SPAM email, from localhost

Discussions on webmail and the Professional version.
Post Reply
labsy
Posts: 148
Joined: Sun Nov 16, 2003 6:49 am
Location: Slovenia

SPAM email, from localhost

Post by labsy »

Hi,

I intentionaly started new threat, simmilar to existing one, but with different details.

Past few months I notice hundreds and thousands of emails in SMTP -> OUTBOUND Queue. All are very simmilar, like this one:

Code: Select all

Received: from MYDOMAIN ([127.0.0.1]) by mydomain.com with MailEnable ESMTP; Thu, 05 Mar 2009 10:22:58 +0100
Date: Thu, 05 Mar 2009 10:22:58 +0100
Subject: Who would refuse from a  nice sum of money? Sign up if you are not an exception.
To: bdavid4181@aol.com
From: Marty Mason <maio@netscape.com>
Reply-To: ucoi@mail.com
MIME-Version: 1.0
Content-Type: text/plain; Charset=windows-1251
Content-Transfer-Encoding: 8bit
X-ME-Bayesian: 0.000000

Dreaming of becoming a permanent millionaire? Then don't lose your chance to win your first money. Sign up and we won't keep you waiting long for your first bonus. Feel free to start your new lucrative business right now.

http://sicheridioten.si.funpic.de/800.php
* I replaced my actual server's domain with "mydomain"

Now, I have ME latest version, and it is configured to receive and relay only LOCAL mail, from 127.0.0.1, and listening port is some high port, like 61234, which is opened only locally.
Access to this port is enabled only for local IIS SMTP service, and my SMTP proxy server.

I stopped IIS SMTP service, and blocked all mail with FROM or TO or CC field, containing "aol.com" or "netscape.com" on both, my SMTP proxy and in ME (in ME filter -> delete message).But still, mail is filling SMTP outbound queue!

Why is ME filtering not working?
Any other idea, how is this spam coming thru?
Image
Windows Hosting Sollutions Provider
http://www.hostmachine.net

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Post by MailEnable-Ben »

If it is in your SMTP outgoing queue then someone or something is sending the messages through your server. You can only track the messages backwards through the queues and find out how the sender either authenticated to send or was allowed relay.
Regards,

Product Services
MailEnable Pty Ltd

To keep track of all ME company updates and version releases you should subscribe to the MailEnable list at http://www.mailenable.com or the RSS feed http://www.mailenable.com/rss.

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Post by MailEnable-Ben »

One other thing that may help. I find if something like this is happening a lot then if you check the SMTP debug logs you will see the same thing occurring over and over again like "allowed relay" with same IP or "authenticated" with same mailbox. It can stand out which makes it easier to find.
Regards,

Product Services
MailEnable Pty Ltd

To keep track of all ME company updates and version releases you should subscribe to the MailEnable list at http://www.mailenable.com or the RSS feed http://www.mailenable.com/rss.

labsy
Posts: 148
Joined: Sun Nov 16, 2003 6:49 am
Location: Slovenia

Post by labsy »

Thenx, Ben,

I looked at debug logs already, but only known facts are there. Messages are definitelly comming from my web server, but since I host 250+ domains, it does not help me a lot:

Code: Select all

03/05/09 00:00:25	ME-I0018: [7E3014A7387047479040E3C66E406DBE.MAI] Outbound message from ([SMTP:DO_NOT_REPLY@mydomain.com]) requeued as [A0407C96237F48E1BAC64A5D6CCA1D74.MAI] to the target domain [yahoo.com]
03/05/09 00:00:37	ME-I0123: Domain [yahoo.com] has MX list [g.mx.mail.yahoo.com,a.mx.mail.yahoo.com,b.mx.mail.yahoo.com,c.mx.mail.yahoo.com,d.mx.mail.yahoo.com,e.mx.mail.yahoo.com,f.mx.mail.yahoo.com]
03/05/09 00:00:37	ME-I0026: [A0407C96237F48E1BAC64A5D6CCA1D74.MAI] Sending message
03/05/09 00:00:37	ME-I0009: [A0407C96237F48E1BAC64A5D6CCA1D74.MAI] Remote server has closed connection after 0 milliseconds. Server Response: (-)
03/05/09 00:00:37	ME-I1350: [A0407C96237F48E1BAC64A5D6CCA1D74.MAI] Attempting to connect to MX 2 of 7 (a.mx.mail.yahoo.com).
03/05/09 00:00:38	ME-I0107: [1588] Relay Granted: Sender IP (127.0.0.1) is within an authorized IP range.
03/05/09 00:00:38	ME-I0148: [A0407C96237F48E1BAC64A5D6CCA1D74.MAI] DATE (DATA Termination) command failed with temporary return code.
03/05/09 00:00:38	ME-E0034: [A0407C96237F48E1BAC64A5D6CCA1D74.MAI] DATA command returned with a 421 response, meaning that the entire message should be retried.
03/05/09 00:00:38	ME-E0033: [A0407C96237F48E1BAC64A5D6CCA1D74.MAI] DATA Transmission failed.
03/05/09 00:00:38	ME-E0059: [A0407C96237F48E1BAC64A5D6CCA1D74.MAI] Message Delivery Failure. Attempt (1): Domain (yahoo.com) returned temporary error for email. Message has been requeued.
The address "DO_NOT_REPLY@mydoman.com" is specified in PHP.INI on my web server, so messages are comming from there. Most probably a dozen of unprotected user feedback forms.
But stil, I entered DO_NOT_REPLY@mydomain.com in ME to be filtered out and deleted...but messages are still there.
Image
Windows Hosting Sollutions Provider
http://www.hostmachine.net

labsy
Posts: 148
Joined: Sun Nov 16, 2003 6:49 am
Location: Slovenia

Post by labsy »

Despite all filtering methods and AntiSpam server in front of ME, there is obviously just one way to get rid of spam: I had to remove relay rights for my web server's IP.
It was meant for web server to be isolated from mail server and only allow PHP to relay mail to ME via dedicated high port (eg. 62345), so web designers would have an oportunity to use web forms to send feedback. Of course, from my point of view, the obvious prerequisite is to have well protected web-forms, with Captcha and simmilar protections.

But obviously not all web designers use Captcha, I had to remove relay rights to get rid of spam. It's one drastic consequence for all "good" programmers.
Image
Windows Hosting Sollutions Provider
http://www.hostmachine.net

Post Reply