> I've been testing SIMS on my LAN for some time now and only recently opened port 25 to the scary world out there.
> I've also been lurking on this list for some time, so hopefully I've learned enough to configure SIMS properly.
> But looking at some recent logs, I'm concerned that I might still be vulnerable.
>
> 02:16:58 4 SMTP-050() Got connection from [64.169.240.3:1087]
> 02:16:58 4 SMTP(tcp) Connection accepted from [64.169.240.3:1087], seq=49, 1/2
> 02:16:58 4 SMTP-050([64.169.240.3]) Sending 220-fmly.ca Stalker Internet Mail Server V.1.8b9d14 is ready.\r\n220 ESMTP is spoken here. You are welcome\r\n
> 02:16:58 5 SMTP-050([64.169.240.3]) OT 106 of 106 bytes sent, Flags=0
> 02:16:58 5 SMTP-050([64.169.240.3]) *Status=34
> 02:16:58 4 SMTP-050([64.169.240.3]) Looking for 3.240.169.64.relays.osirusoft.com
> 02:16:58 5 SMTP-050([64.169.240.3]) *Status=34
>
> (other relay checks omitted here). It looks like the sender is not a known relay. OK.
>
> 02:16:59 5 SMTP-050([64.169.240.3]) Received 11 bytes
> 02:16:59 4 SMTP-050([64.169.240.3]) Input Line: HELO none\r
> 02:16:59 5 SMTP-050([64.169.240.3]) *Status=21
> 02:16:59 4 SMTP-050(none) Looking for none
> 02:16:59 3 SMTP-050(none) Failed to verify. Real address is [64.169.240.3:1087]
> 02:16:59 4 SMTP-050(none) Sending 250 fmly.ca cannot verify none\r\n
> 02:16:59 5 SMTP-050(none) OT 32 of 32 bytes sent, Flags=0
>
> Couldn't verify. Doesn't that mean I shouldn't trust him and SIMS should drop the connection? But it accepts a message:

No, that check is so risky that all a verification failure does is modify how SIMS writes a relay header.

> 02:16:59 5 SMTP-050([64.169.240.3]) *Status=22
> 02:17:00 5 SMTP-050([64.169.240.3]) Received 37 bytes
> 02:17:00 4 SMTP-050([64.169.240.3]) Input Line: MAIL FROM:<[EMAIL PROTECTED]>\r
> 02:17:00 5 SMTP-050([64.169.240.3]) *Status=25
> 02:17:00 5 SYSTEM {S.0000018985} in work, ref=4702, nFresh=4
> 02:17:00 5 ROUTER Input: handsomeguy(hotmail.com)
> 02:17:00 5 ROUTER Parser: [EMAIL PROTECTED] -> handsomeguy(hotmail.com)
> 02:17:00 4 ROUTER redirected to email(NULL) (safe)
> 02:17:00 5 ROUTER Input: handsomeguy(NULL)
> 02:17:00 5 ROUTER Parser: handsomeguy@NULL -> handsomeguy(NULL)
> 02:17:00 5 ROUTER Input: NULL()
> 02:17:00 5 ROUTER Parser: NULL -> NULL()
> 02:17:00 4 SMTP-050([64.169.240.3]) Sending 250 <[EMAIL PROTECTED]> sender accepted\r\n
>
> OK, I confess I'm so paranoid I have the following entry in my router: *.com = NULL
> Obviously it has no effect on the sender address.

Well it does, but not with any usefulness. It just means that SIMS sees it as a valid element of the Great Nothingness. This means that it will accept the message. On the other hand, if you tried to send to that address, it would simply pass the message into the Great Nothingness. Silently.

> 02:17:00 5 SMTP-050([64.169.240.3]) OT 47 of 47 bytes sent, Flags=0
> 02:17:00 5 SMTP-050([64.169.240.3]) *Status=23
> 02:17:00 5 SMTP-050([64.169.240.3]) Received 31 bytes
> 02:17:00 4 SMTP-050([64.169.240.3]) Input Line: RCPT TO:<[EMAIL PROTECTED]>\r
> 02:17:00 5 ROUTER Input: snowbaby(hotpop.com)
> 02:17:00 5 ROUTER Parser: [EMAIL PROTECTED] -> snowbaby(hotpop.com)
> 02:17:00 4 ROUTER redirected to email(NULL) (safe)
>
> Yes - redirecting to NULL should be safe!

Yes, SIMS treats NULL as valid.

> 02:17:00 5 ROUTER Input: snowbaby(NULL)
> 02:17:00 5 ROUTER Parser: snowbaby@NULL -> snowbaby(NULL)
> 02:17:00 5 ROUTER Input: NULL()
> 02:17:00 5 ROUTER Parser: NULL -> NULL()
> 02:17:00 4 SMTP-050([64.169.240.3]) Sending 250 <[EMAIL PROTECTED]> Welcome to the Black Hole\r\n
> 02:17:00 5 SMTP-050([64.169.240.3]) OT 53 of 53 bytes sent, Flags=0
>
> Ummm, correct me if I'm wrong, but did I just relay a message to "snowbaby"?

Yes, after a fashion. You relayed the message to right where your router says all *.com addresses belong: the bit bucket. The Great Nothingness. Or as SIMS expresses it: the Black Hole.

You DID NOT actually hand the mail to anyone else, and if you had, you'd see that in a different SMTP session.

> I've got "Relay for Clients only" (and only one IP address in the clients list). I've got "Verify Return Path" and "Use Blacklist Servers".
>
> Any enlightenment as to how I can better protect my server would be appreciated.

Route addresses you want to reject mail to or from to ERROR instead of NULL. That way, instead of swallowing all the mail from spammers (including the spammers who call themselves 'white hat relay testers') trying to relay through you, you will reject it outright. If a spammer of a particular flavor of stupidity gets ahold of your server, he could take it to its knees with messages that you are simply dropping.

Note as well that some relay testers who run blacklists (including Joe Jared of Osirusoft) will list machines that accept test messages before the test message is actually relayed. If you accept a test from the Osirusoft tester (as you would) but then just drop it (as you would), then your machine would be listed for some period greater than a day and less than a week. Joe doesn't like to discuss the details of how long those provisional listings live.

You should also know that routing any valid address to NULL results in behavior that is in formal violation of the RFCs defining SMTP. If you accept a message, you are accepting a responsibility to make a best-effort attempt to either deliver it or send a bounce to the sender.

> Part of the reason I'm so paranoid is that a couple days after opening up port 25 on my router one of my ISP email addresses suddenly got swamped with bounced spam (400 msgs/day). But I've checked everything and nowhere is that email address used anywhere in my SIMS configuration. (It was used on a domain registration a few years back, though). I assume the incident was just a nasty coincidence.

Probably.

There are a few viruses out there now (mostly Klez variants) which use bogus sender addresses from a variety of sources on the infected machine to send infective mail, and a lot of places are (unwisely) generating bounces to the fake senders when they find Klez-infected mail. It's easy to land yourself in some Outlook user's address book or web cache and end up getting a flood of such bounces.

There are also a few of the nastier spammers out there who gather addresses from abuse complaints passed to them by providers (bad practice) to use as forged sender addresses.
--
Bill Cole [EMAIL PROTECTED]
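As an added example (not code from the original thread, from SIMS, or from Stalker), here is a small Python checker that walks a SIMS-style log excerpt like the one quoted above and reports the two things this thread is about: a HELO that failed verification but did not end the session, and a RCPT that was answered with 250 and then routed to NULL (the "Black Hole"), which is the accept-and-discard behaviour that the reply says violates the SMTP RFCs and can get a host provisionally listed by relay testers. It also rebuilds the DNSBL query name (reversed octets plus zone) that appears in the "Looking for" line. The sample log, its IP, hostnames and addresses are constructed; the log-line regexes are an assumption based only on the lines quoted in the post; and the 550 reply text for the rejected recipient is invented to show the contrasting case, not SIMS's real wording.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample session, modelled on the SIMS log lines quoted in the post.
# Client IP, hostnames and addresses are placeholders (RFC 5737 / example
# domains), not the values from the original session; the final 550 reply is
# invented to show the rejected-recipient case and is not SIMS's real wording.
SAMPLE_LOG = r"""
02:16:58 4 SMTP-050() Got connection from [192.0.2.10:1087]
02:16:58 4 SMTP(tcp) Connection accepted from [192.0.2.10:1087], seq=49, 1/2
02:16:58 4 SMTP-050([192.0.2.10]) Looking for 10.2.0.192.relays.dnsbl.example
02:16:59 4 SMTP-050([192.0.2.10]) Input Line: HELO none\r
02:16:59 4 SMTP-050(none) Looking for none
02:16:59 3 SMTP-050(none) Failed to verify. Real address is [192.0.2.10:1087]
02:16:59 4 SMTP-050(none) Sending 250 mail.example.org cannot verify none\r\n
02:17:00 4 SMTP-050([192.0.2.10]) Input Line: MAIL FROM:<someone@example.com>\r
02:17:00 4 ROUTER redirected to email(NULL) (safe)
02:17:00 4 SMTP-050([192.0.2.10]) Sending 250 <someone@example.com> sender accepted\r\n
02:17:00 4 SMTP-050([192.0.2.10]) Input Line: RCPT TO:<target@example.com>\r
02:17:00 4 ROUTER redirected to email(NULL) (safe)
02:17:00 4 SMTP-050([192.0.2.10]) Sending 250 <target@example.com> Welcome to the Black Hole\r\n
02:17:01 4 SMTP-050([192.0.2.10]) Input Line: RCPT TO:<other@example.net>\r
02:17:01 4 SMTP-050([192.0.2.10]) Sending 550 <other@example.net> relaying denied\r\n
"""

# Assumed line shape: "HH:MM:SS level MODULE(context) message" (context optional).
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<level>\d) (?P<module>[A-Z]+(?:-\d+)?)"
    r"(?:\((?P<ctx>[^)]*)\))?\s+(?P<msg>.*)$"
)
CONN_RE = re.compile(r"Got connection from \[(?P<ip>[\d.]+):\d+\]")
HELO_RE = re.compile(r"Input Line: (?:HELO|EHLO)\s+(\S+?)(?:\\r)?$")
ADDR_RE = re.compile(r"Input Line: (MAIL FROM|RCPT TO):\s*<([^>]*)>")
SEND_RE = re.compile(r"Sending (?P<code>\d{3})[ -](?P<text>.*)")


@dataclass
class Session:
    client_ip: Optional[str] = None
    helo: Optional[str] = None
    helo_verified: bool = True
    dnsbl_lookups: List[str] = field(default_factory=list)
    mail_from: Optional[str] = None
    # (recipient address, SMTP reply code, reply text)
    recipients: List[Tuple[str, str, str]] = field(default_factory=list)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookup name as seen in the log: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def parse_session(log_text: str) -> Session:
    """Reduce one SMTP session's log lines to the facts we care about."""
    s = Session()
    pending = None  # last MAIL/RCPT command still waiting for its reply
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (c := CONN_RE.search(msg)):
            s.client_ip = c.group("ip")
        elif msg.startswith("Looking for "):
            name = msg[len("Looking for "):].strip()
            # A lookup of the reversed client IP is a blacklist query; a lookup
            # of the HELO name (e.g. "none") is the HELO verification instead.
            if s.client_ip and name.startswith(dnsbl_query_name(s.client_ip, "")):
                s.dnsbl_lookups.append(name)
        elif "Failed to verify" in msg:
            s.helo_verified = False
        elif (h := HELO_RE.search(msg)):
            s.helo = h.group(1)
        elif (a := ADDR_RE.search(msg)):
            verb, addr = a.groups()
            pending = ("MAIL" if verb == "MAIL FROM" else "RCPT", addr)
        elif (r := SEND_RE.search(msg)) and pending:
            verb, addr = pending
            code = r.group("code")
            text = r.group("text").replace("\\r\\n", "")
            if verb == "MAIL" and code.startswith("2"):
                s.mail_from = addr
            elif verb == "RCPT":
                s.recipients.append((addr, code, text))
            pending = None
    return s


def findings(s: Session) -> List[str]:
    """Human-readable observations about the session."""
    out = []
    if s.helo and not s.helo_verified:
        out.append(f"HELO '{s.helo}' from {s.client_ip} could not be verified; "
                   "the session continued anyway (only the relay header changes)")
    if not s.dnsbl_lookups:
        out.append(f"no blacklist lookup seen for {s.client_ip}")
    for addr, code, text in s.recipients:
        if code.startswith("2") and "Black Hole" in text:
            out.append(f"RCPT <{addr}> accepted ({code}) and routed to NULL: the message is "
                       "silently discarded; route it to ERROR so the reply is a 5xx rejection")
        elif code.startswith("5"):
            out.append(f"RCPT <{addr}> rejected ({code}): nothing was accepted, nothing to drop")
    return out


if __name__ == "__main__":
    for line in findings(parse_session(SAMPLE_LOG)):
        print(line)
```

Running it on the constructed session prints one line for the unverifiable HELO, one for the recipient that was accepted and then black-holed, and one for the recipient that was refused at RCPT time; the second line is the condition Bill's advice addresses, and the third is what the session looks like once the `*.com` route points at ERROR rather than NULL.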
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
