alexander_price Posted August 10, 2004 Posted August 10, 2004 This server which i manage (80.176.169.194) is currently listed in spamcop and i'm trying to sort this matter out. It seems to be getting caught by spamtraps only, and i'm curious as to why this is happening. Since purging the badmail folder yesterday, three more bad mails have gone into it. An analysis of these three emails are that they are delivery notification failures, i.e; - Someone sent us an email to a non-existant user at our domain. - The server tried to reply with a delivery status notifcation failure message but failed as the email address is non-existant. Could this behaviour get me listed on spamcop? I.e someone sends a spam or virus to a nonexistant email address and then our server replies saying the message didnt get through? I hope not as obviously this is desireable behaviour. We have a lot of legitimate people sending us email and they are always doing silly things like mistyping an email address - to switch of failure notifications would be very very bad. Thanks for any help.
GraemeL Posted August 10, 2004 Posted August 10, 2004 Could this behaviour get me listed on spamcop? I.e someone sends a spam or virus to a nonexistant email address and then our server replies saying the message didnt get through? I hope not as obviously this is desireable behaviour. We have a lot of legitimate people sending us email and they are always doing silly things like mistyping an email address - to switch of failure notifications would be very very bad. 14938[/snapback] Looking at senderbase, your mail output is up over 1,000% in the last 24 hours. This is often an indication that you have problems. http://www.senderbase.org/search?searchString=80.176.169.194 If you are bouncing after the SMTP transaction is complete, then that can cause a listing as you are sending your rejections to forged email addresses. Bouncing spam or viruses after receipt is not desirable, but a source of network abuse. These days, the only acceptable place to reject mail is during the SMTP transaction. I connected to your server for a quick look and you have SMTP AUTH enabled. If you do not have remote users that require SMTP AUTH to send mail, then disable it. If you do require SMTP AUTH for your users, then go through every local account on the machine and change the password to a secure one. Disable any unused accounts such as Guest. See the FAQ and pay attention to the section on Exchange servers. http://forum.spamcop.net/forums/index.php?showtopic=972 Finally, connecting an Exchange server directly to the internet is, generally, a bad idea. Running a mail gateway on some form of Linux/Unix in the DMZ is a lot more secure.
Miss Betsy Posted August 10, 2004 Posted August 10, 2004 It looks as though your problem this time is not sending emails to notify of non-existent mailboxes. However, you *like* to accept email and then decide. We have a lot of legitimate people sending us email and they are always doing silly things like mistyping an email address - to switch of failure notifications would be very very bad. I am not a server admin so I don't quite understand all the nuances. Rejecting email at the server will generate a notification to an innocent party who mistypes so I don't understand why that is so bad. And since there is someone who obviously knows what they are doing in this topic (the other person who responded to your post), I thought I would ask a question. If admins feel that it is absolutely necessary to accept the email before deciding whether it can be delivered or not, then why can't they run it through a spam content filter set very high (like Spamassassin) and a virus filter and only send an email if it makes it through? I know that a lot of businesses do not like to reject at the server level because they don't want to miss any chance of a real inquiry about their product. To accept all email, they have to filtered it for spam and then search the filtered material for false positives. If they do that, they can also search for mistyped addresses before sending emails of non-delivery. It is simply the cost of business online because of the spammers. Otherwise, you, yourself, help the spammers by forwarding their spam to innocent people - and will get listed by blocklists (not just spamcop) when some of that forwarded spam hits a spamtrap. Miss Betsy
GraemeL Posted August 10, 2004 Posted August 10, 2004 I know that a lot of businesses do not like to reject at the server level because they don't want to miss any chance of a real inquiry about their product. To accept all email, they have to filtered it for spam and then search the filtered material for false positives. If they do that, they can also search for mistyped addresses before sending emails of non-delivery. It is simply the cost of business online because of the spammers. 14940[/snapback] Using Sendmail milters you can filter for both viruses and with Spamassassin during the DATA phase of an SMTP transaction and issue a rejection rather than a bounce. Of course, most viruses/spammers don't hang around long enough to receive this rejection, but you still don't end up bouncing to the envelope sender. However, there are disadvantages to it. (1) MS software doesn't allow you to do this. (2) It uses up a lot more resources on your inbound mail servers. You pays you money. You makes your choices. Most users of Exchange take the lets annoy as many innocent people as possible choice.
StevenUnderwood Posted August 10, 2004 Posted August 10, 2004 Could this behaviour get me listed on spamcop? I.e someone sends a spam or virus to a nonexistant email address and then our server replies saying the message didnt get through? Yes if the message in question has a return address of the spamcop spamtrap. With all of the recent viruses, the sender email adresses is being forged. Your system is bouncing either that virus, or a message saying a virus was found, to an innocent victim for every message you receive. Same with spam, you are sending your spam on to other innocent people who just happen to have their email address forged as the sender. I hope not as obviously this is desireable behaviour. Before viruses and spammers, this was desirable behavior. Since so much email today has forged return addresses, returning messages after accepting them is no longer acceptable practice. As stated here and elsewhere, rejecting during the SMTP transaction has the desired efect of getting the valid, misdirected messages back to the sender because it is the sending server that is generating the bounce. The sending server says "I have mail for x", your server y says "x does not live here", the sending server sends a message back to to originator (it should know and trust where it got the message) saying, "server y says x does not live there".
alexander_price Posted August 10, 2004 Author Posted August 10, 2004 phew - loads of replies - thanks everyone. Ok - the first point. I have now turned SMTP AUTH off on the server, - thanks for the advice GraemeL. Could you take another look at my server now and confirm I changed the right setting and that smtp auth is definately off? Thanks. As for the other tip - rejecting during the smtp transaction - that sounds like a great idea. The only thing is i'm not an expert at exchange. If anyone can tell me how to configure exchange to do this (if its not already configured) then i'd be grateful.
GraemeL Posted August 10, 2004 Posted August 10, 2004 phew - loads of replies - thanks everyone. Ok - the first point. I have now turned SMTP AUTH off on the server, - thanks for the advice GraemeL. Could you take another look at my server now and confirm I changed the right setting and that smtp auth is definately off? Thanks. As for the other tip - rejecting during the smtp transaction - that sounds like a great idea. The only thing is i'm not an expert at exchange. If anyone can tell me how to configure exchange to do this (if its not already configured) then i'd be grateful. 14945[/snapback] Your server is still offering AUTH LOGIN. telnet 80.176.169.194 25 Trying 80.176.169.194... Connected to 80.176.169.194. Escape character is '^]'. 220 server01.Proud.local Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Tue, 10 Aug 2004 15:03:39 +0100 ehlo myserver.invalid 250-server01.Proud.local Hello [0.0.0.0] [snip] 250-AUTH=LOGIN <--- This line. 250-X-LINK2STATE 250-XEXCH50 250 OK auth login 334 VXNlcm5hbWU6 <-- Prompt for username. If you're not an Exchange expert, I would suggest hiring a consultant for a day or two. Let them give your whole network a checkup and disable bouncing to the envelope sender for viruses and spam. Did you go through the machine, disable all unused accounts and change the passwords on all other accounts? Secure passwords should stop anyone abusing AUTH LOGIN until you get it disabled.
alexander_price Posted August 10, 2004 Author Posted August 10, 2004 well, we have disabled quite a few accounts temporarily, and am forcing a password change for all accounts on next login. I would rather make the configuration changes myself so I can learn from this experience, so if you know how to make the server reject invalid addresses immediately (before the data line) i'd be grateful. Also, I believe I have now managed to turn off the smtp auth. I now get this when i send an ehlo command to the server - is this ok?; ehlo test 250-server01.Proud.local Hello [81.5.164.146] 250-TURN 250-ATRN 250-SIZE 250-ETRN 250-PIPELINING 250-DSN 250-ENHANCEDSTATUSCODES 250-8bitmime 250-BINARYMIME 250-CHUNKING 250-VRFY 250-X-EXPS GSSAPI NTLM 250-AUTH GSSAPI NTLM 250-X-LINK2STATE 250-XEXCH50 250 OK auth login 504 5.7.4 Unrecognized authentication type.
GraemeL Posted August 10, 2004 Posted August 10, 2004 well, we have disabled quite a few accounts temporarily, and am forcing a password change for all accounts on next login. Be more worried about local accounts on the Exchange server, rather than network login accounts. Spammers usually attack the role accounts that are created by default. To attack network accounts, they need to guess both the username and the password. To attack role accounts, they need only guess the password. I would rather make the configuration changes myself so I can learn from this experience, so if you know how to make the server disallow logins (smtp auth) and how to make the server reject invalid addresses immediately (before the data line) i'd be grateful. Sorry, can't help you here. My philosophy is to use Unix/Linux boxes to talk to the internet. I don't use any Microsoft server software for external access. It's just not worth the risk.
alexander_price Posted August 10, 2004 Author Posted August 10, 2004 ok - no problem. Thanks for all your help. Btw, I believe I have managed to make the server no longer allow smtp auth (see - i'm learning already)
Merlyn Posted August 10, 2004 Posted August 10, 2004 well, we have disabled quite a few accounts temporarily, and am forcing a password change for all accounts on next login. So what you have done is ask the hacker to change his password when he logs on.
alexander_price Posted August 10, 2004 Author Posted August 10, 2004 So what you have done is ask the hacker to change his password when he logs on. 14950[/snapback] No - I haven't. When a user logs off and on again, they will have to change their domain password. When a hacker logs into the smtp server he wont get that option - only the domain computers will. I have disabled the smtp auth rights anyway now so the hacker won't even get the ability to login now hopefully.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.