Len, all.
First let me beg forgiveness for the long post.
I got an attack from an iMail 6.05 server on the 13th and 14th. I telnetted
to this machine and it does report the iMail 6.05 but would not let me
relay through it. That at least suggests this did originate from
mail.salonchannel.com. If this is a spoofed address, they spoofed the mail
server reporting also. I'm just not going to hide anything.
It attempted to send email with an empty from address fortunately. It sent
it directly to mail.tulsa.com. It was bypassing my IMGATE which has a lower
MX number, so IMGATE wasn't involved except to save email till I was able
to remove two iMail logs totaling 780mb which filled the disk and stopped
iMail from being able to do anything. By counting lines in the logs (cat
| grep -c 00008D), I calculated they have made 348 thousand failed
attempts in one log and the other is bigger. I did stop blocking mail
from:<>, but with great reluctance after this. "relay for addresses" is
still checked. I have not caught what they are trying to send or to whom.
348 thousand of these while I'm home sleeping:
02:13 23:12 SMTP-(0000008D) Connect salonchannel.com [216.247.149.240:25] (1)
02:13 23:12 SMTP-(0000008D) 220 X1 NT-ESMTP Server mail.salonchannel.com (IMail 6.05 25180-5)
02:13 23:12 SMTP-(0000008D) >EHLO mail.tulsa.com
02:13 23:12 SMTP-(0000008D) 250-mail.salonchannel.com says hello
02:13 23:12 SMTP-(0000008D) 250-SIZE 0
02:13 23:12 SMTP-(0000008D) 250-8BITMIME
02:13 23:12 SMTP-(0000008D) 250-DSN
02:13 23:12 SMTP-(0000008D) 250-ETRN
02:13 23:12 SMTP-(0000008D) 250 EXPN
02:13 23:12 SMTP-(0000008D) >MAIL FROM:<>
02:13 23:12 SMTP-(0000008D) 501 bogus mail from
02:13 23:12 SMTP-(0000008D) ERR undeliverable 501 bogus mail from
02:13 23:12 SMTP-(0000008D) SMTP_DELIV_FAILED
02:13 23:12 SMTP-(0000008D) >QUIT
02:13 23:12 SMTP-(0000008D) 221 Goodbye
I don't know how long that went on but I saw nothing else in the logs for
over 30 minutes that I looked at.
My situation:
In about 200 domains' DNS, I use:
IN MX 10 mailgateway.internetworks.net ;my IMGATE machine
IN MX 20 mail.a-domain-name.com ;the iMail name for this domain.
Almost all of the spam and abuse, that gets through, goes around the IMGATE
machine and hits mail.a-domain-name.com directly.
The question:
Is there an easy way around this where my customers can pop their accounts
at mail.a-domain-name.com still and remove the iMail box from view or
access for smtp?
The only way I see to do this is with a firewall between the iMail and the
Internet that re-routes smtp to the IMGATE machine. At least Linux and
IPCHAINS can redirect any connection to port 25 to the IMGATE machine.
That's easy on bsd also. This is also a lot of work and another point of
failure.
Isn't it interesting how much we do to protect our investment in iMail?
This is a huge waste of time, effort, resources....
What I'm looking for is one of those "forehead-slapping, why didn't I think
of that" answers.
Any advice is greatly appreciated!! Even long and involved ones!!
Thank you all for your patience.
Dave
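As an added example (not Dave's script, and not part of IMail), here is a small Python parser for the SMTP log layout quoted above. It groups lines by session id, records the remote host from the Connect line and the envelope sender, and then counts, per remote host, the sessions that used MAIL FROM:<> and ended in SMTP_DELIV_FAILED, which is a quicker triage than grep -c on one session id. The log sample, hosts, addresses and session ids are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the IMail 6.x SMTP log layout from the post:
# "<date> <time> SMTP-(<session id>) <event>". Hosts and ids are made up.
SAMPLE_LOG = """\
02:13 23:12 SMTP-(0000008D) Connect example-a.test [192.0.2.10:25] (1)
02:13 23:12 SMTP-(0000008D) >EHLO mail.example.test
02:13 23:12 SMTP-(0000008D) >MAIL FROM:<>
02:13 23:12 SMTP-(0000008D) 501 bogus mail from
02:13 23:12 SMTP-(0000008D) SMTP_DELIV_FAILED
02:13 23:12 SMTP-(0000008D) >QUIT
02:13 23:13 SMTP-(0000008E) Connect example-a.test [192.0.2.10:25] (1)
02:13 23:13 SMTP-(0000008E) >MAIL FROM:<>
02:13 23:13 SMTP-(0000008E) SMTP_DELIV_FAILED
02:13 23:13 SMTP-(0000008F) Connect example-b.test [198.51.100.7:25] (1)
02:13 23:13 SMTP-(0000008F) >MAIL FROM:<alice@example.test>
02:13 23:13 SMTP-(0000008F) 250 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) SMTP-\(([0-9A-Fa-f]+)\) (.*)$")
CONNECT_RE = re.compile(r"^Connect (\S+) \[([\d.]+):\d+\]")


def parse_sessions(text):
    """Group log lines by session id: {id: {host, ip, sender, failed}}."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation or unrelated line
        sid, event = m.group(3), m.group(4)
        s = sessions.setdefault(sid, {"host": None, "ip": None,
                                      "sender": None, "failed": False})
        c = CONNECT_RE.match(event)
        if c:
            s["host"], s["ip"] = c.group(1), c.group(2)
        elif event.startswith(">MAIL FROM:"):
            s["sender"] = event[len(">MAIL FROM:"):].strip()
        elif event == "SMTP_DELIV_FAILED":
            s["failed"] = True
    return sessions


def failed_null_sender_by_host(sessions, threshold=1):
    """Hosts (most frequent first) with >= threshold failed null-sender sessions."""
    counts = Counter(s["host"] for s in sessions.values()
                     if s["failed"] and s["sender"] == "<>")
    return [(h, n) for h, n in counts.most_common() if n >= threshold]
```

Running it over a real log only needs `parse_sessions(open(path).read())`; raise `threshold` to the level that separates a flood from normal bounce traffic.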
At 12:56 AM 2/17/01 +0100, you wrote:
>
>>I keep getting this in my log file about every second. Also my log file from
>>yesterday was 65M!!!! How do I stop it? I have already added the IP from
>>mylinuxisp.com to the not granted list.... This domains listed are not mine
>>and I have relay set to Relay for local hosts only...
>
>you have just learned painfully (the lesson may continue for many
>hours as you clean up the mess) why "Relay for local hosts only" is
>uselessly dangerous. Ipswitch should put a popup-when-selected
>warning on these dangerous radio buttons, damn it. And they should
>install Imail to default of "relay for addresses" rather than
>installing as an open relay.
>
>stop the SMTP service.
>
>check the imail queue tab, there could be tons of stuff in there,
>delete it if you can.
>
>if you can't because there's too much, copy your imail spool directory
>to someplace else,
>
>delete your Imail spool directory contents (you have the copy above).
>
>set your relay options to "relay for addresses"
>
>start your SMTP service so your mail server can progress
>
>now you need to work on the directory to where you copied the spool
>directory, deleting the files with bogus msgs from .cn, and keeping
>everything else.
>
>You could do this with a little script using "file grep", fgrep,
>searching for files that contain ".cn " and deleting each one.
>
>see www.ProfSoftware.com for unixdos tools. This is a critical step
>since deleting all this crap, maybe 10's of 1000's of msgs, by hand
>could take hours. The grep script could do it at machine speed.
>
>When that's all cleaned up, stop the smtp service, copy what's left
>in your work dir back to the spool directory so Imail can work on it,
>and start the smtp service.
>
>Len
>
>
>http://BIND8NT.MEIway.com : Binary for ISC BIND 8.2.3 for NT4 & W2K
>http://IMGate.MEIway.com : Build free, hi-perf, anti-spam mail gateways
>
>
>Please visit http://www.ipswitch.com/support/mailing-lists.html
>to be removed from this list.
>
>An Archive of this list is available at:
>http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
>
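The cleanup step Len describes, as an added example rather than his script or any IMail tool: scan every queue file in the spool copy for the literal pattern (".cn " by default) the way fgrep would, and move the matches into a quarantine directory instead of deleting them, so a false positive can be put back before the rest is copied into the spool. The file names and contents in demo() are constructed.

```python
import shutil
import tempfile
from pathlib import Path


def quarantine_spool(spool_dir, needle=b".cn ", quarantine_dir=None):
    """Move every regular file under spool_dir whose contents contain
    `needle` into quarantine_dir (default: a sibling 'quarantine' dir).
    Returns the names moved, in sorted order; everything else is kept."""
    spool = Path(spool_dir)
    qdir = Path(quarantine_dir) if quarantine_dir else spool.parent / "quarantine"
    qdir.mkdir(parents=True, exist_ok=True)
    moved = []
    for f in sorted(spool.iterdir()):
        if not f.is_file():
            continue
        # Binary read: queue files may hold 8-bit data, and only the literal
        # byte pattern matters, exactly as an fgrep search would see it.
        if needle in f.read_bytes():
            shutil.move(str(f), str(qdir / f.name))
            moved.append(f.name)
    return moved


def demo():
    """Constructed spool copy: one file naming a .cn address, two that do not."""
    root = Path(tempfile.mkdtemp())
    spool = root / "spool_copy"
    spool.mkdir()
    (spool / "D1.SMD").write_bytes(b"From: bogus@mail.example.cn \r\nSubject: junk\r\n")
    (spool / "D2.SMD").write_bytes(b"From: alice@example.test\r\nSubject: hello\r\n")
    # ".cnn" does not contain ".cn ": the trailing space in the pattern keeps this one.
    (spool / "D3.SMD").write_bytes(b"From: desk@example.cnn.test \r\nSubject: news\r\n")
    return spool, quarantine_spool(spool)


if __name__ == "__main__":
    spool, moved = demo()
    print("quarantined:", moved, "kept:", sorted(p.name for p in spool.iterdir()))
```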