
[cobalt-users] RE: Closing port 23



At 1:42 PM -0500 1/8/03, Tom Nelson is rumored to have typed:

> I guess I thought it may be a way of preventing spammers from using my mail
> server to send mail.

   You guessed wrong, because you don't understand how SMTP works. Just trust
us that a properly-configured mail server should allow a telnet connection
from (practically) any machine, it simply shouldn't accept and deliver
third-party relay mail. (It _has_ to receive connections to deliver mail into
your box. Really. Believe us.)

> Yet it still looks like someone is able to connect somehow to spam...
> I get lots of bounce back messages....

   Whoa, youngster...without seeing the bounce messages I can't be certain,
but I'd be willing to wager (assuming you have POP before SMTP active) that
the "bounces" you're getting are brain-damaged machines bouncing to forged
Return-Path: or Errors-To: header fields within spam. I can't speak for
everyone, but every mail administrator I know has to deal with bounce
messages which show up on mail that was never sent from our servers.

   If someone sends a spam with a forged envelope address of
support@xxxxxxxxxxxxx, you WILL receive a bunch of bounces even if the mail
was sent through a China open relay.

> And how are they able to do the
> following...

   Assuming you have POP before SMTP active, it could be (probably is, in
fact) that your machine is receiving email from 205.183.255.230 targeted to
an address on your machine that forwards to dtk27@xxxxxxx - it might be
inbound spam, but it isn't an open relay.

   Let's say you host my domain domain.tld on your machine. Let's also say I
have an address, me@xxxxxxxxxx on your box that is configured to forward mail
to dummyaddress@xxxxxxxx. If spam comes in targeted to me@xxxxxxxxxx, your
machine (as configured in this hypothetical) _should_ forward the spam to the
dummyaddress@xxxxxxx address.

   So check your /etc/aliases file for the dtk27@xxxxxxx address; if as I
suspect it's there, you don't _have_ a problem. (Well, ok, other than
receiving spam, which is one we _all_ have.)

   Here's an example of a forwarded message which is probably spam, but
should still be forwarded since it's targeted to a legitimate address on the
server (target address and domain have been munged, of course):

Jan  8 14:25:31 www sendmail[1603]: OAA01603:
from=<yourcar.660@xxxxxxxxxxxxxxxxxxxxxxxx>, size=2352, class=0, pri=32352,
nrcpts=1, msgid=<80325190.8900599@mailhost>, bodytype=8BITMIME, proto=ESMTP,
relay=host13.discountcertificates.com [66.240.154.13]
Jan  8 14:25:34 www sendmail[1604]: OAA01603: to=SOMEONE@xxxxxxxxxxxxxx,
delay=00:00:04, xdelay=00:00:02, mailer=esmtp, relay=mail.SOMEDOMAIN.com.
[24.104.61.50], stat=Sent (2.0.0 h08EbZLN011570 Message accepted for delivery)

   This isn't a third-party relay, it's just a forwarded message.

> And how can I stop it???

   Assuming my hypothesis is correct...you can't, other than deny Premiere
Technology (205.183.255.192 - 205.183.255.255 - xpedite.com,
messagereach.com, and a bunch of other alleged "opt-in" domains) from
accessing your server. If I'm right, your machine is doing EXACTLY what it
should be doing.

   (FWIW, I DENY 205.183.255.0/24 in my ipchains, so trust me...I've dealt
with these spammers before. I added the block back in February, after
rejecting messagereach.com in my access file and getting tired of seeing them
in the log every day anyway. Now that I drop their packets on the floor, I
don't get any of their garbage anymore.)

   The first thing you need to do is test whether or not POP before SMTP is
working. You can do that by trying to send mail before receiving it (yeah,
yeah, I know). If that works, the spammers aren't using you as a third-party
relay, they are just spamming into your machine. Welcome to the club.  ;)

         Charlie

   P.S. None of this is really Cobalt-specific, and so probably should be
taken to a sendmail list instead. Or, if you're more interested in spam, one
of the many anti-spam mailing lists or newsgroups. My gut tells me you need
to learn a little more about how sendmail works, and how spammers operate,
before you decide your machine is being used as a third-party relay.

         Me
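Charlie's advice above boils down to two checks: read the sendmail log to see where each message came in from and where it went, and look in /etc/aliases to see whether an off-box recipient is simply the target of a local forward. The script below is an added example, not part of the thread and not Charlie's or Tom's code; it automates that triage for log lines in the format quoted in the message. It pairs each queue ID's from= and to= records, labels deliveries to a local domain as inbound, labels off-box deliveries whose recipient appears as an alias target as forwards (the case Charlie describes), and flags the remaining off-box deliveries from remote senders as suspect relays for a closer look. The local domain, the aliases file content, and every host, address and IP in it are constructed placeholders.

```python
"""Triage sendmail log records by queue ID: is an off-box delivery an alias forward
or a possible third-party relay?  Added example; all sample data is constructed."""
import re
from collections import defaultdict

# Assumption: the domains this host accepts mail for (substitute your own).
LOCAL_DOMAINS = {"example.net"}

# Constructed /etc/aliases content in the usual "name: target, target" form.
ALIASES_TEXT = """\
# constructed sample aliases file
postmaster: root
me: dummyaddress@example.org
sales: alice@example.net, bob@example.org
"""

# Constructed log lines in the format quoted in the post (documentation IP ranges).
SAMPLE_LOG = """\
Jan  8 14:25:31 www sendmail[1603]: OAA01603: from=<promo@bulk.example.com>, size=2352, class=0, pri=32352, nrcpts=1, msgid=<1@mailhost>, bodytype=8BITMIME, proto=ESMTP, relay=host13.bulk.example.com [192.0.2.13]
Jan  8 14:25:34 www sendmail[1604]: OAA01603: to=dummyaddress@example.org, delay=00:00:04, xdelay=00:00:02, mailer=esmtp, relay=mail.example.org. [198.51.100.50], stat=Sent (2.0.0 Message accepted for delivery)
Jan  8 14:30:01 www sendmail[1610]: OAA01610: from=<anyone@spammer.example>, size=900, class=0, pri=30900, nrcpts=1, msgid=<2@mailhost>, proto=SMTP, relay=[203.0.113.7]
Jan  8 14:30:03 www sendmail[1611]: OAA01610: to=victim@elsewhere.example, delay=00:00:02, mailer=esmtp, relay=mx.elsewhere.example. [198.51.100.9], stat=Sent (ok)
Jan  8 14:31:00 www sendmail[1620]: OAA01620: from=<alice@example.net>, size=300, class=0, pri=30300, nrcpts=1, msgid=<3@www>, proto=ESMTP, relay=localhost [127.0.0.1]
Jan  8 14:31:01 www sendmail[1621]: OAA01620: to=friend@elsewhere.example, delay=00:00:01, mailer=esmtp, relay=mx.elsewhere.example. [198.51.100.9], stat=Sent (ok)
Jan  8 14:32:00 www sendmail[1630]: OAA01630: from=<newsletter@list.example>, size=500, class=0, pri=30500, nrcpts=1, msgid=<4@list>, proto=ESMTP, relay=list.example [192.0.2.40]
Jan  8 14:32:01 www sendmail[1631]: OAA01630: to=carol@example.net, delay=00:00:01, mailer=local, relay=local, stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")

def parse_aliases(text):
    """Return the lowercased set of addresses that local aliases expand to."""
    targets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        _, rhs = line.split(":", 1)
        targets.update(t.strip().lower() for t in rhs.split(",") if t.strip())
    return targets

def parse_fields(fields):
    """Turn 'k=v, k=v, ...' into a dict, stripping the <> around addresses."""
    out = {}
    for part in fields.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key] = value.strip("<>")
    return out

def parse_log(text):
    """Group the from= record and all to= records of each message by queue ID."""
    msgs = defaultdict(lambda: {"from": "", "from_relay": "", "to": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = parse_fields(m.group("fields"))
        rec = msgs[m.group("qid")]
        if "from" in f:
            rec["from"] = f["from"].lower()
            rec["from_relay"] = f.get("relay", "").lower()
        elif "to" in f:
            rec["to"].append(f["to"].lower())
    return msgs

def is_local_relay(relay):
    """True when the message was submitted from this host itself."""
    return relay == "local" or relay.startswith("localhost") or "[127.0.0.1]" in relay

def classify(rec, alias_targets, local_domains=LOCAL_DOMAINS):
    """outbound: submitted from this host; inbound: delivered to a local domain;
    forwarded: remote sender, off-box delivery to an alias target (the post's case);
    suspect-relay: remote sender, off-box delivery to an address no alias points at."""
    if is_local_relay(rec["from_relay"]):
        return "outbound"
    labels = set()
    for to in rec["to"]:
        domain = to.rsplit("@", 1)[-1] if "@" in to else ""
        if domain in local_domains:
            labels.add("inbound")
        elif to in alias_targets:
            labels.add("forwarded")
        else:
            labels.add("suspect-relay")
    for label in ("suspect-relay", "forwarded", "inbound"):  # worst case wins
        if label in labels:
            return label
    return "unknown"

def audit(log_text=SAMPLE_LOG, aliases_text=ALIASES_TEXT):
    """Map each queue ID to its label; the caller decides what to do about suspect-relay."""
    targets = parse_aliases(aliases_text)
    return {qid: classify(rec, targets) for qid, rec in parse_log(log_text).items()}

if __name__ == "__main__":
    for qid, label in sorted(audit().items()):
        print(f"{qid}: {label}")
```

Run against the constructed data it reports the first message as forwarded (the recipient is the target of the "me" alias, exactly the situation Charlie suspects), the third as outbound, the fourth as inbound, and the second as a suspect relay. A "suspect-relay" label is a prompt to look, not proof of an open relay: a remote host that had just authorised itself through POP before SMTP also shows up with a remote relay= on its from= record, which is why Charlie's manual test (try to send before you pop) remains the complement to this log check.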