Mailing List CGatePro@mail.stalker.com Message #100472
From: W Sanders <wms2@stmarys-ca.edu>
Subject: SMTPI log tags not tracking unauthorized relaying
Date: Sun, 25 Jul 2010 11:44:11 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Howdy,

We are seeing some suspicious activity in our log files. A few external IP addresses are connecting to our SMTP relay service without authenticating. The problem is that incoming SMTP relay is closed except to authenticated users.

I am trying to find the origin of the SMTPI connection by grepping the log files. One example:

# grep SMTPI-63782 2010-07-2[345].log
2010-07-25.log:06:28:13.11 2 SMTPI-63782([91.74.96.10]) [134381327] received, 68157 bytes

Another example:

# grep 94.180.172.119 2010-07-22.log
09:53:57.24 2 SMTPI-91478([94.180.172.119]) [134316328] received, 2344 bytes
09:53:57.50 3 SMTPI-91478([94.180.172.119]) read failed. Error Code=connection reset by peer
10:10:36.74 1 SMTPI-92192([94.180.172.119]) Recipient stanpfoff@enyart.com rejected: prohibited. We do not relay

In both examples, spam was successfully sent to one of our users (the first one had a Mydoom virus attached, but our filters caught it.) This is very odd, because normally I see the SMTPI connection and disconnection as part of the log if authentication is successful.

# grep SMTPI-68328  2010-07-25.log
10:21:41.38 2 SMTPI-68328([149.137.4.10]) 'wms2@stmarys-ca.edu' connected from [149.137.4.10:52525]
10:21:41.38 2 SMTPI-68328([149.137.4.10]) 'wms2@stmarys-ca.edu' disconnected ([149.137.4.10:52525])
10:21:41.63 2 SMTPI-68328([149.137.4.10]) [134383478] received encrypted, 722 bytes

Normally, anyone not coming from one of our "internal" IP addresses to ports 25 or 587 should hang, except for users who have authenticated via POP, IMAP, HTTP, etc., who are allowed to connect using the "temporary client" feature.

Somehow these IPs authenticated, or were allowed to relay without authentication - but I see no other log entries for them. Authentication attempts via all protocols - POP, IMAP, HTTP, etc. - are logged.

Does anyone have any tips on why the SMTPI would not log the connections and disconnections, or the authentications? Perhaps these are authenticating via some other service? I am baffled...

We're still running CGPro 4.X, FWIW. Perhaps this is a bug that's fixed in 5.X?

Thanks,

-W Sanders
St Marys College of California
Moraga CA
http://wsanders.net
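One way to run the check the post is doing by hand with grep across a whole log file, as an added example that is not part of the original post or of CommuniGate Pro: group SMTPI records by session tag and list the sessions that accepted a message from a non-internal address without a 'connected' (authenticated account) record. The internal network range is an assumption, and the record formats are inferred from the lines quoted above.

```python
import re
import ipaddress

# Client networks allowed to relay without SMTP AUTH. Assumed values for this
# example; use the server's real client IP list in practice.
INTERNAL_NETS = [ipaddress.ip_network("149.137.4.0/24")]

# Every SMTPI record starts: time, level, SMTPI-<n>([peer IP]) <event text>.
TAG_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d\d) \d (SMTPI-\d+)\(\[([\d.]+)\]\) (.*)$")
AUTH_RE = re.compile(r"^'([^']+)' connected from")      # SMTP AUTH succeeded
RECV_RE = re.compile(r"^\[\d+\] received")              # a message was accepted

# Sample records copied from the post above (constructed test input).
SAMPLE_LOG = """\
06:28:13.11 2 SMTPI-63782([91.74.96.10]) [134381327] received, 68157 bytes
09:53:57.24 2 SMTPI-91478([94.180.172.119]) [134316328] received, 2344 bytes
09:53:57.50 3 SMTPI-91478([94.180.172.119]) read failed. Error Code=connection reset by peer
10:10:36.74 1 SMTPI-92192([94.180.172.119]) Recipient stanpfoff@enyart.com rejected: prohibited. We do not relay
10:21:41.38 2 SMTPI-68328([149.137.4.10]) 'wms2@stmarys-ca.edu' connected from [149.137.4.10:52525]
10:21:41.38 2 SMTPI-68328([149.137.4.10]) 'wms2@stmarys-ca.edu' disconnected ([149.137.4.10:52525])
10:21:41.63 2 SMTPI-68328([149.137.4.10]) [134383478] received encrypted, 722 bytes
""".splitlines()

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def sessions_from_log(lines):
    """Group SMTPI records by session tag: peer IP, authenticated account,
    messages accepted and relay attempts rejected."""
    sessions = {}
    for line in lines:
        m = TAG_RE.match(line.strip())
        if not m:
            continue  # not an SMTPI record (other services are ignored)
        _ts, tag, ip, event = m.groups()
        s = sessions.setdefault(tag, {"ip": ip, "account": None, "received": 0, "rejected": 0})
        auth = AUTH_RE.match(event)
        if auth:
            s["account"] = auth.group(1)
        if RECV_RE.match(event):
            s["received"] += 1
        if "rejected: prohibited" in event:
            s["rejected"] += 1
    return sessions

def unauthenticated_accepts(lines):
    """Sessions that accepted a message from a non-internal peer with no SMTP AUTH
    record. The recipient records (not in the sample) decide whether each one was
    ordinary inbound mail to a local user or an actual relay."""
    return sorted(tag for tag, s in sessions_from_log(lines).items()
                  if s["received"] and s["account"] is None and not is_internal(s["ip"]))
```

Feed it the day's log (`unauthenticated_accepts(open("2010-07-25.log"))`) and then grep the flagged tags for their "Recipient" lines to see where each accepted message went.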