Question
I have all the relay options set as per Gordano’s instructions, however my server appears to be being used as a relay. What might be the cause of this?
Answer
Junk emailers are attempting to exploit accounts on mail servers which have insecure passwords, using the ESMTP AUTH options.
Many mail servers have accounts such as:
- Postmaster
- Administrator
- Webmaster
- Test
- Backup
- Root
with insecure passwords, either "password" or the same as the username. If a spammer guesses such an account by brute force, they then relay mail through the server.
To check whether you are being exploited, search your SMTP log for instances of the log entry:
AUTH username@domain.dom (0)
If there are entries such as this for an account that should not be in use, then this is likely the account being exploited. If you enable full logging for SMTP, you will then see the full AUTH transaction, which will look like this:
AUTH LOGIN 334 VXNlcm5hbWU6 YWRtaW5pc3RyYXRvcg== 334 UGFzc3dvcmQ6 cGFzc3dvcmQ= AUTH administrator@domain.dom (0) 2.3.5 Authentication successful
These strings are Base64 encoded. Decoding them reveals the username and password used to authenticate, so this log extract decodes as follows:
AUTH LOGIN 334 Username: administrator 334 Password: password AUTH administrator@domain.dom (0) 2.3.5 Authentication successful
In this case, securing the password on the Administrator account will resolve this.
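The check above can be automated. The following is an added example, not Gordano's code: it decodes the Base64 tokens of each full-logging AUTH LOGIN line and flags successful logins on accounts that should not be in use, or whose password was "password" or the username itself. The log lines and the account list are constructed for the example, and the one-line log format is assumed to match the extract above.

```python
import base64
import binascii
import re

# Constructed sample of the single-line AUTH LOGIN transaction that full SMTP
# logging records (format assumed to match the article's extract).
SAMPLE_LOG = """\
AUTH LOGIN 334 VXNlcm5hbWU6 YWRtaW5pc3RyYXRvcg== 334 UGFzc3dvcmQ6 cGFzc3dvcmQ= AUTH administrator@domain.dom (0) 2.3.5 Authentication successful
AUTH LOGIN 334 VXNlcm5hbWU6 dGVzdA== 334 UGFzc3dvcmQ6 dGVzdA== AUTH test@domain.dom (0) 2.3.5 Authentication successful
AUTH LOGIN 334 VXNlcm5hbWU6 YWxpY2U= 334 UGFzc3dvcmQ6 UzNjdXIzIVBhc3M= AUTH alice@domain.dom (0) 2.3.5 Authentication successful
AUTH LOGIN 334 VXNlcm5hbWU6 !!notbase64!! 334 UGFzc3dvcmQ6 cGFzc3dvcmQ= AUTH bogus@domain.dom (0) 2.3.5 Authentication successful
"""

# Accounts from the article's list that should normally never authenticate over SMTP.
DORMANT_ACCOUNTS = {"postmaster", "administrator", "webmaster", "test", "backup", "root"}

# 334 challenge, username reply, 334 challenge, password reply, then the "AUTH account (0)" summary.
AUTH_LOGIN_RE = re.compile(r"AUTH LOGIN 334 \S+ (\S+) 334 \S+ (\S+) AUTH (\S+) \(0\)")

def _b64_text(token):
    """Decode one Base64 token to text, or return None if it is not valid Base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def decode_auth_login(line):
    """Return (username, password, account) from a full-logging AUTH LOGIN line, else None."""
    m = AUTH_LOGIN_RE.search(line)
    if not m:
        return None
    user, pwd = _b64_text(m.group(1)), _b64_text(m.group(2))
    return None if user is None or pwd is None else (user, pwd, m.group(3))

def audit_smtp_log(log_text):
    """Flag successful logins on dormant accounts or with trivial passwords; the password itself is never reported."""
    findings = []
    for line in log_text.splitlines():
        decoded = decode_auth_login(line)
        if decoded is None:
            continue
        user, pwd, account = decoded
        reasons = []
        if user.lower() in DORMANT_ACCOUNTS:
            reasons.append("account should not be in use")
        if pwd.lower() in ("password", user.lower()):
            reasons.append("password is 'password' or equals the username")
        if reasons:
            findings.append((account, reasons))
    return findings
```

Running `audit_smtp_log` over the sample flags the administrator and test logins and skips the alice login and the line with an undecodable token.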
Gordano advises that secure password policies are implemented, using the options in the Security->Passwords page in the Administration interface.
Keywords: Relay, AUTH