
RE: [cobalt-users] SMTP hole maybe - any ideas



Hi Andreas,

> Hmmm... seems to be harder than anticipated...
>
> > It seems unbelievable that this can happen to be honest. With this
> > scenario it would surely mean that the server's own SMTP server can be used
> > to send spam mail to people on that server with no method of tracing the
> > culprit's normal mail route.
>
> There are log files and Received-Kludges in mails so there is a trace
> Check the header of the mail you mentioned in your former mail.
>
> > i.e. they look for a company that provides hosting that in some cases
> > lists a large number of their clients, for which that spammer then picks a
> > domain as its sending email address and then sends loads of spam to the
> > other domains, in that first domain's name in effect. Surely can't be
> > right....
>
> you did miss the point: If the mail server knows it is responsible for the
> receiver or if the sender is known (there is a reason I wrote that the
> sender normally is not determined by the email address).
>
> Anyone can send any spam to any address as long as it is either known or
> guessable. So if you write on this list your email address is in the list
> archive that is accessible on the web. Harvesters will get it and voila,
> you get spam. Add postmaster@, webmaster@, info@ to the addresses connected
> to your domain and with any luck you'll get 4 of them. You don't need to
> have any local address as sender and that's not the point here.
>
> The validity of a sender is mostly determined by:
> - the smtp-server feels responsible for the recipient (normally no further
>   check is done - it relays the mail to this recipient)
> - the ip address of the sending host (client or server) is known and allowed
>   to relay (e.g. ISP dialin-pools, office nets and so on)
> - there is some way of authentication involved (smtp-auth or smtp-after-pop)
>
> In these cases the mail gets relayed.
>
> Surely your office is allowed to relay through your raq3, otherwise nobody
> in your office would be allowed to send mail to the outside world.
> Additionally you sent the mail to a "local" address, so it got relayed
> anyway.
>
> Because your raq3 doesn't know about the outside MX (it is told by
> configuration that it is the host that handles your domain) it'll deliver
> the mail locally so there is no pop3 involved.
>
> > Any one else got any ideas of stopping this...
>
> I'm not a native speaker, but I'll do anything needed to explain to you that
> your raq3 does anything that it is supposed to do. Just because any other
> mailserver in the world knows another host is MX for your domain doesn't
> mean your raq3 cares about (and it doesn't need to).
>
> It's not an exploit, it's not a security problem and for god's sake it's not
> a new way to send spam.
>
> It is the result of a crude hack to allow you to use a smtp server behind a
> dialin connection and the fact that your smtp server doesn't know about this
> hack.

Your points are not lost on me and I am grateful for the input, and yes it has been a long
day already and maybe I am missing something very obvious in what you are saying and the
workings of SMTP, so please bear with me just a tick :)

From what I have experienced, this means that I could surely in effect find someone else's
raq3, locate domains on it and send emails through its smtp server to other domains on
that server, when I have nothing whatsoever to do with it. Thus I could in effect say to
the people I email within that server that I am their hosting supplier (if their domain
and email is run from that server) and say "You are the worst customer we have had and
want you to go away" hehehe

The only thing that will be traceable is the method with which they connect to the
internet, i.e. their dynamic IP address.

If I am getting this so so wrong then please forgive me and excuse my tired tired head....

I need more coffee obviously :)

Thanks

Mac
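Added example (not from this thread and not Cobalt's RaQ mail software): a toy model of the three relay criteria Andreas lists (local recipient, allowed client network, SMTP AUTH) and a small Received-header walker that recovers the trace he points to. The domain names, networks and sample headers are constructed for the example; the envelope sender's domain is deliberately never consulted, which is exactly why a forged local sender to a local recipient gets delivered.

```python
"""Relay decision and Received-header trace, modelled on the thread.

All names, networks and header lines below are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class RelayPolicy:
    local_domains: set         # domains this server is configured to handle
    relay_networks: list       # ip_network objects allowed to relay anywhere
    authenticated_users: set   # users who have passed SMTP AUTH

    def decide(self, mail_from, rcpt_to, client_ip, auth_user=None):
        """Return (accept, reason) for one RCPT TO.

        Only the recipient domain, the client address and authentication
        are checked. MAIL FROM is accepted but never trusted as identity.
        """
        rcpt_domain = rcpt_to.rpartition("@")[2].lower()
        if rcpt_domain in self.local_domains:
            # Server feels responsible for the recipient: local delivery,
            # no relay check, whatever MAIL FROM claims.
            return True, "recipient is local: delivered without relay check"
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.relay_networks):
            return True, "client network is allowed to relay"
        if auth_user and auth_user in self.authenticated_users:
            return True, "client authenticated via SMTP AUTH"
        return False, "relaying denied"


# Bracketed IPv4 literal as written into Received: lines by most MTAs.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def trace_received(raw_headers):
    """Return the client IPs from Received: headers, earliest hop first.

    Each MTA prepends its Received: line, so the last one in the message
    is the first hop, i.e. the address that actually connected.
    """
    hops = [h for h in unfold_headers(raw_headers) if h.lower().startswith("received:")]
    ips = []
    for hop in reversed(hops):
        m = RECEIVED_IP.search(hop)
        if m:
            ips.append(m.group(1))
    return ips


# Constructed sample: a dial-in client (198.51.100.42) connected to the
# hosting box and forged a sender from another customer's domain.
SAMPLE_HEADERS = """\
Received: from mail.example-hosting.test (mail.example-hosting.test [192.0.2.10])
    by mx.example-hosting.test with ESMTP id abc123
Received: from dialin-pc (dialin-42.isp.example [198.51.100.42])
    by mail.example-hosting.test with SMTP
From: "Someone" <fake@customer-a.test>
To: victim@customer-b.test
"""

POLICY = RelayPolicy(
    local_domains={"customer-a.test", "customer-b.test"},
    relay_networks=[ipaddress.ip_network("10.0.0.0/24")],   # office LAN
    authenticated_users={"mac"},
)


def thread_scenario():
    """The four cases discussed in the thread, as (accept, reason) tuples."""
    return {
        # outsider, forged local sender, local recipient: delivered (Andreas's point)
        "forged_to_local": POLICY.decide("fake@customer-a.test", "victim@customer-b.test", "198.51.100.42"),
        # same outsider trying to relay to a third party: denied
        "forged_to_remote": POLICY.decide("fake@customer-a.test", "x@elsewhere.test", "198.51.100.42"),
        # office network: allowed to relay anywhere
        "office_to_remote": POLICY.decide("mac@customer-a.test", "x@elsewhere.test", "10.0.0.5"),
        # roaming user with SMTP AUTH: allowed to relay anywhere
        "auth_to_remote": POLICY.decide("mac@customer-a.test", "x@elsewhere.test", "203.0.113.7", auth_user="mac"),
    }


if __name__ == "__main__":
    for name, (ok, why) in thread_scenario().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}: {why}")
    print("originating hop:", trace_received(SAMPLE_HEADERS)[0])
```

The forged mail is accepted because the recipient is local, not because the sender looked local; what survives for tracing is the first Received: hop, which is the dial-in address Mac mentions. Real MTAs also log the same client address and session id, so the log line and the header can be matched up.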