I've recently noticed in the Logs some connections from the same Hotmail
accounts occurring every 15 minutes.
The recipient never actually receives any mail from them, so I'm
wondering why the constant connecting?
Is this a Relay attempt, or worse, a successful Relay?
There are two different Hotmail accounts this is coming from so far,
'hawaiiantita89' and 'nedras22'.

Here are pieces of the Log:
-----------------------------------------------------------------------------------------------

09:16 00:06 SMTPD(000B028A) [12.35.200.18] connect 64.4.9.82 port 1696
09:16 00:06 SMTPD(000B028A) [64.4.9] EHLO hotmail.com
09:16 00:06 SMTPD(000B028A) [64.4.9.82] MAIL FROM:<[EMAIL PROTECTED]>
09:16 00:06 SMTPD(000B028A) [64.4.9.82] RCPT TO:<[EMAIL PROTECTED]>

09:16 00:21 SMTPD(009800B0) [12.35.200.18] connect 64.4.9.82 port 3223
09:16 00:21 SMTPD(009800B0) [64.4.9.82] EHLO hotmail.com
09:16 00:21 SMTPD(009800B0) [64.4.9.82] MAIL FROM:<[EMAIL PROTECTED]>
09:16 00:21 SMTPD(009800B0) [64.4.9.82] RCPT TO:<[EMAIL PROTECTED]>

09:16 00:36 SMTPD(000900B4) [12.35.200.18] connect 64.4.9.82 port 4782
09:16 00:36 SMTPD(000900B4) [64.4.9.82] EHLO hotmail.com
09:16 00:36 SMTPD(000900B4) [64.4.9.82] MAIL FROM:<[EMAIL PROTECTED]>
09:16 00:36 SMTPD(000900B4) [64.4.9.82] RCPT TO:<[EMAIL PROTECTED]>

09:16 00:51 SMTPD(003100B4) [12.35.200.18] connect 64.4.9.82 port 2651
09:16 00:51 SMTPD(003100B4) [64.4.9.82] EHLO hotmail.com
09:16 00:51 SMTPD(003100B4) [64.4.9.82] MAIL FROM:<[EMAIL PROTECTED]>
09:16 00:51 SMTPD(003100B4) [64.4.9.82] RCPT TO:<[EMAIL PROTECTED]>

-----------------------------------------------------------------------------------------------

09:16 05:57 SMTPD(032B0088) [12.35.200.18] connect 216.32.181.87 port 4204
09:16 05:57 SMTPD(032B0088) [216.32.181.87] EHLO hotmail.com
09:16 05:57 SMTPD(032B0088) [216.32.181.87] MAIL FROM:<[EMAIL PROTECTED]>
09:16 05:57 SMTPD(032B0088) [216.32.181.87] RCPT TO:<[EMAIL PROTECTED]>

09:16 06:12 SMTPD(02B900B4) [12.35.200.18] connect 216.32.181.87 port 2367
09:16 06:12 SMTPD(02B900B4) [216.32.181.87] EHLO hotmail.com
09:16 06:12 SMTPD(02B900B4) [216.32.181.87] MAIL FROM:<[EMAIL PROTECTED]>
09:16 06:12 SMTPD(02B900B4) [216.32.181.87] RCPT TO:<[EMAIL PROTECTED]>

09:16 06:27 SMTPD(02DE00B4) [12.35.200.18] connect 216.32.181.87 port 4758
09:16 06:27 SMTPD(02DE00B4) [216.32.181.87] EHLO hotmail.com
09:16 06:27 SMTPD(02DE00B4) [216.32.181.87] MAIL FROM:<[EMAIL PROTECTED]>
09:16 06:27 SMTPD(02DE00B4) [216.32.181.87] RCPT TO:<[EMAIL PROTECTED]>

09:16 06:42 SMTPD(03660088) [12.35.200.18] connect 216.32.181.87 port 3047
09:16 06:42 SMTPD(03660088) [216.32.181.87] EHLO hotmail.com
09:16 06:42 SMTPD(03660088) [216.32.181.87] MAIL FROM:<[EMAIL PROTECTED]>
09:16 06:42 SMTPD(03660088) [216.32.181.87] RCPT TO:<[EMAIL PROTECTED]>
-----------------------------------------------------------------------------------------------

I do have 'Relay for Local Users Only' set.
I know I should be setting 'Relay for Addresses Only', but I have some Outside Sales Reps who insist they must be able to retrieve their mail through their favorite personal Dialup ISP.
This is despite the fact they've all been given Corporate Dialup Accounts which would establish a local VPN connection and allow me to restrict Relay to the known VPN Addresses.
I'm 'discussing' the issues with the Sales Reps' Managers and attempting to educate them that the current way of doing things is potentially leaving us wide open to Spammers.
If somebody could verify for me that this is a successful Spammer Relay, then I'd have the ammo I need to enforce the use of the VPN connection for these Outside Sales Reps and could shut down the potential Open Relay.

Alan Walters
Director of I.T.
Royce Medical
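
The pattern described in the message above (repeated sessions from one remote address at a fixed interval) can be pulled out of a log mechanically. The following is an added example, not part of the original post and not Ipswitch code. It assumes the line layout `MM:DD HH:MM SMTPD(session id) [address] text` seen in the excerpt, that wrapped lines have been joined, and that a DATA command would be logged under the same session id; `parse_sessions`, `summarize` and the sample addresses are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the excerpt above; addresses are placeholders.
SAMPLE_LOG = """\
09:16 00:06 SMTPD(000B028A) [12.35.200.18] connect 64.4.9.82 port 1696
09:16 00:06 SMTPD(000B028A) [64.4.9.82] EHLO hotmail.com
09:16 00:06 SMTPD(000B028A) [64.4.9.82] MAIL FROM:<sender@example.com>
09:16 00:06 SMTPD(000B028A) [64.4.9.82] RCPT TO:<user@example.org>
09:16 00:21 SMTPD(009800B0) [12.35.200.18] connect 64.4.9.82 port 3223
09:16 00:21 SMTPD(009800B0) [64.4.9.82] EHLO hotmail.com
09:16 00:21 SMTPD(009800B0) [64.4.9.82] MAIL FROM:<sender@example.com>
09:16 00:21 SMTPD(009800B0) [64.4.9.82] RCPT TO:<user@example.org>
09:16 00:36 SMTPD(000900B4) [12.35.200.18] connect 64.4.9.82 port 4782
"""

# Assumed layout: MM:DD HH:MM SMTPD(session id) [address] text
LINE = re.compile(r"^\d\d:(\d\d) (\d\d):(\d\d) SMTPD\((\w+)\) \[[\d.]+\] (\S+) ?(.*)$")

def parse_sessions(text):
    """Group log lines by SMTPD session id."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        day, hh, mm, sid, word, rest = m.groups()
        s = sessions.setdefault(sid, {"minute": None, "peer": None, "verbs": []})
        if word == "connect":
            s["peer"] = rest.split()[0]
            # Minutes since the start of the month; month rollover is not handled.
            s["minute"] = (int(day) * 24 + int(hh)) * 60 + int(mm)
        else:
            s["verbs"].append(word.upper())
    return sessions

def summarize(sessions):
    """Per remote address: session count, sessions with no DATA line, minutes between connects."""
    report = defaultdict(lambda: {"sessions": 0, "minutes": [], "no_data": 0})
    for s in sessions.values():
        if s["peer"]:
            r = report[s["peer"]]
            r["sessions"] += 1
            r["minutes"].append(s["minute"])
            r["no_data"] += "DATA" not in s["verbs"]
    for r in report.values():
        t = sorted(r.pop("minutes"))
        r["gaps"] = [b - a for a, b in zip(t, t[1:])]
    return dict(report)
```

`summarize(parse_sessions(SAMPLE_LOG))` reports, per remote address, how many sessions were opened, the gaps between them in minutes, and how many sessions show no DATA line in the log.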
