Hello,

Situation could be that as your Client having a DSL connection with a static IP address, they:

Have an Exchange Server for email that relays outgoing email to the Internet through your SMTP service as their domain is hosted on your server.

-What is happening-

Their Mail Exchanger or whatever mail server has an Open Relay SMTP. If that is the case, then a spammer will only need their static IP and use it as SMTP gateway and therefore your server is accepting these messages as your Client Server I think is doing POP before SMTP (i.e. checking email before sending any outgoing message).

-Solution-

There is no solution for this from your side other than blocking your client or individual emails. Your client has to apply Pop before SMTP or SMTP Access Limitation to his mail server.

In your message you masked the dsl IP of your client but anyway just to verify you can test their IP address if open relay using telnet or from this website http://www.abuse.net/relay.html .

Regards,
Al-Juhani
[EMAIL PROTECTED]

==Original Message==
David Black [EMAIL PROTECTED]
Tue, 25 Feb 2003 18:38:38 -0600

I think someone is relaying spam through our servers, by spoofing their originating IP, so the spam appears to come from one of my legitimate hosting customers' home IP addresses. I've noticed a repeating pattern of short bursts, similar to the events listed below... which seem to last from 2 - 5 minutes each.

Since my up-to-date RaQ4 includes pop-before-relay (with a 5 minute window), I'm wondering if the spoofer is randomly catching my customer's relay window, then exploiting it, by spoofing my customer's IP. (?)

I'd be very grateful if anyone with relevant expertise or experience would share some information with me (and the rest of the list). Thank you all very much, for your valuable time and knowledge. I'd be lost without you :-)

Sincerely,
--
David Black
Houston, TX

suspicious maillog events follow...
Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
('size=0' repeats 77 times between 14:03:11 and 14:04:09)
Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876: from=<>, size=2649, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
Feb 25 14:04:14 www sendmail[18879]: h1PK4Eb18879: from=<>, size=2571, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
Feb 25 14:04:15 www sendmail[18882]: h1PK4Fb18882: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883: from=<>, size=2901, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
(119 lines - snipped - similar pattern: 1 or 2 'size=0', then 1 or 2 successful relays)
Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525: from=<>, size=2842, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
(108 more successful relays - snipped - )
Feb 25 14:06:47 www sendmail[20347]: h1PK6lb20347: from=<>, size=2790, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA, relay=adsl-xx-xx-xxx-xxx.dsl.xxx.net [xx.xx.xxx.xxx]
(this (above) was the last related event, for several hours)

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
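An added detection example, not from either poster: the Python below parses sendmail envelope (`from=`) lines of the shape quoted above, groups them by relay IP, and flags any IP that pushed five or more messages through the server within the 5-minute pop-before-relay window, also counting the `size=0` and null-sender entries that made the pattern stand out. The hostnames, addresses and log lines are constructed placeholders, and the window and threshold are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sendmail "from=" envelope line; the other fields (class, nrcpts, msgid) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), .*relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]"
)

# Constructed sample log: one relay host bursting six envelopes in ~2 minutes, one ordinary message.
SAMPLE_LOG = [
    "Feb 25 14:03:11 www sendmail[18401]: h1PK3Ab18401: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-203-0-113-10.example.net [203.0.113.10]",
    "Feb 25 14:03:40 www sendmail[18402]: h1PK3eb18402: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-203-0-113-10.example.net [203.0.113.10]",
    "Feb 25 14:04:09 www sendmail[18874]: h1PK48b18874: from=<>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=adsl-203-0-113-10.example.net [203.0.113.10]",
    "Feb 25 14:04:14 www sendmail[18876]: h1PK4Db18876: from=<>, size=2649, class=0, nrcpts=1, msgid=<a1@example.org>, proto=SMTP, daemon=MTA, relay=adsl-203-0-113-10.example.net [203.0.113.10]",
    "Feb 25 14:04:14 www sendmail[18877]: h1PK4Db18876: to=<victim@example.org>, delay=00:00:00, mailer=esmtp, stat=Sent",
    "Feb 25 14:04:15 www sendmail[18883]: h1PK4Fb18883: from=<>, size=2901, class=0, nrcpts=1, msgid=<a2@example.org>, proto=SMTP, daemon=MTA, relay=adsl-203-0-113-10.example.net [203.0.113.10]",
    "Feb 25 14:05:13 www sendmail[19525]: h1PK5Cb19525: from=<>, size=2842, class=0, nrcpts=1, msgid=<a3@example.org>, proto=SMTP, daemon=MTA, relay=adsl-203-0-113-10.example.net [203.0.113.10]",
    "Feb 25 14:30:00 www sendmail[20001]: h1PKU0b20001: from=<user@example.com>, size=1200, class=0, nrcpts=1, msgid=<b1@example.com>, proto=SMTP, daemon=MTA, relay=host7.example.net [198.51.100.7]",
]

def parse(line, year=2003):
    """Return a dict for an envelope line, or None for any other log line (syslog lines carry no year)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "sender": m["sender"], "size": int(m["size"]), "relay": m["relay"], "ip": m["ip"]}

def find_bursts(lines, window_s=300, min_msgs=5):
    """Per relay IP, report the densest window_s-second window holding at least min_msgs envelopes."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end, rec in enumerate(recs):              # sliding window over sorted timestamps
            while (rec["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            if len(win) >= min_msgs and (best is None or len(win) > len(best)):
                best = win
        if best:
            hits[ip] = {"first": best[0]["ts"], "last": best[-1]["ts"], "count": len(best),
                        "zero_size": sum(r["size"] == 0 for r in best),      # aborted/empty sessions
                        "null_sender": sum(r["sender"] == "" for r in best)}  # from=<> envelopes
    return hits

if __name__ == "__main__":
    for ip, h in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {h['count']} envelopes {h['first']:%H:%M:%S}-{h['last']:%H:%M:%S}, "
              f"{h['zero_size']} size=0, {h['null_sender']} null sender")
```

On a real RaQ maillog, feed the file's lines in place of SAMPLE_LOG and raise min_msgs until only the bursts described above remain; a flagged IP is a lead to check for an open relay, not proof of spoofing.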
