My GMS is a closed relay, how is someone still relaying through it?
I am quite sure that I am a closed relay but I have noticed that my server is still relaying Spam messages.
The SMTP log shows:
250-VRFY
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-ETRN
250-DSN
250-AUTH LOGIN PLAIN
250-XRCPTLIMIT 100
250-XAUD 789249kw1403121096122172 0.9
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
dGVzdA==
235 2.3.5 Authentication successful
MAIL FROM:
250 2.5.0 OK.
RCPT TO:
250 2.5.0 OK.
DATA
354 3.5.4 Start mail input, end with .
.
In this particular example you will notice that the AUTH LOGIN command is issued at the SMTP protocol stage. This is the remote system authenticating to your server, after which the relay restrictions no longer apply to that session.
Either this is a genuine user on your system or someone has managed to somehow discover a username and password for an account on your system and they are exploiting this.
In this example the spammer is authenticating using a username of "test" and a password of "test".
If you are experiencing a similar issue then you need to take the base64 encoded string sent in reply to the "334 VXNlcm5hbWU6" (Username:) challenge and decode it to find the account they are using. Taking the example above, the string used is "dGVzdA==", which decodes to "test".
Inspection of the SMTP log with full logging enabled will reveal the account that is being used to authenticate to your server.
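To find the account automatically rather than decoding strings by hand, here is an added Python example (not part of this article or of GMS) that walks an SMTP log, decodes the AUTH LOGIN "Username:" challenge and the client's reply, and counts which accounts authenticated successfully; the sample log is constructed (the first session is the article's "test" exchange, the failed second session is an assumption), and passwords are deliberately never decoded.

```python
import base64
from collections import Counter

# Constructed sample log: the first session is the AUTH LOGIN exchange from the
# article ("test"/"test"); the failed second session is an assumption for the example.
SAMPLE_LOG = """\
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdA==
334 UGFzc3dvcmQ6
dGVzdA==
235 2.3.5 Authentication successful
AUTH LOGIN
334 VXNlcm5hbWU6
YWxpY2U=
334 UGFzc3dvcmQ6
bm9wZQ==
535 5.7.8 Authentication failed
"""

def b64_text(token):
    """Decode one base64 token (e.g. 'dGVzdA==' -> 'test'); None if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None

def auth_attempts(log_text):
    """Return [(username, succeeded), ...] for every AUTH LOGIN exchange in the log."""
    attempts, expecting, username = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if expecting == "user":                      # client's reply to 'Username:'
            username, expecting = b64_text(line), None
        elif expecting == "pass":                    # client's reply to 'Password:'
            expecting = None                         # never decoded or stored
        elif line.startswith("334 "):                # server challenge, base64 prompt
            prompt = (b64_text(line[4:]) or "").lower()
            if prompt.startswith("username"):
                expecting = "user"
            elif prompt.startswith("password"):
                expecting = "pass"
        elif line[:4] in ("235 ", "535 ") and username is not None:
            attempts.append((username, line.startswith("235 ")))   # 235 = success
            username = None
    return attempts

def relaying_accounts(log_text):
    """Accounts that authenticated successfully, with counts: these need a password reset."""
    return Counter(user for user, ok in auth_attempts(log_text) if ok)
```

Feed it the contents of your full SMTP log (with full logging enabled) and lock or reset every account it reports; a long list of failed attempts for one account in the same log is a sign of a password-guessing run.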
- How do I prevent GMS v2 or v3 acting as an open relay?
- How do I allow external users to relay mail through my server?
- How do I prevent Gordano Products acting as an open relay?
Keywords: bluestell, relay, closed, auth, logon, Base64