Question
I am quite sure that I am a closed relay but I have noticed that my server is still relaying Spam messages.
The SMTP log shows:
250-VRFY
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-ETRN
250-DSN
250-AUTH LOGIN PLAIN
250-XRCPTLIMIT 100
250-XAUD 789249kw1403121096122172 0.9
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
dGVzdA==
235 2.3.5 Authentication successful
MAIL FROM:
250 2.5.0 OK.
RCPT TO:
250 2.5.0 OK.
DATA
354 3.5.4 Start mail input, end with . .
Answer
In this particular example you will notice that the AUTH LOGIN command is issued at the SMTP protocol stage. This is the remote system authenticating to your server; once authenticated, a client is permitted to relay, so a closed relay configuration does not stop it.
Either this is a genuine user on your system, or someone has discovered a username and password for an account on your system and is exploiting it.
In this example the spammer is authenticating with a username of "test" and a password of "test".
If you are experiencing a similar issue, take the base64 encoded string that the client sends in reply to the "334 VXNlcm5hbWU6" prompt and decode it to find the account they are using. In the example above the string is "dGVzdA==", which decodes to "test".
Inspection of the SMTP log with full logging enabled will reveal the account that is being used to authenticate to your server.
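As an added example (not part of the original article or of the mail server's own tooling), the following script walks an SMTP log, locates each AUTH LOGIN exchange by its base64 "Username:" prompt, decodes the account name the client supplied, and records whether the server accepted the login. The sample log is a constructed reconstruction of the exchange quoted in the question; the password reply is skipped on purpose so the output never contains credentials.

```python
import base64
import binascii

# Constructed sample, modelled on the log in the question, one token per line
# as a server with full logging enabled records it.
SAMPLE_LOG = """\
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
dGVzdA==
235 2.3.5 Authentication successful
MAIL FROM:<spammer@example.invalid>
250 2.5.0 OK.
"""

# The server's AUTH LOGIN prompts are the base64 of "Username:" / "Password:".
USERNAME_PROMPT = base64.b64encode(b"Username:").decode()  # VXNlcm5hbWU6
PASSWORD_PROMPT = base64.b64encode(b"Password:").decode()  # UGFzc3dvcmQ6


def b64_to_text(token):
    """Decode one base64 token from the log, tolerating stripped '=' padding.
    Returns None if the token is not valid base64."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_auth_login_accounts(log_text):
    """Return a list of (username, status) for every AUTH LOGIN exchange.
    status is "accepted" (235), "rejected" (535) or "unknown"."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    results = []
    for i, line in enumerate(lines):
        if line != f"334 {USERNAME_PROMPT}" or i + 1 >= len(lines):
            continue
        username = b64_to_text(lines[i + 1])
        # lines[i + 2] is the password prompt and lines[i + 3] the password
        # reply; neither is decoded. Look a few lines ahead for the verdict.
        status = "unknown"
        for follow in lines[i + 2:i + 6]:
            if follow.startswith("235"):
                status = "accepted"
                break
            if follow.startswith("535"):
                status = "rejected"
                break
        results.append((username, status))
    return results
```

Accounts reported as "accepted" that the owner does not recognise as legitimately sending from that client are the ones whose passwords need to be changed.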
See Also:
- How do I prevent #GMS# v2 or v3 acting as an open relay?
- How do I allow external users to relay mail through my server?
- How do I prevent Gordano Products acting as an open relay?
Keywords: bluestell, relay, closed, auth, logon, Base64