Mailing List SIMS@mail.stalker.com Message #10085
From: Global Homes Webmaster <webmaster@globalhomes.com>
Subject: Re: Open Relay Question
Date: Thu, 24 Jan 2002 17:31:38 -0800
To: <SIMS@mail.stalker.com>
X-Mailer: Mailsmith 1.1.8 (Bluto)
On 01/24/02 at 17:51, Lyle D. Gunderson wrote:

> On Mon, 21 Jan 2002 10:42, Christopher Bort <webmaster@globalhomes.com>
> is alleged to have written:

I deny it all. You can't prove a thing.  ;-)

> >On 01/21/02 at 08:51, Shawn Rogers wrote:
> >
> (snip)
>
> >> So how do I need to configure SIMS so I am no longer an open relay,
> >> but so my users can still reach and send mail using SIMS?
> >
> >In the SMTP Service Settings, enable 'Relay for Clients Only', then
> >enter the IP addresses of any machines you want to allow to relay
> >into the 'Client Hosts' list. You have now closed your relay.
>
> That's what I would have thought, too, but this morning I found that a
> spammer had used my SIMS to send out a few pieces of spam which SIMS
> delivered. The "Relay for Clients Only" box is checked (as it always has
> been) but the "Verify Return Paths" checkbox was not. I have since
> checked the latter box, and have seen no spam go out since then, but that
> doesn't mean it made any difference since the spammer's machine tried
> many times before succeeding anyway.
>
> So, where can I look to see what else I may have missed? The
> correspondence between my server and the spammer's machine
> (bounce.em5000.net) seems to have mentioned an unused IP address
> that's on my server. I can't tell if the spammer is using it or how it
> even could. That IP address is on my SIMS client IP list.

If SIMS thinks the message was sent from an IP that's in its client IP list,
that explains why SIMS relayed it. "Relay for Clients Only" hasn't broken;
SIMS is relaying the message because it thinks it's from a valid client
address.

Why SIMS thinks the connection is from a client IP is another, more serious,
matter. Either someone is actually sending spam from that address (we can't
know how possible that is, of course, without knowing more about your
situation) or the spammer is sending from a spoofed IP address. In either
case, if you don't need to send legitimate mail from the address in question,
removing it from the client IP list will solve the immediate relay problem.
Getting to the root of how the address might have been used by a spammer might
take a bit of detective work, though.

> I have no idea how to tell from the log or from the message queue what
> the IP address of the spammer's machine is.

SIMS logs either the IP address or domain name that SMTP connections come
from, as in:

23:21:28 1 SMTP-521([203.93.217.190]) SPAM? ...

The same information should be in the 'Received' line that SIMS writes into
the message's headers, along with whether or not SIMS could match a DNS A
record to the HELO/EHLO argument. So, if you can capture a copy of one of the
messages, you can get the info you're looking for.

> Anyway, if somebody can help me understand what else I need to do or
> check, I'm sure the information would be useful to others reading the
> list who are just starting out with SIMS. I've been reading this list for
> a long time, and now that I've actually got SIMS running, I get surprised.
>
> Thanks in advance!

No worries.

                   Christopher Bort | cbort@globalhomes.com
            Webmaster, Global Homes | webmaster@globalhomes.com
      <http://www.globalhomes.com/> | PGP public key available on request
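As an added illustration of the advice above (not code from the list, from SIMS, or from the poster), the script below reads log lines in the shape of the `SMTP-521([203.93.217.190])` line quoted in the reply and checks each connecting address against the 'Client Hosts' list, so a relayed message can be traced to the session whose peer SIMS treated as a client. The sample log lines, the client list and the peer addresses are constructed for the example; the exact wording of real SIMS log lines beyond the quoted prefix is an assumption.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the SIMS SMTP log line quoted
# above ("23:21:28 1 SMTP-521([203.93.217.190]) SPAM? ..."); the addresses,
# names and trailing text are made up for this example.
SAMPLE_LOG = """\
23:21:28 1 SMTP-521([203.93.217.190]) SPAM? rcpt=<someone@example.com>
23:22:03 1 SMTP-522([192.0.2.250]) MAIL FROM:<bulk@bounce.example>
23:22:40 1 SMTP-523(mail.example.net) MAIL FROM:<news@example.net>
"""

# Assumed 'Client Hosts' entries from the SMTP Service Settings. 192.0.2.250
# stands in for the "unused IP address" that was on the client list.
CLIENT_HOSTS = ["192.0.2.250", "192.0.2.10"]

LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \d+ SMTP-(?P<session>\d+)"
    r"\((?P<peer>[^)]*)\)\s*(?P<rest>.*)$"
)

def parse_peer(peer):
    """SIMS logs a bracketed IP literal or a bare host name; tell them apart."""
    if peer.startswith("[") and peer.endswith("]"):
        return "ip", peer[1:-1]
    return "host", peer

def audit_log(text, client_hosts):
    """Classify each SMTP session by whether its peer is on the client list.

    Returns [(session, peer, status)] where status is 'client' (SIMS would
    relay for it), 'outside' (not on the list) or 'unresolved' (a host name
    was logged, so it must be resolved before it can be compared).
    """
    clients = {ipaddress.ip_address(h) for h in client_hosts}
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an SMTP session line
        kind, value = parse_peer(m.group("peer"))
        if kind == "host":
            status = "unresolved"
        elif ipaddress.ip_address(value) in clients:
            status = "client"
        else:
            status = "outside"
        findings.append((m.group("session"), value, status))
    return findings

if __name__ == "__main__":
    for session, peer, status in audit_log(SAMPLE_LOG, CLIENT_HOSTS):
        print(f"session {session}: {peer} -> {status}")
```

A session reported as `client` whose peer is an address that should not be sending mail is the one to remove from the 'Client Hosts' list, as the reply suggests.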