
open relay problem


timinator


Hi, we are getting bounced mail all referencing ordb.org. I've done many tests inside and outside our network and they all say: "relay operation rejected". Only ordb.org continues to list us. I must be missing something. We are running Linux RedHat 7.2 with Sendmail 8.12. I don't know how else to test to find out what's wrong. :unsure: Any suggestions?

Thanks

Tim


I have moved this topic here because it does not deal with the spamcop DNSBL.

Without the IP address of your mail server, it is not possible to determine much from your messages. While this is not a DSBL-related forum, the principles are the same and we should be able to help you with enough information.

To lookup the problem yourself, go to: http://www.ordb.org/lookup/

The IP you posted this from (only available to moderators) is listed in relays.ordb.org ( 127.0.0.2 ), but some people are skittish about posting IPs in here (generally there is no problem). They claim to have sent email to your postmaster account.

It also has spam reports against it, though they all date from March 7:

Report History:

--------------------------------------------------------------------------------

Submitted: Monday, March 07, 2005 10:13:32 PM -0500:

=?Big5?B?pPRUvrQ5vrQ5t3M5sFRU?=

--------------------------------------------------------------------------------

Submitted: Monday, March 07, 2005 9:20:32 PM -0500:

=?Big5?B?rV6k5aZWpFe0o6TJqrqr5rN0p9a3UH5+?=

--------------------------------------------------------------------------------

Submitted: Monday, March 07, 2005 9:00:08 PM -0500:

=?big5?B?oba+paT0p1g2NaS4oUKstK+7p1g4MDCkuKFCpXjGUbrxsGe2rqTGp6mrfjen6T==?= ...

--------------------------------------------------------------------------------

These reports were sent to: chris<at>boldwireless.net

And Senderbase is showing a great increase in the amount of mail flowing through that server as well:

Last day 3.4 1141%

Last 30 days 3.3 979%

Average 2.3

That machine is showing some problems right now and should be shut down and repaired before you show up on more BLs. Good luck.


The following is in addition to StevenUnderwood's good advice.

Assuming that you are posting from the same network whose mail is blocked, you should follow along with me and paste your mailserver's IP Address into the Host/IP box on the Open Relay Database - Lookup Page and click the "Submit query" Button. There, you will see headers from an email which demonstrates how your mailserver was exploited, which include the following (sanitized data in bold):

From: spamtest[at][mailserver's rdns fqdn]

X-ORDB-Envelope-From: spamtest[at][mailserver's IP Address]

X-ORDB-Envelope-To: marvin.ordb.org!marvin

Please note that the brackets around the mailserver's IP Address were in the original test.

Sendmail's recommended fixes are the Anti-UBE FEATUREs in sendmail 8.10/8.11.

ORDB's recommended fix is at Open Relay Database - FAQ - Sendmail.

Kelkea's MAPS' recommended fix is at MAPS - Support - Application Note: How to secure your mail system against third-party relay - Sendmail Version 8.

I agree with the move of this Topic from "SpamCop Blocklist Help" to "SpamCop Lounge" because it has nothing to do with SpamCop per se.


Hi, we are getting bounced mail all referencing ordb.org. I've done many tests inside and outside our network and they all say: "relay operation rejected". Only ordb.org continues to list us. I must be missing something. We are running Linux RedHat 7.2 with Sendmail 8.12. I don't know how else to test to find out what's wrong. :unsure: Any suggestions?

Thanks

Tim


From a terminal window on the server itself, enter:

$ telnet relay-test.mail-abuse.org

This will very thoroughly test your server for open-relay points. Configure based on the results of those tests. I run them any time I make a config change of any size, just to be sure.

...Ken


This is a bit different than normal ... posting IP matches two MX systems at the same IP ...???? Two e-mail servers on the same machine, and you are also posting here from that very same computer?

This IP is also listed on BLARSBL

Anyway, if you are so sure that there is no existing problem, have you visited http://www.ordb.org/removal/ yet? Based on the above provided data, I'd recommend against it at this point in time ....


This is a bit different than normal ... posting IP matches two MX systems at the same IP ...????  Two e-mail servers on the same machine, and you are also posting here from that very same computer?


I noticed that as well, Wazoo. I have no idea why a secondary MX would be run on the same box as the primary; it kind of defeats the purpose.


posting IP matches two MX systems at the same IP ...????  Two e-mail servers on the same machine


I could see this happening in a bureaucracy where change management procedures for MX Records are more rigorous than those for A Records. I could also see it happening in an extended failure mode where the Secondary Mailserver is going to take a while to repair, so they just switched its A Record over to the IP Address of the Primary Mailserver, but this probably isn't the case, as the records are two weeks old already.

I've been to the ordb site several times and retested. The IP in question is the one I'm posting from. I've read the headers of their test on my server. I've tailed the log file and watched the test live, but it gives me no clues to what the problem is. More info on the server: we just moved to a new location 3-15-05 (new IP address). Also, before the move I had a test server in place at the new location, which may have started the problems. It just seems there is a small hole somewhere that I'm missing.

Thanks


There are folks around with skills and tools that may offer to help. However, you're going to have to expose some data: the IP address in question, for instance, and perhaps details about system configuration, such as the firewall in use and what apps are involved (log file data varies, for instance).


If you've been to ordb.org, and you've tested the system, then surely the "Remove an open relay" tab at ordb.org is the next place to click. If you've done that, then ORDB will remove the relay from their list automagically.

Have you tested with the telnet link I gave above?

...Ken


I ran the "$ telnet relay-test.mail-abuse.org" test. It returned: "System appeared to accept 1 relay attempts". It was #Test 17:

Relay test: #Test 17

>>> mail from: <spamtest[at][xx.xxx.xxx.xxx]>

<<< 250 2.1.0 <spamtest[at][xx.xxx.xxx.xxx]>... Sender ok

>>> rcpt to: <mail-abuse.org!nobody>

<<< 250 2.1.5 <mail-abuse.org!nobody>... Recipient ok

>>> QUIT

What now?

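A defender-side way to read that transcript, as an added example that is neither from the thread nor from mail-abuse.org: it parses relay-test output, flags every RCPT TO the server accepted, and names the addressing trick each probe used. It generalises beyond the bang-path form in Test 17 to the other classic probe forms; the sample transcript is constructed from the post (with [at] written as @ and an invented refused Test 18 for contrast).

```python
import re

# Constructed sample modelled on the relay-test.mail-abuse.org output quoted
# in the thread (IP redacted as in the post). Test 17 is the accepted bang-path
# probe; Test 18 is an invented refused percent-hack probe for contrast.
SAMPLE_TRANSCRIPT = """\
Relay test: #Test 17
>>> mail from: <spamtest@[xx.xxx.xxx.xxx]>
<<< 250 2.1.0 <spamtest@[xx.xxx.xxx.xxx]>... Sender ok
>>> rcpt to: <mail-abuse.org!nobody>
<<< 250 2.1.5 <mail-abuse.org!nobody>... Recipient ok
>>> QUIT
Relay test: #Test 18
>>> mail from: <spamtest@[xx.xxx.xxx.xxx]>
<<< 250 2.1.0 <spamtest@[xx.xxx.xxx.xxx]>... Sender ok
>>> rcpt to: <nobody%mail-abuse.org@[xx.xxx.xxx.xxx]>
<<< 550 5.7.1 <nobody%mail-abuse.org@[xx.xxx.xxx.xxx]>... Relaying denied
>>> QUIT
"""

TEST_RE = re.compile(r"^Relay test: #Test (\d+)")
RCPT_RE = re.compile(r"^>>> rcpt to:\s*<([^>]+)>", re.IGNORECASE)
REPLY_RE = re.compile(r"^<<< (\d{3})")

def classify_recipient(addr):
    """Name the classic relay trick a probe recipient relies on."""
    if "!" in addr:
        return "bang-path"          # host!user, old UUCP routing
    if "%" in addr:
        return "percent-hack"       # user%host@me
    if addr.startswith("@"):
        return "source-route"       # @me:user@host
    if addr.startswith('"'):
        return "quoted-local-part"  # "user@host"@me
    return "plain"

def accepted_relays(transcript):
    """(test number, recipient, trick) for every probe RCPT TO answered 2xx.
    Every recipient in a relay test is remote, so any 2xx is a hole."""
    found, test_no, pending = [], None, None
    for line in transcript.splitlines():
        if m := TEST_RE.match(line):
            test_no, pending = int(m.group(1)), None
        elif m := RCPT_RE.match(line):
            pending = m.group(1)
        elif (m := REPLY_RE.match(line)) and pending is not None:
            if m.group(1).startswith("2"):
                found.append((test_no, pending, classify_recipient(pending)))
            pending = None
    return found
```

Run it over the full saved telnet session rather than the summary line: the trick name tells you which sendmail rule set let the probe through, which is the first thing to compare against the Anti-UBE FEATUREs mentioned earlier in the thread.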
