Mailing List SIMS@mail.stalker.com Message #12405
From: Chris Ellens <domainadmin@sympatico.ca>
Subject: Paranoid newbie seeks reassurance
Date: Mon, 20 Jan 2003 12:12:06 -0800
To: <sims>
I've been testing SIMS on my LAN for some time now and only recently opened port 25 to the scary world out there.

I've also been lurking on this list for some time, so hopefully I've learned enough to configure SIMS properly.

But looking at some recent logs, I'm concerned that I might still be vulnerable.

02:16:58 4 SMTP-050() Got connection from [64.169.240.3:1087]
02:16:58 4 SMTP(tcp) Connection accepted from [64.169.240.3:1087], seq=49, 1/2
02:16:58 4 SMTP-050([64.169.240.3]) Sending 220-fmly.ca Stalker Internet Mail Server V.1.8b9d14 is ready.\r\n220 ESMTP is spoken here. You are welcome\r\n
02:16:58 5 SMTP-050([64.169.240.3]) OT 106 of 106 bytes sent, Flags=0
02:16:58 5 SMTP-050([64.169.240.3]) *Status=34
02:16:58 4 SMTP-050([64.169.240.3]) Looking for 3.240.169.64.relays.osirusoft.com
02:16:58 5 SMTP-050([64.169.240.3]) *Status=34

(other relay checks omitted here). It looks like the sender is not a known relay. OK.

02:16:59 5 SMTP-050([64.169.240.3]) Received 11 bytes
02:16:59 4 SMTP-050([64.169.240.3]) Input Line: HELO none\r
02:16:59 5 SMTP-050([64.169.240.3]) *Status=21
02:16:59 4 SMTP-050(none) Looking for none
02:16:59 3 SMTP-050(none) Failed to verify. Real address is [64.169.240.3:1087]
02:16:59 4 SMTP-050(none) Sending 250 fmly.ca cannot verify none\r\n
02:16:59 5 SMTP-050(none) OT 32 of 32 bytes sent, Flags=0

Couldn't verify. Doesn't that mean I shouldn't trust him and SIMS should drop the connection? But it accepts a message:

02:16:59 5 SMTP-050([64.169.240.3]) *Status=22
02:17:00 5 SMTP-050([64.169.240.3]) Received 37 bytes
02:17:00 4 SMTP-050([64.169.240.3]) Input Line: MAIL FROM:<handsomeguy@hotmail.com>\r
02:17:00 5 SMTP-050([64.169.240.3]) *Status=25
02:17:00 5 SYSTEM {S.0000018985} in work, ref=4702, nFresh=4
02:17:00 5 ROUTER Input: handsomeguy(hotmail.com)
02:17:00 5 ROUTER Parser: handsomeguy@hotmail.com -> handsomeguy(hotmail.com)
02:17:00 4 ROUTER redirected to email(NULL) (safe)
02:17:00 5 ROUTER Input: handsomeguy(NULL)
02:17:00 5 ROUTER Parser: handsomeguy@NULL -> handsomeguy(NULL)
02:17:00 5 ROUTER Input: NULL()
02:17:00 5 ROUTER Parser: NULL -> NULL()
02:17:00 4 SMTP-050([64.169.240.3]) Sending 250 <handsomeguy@hotmail.com> sender accepted\r\n

OK, I confess I'm so paranoid I have the following entry in my router:   *.com = NULL
Obviously it has no effect on the sender address.

02:17:00 5 SMTP-050([64.169.240.3]) OT 47 of 47 bytes sent, Flags=0
02:17:00 5 SMTP-050([64.169.240.3]) *Status=23
02:17:00 5 SMTP-050([64.169.240.3]) Received 31 bytes
02:17:00 4 SMTP-050([64.169.240.3]) Input Line: RCPT TO:<snowbaby@hotpop.com>\r
02:17:00 5 ROUTER Input: snowbaby(hotpop.com)
02:17:00 5 ROUTER Parser: snowbaby@hotpop.com -> snowbaby(hotpop.com)
02:17:00 4 ROUTER redirected to email(NULL) (safe)

Yes - redirecting to NULL should be safe!

02:17:00 5 ROUTER Input: snowbaby(NULL)
02:17:00 5 ROUTER Parser: snowbaby@NULL -> snowbaby(NULL)
02:17:00 5 ROUTER Input: NULL()
02:17:00 5 ROUTER Parser: NULL -> NULL()
02:17:00 4 SMTP-050([64.169.240.3]) Sending 250 <snowbaby@hotpop.com> Welcome to the Black Hole\r\n
02:17:00 5 SMTP-050([64.169.240.3]) OT 53 of 53 bytes sent, Flags=0

Ummm, correct me if I'm wrong, but did I just relay a message to "snowbaby"?

I've got "Relay for Clients only" (and only one IP address in the clients list). I've got "Verify Return Path" and "Use Blacklist Servers".
Any enlightenment as to how I can better protect my server would be appreciated.

Part of the reason I'm so paranoid is that a couple days after opening up port 25 on my router one of my ISP email addresses suddenly got swamped with bounced spam (400 msgs/day). But I've checked everything and nowhere is that email address used anywhere in my SIMS configuration. (It was used on a domain registration a few years back, though). I assume the incident was just a nasty coincidence.

--
Chris Ellens
Nepean, Ontario Canada
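The question the post ends on ("did I just relay a message to snowbaby?") can be answered mechanically from the log: the RCPT was rewritten by the router to NULL and the 250 reply says "Welcome to the Black Hole", so the message was accepted and discarded rather than forwarded. The script below is an added example, not code from the post or from Stalker; it reconstructs an SMTP session from SIMS log lines (the sample is constructed from the lines quoted above), records the DNSBL lookup, the HELO verification result, the envelope sender and each recipient's outcome, and lists only the recipients that were actually accepted for onward delivery. It also rebuilds the DNSBL query name (reversed octets plus zone) so the lookup the server made can be checked against the connecting IP. The interpretation of "ROUTER redirected to email(NULL)" as a discard, and the log field layout, are assumptions drawn from the quoted lines.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: SIMS log lines copied from the post, trimmed to the
# ones a transaction reconstruction needs. Raw string keeps the literal "\r".
SAMPLE_LOG = r"""
02:16:58 4 SMTP-050() Got connection from [64.169.240.3:1087]
02:16:58 4 SMTP-050([64.169.240.3]) Looking for 3.240.169.64.relays.osirusoft.com
02:16:59 4 SMTP-050([64.169.240.3]) Input Line: HELO none\r
02:16:59 3 SMTP-050(none) Failed to verify. Real address is [64.169.240.3:1087]
02:17:00 4 SMTP-050([64.169.240.3]) Input Line: MAIL FROM:<handsomeguy@hotmail.com>\r
02:17:00 5 ROUTER Input: handsomeguy(hotmail.com)
02:17:00 4 ROUTER redirected to email(NULL) (safe)
02:17:00 4 SMTP-050([64.169.240.3]) Sending 250 <handsomeguy@hotmail.com> sender accepted\r\n
02:17:00 4 SMTP-050([64.169.240.3]) Input Line: RCPT TO:<snowbaby@hotpop.com>\r
02:17:00 5 ROUTER Input: snowbaby(hotpop.com)
02:17:00 4 ROUTER redirected to email(NULL) (safe)
02:17:00 4 SMTP-050([64.169.240.3]) Sending 250 <snowbaby@hotpop.com> Welcome to the Black Hole\r\n
"""


@dataclass
class Session:
    channel: str
    peer_ip: str = ""
    helo: str = ""
    helo_verified: bool = True
    dnsbl_lookups: list = field(default_factory=list)
    mail_from: str = ""
    recipients: list = field(default_factory=list)  # (address, outcome)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookup name for an IPv4 address: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


# Field layout assumed from the quoted log lines (channel id in "SMTP-NNN(...)").
RE_CONN = re.compile(r"SMTP-(\d+)\(\) Got connection from \[([\d.]+):\d+\]")
RE_DNSBL = re.compile(r"SMTP-(\d+)\(\[[\d.]+\]\) Looking for (\S+)")
RE_HELO = re.compile(r"SMTP-(\d+)\(.*?\) Input Line: (?:HELO|EHLO) ([^\s\\]+)")
RE_MAIL = re.compile(r"SMTP-(\d+)\(.*?\) Input Line: MAIL FROM:<([^>]*)>")
RE_RCPT = re.compile(r"SMTP-(\d+)\(.*?\) Input Line: RCPT TO:<([^>]*)>")
RE_SEND = re.compile(r"SMTP-(\d+)\(.*?\) Sending (\d{3})[ -]")
ROUTED_TO_NULL = "ROUTER redirected to email(NULL)"


def reconstruct_sessions(log_text: str) -> dict:
    """Rebuild per-channel SMTP sessions; ROUTER lines carry no channel id, so they
    are attributed to the channel that issued the most recent command (assumption)."""
    sessions, current, pending = {}, None, None  # pending: [kind, address, sunk_to_null]
    for line in log_text.splitlines():
        if m := RE_CONN.search(line):
            current = m.group(1)
            sessions[current] = Session(channel=current, peer_ip=m.group(2))
        elif m := RE_DNSBL.search(line):
            sessions[m.group(1)].dnsbl_lookups.append(m.group(2))
        elif m := RE_HELO.search(line):
            sessions[m.group(1)].helo = m.group(2)
        elif "Failed to verify" in line and current:
            sessions[current].helo_verified = False
        elif m := RE_MAIL.search(line):
            current, pending = m.group(1), ["MAIL", m.group(2), False]
        elif m := RE_RCPT.search(line):
            current, pending = m.group(1), ["RCPT", m.group(2), False]
        elif ROUTED_TO_NULL in line and pending:
            pending[2] = True  # the router rewrote this address to the NULL sink
        elif (m := RE_SEND.search(line)) and pending:
            kind, address, sunk = pending
            code = m.group(2)
            if kind == "MAIL":
                sessions[current].mail_from = address
            else:
                if code.startswith("5"):
                    outcome = "rejected"
                elif sunk:
                    outcome = "sunk-to-NULL"  # accepted on the wire, then discarded
                else:
                    outcome = "accepted"      # queued for real delivery
                sessions[current].recipients.append((address, outcome))
            pending = None
    return sessions


def relayed_recipients(session: Session) -> list:
    """Recipients the server actually took on for delivery: the only ones that
    could constitute relaying. NULL-routed and rejected recipients do not count."""
    return [addr for addr, outcome in session.recipients if outcome == "accepted"]


if __name__ == "__main__":
    s = reconstruct_sessions(SAMPLE_LOG)["050"]
    print(f"peer {s.peer_ip}, HELO {s.helo!r} verified={s.helo_verified}")
    print("DNSBL lookups:", s.dnsbl_lookups)
    print("expected name:", dnsbl_query_name(s.peer_ip, "relays.osirusoft.com"))
    print("MAIL FROM:", s.mail_from)
    for addr, outcome in s.recipients:
        print(f"RCPT {addr}: {outcome}")
    print("relayed for delivery:", relayed_recipients(s))
```

Run over the quoted session, the script reports one recipient with outcome "sunk-to-NULL" and an empty "relayed for delivery" list, which is the reassurance the poster is after. The same reconstruction run over a full day's log gives a quick audit: any session with an unverified HELO, a non-client peer and a recipient that ends up "accepted" for a domain the server does not host is the case worth investigating.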


