At 6:31 AM -0700 8/20/03, Mike Whybark imposed structure on a stream of electrons, yielding:
> Hi, I use SIMS on os9 as a backup mailserver from time to time - when my main sendmail box is down, for example.
>
> I run it with all the anti-spam measures in place including the RBL option and a strictly limited set of real-permitted IP addresses.
>
> Despite this it appears that the server was used to send spam in the last 24 hours, often associated with the email virus that I'm sure you're all seeing examples of - often there's a ".pif" associated with the message that I presume carries the payload.
>
> I started getting bouncebacks from adminbots referring to these messages, and examined the SIMS logs, only to find, much to my surprise, that somehow the messages were indeed being relayed despite my no-relay settings.
>
> Here's a header from one such returned message:
>
> ---snip---
> Received: from JOE (mail.c2mcorp.com [216.201.140.226]) by rly-xd03.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXD37-1153f4293115d; Tue, 19 Aug 2003 17:13:55 -0400
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: Re: My details
> Date: Tue, 19 Aug 2003 16:13:48 --0500
> X-MailScanner: Found to be clean
> Importance: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MSMail-Priority: Normal
> X-Priority: 3 (Normal)
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="_NextPart_000_24C4EE05"
> X-AOL-IP: 216.201.140.226
> X-AOL-SCOLL-SCORE: 0:XXX:XX
> X-AOL-SCOLL-URL_COUNT: 0
> Message-ID: <[EMAIL PROTECTED]>
> ---snip---


That message never passed through SIMS. SIMS ALWAYS adds a Received header.

In fact, I don't see any evidence that the message has any connection to you at all except for the From header, and those are essentially always bogus in the Sobig worm family which this appears to be from.

Do you have logs showing actual relaying of spam or messages that appear to have really touched your machine?


> I added the spammer IP to my local blacklist and then just shut down the server, as I didn't need it anymore. The logs were set to "problems only", and I did see some reject messages associated with the IP and "JOE" - the logs also normally record incoming and outbound messages with from and to addresses, which were NOT recorded in these instances.

Maybe I'm just momentarily caffeine-deprived, but I can't assemble a rational mental picture of what that means. I suspect that what you are seeing in the logs is just blow-back from an infected machine forging your address on outgoing worm mail.



> My sendmail logs do not record any such activity, however, so I'm reasonably sure that if anything DID get through it was on the SIMS box. The sendmail install is secure in that it's a restricted relay - but then again, that's what I thought about the SIMS install too.
>
> I'm baffled. Is there a security hole in older SIMS that I just don't know about?


There are some relatively small (and largely theoretical) holes in 1.7. It would be a good idea to update any SIMS machine to 1.8b9d14. Despite its 'development release of a potential beta' status it has a rather long history in production at many sites and no reports here of significant problems.


> It's also of concern that the messages appear, to the other mail admins, to be associated with my address and domain ([EMAIL PROTECTED]). Anybody have some words of wisdom?


How about: Don't worry, it's probably nothing.

Anyone with a few basic clues about Sobig and similar Microsoft mail worms knows that they grab random addresses from wherever they can find them for use as From headers and Return Paths. Anyone who looks at headers like those you posted and deems you responsible should have their qualifications to be a mail admin questioned.

--
Bill Cole [EMAIL PROTECTED]
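The check Bill applies above (a message that really passed through your server carries a Received header stamped by it, and the From header says nothing about where it came from) can be done mechanically on the bounces you collect. The following is an added example, not code from the thread or from SIMS: it parses the Received chain of the posted header block (reproduced with the redacted addresses replaced by constructed placeholders), reports whether an assumed local hostname, sims.example.org, ever handled the message, and pulls the IP of the earliest hop, which is the injection point the bounce actually tells you about.

```python
import re
from email import message_from_string

# Constructed sample: the header block quoted in the thread, with the
# redacted addresses replaced by placeholders (example.org / example.net).
BOUNCED_HEADERS = """\
Received: from JOE (mail.c2mcorp.com [216.201.140.226]) by rly-xd03.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXD37-1153f4293115d; Tue, 19 Aug 2003 17:13:55 -0400
From: <someone@example.org>
To: <recipient@example.net>
Subject: Re: Re: My details
Date: Tue, 19 Aug 2003 16:13:48 --0500
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="_NextPart_000_24C4EE05"
X-AOL-IP: 216.201.140.226
Message-ID: <placeholder@example.org>

"""

# "from <helo> (<peer info>) by <receiving host>" as written by most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_headers):
    """Return one dict per Received header, newest first (the order MTAs prepend them)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"helo": m.group("helo"),
                         "peer": m.group("peer") or "",
                         "by": m.group("by")})
    return hops


def transited(raw_headers, my_host):
    """True only if one of the Received headers was stamped by my_host."""
    return any(my_host.lower() == hop["by"].lower() for hop in received_chain(raw_headers))


def injection_point(raw_headers):
    """IP recorded by the earliest hop, i.e. the host that first injected the message."""
    hops = received_chain(raw_headers)
    if not hops:
        return None
    m = IP_RE.search(hops[-1]["peer"])  # last header in the list is the oldest hop
    return m.group(1) if m else None


if __name__ == "__main__":
    my_server = "sims.example.org"  # assumed name of the SIMS box, a placeholder
    for hop in received_chain(BOUNCED_HEADERS):
        print(f"{hop['helo']} ({hop['peer']}) -> {hop['by']}")
    print("passed through", my_server, ":", transited(BOUNCED_HEADERS, my_server))
    print("injected from", injection_point(BOUNCED_HEADERS))
```

Run against the posted headers, the only hop is JOE (mail.c2mcorp.com [216.201.140.226]) handing the message straight to AOL's rly-xd03.mx.aol.com, so the local server never appears in the chain and the From domain is the only link back to the list poster. A bounce whose chain really does include your host is the one worth matching against your own logs; the others are blow-back from a forged sender address.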





