Open relay question

nealdxmhost (Verified User, joined Jan 1, 2009, 232 messages, Los Angeles CA)
Exim went a little bit nutty on me a little while ago as emails were going out like crazy. Right away I got a firewall alert to an outside email address that I use, and this is the basic rundown of it:

Time: Mon May 23 19:08:49 2011 -0700
Type: RELAY, Remote IP - 184.82.210.39 (US/United States/-)
Count: 112 emails relayed
Blocked: No

Sample of the first 10 emails:

2011-05-23 19:07:58 1QOh2M-0008GN-H2 <= [email protected] H=(cyclops) [184.82.210.39] P=smtp S=2019 T="reach 788k doctors - we have the list and others too" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2011-05-23 19:08:01 1QOh2O-0008Gz-VV <= [email protected] H=(kaddish) [184.82.210.39] P=smtp S=2440 T="pharmaceutical companies - email only list 47,000 emails of pharma company employees" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2011-05-23 19:08:03 1QOh2R-0008HX-RU <= [email protected] H=(clyde) [184.82.210.39] P=smtp S=1998 T="optometrists - 63,837 records 2,015 emails" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2011-05-23 19:08:06 1QOh2U-0008I3-3G <= [email protected] H=(citric) [184.82.210.39] P=smtp S=2400 T="We have email lists of US surgery centers" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2011-05-23 19:08:09 1QOh2X-0008Ij-30 <= [email protected] H=(libya) [184.82.210.39] P=smtp S=2040 T="business/medical marketing lists" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2011-05-23 19:08:11 1QOh2Z-0008JC-Fh <= [email protected] H=(oligoclase) [184.82.210.39] P=smtp S=1066 T="physicians (34 specialties) - 788k records, 17k emails, 200k fax numbers" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2011-05-23 19:08:34 1QOh2w-0008Jd-2Y <= [email protected] H=(mental) [184.82.210.39] P=smtp S=1982 T="pharmaceutical companies mailing lists" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2011-05-23 19:08:38 1QOh30-0008LU-5G <= [email protected] H=(soapy) [184.82.210.39] P=smtp S=1966 T="Marketing database for Canadian Businesses" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2011-05-23 19:08:42 1QOh34-0008Li-Jr <= [email protected] H=(blend) [184.82.210.39] P=smtp S=4281 T="new business mailing list" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2011-05-23 19:08:45 1QOh37-0008Lz-Mz <= [email protected] H=(plaything) [184.82.210.39] P=smtp S=4312 T="acupuncturists - 23,988 records 1,826 emails" from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]


Anyhow, I added the offending IP address to my CSF firewall and cleared out my exim queue, and so far so good. But my inbox got inundated with close to 2000 failure messages and my server IP got blacklisted on two lists...

This is the first time this has happened to me since last fall and I want to know what I can do to prevent a repeat of this. I have been doing some reading on this until my eyes get blurry, but I am missing something...

Thanks guys,
Neal
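The CSF alert above is built from Exim mainlog "<=" (message arrival) lines like the ten quoted. As an added example that is not from this thread or from cPanel/CSF, the Python below parses that line format, skips arrivals that carry an "A=" authenticator field (SMTP AUTH), and flags any remote IP that injects more than a threshold of unauthenticated messages inside a short window. The sample log lines, the TEST-NET addresses, and the threshold and window values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim mainlog arrival line: "<date> <time> <msgid> <= <sender> H=[host ](helo) [ip] ...".
# The reverse-DNS host name and the HELO name are both optional in real logs.
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) '
    r'H=(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[0-9.]+)\]'
    r'(?P<rest>.*)$'
)
PROTO_RE = re.compile(r' P=(\S+)')
AUTH_RE = re.compile(r' A=(\S+)')          # present only when the client authenticated
SUBJECT_RE = re.compile(r' T="([^"]*)"')
RCPTS_RE = re.compile(r' from <[^>]*> for (.+)$')


def parse_arrival(line):
    """Return a dict for a remote SMTP arrival line, or None for anything else
    (local submissions with U=... have no H= field and are ignored)."""
    m = ARRIVAL_RE.match(line)
    if m is None:
        return None
    rest = m["rest"]
    proto = PROTO_RE.search(rest)
    subject = SUBJECT_RE.search(rest)
    rcpts = RCPTS_RE.search(rest)
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "id": m["id"],
        "sender": m["sender"],
        "ip": m["ip"],
        "helo": m["helo"],
        "protocol": proto.group(1) if proto else None,
        "authenticated": AUTH_RE.search(rest) is not None,
        "subject": subject.group(1) if subject else "",
        "recipients": rcpts.group(1).split() if rcpts else [],
    }


def find_relay_bursts(lines, threshold=10, window=timedelta(minutes=5)):
    """Group unauthenticated arrivals by remote IP and report any IP whose
    densest window holds at least `threshold` messages (values are assumptions)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_arrival(line)
        if rec is None or rec["authenticated"]:
            continue
        per_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):            # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, start, end)
        if best:
            n, s, e = best
            hit = recs[s:e + 1]
            alerts.append({
                "ip": ip,
                "count": n,
                "recipients": sum(len(r["recipients"]) for r in hit),
                "first": hit[0]["ts"],
                "last": hit[-1]["ts"],
                "helos": sorted({r["helo"] for r in hit if r["helo"]}),
            })
    return alerts


def _constructed_lines():
    """Constructed sample mainlog lines (not the lines from the original post):
    12 unauthenticated messages from one IP, one authenticated user, one local job."""
    lines = []
    base = datetime(2011, 5, 23, 19, 7, 58)
    for i in range(12):
        ts = (base + timedelta(seconds=3 * i)).strftime("%Y-%m-%d %H:%M:%S")
        rcpts = " ".join(f"user{i}{j}@example.net" for j in range(5))
        lines.append(
            f'{ts} 1QOh2M-0008G{i:X}-H2 <= spammer@example.com H=(cyclops) [198.51.100.7] '
            f'P=smtp S=2019 T="bulk list offer {i}" from <spammer@example.com> for {rcpts}'
        )
    lines.append('2011-05-23 19:09:00 1QOh3A-0008M0-AA <= alice@example.com H=(laptop) [203.0.113.5] '
                 'P=esmtpsa A=dovecot_login:alice@example.com S=1200 T="hi" '
                 'from <alice@example.com> for bob@example.org')
    lines.append('2011-05-23 19:09:05 1QOh3B-0008M1-BB <= root@example.com U=root P=local '
                 'S=300 T="cron" for admin@example.com')
    return lines


if __name__ == "__main__":
    for a in find_relay_bursts(_constructed_lines()):
        print(f'{a["ip"]}: {a["count"]} msgs / {a["recipients"]} rcpts '
              f'between {a["first"]} and {a["last"]} (HELO {", ".join(a["helos"])})')
```

Run it against /var/log/exim_mainlog with something like `find_relay_bursts(open(path))` to get the same kind of per-IP summary CSF sends; the useful signal is the combination of no "A=" field, a remote H= address, and many recipients per message, which is exactly what the quoted lines show.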
 
Have you tested to see if it is an open relay? ( http://www.abuse.net/relay.html )

When I try I get:
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<[email protected]>
<<< 250 OK
>>> RCPT TO:<[email protected]>
<<< 250 Accepted

Relay test result
Hmmn, at first glance, host appeared to accept a message for relay.
THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.
It stops at test 4, while our servers stop at test 12 when I test.
 
Have you tested to see if it is an open relay? ( http://www.abuse.net/relay.html )

When I try I get:

It stops at test 4, while our servers stop at test 12 when I test.

Happened to me again today.

Discovered that I had some local domains in the virtual domain whitelist. I cleared those out.

Anyhow, I just ran that test in your link and it made it to 12 tests today. Not that I quite understand a whole lot of it, though :(
 
Discovered that I had some local domains in the virtual domain whitelist. I cleared those out.
That opens a hole in exim; it whitelists the domain, so anyone can spam using a from address at the domain. And that's what the test is looking for.

Jeff
 
Got it!

That opens a hole in exim; it whitelists the domain, so anyone can spam using a from address at the domain. And that's what the test is looking for.

Jeff

Looking around through some other posts on this topic, I saw that being mentioned, and somehow during my "feeling my way around" moments a while back I had inadvertently made a couple of entries in that file, and much to my chagrin I ended up with the situation in question.

Chalk another one up in the lessons learned column
:D:D:D
 