<Sorry for the repost, I didn't change the subject last time. Also, I forgot to
mention I'm on the last release of iMail before ICS. Also, this version is in
plaintext... thanks!>
Hey guys,
I recently received an abuse complaint, concerning a message sent from one of
our iMail servers. This is very strange, because in our system, those iMail
servers are not ever supposed to send mail; they are inbound only. That, and
the fact that I have seen this spam message before in the wild leads me to
believe that we are relaying, or have been exploited.
Those servers obviously have port 25 open to the world, but they are set to
"Relay for addresses", which include only 10.10.30.*, 172.16.0.* and 127.0.0.1.
The first two are internal IP ranges associated with the trusted and dmz zones
of our network. I assume there is nothing there allowing open relaying.
Which leaves me with exploit as the only possibility. It looks like the spammer
dictionaried a domain which is lexicographically very early
(atlasadvancement.com), and then did a lookup to see what their MX was. This, I
assume, is why they attacked the inbound servers and not the outbound servers,
which there are no DNS records for.
The question is, did they use some iMail exploit I am unaware of, or could they
possibly forge the first-hop IP address? I am not aware whether that is
currently even possible, or if so if it's in use by spammers currently. Maybe
as a tactic to make IP blacklisting impractical?
I have studied our outgoing mail logs, and do not see this message in them at
all. Also, a quick audit of our outgoing mail traffic from before and after
this report shows no increase in throughput, which would be expected if we were
owned. Also, I have not received a single other abuse complaint.
Where do I go from here? Thanks!
-Chase
Chase Seibert | Network and Systems Engineer | Bullhorn Inc. | 617.464.2440
x119 | www.bullhorn.com
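A worked check for the forged-first-hop question in the post above, added here as an example and not part of Chase's message or of IMail: it reads the Received chain of a constructed sample, trusts only the header the inbound server itself stamped, and tests that hop's client IP against the relay ranges quoted in the post. The server name mail-in.example.invalid and every host and IP in the sample are placeholders; everything below the server's own header is text the connecting client supplied, which is exactly why an internal-looking IP down there proves nothing.

```python
import ipaddress
import re
from email import message_from_string

# The "Relay for addresses" ranges quoted in the post.
RELAY_FOR = [ipaddress.ip_network(n) for n in
             ("10.10.30.0/24", "172.16.0.0/24", "127.0.0.1/32")]
# Hostname of the inbound server named in the complaint: an assumed placeholder.
OUR_HOST = "mail-in.example.invalid"

# Constructed sample as it might arrive with an abuse complaint; hosts and IPs are
# made up. The lowest Received line is the sort a client can put in its own DATA.
SAMPLE = """\
Received: from mail-in.example.invalid ([192.0.2.10])
\tby mx.complainant.invalid with SMTP; Tue, 12 Jun 2012 10:01:03 -0400
Received: from pool-203-0-113-77.example.invalid ([203.0.113.77])
\tby mail-in.example.invalid (IMail) with SMTP; Tue, 12 Jun 2012 10:01:01 -0400
Received: from [10.10.30.5] by mail-in.example.invalid with SMTP;
\tTue, 12 Jun 2012 10:00:59 -0400
From: someone@atlasadvancement.com
To: victim@complainant.invalid
Subject: sample

body
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def first_hop_analysis(raw, our_host=OUR_HOST):
    """Return (client_ip, in_relay_list, untrusted_hops) from the hop our server stamped.
    Each MTA prepends its own Received header, so the topmost one saying "by <our_host>"
    is ours and its "from" IP is the real client; every Received line below it arrived
    inside that client's DATA and is attacker-controlled."""
    received = message_from_string(raw).get_all("Received", [])
    for idx, hdr in enumerate(received):
        flat = " ".join(hdr.split())  # unfold continuation lines
        if re.search(r"\bby\s+" + re.escape(our_host) + r"\b", flat, re.I):
            from_part = re.split(r"\s+by\s+", flat, maxsplit=1, flags=re.I)[0]
            m = IP_RE.search(from_part)
            below = [" ".join(h.split()) for h in received[idx + 1:]]
            if not m:
                return None, False, below
            ip = ipaddress.ip_address(m.group(1))
            return str(ip), any(ip in net for net in RELAY_FOR), below
    return None, False, []

def verdict(raw, our_host=OUR_HOST):
    ip, trusted, _ = first_hop_analysis(raw, our_host)
    if ip is None:
        return "no hop stamped by our server: the message did not pass through it"
    return (f"relayed for {ip}: an allowed internal host handed us this message" if trusted
            else f"accepted from {ip}: outside the relay list, check the server's SMTP log")
```

Whatever the verdict, the next step is the same: find the matching connection in the inbound server's own SMTP log by timestamp and client IP, because that log, not the complainant's copy of the headers, is the only record the sender could not write.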