Re: [edlug] Strange mail relaying DOS.
On Thu, Apr 15, 2004 at 10:59:37PM +0100, Andrew Aylett wrote:
> foo@[xxx.xxx.xxx.xxx], I think.
Ahem, our little secret?
> > The messages were queued and the bounces from hotmail
> > were coming back to the nonexistent user 'foo@xxx.xxx.xxx'
>
> That's really not a good thing :-((.
No I agree. Barring a change of IP address for the server this
machine has been happily running for at least the past three years
with no outages, no problems, and no history of relaying.
> If you telnet from your server to relay-test.mail-abuse.org, they will
> try to relay through your server (trying all sorts of interesting
> tactics). They won't blacklist you if you turn out positive.
I've done that, thanks for the tip. As I expected it didn't relay
for any of the first seven tests. The last few go like this:
:Relay test: #Test 6
>>> mail from: <spamtest@>
<<< 250 ok
>>> rcpt to: <nobody@xxx.xxx.xxx>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts
Nothing, I'm starting to like this.
:Relay test: #Test 7
>>> mail from: <spamtest@[xxx.xx.xxx.xx]>
<<< 250 ok
>>> rcpt to: <nobody@xxx.xxx.xxx>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts
Fine again - that's got the correct IP in it and it's being denied
as expected.
:Relay test: #Test 8
>>> mail from: <spamtest@>
<<< 250 ok
>>> rcpt to: <nobody%mail-abuse.org@>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts
No domain, and it's being dropped.
:Relay test: #Test 9
>>> mail from: <spamtest@>
<<< 250 ok
>>> rcpt to: <nobody%mail-abuse.org@[212.20.241.40]>
<<< 250 ok
>>> QUIT
System appeared to accept 1 relay attempts
This is the last one, and the only difference from the other IP
address based one is the addition of the '% hack'.
In the test which failed the sender was being spoofed and that
was rejected - in this case it's the recipient which is being spoofed
and for some reason the mail server is accepting it.
I think that I need to tell it that this isn't a valid relay domain.
> You can also check openrbl.org to see if you're listed on any of the
> blacklists as a spam source or an open relay (I suspect you might well
> be by now).
So far nothing, but I'll keep an eye on it.
Steve
--
-
----------------------------------------------------------------------
You can find the EdLUG mailing list FAQ list at:
http://www.edlug.org.uk/list_faq.html
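The relay test above passes the first eight probes and fails only on test 9, where the recipient uses the server's own IP literal plus the '% hack' in the local part. The check below is an added example, not code from the thread or from any MTA; it models the RCPT TO policy decision a hardened server makes: is the domain one we accept mail for, and if so, does the local part carry a source route (`%`, `!`, or an embedded `@`) that would turn local acceptance into a relay? The rcpthosts entry `example.org` is a constructed placeholder; `212.20.241.40` is the IP literal from test 9 and is assumed here to be the server's own address.

```python
"""Recipient relay-policy check that catches percent-hack source routing.

Added example: replays the RCPT TO values from the relay-test transcript
against a simple policy and shows why test 9 must be refused.
"""
from dataclasses import dataclass

# Domains this server accepts mail for (qmail keeps these in control/rcpthosts).
# Constructed placeholder value for the example.
RCPTHOSTS = {"example.org"}

# IP literals that name this server. 212.20.241.40 is the literal used in
# test 9 of the transcript; assumed here to be the server's own address.
LOCAL_IPS = {"212.20.241.40"}


@dataclass
class Verdict:
    accept: bool
    reason: str


def split_address(addr: str) -> tuple[str, str]:
    """Return (local_part, domain) from an SMTP path like <user@host>.

    The split is on the LAST '@' so that a source-routed local part such as
    'user@remote' in 'user@remote@us' is kept whole for inspection.
    """
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return addr, ""
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def is_source_routed(local: str) -> bool:
    """True if the local part asks us to forward somewhere else.

    '%'  - the percent hack: user%remote.example@us means
           'deliver to user@remote.example, via us'
    '!'  - UUCP bang path: remote!user
    '@'  - an extra '@' inside the local part (RFC 821 style route)
    """
    return any(c in local for c in "%!@")


def domain_is_local(domain: str) -> bool:
    """Match the domain against rcpthosts, handling [ip.literal] form."""
    if domain.startswith("[") and domain.endswith("]"):
        return domain[1:-1] in LOCAL_IPS
    return domain in RCPTHOSTS


def check_rcpt(addr: str, authenticated: bool = False) -> Verdict:
    """Decide whether to accept an RCPT TO from an unauthenticated client.

    Order matters: the domain test alone is what passed tests 6-8, and the
    source-route test is the extra step that test 9 needs.
    """
    local, domain = split_address(addr)
    if authenticated:
        return Verdict(True, "authenticated client may relay")
    if not domain:
        return Verdict(False, "no domain in recipient")
    if not domain_is_local(domain):
        return Verdict(False, "domain not in rcpthosts")
    if is_source_routed(local):
        return Verdict(False, "source-routed local part (percent hack)")
    return Verdict(True, "local delivery")


# RCPT TO values exactly as they appear in the transcript above.
TRANSCRIPT_RCPTS = {
    6: "<nobody@xxx.xxx.xxx>",
    7: "<nobody@xxx.xxx.xxx>",
    8: "<nobody%mail-abuse.org@>",
    9: "<nobody%mail-abuse.org@[212.20.241.40]>",
}


def replay_transcript() -> dict[int, bool]:
    """Return {test_number: accepted} for the transcript's recipients."""
    return {n: check_rcpt(r).accept for n, r in TRANSCRIPT_RCPTS.items()}


if __name__ == "__main__":
    for n, rcpt in TRANSCRIPT_RCPTS.items():
        v = check_rcpt(rcpt)
        print(f"Test {n}: {rcpt} -> {'250 ok' if v.accept else '553'} ({v.reason})")
```

With this policy every transcript recipient is refused; a plain local recipient such as `<nobody@[212.20.241.40]>` or `<user@example.org>` is still accepted, so the fix does not break legitimate delivery to the server's own address.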