Mailing List SIMS@mail.stalker.com Message #15532
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Spam on my server
Date: Fri, 31 Aug 2007 23:19:10 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 5:59 PM +0100 8/31/07, Clive Bruton imposed structure on a stream of electrons, yielding:
Ok, it happened again, and as far as I can tell from the logs there is no POP log-in by the host sending the spam:

*******

First logged connection:

14:19:13 3 SMTP-522(smtp0000.mail.yahoo.com) Failed to verify. Real address is [125.82.235.75:2432]
14:19:13 3 SMTP-417([77.123.105.53]) Abort Received, reason=60
14:19:13 3 SMTP-417([77.123.105.53]) Reading Failed. Error Code=-25010. Read:
14:19:14 3 SMTP-399(wicked.com) Failed to connect to [208.236.11.161:25]. reason=60
14:19:14 3 SMTP [S.0002952391] dequeueing
14:19:14 3 SMTP-419(sohu.com) Failed to connect to [61.135.132.110:25]. reason=60
14:19:14 3 SMTP-419(sohu.com) No relay address is accessable. Error Code=-25010
14:19:14 3 SMTP [S.0002950057] dequeueing
14:19:14 3 SMTP [S.0002950080] dequeueing
14:19:14 3 SMTP [S.0002948942] dequeueing
14:19:14 3 SMTP [S.0002949070] dequeueing
14:19:14 3 SMTP [S.0002950104] dequeueing
14:19:14 3 SMTP-414(gzyp21.net) Failed to connect to [219.137.167.218:25]. reason=60
14:19:14 3 SMTP-413(gzyp21.net) Failed to connect to [219.137.167.218:25]. reason=60
14:19:14 3 SMTP [S.0002952427] dequeueing
14:19:14 3 SMTP [S.0002948832] dequeueing
14:19:14 3 SMTP [S.0002950248] dequeueing
14:19:14 3 SMTP [S.0002952376] dequeueing
14:19:14 3 SMTP [S.0002952380] dequeueing
14:19:14 3 SMTP [S.0002952387] dequeueing

Spam relay address identified by router:

14:19:16 5 ROUTER Input: lvlin(chinese.com)
14:19:16 5 ROUTER Parser: lvlin@chinese.com -> lvlin(chinese.com)
14:19:16 3 SMTP [S.0002948989] delayed by sina.com.cn: 450 4.1.8 <q105ba912@bdzagbaza.mo.cn>: Sender address rejected: Domain not found\r
14:19:18 1 SMTP-526([58.65.90.221]) SPAM? Host is blacklisted per RBL cbl.abuseat.org with result [127.0.0.2]
14:19:20 3 SMTP [S.0002952893] delayed by sina.com.cn: 450 4.1.8 <q10c6a112@bdzagbaza.mo.cn>: Sender address rejected: Domain not found\r
14:19:21 2 SMTP-522([125.82.235.75]) {S.0002956215} received, 964 bytes
14:19:21 5 ROUTER Input: lvlin(chinese.com)
14:19:21 5 ROUTER Parser: lvlin@chinese.com -> lvlin(chinese.com)

Another relay address:

14:19:22 5 ROUTER Input: caowhitneyq(mail.china.com)
14:19:22 5 ROUTER Parser: caowhitneyq@mail.china.com -> caowhitneyq(mail.china.com)
14:19:27 3 SMTP-529(18.186.133.219.broad.sz.gd.dynamic.163data.com.cn) Failed to verify. Real address is [219.133.186.18:3847]

Another relay address from a different host:

14:19:28 5 ROUTER Input: jlbrisbin(163data.com.cn)
14:19:28 5 ROUTER Parser: jlbrisbin@163data.com.cn -> jlbrisbin(163data.com.cn)
14:19:32 3 SMTP-528(sanshui.gd.cn) Failed to get IP addresses. Error Code=-3162
14:19:32 3 SMTP [S.0002952426] dequeueing

********

Checked logs, closest previous POP log-in from different host is five minutes previously. Relaying allowed from POP hosts for *one* minute after log-in.

It looks like you don't really have logging turned up.

Each subsystem (POP, SMTP, SYSTEM, HTTP) in SIMS has its own log level. The lack of level 4/5 SMTP entries above is proof that you have SMTP logging set to level 3, since the level 3 entries describe events between which many other lines would be logged if you had logging set more verbosely. Since you've got so little there for SMTP and it includes lines from 10 different sessions, some inbound and some outbound, I'm having a hard time seeing the relaying...


My best guess on this is that some machines on the LAN were logging into the POP host via the firewall/router (10.10.250.1) with the external name of the mail server (mail.indx.co.uk), rather than the LAN name of the server (mail.battersea.indx.co.uk). This caused the router/firewall itself to become "authenticated", thus any incoming SMTP was authenticated because it came through the router. ie:

LAN mail client -> router -> mail server

SIMS logs the LAN IP address of the router when these LAN clients log-in.

That would indeed authorize the router's IP address. Not good.

However, I'm not seeing any SMTP connections from anything but external addresses in the log snippets above.


I've changed all the LAN mail clients so that they log-in and send to mail.battersea.indx.co.uk (the LAN host), watching the logs to see what happens.

My guess on why someone could still relay five minutes after a POP log-in is that throughout that period SMTP mail was incoming, so kept the router authenticated.

Any other ideas?

That sounds reasonable.

You may want to reconsider your network configuration, if it is really doing what you think.

--
Bill Cole                                  bill@scconsult.com

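The check Clive describes doing by hand (is there a POP login from the sending host inside the one-minute relay window, and how far back is the nearest POP login from any host?) can be replayed mechanically over SIMS-style log lines. The script below is an added example for this thread; it is not code from the original post, from SIMS, or from Stalker. It parses the "HH:MM:SS level SUBSYS-NNN(peer) message" layout the quoted lines use, learns each inbound SMTP session's peer address from either the "([ip])" peer field or the "Real address is [ip:port]" verify message, and reports every message received from a peer that had no POP login within the window. The POP login line in the sample is invented (the thread shows no POP lines), as are the function names; the `refresh_on_smtp` switch goes beyond the thread by modelling Clive's guess that inbound SMTP traffic keeps an already-authorized address authorized, so the two behaviours can be compared on the same log.

```python
"""Replay SIMS-style log lines and check POP-before-SMTP relay windows.

Added example for this thread; not code from the original post, from SIMS
or from Stalker. Assumed rather than taken from the thread: the POP login
line wording, the function names, and the refresh_on_smtp knob.
"""
import re
from datetime import datetime, timedelta

# "HH:MM:SS level SUBSYS[-session][(peer)] message", the layout of the
# SMTP, POP and ROUTER lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<level>\d) (?P<sub>[A-Z]+)"
    r"(?:-(?P<sess>\d+))?(?:\((?P<peer>[^)]*)\))? (?P<msg>.*)$"
)
# A bracketed literal address, with or without a port: [1.2.3.4] or [1.2.3.4:25]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")


def parse_line(line):
    """Split one log line into its fields; None for lines that do not fit."""
    m = LINE_RE.match(line.rstrip("\r"))
    if not m:
        return None
    rec = m.groupdict()
    # The log carries no date, so every line is placed on the same dummy day.
    rec["time"] = datetime.strptime(rec["ts"], "%H:%M:%S")
    return rec


def peer_ip(rec):
    """Peer IP of an inbound session: the "([ip])" peer field, or the IP in a
    "Real address is [ip:port]" verify message. Outbound sessions only show
    the destination ("Failed to connect to [ip:25]"), which is deliberately
    ignored, so they return None."""
    if rec["peer"]:
        m = IP_RE.fullmatch(rec["peer"])
        if m:
            return m.group(1)
    m = re.search(r"Real address is " + IP_RE.pattern, rec["msg"])
    return m.group(1) if m else None


def check_relay_window(lines, window=timedelta(minutes=1), refresh_on_smtp=False):
    """Replay lines in order; for every message an inbound SMTP session
    received, report whether the peer IP had a POP login within `window`.

    refresh_on_smtp=True models the guess in the thread (inbound SMTP traffic
    keeping an authorized IP authorized); a what-if knob, not SIMS behaviour.
    """
    pop_login = {}   # ip -> time of that IP's most recent POP login
    sess_ip = {}     # SMTP session number -> peer ip, once learned
    report = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Assumed POP login shape: "POP-NNN([ip]) ... login ..." (not from the thread).
        if rec["sub"] == "POP" and "login" in rec["msg"].lower():
            ip = peer_ip(rec)
            if ip:
                pop_login[ip] = rec["time"]
            continue
        if rec["sub"] != "SMTP" or not rec["sess"]:
            continue                      # queue lines ("SMTP [S.x] dequeueing") have no session
        ip = peer_ip(rec)
        if ip:
            sess_ip[rec["sess"]] = ip
        ip = sess_ip.get(rec["sess"])
        if ip is None:
            continue                      # outbound session, or peer not yet known
        last = pop_login.get(ip)
        authorized = last is not None and rec["time"] - last <= window
        if refresh_on_smtp and authorized:
            pop_login[ip] = rec["time"]
        if "received" in rec["msg"]:
            # Nearest earlier POP login from *any* host: what the manual log check looked for.
            nearest = max(pop_login.values(), default=None)
            report.append({
                "time": rec["ts"], "session": rec["sess"], "ip": ip,
                "authorized": authorized,
                "last_pop_login_from_ip": last.strftime("%H:%M:%S") if last else None,
                "seconds_since_any_pop_login":
                    int((rec["time"] - nearest).total_seconds()) if nearest else None,
            })
    return report


# Constructed sample: the SMTP lines are those quoted in the thread; the POP line
# is invented and timed so the router's LAN address logged in five minutes before
# the spam was received.
SAMPLE_LOG = """\
14:14:21 2 POP-118([10.10.250.1]) Login for user clive
14:19:13 3 SMTP-522(smtp0000.mail.yahoo.com) Failed to verify. Real address is [125.82.235.75:2432]
14:19:14 3 SMTP-399(wicked.com) Failed to connect to [208.236.11.161:25]. reason=60
14:19:14 3 SMTP [S.0002952391] dequeueing
14:19:18 1 SMTP-526([58.65.90.221]) SPAM? Host is blacklisted per RBL cbl.abuseat.org with result [127.0.0.2]
14:19:21 2 SMTP-522([125.82.235.75]) {S.0002956215} received, 964 bytes
"""

# Constructed what-if: the router's own address keeps sending after its login.
WHATIF_LOG = """\
14:14:21 2 POP-118([10.10.250.1]) Login for user clive
14:15:10 2 SMTP-600([10.10.250.1]) {S.0000000001} received, 500 bytes
14:16:00 2 SMTP-601([10.10.250.1]) {S.0000000002} received, 500 bytes
"""

if __name__ == "__main__":
    for r in check_relay_window(SAMPLE_LOG.splitlines()):
        print(r)
    for knob in (False, True):
        print("refresh_on_smtp =", knob,
              [r["authorized"] for r in check_relay_window(WHATIF_LOG.splitlines(), refresh_on_smtp=knob)])
```

On the sample, the only received message (session 522 from 125.82.235.75) is reported with `authorized` False, no POP login ever seen from that address, and 300 seconds since the nearest POP login from any host, which is the "five minutes previously" observation. The what-if log shows the difference the refresh guess makes: with a strict one-minute window the second message from 10.10.250.1 is outside it, while with refresh-on-SMTP it stays authorized. Because the SMTP logging here is level 3, a real replay will often lack the "received" lines for sessions; turning SMTP logging up is what makes the check answerable from the log at all.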