Help! Xserve mail server being used as spam relay 10.4.11




Ben Kei
Jul 15, 2008, 04:59 AM
Hello,

We've got a bit of an urgent issue going on.
It looks as though our mailserver is being used as an open spam relay.

Unfortunately this isn't something we really know how to prevent, disable or find the cause of.

We're using the Apple mail server built into 10.4 and are fully updated to the most recent version, 10.4.11.

Currently we have all outgoing mail on hold until we can find the root of the problem.

We have around 20 machines all using mac mail on 10.4.11 and then 6 XP machines, all of which have been fully scanned and are clean.

Is anyone familiar with the Mac mail server who knows how to help us close the relay?

Many thanks in advance!
Ben



tersono
Jul 15, 2008, 05:25 AM
Firstly, go to the following URL and run the 'exhaustive relay' option. This will tell you for sure whether your server is an open relay:

http://www.toxicservers.com/

If it comes back negative (which it should - OS X Server has relaying disabled by default, so if it's on, it's because it's been turned on), then your problem is probably just that someone is spamming using a spoofed header showing an address from your domain as the originator - it happens to everybody.

If, however, toxicservers shows that you ARE running an open relay, then open the Server Admin tools, go to the mail section and restrict relaying. You can either specify a specific IP range (i.e. the range you use on your internal LAN), or check one or more of the checkboxes for SMTP authentication - this will require that a user's mail client authenticates via password whenever sending an email.

For further info, take a look at:
http://macos-x-server.com/wiki/index.php?title=Open_Relays
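The two steps above (confirm whether relaying is open, then restrict it to the LAN range or to SMTP AUTH) correspond to a handful of Postfix settings, because the SMTP service in OS X Server 10.4 is Postfix underneath. The following is an added example, not code from this thread or from Apple: it parses a main.cf and reports the two classic ways a server ends up relaying for everyone, a mynetworks entry that trusts the whole internet and a restriction list that permits before it ever reaches reject_unauth_destination. Both main.cf samples are constructed; the host name, address ranges and the list of ranges treated as "local" are assumptions.

```python
import ipaddress
import re

# Constructed sample (NOT a real server's config): relays for the whole internet.
# "mynetworks = 0.0.0.0/0" makes every client a trusted one, and the bare "permit"
# ends the restriction list before reject_unauth_destination is ever evaluated
# (Postfix only checks that reject_unauth_destination is present, not its position).
OPEN_RELAY_MAIN_CF = """
myhostname = mail.example.com
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""

# Constructed sample: the corrected form the reply describes, relaying only for
# the office LAN range and for clients that authenticated with SMTP AUTH.
RESTRICTED_MAIN_CF = """
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Ranges a small office can legitimately list in mynetworks (assumption for this audit).
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]


def parse_main_cf(text):
    """Parse main.cf text into a dict; a line starting with whitespace continues the previous value."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params


def _split_list(value):
    return [item for item in re.split(r"[,\s]+", value) if item]


def _is_local_range(net):
    return any(net.network_address in r and net.broadcast_address in r for r in LOCAL_RANGES)


def audit_relay(params):
    """Return findings explaining why this config would relay for strangers; [] if it looks closed."""
    findings = []

    # 1. mynetworks: any entry wider than loopback/private space lets outsiders relay via permit_mynetworks.
    for entry in _split_list(params.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # e.g. a hash:/path lookup table; not audited here
        if not _is_local_range(net):
            findings.append(f"mynetworks trusts {entry}, which is not a loopback or private range")

    # 2. Restrictions are evaluated in order and the first match wins.
    #    Postfix 2.10+ also has smtpd_relay_restrictions; it is audited instead when present.
    key = "smtpd_relay_restrictions" if "smtpd_relay_restrictions" in params else "smtpd_recipient_restrictions"
    restrictions = _split_list(params.get(key, ""))
    blockers = {"reject_unauth_destination", "defer_unauth_destination"}
    first_block = next((i for i, r in enumerate(restrictions) if r in blockers), None)
    if first_block is None:
        findings.append(f"{key} never reaches reject_unauth_destination, so any client may relay anywhere")
    elif "permit" in restrictions[:first_block]:
        findings.append(f"{key} has an unconditional 'permit' before reject_unauth_destination")

    # 3. permit_sasl_authenticated never matches without SASL enabled; the admin probably expected AUTH to work.
    if "permit_sasl_authenticated" in restrictions and params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("permit_sasl_authenticated is listed but smtpd_sasl_auth_enable is not 'yes'")

    return findings


if __name__ == "__main__":
    for label, text in (("open relay", OPEN_RELAY_MAIN_CF), ("restricted", RESTRICTED_MAIN_CF)):
        print(label, "->", audit_relay(parse_main_cf(text)) or ["no relay findings"])
```

On a real box the same audit can be run on the output of `postconf -n`, which prints the parameters actually in effect rather than whatever main.cf happens to say.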

Ben Kei
Jul 15, 2008, 06:01 AM
> Firstly, go to the following URL and run the 'exhaustive relay' option. This will tell you for sure whether your server is an open relay:
>
> http://www.toxicservers.com/
>
> If it comes back negative (which it should - OS X Server has relaying disabled by default, so if it's on, it's because it's been turned on), then your problem is probably just that someone is spamming using a spoofed header showing an address from your domain as the originator - it happens to everybody.
>
> If, however, toxicservers shows that you ARE running an open relay, then open the Server Admin tools, go to the mail section and restrict relaying. You can either specify a specific IP range (i.e. the range you use on your internal LAN), or check one or more of the checkboxes for SMTP authentication - this will require that a user's mail client authenticates via password whenever sending an email.
>
> For further info, take a look at:
> http://macos-x-server.com/wiki/index.php?title=Open_Relays

You're a star! Thanks.

I'll get right on it and see what the deal is.

We're pretty sure we've been relaying spam.
The server slowed to a crawl, and MessageLabs, who scan our incoming mail, said they would not do the same for our outgoing mail as we were being used as an open relay.

Not sure quite how this happened, but it's just killed 2 days of work for the whole office.

Hopefully this will fix it for us.

Thanks,
Ben

Ben Kei
Jul 15, 2008, 11:42 AM
Well, it seems that we've got it fixed now.

After following the instructions to secure our servers, we were then routing our mail through MessageLabs to scan.

They picked up more instances of spam originating from our server, along with full details of message contents etc.

Somehow an account not connected to any of our users (a test account used to check the setup when we first set up the mail server some years ago) had been accessed and compromised, and the account itself was acting as a relay.
It also gave us the IP address of the originator of the mail we were unwittingly forwarding.

It was in Nigeria and was sending out those 'with your help we can open the bank account' type phishing mails.

Now the question is: how did this account become compromised, and how come OS X Server mail does not have anything in place to warn you of any compromised accounts?
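The question at the end of this post, noticing a compromised account before a third party tells you, can be answered from Postfix's own mail log: smtpd records which SASL username authenticated and from which client address, and qmgr records how many recipients each queued message had. The following added example, not from the thread or from Apple, joins those two records by queue id and flags accounts that send to unusually many recipients or authenticate from outside the office LAN. The log lines, host name, account names and addresses are constructed, and the thresholds and office range are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in Postfix's format (hypothetical host "xserve", documentation IP ranges).
# Two messages from "testaccount" with hundreds of recipients each, sent after authenticating from
# outside the office, next to ordinary traffic from two office Macs on 192.168.1.0/24.
SAMPLE_MAIL_LOG = """
Jul 15 03:12:44 xserve postfix/smtpd[4012]: 1A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=testaccount
Jul 15 03:12:44 xserve postfix/qmgr[398]: 1A2B3C4D5E: from=<testaccount@example.com>, size=2140, nrcpt=180 (queue active)
Jul 15 03:12:51 xserve postfix/smtpd[4012]: 2B3C4D5E6F: client=unknown[203.0.113.46], sasl_method=PLAIN, sasl_username=testaccount
Jul 15 03:12:51 xserve postfix/qmgr[398]: 2B3C4D5E6F: from=<testaccount@example.com>, size=2140, nrcpt=195 (queue active)
Jul 15 09:01:02 xserve postfix/smtpd[4020]: 3C4D5E6F7A: client=mac12.office.example.com[192.168.1.12], sasl_method=PLAIN, sasl_username=alice
Jul 15 09:01:02 xserve postfix/qmgr[398]: 3C4D5E6F7A: from=<alice@example.com>, size=5120, nrcpt=2 (queue active)
Jul 15 09:05:17 xserve postfix/smtpd[4021]: 4D5E6F7A8B: client=mac03.office.example.com[192.168.1.3], sasl_method=PLAIN, sasl_username=bob
Jul 15 09:05:17 xserve postfix/qmgr[398]: 4D5E6F7A8B: from=<bob@example.com>, size=880, nrcpt=1 (queue active)
"""

# smtpd logs who authenticated and from which client; qmgr logs how many recipients the message had.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=[^\[\s]+\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=[^,\s]+)?, sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def summarize_senders(log_lines):
    """Join the smtpd and qmgr records by queue id and aggregate per authenticated user."""
    auth = {}    # queue id -> (user, client ip); only authenticated sessions match SMTPD_RE
    nrcpt = {}   # queue id -> recipient count
    for line in log_lines:
        m = SMTPD_RE.search(line)
        if m:
            auth[m.group("qid")] = (m.group("user"), m.group("ip"))
            continue
        m = QMGR_RE.search(line)
        if m:
            nrcpt[m.group("qid")] = int(m.group("nrcpt"))
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "client_ips": set()})
    for qid, (user, ip) in auth.items():
        stats[user]["messages"] += 1
        stats[user]["recipients"] += nrcpt.get(qid, 0)
        stats[user]["client_ips"].add(ip)
    return dict(stats)


def flag_suspicious(stats, max_recipients=100, office_ranges=("192.168.1.0/24",)):
    """Return {user: [reasons]} for accounts whose sending pattern deserves a look.

    The threshold and office range are assumptions for a 20-seat office; users who
    legitimately send from outside the LAN will need office_ranges tuned."""
    nets = [ipaddress.ip_network(n) for n in office_ranges]
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["recipients"] > max_recipients:
            reasons.append(f"{s['recipients']} recipients across {s['messages']} messages")
        outside = sorted(ip for ip in s["client_ips"]
                         if not any(ipaddress.ip_address(ip) in n for n in nets))
        if outside:
            reasons.append("authenticated from outside the office: " + ", ".join(outside))
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    stats = summarize_senders(SAMPLE_MAIL_LOG.strip().splitlines())
    for user, reasons in flag_suspicious(stats).items():
        print(f"ALERT {user}: " + "; ".join(reasons))
```

Run over a day's worth of the real log, the per-user summary also answers the follow-up question of which accounts exist at all: an account that sends mail but belongs to nobody in the office, like the old test account here, shows up on the list by itself.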

operator207
Jul 17, 2008, 07:44 AM
> Well, it seems that we've got it fixed now.
>
> After following the instructions to secure our servers, we were then routing our mail through MessageLabs to scan.
>
> They picked up more instances of spam originating from our server, along with full details of message contents etc.
>
> Somehow an account not connected to any of our users (a test account used to check the setup when we first set up the mail server some years ago) had been accessed and compromised, and the account itself was acting as a relay.
> It also gave us the IP address of the originator of the mail we were unwittingly forwarding.
>
> It was in Nigeria and was sending out those 'with your help we can open the bank account' type phishing mails.
>
> Now the question is: how did this account become compromised, and how come OS X Server mail does not have anything in place to warn you of any compromised accounts?

If it's years old, maybe a disgruntled ex-employee. It's happened before. If it's a test account, poor password (user: test, pass: test123). I had a friend ask for an account on my server, which I allowed shell access on at the time; he was a competent admin of some mail servers (worked for Verizon as a mail admin) and wanted to test some mail back and forth. I gave him an account and set his password to something pretty cryptic, though he was going to change it. He did change it, to something like act1v3 or some such. :rolleyes: It was hacked within a day. I now do not hand out accounts to even the most competent of people without requiring a cryptic password. They also never get a shell anymore.

It's good you got this fixed. I also find it refreshing that you found the problem and actually did something about it. At my old workplace, I was the main Policy Enforcement person. It surprised me how many times we would get calls from businesses telling us that it was OK to relay spam, as that was "normal". ?!?!?!111 :confused: I responded that it was also "normal" for us to block mail servers that were "normally" spamming our servers.