Mailing List SIMS@mail.stalker.com Message #15531
From: Clive Bruton <clive@indx.co.uk>
Subject: Re: Spam on my server
Date: Fri, 31 Aug 2007 17:59:57 +0100
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Apple Mail (2.752.2)
OK, it happened again, and as far as I can tell from the logs there is no POP log-in by the host sending the spam:

*******

First logged connection:

14:19:13 3 SMTP-522(smtp0000.mail.yahoo.com) Failed to verify. Real address is [125.82.235.75:2432]
14:19:13 3 SMTP-417([77.123.105.53]) Abort Received, reason=60
14:19:13 3 SMTP-417([77.123.105.53]) Reading Failed. Error Code=-25010. Read:
14:19:14 3 SMTP-399(wicked.com) Failed to connect to [208.236.11.161:25]. reason=60
14:19:14 3 SMTP [S.0002952391] dequeueing
14:19:14 3 SMTP-419(sohu.com) Failed to connect to [61.135.132.110:25]. reason=60
14:19:14 3 SMTP-419(sohu.com) No relay address is accessable. Error Code=-25010
14:19:14 3 SMTP [S.0002950057] dequeueing
14:19:14 3 SMTP [S.0002950080] dequeueing
14:19:14 3 SMTP [S.0002948942] dequeueing
14:19:14 3 SMTP [S.0002949070] dequeueing
14:19:14 3 SMTP [S.0002950104] dequeueing
14:19:14 3 SMTP-414(gzyp21.net) Failed to connect to [219.137.167.218:25]. reason=60
14:19:14 3 SMTP-413(gzyp21.net) Failed to connect to [219.137.167.218:25]. reason=60
14:19:14 3 SMTP [S.0002952427] dequeueing
14:19:14 3 SMTP [S.0002948832] dequeueing
14:19:14 3 SMTP [S.0002950248] dequeueing
14:19:14 3 SMTP [S.0002952376] dequeueing
14:19:14 3 SMTP [S.0002952380] dequeueing
14:19:14 3 SMTP [S.0002952387] dequeueing

Spam relay address identified by router:

14:19:16 5 ROUTER Input: lvlin(chinese.com)
14:19:16 5 ROUTER Parser: lvlin@chinese.com -> lvlin(chinese.com)
14:19:16 3 SMTP [S.0002948989] delayed by sina.com.cn: 450 4.1.8 <q105ba912@bdzagbaza.mo.cn>: Sender address rejected: Domain not found\r
14:19:18 1 SMTP-526([58.65.90.221]) SPAM? Host is blacklisted per RBL cbl.abuseat.org with result [127.0.0.2]
14:19:20 3 SMTP [S.0002952893] delayed by sina.com.cn: 450 4.1.8 <q10c6a112@bdzagbaza.mo.cn>: Sender address rejected: Domain not found\r
14:19:21 2 SMTP-522([125.82.235.75]) {S.0002956215} received, 964 bytes
14:19:21 5 ROUTER Input: lvlin(chinese.com)
14:19:21 5 ROUTER Parser: lvlin@chinese.com -> lvlin(chinese.com)

Another relay address:

14:19:22 5 ROUTER Input: caowhitneyq(mail.china.com)
14:19:22 5 ROUTER Parser: caowhitneyq@mail.china.com -> caowhitneyq(mail.china.com)
14:19:27 3 SMTP-529(18.186.133.219.broad.sz.gd.dynamic.163data.com.cn) Failed to verify. Real address is [219.133.186.18:3847]

Another relay address from a different host:

14:19:28 5 ROUTER Input: jlbrisbin(163data.com.cn)
14:19:28 5 ROUTER Parser: jlbrisbin@163data.com.cn -> jlbrisbin(163data.com.cn)
14:19:32 3 SMTP-528(sanshui.gd.cn) Failed to get IP addresses. Error Code=-3162
14:19:32 3 SMTP [S.0002952426] dequeueing

********

Checked the logs; the closest previous POP log-in, from a different host, is five minutes earlier. Relaying is allowed from POP hosts for *one* minute after log-in.

My best guess on this is that some machines on the LAN were logging into the POP host via the firewall/router (10.10.250.1) using the external name of the mail server (mail.indx.co.uk), rather than the LAN name of the server (mail.battersea.indx.co.uk). This caused the router/firewall itself to become "authenticated", thus any incoming SMTP was authenticated because it came through the router, i.e.:

LAN mail client -> router -> mail server

SIMS logs the LAN IP address of the router when these LAN clients log in.

I've changed all the LAN mail clients so that they log in and send to mail.battersea.indx.co.uk (the LAN host), and I'm watching the logs to see what happens.

My guess on why someone could still relay five minutes after a POP log-in is that throughout that period SMTP mail was incoming, so kept the router authenticated.

Any other ideas?


-- Clive
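The check below is an added example, not code from the post or from SIMS. It replays SIMS-style log lines in order, remembers the most recent POP log-in per source IP, and for every SMTP message "received" reports whether the source IP was still inside its POP-before-SMTP relay window, and whether that authorisation belongs to the NAT router's LAN address rather than to a real client. The router address (10.10.250.1) and the one-minute window are taken from the post; the shape of the SMTP "received" line mirrors the line quoted above. The POP log-in line format is an assumption, since the post shows no POP lines, and all sample log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# From the post: the firewall/router's LAN address and the relay window.
ROUTER_LAN_IP = "10.10.250.1"
RELAY_WINDOW = timedelta(minutes=1)

# The SMTP "received" pattern mirrors the line quoted in the post.
# The POP log-in pattern is an ASSUMPTION about the log format.
POP_LOGIN_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) \d POP-\d+\(\[([\d.]+)\]\) (\S+) logged in")
SMTP_RECV_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) \d SMTP-\d+\(\[([\d.]+)\]\) \{(S\.\d+)\} received, (\d+) bytes")

# Constructed sample log: a LAN client logs in via the router at 14:14:02,
# a message arrives from the router's IP 28 s later, a message arrives
# from an external host with no POP log-in at all, and a second message
# arrives from the router's IP five minutes after the log-in.
SAMPLE_LOG = """\
14:14:02 2 POP-101([10.10.250.1]) lanuser logged in
14:14:30 2 SMTP-410([10.10.250.1]) {S.0002948800} received, 512 bytes
14:19:21 2 SMTP-522([125.82.235.75]) {S.0002956215} received, 964 bytes
14:19:40 2 SMTP-530([10.10.250.1]) {S.0002956300} received, 700 bytes
"""


def parse_time(hhmmss):
    # Times only, no date: a log that crosses midnight would need a date too.
    return datetime.strptime(hhmmss, "%H:%M:%S")


def audit_relay_window(log_text, window=RELAY_WINDOW, router_ip=ROUTER_LAN_IP):
    """Replay the log and classify each received SMTP message by whether its
    source IP had a POP log-in inside the relay window. A source IP that is
    the NAT router is flagged separately: every host whose traffic the server
    sees as coming from that address inherits the authorisation."""
    last_pop = {}  # source IP -> datetime of its most recent POP log-in
    findings = []
    for line in log_text.splitlines():
        m = POP_LOGIN_RE.match(line)
        if m:
            ts, ip, _user = m.groups()
            last_pop[ip] = parse_time(ts)
            continue
        m = SMTP_RECV_RE.match(line)
        if not m:
            continue  # dequeueing, router, RBL lines etc. are not relay evidence
        ts, ip, msgid, _size = m.groups()
        now = parse_time(ts)
        seen = last_pop.get(ip)
        if seen is None:
            status = "no_pop_login"
        elif now - seen <= window:
            status = "authorised_via_nat" if ip == router_ip else "authorised"
        else:
            status = "window_expired"
        findings.append({
            "time": ts,
            "ip": ip,
            "msgid": msgid,
            "status": status,
            "since_pop_s": None if seen is None else int((now - seen).total_seconds()),
        })
    return findings


def nat_authorised(findings):
    """Message IDs that relayed only because the router's IP was 'logged in'."""
    return [f["msgid"] for f in findings if f["status"] == "authorised_via_nat"]


if __name__ == "__main__":
    for f in audit_relay_window(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']:>16} {f['msgid']} {f['status']:<20} "
              f"since_pop={f['since_pop_s']}")
    print("relayed on the router's authorisation:", nat_authorised(audit_relay_window(SAMPLE_LOG)))
```

Running it over the constructed log marks S.0002948800 as authorised via the router's address, S.0002956215 as having no POP log-in at all, and S.0002956300 as outside the one-minute window. Whether a given server also extends the window on incoming SMTP activity, as the post speculates, is not something this replay can tell you; it only shows which messages the POP-before-SMTP rule, as stated, would have let through.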