Hi All,
Could you please analyze the following transcript of my session with a remote server and help me judge whether the server is in some sense an open relay... One thing about the server is that it passes all anonymous relaying tests... but what if I know two contacts on the same server?

[root@bijucyborg root]# telnet 2XX.1XX.XXX.XX 25
Trying 2XX.1XX.XXX.XX...
Connected to 2XX.1XX.XXX.XX.
Escape character is '^]'.
220 COPSTOP.com ESMTP
ehlo popa
250- COPSTOP
250-PIPELINING
250 8BITMIME
mail from:xyz@COPSTOP
250 ok
rcpt to:abc@COPSTOP.com
250 ok
data
354 go ahead
we went to school together
.
250 ok 1099213953 qp 10543
quit
221 COPSTOP.com
Connection closed by foreign host.

As I have observed, the server accepts messages from xyz@COPSTOP to abc@COPSTOP.
1. xyz and abc are two valid users on the system.
2. This session was carried out from a random machine on the internet.
If this is dangerous... assuming that I am using sendmail, could you please suggest a technique to stop this.
bye rgds
biju
__________________________________ Do you Yahoo!? Yahoo! Mail Address AutoComplete - You start. We finish. http://promotions.yahoo.com/new_mail
mail from:xyz@COPSTOP
250 ok
rcpt to:abc@COPSTOP.com
250 ok
As I have observed, the server accepts messages from xyz@COPSTOP to abc@COPSTOP.
If this is dangerous... assuming that I am using sendmail, could you please suggest a technique to stop this.
Yes, I think this is bad. If the same server is acting as a mail relay for internal users and as an MX for that domain, then the solution may not be that simple. You could check this page out:
http://www.sendmail.org/%7Eca/email/check.html#check_rcpt
If this is only acting as an MX, you can simply put this line in /etc/mail/access, which I think might fix the problem (not sure, will have to try this out), and then run makemap:
From:copstop.com REJECT   # will not accept From containing copstop.com
In general, check this page:
http://www.sendmail.org/m4/anti_spam.html
On Sun, 31 Oct 2004 21:09:53 +0530, mitul@mitul.com mitul@mitul.com wrote:
Hey Biju,
I don't see any problem with the SMTP session.
I do.
Try this:
[user@somehost]# telnet <server ip> 25
mail from: x@copstop.com
rcpt to: y@copstop.com
data
From: "X" <spammer@domain.com>
To: "Some User" <y@copstop.com>
Subject: some UCE
.
Will the spammer not succeed in getting his message across?
Primarily because you are connecting to the AUTHORITATIVE MX server for CopStop.com, and no matter who sends the mail, as long as the RCPT is for a user inside your domain, i.e. CopStop.com, it seems to be OK. If the server had accepted RCPT TO: xyz@someotherdomain.com, then it surely would be an alarming issue.
Agreed, it is not that much of a problem, but why not add another simple check that prevents spoofing in this manner and hence a little less spam.
Hey Biju,
I don't see any problem with the SMTP session.
Primarily because you are connecting to the AUTHORITATIVE MX server for CopStop.com, and no matter who sends the mail, as long as the RCPT is for a user inside your domain, i.e. CopStop.com, it seems to be OK.
If the server had accepted RCPT TO: xyz@someotherdomain.com, then it surely would be an alarming issue.
Ahhh, but you might have to do some kind of checking here to see if the email that's getting inside is UCE or a legitimate email. Qmail would give "550 - Domain aint in my RCPT Hosts file" if the RCPT TO had been anything other than copstop.com or any domain that's not listed in the /var/qmail/control/rcpthosts file.
Let me know if this solves the problem.
Best Regards, Mitul Limbani CTO, Enterux Solutions, The Enterprise Linux Company (TM), http://www.enterux.com/
----------------------------------------------------------------
Hey Clifford,
Quoting Clifford D'Mello cjdmello@gmail.com:
mail from:xyz@COPSTOP
250 ok
rcpt to:abc@COPSTOP.com
250 ok
As I have observed, the server accepts messages from xyz@COPSTOP to abc@COPSTOP.
If this is dangerous... assuming that I am using sendmail, could you please suggest a technique to stop this.
Yes, I think this is bad. If the same server is acting as a mail relay for internal users and as an MX for that domain, then the solution may not be that simple. You could check this page out.
What if a person xyz@copstop.com really wants to send email to abc@copstop.com (either using an email client or maybe using WebMail)?
Regards, Mitul Limbani CTO, Enterux Solutions, The Enterprise Linux Company (TM), http://www.enterux.com/
----------------------------------------------------------------
On Sun, Oct 31, 2004 at 08:18:53PM +0530, Clifford D'Mello wrote:
[user@somehost]# telnet <server ip> 25
mail from: x@copstop.com
rcpt to: y@copstop.com
data
From: "X" <spammer@domain.com>
To: "Some User" <y@copstop.com>
Subject: some UCE
.
Perfectly valid, and not a relay.
Will the spammer not succeed in getting his message across?
And also true. But this check is up to spamassassin, not the MTA.
Will the spammer not succeed in getting his message across?
And also true. But this check is up to spamassassin, not the MTA.
Agreed. But if you can throw this out before spamassassin, the better it is, because then your server can scale better, since you know this is a bogus message.
Dear All
The best remedy is to enable SMTP authentication on the server.
1. This will allow the local users to send mail after authenticating the sender ID.
2. In case the server is a live MX, it will also receive mail from outside or the internet only for the domain which is configured, in this case COPSTOP.
Thanks & Regards
Ming
On Mon, 2004-11-01 at 12:24, Clifford D'Mello wrote:
Best remedy is to enable smtp authentication on the server
This will not solve the problem because an MX cannot ask other servers to authenticate. It has to accept mails for the domain.
Not really. Authentication is primarily used for the MAIL FROM: user@domain command. AUTH is never used for the RCPT TO: command.
So when any other client/server sends mail to your MX host and has MAIL FROM: domain(s) of the local host, it will reject the mail saying relaying denied.
If the client/server AUTHenticates itself by initiating AUTH and giving correct authentication info, this will enable local domain(s) in MAIL FROM:.
Remember, AUTH is optional and should happen before the MAIL FROM: command.
-- Clifford
HTH With regards,
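To make the policy the thread is circling concrete, here is an added Python model (not sendmail's, qmail's or any poster's code) of the two checks: the RCPT relay check the COPSTOP server already passes, and the extra MAIL FROM check Clifford proposes (reject an outside, unauthenticated client that claims a local sender domain), with the AUTH and internal-network exemptions described in the messages above, which is what keeps Mitul's real local user working. The domain copstop.com, the internal network 192.0.2.0/24 and the client addresses are constructed.

```python
"""Model of the two MTA checks discussed in the thread (illustration only,
not sendmail's or qmail's code).  Domain names and networks are constructed."""
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"copstop.com"}               # domains this MX is authoritative for
INTERNAL_NETS = [ip_network("192.0.2.0/24")]  # constructed: LAN allowed to relay


def _domain(address):
    # Case-insensitive domain part of an address; the thread's server answered
    # 'xyz@COPSTOP' and 'abc@COPSTOP.com' alike.
    return address.rsplit("@", 1)[-1].lower()


def _trusted(client_ip, authenticated):
    # AUTH or an internal source address earns the right to speak for the domain.
    return authenticated or any(ip_address(client_ip) in net for net in INTERNAL_NETS)


def check_rcpt(client_ip, rcpt_to, authenticated=False):
    """Relay check, which the server in the transcript already passes:
    local recipients are always accepted; other domains only from trusted clients."""
    if _domain(rcpt_to) in LOCAL_DOMAINS or _trusted(client_ip, authenticated):
        return "250 ok"
    return "550 relaying denied"


def check_mail_from(client_ip, mail_from, authenticated=False):
    """Extra check proposed in the thread, modelled on the access-map entry
    'From:copstop.com REJECT' but relaxed for AUTH and internal clients, so a
    real local user (Mitul's objection) still gets through after authenticating."""
    if _domain(mail_from) not in LOCAL_DOMAINS or _trusted(client_ip, authenticated):
        return "250 ok"
    return "550 local sender domain from outside; authenticate first"


def smtp_session(client_ip, mail_from, rcpt_to, authenticated=False):
    """Return the first non-250 reply of the envelope phase, or '250 ok'."""
    for reply in (check_mail_from(client_ip, mail_from, authenticated),
                  check_rcpt(client_ip, rcpt_to, authenticated)):
        if not reply.startswith("250"):
            return reply
    return "250 ok"


if __name__ == "__main__":
    # Biju's transcript: outside host, no AUTH, local sender and recipient.
    print(smtp_session("203.0.113.5", "xyz@copstop.com", "abc@copstop.com"))
    # Same user from a mail client that authenticates first.
    print(smtp_session("203.0.113.5", "xyz@copstop.com", "abc@copstop.com", True))
```

Inbound mail from foreign sender domains to local users is untouched by the extra check, so the MX still does its job; only the spoofed-local-sender case from the transcript is turned away.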
Dear All
--- Clifford D'Mello cjdmello@gmail.com wrote:
This will not solve the problem because an MX cannot ask other servers to authenticate. It has to accept mails for the domain.
It will accept the mails from any server. We need to check the sender only if the MAIL FROM is anybody@copstop.com or when it comes with the from domain as copstop.
Thanks & Regards
Ming
-- Clifford