used as a spam relay

associates
Normal user

Post by associates » 2007-09-03 04:18

Hi,

I have another problem that I found while I was trying to figure out what caused the 550 denied by policy issue. I have ASSP up and running as always. Today I happened to scan through the maillog.txt under the assp folder and noticed that some people have been trying to use our domain to send email to one of our co-workers, as follows:

Sep-3-07 blah blah 208.78.69.74 <rocjhso@mydomain.com.au> to: michael.bella@mydomain.com.au ... (treated as spam though)

Not just one; a couple more went in yesterday and the day before from the following addresses, 208.78.69.71 and 204.13.249.71.

I fear that our domain has been used as a spam relay for sending spam. Is there any way of stopping this?

Thank you in advance

martin
Developer

Post by martin » 2007-09-03 18:42

There's no way in hMailServer to stop it (without using scripts). You could create a script which makes hMailServer require SMTP authentication when the domain is local. Requires some work though.
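Added example (not Martin's code and not part of hMailServer itself): an EventHandlers.vbs handler that implements the check described above. It runs in hMailServer's OnAcceptMessage event and refuses a message whose MAIL FROM claims one of your own domains when the SMTP session did not authenticate, which is exactly the pattern associates saw in the ASSP log (an outside host sending as rocjhso@mydomain.com.au to a local mailbox). The list of local domains and the list of trusted internal hosts are assumptions you must replace with your own; the event object properties (oMessage.FromAddress, oClient.Username, oClient.IPAddress) and the Result.Value = 1 rejection are hMailServer's documented scripting interface, while the exact SMTP reply code hMailServer prepends to Result.Message is an assumption noted in the comment. Note what this does and does not cover: it blocks spoofed mail delivered to your own users, but it cannot stop other servers from bouncing forged mail back to you, since those NDRs never pass through this check.

```vbscript
' EventHandlers.vbs: hMailServer calls OnAcceptMessage for every message it
' is about to accept. Scripting must be enabled (Settings > Advanced > Scripts)
' and the OnAcceptMessage event ticked, otherwise this never fires.

' ASSUMPTION: the domains hosted on this server; replace with your own.
' (They could also be read through the hMailServer.Application COM object.)
Const LOCAL_DOMAINS = "mydomain.com.au,second-local-domain.example"

' ASSUMPTION: internal hosts (printers, monitoring boxes) that send as a
' local address but cannot authenticate. Leave empty to trust nobody.
Const TRUSTED_IPS = "127.0.0.1"

' True when value is one of the comma-separated entries (case-insensitive).
Function InList(csvList, value)
    Dim item
    InList = False
    For Each item In Split(csvList, ",")
        If LCase(Trim(item)) = LCase(Trim(value)) Then InList = True
    Next
End Function

Sub OnAcceptMessage(oClient, oMessage)
    Dim fromAddress, atPos, fromDomain
    fromAddress = LCase(oMessage.FromAddress)

    ' Null sender (<>) is what bounces use; leave it to SPF / anti-spam checks.
    atPos = InStrRev(fromAddress, "@")
    If atPos = 0 Then Exit Sub
    fromDomain = Mid(fromAddress, atPos + 1)

    ' A sender in somebody else's domain is ordinary inbound mail: not our concern here.
    If Not InList(LOCAL_DOMAINS, fromDomain) Then Exit Sub

    ' Username is non-empty only when the session logged in to a mailbox.
    If oClient.Username <> "" Then Exit Sub

    ' Known internal host that has no way to authenticate.
    If InList(TRUSTED_IPS, oClient.IPAddress) Then Exit Sub

    ' Anyone else claiming one of our addresses without logging in is refused.
    ' Result.Value = 1 rejects the message and hMailServer returns Result.Message
    ' to the client (assumption: with a 5xx reply code prepended).
    Result.Value = 1
    Result.Message = "Sender " & fromAddress & " requires SMTP authentication"
End Sub
```

Watch the hMailServer log for a few days after enabling this: any legitimate internal device that sends mail without a login will show up as a rejection and belongs either in TRUSTED_IPS or, better, configured with a real mailbox login.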

harddiskman
New user

SMTP relay and Spam

Post by harddiskman » 2007-09-09 17:49

Martin,

Can you explain this issue a little bit more please.
I'm receiving thousands of mails daily which seem to be undelivered-message responses, mail-delivery system errors, postmaster errors etc. Someone uses our hMailServer to send spam to the world, I think.
I checked with a mail relay test; it is OK.

Thanks in advance..

martin
Developer

Post by martin » 2007-09-09 17:50

Can you post an example of one of the NDR's?

Have you set up SPF records for your domain(s)?

harddiskman
New user

Post by harddiskman » 2007-09-09 18:04

Yes, I'm using an SPF record in the DNS server.

Some NDRs (these mails were not sent from our server):
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1-) - These recipients of your message have been processed by the mail server:
theo.vonbernstorff@virgilio.it; Failed; 5.2.2 (mailbox full)

Remote MTA ims1b.cp.tin.it: SMTP diagnostic: 552 RCPT TO:<theo.vonbernstorff@virgilio.it> Mailbox disk quota exceeded

------------------------------------------------------------------------------------
2-) This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

uluk@pro-serv.co.il
uluz@pro-serv.co.il
-------------------------------------------------------------------------------------
3-) We're sorry. There's a problem with the e-mail address(es) you're trying to send to. Please verify the address(es) and try again. If you continue to have problems, please contact Customer Support at (480) 624-2500.

<arrut@cloudcity.com>:
child status 100...The e-mail message could not be delivered because there are no users here by that name.

--- Below this line is a copy of the message.

Return-Path: <oafullsu@radius.com.tr>
Received: (qmail 25640 invoked from network); 9 Sep 2007 14:47:45 -0000
Received: from unknown (HELO pre-smtp35-02.prod.mesa1.secureserver.net) ([64.202.166.93])
(envelope-sender <oafullsu@radius.com.tr>)
by dbp-smtp02-01.prod.mesa1.secureserver.net (qmail-1.03) with SMTP
for <arrut@cloudcity.com>; 9 Sep 2007 14:47:45 -0000
Received: (qmail 17913 invoked from network); 9 Sep 2007 14:47:45 -0000
Received: from admf58.neoplus.adsl.tpnet.pl (HELO radius.com.tr) ([79.185.35.58])
(envelope-sender <oafullsu@radius.com.tr>)
by pre-smtp35-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <arrus@cloudcity.com>; 9 Sep 2007 14:47:44 -0000
Message-ID: <OHKSNSI.4147615481@radius.com.tr>
Reply-To: "FAddie ZBritton" <oafullsu@radius.com.tr>
From: "FAddie ZBritton" <oafullsu@radius.com.tr>
Subject: ma man
To: <arrus@cloudcity.com>, <arrut@cloudcity.com>, <arruth@cloudcity.com>, <arruthers@cloudcity.com>
Date: Sun, 09 Sep 2007 16:47:05 +0100
MIME-Version: 1.0
Content-Type: text/plain

buddy Bernardo

Next youtube, enter before its bought,
symbol-chvc
Get in now, else regret later

Mathew
-------------------------------------------------------------------------------------
4-) The following message to <art_324@twcny.rr.com> was undeliverable.
The reason for the problem:
5.1.0 - Unknown address error 550-'5.1.1 unknown or illegal alias: art_324@twcny.rr.com'

-----------------------------------------------------------------------------------
5-) The original message was received at Sun, 9 Sep 2007 14:41:52 +0100 from 59-117-188-96.dynamic.hinet.net [59.117.188.96]

----- The following addresses had permanent fatal errors ----- <icolae@severnvale.co.uk>
(reason: 550 5.1.1 <icolae@severnvale.co.uk>... User unknown)

----- Transcript of session follows ----- ... while talking to isolde.merula.net.:
>>> DATA
<<< 550 5.1.1 <icolae@severnvale.co.uk>... User unknown 550 5.1.1 <icolae@severnvale.co.uk>... User unknown <<< 503 5.0.0 Need RCPT (recipient)
---------------------------------------------------------------------------------
6) The original message was received at Sun, 09 Sep 2007 12:02:06 -0400 EST from radius.com.tr [200.155.55.161]



----- The following addresses had permanent fatal errors ----- <antonio_terrazasmx@yahoo.com.mx>

----- Transcript of session follows -----
>>> DATA

<<< 554 delivery error: dd Sorry your message to antonio_terrazasmx@yahoo.com.mx cannot be delivered. This account has been disabled or discontinued [#102]. - mta479.mail.mud.yahoo.com
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

There are lots of NDRs like this.

martin
Developer

Post by martin » 2007-09-09 18:32

None of those NDRs seem to be generated by hMailServer.

The SMTP protocol doesn't have built-in verification of sender addresses. This means that I can send an email which appears to come from your address. If this email then bounces, the NDR may be sent to you, since the email appears to come from you. If the recipient's SMTP server uses SPF, it may not send an NDR to you, since it can determine that the sender address was forged. But most SMTP servers do not use SPF.

harddiskman
New user

Post by harddiskman » 2007-09-09 18:48

So, this means there is nothing to worry about.
The huge amount of mail I collect every day comes from the catch-all then.
Is there nothing to do about this, or should I install SpamAssassin or ASSP?

Thank you..

martin
Developer

Post by martin » 2007-09-09 19:21

Well, it's hard to say whether it's actual spam or just normal NDRs. Installing ASSP or SpamAssassin may reduce it.
