Mail server... relay attack??



#1 tomfmason
  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Location: stealing your wifi

Posted 09 September 2006 - 06:01 PM

I created a socket SMTP server and I think that it is being used to relay messages. I have disabled it now but I am wondering if I am right.

Here is part of my log.

T 20060709 145550 44af5598 Connection from 61.230.66.156
T 20060709 145551 44af5598 helo www.MyMainServer.com
T 20060709 145551 44af5598 mail from:<michael78694@MyMainServer.com>
T 20060709 145552 44af5598 rcpt to:<nomail12356@yahoo.com.hk>
E 20060709 145552 44af5598 Relay attempt by 61.230.66.156: from <michael78694@MyMainServer.com> to <nomail12356@yahoo.com.hk>.
T 20060709 145552 44af5598 Connection closed with 61.230.66.156, 2 sec. elapsed.

T 20060710 090212 44af55a3 HELO 68.99.113.17
T 20060710 090212 44af55a3 MAIL FROM: <fsfhhrret@msa.hinet.net>
T 20060710 090212 44af55a3 RCPT TO: <bbb1@so-net.net.tw>
E 20060710 090212 44af55a3 Relay attempt by 59.112.84.200: from <fsfhhrret@msa.hinet.net> to <bbb1@so-net.net.tw>.
T 20060710 090213 44af55a3 Connection closed with 59.112.84.200, 2 sec. elapsed.
T 20060711 025413 44b28d53 Connection from 211.228.100.196
T 20060711 025414 44b28d53 HELO lwoyma.com
T 20060711 025414 44b28d53 MAIL FROM: <dind@sxjjio.com>
T 20060711 025414 44b28d53 RCPT TO: <lvmanias@daum.net>
E 20060711 025415 44b28d53 Relay attempt by 211.228.100.196: from <dind@sxjjio.com> to <lvmanias@daum.net>.
T 20060711 025415 44b28d53 Connection closed with 211.228.100.196, 2 sec. elapsed.
T 20060712 074621 44b28d54 Connection from 59.117.206.209
T 20060712 074622 44b28d54 helo www.MyMainServer.com
T 20060712 074622 44b28d54 mail from:<michael78694@MyMainServer.com>
T 20060712 074623 44b28d54 rcpt to:<nomail12356@yahoo.com.hk>
E 20060712 074623 44b28d54 Relay attempt by 59.117.206.209: from <michael78694@MyMainServer.com> to <nomail12356@yahoo.com.hk>.
T 20060712 074623 44b28d54 Connection closed with 59.117.206.209, 3 sec. elapsed.
T 20060712 094255 44b4b6e7 Connection from 68.1.19.10
T 20060712 094256 44b4b6e7 Connection closed with 68.1.19.10, 1 sec. elapsed.
T 20060712 094457 44b4b6e8 Connection from 68.1.19.10
T 20060712 094457 44b4b6e8 Connection closed with 68.1.19.10, 0 sec. elapsed.
T 20060712 181932 44b4b6e9 Connection from 59.112.82.158
T 20060712 181932 44b4b6e9 HELO 68.99.113.17
T 20060712 181932 44b4b6e9 MAIL FROM: <fsfhhrret@msa.hinet.net>
T 20060712 181933 44b4b6e9 RCPT TO: <bbb1@so-net.net.tw>
E 20060712 181933 44b4b6e9 Relay attempt by 59.112.82.158: from <fsfhhrret@msa.hinet.net> to <bbb1@so-net.net.tw>.
T 20060712 181933 44b4b6e9 Connection closed with 59.112.82.158, 1 sec. elapsed.
T 20060713 034959 44b4b6ea Connection from 203.128.172.235
T 20060713 035000 44b4b6ea HELO cirtsq.com
T 20060713 035000 44b4b6ea MAIL FROM: <btso@vdlvls.com>
T 20060713 035000 44b4b6ea RCPT TO: <lvmanias@hanmail.net>
E 20060713 035000 44b4b6ea Relay attempt by 203.128.172.235: from <btso@vdlvls.com> to <lvmanias@hanmail.net>.
T 20060713 035000 44b4b6ea Connection closed with 203.128.172.235, 1 sec. elapsed.


There are many of these. People are trying to relay spam through my mail server. From what I can see it is not working, but this has got me a bit worried.

Any added security measures that you can recommend would be great.

Thanks,
Tom

Traveling East in search of instruction, and West to propagate the knowledge I have gained.

current projects: pokersource

My Blog | My Pastebin | PHP Validation class | Backtrack linux
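The "E ... Relay attempt by ..." lines are the server's own record that it refused to relay; nothing in the excerpt shows a relay being completed. What a practitioner would want from a log like this is a per-source tally and the two tells that a client is trying to pass as local mail: a MAIL FROM forged in the server's own domain and a HELO naming the server itself (both visible in the first session above). The script below is an added example, not Tom's server code or anything from the thread; it is in Python regardless of what the socket server was written in. The embedded log excerpt is constructed from the lines above, and the local-domain name passed to `summarize` is an assumption.

```python
import re
from collections import Counter

# Constructed excerpt in the same format as the log above (a few sessions, not all).
SAMPLE_LOG = """\
T 20060709 145550 44af5598 Connection from 61.230.66.156
T 20060709 145551 44af5598 helo www.MyMainServer.com
T 20060709 145551 44af5598 mail from:<michael78694@MyMainServer.com>
T 20060709 145552 44af5598 rcpt to:<nomail12356@yahoo.com.hk>
E 20060709 145552 44af5598 Relay attempt by 61.230.66.156: from <michael78694@MyMainServer.com> to <nomail12356@yahoo.com.hk>.
T 20060709 145552 44af5598 Connection closed with 61.230.66.156, 2 sec. elapsed.
T 20060712 094255 44b4b6e7 Connection from 68.1.19.10
T 20060712 094256 44b4b6e7 Connection closed with 68.1.19.10, 1 sec. elapsed.
T 20060712 181932 44b4b6e9 Connection from 59.112.82.158
T 20060712 181932 44b4b6e9 HELO 68.99.113.17
T 20060712 181932 44b4b6e9 MAIL FROM: <fsfhhrret@msa.hinet.net>
T 20060712 181933 44b4b6e9 RCPT TO: <bbb1@so-net.net.tw>
E 20060712 181933 44b4b6e9 Relay attempt by 59.112.82.158: from <fsfhhrret@msa.hinet.net> to <bbb1@so-net.net.tw>.
T 20060712 181933 44b4b6e9 Connection closed with 59.112.82.158, 1 sec. elapsed.
"""

# "E" lines are the server's own record that it refused the relay.
RELAY_RE = re.compile(
    r"^E (?P<date>\d{8}) (?P<time>\d{6}) (?P<sess>[0-9a-f]+) "
    r"Relay attempt by (?P<ip>[\d.]+): from <(?P<sender>[^>]*)> to <(?P<rcpt>[^>]*)>\.$"
)
# HELO/EHLO is logged in mixed case in this format; the third column is the session id.
HELO_RE = re.compile(
    r"^T \d{8} \d{6} (?P<sess>[0-9a-f]+) (?:helo|ehlo) (?P<name>\S+)$", re.IGNORECASE
)


def _domain(addr):
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_relay_attempts(log_text):
    """One dict per refused relay attempt, joined with the HELO name the same
    session presented, if any."""
    helo_by_session = {}
    attempts = []
    for line in log_text.splitlines():
        m = HELO_RE.match(line)
        if m:
            helo_by_session[m.group("sess").lower()] = m.group("name")
            continue
        m = RELAY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["helo"] = helo_by_session.get(rec["sess"].lower())
            rec["sender_domain"] = _domain(rec["sender"])
            rec["rcpt_domain"] = _domain(rec["rcpt"])
            attempts.append(rec)
    return attempts


def summarize(attempts, local_domains):
    """Per-source counts plus two tells that the client is trying to look like
    local mail: a MAIL FROM in one of our domains, or a HELO naming our own host.
    local_domains (which domains the server is authoritative for) is an assumption."""
    local = {d.lower() for d in local_domains}

    def helo_is_us(name):
        if not name:
            return False
        name = name.lower()
        if name.startswith("www."):
            name = name[4:]
        return name in local

    return {
        "total": len(attempts),
        "per_ip": dict(Counter(a["ip"] for a in attempts)),
        "forged_local_sender": sum(a["sender_domain"] in local for a in attempts),
        "helo_as_us": sum(helo_is_us(a["helo"]) for a in attempts),
        "rcpt_domains": sorted({a["rcpt_domain"] for a in attempts}),
    }


if __name__ == "__main__":
    found = parse_relay_attempts(SAMPLE_LOG)
    for a in found:
        print(a["date"], a["time"], a["ip"], "helo=%s" % a["helo"], a["sender"], "->", a["rcpt"])
    print(summarize(found, ["MyMainServer.com"]))
```

Run it over the full log instead of the excerpt and the sources that keep coming back, and any attempt whose MAIL FROM is in the local domain while the client is not, are the ones worth blocking at the firewall. Note the limit of this check: the "E" line only proves a refusal. To be sure nothing was ever relayed you also need to know what this server logs for an accepted transaction and confirm no such record exists for a foreign client.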


#2 R_P
  • Members
  • Advanced Member
  • 98 posts

Posted 11 September 2006 - 03:39 PM

Did you write the script or are you using mailer()? If this is your own code and you are using it to send mail from your box only, try binding your mailer to localhost/127.0.0.1. I.e., if the incoming connection is not localhost or 127.0.0.1, deny access - simple but effective.
Pro in: Win2K3S | Apache2 | PHP5 | Perl5 | MySQL | MSSQL | Firefox | Photoshop
Student of: Ubuntu6 | Java | C | VB.NET | ASP.NET
Developer: Roddzilla Webstudios, Burrson CG, DVIDSHUB, The Four Nations
Student: Georgia Tech, Georgia Tech College of Computing
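R_P's rule made concrete, as an added example that is my code and not R_P's or Tom's: a RCPT TO decision that refuses relaying for any client that is neither on loopback nor authenticated. It goes a little further than the reply by still accepting mail addressed to the server's own domains (so the same check works for a server that also receives mail), and by making explicit that MAIL FROM takes no part in the decision, which is why the forged local-domain senders in the log above would still be refused. The domain name, the trusted networks, and the reply texts are assumptions; the small session walker at the end only exists to show the refusal as the client would see it.

```python
import ipaddress

# Assumed policy inputs (illustrative, not from the thread).
LOCAL_DOMAINS = {"mymainserver.com"}
RELAY_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def relay_decision(client_ip, rcpt, authenticated=False, sender=None,
                   local_domains=LOCAL_DOMAINS, relay_networks=RELAY_NETWORKS):
    """Decide whether to accept a RCPT TO address for this client.

    Returns (accepted, smtp_reply). Accept when the recipient is in one of our
    own domains (inbound mail, never a relay), or when the client is inside a
    trusted network or has authenticated (outbound relay). Anything else is an
    open-relay attempt. `sender` (MAIL FROM) is deliberately ignored: it is
    client-supplied and trivially forged, as the log above shows."""
    if "@" not in rcpt:
        return False, "501 5.1.3 Bad recipient address syntax"
    domain = rcpt.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in local_domains:
        return True, "250 2.1.5 OK"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "554 5.7.1 Relay access denied"
    if authenticated or any(addr in net for net in relay_networks):
        return True, "250 2.1.5 OK"
    return False, "554 5.7.1 Relay access denied"


def run_session(client_ip, commands, authenticated=False):
    """Minimal server-side walk of an SMTP envelope; returns one reply per
    command (plus the greeting). DATA is refused when no recipient was
    accepted, so a relay attempt like the ones logged above never gets to
    send a message body."""
    replies = ["220 mymainserver.com ESMTP"]
    accepted_rcpts = 0
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mymainserver.com")
        elif verb == "MAIL":
            accepted_rcpts = 0
            replies.append("250 2.1.0 OK")  # sender accepted, but not trusted for policy
        elif verb == "RCPT":
            addr = arg.split(":", 1)[-1].strip().strip("<>")
            ok, reply = relay_decision(client_ip, addr, authenticated)
            accepted_rcpts += ok
            replies.append(reply)
        elif verb == "DATA":
            replies.append("354 End data with <CR><LF>.<CR><LF>" if accepted_rcpts
                           else "554 5.5.1 No valid recipients")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.2 Command not recognized")
    return replies


if __name__ == "__main__":
    # The second session from the log above, replayed against the policy.
    for r in run_session("59.112.82.158", [
        "HELO 68.99.113.17",
        "MAIL FROM: <fsfhhrret@msa.hinet.net>",
        "RCPT TO: <bbb1@so-net.net.tw>",
        "DATA",
        "QUIT",
    ]):
        print(r)
```

If the server really is only used to send mail from the box itself, the simpler option R_P gives is still the stronger one: bind the listener to 127.0.0.1 so foreign clients never reach the policy code at all, and keep the check above as a second line of defence in case the bind address is later changed.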



