Old Jul 15, 2008, 04:59 AM   #1
Ben Kei
macrumors regular
 
Join Date: Oct 2002
Location: London UK
Help! Xserve mail server being used as spam relay 10.4.11

Hello,

We've got a bit of an urgent issue going on.
It looks as though our mail server is being used as an open spam relay.

Unfortunately this isn't something we really know how to prevent, disable or find the cause of.

We're using the Apple mail server built into 10.4 and are fully updated to the most recent version of 10.4.11

Currently we have all outgoing mail on hold until we can find the root of the problem.

We have around 20 machines all using Mac Mail on 10.4.11 and then 6 XP machines, all of which have been fully scanned and are clean.

Is anyone familiar with the Mac mail server and knows how to help us close the relay?

Many thanks in advance!
Ben
Old Jul 15, 2008, 05:25 AM   #2
tersono
macrumors 68000
Join Date: Jan 2005
Location: UK
Firstly, go to the following URL and run the 'exhaustive relay' option. This will tell you for sure whether your server is an open relay:

http://www.toxicservers.com/

If it comes back negative (which it should - OS X server has relaying disabled by default, so if it's on, it's because it's been turned on), then your problem is probably just that someone is spamming using a spoofed header showing an address from your domain as the originator - happens to everybody.

If, however, toxicservers shows that you ARE running an open relay, then open the server admin tools, go to the mail section and restrict relaying. You can either specify a specific IP range (i.e. the range you use on your internal LAN), or check one or more of the checkboxes for SMTP authentication - this will require that a user's mail client authenticates via password whenever sending an email.

For further info, take a look at:
http://macos-x-server.com/wiki/index...le=Open_Relays

Last edited by tersono; Jul 15, 2008 at 05:31 AM.
Old Jul 15, 2008, 06:01 AM   #3
Ben Kei
Thread Starter
macrumors regular
 
Join Date: Oct 2002
Location: London UK
Quote:
Originally Posted by tersono
Firstly, go to the following URL and run the 'exhaustive relay' option. This will tell you for sure whether your server is an open relay:

http://www.toxicservers.com/

If it comes back negative (which it should - OS X server has relaying disabled by default, so if it's on, it's because it's been turned on), then your problem is probably just that someone is spamming using a spoofed header showing an address from your domain as the originator - happens to everybody.

If, however, toxicservers shows that you ARE running an open relay, then open the server admin tools, go to the mail section and restrict relaying. You can either specify a specific IP range (i.e. the range you use on your internal LAN), or check one or more of the checkboxes for SMTP authentication - this will require that a user's mail client authenticates via password whenever sending an email.

For further info, take a look at:
http://macos-x-server.com/wiki/index...le=Open_Relays
You're a star! Thanks.

I'll get right on it and see what the deal is.

We're pretty sure we've been relaying spam.
The server slowed to a crawl and Messagelabs, who scan our incoming mail, said they would not do the same for our outgoing mail as we were being used as an open relay.

Not sure quite how this happened, but it's just killed 2 days of work for the whole office.

Hopefully this will fix it for us.

Thanks,
Ben
Old Jul 15, 2008, 11:42 AM   #4
Ben Kei
Thread Starter
macrumors regular
 
Join Date: Oct 2002
Location: London UK
Well it seems that we've got it fixed now.

After following instructions to secure our servers we were then routing our mail through Messagelabs to scan.

They picked up more instances of spam originating from our server along with full details of message contents etc...

Somehow an account not connected to any of our users (a test account used to check the setup when we first set up the mail server some years ago) had been accessed and compromised and the account itself was acting as a relay.
It also gave us the IP address of the originator of the mail we were unwittingly forwarding.

It was in Nigeria and was sending out those 'with your help we can open the bank account' type phishing mails.

Now the question is how did this account become compromised and how come OS X server mail does not have anything in place to warn you of any compromised accounts?
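Ben's closing question (why nothing warned him that a dormant account was relaying) has a practical answer: the SMTP server does log every authenticated submission, so a compromised account shows up as a username submitting lots of mail from addresses outside the office. The script below is an added example written for this thread, not code from the forum or from Apple. It assumes the Postfix smtpd log format that OS X Server's mail service writes to /var/log/mail.log (the `client=host[ip], sasl_method=..., sasl_username=...` line), assumes the office LAN is 192.168.1.0/24, and uses constructed sample log lines with documentation-range IP addresses; the `test` account, the hostnames and the threshold are all made up for the illustration.

```python
"""Flag SMTP accounts that look compromised by tallying where their
authenticated submissions come from, using Postfix smtpd log lines.
Added example for the MacRumors thread; not Apple's or Postfix's code."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the office LAN. Submissions from anywhere else count as "external".
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Postfix smtpd connection line: queue id, client host[ip], and (if the client
# authenticated) the SASL method and username. Unauthenticated lines have no
# sasl_* fields, so those groups come back as None.
LOG_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?"
)

# Constructed sample log (documentation IP ranges, invented hostnames/users).
SAMPLE_LOG = """\
Jul 15 03:01:12 mail postfix/smtpd[2213]: 1A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=test
Jul 15 03:01:15 mail postfix/smtpd[2213]: 1A2B3C4D5F: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=test
Jul 15 03:01:19 mail postfix/smtpd[2214]: 1A2B3C4D60: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=test
Jul 15 03:02:03 mail postfix/smtpd[2215]: 1A2B3C4D61: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=test
Jul 15 03:02:08 mail postfix/smtpd[2215]: 1A2B3C4D62: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=test
Jul 15 08:10:44 mail postfix/smtpd[2301]: 1A2B3C4D70: client=alice-mac.local[192.168.1.10], sasl_method=PLAIN, sasl_username=alice
Jul 15 08:12:01 mail postfix/smtpd[2301]: 1A2B3C4D71: client=alice-mac.local[192.168.1.10], sasl_method=PLAIN, sasl_username=alice
Jul 15 08:15:30 mail postfix/smtpd[2302]: 1A2B3C4D72: client=bob-xp.local[192.168.1.11], sasl_method=LOGIN, sasl_username=bob
Jul 15 08:20:00 mail postfix/smtpd[2303]: 1A2B3C4D73: client=mx.example.net[192.0.2.9]
"""


def parse_line(line):
    """Return the matched fields as a dict, or None for lines that are not
    smtpd connection records (queue manager, delivery agents, etc.)."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True when the client address lies inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def summarize(lines):
    """Per SASL username: total submissions, submissions from outside the
    LAN, and the set of client IPs seen."""
    stats = defaultdict(lambda: {"total": 0, "external": 0, "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] is None:
            continue  # not an authenticated submission
        s = stats[rec["user"]]
        s["total"] += 1
        s["ips"].add(rec["ip"])
        if not is_trusted(rec["ip"]):
            s["external"] += 1
    return stats


def flag_accounts(lines, max_external=3):
    """Usernames whose external (non-LAN) authenticated submissions exceed
    max_external. Staff sending from inside the office never trip it; a
    forgotten test account driven from the internet does."""
    return sorted(u for u, s in summarize(lines).items() if s["external"] > max_external)


if __name__ == "__main__":
    for user in flag_accounts(SAMPLE_LOG.splitlines()):
        s = summarize(SAMPLE_LOG.splitlines())[user]
        print(f"{user}: {s['total']} submissions, {s['external']} from outside "
              f"the LAN, client IPs {sorted(s['ips'])}")
```

Run against the real log (for example, `flag_accounts(open("/var/log/mail.log"))`) from a cron job and you get the early warning the server itself does not provide: an account that nobody in the office uses, authenticating from the internet and pushing mail in volume. Pair it with a periodic review of every mailbox that exists on the server, since the root cause here was a test account that outlived its purpose.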
Old Jul 17, 2008, 07:44 AM   #5
operator207
macrumors 6502
 
Join Date: Jul 2007
Quote:
Originally Posted by Ben Kei
Well it seems that we've got it fixed now.

After following instructions to secure our servers we were then routing our mail through Messagelabs to scan.

They picked up more instances of spam originating from our server along with full details of message contents etc...

Somehow an account not connected to any of our users (a test account used to check the setup when we first set up the mail server some years ago) had been accessed and compromised and the account itself was acting as a relay.
It also gave us the IP address of the originator of the mail we were unwittingly forwarding.

It was in Nigeria and was sending out those 'with your help we can open the bank account' type phishing mails.

Now the question is how did this account become compromised and how come OS X server mail does not have anything in place to warn you of any compromised accounts?
If it's years old, maybe a disgruntled ex-employee. It's happened before. If it's a test account, poor password (user: test, pass: test123). I had a friend ask for an account on my server, which I allowed shell access to at the time; he was a competent admin of some mail servers (worked for Verizon as a mail admin) and wanted to test some mail back and forth. I gave him an account and set his password to something pretty cryptic, though he was going to change it. He did change it, to something like act1v3 or some such. It was hacked within a day. I now do not hand out accounts to even the most competent of people without requiring a cryptic password. They also never get a shell anymore.

It's good you got this fixed. I also find it refreshing that you found the problem and actually did something about it. At my old workplace, I was the main Policy Enforcement person. It surprised me how many times we would get calls from businesses telling us that it was ok to relay spam, as that was "normal". ?!?!?!111 I responded that it was also "normal" for us to block mail servers that were "normally" spamming our servers.