Tor-Einar Jarnbjo schrieb:
I didn't notice until I realized that outgoing mails seemed to "hang" somewhere, but obviously someone has been able to use my James server as an open relay a few days ago and my outgoing spool repository was filled up with undeliverable mails. After deleting the mails from the spool table, the server seems to work fine again now.

Hi,

I'll pick up my own mail from June again and report that it happened again. I'm more or less 100% convinced that my James installation is configured properly, but the last few days, a "spam wave" managed to fill up my spool table again with SMTP connects from a UK IP address. Both sender and recipient addresses were mostly in the .uk TLD and not local. After the server managed to forward some of the mails, about 40,000 mails were left in the spool table and choked the server completely, making it unable to process regular outgoing mails.

The first log entries in the smtpserver log looked like this:

27/10/08 13:14:17 INFO smtpserver: Connection from wvps212-241-x-x.vps.webfusion.co.uk (212.241.x.x)
27/10/08 13:14:18 INFO smtpserver: Successfully spooled mail Mail1225109658790-1134809 from [EMAIL PROTECTED] on 212.241.221.21 for [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]

(I've deleted the user part of the e-mail addresses and the last two numbers in the client IP address, but there's nothing obviously wrong with them.)

After this, the same client managed to open more than 5000 connections over the next two days and filled up my server.

Is there anything I can do to more easily find the reason why James thinks it's ok to spool these mails without authentication from the client? I've looked into the source code, but of course did not find anything obviously wrong. The only thing I can see is that SMTP authentications are logged, which makes me sure that the spammer has not managed to hack a username/password combination, but is indeed sending these mails without logging in.

Tor
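One way to answer the question in the post ("how do I find out which spooled mails James accepted as a relay without authentication?") is to correlate the smtpserver log's "Connection from", authentication and "Successfully spooled mail" entries per client IP. The script below is an added example written for this thread; it is not code from the post, from James, or from the James project. The "Successfully spooled mail" and "Connection from" formats follow the entry quoted above; the AUTH line format, the local domain list and the authorized (relay-without-auth) network list are assumptions, as is the sample log, which is constructed and uses documentation IP ranges rather than the poster's real data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. The first two lines mirror the shape of the entry
# quoted in the post; the rest are made up to cover the non-relay cases.
# The "AUTH ... succeeded" line is an ASSUMED format: the post only says that
# authentications are logged, it does not show the line.
SAMPLE_LOG = """\
27/10/08 13:14:17 INFO smtpserver: Connection from host.example.co.uk (203.0.113.9)
27/10/08 13:14:18 INFO smtpserver: Successfully spooled mail Mail1225109658790-1134809 from spam@example.co.uk on 203.0.113.9 for a@example.org.uk, b@example.net.uk
27/10/08 13:20:01 INFO smtpserver: Connection from mx.example.net (198.51.100.7)
27/10/08 13:20:02 INFO smtpserver: Successfully spooled mail Mail1225110002000-1 from someone@example.net on 198.51.100.7 for tor@mydomain.example
27/10/08 13:25:00 INFO smtpserver: Connection from laptop.example (192.0.2.5)
27/10/08 13:25:01 INFO smtpserver: AUTH PLAIN succeeded for user tor on 192.0.2.5
27/10/08 13:25:02 INFO smtpserver: Successfully spooled mail Mail1225110302000-2 from tor@mydomain.example on 192.0.2.5 for friend@example.co.uk
27/10/08 13:30:00 INFO smtpserver: Connection from localhost (127.0.0.1)
27/10/08 13:30:01 INFO smtpserver: Successfully spooled mail Mail1225110602000-3 from cron@mydomain.example on 127.0.0.1 for admin@example.co.uk
"""

# Assumptions about this particular server, not facts from the post.
LOCAL_DOMAINS = {"mydomain.example"}                       # domains James serves
AUTHORIZED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8")]  # may relay without AUTH

CONN_RE = re.compile(r"Connection from \S+ \((\S+)\)$")
AUTH_RE = re.compile(r"AUTH \S+ succeeded for user \S+ on (\S+)$")  # assumed format
SPOOLED_RE = re.compile(r"Successfully spooled mail (\S+) from (\S+) on (\S+) for (.*)$")


def domain_of(addr):
    """Domain part of an address, lower-cased ('user@Example.COM' -> 'example.com')."""
    return addr.rsplit("@", 1)[-1].lower()


def in_authorized_network(ip):
    """True if the client IP falls in a network allowed to relay without AUTH."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_NETWORKS)


def find_relayed(log_text, local_domains=LOCAL_DOMAINS):
    """Return (relayed, connections_per_ip).

    A spooled mail is reported as an open-relay acceptance when at least one
    recipient is in a non-local domain, the client IP is not in an authorized
    network, and no successful AUTH has been logged for that IP earlier in the
    log. The log carries no session id, so AUTH is tracked per IP: this is an
    approximation and will under-report if an authenticated host later relays
    without authenticating.
    """
    authenticated_ips = set()
    connections = defaultdict(int)
    relayed = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            connections[m.group(1)] += 1
            continue
        m = AUTH_RE.search(line)
        if m:
            authenticated_ips.add(m.group(1))
            continue
        m = SPOOLED_RE.search(line)
        if not m:
            continue
        mail_id, sender, ip, rcpt_field = m.groups()
        recipients = [r.strip() for r in rcpt_field.split(",") if r.strip()]
        foreign = [r for r in recipients if domain_of(r) not in local_domains]
        if foreign and ip not in authenticated_ips and not in_authorized_network(ip):
            relayed.append({
                "mail": mail_id,
                "ip": ip,
                "sender": sender,
                "sender_local": domain_of(sender) in local_domains,
                "foreign_recipients": foreign,
            })
    return relayed, dict(connections)


if __name__ == "__main__":
    hits, per_ip = find_relayed(SAMPLE_LOG)
    for h in hits:
        print(f"{h['mail']} from {h['ip']} ({h['sender']}) relayed to {len(h['foreign_recipients'])} foreign recipients")
    print("connections per IP:", per_ip)
```

Run it against the real smtpserver log (after adjusting `AUTH_RE`, `LOCAL_DOMAINS` and `AUTHORIZED_NETWORKS` to the installation) and every hit is a mail James accepted for a non-local recipient from a client that neither authenticated nor came from an authorized address range; the connection counts per IP make a single abusive client like the one in the post stand out. If hits show up for clients outside the ranges you expect, the next thing to compare is the smtpserver block of James's config.xml, in particular whether authentication is required and which addresses are listed as authorized, since those are the settings that decide relaying.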


