1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SPAM and a relay server

Discussion in 'Networks' started by Leehaa, Jan 24, 2008.

  1. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Someone is using one of my clients servers as a relay.

    We thought we had fixed the issue and locked everything down internally as thought that was where it was coming from - also locked down in Domino server doc due to some suggestions made by you guys / research etc, but have noticed a sudden increase in the number of nonsense emails going out to random addresses from there again...

    Server is set up with message labs.

    Firewall is a bit sus -

    Its set that ALL WAN traffic in is denied apart from some specific traffic - message labs on port 25, and LAN traffic is allowed out.

    The firewall is still allowing you to telnet into the server though??!?...


    Any ideas?? :blink
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  2. Stoney

    Stoney Megabyte Poster

    731
    23
    69
    Is that telnet on port 25?

    Are you sure a client isn't compromised on the internal side of the LAN?
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  3. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Edit: Doh! Sorry I am now confusing things more!!

    The telnet I used was to port 25, and got through!
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  4. Notes_Bloke

    Notes_Bloke Terabyte Poster

    3,230
    54
    146
    Hi Leehaa,
    Have you tested the mail server from outside to see if it is allowing open relay?
    Try this linky to test for open relay.

    HTH
    NB:)
     
    Certifications: 70-210, 70-215, A+,N+, Security+
    WIP: MCSA
  5. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    I always use this link to test my mail servers from the outside world. Run the MX lookup from there then it will test to see whether its an open relay for you.

    Like Stoney, I'm leaning towards it being a compromised internal machine. This would be especially likely if your firewall was allowing all traffic outbound.
     
    Certifications: A few
    WIP: None - f*** 'em
  6. Stoney

    Stoney Megabyte Poster

    731
    23
    69
    Hi Leehaa,

    If you managed to telnet into the server from outside of the LAN on port 25 then I would say that you firewall is allowing access to the email server and thus allowing relaying.

    If not, I would setup a network sniffer and see if you can pin point where a lot of smtp traffic is coming from on the internal side of the LAN.

    HTH
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  7. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Only allow port 25 outbound from the IP of the Domino server and see what happens.

    Do the MX records for the domain go to a message labs server first and then forwarded onto the domino server? If so then you shouldn’t be able to telnet into the server on port 25 from an external location.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  8. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Thanks for all the input folks.

    Sparky - yes the MX records do go to the message labs first.

    Ran the MX record test and all pointed to message labs.

    I ran the above relay test and it failed (which indicates it may be a internal machine)...

    Will keep at it...

    but it worries me that we were still able to telnet into port 25 when we shouldn't be able to??!?:blink A colleague (who does contract work for us from time to time) has tried it from his home LAN and he could get in too?...but as I said, the relay test failed? Am really confused???
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  9. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Lee

    Just because you can telnet to port 25 on the server doesn't mean its allowing relaying. In fact, it just indicates that the SMTP service is up and running on that port (as it should be). Your MX records point correctly to the MessageLabs servers, so, providing you're not running an open relay, your maail server isn't vulnerable to an open-relay type of attack. Of course, as Sparky says, you shouldn't be able to telnet to the SMTP service if you're routing via a gateway server.
     
    Certifications: A few
    WIP: None - f*** 'em
  10. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    I am not that clued up on this side of things. Please can you advise? What is a safe network sniffer to use? How about this:

    http://netsecurity.about.com/od/securitytoolprofiles/p/aapranalogx.htm ??

    Thank you :oops:
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  11. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Oh - right -ok. Thank you.
    So why, do you think, it is that we can still telnet to the service? I know it isn't such a huge issue now, but it bugs me, and I want to know why it's still happening!!
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  12. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Certifications: A few
    WIP: None - f*** 'em
  13. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Aaaaah!! Just found out that although the telnet banner was displaying...do anything else and it gets rejected!! Doh - Lol :D
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  14. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Groovy - thanking you!!
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  15. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Well there you go then - breathe easier!

    Now all you've got to do is find the rogue machine internally - though that shouldn't be too hard. Ask your firewall guys to set up logging on the 'allow any outbound' rule (oooooh - I just got a shiver down my spine when i typed that!) and see which machines are making repeated connection attempts to outside IPs on port 25 and 6667 (IRC) - indicative of a mass mailing worm trying to spam and also connect back to the mothership (a bot herder) via an IRC channel
     
    Certifications: A few
    WIP: None - f*** 'em

Share This Page

Loading...