explain to njabl.org and abuse.net what an open relay is - or there's an issue here someplace...
 
eg:
Code:
[root@localhost root]# telnet www0.hostpc.com  25
Trying 199.237.54.179...
Connected to www0.hostpc.com.
Escape character is '^]'.
220 www0.hostpc.com ESMTP Exim 4.54 Wed, 25 Jan 2006 18:04:09 -0500
HELO bob
250 www0.hostpc.com Hello bob [199.237.54.170]
mail from: [email protected]
250 OK
rcpt to: [email protected]
550 authentication required
QUIT
221 www0.hostpc.com closing connection
John
 
mail.hostpc.com and www0.hostpc.com both resolve to 199.237.54.179.. shouldn't matter. Am I missing something?

I just tested the 199.237.54.174 IP.. same "auth required" result.

John
 
Someone's missing something - and at this point it's customers' email.

Abuse.net and NJabl both show open relay and are filtering this server's IP address because of it.

I'm not professing to be a mail expert, but something isn't right. WHY would they think it's open - they showed by example it's open, yet your test shows closed. Who's wrong/correct here, and why?
 
Hello,

I tested your machine with their tester script and see what you mean now. I *did* get an email from them, meaning it's open, but only on the 5th test, when the from address was @hostpc.com .... I immediately tested the same method on our systems, but it didn't get through. Might be an issue with the exim.conf you're using.... hard to say for sure.

Code:
Relay test 5
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<[email protected]>
<<< 250 OK
>>> RCPT TO:<[email protected]>
<<< 250 Accepted
>>> DATA
<<< 354 Enter message, ending with "." on a line by itself
>>> (message body)
<<< 250 OK id=1F1tna-0007sD-PJ
Try installing the default to see if it changes anything:
http://help.directadmin.com/item.php?id=51

John
 
Hello,

You'd need to re-patch:

cd /usr/local/directadmin/customapache
patch -p0 < exim.conf.dovecot.patch

John
 
I believe this is the answer; please let me know by immediate telephone or email if I'm wrong.

If I'm right, then this could be why some people are reporting an open relay while some do not.
hostpc.com said:
Ok, this is directed to Jeff - as you're the last person to modify exim.conf.

This version of spamblocked exim.conf does INDEED appear to cause an OPEN RELAY - tested at abuse.net and njrbl.org

http://article.gmane.org/gmane.mail.exim.user/57603
Is your own domain whitelisted?

If your own domain is whitelisted then some open relay tests will see you as an open relay.

If your domain is whitelisted, then please unwhitelist your own domain and try the relay test again.

And let me know immediately by telephone or email.

And please let me know which version of exim.conf you're using; If you post the second line of the file that will be helpful.

Thanks.

Jeff
 
That's the problem.

You're not an open relay. But you are relaying any email with a return address of your domain.

And one of those tests is a test to see if mail from your domain will be relayed. It will, because by whitelisting it you told your server it's okay to relay it.

I recommend not whitelisting your entire domain but instead whitelisting only specific usernames at your domain.

Jeff
 
Maybe his server isn't an open relay in the traditional sense of the word, but it is still exploitable. I assume there is a reason why abuse.net included it as one of their tests. If they do, so could spammers scanning for mail servers to exploit. Removing the host from whitelist_domains may solve the problem, but I feel that it is a hole that should be plugged, or at the very least a bit more text should be added to the spamblocker readme.

Maybe listings in whitelist_domains should only apply to RCPT TO addresses but not to MAIL FROM addresses? After all, RCPT TO addresses must be real addresses or the mail would not be delivered, but MAIL FROM addresses can be fake.
Or maybe the mail server itself should be excluded (or ignored) if it is listed in whitelist_domains?
Or maybe some combination of the two? (just thinking out loud)
 
hostpc.com said:
Someone's missing something - and at this point it's customers' email.

Abuse.net and NJabl both show open relay and are filtering this server's IP address because of it.

I'm not professing to be a mail expert, but something isn't right. WHY would they think it's open - they showed by example it's open, yet your test shows closed. Who's wrong/correct here, and why?


Run the test again using an account not on the system.... like a gmail/hotmail/yahoo account.


If you use an email account that is ON the system... then it will "Relay" the message to any domain _on that server_ but it won't relay (in the true sense of the word) any mail THROUGH the server to another email account on another server.
 