Relay is Allowing messages from me to me.

Discussions on webmail and the Professional version.
merk
Posts: 423
Joined: Sun Oct 12, 2003 2:50 pm

Re: Smiles

Post by merk »

RBogan wrote: Yes...I've been saying that I have had this problem........

I GET EMAIL FROM USERS ON MY SMTP SERVER TO ACCOUNTS THAT ARE NOT SERVED BY MY SMTP SERVER.

FOR INSTANCE...YET AGAIN...A FOREIGN USER AUTHS TO MY SMTP SERVER TO SEND MAIL TO MY ISP ADDRESS. THIS SHOULD NOT BE ABLE TO HAPPEN.
Your 2 statements above are contradictory.

First you said people are sending email to accounts that are not served by your smtp server. If thats true, then yeah something is messed up somewhere.

But a foreign user sending email to your isp address SHOULD be allowed to happen. I'm assuming your 'isp' address is an address hosted by your ME server. This is because the foreign user is not AUTHenticating at all in this case. Authentication would only be required if trying to send email to a domain not hosted by your server.

So is someone using your server to send email to your local users? or are they sending email to other domains not hosted by you?

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Re: Smiles

Post by RBogan »

merk wrote:
RBogan wrote: Yes...I've been saying that I have had this problem........

I GET EMAIL FROM USERS ON MY SMTP SERVER TO ACCOUNTS THAT ARE NOT SERVED BY MY SMTP SERVER.

FOR INSTANCE...YET AGAIN...A FOREIGN USER AUTHS TO MY SMTP SERVER TO SEND MAIL TO MY ISP ADDRESS. THIS SHOULD NOT BE ABLE TO HAPPEN.
Your 2 statements above are contradictory.

First you said people are sending email to accounts that are not served by your smtp server. If thats true, then yeah something is messed up somewhere.

But a foreign user sending email to your isp address SHOULD be allowed to happen. I'm assuming your 'isp' address is an address hosted by your ME server. This is because the foreign user is not AUTHenticating at all in this case. Authentication would only be required if trying to send email to a domain not hosted by your server.

So is someone using your server to send email to your local users? or are they sending email to other domains not hosted by you?
Oy vey..........nevermind...ME is wonderful. In fact...the greatest piece of software known to email-kind...and is without any technical problem at all...and anyone having questions or needing help are complete fools who don't understand the "ultra-uber-complex" world of SMTP servers.

I'll now drop this subject. I've emailed support about it...so I can escape the world of forum fanboys. lol

merk
Posts: 423
Joined: Sun Oct 12, 2003 2:50 pm

Re: Smiles

Post by merk »

RBogan wrote: Oy vey..........nevermind...ME is wonderful. In fact...the greatest piece of software known to email-kind...and is without any technical problem at all...and anyone having questions or needing help are complete fools who don't understand the "ultra-uber-complex" world of SMTP servers.

I'll now drop this subject. I've emailed support about it...so I can escape the world of forum fanboys. lol
It would of been easier to help you if you didnt turn around and insult people and if you knew what the hell you were talking about and could actually describe what the problem is instead of contradicting yourself.

I apologize for trying to be helpful. I wont make that mistake again.

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Post by RBogan »

Actually there pal...your mistakes come from "assuming" things are different than what I'm communicating.

Read your 2nd to last post...for proof. You'll find your assumptions are completely incorrect about my situation...so...it's not my fault that you get twisted around...as it's not coming from me.

Your assumptions contradict my statements of fact...about my specific situation.

Support is here for a reason...amateurs can only take you so far. And, incidentally...if I knew everything there is to know about SMTP...like some of you email fanboys think you do...I wouldn't have to post questions...would I?

Slicer101
Posts: 95
Joined: Fri Jun 27, 2003 9:26 pm
Location: Houston, TX

Post by Slicer101 »

FLAME ON :twisted:

Rbogan,

If all you can say is bad and hateful, what do you expect to get back? Anyone here that has tried to discuss this with you and point things out to you have suffered a backlash of hate and arrogant contempt. Instead of taking the time to discuss and guide people, you have ranted and screamed like a 2 year old that is not getting his diaper changed. :evil:

Maybe in the future so that you do not have to contend with us "Amateurs" you should only direct your issues and comments to Support and not make such a fool of yourself to the whole world. :wink:

Nuff said,

Slicer

FLAME OFF 8)

whiteknight
Posts: 19
Joined: Tue Nov 18, 2003 6:17 am
Location: Singapore
Contact:

Relay issues

Post by whiteknight »

Hi, As I have said earlier that I would contact support and I did and got a reply.
In short, they said that the smtp cannot require authentication for emails bound for local addresses because otherwise other smtps will not be able to deliver emails to your inbox.

With the reply I have further analyse the logs to get my conclusion. It is not possible to prevent the use of the smtp to send emails to the local addresses. This is the reason.

The smtp is like an email postoffice that accepts and sends emails. The method of accepting emails from your client email software is the same as the method of accepting emails from other smtps. The way it sends emails is the same way your client software logs in to an smtp to send email, but for the client software, when the email is sent to your 'local' smtp, the email is then analysed and then sent out again by the smtp to the smtp of the server that the domain name of that email address points to.
When using the relay settings, the local smtp can accept emails bound for external addresses. So having the setting for authentication means that if authentication is successful, emails bound for external addresses are accepted and will later in turn by sent out by the smtp.
Since your client software logs in to smtps the same way an smtp logs in to another smtp to send emails, effectively you can log in to any smtp and deliver emails to any of the local addresses in that mail server.
Also because there are no differentiation, I don't see a way to prevent this from happening.
If anyone can tell me the difference, it would very much be appreciated, then there would be one more way to plug the holes that allow spams to go through.
White Knight

cassius
Posts: 338
Joined: Tue Mar 11, 2003 2:29 pm
Location: Indianapolis, IN

Post by cassius »

Okay, basically, this is what I understand the issue to be that you're talking about, RBogan:

User A has an account at abc.com - a@abc.com
User B has an account at xyz.com - b@xyz.com
User A can connect to abc.com and send mail to a@abc.com saying it is from a@abc.com
User B can also connect to abc.com and send mail to a@abc.com saying it is from a@abc.com.
Because it is extremely unlikely that there is a legitimate reason for user B spoofing the from address, he is probably a spammer.

I agree with all that. So do those of us that have argued with you up until now. That's all fine and good, and we could have gotten to this point a lot sooner if you would have presented things rationally. What we do NOT agree with, is that this is a bug.

The way the SMTP protocol works, is that any server on the internet has the right to "deliver" mail for any user, regardless of whether that user's account actually resides on the server's domain. This builds a lot of redundancy into the e-mail system, allowing for many things, some good and some bad. One good thing is that it allows for cross-domain backup mail servers, for instance. One bad thing is that since it allows for the possibility of "convincing" a server to deliver mail for you even if you don't have an account on the server's domain, it can be abused.

The idea of closed relaying is supposed to address this. The way that it addresses it is very specific. In a nutshell, it restricts the original framework of the SMTP protocol a bit further, so that if all e-mail servers implemented it (which they all should), each e-mail server would only accept e-mails addressed TO users at their domain, unless the person trying to input the e-mail (whether it's a real person with an e-mail client, or an e-mail server who is relaying the message) has authenticated properly.

An e-mail to a@abc.com will be accepted by xyz.com only if the authentication passes. This could be one of several ways -- the host contacting xyz.com could be on an IP flagged as privileged for relaying (relaying through your ISP's mail server can be an example of this), the server xyz.com itself could be flagged as accepting relays for abc.com directly, or the mail could be "from" a user at xyz.com (local relay, not recommended because it can be spoofed although some servers do it).

On the other hand (contrast this with above), an e-mail to a@abc.com will be accepted by abc.com UNDER ALL CIRCUMSTANCES. It doesn't matter what host is trying to tell abc.com about the message. It doesn't matter what the "from" address on the e-mail is. It could be "from" bgates@msn.com or it could be "from" a@abc.com (as in the issue we're talking about) -- it doesn't matter.

The reason it doesn't matter is because CLOSED RELAYING IS NOT DESIGNED TO ADDRESS THIS ISSUE. It's not that MailEnable isn't designed to address it, thus it isn't a bug. Relaying says nothing at all about a server not accepting e-mails for a user AT THE SERVER'S DOMAIN under certain circumstances. The SMTP protocol, and the revised version of the protocol if you include proper relaying security, both stipulate that a server should ALWAYS accept e-mails for a user at its domain.

The reason it is stipulated this way, is because in the general case, xyz.com delivering a message to a@abc.com has to contact abc.com to do it, and has no way of authenticating to that server -- it's just trying to send a normal e-mail. Say from b@xyz.com.

Now, what you have been whining about this whole thread, is a much more SPECIFIC case -- the case where the from and to address are both a@abc.com. As I stated above, in most cases this is probably spam, you're right. And the way you're trying to address it -- require authentication, so that such an e-mail can still be sent, but only by a@abc.com and by no one else, because he has to authenticate to do it -- is a very good approach, because it would eliminate the spam, but still allow the possibility of such an e-mail to happen if one of your users wanted to do it, send an e-mail to himself.

Very very good approach. (Notice how I mix praise in with my sarcastic insults? Sometimes being nice to people gets them to listen better to what you're trying to say my friend).

But in the end, this is a specific case that is NOT addressed by the smtp protocol, NOT addressed by the security of relaying, and NOT addressed by MailEnable. IT IS NOT A BUG. It is added security that you would like to implement or have implemented, because it happens that it would neatly address a problem you're facing. And I'm all for that. If you had presented it this way from the beginning, figured out a way to do it and shared it, all the posters in this thread would have probably said either "Wow thanks! I can really use that!" or at the very worst "We don't get much spam like that here so it's not that useful to be, but it's nice to know there's a solution if spammers start using tactics like that on my server!"

.... sigh, suddenly I'm very fearful that all the thought I put into trying to get past your attitude will have been wasted. Oh well, I tried. Does everybody else agree with me though? My essential point is that, Rbogan has a legitimate problem (no one disputed), the solution he talked about would be very useful to him and probably to others *somewhere* (no one disputed), and that it is not a bug in MailEnable or anything else, it's just something that was never meant to be addressed (this is where everyone was disputing with Rbogan, I think).

Frankly, it's just not an issue that has come up all that much before because most people don't face that problem. It's rather... inefficient, for a spammer to have to make the from address match the to address for everyone he tries to spam. Spammers try to target hundreds of thousands, even millions of e-mail addresses, and an attack like the one you described would pretty much have to be targeted specifically at your server, and I really don't know that it would accomplish all that much because he'd be severely limiting the number of recipients he could get to, versus say just spamming a million aol accounts or something.

It might be worthwhile if you've got thousands of accounts or more on your mail server, and it would be a helluva lot easier if he somehow obtained a username list from your mail server. All in all, though, I'm surprised it's that much of an issue to you that you've put all this effort into yelling at people about it. It's got to be even more trouble for the spammer than it is for you... someone must really have a grudge against your domain or something, lol.

Anyway, I've twisted the topic around just about every which way I can think of to try to get you to understand. If you don't by now, I give up.

~Cassius

Slicer101
Posts: 95
Joined: Fri Jun 27, 2003 9:26 pm
Location: Houston, TX

Post by Slicer101 »

WOW!! Now that is how a Pro should respond!!

Hats off to Cassius & White Knight!!! They have done their homework and provided some very good information for anyone that could need it. Of course Cassius appears to always been on his game so no surprise there.

As I also stated before, a quick search of the log files and I have been able to stop this issue from bothering my users by simply loading the perps IP in my local DNS blacklist. I have not seen this type of spam coming across again, but I have seen plenty of attempts.

I plan on exporting the DNS entries from some of the domains that I am the admin on and handing them off to some of the listing sites. Hopefully if we can all work together, we can all start helping to shut some of these guys down.

Have a Great Day Folks!!
73's

Slicer

whiteknight
Posts: 19
Joined: Tue Nov 18, 2003 6:17 am
Location: Singapore
Contact:

Possible solution to problem

Post by whiteknight »

Hi,

I have a suggestion that can help to solve part of the problem. Currently the situation is like this,

1) From external to local - allowed
2) From local to local - allowed
3) From local to external - authenticate
4) From external to external - authenticate

Item 1 must remain the same because smtps need to use that to deliver emails to other smtps.
However Item 2 can be controlled if all emails from local users must also be authenticated. This means that there are two situation for authentication.

1) Relay - Any email that is bound for external address.
2) Local sender - Any email that is from a local address.

I thought I would put this up to see if anyone thinks this is a good idea or not... or if there are any other loopholes.
White Knight

Post Reply