My GMS is a closed relay, how is someone is still relaying through?

Question

I am quite sure that I am a closed relay but I have noticed that my server is still relaying Spam messages.

The SMTP log shows:

250-VRFY
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-ETRN
250-DSN
250-AUTH LOGIN PLAIN
250-XRCPTLIMIT 100
250-XAUD 789249kw1403121096122172 0.9
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
dGVzdA==
235 2.3.5 Authentication successful
MAIL FROM:
250 2.5.0 OK.
RCPT TO:
250 2.5.0 OK.
DATA
354 3.5.4 Start mail input,   end with ..

Answer

In this particular example you will notice that the Auth Logon command is issued at the SMTP protocol stage. This is the remote system authenticating to your system.

Either this is a genuine user on your system or someone has managed to somehow discover a username and password for an account on your system and they are exploiting this.

In this example the spammer is authenticating using a username of "test" and a password of "test".

If you are experiencing a similar issue then you need to take the base64 encoded string and decode it to find the account they are using. Taking the example above the string used is "dGVzdA==" which decodes to "test"

Inspection of the SMTP log with full logging enabled will reveal the account that is being used to authenticate to your server.

See Also:

• How do I prevent #GMS# v2 or v3 acting as an open relay?
• How do I allow external users to relay mail through my server?
• How do I prevent Gordano Products acting as an open relay?

Keywords:bluestell, relay, closed, auth, logon, Base64