a other methode to send spam?

Discussion forum for Enterprise Edition.
Post Reply
nowhere
Posts: 29
Joined: Mon Aug 09, 2010 7:34 pm

a other methode to send spam?

Post by nowhere » Mon Aug 06, 2012 10:12 pm

Hi, running MailEnable Premium latest version 6.57

A lot of spam will be sent through my system
194.242.35.120 ist the mailserver
office@domain.at is a mailbox at the server
@domain.at ist hostet at this server

Even if I change the password or deactivate auth. of the mailbox spam will be sent out

I have no idea what happens.
Need some help

Code: Select all

Content-Description: Undelivered Message
Content-Type: Message/Rfc822
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment

Return-Path: office@domain.at
Errors-To: office@domain.at
Resent-Date: Tue, 7 Aug 2012 04:02:10 +0800 (CST)
Resent-From: xiaobobai@tom.com
Resent-To: xiaobobai@vip.tom.com
Received: from tommx.cdn.163.net (unknown [172.24.140.145])
	by bjmx21 (Coremail) with SMTP id FIBoncEiIFBHAIyR.1
	for <xiaobobai@tom.com>; Tue, 07 Aug 2012 04:02:10 +0800 (CST)
X-Originating-IP: [172.24.140.145]
Authentication-Results: bjtc-antispam3 smtp.mail=office@domain.at; spf=pass
Received-SPF: pass (bjtc-antispam3: domain domain.at designates 194.242.35.120 as permitted sender)
Received: from [194.242.35.120] ([194.242.35.120:1134] helo=dns-factory.net)
	by bjtc-antispam3 (envelope-from <office@domain.at>)
	(ecelerity 3.4.0.22880 r(/root/Momo-3.4:0b01fc72f675)) with ESMTP
	id A6/FD-10696-9B220205; Tue, 07 Aug 2012 04:02:05 +0800
Received: from nruucbux ([124.94.113.22]) by dns-factory.net with MailEnable ESMTP; Mon, 6 Aug 2012 21:34:31 +0200
Reply-To: 3658go5370@169.com
Date: Tue, 7 Aug 2012 03:34:17 +0800
From: =?utf-8?B?6YK1542B?= <office@domain.at>
To: <vinca002@126.com>,
	<yafei2005117@yahoo.com.cn>,
	<xiaobobai@tom.com>,
	<chensicun@mail.huash.com>,
	<lily5208216@yahoo.com.cn>,
	<hh9816@alibaba.com.cn>
Subject: =?utf-8?B?55Sf5Lqn6K6h5YiS5LiObW5udeeJqeaWmeaOp+WItueuoeeQhg==?=
Message-ID: <20120807033426052713@domain.at>
X-mailer: Foxmail 6, 13, 102, 15 [cn]
Mime-Version: 1.0
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: base64
Thank you for any hints

Alois

nowhere
Posts: 29
Joined: Mon Aug 09, 2010 7:34 pm

Is it a bug?

Post by nowhere » Tue Aug 07, 2012 9:43 am

Additional information:
Because I can not stop the spam senders (tried everything I can think off) I realiced that I am unable to connect to the internet because of my IPS-firewall which is in front of the Mailenable Server blocks the outgoing traffic from my Mailenable Server to the internet.

The description why the traffic will be blocked by the IPS of the firewall:
It indicates a possible exploit of denial of service vulnerability in Microsoft Exchange server.

Microsoft exchange server is one of the popular email server used for email services. A denial of service vulnerability is reported in it that may allow an attacker to cause denial of service on it. This is due to application failure to properly parser MIME header with an empty value for charset in a email message . An attacker may send email message with malformed MIME header via charset="" command to vulnerable system and cause denial of service. Exchange 2000 is not susceptible to this vulnerability.
This does mean that my IPS Firewall blocked outgoing traffic because a lot of malformed mails had been sent out from the mailenable server.
On the other hand I am unable to stop some external sender from sending spam even if I deactivate the authentication for the Mailbox so nobody is able to login to the specific mailbox.

Isn´t it the reason that someone can send mails without authentication?

rfwilliams777
Posts: 1321
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Re: a other methode to send spam?

Post by rfwilliams777 » Fri Aug 10, 2012 6:59 pm

There are a number of options that can be enabled to throttle or stop the spam going through your server.
1. Set the options to authenticate senders when sending e-mail out. This stops someone from taking advantage of your server and sending e-mail claiming to be an account on the server. In short, they must have the correct user and password to send out e-mail.
2. You can control how many messages can go out at the server level and at the post office level.
3. Find out what e-mail account is really sending the spam and disable the account. If it is just your server allowing messages to flow through, do suggestio 1. Let me know if you would like for us to take a look at your settings and make adjustments. We can be hired to help you with this.
Robert Williams, Owner
www.WWSHosting.net
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and get your first 2 months FREE!
We can be hired to help you with your Mail Enable server, too!

MailEnable-Ian
Site Admin
Posts: 9216
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: a other methode to send spam?

Post by MailEnable-Ian » Sun Aug 12, 2012 11:32 pm

Hi,

You also have the option of raising a support ticket via the MailEnable support form for assistance: http://www.mailenable.com/support/SupportRequest.asp

Check the outgoing SMTP queue for the spam messages. Once you know the message ID for one of the messages and the sender/recipient addresses search through the SMTP activity logs for the sender address and the same message ID. Once you have found the entry for SMTP-OU of the message ID and sender address keep searching further up in the log file for the SMTP-IN entry in respect to the sender address. You will see entries before the MAIL FROM command. The SMTP command your looking for is the AUTH command where it will report which mailbox the spammer is using the authenticate.

Example:

Code: Select all

07/05/12 12:13:03	SMTP-IN	C5E186FAF9484B18BEF4DDA9D09CCE01.MAI	1380	192.168.2.5	EHLO	EHLO MAILENABLE-PC	250-mailenable.com.au [192.168.2.5], this server offers 6 extensions	181	20
07/05/12 12:13:03	SMTP-IN	C5E186FAF9484B18BEF4DDA9D09CCE01.MAI	1380	192.168.2.5	AUTH	AUTH LOGIN	334 VXNlcm5hbWU6	18	12		
07/05/12 12:13:03	SMTP-IN	C5E186FAF9484B18BEF4DDA9D09CCE01.MAI	1380	192.168.2.5	AUTH	{blank}	334 UGFzc3dvcmQ6	18	10	test2	
07/05/12 12:13:03	SMTP-IN	C5E186FAF9484B18BEF4DDA9D09CCE01.MAI	1380	192.168.2.5	AUTH	cGFzcw==	235 Authenticated	19	10	test2	
07/05/12 12:13:03	SMTP-IN	C5E186FAF9484B18BEF4DDA9D09CCE01.MAI	1380	192.168.2.5	MAIL	MAIL FROM:<test2@mailenable.com.au>	250 Requested mail action okay, completed	43	37
Also please review the following articles:

http://www.mailenable.com/kb/viewarticl ... 020339.htm
http://www.mailenable.com/kb/viewarticl ... 020280.htm
http://www.mailenable.com/kb/viewarticl ... 020250.htm
Regards,

Ian Margarone
MailEnable Support

Post Reply