
mail server hacked ? spamming


zxmax (Technical User, joined Nov 24, 2003, 179 posts, CA)
Hi all, this is driving me nuts. I'm running a mail server (a Deerfield product). My problem is my mail server keeps relaying, and I'm not open for relaying at all; I even blocked sending any emails out. Even after that I look at the raw log and I find lots of things like:
----------------------------------------------------
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:36 -0500 Client session Connected
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:37 -0500 Client session <<< 220 sinamail.com ESMTP Service(Sinamail SMTPD) ready Thu, 27 Nov 2003 16:29:41 +0800 (CST)
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:37 -0500 Client session >>> EHLO mail.mydomain.com
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:38 -0500 Client session <<< 250 SIZE 10240000
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:38 -0500 Client session >>> MAIL From:<bramble's@yahoo.com> SIZE=1070
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:38 -0500 Client session <<< 250 Sender <bramble's@yahoo.com> OK
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:38 -0500 Client session >>> RCPT To:<spick@sinamail.com>
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:40 -0500 Client session <<< 250 Recipient <spick@sinamail.com> OK
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:40 -0500 Client session >>> DATA
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:41 -0500 Client session <<< 354 Enter mail, end <CRLF>.<CRLF>
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:44 -0500 Client session <<< 250 Message accepted for delivery
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:44 -0500 Client session *** <bramble's@yahoo.com> <spick@sinamail.com> 1 1070 00:00:02 OK
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:44 -0500 Client session >>> QUIT
210.200.138.21 [00000478] Thu, 27 Nov 2003 03:33:45 -0500 Client session <<< 221 sinamail.com
SYSTEM [00000478] Thu, 27 Nov 2003 03:33:45 -0500 Client session Disconnected
-------------------------------------------------------------
How could it be accepted for delivery from a non-local sender to a non-local recipient? Could that be some kind of hacking into my server? If it is, can someone suggest software that could resolve this problem?

Any suggestion will be greatly appreciated.

Thanks
 
The server's local domain is sinamail.com ..

Connected to NK210-200-138-21.cl.fx.apol.com.tw (210.200.138.21).
Escape character is '^]'.
220 sinamail.com ESMTP Service(Sinamail SMTPD) ready Sat, 29 Nov 2003 06:16:43 +0800 (CST)

.. therefore it accepts mail for its local domain. This is quite normal.

However, it does not relay ..

Connected to NK210-200-138-21.cl.fx.apol.com.tw (210.200.138.21).
Escape character is '^]'.
220 sinamail.com ESMTP Service(Sinamail SMTPD) ready Sat, 29 Nov 2003 06:17:56 +0800 (CST)
helo dude
250 sinamail.com
mail from: chris@iproute.co.uk
250 Sender <chris@iproute.co.uk> OK
rcpt to: chris.ac@iproute.co.uk
553 Specified domain is not allowed.
quit
221 sinamail.com

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
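Chris's test above is the standard relay probe: greet the server, give a foreign sender, then ask it to accept a recipient in a domain it does not host, and see whether it answers 250 or a 55x refusal. The script below is an added example, not code from the thread or from either vendor, that performs that same dialogue programmatically and interprets the RCPT TO reply the way Chris did (250 for a local recipient is normal; 250 for a foreign recipient is an open relay). `sinamail.com` is the local domain from the thread; the HELO name and probe sender are placeholders, and the in-process fake server is constructed so the probe can run offline against the behaviour shown in the transcripts.

```python
import socket
import threading

# Added example, not from the thread: a scripted version of the relay probe
# Chris typed into telnet. LOCAL_DOMAIN is the thread's server domain; the
# HELO name and probe sender used below are placeholders.
LOCAL_DOMAIN = "sinamail.com"
RELAY_REFUSED = {550, 551, 553, 554}   # codes a closed relay returns for a foreign RCPT TO

def read_reply(rfile):
    """Read one SMTP reply (handles '250-' continuation lines); return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), lines

def rcpt_reply_code(sock, helo_name, sender, rcpt):
    """Walk HELO / MAIL FROM / RCPT TO and return the RCPT TO reply code.
    Raises RuntimeError if an earlier step is refused. Always sends QUIT."""
    rfile = sock.makefile("rb")
    def send(cmd):
        sock.sendall((cmd + "\r\n").encode("ascii"))
        return read_reply(rfile)
    try:
        code, banner = read_reply(rfile)           # 220 greeting
        if code != 220:
            raise RuntimeError(f"no 220 banner: {banner[0]}")
        for cmd in (f"HELO {helo_name}", f"MAIL FROM:<{sender}>"):
            code, lines = send(cmd)
            if code != 250:
                raise RuntimeError(f"{cmd!r} refused: {lines[0]}")
        code, _ = send(f"RCPT TO:<{rcpt}>")
        return code
    finally:
        try:
            send("QUIT")
        except (OSError, ConnectionError):
            pass
        rfile.close()

def verdict(code, rcpt):
    """Interpret the RCPT TO reply: 250 is fine for a local recipient only."""
    local = rcpt.lower().endswith("@" + LOCAL_DOMAIN)
    if code == 250:
        return "local delivery accepted" if local else "OPEN RELAY"
    if code in RELAY_REFUSED:
        return "relay refused"
    return f"unexpected reply {code}"

def fake_server(conn, local_domain=LOCAL_DOMAIN):
    """Constructed stand-in for the server in the thread, so the probe runs
    offline: accepts mail for its own domain, answers 553 for any other."""
    rfile = conn.makefile("rb")
    def reply(text):
        conn.sendall((text + "\r\n").encode("ascii"))
    reply(f"220 {local_domain} ESMTP Service ready")
    while True:
        raw = rfile.readline()
        if not raw:
            break
        cmd = raw.decode("ascii", "replace").strip()
        verb = cmd.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            reply(f"250 {local_domain}")
        elif verb == "MAIL":
            reply("250 Sender OK")
        elif verb == "RCPT":
            addr = cmd.split("<", 1)[-1].rstrip(">")
            if addr.lower().endswith("@" + local_domain):
                reply(f"250 Recipient <{addr}> OK")
            else:
                reply("553 Specified domain is not allowed.")
        elif verb == "QUIT":
            reply(f"221 {local_domain}")
            break
        else:
            reply("500 Command unrecognized")
    rfile.close()
    conn.close()

def probe_fake(rcpt):
    """Run the probe against the in-process fake server and return the verdict."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_server, args=(server,), daemon=True)
    t.start()
    try:
        code = rcpt_reply_code(client, "probe.example", "probe@example.com", rcpt)
        return verdict(code, rcpt)
    finally:
        client.close()
        t.join(timeout=2)

if __name__ == "__main__":
    for rcpt in ("spick@sinamail.com", "chris.ac@iproute.co.uk"):
        print(rcpt, "->", probe_fake(rcpt))
```

To run it against a real host you own, replace the `socketpair()` with a `socket.create_connection((host, 25))` and keep the rest; the probe deliberately never sends DATA, so a positive result leaves nothing in the remote queue.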
 
Thanks, IpRoute, for your input.

Good thing it's not relaying, but I get sooo many of these in the queue and it's killing my resources. My question is, why is it coming to my server?

As a matter of fact, sometimes I see some emails being relayed, and I see a message in the log saying that authentication was successful. Here is a copy of that log:

--------------------------------------------------------------
218.94.47.39 [000007CC] Thu, 27 Nov 2003 00:16:56 -0500 <<< RCPT TO:<sales@repenmedia.com>
218.94.47.39 [000007CC] Thu, 27 Nov 2003 00:16:56 -0500 >>> 250 2.1.5 <sales@repenmedia.com>... Recipient ok; will forward
205.158.62.137 [0000059C] Thu, 27 Nov 2003 00:16:57 -0500 Client session <<< 550 <tonestone@blackplanet.com>: inactive user
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:57 -0500 Connected
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:57 -0500 >>> 220-mail.mydomain.com ESMTP VisNetic.MailServer.v5.0.2.3; Thu, 27 Nov 2003 00:16:57 -0500
218.94.47.39 [000007CC] Thu, 27 Nov 2003 00:16:57 -0500 <<< DATA
218.94.47.39 [000007CC] Thu, 27 Nov 2003 00:16:57 -0500 >>> 354 Enter mail, end with "." on a line by itself
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:58 -0500 <<< EHLO counsellor's
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:58 -0500 >>> 250-mail.pcclick.ca Hello counsellor's [218.90.6.239], pleased to meet you.
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:58 -0500 <<< AUTH LOGIN
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:58 -0500 >>> 334 VXNlcm5hbWU6
218.94.47.39 [000007CC] Thu, 27 Nov 2003 00:16:59 -0500 *** <membership@yahoo.com> <sales@repenmedia.com> 1 897 00:00:02 OK
218.94.47.39 [000007CC] Thu, 27 Nov 2003 00:16:59 -0500 >>> 250 2.6.0 897 bytes received in 00:00:02; Message accepted for delivery
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:59 -0500 <<< d2VibWFzdGVy
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:59 -0500 >>> 334 UGFzc3dvcmQ6
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:17:00 -0500 <<< d2VibWFzdGVy
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:17:00 -0500 >>> 235 2.0.0 Authentication successful
----------------------------------------------------------------
Notice the authentication successful, and none of these domains are local. Also, my log files used to be about 100k; now they are about 25M. Can you imagine how much traffic is going on? I'm really frustrated.

Please, if anyone has any clue what is happening, it will be a great help.

Thanks
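The "Authentication successful" line in that log is the detail worth pulling apart. AUTH LOGIN sends the username and password as base64, so the two `d2VibWFzdGVy` lines the remote host sent are readable from the log: both decode to `webmaster`, meaning the host at 218.90.6.239 logged in as the `webmaster` account with a password identical to the account name, and the server then relayed for it as an authenticated user. The script below is an added example, not from the thread or from VisNetic, that walks a VisNetic-style session log, groups lines by session id, and reports for each AUTH LOGIN attempt which account was used, whether the login succeeded, and whether the password merely repeats the username. The sample lines are taken from the log quoted above (one unrelated session is included so the grouping is exercised); the log-line regex is an assumption about the format shown here, not a documented VisNetic format.

```python
import base64
import re
from collections import Counter

# Sample lines copied from the VisNetic log quoted in the thread: the AUTH LOGIN
# session 0000045C plus a couple of lines from an unrelated session 000007CC.
SAMPLE_LOG = """\
218.94.47.39 [000007CC] Thu, 27 Nov 2003 00:16:56 -0500 <<< RCPT TO:<sales@repenmedia.com>
218.94.47.39 [000007CC] Thu, 27 Nov 2003 00:16:56 -0500 >>> 250 2.1.5 <sales@repenmedia.com>... Recipient ok; will forward
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:57 -0500 Connected
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:58 -0500 <<< EHLO counsellor's
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:58 -0500 >>> 250-mail.pcclick.ca Hello counsellor's [218.90.6.239], pleased to meet you.
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:58 -0500 <<< AUTH LOGIN
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:58 -0500 >>> 334 VXNlcm5hbWU6
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:59 -0500 <<< d2VibWFzdGVy
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:16:59 -0500 >>> 334 UGFzc3dvcmQ6
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:17:00 -0500 <<< d2VibWFzdGVy
218.90.6.239 [0000045C] Thu, 27 Nov 2003 00:17:00 -0500 >>> 235 2.0.0 Authentication successful
"""

# Assumed line shape (from the lines above): "<ip> [<session>] <date> <<<|>>> <text>".
# In this log "<<<" is what the remote client sent and ">>>" is the server's reply.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<sid>[0-9A-Fa-f]+)\] .*? (?P<dir><<<|>>>) (?P<text>.*)$")

def _b64(text):
    """Decode one AUTH LOGIN token; None if it is not valid base64."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:            # binascii.Error is a subclass of ValueError
        return None

def auth_login_sessions(log_text):
    """Return one record per AUTH LOGIN exchange found in the log:
    session id, client ip, decoded username, whether the password equalled the
    username, and whether the server answered 235 (success) or 535 (failure)."""
    pending = {}                  # session id -> record still being assembled
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # 'Connected', '***' summary lines, etc.
        ip, sid, direction, text = m.group("ip", "sid", "dir", "text")
        from_client = direction == "<<<"
        if from_client and text.upper().startswith("AUTH LOGIN"):
            rec = {"session": sid, "ip": ip, "username": None,
                   "password_equals_username": None, "success": None,
                   "_stage": "user"}
            parts = text.split()
            if len(parts) > 2:    # AUTH LOGIN with the username as initial response
                rec["username"], rec["_stage"] = _b64(parts[2]), "pass"
            pending[sid] = rec
            continue
        rec = pending.get(sid)
        if rec is None:
            continue
        if from_client and rec["_stage"] == "user":
            rec["username"], rec["_stage"] = _b64(text), "pass"
        elif from_client and rec["_stage"] == "pass":
            password = _b64(text)     # compared only, never stored or returned
            rec["password_equals_username"] = (
                password is not None and password == rec["username"])
            rec["_stage"] = "result"
        elif not from_client and rec["_stage"] == "result" and text[:3] in ("235", "535"):
            rec["success"] = text.startswith("235")
            results.append({k: v for k, v in rec.items() if not k.startswith("_")})
            del pending[sid]
    return results

def successful_logins_by_ip(records):
    """Count successful AUTH LOGINs per client address, the view that shows which
    remote hosts are using a harvested account to relay through the server."""
    return Counter(r["ip"] for r in records if r["success"])

if __name__ == "__main__":
    found = auth_login_sessions(SAMPLE_LOG)
    for r in found:
        print(r)
    print(successful_logins_by_ip(found))
```

Run over the full 25M log, this turns "the log is growing" into a short list of (account, source address) pairs, which is what you need before deciding which passwords to change and which addresses to block.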
 
Well, I can't relay to that address from here ..

[chris@caesium chris]$ telnet 210.200.138.21 25
Trying 210.200.138.21...
Connected to NK210-200-138-21.cl.fx.apol.com.tw (210.200.138.21).
Escape character is '^]'.
220 sinamail.com ESMTP Service(Sinamail SMTPD) ready Sat, 29 Nov 2003 18:24:47 +0800 (CST)
helo ddude
250 sinamail.com
mail from: chris@iproute.co.uk
250 Sender <chris@iproute.co.uk> OK
rcpt to: sales@repenmedia.com
553 Specified domain is not allowed.
quit
221 sinamail.com
Connection closed by foreign host.

So, I can only think that you are allowing other relay networks. Not only can you specify what domains you can relay for, most mail servers can also be configured to accept relay connections from other network ranges. Maybe this is the case here. I certainly can't use it as a relay as you can see.

Your best bet now would be to speak to the vendor and go through your server configuration.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 